add: writeup-ctf

content/writeup-ctf/writeup-road-thm/index.md

@@ -0,0 +1,155 @@
+---
+title: "Writeup - Road (THM)"
+date: 2022-04-08
+slug: "writeup-road-thm"
+type: "writeup-ctf"
+--- 
+
+This is a writeup for the [Road](https://tryhackme.com/room/road) machine from the TryHackMe site.
+
+## Enumeration
+
+First, let's start with a scan of our target with the following command:
+
+
+```bash
+nmap -sV -T4 -Pn 10.10.57.115
+```
+Two TCP ports are discovered:
+
+![](img/image-1.webp)
+
+- 22/tcp : SSH port (OpenSSH 8.2p1)
+- 80/tcp : HTTP web server (Apache 2.4.41)
+
+![](img/image-2.webp)
+
+## Exploit
+
+I start with an enumeration of the files of the website.
+
+![](img/image-3.webp)
+
+I find a button on the basic site page that redirects to a login page. We have the possibility to create an account, I start by doing that.
+
+![](img/image-4.webp)
+
+Once the account is created, I log in and see the following page:
+
+![](img/image-5.webp)
+
+In the `edit profil` section you can't modify anything except the profile picture, but after looking closer, a message indicates that only the admins can do this action... Except that we learn an important information: the email of the admin!
+
+![](img/image-6.webp)
+
+After some research on the site, I find another page. This page allows you to change your password. I make a password change and capture the request sent to the server with Burp.
+
+![](img/image-7.webp)
+
+I realize that the email of the account is sent during the validation of the form, so I try to send the request but changing my email for the admin one. The server does not return any error, so I can connect to the admin account of the site!
+
+![](img/image-8.webp)
+
+Now that I'm admin, I can upload a new profile picture!
+
+![](img/image-9.webp)
+
+So I create a PHP reverse shell with the following template:
+
+[php-reverse-shell/php-reverse-shell.php at master · pentestmonkey/php-reverse-shellContribute to pentestmonkey/php-reverse-shell development by creating an account on GitHub.![](https://github.com/fluidicon.png)
+
+{{< github repo="pentestmonkey/php-reverse-shell" >}}
+
+I upload my `reverse.php` file thanks to the profile image change form. No error during the upload, I just have to find where the file has been put on the server..
+
+I look at the source code of the page to see if there would not be any information. I find the following comment:
+
+![](img/image-10.webp)
+
+So I go to the following address:
+
+
+```bash
+10.10.57.115/v2/profileimages/reverse.php
+```
+![](img/image-11.webp)
+
+I now have a reverse shell and can recover the first flag.
+
+
+```bash
+$ cat /home/webdeveloper/user.txt
+63191e4ece37523c9fe6bb62a5e64d45
+```
+## Privilege escalation
+
+I start by running [linPeas](https://linpeas.sh). In the result of the command I find that Mysql and MangoDB are running on the machine...
+
+I upgrade my shell with the following command:
+
+
+```bash
+python3 -c 'import pty; pty.spawn("/bin/bash")'
+```
+Then I try to connect to MySQL without success, so I test with MongoDB :
+
+![](img/image-12.webp)
+
+I am now in Mongo, I list the databases with the following command:
+
+![](img/image-13.webp)
+
+After a little exploration, I find in the `backup` database a table `user` :
+
+![](img/image-14.webp)
+
+I can now connect via SSH to webdeveloper. I then check if this user has SUDO authorization:
+
+![](img/image-15.webp)
+
+The `webdeveloper` user can execute the `sky_backup_utility` with root rights. But the most interesting thing is the tag: `env_keep+=LD_PRELOAD`.
+
+After some research I found this website:
+
+[Sudo (LD_PRELOAD) (Linux Privilege Escalation) – Touhid’s Blog](https://touhidshaikh.com/blog/2018/04/sudo-ld_preload-linux-privilege-escalation/)
+
+Overall, it explains that it is possible to execute code before the program and that with root execution rights. So I create a bash.c file with the following content :
+
+
+```C
+#include <stdio.h>
+#include <sys/types.h>
+#include <stdlib.h>
+
+void _init() {
+unsetenv("LD_PRELOAD");
+setgid(0);
+setuid(0);
+system("/bin/bash");
+}
+```
+bash.cThen I compile it with the following command:
+
+
+```bash
+gcc -fPIC -shared -o evil.so evil.c -nostartfiles
+```
+I can now run the program with sudo, without forgetting our code that will be executed at the beginning:
+
+
+```bash
+sudo LD_PRELOAD=/home/webdeveloper/bash.so sky_backup_utility
+```
+![](img/image-16.webp)
+
+I now have a root shell so I can get the last flag.
+
+## Recommendations
+
+To patch this host I think it would be necessary to perform a number of actions:
+
+- Secured the password change page to prevent a user from changing the password of a user other than his own
+- Set up a verification of the upload files to the server to avoid sending PHP code or other
+- Do not store passwords in clear text in a database
+- Secure access to databases
+- Do not change SETUID bit of a program to avoid `LD_PRELOAD` exploit