Road - THM
December 29, 2021 • 431 words
There is an SSH port open and a web server. With no credentials, the web server is a better option right now.
I started by looking around the website: there is the information about who created the platform right in front of you, but I could not turn that into valuable info with a basic search. I registered an account and logged in. Snoop around the authenticated pages and you will see there is functionality to upload a profile picture, but it is admin-only. However, this tells us the admin's email, so we can try to brute-force the password now.
While brute-forcing, notice that there is an option to change your current password. Intercept the request and reset the admin's password instead. There is no authorization check, so we can now log in as the admin.
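The missing authorization check described above, shown next to a corrected handler. This is an added example, not code from the room or from the original write-up; the handler names, the "email" and "current_password" form fields, the session ids and the accounts are all hypothetical, and Python is used only for illustration.

```python
import hashlib, hmac, os

def _hash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def make_user(password):
    salt = os.urandom(16)
    return {"salt": salt, "hash": _hash(password, salt)}

def check_password(user, password):
    return hmac.compare_digest(user["hash"], _hash(password, user["salt"]))

def new_store():
    # Constructed sample data: two accounts and one logged-in low-privilege session.
    users = {"admin@example.test": make_user("admin-secret"),
             "guest@example.test": make_user("guest-secret")}
    sessions = {"sess-guest": "guest@example.test"}  # session id -> account owner
    return users, sessions

def change_password_vulnerable(users, sessions, session_id, form):
    """Flawed pattern: any valid session may name the account to change."""
    if session_id not in sessions:
        return 401
    target = form["email"]  # client-controlled, never compared with the session owner
    users[target] = make_user(form["new_password"])
    return 200

def change_password_hardened(users, sessions, session_id, form):
    """The account comes from the session, and the current password is required."""
    owner = sessions.get(session_id)
    if owner is None:
        return 401
    if form.get("email", owner) != owner:
        return 403  # cross-account attempt: reject, and worth logging for detection
    if not check_password(users[owner], form.get("current_password", "")):
        return 403
    users[owner] = make_user(form["new_password"])
    return 200
```

A 403 from the hardened handler on a mismatched account identifier is a useful detection signal, since a legitimate client never sends one.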
Now we can try to upload a reverse shell as a profile image.
When you upload, analyze the response. It says "Image saved" but gives you no indication of where it was saved. Either search for "profile" or scroll a little further down in the response and you should catch a reference to a /v2/profileimages directory. You can go there and catch your reverse shell (careful: go straight for your file, as directory listing is disabled for this one).
We now have a beautiful shell and we can read the user.txt flag.
Snooping around, /etc/passwd reveals that both mysql and mongo are on the box.
Tried with mysql first, nothing. Running "mongo" instead gives us the mongo CLI prompt. Enumerating the DB, there is a backup database containing a user table where we can find the credentials for the user "webdeveloper".
With these credentials we can just kill our reverse shell and open an SSH connection to the box.
Our new user has sudo privileges to run a binary as any other user, including root. Running strings on this binary reveals that it runs the following command:
tar -czvf /root/.backup/sky-backup.tar.gz /var/www/html/*