Summary
Highlights
The video starts by introducing Try HackMe as a platform for ethical hacking exercises. The presenter sets up their Try HackMe VPN and starts a new challenge machine, aiming to capture two flags: one for user access and one for root access. After resolving connection issues, the target machine's IP address is established.
An Nmap scan is initiated to identify open ports and services on the target machine. The scan reveals SSH, HTTP (port 80) running a Magnus Billing web service, MySQL, and an unknown port 5038 related to Asterisk. The focus shifts to exploring the web service first.
The Magnus Billing web service is accessed, and a Gobuster scan is started to discover hidden directories. Research on 'Magnus Billing' identifies a potential unauthenticated remote code execution vulnerability (CVE). The video also briefly mentions a directory traversal vulnerability related to Asterisk Call Manager on port 5038 and attempts to connect to MySQL, which is unsuccesful.
Metasploit is launched to exploit the Magnus Billing vulnerability. A specific module for unauthenticated remote code execution is selected and configured. After a check confirms the target is vulnerable, the exploit is executed, resulting in a partially interactive Metasploit session. A full TTY shell is then obtained using a Python reverse shell for easier interaction.
With a user shell, the file system is explored. The 'user.txt' flag is located in the '/home/Magnus' directory, providing the first objective. The next step is to escalate privileges to root. A common privilege escalation checklist is used, and 'sudo -l' reveals that the user can run 'fail2ban-client' as root without a password.
The 'fail2ban-client' vulnerability is researched using GTFOBins, which provides a method for privilege escalation. Since direct parameter passing might be an issue, a temporary shell script is created in a world-writable directory ('/dev/shm'). This script will contain the reverse shell command. After confirming the script works, it's executed via 'sudo fail2ban-client', leading to a root shell and the root flag.