# mKingdom Writeup: Tryhackme

### Box Summary

The mKingdom room was an easy rated machine created by [uartao](https://tryhackme.com/p/uartuo). The machine involved around finding a concrete cms instance where we get in as admin and then get foothold as www-data using a webshell. and then privilege escalation to another user and then root.

### Enumeration

As Always started enumerating the box with nmap for open ports and found just one open port - 85.

port 85 was a webapp with a default banner, using ffuf with common.txt, we find the /app endpoint where a concrete5 cms instance is hosted.

From the footer we see the login link, trying default credentials such as admin:admin, admin:password, we find that **admin:password** is the right credential and get in as admin.

from the files endpoint (from right navbox) we can upload files to the instance. but only images are allowed. This can either be bypassed easily or we can go to **System & Settings &gt; Allowed Filetypes** and add the '**php**' extension.

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1718624816097/5b42f627-3e78-4ad8-85cf-7b8b5f4aed10.png align="center")

GO back to **Files**, I will be uploading a php reverse shell, from [here](https://raw.githubusercontent.com/pentestmonkey/php-reverse-shell/master/php-reverse-shell.php). Make sure you change the `$ip` and `$port` variables to your IP and listening port.

Upload the reverse shell using the upload file feature.

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1718625010620/0e7116f0-82c3-4f62-9498-8dcd37900d33.png align="center")

Start a netcat listener on the port you specified in the reverse shell:

`nc -lvnp <port>`

Use the File Link to access it.

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1718625051807/fbadcd90-4ae1-482b-a785-0cb7a2c68c5b.png align="center")

And if we get a shell as www-data.

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1718625162631/7e832f62-c03e-45a8-9b04-af8f0ed21f09.png align="center")

### Privilege Escalation (to Toad):

Now as www-data, we need to find a way to escalate to toad user. checking the web directory in `/var/www/html/app/castle/application/config` we find the database.php file. which contains the password for mysql for the toad user.

Now Instead of checking mysql (I checked it later, nothing useful there) The password is being reused by toad user. and we get in as toad.

### Privilege Escalation (to Mario):

I spent some time in this, although it was something really easy. Checking environment variables (`env`) we find a base64 encoded value in PWD\_token variable.

The Solution was that the decoded PWD\_Token is the password for mario user. But I felt like it was too guessy and i was lucky to try and find this. This part could've been a lot better.

We get in as Mario user with the decoded password.

### Privilege Escalation (to Root):

Checking the sudo permissions with the command `sudo -l`, we can find that we can run /usr/bin/id as root. we cannot spawn a shell or anything with id, but interestingly we have the `pwfeedback` variable enabled in sudo. This seemed like the obvious thing to exploit and become root, but i could not exploit it.

I ran pspy64 to check for running cronjobs by root in the background. and found a job:

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1718626084939/c186c75b-feff-4e26-a22d-76b07fcfcfa0.png align="center")

Root is running a cronjob that makes a curl request to download counter.sh file from mkingdom.thm:85/ and then execute that to store its output in a log.

The first thing i thought of was, if we can write to hosts file (/etc/hosts) and then change the mkingom.thm ip address to ours, we can control what counter.sh is.

So I checked and Hosts file was indeed part of mario's group, that means we can write to it.

Edited the hosts file to change the localhost (127.0.0.1) to my IP address.

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1718626516927/34a7e450-5791-4672-bd7a-8b300aee8271.png align="center")

and started a webserver in port 85 with the directory structure of the curl request url.

**Counter.sh:**

```bash
#!/bin/bash

cp /bin/bash /tmp/rootbash

# set suid bit
chmod +s /tmp/rootbash
```

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1718626621564/98638bda-3a26-4cfc-b539-ea776ccf3687.png align="center")

Make sure you start the webserver from the same directory as the counter.sh file. (The above image is not, and its wrong)

Now after a few seconds, i get a request from the box for counter.sh and it executes the counter.sh, in /tmp the rootbash binary was present.

**Get root shell:**

```bash
/tmp/rootbash -p 
```

Got a shell as **root!**
