THM Road
Last updated
Another day, another challenge. I did this machine together with my friend Jack. This time I chose a medium-rated room created by StillNoob. Enjoy your reading :D.
Before we start, let's play a song to make the time fly and keep things from getting boring. Okay. Let's recon the ports and directories, and use a link-finder tool for testing.
It appears to have 2 open ports, nothing beyond the usual ones.
LinkFinder managed to detect 2 interesting parts here, which is confirmed by the directory search below.
The landing page comes with a login page and a register page. Huh. Let's register a dummy account and log in with it.
Once we press the registration button, it appears like below.
Next, once we manage to log in, let's play around. I want to check what a user can do and what can be done in the profile. Notice here: resetuser? WOW.
By default, the username is already filled in there, and we can change to a new password without being asked for the old one. That means if we know the administrator's username, we can get access to their profile. Interesting, right?
Now let's check around in case I find anything related to admin.
In the profile, we found a place to upload a picture. Maybe we can upload an arbitrary file here. Unfortunately, only admin has access to that feature. What a day. But!! I noticed juicy information there. Going back to resetpassword and intercepting the request.
Change the username to the admin username we found earlier. And boom.. we managed to change the password.
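The weakness used above is that the reset handler trusts the username in the request body instead of the logged-in session, and never asks for the current password. The following added example is my own sketch, not the Road application's code (which the writeup does not show); the framework-free handler, form field names and in-memory user store are assumptions. It puts the flawed logic next to a version that binds the reset to the session user and verifies the current password first.

```python
import hashlib
import hmac
import os

# Constructed in-memory user store: username -> salted PBKDF2 hash.
def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def make_user(password: str) -> dict:
    salt = os.urandom(16)
    return {"salt": salt, "hash": _hash(password, salt)}

USERS = {"admin": make_user("constructed-admin-pw"), "dummy": make_user("dummy-pw")}

def verify(username: str, password: str) -> bool:
    """Constant-time check of a password against the stored hash."""
    u = USERS.get(username)
    return u is not None and hmac.compare_digest(u["hash"], _hash(password, u["salt"]))

def reset_vulnerable(session_user: str, form: dict) -> str:
    """Mirrors the flaw in the writeup: the target account is taken from the
    (client-controlled) form field and no current password is required, so
    any logged-in user can overwrite any other account's password."""
    target = form["username"]            # trusted straight from the request
    USERS[target] = make_user(form["new_password"])
    return f"password changed for {target}"

def reset_hardened(session_user: str, form: dict) -> str:
    """Fix: ignore a username in the body unless it matches the session,
    and require the current password before changing anything."""
    if form.get("username") not in (None, session_user):
        return "rejected: target does not match session user"
    if not verify(session_user, form.get("current_password", "")):
        return "rejected: current password incorrect"
    USERS[session_user] = make_user(form["new_password"])
    return f"password changed for {session_user}"
```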
To prove that, let's log in as admin. And the result is as shown. We're in!
Now that we are admin, we can upload files. Let's upload our reverse shell instead of a picture and see where the uploaded file goes by reading some of the source here.
After we manage to find the location where our file is stored, fire up our listener and wait for it to connect back.
Once we get access as www-data, as usual I run 3 basic commands. Before that, make our shell stable.
/etc/crontab
/etc/passwd
/home/
From here, we manage to find a user and a database? Let's check whether this database is running or not.
ss -tunlp (ss is the same as netstat)
MongoDB runs on port 27017,
and from the result it appears to be there. Let's run mongo.
At this point I got stuck, since MongoDB is not the same as MySQL. I needed to study first. I used this reference.
Using the credentials, log in via SSH to get a better shell.
Then start checking sudo permissions and SUID binaries.
We found that sky_backup_utility can be run with sudo without a password. Let's run it with sudo.
This command is used to back up all folders inside /var/www. I don't have any idea how I could put malicious code in there to escalate to root, so I proceeded with pkexec instead.
To confirm that this method can be used, run this:
cat /etc/polkit-1/localauthority.conf.d/*
If you find that the binary pkexec is a SUID binary and you belong to sudo or admin, you could probably execute binaries as sudo using pkexec. This proves that we can escalate using this method. Follow the instructions here.
Following the steps, we manage to get root.
To answer why we need 2 shells: since polkit needs to run in a graphical interface, which I don't have, pkexec should fall back to pkttyagent. The second shell will act as the pkttyagent.
Polkit agent
Exploit pkexec
Mongo DB