Poison - Hack The Box

 

Poison was one of the machine in hack the box and got retired few minutes back. It was my first box and took me a bit long to root this for no reason. Why Poison was my first box? Because I had to start with something really easy just because I get some confidence to play. Well, lets get started.

Getting Started:
I initiated with nmaping on the box. Lets find top 10 ports in nmap-services using --top-ports flag.

 

More other options can be used to determine open and running ports but this is usually I use for quick results.

As can be seen in the above screenshot, port 22 and 80 are open. I quickly went to my browser and this is what I found.

They had already given some filenames which I tried. On trying them, I observed a URL pattern which smells fishy. It was like this, http://10.10.10.84/browse.php?file=ini.php. I was able to view the content of the file. Lets try /../../etc/passwd instead of ini.php

Awesome! Its LFI. Noted. For now lets move on to other files we already know and explore their content.

All the files had some or the other php array but listfiles.php was listing out current directories files which had an interesting file with name pwdbackup.txt.

This password is secure, it's encoded atleast 13 times.. what could go wrong really.. Vm0wd2QyUXlVWGxWV0d4WFlURndVRlpzWkZOalJsWjBUVlpPV0ZKc2JETlhhMk0xVmpKS1IySkVU bGhoTVVwVVZtcEdZV015U2tWVQpiR2hvVFZWd1ZWWnRjRWRUTWxKSVZtdGtXQXBpUm5CUFdWZDBS bVZHV25SalJYUlVUVlUxU1ZadGRGZFZaM0JwVmxad1dWWnRNVFJqCk1EQjRXa1prWVZKR1NsVlVW M040VGtaa2NtRkdaR2hWV0VKVVdXeGFTMVZHWkZoTlZGSlRDazFFUWpSV01qVlRZVEZLYzJOSVRs WmkKV0doNlZHeGFZVk5IVWtsVWJXaFdWMFZLVlZkWGVHRlRNbEY0VjI1U2ExSXdXbUZEYkZwelYy eG9XR0V4Y0hKWFZscExVakZPZEZKcwpaR2dLWVRCWk1GWkhkR0ZaVms1R1RsWmtZVkl5YUZkV01G WkxWbFprV0dWSFJsUk5WbkJZVmpKMGExWnRSWHBWYmtKRVlYcEdlVmxyClVsTldNREZ4Vm10NFYw MXVUak5hVm1SSFVqRldjd3BqUjJ0TFZXMDFRMkl4WkhOYVJGSlhUV3hLUjFSc1dtdFpWa2w1WVVa T1YwMUcKV2t4V2JGcHJWMGRXU0dSSGJFNWlSWEEyVmpKMFlXRXhXblJTV0hCV1ltczFSVmxzVm5k WFJsbDVDbVJIT1ZkTlJFWjRWbTEwTkZkRwpXbk5qUlhoV1lXdGFVRmw2UmxkamQzQlhZa2RPVEZk WGRHOVJiVlp6VjI1U2FsSlhVbGRVVmxwelRrWlplVTVWT1ZwV2EydzFXVlZhCmExWXdNVWNLVjJ0 NFYySkdjR2hhUlZWNFZsWkdkR1JGTldoTmJtTjNWbXBLTUdJeFVYaGlSbVJWWVRKb1YxbHJWVEZT Vm14elZteHcKVG1KR2NEQkRiVlpJVDFaa2FWWllRa3BYVmxadlpERlpkd3BOV0VaVFlrZG9hRlZz WkZOWFJsWnhVbXM1YW1RelFtaFZiVEZQVkVaawpXR1ZHV210TmJFWTBWakowVjFVeVNraFZiRnBW VmpOU00xcFhlRmRYUjFaSFdrWldhVkpZUW1GV2EyUXdDazVHU2tkalJGbExWRlZTCmMxSkdjRFpO Ukd4RVdub3dPVU5uUFQwSwo=

This string looks like base64. On decoding the the string 13 times "Charix!2#4%6&8(0" is something I found. This says it all because Charix looks like a username and if you remember, /etc/password had charix as a user on this box but then the question arise, how to login to the system? nmap results says that the box has ssh service. The credentials were correct and here we could successfully login as charix user.

 

 

Escalating Privilege:
ls command have a file namely 'secret.zip'. While trying to unzip the file, the error was to provide a password to the file. quick google search and got to know that unzip -P file.zip would extract the file contents. Did not work. I downloaded the file using python SimpleHTTPServer.

On trying to unzip and crack this locally, found nothing. But wait, I haven't tried what I already have. Lets try the charix password and yes, it did worked locally. On extracting the strange string did not mean anything. Lets leave this for now.

 

I tried to access /root/root.txt just to make sure I was not having access to it. 
Lets try to gather some information about the system:

FreeBSD Poison 11.1-RELEASE FreeBSD 11.1-RELEASE #0 r321309: Fri Jul 21 02:08:28 UTC 2017     root@releng2.nyi.freebsd.org:/usr/obj/usr/src/sys/GENERIC  amd64

There are couple of ways to get this information about FreeBSD Version is using uname -a and strings /boot/kernel/kernel | grep RELEASE commands. I tried to find any public exploit available for this FreeBSD version but nothing interesting found. So, freebsd is better at security and usually it is not that easy to gain other privilege over such BSD systems.
I tried to search for file name with the string 'password' using find / | grep 'password'. Found some interesting files and on analyzing them did not come up with what was required.

Finding some root internal service which can also reveal something good. 
So lets see the running processes which is running on the machine with a ps aux.
We can see some processes running under root privileges. Nothing interesting except a single service, vnc. Yes, this is something I should try to exploit.
 

But wait, this wasn't found in nmap. Why was this even a service running, when it was supposed to be accessible from outside?? On searching more about this, I got to know that it was possible to create an ssh tunnel to any port. 

https://www.cl.cam.ac.uk/research/dtg/attarchive/vnc/sshvnc.html
The above article says VNC to make more secure. but now, how this could be exploited? We have the service internally running as a root. Somehow if we can access vnc would be great as it will give a root access directly. We somehow need to run commands on vnc connecting with vnc. So let us create an ssh connection to vnc which is already running as a root. 

   
We are getting connected as charix and after logging in, nothing happens. It is simply creating a coonection to the port and that is it. After sometime, it struck me that when we are connected as ssh, we are exposing internal services to the host. All it require is a way to access vnc. Do we have something? vncviewer is something which should work. 

It ask for the password. We do have a pass file. On a bit of searching I found that it was possible to provide password from a file. I tried doing the same on the file directly.

As soon as this, a popup with a shell I could see..

I hope you all enjoyed the article. Share it if you liked it.. :)

Read More

Celestial - Hack The Box

SPOILER ALERT!!
Celestial was pretty straightforward. It was not as easy as Poison to achieve user access. Though root was pretty easy. Celestial made me do alot of different things and in the process learned alot of new things. This is the advantage of Hack The Box as well as other vulnerable machines and CTF.

Lets Get Started:

The machine was little unstable as sometimes I could not even connect to it and was loosing connection frequently due to some reason. To start, lets nmap to see what are the open ports. Initially for a normal scan, I didn't find anything but after few more scans, I found one open port and below are the results:

As we can see, there is only one port available. After a bit of searching got to know that this is used for nodejs. This is how it looks like when opened up on browser.

  

404? Well I tried to enumerate directories but was showing error i.e no GET request defined for the application but soon this grabbed my attention:

Well, this can be a hint but no. I wondered, how this came up? May be because someone did a mischief? No. It struck me first about expression injection based on this. Soon I realized that there must be some kind of session used. This came up when I refreshed it again. Whenever a new user land on this page, 404 was shown, though it wasn't 404 Error and as soon as refreshed, the application gives session to the user. The session was base64 encoded.

This again looks like a hint. I thought, lets change the use to another use and again encode it with base64 and provide the application, a rough session id by changing the username to admin. No results, so I tried playing with this json and something I came across.

This Error caught my attention. So now we have something related to nodejs serialization. Is there any vulnerability related to serialization in nodejs? Yes! Deserialization to RCE.

Some of the programming languages have serialization function to convert data into an object. There are various reason to serialize something. When a nodejs data is been serialized it looks something like this.

{"rce":"_$$ND_FUNC$$_function (){\n \t [Code] \n }()"}

This can be seen when a function is converted into a serialized format. We already knew that the application is taking a serialized data to it. I tried to run this to know if this works for me before even trying to exploit.

Error!! I tried to change rce in the format to dummy but soon realized that this is the correct format and this is how the application should respond.

Payload
Why not have a serialized format there to make it execute the way we want? Lets run some nodejs based shell. nodejsshell.py can help us with thi.

The payload is ready all you have to do is to place it in the serialize formatted function between  {"rce":"_$$ND_FUNC$$_function (){\n \t [code] \n }"} but will this even work? The answer is NO! If you look at the image where I found a proper payload has () at the end on the function. This is similar to constructors. Function is called itself, placed the payload in the function and base64'd it and sent the request. 

and

It did not took me long to go to Documents to find the user flag but a thing to notice that Documents also had a python script named as script.py which was getting updated every 5mins. It had a single line of code saying, script is running. I remembered it clearly there was an output.txt file there on the user's root folder.

On checking the contents it was printing the output of script.py file. I also recognized that the permissions given to the file was root only.
I wrote a small python script in script.py

Believe me, I was literally waiting for 5mins.

This is enough to make it clear that we could now run anything as root. I even got a reverse shell though by just providing a python based reverse shell. To know, what exactly was going on, I thought to check out the logs.

There was this cronjob responsible to execute the script.

I Hope you enjoyed the article. Please share and comment.

Read More