---
title: "Writeup - Road (THM)"
date: 2022-04-08
slug: "writeup-road-thm"
type: "writeup-ctf"
--- 

This is a writeup for the [Road](https://tryhackme.com/room/road) machine from the TryHackMe site.

## Enumeration

First, let's start with a scan of our target with the following command:


```bash
nmap -sV -T4 -Pn 10.10.57.115
```
Two TCP ports are discovered:

![](img/image-1.webp)

- 22/tcp : SSH port (OpenSSH 8.2p1)
- 80/tcp : HTTP web server (Apache 2.4.41)

![](img/image-2.webp)

## Exploit

I start with an enumeration of the files of the website.

![](img/image-3.webp)

I find a button on the basic site page that redirects to a login page. We have the possibility to create an account, I start by doing that.

![](img/image-4.webp)

Once the account is created, I log in and see the following page:

![](img/image-5.webp)

In the `edit profil` section you can't modify anything except the profile picture, but after looking closer, a message indicates that only the admins can do this action... Except that we learn an important information: the email of the admin!

![](img/image-6.webp)

After some research on the site, I find another page. This page allows you to change your password. I make a password change and capture the request sent to the server with Burp.

![](img/image-7.webp)

I realize that the email of the account is sent during the validation of the form, so I try to send the request but changing my email for the admin one. The server does not return any error, so I can connect to the admin account of the site!

![](img/image-8.webp)

Now that I'm admin, I can upload a new profile picture!

![](img/image-9.webp)

So I create a PHP reverse shell with the following template:

[php-reverse-shell/php-reverse-shell.php at master · pentestmonkey/php-reverse-shellContribute to pentestmonkey/php-reverse-shell development by creating an account on GitHub.![](https://github.com/fluidicon.png)

{{< github repo="pentestmonkey/php-reverse-shell" >}}

I upload my `reverse.php` file thanks to the profile image change form. No error during the upload, I just have to find where the file has been put on the server..

I look at the source code of the page to see if there would not be any information. I find the following comment:

![](img/image-10.webp)

So I go to the following address:


```bash
10.10.57.115/v2/profileimages/reverse.php
```
![](img/image-11.webp)

I now have a reverse shell and can recover the first flag.


```bash
$ cat /home/webdeveloper/user.txt
63191e4ece37523c9fe6bb62a5e64d45
```
## Privilege escalation

I start by running [linPeas](https://linpeas.sh). In the result of the command I find that Mysql and MangoDB are running on the machine...

I upgrade my shell with the following command:


```bash
python3 -c 'import pty; pty.spawn("/bin/bash")'
```
Then I try to connect to MySQL without success, so I test with MongoDB :

![](img/image-12.webp)

I am now in Mongo, I list the databases with the following command:

![](img/image-13.webp)

After a little exploration, I find in the `backup` database a table `user` :

![](img/image-14.webp)

I can now connect via SSH to webdeveloper. I then check if this user has SUDO authorization:

![](img/image-15.webp)

The `webdeveloper` user can execute the `sky_backup_utility` with root rights. But the most interesting thing is the tag: `env_keep+=LD_PRELOAD`.

After some research I found this website:

[Sudo (LD_PRELOAD) (Linux Privilege Escalation) – Touhid’s Blog](https://touhidshaikh.com/blog/2018/04/sudo-ld_preload-linux-privilege-escalation/)

Overall, it explains that it is possible to execute code before the program and that with root execution rights. So I create a bash.c file with the following content :


```C
#include <stdio.h>
#include <sys/types.h>
#include <stdlib.h>

void _init() {
unsetenv("LD_PRELOAD");
setgid(0);
setuid(0);
system("/bin/bash");
}
```
bash.cThen I compile it with the following command:


```bash
gcc -fPIC -shared -o evil.so evil.c -nostartfiles
```
I can now run the program with sudo, without forgetting our code that will be executed at the beginning:


```bash
sudo LD_PRELOAD=/home/webdeveloper/bash.so sky_backup_utility
```
![](img/image-16.webp)

I now have a root shell so I can get the last flag.

## Recommendations

To patch this host I think it would be necessary to perform a number of actions:

- Secured the password change page to prevent a user from changing the password of a user other than his own
- Set up a verification of the upload files to the server to avoid sending PHP code or other
- Do not store passwords in clear text in a database
- Secure access to databases
- Do not change SETUID bit of a program to avoid `LD_PRELOAD` exploit