Empline - THM

October 14, 2021•414 words

Empline - THM

After the initial scan there are three open ports. Two are clearly no-goes unless you feel like bruteforcing (which I would not suggest, unwise at least). Look up the web page, most links seem pointless but one gives away both a domain and, more importantly, a subdomain. Save both of them in your /etc/hosts and go take a look. The initial front page could not give you clearer instructions on what to do next. There is a software name and a version: Google this combination of informations.

Turns out, there is a pretty sweet unauthenticated XXE available, and more than a few blog posts detailing the steps to create the appropriate resume to exploit this. Now, we can read /etc/passwd, gain some usernames and go for brute forcing one of the other two services, OR we can read config.php and take away the credentials to connect to the database server. The choice is yours.

Once you CLEARLY decide to pick the credentials from config.php, the maneuver is pretty straightforward. Connect to the DB, open the users table and get those hashes. Crack them (crackstation is a strong suggestion in this case, if you don't want to sit and wait for I honestly don't know how long). You now have valid credentials to start a SSH connection.

Get your first flag, and start looking around.

Now the privesc vector is...not the most common, not the most UNcommon. If you have in your routine to look for capabilities, well done. If you do not, maybe linpeas did the job for you.

Turns out, ruby has the chown capability set, meaning it can change ownership of files, like this:

ruby -e 'require "fileutils"; FileUtils.chown(1002, 1002, "/etc/passwd")'

From this point on, the possible ways you could go are endless. My choice was to modify /etc/passwd adding this line

root2:WVLY0mgH0RtUI:0:0:root:/root:/bin/bash

This creates a user, named root2, with the password "mrcake", which has the same privileges as the original root (look at its UID, there's the trick).

After this step is done, simply su root2 and get your well deserved root flag. Your job is done, move forward.

And, as always, merry hacking ;)

👍❤️🫶👏👌🤯🤔😂😍😭😢😡😮

Subscribe to the author

You'll only receive email when they publish something new.

More from emacab98
All posts

Superspam - THM

August 25, 2021•655 words

Super-Spam - THMThe ports after the initial scan, apart from the usual service on port 80, are fairly uncommon, like FTP on 4019 and SSH on 4012. The first I tried (more because this is a CTF than anything else) is to anonymously login to FTP, which gave us access to quite a few files. From the note, we could assume adam and super-spam are usernames. We also learn that the capture file is a reminder of how the alien got in, so we download that for further analysis and give it to Wireshark. While...

Read post

OWASP Juice Shop

November 9, 2021•3,019 words

OWASP Juice ShopThis is how I solved some of the challenges listed in the OWASP Juice Shop scoreboard, you can find the one that interests you by searching its name in the table.Error Handling (Provoke an error that is neither very gracefully nor consistently handled.)Try a URL of your choice to see if anything funny happens, some error handling practices could give you great results in terms of finding vulnerabilities. In this case, it reveals the framework AND it solves the challenge.Score Boa...

Read post

Empline - THM

Empline - THM

More from emacab98All posts

Superspam - THM

OWASP Juice Shop

More from emacab98
All posts