Creative
Exploit a vulnerable web application and some misconfigurations to gain root privileges.
Last updated
Exploit a vulnerable web application and some misconfigurations to gain root privileges.
Last updated
Let's start with a nmap scan.
The Nmap scan results show only two open ports: port 22, which is running SSH, and port 80, hosting a web server with nginx version 1.18.0.
Visting the site, it seems to be a webpage for a UI/UX, Web Development and App Design services.
Ferox buster didn't reveal any directories worth looking at.
Subdomain enumeration revealed a subdomain beta.creative.thm.
After adding it to /etc/hosts we can visit this site. We encounter a beta URL tester that checks if a provided URL is live or dead. If the URL is live, we get redirected to the corresponding page. This setup appears to be vulnerable to Server-Side Request Forgery (SSRF) exploitation.
We can utilize Ffuf for port scanning by generating a port list using the seq command. After a short duration, we identify port 1337. The scan pauses briefly on port 5000, likely due to the presence of beta.creative.thm internally, causing a recursive call delay. However, the scan resumes shortly afterward.
Requesting the endpoint on 1337:
We make a request to the home directory and find a directory called saad. Which has user.txt.
We can also find the private SSH key of saad in the .ssh folder.
After saving the key and adjusting permissions accordingly, we attempt to log in via SSH as Saad. However, we encounter a prompt requesting a passphrase for the SSH key.
We feed the SSH key into ssh2john to produce a hash that can be cracked using John the Ripper.
Next, we crack the hash using John with rockyou.txt, and get the passphrase for the key.
With the passphrase obtained, we successfully log in and gain access as the user Saad. In the user's home directory, we locate the first flag, which was previously accessible via the beta.creative.thm website.
sudo -l asks for a password, however while enumerating the user's home directory, we discover a .bash_history file containing valuable content. This file holds the credentials for the user Saad.
With the obtained credentials, we successfully query sudo -l. We find that we have permission to run /usr/bin/ping with sudo privileges. However, this alone does not provide a straightforward path for privilege escalation.
Fortunately for us, there's another option available: env_keep+=LD_PRELOAD.
LD_PRELOAD is an environment variable commonly used on Unix-like systems to preload shared libraries before others when a program is executed. This enables overriding functions in other shared libraries.
If an attacker can manipulate LD_PRELOAD to reference a malicious shared library, and if this environment variable is preserved when running commands with sudo, it presents an avenue for executing arbitrary code with elevated privileges.
We make use of a provided resource containing a previously mentioned shared library written in C. This library incorporates a function designed to elevate privileges to root by setting the user and group IDs to zero and spawning a shell. This effectively grants root shell access to the user.
We compile the C code into a shared library.
Next, we execute the ping command with sudo privileges while setting LD_PRELOAD to the previously crafted shared library. This allows us to obtain a root shell, granting us access to extract the root flag located at /root.
