Gobox - HackTheBox
I started with an Nmap scan for open ports.
┌──(root💀kali)-[/home/kali/HTB/Gobux]
└─# nmap -sS --min-rate=5000 -n -vvv --open -Pn 10.10.11.113 -oG allPorts
Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times will be slower.
Starting Nmap 7.91 ( https://nmap.org ) at 2021-09-01 10:33 EDT
Happy 24th Birthday to Nmap, may it live to be 124!
Initiating SYN Stealth Scan at 10:33
Scanning 10.10.11.113 [1000 ports]
Discovered open port 8080/tcp on 10.10.11.113
Discovered open port 22/tcp on 10.10.11.113
Discovered open port 80/tcp on 10.10.11.113
Completed SYN Stealth Scan at 10:33, 0.37s elapsed (1000 total ports)
Nmap scan report for 10.10.11.113
Host is up, received user-set (0.047s latency).
Scanned at 2021-09-01 10:33:20 EDT for 1s
Not shown: 994 closed ports, 3 filtered ports
Reason: 994 resets and 3 no-responses
Some closed ports may be reported as filtered due to --defeat-rst-ratelimit
PORT STATE SERVICE REASON
22/tcp open ssh syn-ack ttl 63
80/tcp open http syn-ack ttl 63
8080/tcp open http-proxy syn-ack ttl 63
Read data files from: /usr/bin/../share/nmap
Nmap done: 1 IP address (1 host up) scanned in 0.48 seconds
Raw packets sent: 1003 (44.132KB) | Rcvd: 997 (39.892KB)
I did another scan to find out the version of each open port found.
┌──(root💀kali)-[/home/kali/HTB/Gobux]
└─# nmap -sC -sV -p22,80,8080 10.10.11.113 -oN targeted
Starting Nmap 7.91 ( https://nmap.org ) at 2021-09-01 10:33 EDT
Nmap scan report for 10.10.11.113
Host is up (0.066s latency).
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 3072 d8:f5:ef:d2:d3:f9:8d:ad:c6:cf:24:85:94:26:ef:7a (RSA)
| 256 46:3d:6b:cb:a8:19:eb:6a:d0:68:86:94:86:73:e1:72 (ECDSA)
|_ 256 70:32:d7:e3:77:c1:4a:cf:47:2a:de:e5:08:7a:f8:7a (ED25519)
80/tcp open http nginx
|_http-title: Hacking eSports |
8080/tcp open http nginx
|_http-title: Hacking eSports | Home page
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 11.36 seconds
There were two web servers; the one running on port 80 had the following.

Apparently there was nothing interesting there; on the second one (port 8080) I found something different.

There were two input fields (a login form) but I had no credentials. I tested them for SQL injection with no luck; the form insisted on a valid email address.

There was a button called “Forgot Password”; clicking it took me to another input field.

I sent a GET request and the response headers showed that the web server was written in Go, which caught my attention.

I also tried SQLi on this field, still with no luck.

I made up an email address and submitted it; the page reported that the mail had been sent.

I wanted to intercept the request to see what was happening behind the scenes, so I used Burp.

Knowing that the server was written in Go, I went back to the nmap output: the title it reported for port 80 was “Hacking eSports |”, with nothing after the separator, which looks like a template value that was never rendered and hints at a template-related vulnerability.

I looked into whether a Go web server could be vulnerable to SSTI (server-side template injection) and found the following.

A simple probe payload, “ ”, was enough to identify and confirm the vulnerability; I immediately tried it in the email field and it returned the following.

It was indeed vulnerable: the response contained, in plain text, credentials that looked like they belonged to the login form at the start. I entered them and was redirected to a page showing source code.
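To make the bug class concrete, here is an added Go example (not code from the box or from this writeup) that reproduces the pattern behind a Go SSTI: user input is concatenated into the template source and then parsed, so template actions in the input are executed against the data context. The type `resetContext`, the functions `renderVulnerable`/`renderSafe`, and the credential values are all constructed for illustration. `renderSafe` shows the fix: keep the template source static and pass the input as data, so the same probe comes back as literal text.

```go
package main

import (
	"bytes"
	"fmt"
	"html/template"
)

// resetContext is a constructed stand-in for the data a "forgot password"
// handler might hand to its template. On the page, this context is what
// leaked credentials; the values below are placeholders, not real data.
type resetContext struct {
	Email    string
	Username string
	Password string
}

var sample = resetContext{Username: "demo-user", Password: "demo-pass"}

// renderVulnerable mirrors the bug: the attacker-controlled email is spliced
// INTO the template source before Parse, so actions such as {{.}} or
// {{.Password}} are interpreted and dump the data context. Using html/template
// instead of text/template does not help here; escaping applies to data, not
// to template source.
func renderVulnerable(email string) (string, error) {
	src := "Email sent to " + email
	tmpl, err := template.New("reset").Parse(src)
	if err != nil {
		return "", err // a malformed probe like a lone "{{" fails to parse
	}
	ctx := sample
	ctx.Email = email
	var buf bytes.Buffer
	if err := tmpl.Execute(&buf, ctx); err != nil {
		return "", err
	}
	return buf.String(), nil
}

// safeTmpl is parsed once from a constant; the only thing the user controls
// is the value substituted for {{.Email}}.
var safeTmpl = template.Must(template.New("reset").Parse("Email sent to {{.Email}}"))

// renderSafe passes the email as data. Template syntax in the input is now
// inert text, and html/template additionally escapes HTML metacharacters.
func renderSafe(email string) (string, error) {
	ctx := sample
	ctx.Email = email
	var buf bytes.Buffer
	if err := safeTmpl.Execute(&buf, ctx); err != nil {
		return "", err
	}
	return buf.String(), nil
}

func main() {
	for _, probe := range []string{"{{.}}", "{{.Password}}", "user@example.com"} {
		v, err := renderVulnerable(probe)
		s, _ := renderSafe(probe)
		fmt.Printf("input %q\n  vulnerable: %q (err=%v)\n  safe:       %q\n", probe, v, err, s)
	}
}
```

The probe `{{.}}` prints the whole data context, which is why it doubles as both a detection payload and an information leak; `{{.Password}}` shows that field selectors work just as well once the injection is confirmed.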

What caught my attention most was the DebugCmd function.

It appeared to execute commands on the system using the arguments passed to it, so I tried it in Burp.

It worked. I tried to find the host's IP address, but the ifconfig command did not exist; I also wanted to check whether the machine could reach me, but neither ping nor wget existed.

This made me think I was inside a container. I looked at /proc/net/fib_trie and it confirmed that it was indeed a container.
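Reading /proc/net/fib_trie by hand is tedious, so here is an added Go example (not from the writeup) that extracts the host's own IPv4 addresses from it, which is the trick used above when ifconfig is missing. The format is the kernel's FIB trie dump: each `|-- A.B.C.D` line names an address, and it belongs to a local interface when a following, more indented line reads `/32 host LOCAL`. The same entries appear under both the Main and Local tables, so results are deduplicated. The sample `sampleFibTrie` is constructed; the functions `localAddrs` and `nonLoopback` are my names.

```go
package main

import (
	"bufio"
	"fmt"
	"net"
	"os"
	"strings"
)

// sampleFibTrie is a constructed /proc/net/fib_trie excerpt for a host with
// loopback plus one address on a 172.17.0.0/16 bridge network.
const sampleFibTrie = `Main:
  +-- 0.0.0.0/0 3 0 5
     |-- 0.0.0.0
        /0 universe UNICAST
     +-- 127.0.0.0/8 2 0 2
        +-- 127.0.0.0/31 1 0 0
           |-- 127.0.0.0
              /32 link BROADCAST
              /8 host LOCAL
           |-- 127.0.0.1
              /32 host LOCAL
        |-- 127.255.255.255
           /32 link BROADCAST
     +-- 172.17.0.0/16 2 0 2
        +-- 172.17.0.0/30 2 0 2
           |-- 172.17.0.0
              /32 link BROADCAST
              /16 link UNICAST
           |-- 172.17.0.2
              /32 host LOCAL
        |-- 172.17.255.255
           /32 link BROADCAST
Local:
  +-- 0.0.0.0/0 2 0 2
     +-- 127.0.0.0/31 1 0 0
        |-- 127.0.0.0
           /32 link BROADCAST
           /8 host LOCAL
        |-- 127.0.0.1
           /32 host LOCAL
     |-- 172.17.0.2
        /32 host LOCAL
`

// localAddrs returns the IPv4 addresses assigned to this host's interfaces,
// in first-seen order and without duplicates. It remembers the most recent
// "|-- <addr>" line and records it when a "/32 host LOCAL" line follows.
// Broadcast entries ("/32 link BROADCAST") and network-wide LOCAL entries
// such as "/8 host LOCAL" are deliberately not matched.
func localAddrs(fibTrie string) []string {
	var out []string
	seen := map[string]bool{}
	last := ""
	sc := bufio.NewScanner(strings.NewReader(fibTrie))
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		switch {
		case strings.HasPrefix(line, "|-- "):
			last = strings.TrimPrefix(line, "|-- ")
		case line == "/32 host LOCAL" && last != "" && !seen[last]:
			seen[last] = true
			out = append(out, last)
		}
	}
	return out
}

// nonLoopback drops 127.0.0.0/8 so only the interface addresses that
// identify the host on a network remain.
func nonLoopback(addrs []string) []string {
	var out []string
	for _, a := range addrs {
		if ip := net.ParseIP(a); ip != nil && !ip.IsLoopback() {
			out = append(out, a)
		}
	}
	return out
}

func main() {
	data, err := os.ReadFile("/proc/net/fib_trie")
	if err != nil {
		fmt.Println("could not read /proc/net/fib_trie, using constructed sample:", err)
		data = []byte(sampleFibTrie)
	}
	for _, a := range nonLoopback(localAddrs(string(data))) {
		fmt.Println(a)
	}
}
```

The same two-line rule (`|--` line followed by `/32 host LOCAL`) is what a quick `grep -B1 '/32 host LOCAL'` would show; doing it in code just makes the output reusable in tooling.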

After some desperate searching I found that the aws command was available, which caught my attention: it would let me list and copy buckets (it can do a lot more, but that is not what I was interested in).

I listed the buckets and found one called website.

Inside it I found something interesting: the files there appeared to be the ones served by the web server on port 80, so I thought that if I managed to upload a file I could reach it from that web server. Before that I listed the AWS credentials stored in ~/.aws/credentials.

And I was able to read them.

They would have let me talk to the bucket from my own machine, but I was not interested in that, so I tried to upload a PHP webshell to the web server. I had to URL-encode it, otherwise the command was rejected; I wrote it to /tmp as reversess.php.

And I managed to get it into the bucket with aws s3 cp.

I browsed to it on the web server and got arbitrary code execution.

To establish a reverse shell I created a txt file with the reverse-shell one-liner and started a web server on port 8000.

I fetched it with curl from the webshell.

Then I piped the code into bash and got access as the www-data user.

After upgrading to a full TTY I was able to read the user flag.

PRIVILEGE ESCALATION
All that was missing was the privilege escalation. I listed the SUID binaries but found nothing interesting.

Enumerating a little more, I found a web server listening on port 8000, and what caught my attention most was that it was only reachable from localhost. I decided to look through the nginx configuration under its modules directory and found a file that stood out, 50-backdoor.conf. Reading it revealed a route in clear text; after researching it on the internet I found that it was a backdoor.

To trigger it I needed the parameter it was configured with. For that I needed a copy of the module, so I searched for the file by name with find and found it.

I ran strings on it and filtered for run, which quickly turned up the parameter.

Now all that was left was to send a request to the server on localhost using the parameter I had found, which gave me command execution as the root user.

And now I could read the root flag.
