Writeup - Road (THM)

Author: d3vyce

This is a writeup for the Road machine from the TryHackMe site.

Enumeration

First, let’s start with a scan of our target with the following command:

nmap -sV -T4 -Pn 10.10.57.115

Two TCP ports are discovered:

  • 22/tcp : SSH port (OpenSSH 8.2p1)
  • 80/tcp : HTTP web server (Apache 2.4.41)

Exploit

I start by enumerating the website's files.

On the main page I find a button that redirects to a login page. It is possible to create an account, so I start by doing that.

Once the account is created, I log in and see the following page:

In the edit profile section nothing can be modified except the profile picture, and on closer inspection a message indicates that only admins can perform this action… but it reveals an important piece of information: the admin's email!

After some research on the site, I find another page that allows you to change your password. I make a password change and capture the request sent to the server with Burp.

I notice that the account's email is sent along with the form, so I resend the request with my email replaced by the admin's. The server returns no error, so I can log into the admin account of the site!

Now that I’m admin, I can upload a new profile picture!

So I create a PHP reverse shell from the following template:

pentestmonkey/php-reverse-shell (php-reverse-shell.php on GitHub)

I upload my reverse.php file through the profile image change form. No error during the upload; I just have to find where the file has been put on the server.

I look at the page source for any hints and find the following comment:

So I go to the following address:

10.10.57.115/v2/profileimages/reverse.php

I now have a reverse shell and can recover the first flag.

$ cat /home/webdeveloper/user.txt
63191e4ece37523c9fe6bb62a5e64d45

Privilege escalation

I start by running linPEAS. In its output I find that MySQL and MongoDB are running on the machine…

I upgrade my shell with the following command:

python3 -c 'import pty; pty.spawn("/bin/bash")'

Then I try to connect to MySQL without success, so I test with MongoDB:

Once in Mongo, I list the databases with the following command:

After a little exploration, I find a user collection in the backup database:

I can now connect via SSH as webdeveloper. I then check whether this user has sudo rights:

The webdeveloper user can execute sky_backup_utility with root rights. But the most interesting thing is the option env_keep+=LD_PRELOAD.

After some research I found this website:

Sudo (LD_PRELOAD) (Linux Privilege Escalation) – Touhid’s Blog

In short, it explains that a shared library named in LD_PRELOAD is loaded, and its initializer run, before the program itself; since sudo keeps that variable, the code runs with root rights. So I create a bash.c file with the following content:

#include <stdio.h>
#include <sys/types.h>
#include <stdlib.h>
#include <unistd.h>

/* Entry point of the preloaded library (-nostartfiles): runs before main() */
void _init() {
    unsetenv("LD_PRELOAD");   /* do not preload into the spawned shell */
    setgid(0);
    setuid(0);
    system("/bin/bash");
}

Then I compile it with the following command (the output name must match the one used with sudo below):

gcc -fPIC -shared -o bash.so bash.c -nostartfiles

I can now run the program with sudo, preloading the library so that my code is executed first:

sudo LD_PRELOAD=/home/webdeveloper/bash.so sky_backup_utility

I now have a root shell so I can get the last flag.

Recommendations

I think a number of actions are needed to fix this host:

  • Secure the password change page so that a user cannot change the password of an account other than their own
  • Set up verification of files uploaded to the server to avoid accepting PHP code or other executable content
  • Do not store passwords in clear text in the database
  • Secure access to the databases
  • Do not set the SETUID bit on programs, and do not keep LD_PRELOAD in the sudo environment (env_keep), to avoid the LD_PRELOAD exploit
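As an added illustration of the first and third recommendations (this is example code, not part of the writeup or of the Road application), here is a Python model of the password-change handler: the vulnerable version trusts the email field sent with the form, while the fixed version only ever updates the account bound to the session and stores a salted hash instead of clear text. The user store and the email addresses are constructed for the example.

```python
import hashlib
import hmac
import os

# Constructed in-memory user store standing in for the site's MongoDB
# collection. The emails are hypothetical, not the machine's real accounts.
USERS = {}

def hash_password(password: str, salt: bytes) -> bytes:
    # Salted PBKDF2 instead of the clear text found in the backup database.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def set_password(email: str, password: str) -> None:
    salt = os.urandom(16)
    USERS[email] = {"salt": salt, "hash": hash_password(password, salt)}

def verify_password(email: str, password: str) -> bool:
    rec = USERS.get(email)
    if rec is None:
        return False
    return hmac.compare_digest(rec["hash"], hash_password(password, rec["salt"]))

def seed_users() -> None:
    # Reset the store to a known state: an admin and one ordinary user.
    USERS.clear()
    set_password("admin@example.com", "admin-secret")
    set_password("alice@example.com", "alice-secret")

def change_password_vulnerable(session_email: str, form: dict) -> bool:
    # Road's flaw: the account to update is taken from the submitted form,
    # so a logged-in user can name the admin's email instead of their own.
    set_password(form["email"], form["new_password"])
    return True

def change_password_fixed(session_email: str, form: dict) -> bool:
    # The only account a request may change is the one bound to the
    # authenticated session; any email field in the form is ignored, and
    # the caller must prove the current password before a new one is set.
    if session_email not in USERS:
        return False
    if not verify_password(session_email, form.get("current_password", "")):
        return False
    set_password(session_email, form["new_password"])
    return True

seed_users()
```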
