NOTICE: Please try it yourself before looking into this writeup. If you are truly stuck, then let this writeup help you wriggle out a little bit.
Hello everyone. This is a writeup of the room Road on TryHackMe, created by StillNoob, and my first writeup. It was a fun experience to tackle this room. Hopefully this writeup will help those who are stuck on a particular part of it. Feedback on this writeup is highly appreciated!
Scanning and Enumeration
As usual, we start with enumeration of the given box to gather as much information about it as we can. I started with a full-port nmap scan and saved the normal output to a file.
sudo nmap -sV [MACHINE_IP] -p- -oN initialscan
On this box, the ports for ssh and http are open. We could try accessing the website first and then use gobuster to brute-force directories.
gobuster dir -u http://[MACHINE_IP] -w $dir_common -x php,txt,html -t 100 -o 80gobustercommon -q
I ran gobuster against the web server using the common.txt wordlist that ships with Kali Linux (the wordlist’s path, /usr/share/wordlist/dirbuster/common.txt, is stored in the $dir_common shell variable) to find accessible directories and files with php, txt and html extensions. The -o flag saves the output to a file so we can read it again later, and -q keeps the banner out of it.
Hey, there’s a phpMyAdmin directory. Accessing it brings us to the phpMyAdmin login page. I tried logging in with default credentials such as root with no password, but access was denied because the account is configured to require a password.
Next, let’s actually explore the website. At first glance there seems to be nothing special except the “Merchant Central” button, which redirects us to a login page. The page source is also a good place to start examining a website, to see whether there are any commented-out lines. The page source doesn’t have anything interesting, so let’s explore the login page we found.
Since we don’t know the credentials, we could try registering first to see what’s behind this login page. Fill in the form with whatever data you want; I usually use abc so the credentials are easy to remember. Fill it in and try logging in.
This is nice, let’s start examining this page. I found that it has a ResetUser page where we can reset our password. Trying it resulted in the message “password change unsuccessful”. Well, that’s weird. Looking into its page source yielded nothing either.
There is a profile page where we can modify information about the profile we are using. Almost all of the fields are greyed out, except for selecting a profile image. Only the admin has access to that feature, and the message gives us the admin’s email. Note down the email “admin@sky.thm”.
So far, two pages have caught my interest: ResetUser and the Profile page. It might be possible to reset the admin account’s password and then upload a shell instead of a profile image, but ResetUser is not working. I tried to find other places I might have missed, but I don’t think I found anything else.
I found that we can fill in the registration form with the admin email, but it doesn’t work. The website is probably backed by the SQL database configured in phpMyAdmin, and it checks the admin email against its real record rather than accepting our cheeky duplicate.
I tried logging in again with the account we created before, but the login failed. Then I tried the password I had changed it to: success. This proves that ResetUser actually worked despite the message it generated.
Foothold
I used Burp Suite to intercept and inspect the request being sent to the server.
Our email is sent as “uname”, and our new password and its confirmation as “npass” and “cpass” respectively. Looking at the intercepted request, I figured that we could change the value of “uname” to admin@sky.thm and so change that account’s password to “abcde”. We forward the modified request and try logging in as admin@sky.thm.
Oh no, we successfully changed the admin password to what we specified. Looking at the ResetUser form, the server should have verified the current password of the account named in “uname” before changing it, but it didn’t, which let us change admin@sky.thm’s password.
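To make the flaw concrete, here is an added illustration (my own code, not the room’s PHP) of a reset handler that trusts the client-sent “uname” field, beside a hardened one that binds the reset to the logged-in session and checks the current password. The user table, the hashing scheme and the “opass” field name are assumptions; only uname, npass and cpass come from the intercepted request.

```python
import hashlib
import hmac
import os

# Constructed in-memory user table standing in for the site's database; how the
# real site hashes passwords is not on the page, so salted PBKDF2 is assumed.
def hash_password(password, salt=None):
    salt = salt or os.urandom(16)
    return salt + hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def verify_password(password, stored):
    salt, digest = stored[:16], stored[16:]
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    return hmac.compare_digest(candidate, digest)

USERS = {
    "admin@sky.thm": hash_password("ADMIN-PASSWORD-PLACEHOLDER"),
    "abc@abc.com": hash_password("abc"),  # the throwaway account we registered
}

def reset_vulnerable(session_user, form):
    """Behaves like the ResetUser page described above: the account to update
    is whatever 'uname' the client sends; the logged-in user is never consulted
    and the current password is never checked."""
    if form.get("npass") != form.get("cpass"):
        return "password change unsuccessful"
    USERS[form["uname"]] = hash_password(form["npass"])
    return "password changed"

def reset_fixed(session_user, form):
    """Hardened handler: the target is the authenticated session user, the
    client-sent 'uname' must agree with it, and the current password ('opass',
    an assumed field name) must verify before anything is written."""
    if session_user not in USERS:
        return "not authenticated"
    if form.get("uname") != session_user:
        return "forbidden"
    if not verify_password(form.get("opass", ""), USERS[session_user]):
        return "current password incorrect"
    if not form.get("npass") or form["npass"] != form.get("cpass"):
        return "password change unsuccessful"
    USERS[session_user] = hash_password(form["npass"])
    return "password changed"
```

With the hardened handler, tampering with “uname” in the proxy is simply rejected, and the only account a session can change is its own.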
Let us try uploading an image, a cat image, in the Profile page.
It says the image was saved, but I cannot find the directory it went to. I checked the /assets directory that gobuster found: nope, nothing.
I inspected the source code line by line and found a commented line that revealed a new directory, /v2/profileimages/. Hey, this might be where my cat picture is saved! Accessing the directory tells us that directory listing is disabled, but by appending our filename (/v2/profileimages/[filename]) we can see that my cat picture was successfully uploaded!
Now let’s try uploading a shell. Since the site runs PHP, let’s upload a readily available PHP reverse shell; I used the one written by pentestmonkey. There is no filter on which files can and can’t be uploaded to the server. We reach the shell the same way, through the /v2/profileimages directory. But before that, we set up a listener on the port specified in the PHP reverse shell file.
nc -lvnp 1234
We got it!
Stabilize our shell, then let’s explore the server!
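The upload worked because nothing checked what was being stored as a profile image. As an added example (my own code, not the room’s), this is the kind of check the profile-image endpoint should have made: an extension allowlist, a magic-byte check that the content really is that image type, a size limit, and a server-generated filename so the client controls neither the extension nor the path. The allowed types and the 2 MiB limit are assumptions.

```python
import secrets

# Magic-byte signatures for the image types a profile picture may be; the
# declared extension must agree with the bytes that were actually uploaded.
SIGNATURES = {
    "png": (b"\x89PNG\r\n\x1a\n",),
    "jpg": (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
    "gif": (b"GIF87a", b"GIF89a"),
}
MAX_BYTES = 2 * 1024 * 1024  # assumed limit for a profile picture

def check_profile_image(filename, data):
    """Return (accepted, reason, stored_name). stored_name is generated by the
    server, so a client cannot pick a .php name or guess the final path."""
    name = filename.rsplit("/", 1)[-1]           # ignore any client-supplied path
    ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
    if ext not in SIGNATURES:
        return False, "extension not allowed", None
    if not data.startswith(SIGNATURES[ext]):     # startswith accepts a tuple
        return False, "content does not match extension", None
    if len(data) > MAX_BYTES:
        return False, "file too large", None
    return True, "ok", f"{secrets.token_hex(16)}.{ext}"
```

A file can pass the magic-byte check and still carry script code after the header, so the upload directory must additionally be served without script execution (or stored outside the web root); the check above reduces the attack surface, it does not replace that configuration.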
Privilege Escalation
Currently we are the low-privileged user “www-data” and probably cannot do much. Running sudo -l prompts us for a password. Let’s look at the /etc/passwd file for other users that might exist on this server.
cat /etc/passwd
I saw that there is a user called “webdeveloper”, and apparently this server also runs MongoDB. Let’s see if we can access webdeveloper’s home directory.
There’s user.txt; let’s cat it and submit the flag.
We could upload linpeas to this server, but before that let’s see whether we can access MongoDB with the mongo command and look at which databases it holds. After some tinkering and Google searching, I found the commands we can use to view the data inside MongoDB.
There are multiple databases whose contents we can inspect. Inside the “backup” database are the credentials of the user “webdeveloper”. Using them, we succeed in switching user to “webdeveloper”.
su webdeveloper
We use sudo -l to see which commands the user “webdeveloper” can run as a superuser.
sudo -l
We find that this user can run sky_backup_utility as root. Let’s see what this file does.
After the painful experience of using cat on an executable, let’s use strings to list the printable strings contained in the file. Fortunately, the server has strings installed. We can check with:
which strings
Just as the name suggests, this file creates a backup of the website: it compresses all the files inside the /var/www/html directory and stores the archive in the specified directory.
I was a little stuck at this point and decided to enumerate the server with linpeas. I uploaded linpeas to the server and ran it. There is something interesting in the results linpeas generated.
A simple Google search gives us a method to escalate our privileges. Long story short, the LD_PRELOAD environment variable is preserved through sudo here, which lets us run the program with a shared library of our choosing loaded first.
We create the instructed C file on our Kali Linux, compile it into a shared library (.so), transfer it to the server, and exploit the vulnerability with the following command.
sudo LD_PRELOAD=/tmp/[FILENAME].so /usr/bin/sky_backup_utility
We got root!
From here, we can access the /root directory to get root.txt.
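The root cause on the sudo side is a Defaults line that keeps a dynamic-loader variable across sudo’s environment reset, which is what the command above relies on. As an added example (my own code, not from the room), here is a small audit that finds such lines in a sudoers file and produces a corrected copy. The sudoers excerpt is constructed to mirror the misconfiguration linpeas reports; the real file is not reproduced in the writeup.

```python
import re

# Constructed sudoers excerpt, modelled on the env_keep misconfiguration that
# linpeas and sudo -l surface on this box (the real file is not on the page).
# The env_keep line lets LD_PRELOAD survive env_reset and reach the root process.
SAMPLE_SUDOERS = """\
Defaults        env_reset
Defaults        mail_badpass
Defaults        env_keep += "LANG LC_ALL"
Defaults        env_keep+=LD_PRELOAD
Defaults        secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
root    ALL=(ALL:ALL) ALL
webdeveloper ALL=(ALL:ALL) /usr/bin/sky_backup_utility
"""

# Variables that let the caller inject code into the dynamic loader of whatever
# sudo runs; none of them has a legitimate reason to be kept across sudo.
LOADER_VARS = {"LD_PRELOAD", "LD_LIBRARY_PATH", "LD_AUDIT"}
ENV_KEEP = re.compile(r"^\s*Defaults\b[^#]*?\benv_keep\s*\+?=\s*(.+)$")
VAR_NAME = re.compile(r"[A-Za-z_][A-Za-z0-9_*]*")   # sudoers allows trailing * wildcards

def find_kept_loader_vars(sudoers_text):
    """Return [(line_no, variable)] for every loader variable a Defaults line
    adds to env_keep, whether written bare or inside a quoted list."""
    hits = []
    for lineno, line in enumerate(sudoers_text.splitlines(), 1):
        m = ENV_KEEP.match(line.split("#", 1)[0])   # drop trailing comments
        if not m:
            continue
        for var in VAR_NAME.findall(m.group(1)):
            if var in LOADER_VARS:
                hits.append((lineno, var))
    return hits

def without_loader_vars(sudoers_text):
    """Corrected sudoers text with the offending Defaults lines removed."""
    bad = {n for n, _ in find_kept_loader_vars(sudoers_text)}
    kept = [l for n, l in enumerate(sudoers_text.splitlines(), 1) if n not in bad]
    return "\n".join(kept) + "\n"
```

Edits to the real file belong in visudo, which syntax-checks before saving; the function here only shows which lines to drop.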
Conclusion
In this room, I learned to pay more attention during enumeration, since I spent quite a lot of time trying to find a way to get a shell because I didn’t know where the profile image was being uploaded. And it was in the page source!
Overall it was a wonderful experience taking on this room and writing my first ever writeup. I hope you have the same experience!