This is THM: Road.
Inspired by a real-world pentesting engagement, rated Medium.
Ports
SSH and HTTP only, so we’ll assume we’re looking to compromise the website.
Clicking around the site, we find a courier company’s website where we can register an account:
And then log in. Once we’re logged in, we can poke around; most of the links are disabled, but we do have an option to reset our password:
And if we look at our profile:
GET /v2/profile.php HTTP/1.1
We see there is an option to upload a profile picture, but there is a message:
Right now, only admin has access to this feature. Please drop an email to admin@sky.thm in case of any changes.
So, of course we use the password reset feature with the admin username, right?!
And we get this response:
And now we are admin, which means we can upload a profile picture:
But where do we find it? This is where the Burp Suite ‘Target’ tab comes in handy:
http://10.10.55.104/v2/profileimages/
We have no directory listing, so let’s try:
http://10.10.55.104/v2/profileimages/shell.php
Boom.
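The upload above works because the application stores whatever filename the client sends straight into the web root. The following is an added example (not code from the room or from the author) of how a profile-picture upload handler can refuse that: an extension allowlist checked against the file’s magic bytes, a size limit, and a server-generated filename so a client-chosen name such as `shell.php` never reaches disk. The 2 MiB limit and the `ALLOWED_TYPES` table are assumptions for this example.

```python
import os
import secrets

# Allowlist of image types, keyed by extension, with the leading bytes a
# genuine file of that type must start with (constructed for this example).
ALLOWED_TYPES = {
    ".png": [b"\x89PNG\r\n\x1a\n"],
    ".jpg": [b"\xff\xd8\xff"],
    ".jpeg": [b"\xff\xd8\xff"],
    ".gif": [b"GIF87a", b"GIF89a"],
}
MAX_BYTES = 2 * 1024 * 1024  # assumed limit: 2 MiB per profile picture


class UploadRejected(ValueError):
    """Raised when an upload fails validation; the message is safe to log."""


def validate_profile_image(filename: str, data: bytes) -> str:
    """Return the allow-listed extension for an acceptable upload, or raise.

    The client-supplied name is used only to read its extension; the stored
    name is generated separately, so neither 'shell.php' nor a double
    extension like 'a.php.png' ends up on disk under an attacker-chosen name.
    """
    if len(data) > MAX_BYTES:
        raise UploadRejected("file too large")
    base = os.path.basename(filename)  # drop any directory components
    ext = os.path.splitext(base)[1].lower()
    if ext not in ALLOWED_TYPES:
        raise UploadRejected(f"extension {ext!r} not allowed")
    if not any(data.startswith(magic) for magic in ALLOWED_TYPES[ext]):
        raise UploadRejected("content does not match declared image type")
    return ext


def is_acceptable(filename: str, data: bytes) -> bool:
    """Boolean wrapper around validate_profile_image for callers and tests."""
    try:
        validate_profile_image(filename, data)
        return True
    except UploadRejected:
        return False


def store_profile_image(upload_dir: str, filename: str, data: bytes) -> str:
    """Validate, then write under a random server-chosen name; return that name."""
    ext = validate_profile_image(filename, data)
    new_name = secrets.token_hex(16) + ext
    os.makedirs(upload_dir, exist_ok=True)
    with open(os.path.join(upload_dir, new_name), "wb") as fh:
        fh.write(data)
    return new_name
```

Serving the upload directory with script execution disabled (no PHP handler for it) is the second half of the defence; the rename alone does not help if the directory still executes whatever lands there.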
Next
LinPEAS says we have MongoDB:
I don’t know how to use it:
But that’s never stopped me before:
Hello!
Privesc
I have never done one of these before. The tar wildcard privesc doesn’t work on an extract, and it’s LD_PRELOAD we want.
This was fun :)