THM Smol

curtain
#thm  #wordpress  #ssrf  #forensic 

This is a Linux machine with web service provided by WordPress which has a SSRF vulnerability to leak the credentials for web user.

After login into the system as web user, we obtains the hash of the password of another normal user. Subsequently, we utilized forensic techniques to move laterally across users on the system. Ultimately, we discovered that user xavi had configured a sudo rule allowing passwordless execution of arbitrary programs, effectively granting root privileges.

[Read more]

THM Pyrat

curtain
#thm  #fuzz  #forensic 

This machine provide a remote Python REPL environment via a SimpleHTTP service.

We just gain initial access by constructing a simple Python version of a reverse shell.

After conducting a thorough search of the system (targeting users with login shells), we discovered that one user maintained a Git repository containing their login credentials. Subsquently, uncovered clues within the Git logs pointing to the remote REPL environment. This led us to further fuzz the environment hidden endpoint and its password, ultimately gaining root privilege.

[Read more]

THM Chronicle

curtain
#thm  #fuzz  #suid  #api_vuln  #browser_decrypt  #lateral_movement  #ret2libc 

This is a Linux machine with ssh and two different web services enabled. One of the web services had an API vulnerability that could leak user credentials (though it required a key). Coincidentally, another service had a source code disclosure vulnerability. We found the required key in the Git logs, thereby obtaining SSH login credentials.

Subsequently, by decrypting Firefox browser data, we acquired credentials for another user for lateral movement.

Within their home directory, we discovered a SUID program with a buffer overflow vulnerability and weak security protections. We exploited this using ret2libc to gain root privilege.

[Read more]

THM Lookup

curtain
#thm  #fuzz  #suid  #cmd_injection 

This is a Linux machine with ssh and web services. According to the different responses are generated based on different credentials, we can fuzz the credentials for login.php. After login into the system, there is version disclose of the platform. We leverage it to get foothold.

First of all, we are a low-privilege (www-data) user. Fortunately, there is a dedicated SUID program reserved for us to read password of the user (think).

After that, we can discovery that there is a sudo rule for us to read arbitrary files. We can steal the root's ssh private key!!

[Read more]