Empline - THM

Empline - THM


After the initial scan there are three open ports. Two are clearly no-goes unless you feel like bruteforcing (which I would not suggest, unwise at least). Look up the web page, most links seem pointless but one gives away both a domain and, more importantly, a subdomain. Save both of them in your /etc/hosts and go take a look. The initial front page could not give you clearer instructions on what to do next. There is a software name and a version: Google this combination of informations.

Turns out, there is a pretty sweet unauthenticated XXE available, and more than a few blog posts detailing the steps to create the appropriate resume to exploit this. Now, we can read /etc/passwd, gain some usernames and go for brute forcing one of the other two services, OR we can read config.php and take away the credentials to connect to the database server. The choice is yours.

Once you CLEARLY decide to pick the credentials from config.php, the maneuver is pretty straightforward. Connect to the DB, open the users table and get those hashes. Crack them (crackstation is a strong suggestion in this case, if you don't want to sit and wait for I honestly don't know how long). You now have valid credentials to start a SSH connection.

Get your first flag, and start looking around.

Now the privesc vector is...not the most common, not the most UNcommon. If you have in your routine to look for capabilities, well done. If you do not, maybe linpeas did the job for you.

Turns out, ruby has the chown capability set, meaning it can change ownership of files, like this:

ruby -e 'require "fileutils"; FileUtils.chown(1002, 1002, "/etc/passwd")'

From this point on, the possible ways you could go are endless. My choice was to modify /etc/passwd adding this line

root2:WVLY0mgH0RtUI:0:0:root:/root:/bin/bash

This creates a user, named root2, with the password "mrcake", which has the same privileges as the original root (look at its UID, there's the trick).

After this step is done, simply su root2 and get your well deserved root flag. Your job is done, move forward.

And, as always, merry hacking ;)


You'll only receive email when they publish something new.

More from emacab98