THM [Easy Lab] – Creative

THM [Easy Lab] - Creative

Exploit a vulnerable web application and some misconfigurations to gain root privileges.

First, I ran an Nmap scan against the target and discovered that the HTTP and SSH ports were open. When I tried to access the service further, I encountered an error, and I noticed a domain name creative.thm displayed in the address bar. I then added this domain to the hosts file and proceeded to access the website using that domain.

As usual, I browsed around the website first, but there wasn’t anything interesting. So I continued with directory scanning and tried to see if there were any other subdomains. After using ffuf to fuzz subdomains, I discovered another domain: beta.creative.thm, and then proceeded to access that website to see what it contained.

After accessing the beta site, I noticed that it had a URL tester feature. When I entered a domain name into the input box, I used Burp Suite to intercept the request and sent it to the Repeater tab for further testing. I tried several command injection filter bypass techniques, but the results were not promising. I thought the payload might not be correct, so I decided to use ffuf to fuzz the url parameter to check whether any command injection payloads could work.

The results of that fuzzing attempt were also not very promising, so I continued by considering whether this might be related to SSRF. I started testing with the simplest payload, trying to see if I could access a service hosted on localhost by using http://127.0.0.1:80. At that point, I saw that the web page index was returned, which indicated that this site was indeed vulnerable to an SSRF flaw.

I suddenly remembered a previous SSRF lab and realized that there might be another service running on localhost on a port other than 80. Therefore, I used a for loop to generate a wordlist containing ports from 1 to 65536, and then continued using ffuf to fuzz these local ports. And I found another port that is 1337

I used Burp Suite to request this port and saw that it returned a large amount of content, which looked like a Linux directory tree. So I went back to the browser, accessed the beta site, and entered http://127.0.0.1:1337. As expected, it returned the entire directory tree of the machine.

The first thing I did when I saw the entire directory tree was to navigate to the /home directory to check which users had home directories and whether any of them were misconfigured and accidentally exposed their SSH keys. Luckily, this machine had both issues: I found a user home directory named saad, and when I accessed it, I not only obtained the user flag but also got hold of his SSH key.

I copied the contents of the id_rsa file back to my machine to SSH into this user, but then I realized that just having the key does not necessarily mean I can log in immediately, since it might be protected by a passphrase. Because of that suspicion, I used ssh2john on the id_rsa file and then ran John the Ripper to crack the SSH key’s passphrase, and I was able to successfully recover it.

At this point, I logged into the machine via SSH to make things easier to work with. The next task was to obtain the root flag, which meant I needed to escalate my privileges to root. The first thing I wanted to do was run sudo -l, but then I realized that I didn’t know this user’s password, since I logged in using an SSH key.

So, I decided to check the .bash_history file, and surprisingly, this user had made one of the most fatal mistakes: typing their password directly into the terminal. Well, that made things much easier—I now had the user’s password.

With that, I ran sudo -l to see what binaries I could run with root privileges. I noticed that the ping binary was allowed. When I checked GTFOBins, ping itself doesn’t have a direct privilege escalation method. However, looking more closely, I saw the line env_keep+=LD_PRELOAD. That was interesting—this meant I could potentially escalate privileges using shared libraries.

LD_PRELOAD is an environment variable used on Unix-like operating systems to load additional dynamic libraries before all others when a program is run. This can be used to override functions in other shared libraries.

If an attacker can set LD_PRELOAD to point to a malicious shared library, and this environment variable is preserved when running commands with sudo, it allows the attacker to execute arbitrary code with elevated privileges.

The user saad is allowed to run ping as root, and although ping is called with an absolute path, we can still exploit the LD_PRELOAD issue to execute a custom shared library. So, I created a file called shell.c, copied the payload into it, and then compiled it using gcc.

I noticed it threw an warning, but the shell.so file was still created. Hmm, I decided to just try running it anyway—if it failed, I would debug it later.

So I went ahead and exploited it, and in the end, I successfully obtained a root shell.

Okay, that wraps up this write-up. I think I’ll add a few links about SSRF, LD_PRELOAD below so both you and I can revisit and read more about it later if we forget.