# The London Bridge

{% embed url="<https://tryhackme.com/r/room/thelondonbridge>" %}
Room Link
{% endembed %}

This work by Manav G Krishna is licensed under [CC BY-NC 4.0](http://creativecommons.org/licenses/by-nc/4.0/?ref=chooser-v1) <img src="/files/fgutP6VmsOsVHYVe8Cfh" alt="" data-size="line"><img src="/files/J1FStDkVaABJlaGdbdeX" alt="" data-size="line">

**`Machine IP`**: 10.10.139.115

**`Hosts file entry`**: echo '10.10.139.115 london.thm' | sudo tee -a /etc/hosts

**`Nmap Scan`**:&#x20;

```bash
nmap -p- -A -v --min-rate 100 -oN londonbridge_thm -Pn london.thm

Nmap scan report for london.thm (10.10.139.115)
Host is up (0.15s latency).
Not shown: 65533 closed tcp ports (reset)
PORT     STATE SERVICE    VERSION
22/tcp   open  ssh        OpenSSH 7.6p1 Ubuntu 4ubuntu0.7 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 58:c1:e4:79:ca:70:bc:3b:8d:b8:22:17:2f:62:1a:34 (RSA)
|   256 2a:b4:1f:2c:72:35:7a:c3:7a:5c:7d:47:d6:d0:73:c8 (ECDSA)
|_  256 1c:7e:d2:c9:dd:c2:e4:ac:11:7e:45:6a:2f:44:af:0f (ED25519)
8080/tcp open  http-proxy gunicorn
| http-methods: 
|_  Supported Methods: GET OPTIONS HEAD
|_http-server-header: gunicorn
|_http-title: Explore London
| fingerprint-strings: 
|   GetRequest: 
|     HTTP/1.0 200 OK
|     Server: gunicorn
|     Date: Sat, 28 Sep 2024 07:39:33 GMT
|     Connection: close
|     Content-Type: text/html; charset=utf-8
|     Content-Length: 2682
|     <!DOCTYPE html>
|     <html lang="en">
|     <head>
|     <meta charset="UTF-8">
|     <meta name="viewport" content="width=device-width, initial-scale=1.0">
|     <title>Explore London</title>
|     <style>
|     body {
|     font-family: Arial, sans-serif;
|     margin: 0;
|     padding: 0;
|     background-color: #f2f2f2;
|     header {
|     background-color: #333;
|     color: #fff;
|     padding: 10px 20px;
|     text-align: center;
|     background-color: #444;
|     color: #fff;
|     padding: 10px 20px;
|     text-align: center;
|     color: #fff;
|     text-decoration: none;
|     margin: 0 10p
|   HTTPOptions: 
|     HTTP/1.0 200 OK
|     Server: gunicorn
|     Date: Sat, 28 Sep 2024 07:39:34 GMT
|     Connection: close
|     Content-Type: text/html; charset=utf-8
|     Allow: GET, OPTIONS, HEAD
|_    Content-Length: 0
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port8080-TCP:V=7.94SVN%I=7%D=9/28%Time=66F7B2B6%P=x86_64-pc-linux-gnu%r
SF:(GetRequest,B15,"HTTP/1\.0\x20200\x20OK\r\nServer:\x20gunicorn\r\nDate:
SF:\x20Sat,\x2028\x20Sep\x202024\x2007:39:33\x20GMT\r\nConnection:\x20clos
SF:e\r\nContent-Type:\x20text/html;\x20charset=utf-8\r\nContent-Length:\x2
SF:02682\r\n\r\n<!DOCTYPE\x20html>\n<html\x20lang=\"en\">\n<head>\n\x20\x2
SF:0\x20\x20<meta\x20charset=\"UTF-8\">\n\x20\x20\x20\x20<meta\x20name=\"v
SF:iewport\"\x20content=\"width=device-width,\x20initial-scale=1\.0\">\n\x
SF:20\x20\x20\x20<title>Explore\x20London</title>\n\x20\x20\x20\x20<style>
SF:\n\x20\x20\x20\x20\x20\x20\x20\x20body\x20{\n\x20\x20\x20\x20\x20\x20\x
SF:20\x20\x20\x20\x20\x20font-family:\x20Arial,\x20sans-serif;\n\x20\x20\x
SF:20\x20\x20\x20\x20\x20\x20\x20\x20\x20margin:\x200;\n\x20\x20\x20\x20\x
SF:20\x20\x20\x20\x20\x20\x20\x20padding:\x200;\n\x20\x20\x20\x20\x20\x20\
SF:x20\x20\x20\x20\x20\x20background-color:\x20#f2f2f2;\n\x20\x20\x20\x20\
SF:x20\x20\x20\x20}\n\x20\x20\x20\x20\x20\x20\x20\x20header\x20{\n\x20\x20
SF:\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20background-color:\x20#333;\n\x2
SF:0\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20color:\x20#fff;\n\x20\x20\
SF:x20\x20\x20\x20\x20\x20\x20\x20\x20\x20padding:\x2010px\x2020px;\n\x20\
SF:x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20text-align:\x20center;\n\x20
SF:\x20\x20\x20\x20\x20\x20\x20}\n\x20\x20\x20\x20\x20\x20\x20\x20nav\x20{
SF:\n\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20background-color:\x20
SF:#444;\n\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20color:\x20#fff;\
SF:n\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20padding:\x2010px\x2020
SF:px;\n\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20text-align:\x20cen
SF:ter;\n\x20\x20\x20\x20\x20\x20\x20\x20}\n\x20\x20\x20\x20\x20\x20\x20\x
SF:20nav\x20a\x20{\n\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20color:
SF:\x20#fff;\n\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20text-decorat
SF:ion:\x20none;\n\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20margin:\
SF:x200\x2010p")%r(HTTPOptions,B3,"HTTP/1\.0\x20200\x20OK\r\nServer:\x20gu
SF:nicorn\r\nDate:\x20Sat,\x2028\x20Sep\x202024\x2007:39:34\x20GMT\r\nConn
SF:ection:\x20close\r\nContent-Type:\x20text/html;\x20charset=utf-8\r\nAll
SF:ow:\x20GET,\x20OPTIONS,\x20HEAD\r\nContent-Length:\x200\r\n\r\n");
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
TCP/IP fingerprint:
OS:SCAN(V=7.94SVN%E=4%D=9/28%OT=22%CT=1%CU=43300%PV=Y%DS=2%DC=T%G=Y%TM=66F7
OS:B347%P=x86_64-pc-linux-gnu)SEQ(SP=105%GCD=1%ISR=10A%TI=Z%CI=Z%II=I%TS=A)
OS:OPS(O1=M508ST11NW7%O2=M508ST11NW7%O3=M508NNT11NW7%O4=M508ST11NW7%O5=M508
OS:ST11NW7%O6=M508ST11)WIN(W1=F4B3%W2=F4B3%W3=F4B3%W4=F4B3%W5=F4B3%W6=F4B3)
OS:ECN(R=Y%DF=Y%T=40%W=F507%O=M508NNSNW7%CC=Y%Q=)T1(R=Y%DF=Y%T=40%S=O%A=S+%
OS:F=AS%RD=0%Q=)T2(R=N)T3(R=N)T4(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)T
OS:5(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)T6(R=Y%DF=Y%T=40%W=0%S=A%A=
OS:Z%F=R%O=%RD=0%Q=)T7(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)U1(R=Y%DF
OS:=N%T=40%IPL=164%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=G%RUD=G)IE(R=Y%DFI=N%T=40
OS:%CD=S)

Uptime guess: 17.234 days (since Wed Sep 11 07:34:34 2024)
Network Distance: 2 hops
TCP Sequence Prediction: Difficulty=261 (Good luck!)
IP ID Sequence Generation: All zeros
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE (using port 995/tcp)
HOP RTT       ADDRESS
1   146.14 ms 10.11.0.1
2   146.68 ms london.thm (10.10.139.115)
```

The scan results show that we have two ports open, that is port **`22`** & **`8080`** .&#x20;

### Enumeration

**`Checking out port 8080`**:

<div align="left"><figure><img src="/files/ZrRsAOfmvU4YvyNZEtxX" alt=""><figcaption></figcaption></figure></div>

From the **`source code`** of the page, we can see that the only functioning options containing links are **`Gallery`** & **`Contact`**:

<div align="left"><figure><img src="/files/EuOHjObphSfvd1O9y8pn" alt="" width="364"><figcaption></figcaption></figure></div>

<figure><img src="/files/VUacLhOA3rf9PNFScu6t" alt=""><figcaption></figcaption></figure>

<figure><img src="/files/LSj9iZhj3mGMD7S6FtYR" alt=""><figcaption></figcaption></figure>

We can now test for **`XSS`** in the **`Contact Us`** form:

<div align="left"><figure><img src="/files/gLNIVL9Cu3twiR9rA1MK" alt="" width="563"><figcaption></figcaption></figure></div>

Now let's set up a **`netcat`** listener on port **`80`**. If the above payload works after clicking on `Submit` we should be getting a connection back on our listener which shows that the server has reached out to our machine. The **`IP`** specified in the payload is the **`tun0`** interface **`IP`**.

<figure><img src="/files/q1kCN397PNVjuy5LERME" alt=""><figcaption></figcaption></figure>

But unfortunately, we don't get any connection on the listener.

We can now check out the **`Upload`** option that we have on the **`Gallery`** page by uploading an image:

<div align="left"><figure><img src="/files/l9mlCU0qEKtNfanFkCpX" alt="" width="374"><figcaption></figcaption></figure></div>

<figure><img src="/files/vy8NUsK8baVXdi1fxTuJ" alt=""><figcaption></figcaption></figure>

![](/files/AoMqBpkxrBxwP6w9ECcQ)

As we can see the image gets uploaded successfully within the **`/uploads`** path.  The source code of the **`/gallery`** page shows the same and we also have this note:

<figure><img src="/files/Ai26kIXBR2tKt92jX1nI" alt=""><figcaption></figcaption></figure>

&#x20;Let us try to put some other file format for example a **`PHP`** file to see how the feature reacts:

<div align="left"><figure><img src="/files/w9XL3knveF39dlkDWa6d" alt="" width="335"><figcaption></figcaption></figure></div>

<div align="left"><figure><img src="/files/Gbwzs9gkxKTPibxu2jPB" alt="" width="405"><figcaption></figcaption></figure></div>

Based on the response, we cannot upload any file that isn't an **`image`**.  I will be directly jumping to the point that none of the file upload bypasses had worked here and there was no good information from any of the already present images metadata. This wasn't the correct path to go further into solving the room.

We can now do some **`directory busting`**.

**`Directory Busting`**:

**`Command`**:

```bash
dirsearch -u http://london.thm:8080/ -w /usr/share/wordlists/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt
```

<figure><img src="/files/C5vVKx1cgUFJh3RvifHK" alt=""><figcaption></figcaption></figure>

There is a path named **`/dejaview`**. We can check this out:

<figure><img src="/files/DJZhUUgtTg80JHng0GBs" alt=""><figcaption></figcaption></figure>

We have a box where we could enter an **`image URL`** and then it would show us the image. Trying out the same with our previously uploaded **`car.jpeg`** image (**`http://london.thm:8080/uploads/car.jpeg`**):

<div align="left"><figure><img src="/files/DTy3w829jEuJnNRVravT" alt="" width="197"><figcaption></figcaption></figure></div>

<div align="left"><figure><img src="/files/qyBJ6SVsJfOLAlgNY625" alt="" width="332"><figcaption></figcaption></figure></div>

And it gives us the image. But the note in the **`Gallery`** page's source code said we could add images using links which is not the case here. So that likely means that the devs might not have implemented this feature yet.

But we have a box wherein we can enter a **`URL`**. The first thing that comes to mind is **`SSRF`** (**`Server-Side Request Forgery`**).

### Exploitation

Intercepting the **`View Image`** request in **`Burp`**:

<figure><img src="/files/Q6vbanheMEvk4tTjmmES" alt=""><figcaption></figcaption></figure>

There is a **`parameter`** named **`image_url`**. We can test for **`SSRF`** here by seeing if the server is reaching out to our **`attacker machine`** (The same setup that we had done before while testing for **`XSS`** applies here too).

<figure><img src="/files/jOJn5Jx3T5jH58EsnUSf" alt=""><figcaption></figcaption></figure>

The value is **`URL encoded`**. But we don't get any hit on the listener on port **`80`**. This is where the **`Hint`** given to us for the room comes in handy.

<div align="left"><figure><img src="/files/DDkNIEN4dmbYQ1AVXRFz" alt="" width="423"><figcaption></figcaption></figure></div>

It tells us to check for **`other parameters`** apart from the one that we already know, that being - **`image_url`**.

To find **`parameters`** we can make use of a tool called **`Arjun`** and the same can be done using tools like **`wfuzz`**, **`ffuf`** etc.&#x20;

**`Using wfuzz`**:

Firstly we have to fetch a **`wordlist`**:

<div align="left"><figure><img src="/files/Mu1M5h3ueZEv3cAhnai9" alt="" width="449"><figcaption></figcaption></figure></div>

<div align="left"><figure><img src="/files/ioW3jvnBl3FvygvdpPEH" alt="" width="518"><figcaption></figcaption></figure></div>

{% embed url="<https://github.com/maverickNerd/wordlists>" %}

{% embed url="<https://github.com/maverickNerd/wordlists/blob/master/params.txt>" %}
Wordlist
{% endembed %}

Save this to a file called **`params.txt`** or just clone the repo.

**`Command`**:

```bash
wfuzz -c -z file,params.txt --hc 404 --hl 32 -d "FUZZ=value" http://london.thm:8080/view_image
```

<figure><img src="/files/7jfHrjr2SulHAqWy59To" alt=""><figcaption></figcaption></figure>

**`Using Arjun`**:

{% embed url="<https://github.com/s0md3v/Arjun>" %}
Arjun
{% endembed %}

**`Command`**:

```bash
arjun -u http://london.thm:8080/view_image -m POST
```

<figure><img src="/files/1gATeeO2gAAzrHxLZxvD" alt=""><figcaption></figcaption></figure>

We have found another **`parameter`** named - **`www`**.

Let us now try **`SSRF`** by using this newly found **`parameter`** in the request:

<figure><img src="/files/S36wMiQOY4Wk0ETqzDKz" alt=""><figcaption></figcaption></figure>

<figure><img src="/files/v9uEqkFqjiRukZNK2jSB" alt=""><figcaption></figcaption></figure>

And the server reached out to us. We now have a **`successful SSRF`**.

Let us try connecting to the **`localhost`** of the target machine now:

<figure><img src="/files/0F6JLZMLgXHYvpVaWdNq" alt=""><figcaption></figcaption></figure>

<figure><img src="/files/g9C1541CIFdN1ae9AAQG" alt=""><figcaption></figcaption></figure>

But it gives us a **`403 Forbidden`** error. Upon replacing **`127.0.0.1`** with **`localhost`** too we end up getting the same response. This likely means that there is something on the target machine preventing us from using the **`traditional methods`** to connect to the localhost via ways like using: **`127.0.0.1`**, **`localhost`** etc.

Let us now try **`127.0.1`**. This is one of the many **`block list bypass`** techniques that can be used to connect to **`localhost`**.

<figure><img src="/files/O1KtVI8043xFfPGFP0Ky" alt=""><figcaption></figcaption></figure>

<figure><img src="/files/uxHaFtt8WftJMrqMHVrf" alt=""><figcaption></figcaption></figure>

<figure><img src="/files/ow4ibLxRydh5LI51bA7a" alt=""><figcaption></figcaption></figure>

And it worked. This means port **`80`** is **`open`**. This: **`http://127.0.1`**, is the same as doing a **`http://127.0.1:80`**.

For the sake of the writeup let us go ahead and ignore the information that we now know about port **`80`** being **`open`**. Assume it wasn't **`80`** and if we had to find out other **`internally open ports`**. The below section explains how this can be achieved through a **`Python script`** and also via **`wfuzz`**.

**`SSRF Port Scanning Python script`**:

```python
import requests
from termcolor import colored

def parse_ports(port_input):

    ports = set()  
    for part in port_input.split():
        if '-' in part:  
            start, end = map(int, part.split('-'))
            ports.update(range(start, end + 1))  
        else:
            ports.add(int(part))  
    return sorted(ports)  

def SSRF_TEST(url, param_name, param_value_template, port_list):
    for port in port_list:
        
        formatted_data = {param_name: param_value_template.replace("[port]", str(port))}  # Replace placeholder with port
        try:
            
            result = requests.post(url, data=formatted_data, timeout=1)
            
            if result.status_code == 200:
                print(colored('[*]', 'green'), "port %s" % port, colored("open", "green"))
            else:
                print(colored('[!]', 'red'), "port %s" % port, colored("closed", "red"))
        except requests.RequestException:
            print(colored('[!]', 'red'), "port %s" % port, colored("could not be reached", "yellow"))

if __name__ == "__main__":
    
    url = input("Enter the URL: ")
    param_name = input("Enter the parameter name: ")
    param_value_template = input("Enter the value for the parameter (use [port] as a placeholder for the port): ")
    
    
    port_input = input("Enter the list of ports or ranges, separated by spaces: ")
    port_list = parse_ports(port_input)

    
    SSRF_TEST(url, param_name, param_value_template, port_list)

```

<figure><img src="/files/GMCsHKnjgoEsYJibOkCg" alt=""><figcaption></figcaption></figure>

<div align="left"><figure><img src="/files/OT3mxsaGRmtbMYlET4Q4" alt="" width="172"><figcaption></figcaption></figure></div>

<div align="left"><figure><img src="/files/aSum3i0oBhGtnMYLq6zm" alt="" width="173"><figcaption></figcaption></figure></div>

The ports can also be specified in this manner: **`80 85 8080-8085`**.&#x20;

But anyways we now know that ports such as **`80`**, **`8080`**, etc. are open. The 8080 is nothing but the **`web server`** itself that we are able to access **`externally`**.

**`Using wfuzz`**:

We need to first create a **`wordlist`** containing a few of the most **`common ports`**:

<figure><img src="/files/IqZzuhKeULWNaRFXbFKX" alt=""><figcaption></figcaption></figure>

**`Command`**:

```bash
wfuzz -c -z file,common_ports --hc 403,404 -d "www=http://127.0.1:FUZZ" http://london.thm:8080/view_image
```

<figure><img src="/files/1xVYcbw9crGFDoVQM5XZ" alt=""><figcaption></figcaption></figure>

Now that we've confirmed port **`80`** is **`open`** and serving content, we can proceed to explore potential **`directories`** that may be accessible within it.

### Foothold

**`Using wfuzz`**:

Firstly we have to fetch a **`wordlist`** that contains **`directory paths`**:

<div align="left"><figure><img src="/files/rGWxjWMuTED6eUmlfVLD" alt="" width="339"><figcaption></figcaption></figure></div>

<div align="left"><figure><img src="/files/ax7PmLsnSbEJs93cehcT" alt="" width="554"><figcaption></figcaption></figure></div>

{% embed url="<https://github.com/Twibow/Pentest-WordLists/blob/master/directory_wordlist.txt>" %}
Wordlist
{% endembed %}

A few entries:

<div align="left"><figure><img src="/files/kTluEBoTORkpIz4mksO5" alt="" width="563"><figcaption></figcaption></figure></div>

**`Command`**:

```bash
wfuzz -z file,dir_wordlist -d "www=http://127.0.1/FUZZ" --hc 404 --hl 14 http://london.thm:8080/view_image
```

<figure><img src="/files/kByU3fuNgGH1Z9sq7gHG" alt=""><figcaption></figcaption></figure>

We get a good amount of **`valid hits`**, **`.ssh`** being the most interesting. Let us check it out:

<figure><img src="/files/5TzfcQVB81cWOZQOoZvK" alt=""><figcaption></figcaption></figure>

<figure><img src="/files/MO5P7GT9A8W5pg3y552V" alt=""><figcaption></figcaption></figure>

The private (**`id_rsa`**) and the public key (**`authorized_keys`**) is present within the **`.ssh`** directory.

We can now read the contents of it:

<figure><img src="/files/MCLfg0aELRqWWtRWI7sc" alt=""><figcaption></figcaption></figure>

<figure><img src="/files/TMMtk6DCC7gz5GoJbWVU" alt=""><figcaption></figcaption></figure>

The public key shows that the private key possibly belongs to a user named **`beth`**.

<figure><img src="/files/Gmx1tEp8eJYmIGA5hdJY" alt=""><figcaption></figcaption></figure>

<figure><img src="/files/8ZnH4SLGSEAWCSr6NrAA" alt=""><figcaption></figcaption></figure>

Now we can possibly **`SSH`** in as beth, post putting the private key to a file on our **`attacker machine`**.

**`Command`**:

```bash
chmod 400 id_rsa_beth && ssh beth@london.thm -i id_rsa_beth
```

<figure><img src="/files/cAEv1ngjdu3D3OTVf2EQ" alt=""><figcaption></figcaption></figure>

We indeed get in.&#x20;

In the home directory, we don't see the **`user flag`**.&#x20;

**`Finding the flag`**:

<div align="left"><figure><img src="/files/VwiOP3NO0KKjQ7tfCZ6L" alt="" width="471"><figcaption></figcaption></figure></div>

There is also an **`app.py`** and here we can see the lines of code that were **`blocklisting`** common ways **`localhost`** could be accessed via:

<figure><img src="/files/q3s8YJvudUyTf6l71txd" alt=""><figcaption></figcaption></figure>

<figure><img src="/files/sMSShu5dNiiPch1GqjL6" alt=""><figcaption></figcaption></figure>

So using: **`localhost`**, **`127.0.0.1`** & **`0.0.0.0`** were **`blocked`**.

### Further Enumeration

No significant findings were discovered during the manual traversal of various directories and files. So we can now run **`linpeas`**.&#x20;

It can be placed in the **`/tmp`** directory as it is universally writeable:

<figure><img src="/files/7kkBEuqokTITMQ0iNbon" alt=""><figcaption></figcaption></figure>

<figure><img src="/files/EBWXGpgkUdclIqpitmeq" alt=""><figcaption></figcaption></figure>

**`Important information from the output`**:

<figure><img src="/files/UYt07ZqZGIaYi7SNYvVR" alt=""><figcaption></figcaption></figure>

Kernel **`version`** being **`4.15.0-112-generic`**.

**`Linux exploit suggester`** suggested exploits can also be checked out, this can come in handy as we couldn't find anything else on the machine that would potentially help us **`privilege escalate`**. So **`kernel exploits`** might be the way to **`root`**.

<figure><img src="/files/SZ7oNwFr5qKYuIZbJVkZ" alt=""><figcaption></figcaption></figure>

At this point, we can start by looking for **`exploits`** based on the exact **`kernel version`**.

<figure><img src="/files/Bx9KdpEMCqjooduoXZA9" alt=""><figcaption></figcaption></figure>

We have **`two`** results from **`Exploit-DB`**. The first result is for **`CVE-2018-18955`**. **`Linpeas`** too had suggested the same exploit and also the **`affected kernel version`** starting range is a close match to what we are having on our **`target machine`**. So this is something worth trying out. The result below is for **`CVE-2019-13272`** and it says affected versions start from **`4.10`** and our version fits well within the range. This can be tried out too.

The final result shows a **`GitHub`** exploit, **`CVE-2023-6546`**, which too is an **`LPE`** exploit.&#x20;

{% embed url="<https://github.com/Nassim-Asrir/ZDI-24-020>" %}
CVE-2023-6546
{% endembed %}

Following are the **`two`** main reasons this exploit might end up working:

**`First reason`**:

<figure><img src="/files/ppETmESHkmXKL8D2k3HA" alt=""><figcaption></figcaption></figure>

This is a close match with our **`OS`**:

<div align="left"><figure><img src="/files/ws790p2uoz991unD8idk" alt=""><figcaption></figcaption></figure></div>

The same can also be seen in the **`linpeas`** output.

**`Second reason`**:

<figure><img src="/files/6GOjTJ8YxQUVfWK0fq1L" alt=""><figcaption></figcaption></figure>

It is the same **`Kernel`** for us too.

### Privilege Escalation

**`Trying out CVE-2023-6546`**:

**`Command`**:

```bash
git clone https://github.com/Nassim-Asrir/ZDI-24-020 && cd ZDI-24-020
```

Editing the **`Makefile`** from this:

<div align="left"><figure><img src="/files/upRPeD9hTKvOydwslnP7" alt=""><figcaption></figcaption></figure></div>

To this (**`adding the -static switch`**):

<figure><img src="/files/Qe1FT4FUQ6stzwIX5Ntn" alt=""><figcaption></figcaption></figure>

Using the **`-static`** switch when compiling with **`gcc`** creates a statically linked executable. This means that all **`necessary libraries`** (like glibc) are included **`directly within`** the executable itself, rather than relying on these **`shared libraries`** at **`runtime`** on the **`target machine`** that it would be run on. This is done to avoid any runtime errors that might occur due to the needed **`glibc version`** not being found on the target, etc.&#x20;

If it is possible to **`compile`** the **`exploit code`** on the **`target machine`**, then that would work too.

**`Compiling the exploit code via make, serving it and running it on the target machine`**:

<figure><img src="/files/WsGRdrCDSNyY242EVSB9" alt=""><figcaption></figcaption></figure>

<figure><img src="/files/EcTMHddcjnoGpDtWs7eX" alt=""><figcaption></figcaption></figure>

<figure><img src="/files/xf4s69eDBJ7WMvN7ZNf9" alt=""><figcaption></figcaption></figure>

<div align="left"><figure><img src="/files/NyDQcnop5bUoRfFPmlaV" alt=""><figcaption></figcaption></figure></div>

We run the exploit using the **`ubuntu`** argument and we are **`root`**.

I had further checked out **`CVE-2019-13272`** but found that the **`kernel`** we have was **`not tested`** for this **`vulnerability`**. Nevertheless, I attempted to exploit it, but unfortunately, it **`did not`** work.

Now finally moving on to **`CVE-2018-18955`**:

{% embed url="<https://github.com/bcoles/kernel-exploits>" %}

After cloning the repo:

<figure><img src="/files/f1fe1VVnINAzR2ARH2BR" alt=""><figcaption></figcaption></figure>

We can send the entire directory to the **`target machine`** like so:

<figure><img src="/files/BVoFgRKhKFOa0AzSPqKM" alt=""><figcaption></figcaption></figure>

<figure><img src="/files/bpPaiMopcaegPNc9esqi" alt=""><figcaption></figcaption></figure>

<figure><img src="/files/pOP7tTOOyHGAltCidp9d" alt=""><figcaption></figcaption></figure>

<figure><img src="/files/d00zIV3J8QUX0fzoISGp" alt=""><figcaption></figcaption></figure>

Out of the above-marked exploit scripts only the **`exploit.dbus.sh`** worked. Showing the same:

<div align="left"><figure><img src="/files/LJyW3gTpCXqxzX7O1UW8" alt=""><figcaption></figcaption></figure></div>

The reason why the **`dbus`** script worked is due to the **`SUID`** bit set on **`dbus-daemon-launch-helper`**. By default, this binary will have the bit set as part of the **`dbus`** package.

**`Command`**:

```bash
find / -perm -u=s -type f 2>/dev/null   //To find binaries that have the SUID bit set
```

<figure><img src="/files/xYHVhKSrPgWZOUKtvHS2" alt=""><figcaption></figcaption></figure>

The **`root flag`** can be fetched from the **`/root`** directory:

<figure><img src="/files/UfzrG6zbpoOFMp7XRo5U" alt=""><figcaption></figcaption></figure>

Now for this **`question`**:

<div align="left"><figure><img src="/files/uyOKa03s83oZlhU5xJ5t" alt=""><figcaption></figcaption></figure></div>

There is no direct way we could laterally move from **`beth`** to **`charles`** on this machine, so we had to get to **`root`** first.

<figure><img src="/files/TD9lrnwZ7xx7Z6BvFuOR" alt=""><figcaption></figcaption></figure>

We see a **`.mozilla`** directory.

<figure><img src="/files/7z3ccWJXgMNjPEThsMh0" alt=""><figcaption></figcaption></figure>

And there is a **`Firefox profile`** named **`8k3bf3zp.charles`**. Such profiles will usually have **`stored encrypted credentials`**.

<figure><img src="/files/uIl1nxMCCyE86QCW4RiQ" alt=""><figcaption></figcaption></figure>

We can see that the most important file, that is **`logins.json`** is present. The presence of this file indicates that we can go ahead with **`decrypting`** the **`encrypted password`**.

Both **`logins.json`** and **`key4.db`** are needed to **`decrypt`** the **`saved passwords`** in **`Firefox`**:

* **`logins.json`**: Contains the encrypted passwords and associated usernames.
* **`key4.db`**: Contains the encryption keys used to encrypt and decrypt the passwords in **`logins.json`**.

For **`decrypting`**, we can make use of this tool:

{% embed url="<https://github.com/unode/firefox_decrypt>" %}

Downloading the **`profile`** to our **`attacker machine`**:

<figure><img src="/files/O7BVPETHTCeXUZCfy4gS" alt=""><figcaption></figcaption></figure>

<figure><img src="/files/8x6ahAkk5z1JBuzBblG0" alt=""><figcaption></figcaption></figure>

Cloning the repo and **`running`** the tool:

<figure><img src="/files/svPnMGZiKJ0Op1FczTWj" alt=""><figcaption></figcaption></figure>

<figure><img src="/files/fXGu3J5ZYyxdjh8xChWD" alt=""><figcaption></figcaption></figure>

And we get the **`decrypted password`** for **`charles`**.

Room solved!!

{% embed url="<https://tryhackme.com/p/gravereaper2038>" %}
Profile Link
{% endembed %}


---

# Agent Instructions: Querying This Documentation

If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter:

```
GET https://manav-g-krishna.gitbook.io/tryhackme-writeups/the-london-bridge.md?ask=<question>
```

The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.