Today I’ll be going over a CTF I recently completed on TryHackMe called “Ollie”, apparently named after 0day‘s dog. This is a medium level room, and can be found HERE. This room will involve exploiting an SQL injection CVE to gain a reverse shell on the target system, then exploiting a system timer misconfiguration to escalate to root. Let’s get into it!
Initial Scans and Enumeration
Starting off with a port scan, we see three open ports: 22 (SSH), 80 (HTTP), and 1337. Port 1337 seems interesting in particular due to the strings collected by nmap and the service name (waste?).
Hmm… Let’s try connecting to port 1337 using netcat and see what we can learn.
Interestingly, when we connect to port 1337, it asks us some questions and then gives us credentials for an administration panel. Well, it’s not difficult to figure out where we should go from here. We can navigate to the webpage and use the credentials to log in to the phpIPAM service. Once we are logged in, we see that the website is running phpIPAM v1.4.5.
Doing some research on Google, we find a few different vulnerabilities in various phpIPAM versions, but none for v1.4.5 that will help us. After continuing to dig around with no success, I decided to just try one of the v1.4.4 exploits I found, and thankfully it worked. This particular exploit takes advantage of an SQL injection vulnerability in one of the features of phpIPAM. This post from fluidattacks.com explains the vulnerability and how to exploit it. I decided to use the SQLmap tool to automate some of the work of leveraging the SQL injection to gain Remote Code Execution (RCE). I did so by intercepting a POST request to edit-bgp-mapping-search.php in Burp Suite, saving the request as a text file, then supplying that text file as an argument to SQLmap in order to connect to the target and perform the injection. You can also use the --file-write argument in SQLmap to upload a file to the target, which is exactly what I did. First I opened a netcat listener on the port which I specified in the php reverse shell. Then I uploaded a php reverse shell to the /var/www/html directory on the target, and accessed the httx://ollie.thm/phprevshell.php URL in the browser. This popped a php reverse shell in my terminal.
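From the defender's side, the activity above leaves traces in the web server's access log: a sqlmap user agent, SQL metacharacters aimed at edit-bgp-mapping-search.php, and a request for a .php file that was never part of the deployed application. This added example (not from the room or the phpIPAM project) parses constructed Apache combined-format log lines and tags each of those signals; the /app/admin/routing/ prefix and the KNOWN_PHP allowlist are assumptions.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample log lines (hypothetical IPs and timestamps), Apache combined format.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2023:10:00:01 +0000] "GET /index.php?page=dashboard HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.9 - - [01/Jan/2023:10:00:07 +0000] "POST /app/admin/routing/edit-bgp-mapping-search.php HTTP/1.1" 200 88 "-" "sqlmap/1.6"
10.0.0.9 - - [01/Jan/2023:10:00:09 +0000] "GET /app/admin/routing/edit-bgp-mapping-search.php?subnet=1'%20UNION%20SELECT%201-- HTTP/1.1" 200 88 "-" "Mozilla/5.0"
10.0.0.9 - - [01/Jan/2023:10:00:30 +0000] "GET /phprevshell.php HTTP/1.1" 200 0 "-" "Mozilla/5.0"
"""

_LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) \S+ "[^"]*" "([^"]*)"')
_SQLI_RE = re.compile(r"('|--|/\*|\bunion\b|\bselect\b|\bsleep\(|\bbenchmark\()", re.I)
# Assumed allowlist of .php files that legitimately exist under the web root.
KNOWN_PHP = {"/index.php", "/app/admin/routing/edit-bgp-mapping-search.php"}

def parse_line(line):
    """Split one combined-format line into its fields; None if it does not parse."""
    m = _LINE_RE.match(line)
    if not m:
        return None
    ip, ts, method, path, status, ua = m.groups()
    return {"ip": ip, "ts": ts, "method": method, "path": path, "status": int(status), "ua": ua}

def classify(rec):
    """Return the list of alert tags for one parsed request (empty when nothing is suspicious)."""
    tags = []
    path, _, query = rec["path"].partition("?")
    if "sqlmap" in rec["ua"].lower():
        tags.append("sqlmap-user-agent")
    # POST bodies are not logged, so only the query string can be inspected here;
    # body-level inspection needs a WAF or ModSecurity audit log.
    if path.endswith("edit-bgp-mapping-search.php") and _SQLI_RE.search(unquote_plus(query)):
        tags.append("sqli-pattern-in-query")
    if path.endswith(".php") and path not in KNOWN_PHP and rec["status"] == 200:
        tags.append("unknown-php-served")  # a dropped webshell / reverse shell being fetched
    return tags

def scan(log_text):
    """Run classify() over every line and collect (ip, path, tags) for flagged requests."""
    alerts = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and (tags := classify(rec)):
            alerts.append((rec["ip"], rec["path"].partition("?")[0], tags))
    return alerts
```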
Privilege Escalation to Ollie
Now we need to figure out how to escalate to Ollie. Luckily for us, Ollie is guilty of password reuse! The password that we got from port 1337, which allowed us to log in to the phpIPAM site, is also his user password. Using “su Ollie”, we can supply his user password and change over from the www-data user to Ollie. Now we can work on escalating to root!
Privilege Escalation to Root
From here, we need to enumerate and see if we can find something for us to exploit in pursuit of root access. One thing I’ve learned from doing CTFs is that it is important to always look at what processes are running on the target, as a lot of information can be gained from it. We can do this with the pspy tool.
After waiting for a few minutes, pspy shows a process with an interesting name (feedme) running with root privileges (UID=0). This process also wasn’t running when I first ran pspy; it took a minute or two to come up, leading me to believe it was a cronjob or that it was running on a timer. Let’s investigate further. Using the find command allows us to see exactly where the feedme binary is in the filesystem.
Now that we know the location of the feedme binary, we can open it in the nano text editor and see what’s inside. Oddly enough, there’s really nothing in there. Since we have write privileges, and the binary is being run with root privileges, we can write our own reverse shell command. This will give us a root shell on our machine, which will then allow us to retrieve the user flag and complete the room! Using the reverse shell generator, we can craft this shell command.
Now we need to open a netcat listener on the same port that we specified in that reverse shell command, and wait until the feedme binary is run again. Once that happens, we should have a reverse shell with root privileges.
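The root cause here is a root-run unit whose executable is writable by unprivileged users. As an added example (not part of the room or any project), the audit below parses systemd service units, resolves their Exec* targets and reports any target with group or world write bits set; demo() builds a constructed layout with hypothetical unit and binary names so it runs offline.

```python
import os
import re
import stat
import tempfile
from pathlib import Path

# Exec*=/path [args]; systemd allows prefixes such as '-', '@', '+' or '!' before the path.
_EXEC_RE = re.compile(r"^\s*Exec(?:Start|StartPre|StartPost|Stop)=\s*[-@+!:]*(\S+)", re.M)

def writable_by_others(path: str) -> bool:
    """True when group or world write bits are set, i.e. non-owners can replace the file."""
    try:
        mode = os.stat(path).st_mode
    except FileNotFoundError:
        return False  # a dangling ExecStart is a separate finding, not flagged here
    return bool(mode & (stat.S_IWGRP | stat.S_IWOTH))

def parse_exec_paths(unit_text: str) -> list[str]:
    """Extract every executable referenced by Exec* lines of a unit file."""
    return _EXEC_RE.findall(unit_text)

def audit_units(unit_dir: str) -> list[tuple[str, str]]:
    """Return (unit file name, executable) pairs whose executable is writable by group/others."""
    findings = []
    for unit in sorted(Path(unit_dir).glob("*.service")):
        for exe in parse_exec_paths(unit.read_text()):
            if writable_by_others(exe):
                findings.append((unit.name, exe))
    return findings

def demo() -> list[tuple[str, str]]:
    """Constructed layout (hypothetical names): one world-writable target, one correctly set 0755."""
    root = Path(tempfile.mkdtemp())
    bad = root / "feedme"      # constructed stand-in for the room's writable root-run binary
    good = root / "safe-job"   # constructed: root-owned 0755 is the expected state
    bad.write_text("#!/bin/sh\n")
    os.chmod(bad, 0o777)
    good.write_text("#!/bin/sh\n")
    os.chmod(good, 0o755)
    units = root / "system"
    units.mkdir()
    (units / "feedme.service").write_text(f"[Service]\nExecStart={bad}\n")
    (units / "safe.service").write_text(f"[Service]\nExecStart=-{good} --quiet\n")
    return audit_units(str(units))
```

On a real host, point audit_units() at /etc/systemd/system and /usr/lib/systemd/system; cron entries need the same check on the scripts they invoke.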
Now submit that root flag and get those points!
Conclusion and Takeaways
This was another really fun CTF and it helped reinforce some important lessons, not only for completing CTFs but also practical security tips and practices that should be implemented in real life. The first: always know what vulnerabilities may be present in software and services running on your systems. We saw this when we found that the phpIPAM service had functionality that was vulnerable to SQL injection. This service either shouldn’t have been exposed to the internet at all, or some form of compensating control should have been implemented, such as a Web Application Firewall (WAF), which could block the SQL injection attempts. The second lesson is password reuse. The password that we used to log in to the phpIPAM service was also Ollie’s user password. Although convenient, this is also dangerous because an attacker can (and probably will) try to reuse the password elsewhere in the environment as they attempt to expand their access. Bottom line: use different passwords for different services and systems. Finally, privileged processes, binaries, etc. need to be carefully managed and monitored. A binary which is run with root privileges, like the feedme binary in this CTF, should not allow any non-administrative users write access. Doing so allows an attacker to modify the binary and take malicious actions with it, like escalating their privileges on the target system.
I hope you enjoyed this writeup and got some value from it, and I hope you come back to read some more writeups/blog posts in the future as well. Feel free to share this post and other posts from my blog if you think others would also like it. Thank you!