🔴 Road

Hello hackers! 😎🐱‍💻

Today I will tackle a room titled “Road” by StillNoob on the TryHackMe platform. It’s a medium-level room and a classic CTF challenge with two flags to obtain — user and root. So, let’s begin...

Enumeration

After launching our box, we’ll start with enumeration. For this task, we’ll use the Nmap tool. Personally, I like to perform two scans instead of one. The first scan uses the -sS flag, known as a TCP SYN scan or stealth scan, which does not complete the full TCP handshake. The second argument is -p-, which tells Nmap to scan all 65535 TCP ports. The whole output is redirected to a file for clarity.

The complete command will look like this:

sudo nmap -sS -p- Target_IP -v >> nmap_scan.txt

As we can see, only 2 ports are open: 22 and 80. Now, weโ€™ll proceed to the second, more extensive scan but only for these ports. We do this to avoid bombarding the network with various scripts and heavy network traffic, which would be immediately noticeable in a real-world scenario.

Use the command:

Here, we add two new flags: -sV for version detection and -sC to run the default scripts. A handy cheatsheet on Nmap syntax can be found here: Nmap and Nessus Cheat Sheet.
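The two-scan workflow above (a fast all-ports sweep, then a script and version scan restricted to what was found open) is easy to automate. The following is an added example, not code from the write-up: it parses Nmap’s normal output for the open TCP ports and builds the follow-up command from them. The Nmap output embedded here is a constructed sample that mirrors the two open ports the write-up reports, and the exact shape of the second command (with -sV and -sC, the flags named above) is an assumption.

```python
import re
from typing import List

# Constructed sample of Nmap's normal output for the first, all-ports
# SYN scan. It is made up for this example; a filtered port is included
# to show that only genuinely open ports are carried forward.
SAMPLE_NMAP_OUTPUT = """\
Starting Nmap ( https://nmap.org )
Nmap scan report for 10.10.10.10
Host is up (0.050s latency).
Not shown: 65532 closed tcp ports (reset)
PORT    STATE    SERVICE
22/tcp  open     ssh
80/tcp  open     http
443/tcp filtered https

Nmap done: 1 IP address (1 host up) scanned in 12.34 seconds
"""

# Matches lines such as "22/tcp  open  ssh" in Nmap's normal output.
PORT_LINE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)")


def open_ports(nmap_output: str, proto: str = "tcp") -> List[int]:
    """Return the port numbers Nmap reported as open for the given protocol."""
    ports: List[int] = []
    for line in nmap_output.splitlines():
        m = PORT_LINE.match(line)
        if m and m.group(2) == proto and m.group(3) == "open":
            ports.append(int(m.group(1)))
    return ports


def targeted_scan_command(target: str, ports: List[int]) -> str:
    """Build the second, narrower scan (assumed shape; -sV/-sC as in the write-up)."""
    if not ports:
        raise ValueError("no open ports found; nothing to scan")
    port_arg = ",".join(str(p) for p in ports)
    return f"sudo nmap -sV -sC -p {port_arg} {target}"


if __name__ == "__main__":
    found = open_ports(SAMPLE_NMAP_OUTPUT)
    print("open tcp ports:", found)
    print(targeted_scan_command("Target_IP", found))
```

Feeding the real first-scan file (nmap_scan.txt above) into open_ports gives the same port list that the write-up reads off by hand, and keeps the noisy script scan limited to the handful of services that actually answer.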

We see that the machine has the HTTP port open with a web server running. However, before we start tinkering with the website, let’s run a directory search in the background to find any noteworthy locations. Various tools can be used for this task; this time I used dirsearch, but many others can be used based on preference. The command dirsearch -u http://Target_IP/ lets dirsearch run in the background.

Let’s take a look at the website, shall we?

On the main page, there’s nothing noteworthy. However, dirsearch found a login page at http://Target_IP/v2/admin. The page also allows the creation of a new account.

Let’s fill in the fields with any information in the register panel. After logging in, we’ll see our dashboard, but unfortunately, besides resetting the password, we can’t do much.

However, by going to our profile, we’ll find information about the admin’s email.

User flag

The idea is to reset not our own password but the administrator’s. Unfortunately, the field for the address whose password we want to change is locked in the browser. Therefore, we’ll use Burp Suite to intercept the password-reset request and modify it by hand, swapping in the administrator’s email.

This way, we can log in to the administrator’s account with our newly reset password.
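The reason the trick works is that the server takes the target account from a form field the browser controls, and a locked input is no control at all once the request is intercepted. The following is an added example, not code from the room or the write-up, contrasting that flawed handler with one that derives the target account from the authenticated session. The in-memory user store, the e-mail addresses and the PBKDF2 parameters are all constructed for the example.

```python
import hashlib
import hmac
import secrets
from typing import Dict, List


class ResetError(Exception):
    """Raised when a password reset is refused."""


def hash_password(password: str, salt: str) -> str:
    # Salted PBKDF2; the iteration count is illustrative, not the site's real scheme.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt.encode(), 100_000).hex()


def make_user(password: str) -> Dict[str, str]:
    salt = secrets.token_hex(8)
    return {"salt": salt, "hash": hash_password(password, salt)}


# Constructed in-memory user store standing in for the site's database.
USERS: Dict[str, Dict[str, str]] = {
    "admin@example.test": make_user("original-admin-pass"),
    "user@example.test": make_user("hunter2"),
}

# Where a defender would look for tampering attempts.
AUDIT_LOG: List[str] = []


def check_password(email: str, password: str) -> bool:
    rec = USERS.get(email)
    if rec is None:
        return False
    return hmac.compare_digest(rec["hash"], hash_password(password, rec["salt"]))


def reset_password_vulnerable(session_email: str, form_email: str, new_password: str) -> str:
    """Mirrors the flaw exploited above: the target account is whatever the form says.

    The session identity is accepted as a parameter but never consulted, so any
    logged-in user can reset any other account's password by editing the request.
    """
    if form_email not in USERS:
        raise ResetError("unknown account")
    USERS[form_email] = make_user(new_password)
    return form_email


def reset_password_hardened(session_email: str, form_email: str, new_password: str) -> str:
    """The target is always the authenticated user; a mismatching field is logged as tampering."""
    if form_email != session_email:
        AUDIT_LOG.append(f"reset tampering: session={session_email} requested={form_email}")
        raise ResetError("password resets apply only to your own account")
    USERS[session_email] = make_user(new_password)
    return session_email


if __name__ == "__main__":
    # Logged in as the ordinary user, but the form names the administrator.
    print(reset_password_vulnerable("user@example.test", "admin@example.test", "changed"))
    try:
        reset_password_hardened("user@example.test", "admin@example.test", "changed")
    except ResetError as exc:
        print("refused:", exc)
    print(AUDIT_LOG)
```

The hardened handler does not need the e-mail field at all; it is kept only so the mismatch can be logged, which turns the very request Burp Suite sends into a detection signal rather than a successful takeover.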

So, having gained access to the administrative panel, we can… well, not much more than we could with a regular user account. The only difference is that, unlike our previous account, we can change our profile picture. However, during testing, I discovered that the website doesn’t perform file type verification, meaning we can upload any file to the server. Let’s try to exploit this to gain shell access. I uploaded a PHP reverse shell script to the server, which is available for download here: php-reverse-shell.php. The problem was that we didn’t know where the images are saved on the server, and dirsearch didn’t find anything that could help us with this.
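The missing file type verification is the whole reason the profile picture feature turns into code execution. As an added example, not code from the site or the write-up, here is the check a profile-image upload handler should make: an extension allowlist judged on the last extension, a magic-bytes check that the content really is that image type, a size cap, and a server-chosen storage name so the client’s filename never reaches disk. The sample PNG and PHP byte strings are constructed for the example.

```python
import secrets

# Leading bytes of the image types a profile picture upload may accept.
IMAGE_MAGIC = {
    "png": b"\x89PNG\r\n\x1a\n",
    "jpg": b"\xff\xd8\xff",
    "gif": b"GIF8",
}
MAX_BYTES = 2 * 1024 * 1024  # 2 MiB cap, an assumed limit for an avatar


class UploadRejected(Exception):
    pass


def validate_profile_image(filename: str, data: bytes) -> str:
    """Validate an upload and return a server-chosen storage name, or raise UploadRejected."""
    if not data or len(data) > MAX_BYTES:
        raise UploadRejected("empty or oversized upload")
    # Judge the *last* extension so that shell.php.png is treated as png and
    # must then pass the png content check.
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    if ext == "jpeg":
        ext = "jpg"
    if ext not in IMAGE_MAGIC:
        raise UploadRejected(f"extension {ext!r} not allowed")
    if not data.startswith(IMAGE_MAGIC[ext]):
        raise UploadRejected("content does not match declared image type")
    # Defence in depth against an image with PHP appended. The primary control is
    # that the upload directory is served with script execution disabled.
    if b"<?php" in data or b"<?=" in data:
        raise UploadRejected("embedded script tag")
    # Never reuse the client's name: a random name, with the validated extension.
    return f"{secrets.token_hex(16)}.{ext}"


def accepts(filename: str, data: bytes) -> bool:
    """Convenience wrapper: True if the upload would be stored."""
    try:
        validate_profile_image(filename, data)
        return True
    except UploadRejected:
        return False


# Constructed samples for the checks below.
SAMPLE_PNG = IMAGE_MAGIC["png"] + b"\x00" * 64
SAMPLE_PHP = b"<?php echo 'constructed sample'; ?>\n"

if __name__ == "__main__":
    for name, blob in [("avatar.png", SAMPLE_PNG), ("shell.php", SAMPLE_PHP),
                       ("shell.php.png", SAMPLE_PHP), ("poly.png", SAMPLE_PNG + SAMPLE_PHP)]:
        print(f"{name:14} -> {'stored' if accepts(name, blob) else 'rejected'}")
```

Even with these checks in place, the directory the images land in should not be handed to the PHP interpreter at all; validation narrows what gets stored, but the execution policy on the upload path is what makes a slipped-through file harmless.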

After some time, I discovered something I overlooked at the very beginning. Checking the page source code (F12 in the browser), we can see a comment revealing that the files are saved at http://Target_IP/v2/profileimages.

So, it works! Now all we need to do is edit our PHP script, changing the IP and port to those of the local machine we are attacking from, and set up a listener. You can do it traditionally with netcat using the command nc -lvnp Listening_Port, but I decided to do it with style 😎 using the pwncat program. You can find pwncat, along with installation instructions and usage documentation, here: pwncat. After setting up the listener, all that’s left is to wait for our reverse shell.

And we are in! Navigating through the file system, we can find the user flag.

The root flag | part 1

The next element of our task is privilege escalation, our journey to becoming root. A very helpful automated tool for this is linPEAS, which can be downloaded here: linPEAS. Our task is to upload the script (linpeas.sh) to the target machine. There are many ways to do this, but I will use pwncat, which allows easy file transfer from our machine to the server with the upload command. It’s good practice to save this file in the /tmp folder and then use the command chmod +x linpeas.sh to make it executable. In the end, just run it by adding ‘./’ before the name (./linpeas.sh).

During the analysis of the information provided by linPEAS, we can observe that the server has a service listening on port 27017, which is the default port for MongoDB. We can access the database with the command mongo 127.0.0.1.

Navigating a MongoDB database requires commands with roughly the same purpose as in MySQL, but the syntax is different. To get to the interesting data, use the following commands:

  • show dbs — lists databases

  • use backup — switches to the database named “backup”

  • show collections — displays tables (called collections in MongoDB)

  • db.user.find() — shows the contents of the “user” collection

In this way, we found credentials for another user on the system, namely “webdeveloper”!

With our newly acquired credentials, we can log in as the web developer!

The Root flag | part 2

So, we are a new user who, although having more freedom than the previous one, is not yet root. We can verify this with the command sudo -l. Interestingly, this user can run /usr/bin/sky_backup_utility with administrator privileges. We also see a default entry that was not present for our previous account: env_keep+=LD_PRELOAD. LD_PRELOAD is an environment variable that makes the dynamic loader load a chosen shared library before any other; sudo normally strips it, and keeping it means it is passed through to the privileged program. We will try to exploit this for our purposes.
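From the defender’s side, the combination that makes this escalation possible is visible in a single file: a sudoers rule letting a non-root user run a command as root, together with an env_keep entry that lets a loader-controlling variable survive sudo’s env_reset. The following is an added example, not code from the room or the write-up: a small sudoers auditor that flags exactly that pairing. The sudoers excerpt is constructed to model the situation described above; the variable list and the finding format are assumptions.

```python
import re
from typing import Dict, Iterator, List, Set

# Variables that let the invoking user decide what a sudo-run program loads.
# sudo's env_reset strips them by default; env_keep re-admits them.
RISKY_ENV = {"LD_PRELOAD", "LD_LIBRARY_PATH", "PYTHONPATH", "PERL5LIB"}

# Constructed /etc/sudoers excerpt modelled on the write-up's sudo -l output.
SAMPLE_SUDOERS = """\
Defaults        env_reset
Defaults        secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
Defaults        env_keep += "LD_PRELOAD"
root    ALL=(ALL:ALL) ALL
webdeveloper ALL=(ALL) /usr/bin/sky_backup_utility
"""

# Defaults env_keep += "VAR ..." (quotes optional), and a user specification
# of the form:  user HOST=(RUNAS) command list
ENV_KEEP = re.compile(r'^\s*Defaults\b.*\benv_keep\s*\+?=\s*"?([^"]+?)"?\s*$')
USER_SPEC = re.compile(r'^\s*(\S+)\s+\S+\s*=\s*\(([^)]*)\)\s*(.*?)\s*$')


def _clean_lines(text: str) -> Iterator[str]:
    """Yield sudoers lines with comments and blank lines removed."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if line:
            yield line


def risky_env_kept(text: str) -> Set[str]:
    """Return the RISKY_ENV variables that an env_keep line preserves."""
    kept: Set[str] = set()
    for line in _clean_lines(text):
        m = ENV_KEEP.match(line)
        if m:
            kept.update(v for v in m.group(1).split() if v in RISKY_ENV)
    return kept


def audit_sudoers(text: str) -> List[Dict[str, str]]:
    """Report kept loader variables and every non-root rule they would affect."""
    findings: List[Dict[str, str]] = []
    kept = risky_env_kept(text)
    for var in sorted(kept):
        findings.append({"severity": "high", "subject": var,
                         "detail": f"{var} survives sudo's env_reset; remove it from env_keep"})
    for line in _clean_lines(text):
        m = USER_SPEC.match(line)
        if not m or m.group(1) == "root" or m.group(1).startswith("%"):
            continue
        user, runas, cmds = m.groups()
        if kept:
            findings.append({"severity": "high", "subject": user,
                             "detail": f"may run {cmds} as ({runas}) while "
                                       f"{', '.join(sorted(kept))} is kept; the loader "
                                       f"environment of that command is user-controlled"})
        else:
            findings.append({"severity": "info", "subject": user,
                             "detail": f"may run {cmds} as ({runas})"})
    return findings


if __name__ == "__main__":
    for f in audit_sudoers(SAMPLE_SUDOERS):
        print(f"[{f['severity']}] {f['subject']}: {f['detail']}")
```

Run against the constructed excerpt, the auditor reports LD_PRELOAD as kept and marks the webdeveloper rule high for that reason; delete the env_keep line and the same rule drops to an informational entry, which is the remediation the finding text points at.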

Below is a simple C code that will allow us to take advantage of this attack vector:

Simply open your favorite text editor on the server, paste the code, and save it under a name of your choice. In my case, it will be root.c. Then use the command gcc -fPIC -shared -o root.so root.c -nostartfiles to compile our code. To execute the privilege escalation, use the command:

…and voilà, we are root!

A very interesting room! I had a ton of fun solving it and learning new things. To you, the reader, I hope the above write-up helped in solving the room and learning something new. Let me know if I missed anything, and feel free to check out my other write-ups. Thanks for reading, and see you soon! 😁
