Road Writeup
Road link
Enumeration
Running an nmap scan we can see we have 2 ports open, port 22 (ssh) and port 80 (http). Let's start by taking a look at the webserver and see what website is running on it.
Looks like we have a logistics company, could be some goodies in here. Let's start by firing up gobuster and trying to find some directories on the site. Whilst that's running we can also look through the page source to see if there's anything hidden in there; for this I'm going to load up Burp Suite and create a sitemap by clicking through the pages so I can quickly review the source code.
Looking through the website not much was revealed in the source code, but the Merchant Login button in the top right leads to an admin page that has a register option, so diving into that and seeing if we can get an account is definitely a good option.
Gobuster revealed a /phpMyAdmin/ page. This could also be really helpful and could be a good way to get RCE on the server.
Let's start by registering an account and see what we can do in the portal.
Looks like we can reset our password without needing the old password. This could possibly be abused to reset another account's password, so let's keep exploring the site to see if we can find any kind of admin or support account listed somewhere.
Going to our profile in the top right and then clicking Profile we can see some details of our account. Further down the page there is a way to upload profile images, but it seems to be locked to admin only currently; this would be a great way to possibly get RCE on the server. We also have an email address for an admin account as well!
Exploitation
Let's go capture a request in Burp for changing the password and see if we can reset the admin account above.
Capturing the request in Burp we can see it is sending a bunch of data through a POST request. Let's try changing our email to the admin one.
And as we can see, after changing the email address to admin@sky.thm and forwarding the request in Burp, we receive a password changed response. Let's see if we can now log into the admin account.
Success! We are now signed in as the admin account. Let's take a look around and see if there's anything of interest we can do as an admin.
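The bug behind that reset is that the server takes the account email from the POST body instead of from the logged-in session. Below is an added example (not code from the Road box, which is PHP) showing a minimal handler with that defect beside the fixed one; the store, session IDs and the tester account are constructed sample data.

```python
# Added example: client-trusting vs session-bound password change.
# The vulnerable version uses form['email'] to pick the account to modify,
# so any logged-in user can change any other user's password by editing
# one field in the request. The fixed version derives the account from the
# server-side session and refuses a mismatching client-supplied email.
from dataclasses import dataclass, field


@dataclass
class Store:
    # Constructed sample data: the admin address is the one seen on the box.
    passwords: dict = field(default_factory=lambda: {
        "admin@sky.thm": "old-admin-pass",
        "tester@example.invalid": "old-test-pass",
    })
    # session id -> authenticated user
    sessions: dict = field(default_factory=lambda: {
        "sess-123": "tester@example.invalid",
    })


def vulnerable_change_password(store, session_id, form):
    """Only checks that *someone* is logged in; the target comes from the client."""
    if session_id not in store.sessions:
        return "not logged in"
    target = form["email"]
    if target not in store.passwords:
        return "no such user"
    store.passwords[target] = form["new_password"]
    return "password changed"


def fixed_change_password(store, session_id, form):
    """Target account is the session's user; form['email'] is never trusted."""
    user = store.sessions.get(session_id)
    if user is None:
        return "not logged in"
    if form.get("email") and form["email"] != user:
        # Caller is trying to act on another account: refuse (and log it).
        return "forbidden"
    store.passwords[user] = form["new_password"]
    return "password changed"
```

Requiring the current password in addition would further limit the damage from a stolen session cookie.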
Going back to the profile, let's see if we can bypass any filters that may be there and upload a PHP shell. We'll start by uploading a standard image and try to find out where the image is stored.
I copied an image from the /assets/img/ directory, which is where the original profile icon is stored, and renamed it to test.png; we'll use this as our test.
After submitting the image we get an Image saved message, and further down in the response we can see where the image appears to be saved. Let's go check the /v2/profileimages/ directory and see if our test image is there.
Navigating to the directory we can see directory listing is disabled, but we can still navigate directly to the test image we uploaded. Now let's see if we can upload a PHP reverse shell.

Selecting our reverse shell and uploading it, we can see that the Content-Type gets listed as application/x-php. Let's change this to image/png in case there is some filtering. There are far more advanced tactics we could use to bypass additional filtering, but let's start off light in case we can get an easy win.
And as we can see above, we managed to save the "image" successfully. Let's go check that it's actually there and that we can establish a reverse shell.
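The upload went through because the server keyed its check on the client-supplied Content-Type header. As an added example (not the site's code), here is the server-side validation that would have rejected it: the header is ignored, the extension is checked against an allowlist, the file's leading bytes must match that extension, and the stored name is chosen by the server. Sample uploads are constructed inline.

```python
# Added example: image upload validation that does not trust Content-Type.
import os
import secrets

# Allowed extensions and the magic bytes each must start with.
ALLOWED = {
    ".png": b"\x89PNG\r\n\x1a\n",
    ".jpg": b"\xff\xd8\xff",
    ".jpeg": b"\xff\xd8\xff",
    ".gif": b"GIF8",
}


def validate_image(filename, data, content_type=None):
    """Return (ok, reason). content_type is accepted only to make the point
    that it is attacker controlled and therefore never consulted."""
    name = os.path.basename(filename).lower()
    _, ext = os.path.splitext(name)
    if ext not in ALLOWED:
        return False, "extension not allowed"
    if "\x00" in name or name.count(".") > 1:
        # Blocks double extensions such as shell.php.png and null-byte tricks.
        return False, "suspicious filename"
    if not data.startswith(ALLOWED[ext]):
        return False, "content does not match extension"
    return True, "ok"


def stored_name(ext):
    """Server-chosen random name: the uploader never controls the path."""
    return secrets.token_hex(16) + ext


def handle_upload(filename, data, content_type=None):
    """Mimics the site's 'Image saved' response on success, (None, reason) otherwise."""
    ok, reason = validate_image(filename, data, content_type)
    if not ok:
        return None, reason
    _, ext = os.path.splitext(os.path.basename(filename).lower())
    return stored_name(ext), "Image saved"
```

Serving /v2/profileimages/ with PHP execution disabled for that directory is the second half of the fix; validation alone should not be the only barrier.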
And sure enough we have a reverse shell. Let's stabilize the shell with socat before we enumerate any further.
Nice and easy. Now let's do a quick bit of manual enumeration on the machine before uploading linpeas and letting that give us some extra info.
Navigating through to the home directory we can see we have a user called webdeveloper. We can also see that user.txt is readable, so let's grab that quickly as our first flag.
Looking through what linpeas finds, we can see some extra ports listening internally only, and one of those appears to be MongoDB on 27017. Further down we can confirm that the mongo shell is installed, so let's try to access the MongoDB shell and see what we can do.
Let's take that password and try switching users.
And sure enough we have the webdeveloper account!
PrivEsc
Earlier we could see a .sudo_as_admin file in the webdeveloper home directory, so let's see if we can do anything with sudo -l. There are two things to notice here: first is the env_keep+=LD_PRELOAD, and second is that we can run a binary called sky_backup_utility. Let's run strings on the binary and try to see what it does.
Looks pretty simple: it runs tar and backs up the /var/wwwhtml directory. We can't exploit the wildcard though, as the wildcard is a part of the path; what we can do is abuse the LD_PRELOAD listed in sudo -l.
On our machine we can create a file like the one above, then we need to transfer it to our victim, compile it as a shared object and load it with our sudo command. To confirm gcc is on the machine you can look under software information in the linpeas output or type which gcc in the terminal.
The two commands run above that are cut off by the terminal are gcc -fPIC -shared -o exploit.so exploit.c -nostartfiles and sudo LD_PRELOAD=/tmp/exploit.so /usr/bin/sky_backup_utility.
After the above steps have been completed we now have root and can grab our root flag!
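The root of this privesc is a sudoers misconfiguration, not a flaw in sky_backup_utility itself: env_keep lets a loader variable through sudo's env_reset. As an added example (not part of the writeup), here is a small audit that reads sudoers-style text and reports that combination; the sample text is constructed in sudoers syntax from what sudo -l showed, and the parser assumes the plain global Defaults form rather than host- or user-specific Defaults lines.

```python
# Added example: flag env_keep of loader variables next to root-capable rules.
import re

DANGEROUS_ENV = ("LD_PRELOAD", "LD_LIBRARY_PATH")
# Matches: Defaults env_keep += "LD_PRELOAD"  or  Defaults env_keep+=LD_PRELOAD
ENV_KEEP_RE = re.compile(r'^\s*Defaults\b.*\benv_keep\s*\+?=\s*"?([^"]*)"?')
# Matches: user HOST=(RUNAS) [TAG:] command   (anything that is not a Defaults line)
RULE_RE = re.compile(r'^\s*(?!Defaults\b)(\S+)\s+\S+\s*=\s*(\([^)]*\)\s*)?(.*)$')

# Constructed sample reflecting the sudo -l output on the box.
SAMPLE_SUDOERS = """\
Defaults env_reset
Defaults env_keep += "LD_PRELOAD"
webdeveloper ALL=(ALL) NOPASSWD: /usr/bin/sky_backup_utility
"""


def audit_sudoers(text):
    """Return a list of finding strings; an empty list means nothing was flagged."""
    kept, rules, findings = set(), [], []
    for line in text.splitlines():
        line = line.split("#", 1)[0].rstrip()   # drop comments and blanks
        if not line:
            continue
        m = ENV_KEEP_RE.match(line)
        if m:
            kept.update(v for v in m.group(1).split() if v in DANGEROUS_ENV)
            continue
        m = RULE_RE.match(line)
        if m:
            rules.append((m.group(1), m.group(3).strip()))
    # A preserved loader variable matters because every sudo rule inherits it:
    # the caller chooses a library that the dynamic loader maps into a root process.
    for var in sorted(kept):
        findings.append(f"env_keep preserves {var}: sudo passes it to the dynamic loader")
        for user, cmd in rules:
            findings.append(f"  {user} can run '{cmd}' as root with a caller-chosen {var}")
    return findings


if __name__ == "__main__":
    for f in audit_sudoers(SAMPLE_SUDOERS) or ["no loader variables preserved"]:
        print(f)
```

The fix is to drop the env_keep entry; the same check is worth running over /etc/sudoers.d/* as root, since an included fragment can add the entry back.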