“The only true wisdom is in knowing you know nothing.” - Socrates

Road – Medium

In this writeup we’ll cover a great machine, Road by StillNoob on TryHackMe.

Room: https://tryhackme.com/room/road

Summary

  • NMAP and rustscan found following open ports:
    • 22/SSH
    • 80/HTTP
  • Sky Couriers web application running on port 80
  • Register new user using the merchant portal on the web application
  • Edit Profile functionality revealed admin’s username – [email protected]
  • Reset Password functionality allowed us to reset the admin's password.
  • Reverse shell upload via upload profile picture functionality
  • Upload path found as a comment in page source
  • Privilege Escalation – 1: Using mongo
  • Privilege Escalation – 2: Using pkexec
  • All Done! 😀

Enumeration/Exploitation

  • Nmap and rustscan found the following ports open:
    • 22/SSH
    • 80/HTTP
  • Browsing through the application hosted on port 80, we found that there is a merchant portal
  • We tried simple SQLi, no luck. However, we were able to register a new user to the system
  • Once logged in as the user, we found that a user can upload their profile picture (Possible reverse shell upload). However, this functionality only works for [email protected] user
  • Looking for ways to gain access to the admin user, we found that the user can reset their password. However, the server doesn’t validate the username provided. Therefore, we leveraged that to gain access to the admin account.
  • Once logged in as admin, we attempted to upload a PHP reverse shell using the upload profile picture functionality, which worked. We found the directory path as a comment in the page source.
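
The password-reset flaw described above, modelled as an added Python example (not code from the Road box or this writeup): a reset handler that trusts a client-supplied username beside a hardened one that only changes the session's own account. The user store, e-mail addresses and passwords are constructed placeholders.

```python
import hashlib
import hmac
import os

# Constructed in-memory user store standing in for the app's database;
# the real box's storage scheme is unknown, so passwords are kept as salted hashes.
def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def make_user(password: str) -> dict:
    salt = os.urandom(16)
    return {"salt": salt, "hash": _hash(password, salt)}

USERS = {
    "admin@example.thm": make_user("adm1n-secret"),    # placeholder account
    "lowpriv@example.thm": make_user("lowpriv-pass"),  # placeholder account
}

def check_password(username: str, password: str) -> bool:
    user = USERS.get(username)
    if user is None:
        return False
    return hmac.compare_digest(user["hash"], _hash(password, user["salt"]))

def reset_password_vulnerable(session: dict, form: dict) -> bool:
    """The flaw from the writeup: the account to change comes from the submitted
    form field and is never compared with the logged-in user."""
    if "user" not in session:
        return False
    USERS[form["username"]] = make_user(form["new_password"])
    return True

def reset_password_fixed(session: dict, form: dict) -> bool:
    """Hardened: the target is the session's own user, any client-supplied
    username is ignored, and the current password must be re-proven."""
    target = session.get("user")
    if target not in USERS:
        return False
    if not check_password(target, form.get("current_password", "")):
        return False
    USERS[target] = make_user(form["new_password"])
    return True
```

The vulnerable handler lets a low-privilege session overwrite any account, which is exactly the step that handed over the admin account on this box; the fixed handler changes only the caller's own account.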

Privilege Escalation - 1

  • Looking for ways to escalate our privileges, we observed the following:
    • There is a user called webdeveloper 
    • webdeveloper has sudo rights
    • mongod is running (127.0.0.1:27017)
    • mysql is running
  • Attempted to log in to mysql with common creds, didn’t work.
  • Tried finding creds for webdeveloper inside config files etc, no luck.
  • Tried accessing mongo shell using mongo, worked.
    • Listed DBs using show dbs
    • Found the user and collection collections inside the backup DB.
    • Inside the user collection, we found creds for webdeveloper user

Privilege Escalation - 2

  • We were able to SSH to the host using creds found earlier.
  • Looking for ways to escalate our privileges, we observed the following:
    • webdeveloper is a member of sudo group
    • webdeveloper can run /usr/bin/sky_backup_utility as sudo without a password.
    • /etc/polkit-1/localauthority.conf.d/51-ubuntu-admin.conf contains AdminIdentities=unix-group:sudo;unix-group:admin (Default in Ubuntu)
  • Since webdeveloper is a member of the sudo group, we can escalate our privileges using pkexec
  • pkexec allows an authorized user to execute commands as another user.
  • Therefore, we could have used pkexec /bin/bash to spawn a shell as root.
  • However, there is a known issue that “pkexec fails in a non-graphical environment”
  • To solve this, we needed to create two SSH connections as user webdeveloper
  • Following was the process:
    • Opened two SSH connections as user webdeveloper
    • On the first session ran – echo $$
    • On the second session ran – pkttyagent -p {pid}
      • Replaced {pid} with the output received for the echo $$ command
    • On the first session, ran – pkexec /bin/bash
    • On the second session, entered the password for webdeveloper
    • All done! Root shell was spawned on the first session.

Hope you enjoyed reading this writeup.

Happy Hunting! 😀

Posted by: infinity
