Publisher — TryHackMe writeup

GrimTheRipper
4 min read · Nov 16, 2024


By NF

  • Difficulty: Easy
  • Platform: Linux

Objectives:

Flag 1: What is the user flag?

Flag 2: What is the root flag?

Reconnaissance (recon) is the first phase in the penetration testing or hacking process.

Use Nmap: nmap -sCV -Pn {target-IP}

Opening http://{target-IP} in the web browser, we get a static page about SPIP CMS.

Scanning for directories with gobuster, we discover the /spip endpoint.

We found many more subdirectories like the one below. I went through them one by one.

At http://{target-IP}/spip, we found the installation data for SPIP CMS.

Checking the version, we found that SPIP CMS 4.2.0 is installed.

Searching for vulnerabilities in SPIP CMS 4.2.0, we found CVE-2023-27372, a remote code execution vulnerability.

You can find a PoC here: https://github.com/nuts7/CVE-2023-27372

Since the PoC code already uses quotation marks in the payload, we base64-encode our reverse shell payload to avoid dealing with escaping issues.

Running the PoC with our payload, we received a shell as the www-data user.
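The base64 trick above works because a filter that only looks at the raw form value sees no quotes or shell metacharacters. As an added defensive example (not part of the original write-up or of the nuts7 PoC), the following Python inspector decodes base64 runs inside submitted form fields before matching, and also flags PHP open tags and PHP-serialized data arriving in a public form. The field names, the sample requests and the demo command `/bin/sh -c id` are constructed for the example; the token lists are illustrative heuristics, not a signature for any particular CVE.

```python
import base64
import re

# Generic indicators of code or serialized PHP data arriving in a public form
# field. Illustrative heuristics only, not a signature for one CVE.
PHP_OPEN_TAG = re.compile(r"<\?php|<\?=", re.IGNORECASE)
PHP_SERIALIZED = re.compile(r'\b[sOa]:\d+:[{"]')
# Tokens that suggest a shell command inside decoded data.
SHELL_TOKENS = ("bash -i", "/bin/sh", "/bin/bash", "/dev/tcp/", "mkfifo", "nc -e")
# Runs of base64 alphabet long enough to hide a command (padding optional).
BASE64_RUN = re.compile(r"[A-Za-z0-9+/]{16,}={0,2}")


def decode_base64_runs(value):
    """Return the text of every base64 run in value that decodes to valid UTF-8."""
    decoded = []
    for run in BASE64_RUN.findall(value):
        padded = run + "=" * (-len(run) % 4)
        try:
            decoded.append(base64.b64decode(padded, validate=True).decode("utf-8"))
        except (ValueError, UnicodeDecodeError):
            continue  # not really base64, or binary garbage: ignore
    return decoded


def inspect_field(name, value):
    """Return findings for one form field; an empty list means nothing suspicious."""
    findings = []
    if PHP_OPEN_TAG.search(value):
        findings.append(f"{name}: PHP open tag in form field")
    if PHP_SERIALIZED.search(value):
        findings.append(f"{name}: PHP-serialized data in form field")
    # Decode before matching: a base64-wrapped command contains no quotes or
    # shell metacharacters, so a filter that only reads the raw value misses it.
    for text in decode_base64_runs(value):
        if any(token in text for token in SHELL_TOKENS):
            findings.append(f"{name}: base64 run decodes to a shell command")
            break
    return findings


def inspect_form(fields):
    """Run inspect_field over every field of a submitted form."""
    findings = []
    for name, value in fields.items():
        findings.extend(inspect_field(name, value))
    return findings


# Constructed sample requests (not captured traffic).
BENIGN_REQUEST = {"email": "user@example.org", "message": "Please send me a new password."}
ENCODED_COMMAND = base64.b64encode(b"/bin/sh -c id").decode()  # harmless demo command
SUSPICIOUS_REQUEST = {"email": "<?php echo 1; ?>", "message": "note " + ENCODED_COMMAND}

if __name__ == "__main__":
    print(inspect_form(BENIGN_REQUEST))
    for finding in inspect_form(SUSPICIOUS_REQUEST):
        print(finding)
```

In a real deployment this kind of check belongs in a WAF rule or an application-level input filter in front of the form handler; the point it demonstrates is that any such filter must normalise and decode the value first, otherwise encoding alone gets past it.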

Access to the target was achieved with www-data user privileges.

We found the answer to the first question.

We also noticed the presence of the .ssh directory inside /home/think.

Copy the id_rsa key, change its permissions, and use it to log in over the SSH service as the think user:

chmod 400 id_rsa
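The lateral move from www-data to think was only possible because another user's private key was readable from a low-privileged account. As an added defensive example (not from the original write-up), here is a small Python audit that walks the home directories under a given root and reports `.ssh` directories and private key files that grant any access to group or other, or that are not owned by the home directory's owner. The `run_demo` fixture builds a constructed two-user tree in a temporary directory; the user names and the placeholder key contents are made up for the example.

```python
import os
import shutil
import stat
import tempfile
from pathlib import Path

# Default private key file names created by ssh-keygen.
PRIVATE_KEY_NAMES = {"id_rsa", "id_ed25519", "id_ecdsa", "id_dsa"}
GROUP_OR_OTHER = stat.S_IRWXG | stat.S_IRWXO


def permission_issues(path, expected_owner_uid, expected_mode):
    """Problems with a file or directory that should be owner-only and owned by the user."""
    st = path.lstat()
    mode = stat.S_IMODE(st.st_mode)
    issues = []
    if stat.S_ISLNK(st.st_mode):
        issues.append("is a symlink")
    if mode & GROUP_OR_OTHER:
        issues.append(f"mode {mode:04o} grants access to group/other (expected {expected_mode})")
    if st.st_uid != expected_owner_uid:
        issues.append(f"owned by uid {st.st_uid}, not the home directory owner")
    return issues


def audit_home(home_root):
    """Walk <home_root>/<user>/.ssh and report keys and .ssh dirs that others can reach.

    Results are keyed by path relative to home_root so they are stable across hosts.
    """
    root = Path(home_root)
    findings = {}
    for user_dir in sorted(p for p in root.iterdir() if p.is_dir()):
        ssh_dir = user_dir / ".ssh"
        if not ssh_dir.is_dir():
            continue
        owner = user_dir.stat().st_uid
        issues = permission_issues(ssh_dir, owner, "0700")
        if issues:
            findings[str(ssh_dir.relative_to(root))] = issues
        for entry in sorted(ssh_dir.iterdir()):
            if entry.name in PRIVATE_KEY_NAMES:
                issues = permission_issues(entry, owner, "0600")
                if issues:
                    findings[str(entry.relative_to(root))] = issues
    return findings


def build_demo_home(base):
    """Constructed fixture: one user with a locked-down key, one with a readable key."""
    for user, dir_mode, key_mode in (("alice", 0o700, 0o600), ("think", 0o755, 0o644)):
        ssh_dir = Path(base) / user / ".ssh"
        ssh_dir.mkdir(parents=True)
        key = ssh_dir / "id_rsa"
        key.write_text("PLACEHOLDER PRIVATE KEY (constructed, not a real key)\n")
        os.chmod(key, key_mode)
        os.chmod(ssh_dir, dir_mode)


def run_demo():
    """Build the fixture in a temp dir, audit it, clean up, return the findings."""
    base = tempfile.mkdtemp(prefix="ssh-audit-demo-")
    try:
        build_demo_home(base)
        return audit_home(base)
    finally:
        shutil.rmtree(base)


if __name__ == "__main__":
    for path, issues in run_demo().items():
        print(path, "->", "; ".join(issues))
```

Run it against /home from a scheduled job and alert on any non-empty result; sshd refuses keys it considers too open on the client side, but nothing on the server stops another local user from reading a 0644 key.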

Looking for any binaries with a SUID bit set, we find /usr/sbin/run_container.

When I examined its contents with the strings command, I saw a reference to a bash script, /opt/run_container.sh, which means that this script is executed by the binary.

When I tried to inspect the files in /opt, I got permission denied. What was the reason for this?

I reviewed the AppArmor policy files to see which directories are restricted and what permissions are applied.

  • Reading the /opt/ directory is blocked.
  • Writing to everything under /opt (/opt/**) is blocked.
  • But here we are still allowed to write under the /var/tmp directory, because the blocking should have been done on /var/tmp/**.

We can bypass AppArmor and spawn an unconfined shell using the shebang bypass described at https://book.hacktricks.xyz/linux-hardening/privilege-escalation/docker-security/apparmor#apparmor-shebang-bypass

We just need to modify it to write to /dev/shm instead of /tmp, since the deny /tmp/** w rule prevents us from writing to /tmp.
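The policy gap described in the two passages above (writes under /opt and /tmp are denied, but /var/tmp and /dev/shm are not) is the kind of thing a profile linter can catch before an attacker does. As an added example (not from the write-up, and the profile text below is a constructed stand-in, not the machine's real policy), this Python script parses the file rules of an AppArmor profile and lists the world-writable scratch directories that have no deny-write rule covering their whole subtree, then shows the same profile with the missing rules added. The profile name `/usr/sbin/run_container` and the script path come from the write-up; everything else in the profiles is assumed.

```python
import re

# Constructed example profile in the style the write-up describes: a denylist
# that blocks reads of /opt and writes under /opt and /tmp, and says nothing
# about the other scratch locations every local user can write to.
WEAK_PROFILE = """
/usr/sbin/run_container {
  #include <abstractions/base>

  deny /opt/ r,
  deny /opt/** w,
  deny /tmp/** w,

  /opt/run_container.sh ix,
}
"""

# Same profile with the remaining scratch directories covered as well.
FIXED_PROFILE = """
/usr/sbin/run_container {
  #include <abstractions/base>

  deny /opt/ r,
  deny /opt/** w,
  deny /tmp/** w,
  deny /var/tmp/** w,
  deny /dev/shm/** w,

  /opt/run_container.sh ix,
}
"""

# Directories that are writable by every local user on a typical Linux system.
SCRATCH_DIRS = ("/tmp", "/var/tmp", "/dev/shm")

# One AppArmor file rule: optional "deny", an absolute path or glob, a permission
# string (r, w, ix, mr, ...) and the trailing comma. Comments and braces do not match.
RULE = re.compile(r"^\s*(?P<deny>deny\s+)?(?P<path>/\S*)\s+(?P<perms>[a-zA-Z]+)\s*,\s*$")


def parse_rules(profile_text):
    """Return (path_glob, perms, is_deny) for every file rule in a profile."""
    rules = []
    for line in profile_text.splitlines():
        m = RULE.match(line)
        if m:
            rules.append((m.group("path"), m.group("perms"), m.group("deny") is not None))
    return rules


def glob_covers_subtree(glob, directory):
    """True if the glob denies everything below directory ('/**' matches any depth)."""
    return glob == "/**" or glob == f"{directory}/**"


def uncovered_scratch_dirs(profile_text):
    """Scratch directories with no deny-write rule covering their whole subtree."""
    deny_write_globs = [path for path, perms, is_deny in parse_rules(profile_text)
                        if is_deny and "w" in perms]
    return [d for d in SCRATCH_DIRS
            if not any(glob_covers_subtree(g, d) for g in deny_write_globs)]


if __name__ == "__main__":
    print("weak profile leaves writable:", uncovered_scratch_dirs(WEAK_PROFILE))
    print("fixed profile leaves writable:", uncovered_scratch_dirs(FIXED_PROFILE))
```

The linter only finds the specific hole this box exploited. A denylist can never enumerate every location a user can write to, so the durable fix is on the other side: /opt/run_container.sh must be root-owned and not writable by anyone else, and a SUID wrapper should not execute a script from a path it does not control.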

With this shell, we are able to write to the /opt/run_container.sh file.

Now, running /usr/sbin/run_container, which in turn runs the /opt/run_container.sh script, we can see the changed permissions on /bin/bash.

Finally, by running /bin/bash -p, we obtain a root shell and can read the root flag.
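Both the root cause (a SUID binary that executes a script a user can rewrite) and the artifact left behind (a SUID bit on /bin/bash) are things a periodic audit can report. As an added defensive example (not from the write-up), this Python script enumerates SUID files below a root, flags any shell or interpreter carrying the bit, and, like the strings check above, pulls absolute paths out of each SUID binary and reports referenced files that are writable by group or other. The `run_demo` fixture builds a constructed tree in a temporary directory with stand-in files named after the ones in the write-up; they are not real binaries and the layout is assumed.

```python
import os
import re
import shutil
import stat
import tempfile
from pathlib import Path

# Shells and interpreters that should never carry a SUID bit: a SUID shell is the
# classic persistence artifact (bash -p keeps the elevated privileges).
INTERPRETERS = {"bash", "sh", "dash", "zsh", "python", "python3", "perl", "php"}
# Printable absolute paths embedded in a binary, the same thing strings would show.
ABS_PATH = re.compile(rb"/(?:[A-Za-z0-9_.-]+/)+[A-Za-z0-9_.-]+")
GROUP_OR_OTHER_WRITE = stat.S_IWGRP | stat.S_IWOTH


def is_suid(path):
    try:
        st = path.lstat()
    except OSError:
        return False
    return stat.S_ISREG(st.st_mode) and bool(st.st_mode & stat.S_ISUID)


def find_suid_files(root):
    """Every regular file below root with the SUID bit set (what find -perm -4000 lists)."""
    found = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            p = Path(dirpath) / name
            if is_suid(p):
                found.append(p)
    return sorted(found)


def referenced_paths(binary):
    """Absolute paths embedded as strings in a binary (helpers or scripts it may execute)."""
    return sorted({m.group(0).decode() for m in ABS_PATH.finditer(binary.read_bytes())})


def writable_by_group_or_other(path):
    try:
        st = path.stat()
    except OSError:
        return False
    return bool(stat.S_IMODE(st.st_mode) & GROUP_OR_OTHER_WRITE)


def audit_suid(root):
    """Return (path relative to root, reason) findings for SUID files below root."""
    root = Path(root)
    findings = []
    for binary in find_suid_files(root):
        rel = str(binary.relative_to(root))
        if binary.name in INTERPRETERS:
            findings.append((rel, "shell or interpreter with SUID bit set"))
        for ref in referenced_paths(binary):
            target = Path(ref)
            if target.is_file() and writable_by_group_or_other(target):
                findings.append((rel, f"references {ref}, which is writable by group/other"))
    return findings


def build_demo_tree(base):
    """Constructed fixture mirroring the write-up: a SUID wrapper whose script is
    writable, a SUID copy of bash, and one normal binary. Contents are stand-ins."""
    base = Path(base)
    (base / "bin").mkdir()
    (base / "opt").mkdir()
    script = base / "opt" / "run_container.sh"
    script.write_text("#!/bin/bash\n# placeholder script\n")
    os.chmod(script, 0o666)            # the weakness: anyone can edit what root runs
    wrapper = base / "bin" / "run_container"
    wrapper.write_bytes(b"FAKE-ELF\x00" + str(script).encode() + b"\x00")
    os.chmod(wrapper, 0o4755)          # SUID wrapper that runs the script
    shell = base / "bin" / "bash"
    shell.write_bytes(b"FAKE-ELF\x00")
    os.chmod(shell, 0o4755)            # post-exploitation artifact: SUID shell
    helper = base / "bin" / "helper"
    helper.write_bytes(b"FAKE-ELF\x00")
    os.chmod(helper, 0o755)            # ordinary binary, must not be reported


def run_demo():
    """Build the fixture in a temp dir, audit it, clean up, return the findings."""
    base = tempfile.mkdtemp(prefix="suid-audit-demo-")
    try:
        build_demo_tree(base)
        return audit_suid(base)
    finally:
        shutil.rmtree(base)


if __name__ == "__main__":
    for rel, reason in run_demo():
        print(rel, "->", reason)
```

On a real host, run `audit_suid("/")` from a privileged scheduled job and diff the output against a known-good baseline; a new SUID interpreter or a newly writable referenced script is worth an alert on its own.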

Thank you sincerely for taking the time to read and show interest in my write-up. I am very pleased that the effort and thought put into this work have garnered your attention. Your feedback and comments are important to me and help me improve both myself and the work I do. Thank you again for your support and interest.
