The London Bridge (THM)

The London Bridge is falling down.

Hello everyone, today I wanted to catch up with the machines I missed, so we are doing The London Bridge today, shall we?


Enumeration.

PORT     STATE SERVICE    REASON         VERSION
22/tcp   open  ssh        syn-ack ttl 63 OpenSSH 7.6p1 Ubuntu 4ubuntu0.7 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   2048 58:c1:e4:79:ca:70:bc:3b:8d:b8:22:17:2f:62:1a:34 (RSA)
| ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDziNs6aSHIQOJFilv8PhCPd676iD1TrhMYe4p4Mj2E3yaAl4xb8DNT2dhpcv6H8EvtCJnAbXmnFTTOZy14fd7FKc2/Mr4MNLsINFpMU8hc85g6S9ZEnWKlU8dw5jUUeZnAbHSTnq6ARvEbT/Y5seiWEJ7IBiUqptlUA2eiOU7g0DFwrYH7n40aDe0m6PKPIfI9G0XO0cJHISeJ0bsSES1uun2WHLM0sRx+17hrBgM2YfD9OevcltVMlQqWasP9lqf2ooOdBvQTq4eH5UyyuEzaRtQwBYP/wWQEVFacejJE1iT2VD6ZAilhlzo9mww9vqTEwGTvatH65wiyCZHMvrSb
|   256 2a:b4:1f:2c:72:35:7a:c3:7a:5c:7d:47:d6:d0:73:c8 (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBJuZrGZxDIlI4pU1KNZ8A87cWFcgHxRSt7yFgBtJoUQMhNmcw8FSVC54b7sBYXCgBsgISZfWYPjBM9kikh8Jnkw=
|   256 1c:7e:d2:c9:dd:c2:e4:ac:11:7e:45:6a:2f:44:af:0f (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICkCeqFADY/YvhJyJabcs5DVTYbl/DEKEpBoluTuDdB1
8080/tcp open  http-proxy syn-ack ttl 63 gunicorn
|_http-title: Explore London
| http-methods:
|_  Supported Methods: GET HEAD OPTIONS
| fingerprint-strings:
|   GetRequest:
|     HTTP/1.0 200 OK
|     Server: gunicorn
|     Date: Fri, 18 Oct 2024 15:12:45 GMT
|     Connection: close
|     Content-Type: text/html; charset=utf-8
|     Content-Length: 2682
|     <!DOCTYPE html>
|     <html lang="en">
|     <head>
|     <meta charset="UTF-8">
|     <meta name="viewport" content="width=device-width, initial-scale=1.0">
|     <title>Explore London</title>
|     <style>
|     body {
|     font-family: Arial, sans-serif;
|     margin: 0;
|     padding: 0;
|     background-color: #f2f2f2;
|     header {
|     background-color: #333;
|     color: #fff;
|     padding: 10px 20px;
|     text-align: center;
|     background-color: #444;
|     color: #fff;
|     padding: 10px 20px;
|     text-align: center;
|     color: #fff;
|     text-decoration: none;
|     margin: 0 10p
|   HTTPOptions:
|     HTTP/1.0 200 OK
|     Server: gunicorn
|     Date: Fri, 18 Oct 2024 15:12:45 GMT
|     Connection: close
|     Content-Type: text/html; charset=utf-8
|     Allow: GET, HEAD, OPTIONS
|_    Content-Length: 0
|_http-server-header: gunicorn

So with rustscan we can see that ports 8080 and 22 are open, which are HTTP and SSH. So let's look at the web application first and see what we have.

Using dirsearch we can see the two directories we have, and we have two endpoints that accept POST requests, which are feedback and upload.

So basically, now that I have access to the machine, let me walk you through the process.

Find the hidden endpoint.

As you can see, the endpoint view_image is one we have not seen before, and it returns 405, which means the method is not allowed (GET in this case), so I tried POST and it works.

curl -X POST http://londonbridge.thm:8080/view_image
<!DOCTYPE html>
<html lang="en">
<head>
    <meta charset="UTF-8">
    <meta name="viewport" content="width=device-width, initial-scale=1.0">
    <title>View Image</title>
    <style>
        body {
            font-family: Arial, sans-serif;
            margin: 0;
            padding: 20px;
            background-color: bisque;
        }
        img {
            max-width: 100%;
            height: auto;
            border-radius: 8px;
            box-shadow: 0 0 10px rgba(0, 0, 0, 0.1);
        }
    </style>
</head>
<body>
    <h1>View Image</h1>
    <form action="/view_image" method="post">
        <label for="image_url">Enter Image URL:</label><br>
        <input type="text" id="image_url" name="image_url" required><br><br>
        <input type="submit" value="View Image">
    </form>


</body>
</html>

Here we have an input image_url, meaning we can supply the URL of an image. I was stuck here for a while, but I checked the hint and it says something about a hidden parameter, and using arjun I was able to find it.

SSRF

SSRF is a vulnerability which allows the attacker to reach internal services through the server itself, as if the request came from localhost.

Which is www in this case, so I tried multiple things here and SSRF was the way to go.

And here I tried "localhost" and "127.0.0.1" and they do not work, which appears to be some sort of filter. So now we want to dig more into the internal network.
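A filter that only string-matches "localhost" and "127.0.0.1" is the weak pattern on the defending side: the fetcher should instead resolve whatever host it was given and refuse to connect if any resulting address is loopback, private, link-local or otherwise non-routable, for both IPv4 and IPv6. The following is an added example written for this writeup, not code from the room or its web application; the resolver is injectable so the check runs offline against a constructed name table (the hostnames and addresses in FAKE_DNS are made up for the demo).

```python
import ipaddress
import socket
from urllib.parse import urlsplit

# Added example, not the room's code: a resolver-based guard for an
# "image_url" style parameter. Rather than matching strings such as
# "localhost", it resolves the host and tests the resulting addresses.

ALLOWED_SCHEMES = {"http", "https"}


def dns_resolve(host):
    """Resolve a hostname (or literal IP) to the set of addresses it points to."""
    infos = socket.getaddrinfo(host, None)
    # Strip an IPv6 scope id such as "%eth0" before parsing.
    return {ipaddress.ip_address(info[4][0].split("%")[0]) for info in infos}


def address_is_internal(addr):
    """True for addresses a server-side fetcher should never reach."""
    return (
        addr.is_loopback
        or addr.is_private
        or addr.is_link_local
        or addr.is_multicast
        or addr.is_reserved
        or addr.is_unspecified
    )


def check_image_url(url, resolve=dns_resolve):
    """Return (ok, reason). `resolve` is injectable so the check can be
    exercised without real DNS."""
    parts = urlsplit(url)
    if parts.scheme not in ALLOWED_SCHEMES:
        return False, "scheme not allowed"
    if not parts.hostname:
        return False, "no host"
    if parts.username or parts.password:
        return False, "credentials in URL"
    try:
        addrs = resolve(parts.hostname)
    except (socket.gaierror, ValueError):
        return False, "unresolvable host"
    if not addrs:
        return False, "unresolvable host"
    # Every address the name maps to must be routable; one internal
    # answer is enough to refuse the fetch.
    for addr in addrs:
        if address_is_internal(addr):
            return False, "resolves to internal address %s" % addr
    return True, "ok"


# Constructed name table for the demo (hypothetical hosts; 8.8.8.8 is
# simply a stand-in for "some public address").
FAKE_DNS = {
    "images.example.com": {ipaddress.ip_address("8.8.8.8")},
    "intranet.example.com": {ipaddress.ip_address("10.0.0.5")},
    "localhost": {ipaddress.ip_address("127.0.0.1")},
}


def fake_resolve(host):
    """Offline stand-in for dns_resolve: table lookup, else literal IP."""
    if host in FAKE_DNS:
        return FAKE_DNS[host]
    return {ipaddress.ip_address(host)}


if __name__ == "__main__":
    for u in (
        "http://images.example.com/a.png",
        "http://localhost:8080/",
        "http://127.0.0.1/",
        "http://intranet.example.com/",
        "ftp://images.example.com/a.png",
    ):
        print(u, check_image_url(u, resolve=fake_resolve))
```

Two caveats for anyone putting this in front of a real fetcher: the address check must be repeated on every redirect the HTTP client follows, and because the name is resolved once here and again by the client, a DNS rebinding setup can still change the answer in between; the robust fix is to connect to the vetted address directly (pinning) rather than re-resolving the name.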

So here the file we used is just a wordlist containing the numbers 1..10_000. Now let's dig more into port 80.

As you can see in the image, it appears to be a Linux home folder, which may contain a .ssh folder; let's check that out.

As you can see in the images above, we find the SSH key as well as a username. So now let's log in over SSH.

username: beth
using the key to log in.

Root access.

So as for the root access, I searched a lot, and using linpeas I saw this.

After searching a bit more I found an exploit for this vuln.

I tried most of them and the one that works is exploit.dbus.sh. I think I know why: this exploit takes advantage of the mishandling of nested user namespaces. In Linux, user namespaces allow processes to run with different user and group IDs than they have on the host. This means that, inside the namespace, a process can have root-like privileges (UID 0), even if it's running as a normal user on the host system. And we can also see that in the SUID binaries we have.

Which is related somehow to the exploit itself; digging more into the exploit will be a later job, but for now let's enjoy the rootness.
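If the root path really hinges on unprivileged user namespaces as described above, the defender's first question is whether the kernel lets ordinary users create them at all. The following is an added example written for this writeup, not code from the room or from the exploit; it reads the sysctls that govern this and reports a verdict. Assumptions: kernel.unprivileged_userns_clone exists only on Debian/Ubuntu-patched kernels, kernel.apparmor_restrict_unprivileged_userns only on recent Ubuntu kernels, and user.max_user_namespaces is the upstream knob; each is treated as "absent" when its /proc file is missing.

```python
import os

# Added example, not the room's code: audit the kernel knobs that decide
# whether an unprivileged user may create user namespaces.

KNOBS = {
    # sysctl name -> path under /proc (assumption: distro-specific knobs may
    # simply not exist on a given kernel, which is reported as None)
    "kernel.unprivileged_userns_clone": "sys/kernel/unprivileged_userns_clone",
    "user.max_user_namespaces": "sys/user/max_user_namespaces",
    "kernel.apparmor_restrict_unprivileged_userns":
        "sys/kernel/apparmor_restrict_unprivileged_userns",
}


def read_knob(proc_root, rel_path):
    """Return the knob's value as a string, or None if the file is absent."""
    try:
        with open(os.path.join(proc_root, rel_path)) as f:
            return f.read().strip()
    except (FileNotFoundError, PermissionError):
        return None


def verdict(clone, max_ns, apparmor_restrict):
    """Combine the three values (strings or None) into (status, reasons).

    status is "blocked" when creation is impossible for unprivileged users,
    "restricted" when AppArmor confines it to allowed profiles, otherwise
    "allowed"."""
    reasons = []
    if clone == "0":
        reasons.append("kernel.unprivileged_userns_clone=0")
    if max_ns == "0":
        reasons.append("user.max_user_namespaces=0")
    if reasons:
        return "blocked", reasons
    if apparmor_restrict == "1":
        return "restricted", ["kernel.apparmor_restrict_unprivileged_userns=1"]
    return "allowed", ["no sysctl restricts unprivileged user namespaces"]


def assess_userns(proc_root="/proc"):
    """Read the live knobs (or a constructed tree rooted at proc_root)."""
    values = {name: read_knob(proc_root, rel) for name, rel in KNOBS.items()}
    status, reasons = verdict(
        values["kernel.unprivileged_userns_clone"],
        values["user.max_user_namespaces"],
        values["kernel.apparmor_restrict_unprivileged_userns"],
    )
    return {"values": values, "status": status, "reasons": reasons}


if __name__ == "__main__":
    result = assess_userns()
    for name, value in result["values"].items():
        print("%-45s %s" % (name, "absent" if value is None else value))
    print("unprivileged user namespaces:", result["status"])
    for r in result["reasons"]:
        print("  -", r)
    if result["status"] == "allowed":
        # Mitigation to weigh against any workloads (containers, browsers)
        # that legitimately need user namespaces on this host.
        print("consider: sysctl -w kernel.unprivileged_userns_clone=0 "
              "(Debian/Ubuntu) or user.max_user_namespaces=0 (upstream)")
```

Disabling user namespaces is a blunt control and breaks rootless containers and some sandboxes, so on a host that needs them the answer is patching the kernel rather than the sysctl; the point of the script is to know which of the two situations you are in before an exploit like the one above tells you.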


Charles's password.

To get an idea of how to extract the password: at first I thought that we only needed to crack the hash and we would get his password, and I was wrong. I tried with john but nothing came out. But once I stepped into charles's home directory I knew what I needed to do.

We have a mozilla folder, which usually contains Firefox's stored passwords. So can we crack it?

Using the above two resources we will be able to do that; all we need to do is transfer the charles home directory to our machine using a Python server, and then crack it using firefox_decrypt.py.

I have charles's directory on my machine; now we just run the code.

And here it is.

Conclusion.

Finally, this machine was really fun, and I have not used a kernel exploit in a while, so this refreshed my memory. Also this was the first time I dealt with Firefox creds, which was interesting. I also need to dig more into the kernel exploit to find out the core reason behind it. I hope you enjoyed it. 👾
