Skip to main content
  1. writeup-ctf/

Writeup - Road (THM)

·651 words·4 mins·
Table of Contents

This is a writeup for the Road machine from the TryHackMe site.

Enumeration
#

First, let’s start with a scan of our target with the following command:

nmap -sV -T4 -Pn 10.10.57.115

Two TCP ports are discovered:

  • 22/tcp : SSH port (OpenSSH 8.2p1)
  • 80/tcp : HTTP web server (Apache 2.4.41)

Exploit
#

I start with an enumeration of the files of the website.

I find a button on the basic site page that redirects to a login page. We have the possibility to create an account, I start by doing that.

Once the account is created, I log in and see the following page:

In the edit profil section you can’t modify anything except the profile picture, but after looking closer, a message indicates that only the admins can do this action… Except that we learn an important information: the email of the admin!

After some research on the site, I find another page. This page allows you to change your password. I make a password change and capture the request sent to the server with Burp.

I realize that the email of the account is sent during the validation of the form, so I try to send the request but changing my email for the admin one. The server does not return any error, so I can connect to the admin account of the site!

Now that I’m admin, I can upload a new profile picture!

So I create a PHP reverse shell with the following template:

[php-reverse-shell/php-reverse-shell.php at master · pentestmonkey/php-reverse-shellContribute to pentestmonkey/php-reverse-shell development by creating an account on GitHub.

pentestmonkey/php-reverse-shell

PHP
2216
1845

I upload my reverse.php file thanks to the profile image change form. No error during the upload, I just have to find where the file has been put on the server..

I look at the source code of the page to see if there would not be any information. I find the following comment:

So I go to the following address:

10.10.57.115/v2/profileimages/reverse.php

I now have a reverse shell and can recover the first flag.

$ cat /home/webdeveloper/user.txt
63191e4ece37523c9fe6bb62a5e64d45

Privilege escalation
#

I start by running linPeas. In the result of the command I find that Mysql and MangoDB are running on the machine…

I upgrade my shell with the following command:

python3 -c 'import pty; pty.spawn("/bin/bash")'

Then I try to connect to MySQL without success, so I test with MongoDB :

I am now in Mongo, I list the databases with the following command:

After a little exploration, I find in the backup database a table user :

I can now connect via SSH to webdeveloper. I then check if this user has SUDO authorization:

The webdeveloper user can execute the sky_backup_utility with root rights. But the most interesting thing is the tag: env_keep+=LD_PRELOAD.

After some research I found this website:

Sudo (LD_PRELOAD) (Linux Privilege Escalation) – Touhid’s Blog

Overall, it explains that it is possible to execute code before the program and that with root execution rights. So I create a bash.c file with the following content :

#include <stdio.h>
#include <sys/types.h>
#include <stdlib.h>

void _init() {
unsetenv("LD_PRELOAD");
setgid(0);
setuid(0);
system("/bin/bash");
}

bash.cThen I compile it with the following command:

gcc -fPIC -shared -o evil.so evil.c -nostartfiles

I can now run the program with sudo, without forgetting our code that will be executed at the beginning:

sudo LD_PRELOAD=/home/webdeveloper/bash.so sky_backup_utility

I now have a root shell so I can get the last flag.

Recommendations
#

To patch this host I think it would be necessary to perform a number of actions:

  • Secured the password change page to prevent a user from changing the password of a user other than his own
  • Set up a verification of the upload files to the server to avoid sending PHP code or other
  • Do not store passwords in clear text in a database
  • Secure access to databases
  • Do not change SETUID bit of a program to avoid LD_PRELOAD exploit

Related

Writeup - Timing (HTB)
·1143 words·6 mins
Writeup - Devel (HTB)
·293 words·2 mins
Writeup - Paper (HTB)
·782 words·4 mins