From fc76c1ceb1c298423a896e75342fefa9157e51bc Mon Sep 17 00:00:00 2001 From: ARZ <60057481+AbdullahRizwan101@users.noreply.github.com> Date: Sat, 22 Oct 2022 18:25:33 +0300 Subject: [PATCH] Create Faculty.md --- HackTheBox/Faculty.md | 186 ++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 186 insertions(+) create mode 100644 HackTheBox/Faculty.md diff --git a/HackTheBox/Faculty.md b/HackTheBox/Faculty.md new file mode 100644 index 0000000..8f65fcb --- /dev/null +++ b/HackTheBox/Faculty.md 
@@ -0,0 +1,186 @@ +# HackTheBox-Faculty + +## NMAP + +```bash +PORT STATE SERVICE VERSION +22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.5 (Ubuntu Linux; protocol 2.0) +80/tcp open http nginx 1.18.0 (Ubuntu) +| http-methods: +|_ Supported Methods: HEAD POST OPTIONS +|_http-server-header: nginx/1.18.0 (Ubuntu) +|_http-title: Did not follow redirect to http://faculty.htb +Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel +``` + +## PORT 80 (HTTP) + +Visting port 80 it reidrects to `faculty.htb`, so adding that in hosts file + + + + + +I tried with a random ID number but it failed + + + +On trying a sqli to bypass login it worked + + + + + + I intercepted the request with burp to run sqlmap on the parameter to dump database + + + + But the issues it, it's time-based blind sqli so it;s going to take a lot of time in dumping data, in the meantime I ran `gobuster` to fuzz for files and directories which found `/admin` + + + + After bypassing login, we can just visit /admin to access the admin dashboard + + + + From the `Course List` we have an option to download the course list in pdf format + + + + + + On intercepting the request we see base64 content in the `pdf` POST parameter + + + + + +Using cyberchef we can see that data is first being double URL encoded then base64 encoded and then generated into pdf format and it's just html data being converted + +From the url it seems that it uses `mpdf` which is a php library for generating pdfs, and from googling it seems that it's vulnerable to remote code execution but that requires a crafted image with php deserlization to be uploaded on the server + +https://github.com/mpdf/mpdf/issues/949 + +There was LFI (Local File Inclusion) through mpdf + +https://github.com/mpdf/mpdf/issues/356 + +This was found by Jonathan Bouman + +https://medium.com/@jonathanbouman/local-file-inclusion-at-ikea-com-e695ed64d82f + +So our payload will look like this + +```bash + +``` + + + + + + + +Even tho the page looks empty but on 
clicking on the attachment it shows the `passwd` file + + + + + +From the passwd file we can see two users, `developer` and `gbyolo` + + + +I tried to read ssh keys of the users if they were readable and were there + + + + + +## Foothold (gbyolo) + +Which failed, going back to login page, we can see the error message through sqli which reveals the full path of the php file + + + + + +Placing the encoded content in the POST parameter again we'll get `admin_class.php` + + + +We can see it's including `db_connect.php` file which might be having credentials to database + + + + + + + + + +Using the password `Co.met06aci.dly53ro.per` we can login through ssh as `gbyolo` user + + + +## Privilege Escalation (developer) + + +We can see a message on login `You have mail` , on checking `/var/mail/gbyolo` it tells that we can manage git repositories belonging to `faculty` group + + + +Doing `sudo -l` we can run `meta-git` as `developer` user + + + +I didn't find any files owned by faculty group but meta-git itself was vulnerable to remote code execution + +https://hackerone.com/reports/728040 + +It doesn't sanitize user input so we can execute arbitary commands + + + +This user is in `debug` group and checking what files or folders does this group have access it to reveals that it can run `gdb` binary + + + +## Privilege Escalation (root) +Checking the capbilites on this system it seems that gdb has `cap_sys_ptrace` through which we can inject commands into the process + +https://book.hacktricks.xyz/linux-hardening/privilege-escalation/linux-capabilities#example-with-binary-1 + + + +We need to fiind the process id (pid) of processes running as root user + + + +I first tried attaching the process of id of cron job ` 908` + + + + + +But this didn't worked, next I looked for another root owned process which was running python3 with process id `730` + + + + + +Attaching it to a python3 process makes it possible to execute system calls and we can execute arbitary commands, all that 
is left is to get a reverse shell + + + + +## References + +- https://security.snyk.io/vuln/SNYK-PHP-MPDFMPDF-73647 +- https://github.com/mpdf/mpdf/issues/949 +- https://github.com/mpdf/mpdf/issues/356 +- https://www.youtube.com/watch?v=tbjtfGvym4M&ab_channel=byq +- https://medium.com/@jonathanbouman/local-file-inclusion-at-ikea-com-e695ed64d82f +- https://hackerone.com/reports/728040 +- https://book.hacktricks.xyz/linux-hardening/privilege-escalation +- https://book.hacktricks.xyz/linux-hardening/privilege-escalation/linux-capabilities#example-with-binary-1
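Review bot: The fenced block under "So our payload will look like this" in the mpdf LFI section is empty, so the sentence points at nothing and the reader cannot follow what was sent; either restore the omitted content or reword the sentence to defer to the linked mpdf issues and the Jonathan Bouman write-up. The same hunk has long runs of blank lines where screenshots evidently sat (after "adding that in hosts file", after "it shows the `passwd` file", after "`db_connect.php` file which might be having credentials to database"), so the image references were lost on commit; add them back or collapse the whitespace. The NMAP block is tagged `bash` although it is scanner output, and the file should get a spelling pass before merge: "Visting", "reidrects", "it;s", "deserlization", "fiind", "capbilites", "arbitary", "Even tho", and "this didn't worked". Finally, the prose says the meta-git sudo rule and the `cap_sys_ptrace` capability on `gdb` are the two escalation steps but never states why each matters from a hardening view; one line per step (sudo rules on tools that shell out to `git`; file capabilities on a debugger readable by the `debug` group) would make the write-up useful beyond the box.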