6.1 KiB
HackTheBox-Faculty
NMAP
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.5 (Ubuntu Linux; protocol 2.0)
80/tcp open http nginx 1.18.0 (Ubuntu)
| http-methods:
|_ Supported Methods: HEAD POST OPTIONS
|_http-server-header: nginx/1.18.0 (Ubuntu)
|_http-title: Did not follow redirect to http://faculty.htb
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
PORT 80 (HTTP)
Visting port 80 it reidrects to faculty.htb
, so adding that in hosts file
I tried with a random ID number but it failed
On trying a sqli to bypass login it worked
I intercepted the request with burp to run sqlmap on the parameter to dump database
But the issues it, it's time-based blind sqli so it;s going to take a lot of time in dumping data, in the meantime I ran gobuster
to fuzz for files and directories which found /admin
After bypassing login, we can just visit /admin to access the admin dashboard
From the Course List
we have an option to download the course list in pdf format
On intercepting the request we see base64 content in the pdf
POST parameter
Using cyberchef we can see that data is first being double URL encoded then base64 encoded and then generated into pdf format and it's just html data being converted
From the url it seems that it uses mpdf
which is a php library for generating pdfs, and from googling it seems that it's vulnerable to remote code execution but that requires a crafted image with php deserlization to be uploaded on the server
https://github.com/mpdf/mpdf/issues/949
There was LFI (Local File Inclusion) through mpdf
https://github.com/mpdf/mpdf/issues/356
This was found by Jonathan Bouman
https://medium.com/@jonathanbouman/local-file-inclusion-at-ikea-com-e695ed64d82f
So our payload will look like this
<annotation file="/etc/passwd" content="/etc/passwd" icon="Graph" title="Attached File: /etc/passwd" pos-x="195"/>
Even tho the page looks empty but on clicking on the attachment it shows the passwd
file
From the passwd file we can see two users, developer
and gbyolo
I tried to read ssh keys of the users if they were readable and were there
Foothold (gbyolo)
Which failed, going back to login page, we can see the error message through sqli which reveals the full path of the php file
Placing the encoded content in the POST parameter again we'll get admin_class.php
We can see it's including db_connect.php
file which might be having credentials to database
Using the password Co.met06aci.dly53ro.per
we can login through ssh as gbyolo
user
Privilege Escalation (developer)
We can see a message on login You have mail
, on checking /var/mail/gbyolo
it tells that we can manage git repositories belonging to faculty
group
Doing sudo -l
we can run meta-git
as developer
user
I didn't find any files owned by faculty group but meta-git itself was vulnerable to remote code execution
https://hackerone.com/reports/728040
It doesn't sanitize user input so we can execute arbitary commands
This user is in debug
group and checking what files or folders does this group have access it to reveals that it can run gdb
binary
Privilege Escalation (root)
Checking the capbilites on this system it seems that gdb has cap_sys_ptrace
through which we can inject commands into the process
We need to fiind the process id (pid) of processes running as root user
I first tried attaching the process of id of cron job 908
But this didn't worked, next I looked for another root owned process which was running python3 with process id 730
Attaching it to a python3 process makes it possible to execute system calls and we can execute arbitary commands, all that is left is to get a reverse shell
References
- https://security.snyk.io/vuln/SNYK-PHP-MPDFMPDF-73647
- https://github.com/mpdf/mpdf/issues/949
- https://github.com/mpdf/mpdf/issues/356
- https://www.youtube.com/watch?v=tbjtfGvym4M&ab_channel=byq
- https://medium.com/@jonathanbouman/local-file-inclusion-at-ikea-com-e695ed64d82f
- https://hackerone.com/reports/728040
- https://book.hacktricks.xyz/linux-hardening/privilege-escalation
- https://book.hacktricks.xyz/linux-hardening/privilege-escalation/linux-capabilities#example-with-binary-1