6.9 KiB
HackTheBox-BountyHunter
NMAP
PORT STATE SERVICE REASON VERSION
22/tcp open ssh syn-ack ttl 63 OpenSSH 8.2p1 Ubuntu 4ubuntu0.2 (Ubuntu Linux; protocol 2.0)
80/tcp open http syn-ack ttl 63 Apache httpd 2.4.41 ((Ubuntu))
|_http-favicon: Unknown favicon MD5: 556F31ACD686989B1AFCF382C05846AA
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: Apache/2.4.41 (Ubuntu)
|_http-title: Bounty Hunters
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
PORT 80 (HTTP)
We can see this is just an html being used on the webserver , going to portal it says that it's under development
Which takes us to Bounty reporting system
But when we submit details to the reporting system it just doesn't get saved
So here let's try to run gobuster and fuzz for files and directories
We can't visit /assets as it's forbidden for us
Checking the /resources folder we do see some files
From README.txt it seems that reporting system isn't connected to database also it says about disabling the test account maybe we can login somewhere but for now I don't think there's a login page.
Moving on and checking the the bountylog.js we can see a url which points to tracker_diRbPr00f314.php
So let's use burp suite and try intercepting that reporting system to see if it's actually sending data somewhere
This is making a POST request to that page and sending the data as base64 encoded
So this means here we need to do what is called XXE(XML Xternal Entity), what XXE basically allows us to read local files like /etc/passwd and sensitive files like php file's source code that the browser doesn't reveal we can steal some information that can be either passwords or some sensitive data . An application that parses XML input . we can add a variable which is called Entity that we define inside a DTD which is Document Type Definiation which looks like this
<!DOCTYPE arz [Entity] >
The DOCTYPE declaration is where we declare elements, attributes, entities, and notations.
So in DTD we define an entity
<!ENTITY arz SYSTEM "file:///etc/passwd">
This is an external Entity as we are accessing something which isn't declared in the current xml and they are defined with SYSTEM keyword
If we combine this together it will look like this
<!DOCTYPE test [<!ENTITY arz SYSTEM "file:///etc/passwd"> ]>
Now in this scenario our xml input looks like this
<?xml version="1.0" encoding="ISO-8859-1"?>
<bugreport>
<title>SQLI</title>
<cwe>IDK</cwe>
<cvss>4.4</cvss>
<reward>99</reward>
</bugreport>
Including our XXE payload
<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE test [<!ENTITY arz SYSTEM "file:///etc/passwd"> ]>
<bugreport>
<title>&arz;</title>
<cwe>IDK</cwe>
<cvss>4.4</cvss>
<reward>99</reward>
</bugreport>
Notice that <title>&arz;</title> this is the variable or the entity that we defined and we are calling that in title , so let's base64 encoded it and convert it to url encoding so it can be parsed
And we have performed XXE and are successful in reading the /etc/password file means that we can access that db.php as well by using a php filter php://filter/convert.base64-encode/resource=index.php that converts the php page to base64 text form as php won't be able to parse base64 encoded text so it will output that page in base64 that we can decode it and see the whole source code
<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE replace [<!ENTITY example SYSTEM "php://filter/convert.base64-encode/resource=db.php"> ]>
<bugreport>
<title>&example;</title>
<cwe>IDK</cwe>
<cvss>4.4</cvss>
<reward>99</reward>
</bugreport>
From /etc/passwd the only user that has a command shell bash is only development user so we can try this password through ssh
On doing sudo -l we can see that we are allowed to run a python script as root
So to break down that python script it's going to first ask for the path of the markdown file .md file
And it's going to run load_file function
This function will check if the file is ending with markdown extension or not if ti is it's going to open that file and read it , then it's going to return the contents of the file to evaluate function
The first part of this code will check if that markdown file starts with # Skytrain Inc if not it's going to return false and the program will end else it will continue
The scond part would check if the second line contains ## Ticket to if not it's going to return false and will end the program else that will continue
The third will check if the next line of markdown starts with __Ticket Code:__ or not and will do the same as previously
The fourth part of this function is important as it will only evaluate the file if those asteriks contain a number that on dividing with 7 it's remainder must be 4 also the number we have in those asteriks must be greate than 100
Here this is going to split the txt on + that will make a list and it's going to take the first argument of that list
Now this part is where we can do code injection
So first let's make our markdown file
# Skytrain Inc
## Ticket to
__Ticket Code:__
**102**+__import__('os').system('whoami')
We have 102 which on dividing with 7 will give us the remainder 4 and after that we added + and then importing os module to run the shell command whoami
So that eval function will have the value 102+__import__('os').system('whoami') and during runtime it's going to import os module in python script and execute the command
So we can just replace whoami with bash reverse shell
References
https://research.cs.wisc.edu/mist/SoftwareSecurityCourse/Chapters/3_8_3-Code-Injections.pdf