BountyHunter (Easy)

Description

• Difficult -> Easy

• OS -> Linux

• State -> Retired

• Tags -> Vulnerability Assessment / Web Application / Source Code Analysis / XXE Injection / Clear Text Credentials / Python

https://app.hackthebox.com/machines/359

Write-up

• I started doing an initial port scan using Nmap

nmap -p- -Pn --min-rate 2500 -oN scan.txt 10.129.95.166

---

• Then I did an exhaustive scan to learn more about the services running on the open ports

nmap -p22,80 -sVC -oN serv_scan.txt 10.129.95.166

---

• I found an HTTP service on port 80 so I tried accessing the content on the browser. There I found a simple page for testing services where some of the buttons didn't work

To learn more about the HTTP protocol you can go here

---

• Exploring the page and reading the source code, I didn't find anything relevant apart from a contact form which didn't seem to do any action. Reaching the Portal button in the top bar, redirected me to a page with a message that had a link to another page for testing purposes. This last one had a form for a reporting system that I filled and after hitting Submit, I noticed it shows me back the information given as a summary

---

• This made me think it could be vulnerable to an XSS vulnerability but after some tests, it didn't go through. So I decided to look at the petition sent when filling out this form with the help of FoxyProxy and Burpsuite and noticed it was sending a data parameter with an encoded value in the body. I used the decoder tab to decode this first from URL and then from Base64, seeing the content was an XML petition

---

• Knowing this, I tried to test this for a possible XXE Injection, changing the content of the petition to add a payload to retrieve the content of the /etc/passwd file and encoding it back into the initial format. Then I put this in the data value and re-sent the petition, obtaining the desired result and confirming the vulnerability. Also, checking the content I noticed there was a development user in the system, so I tried getting the file from its home folder but it didn't work

To learn more about XXE Injection you can go here

---

• As I knew this was an Apache server from my scan, I could search for possible PHP files on the system, but calling them directly would execute them instead of showing the source code. I investigated and found this could be bypassed by using PHP filters, so I did this by inserting a new payload to call the default db.php file, re-did the encoding process, and sent it again, leaking the information from the database and leaking some credentials

To learn more about bypassing using PHP filters you can go here

---

• With this, I tried assuming the m19RoAU0hP41A1sTsq6K password found in this leak, was the same to connect to the development user. So I used the SSH protocol to connect to the machine and it worked, and after that, I sanitized the terminal to work more comfortably with it

ssh development@10.129.95.166

To learn more about the SSH protocol you can go here and to learn more about the sanitization process you can go here

---

• Once inside, I listed the contents of the folder where I was, which was the /home folder from the user, finding a user.txt file, and reading its content to retrieve the user flag

---

• With that, I got the user flag

Answer: bdc19bdcee275e01eef25a0c645b79db

---

• I needed to find a way to escalate privileges but first I looked at the content of the contract.txt file which was in the same location. The most relevant thing about the message was that the company had set permissions for the user to do testing on a tool. So I checked the privileged execution permissions with sudo -l and found the user could execute a Python script as the root user

---

• I looked at the content of this script which was a tool for handling tickets, and analyzed the flow of the actions. First, it asked the user to enter the path the the ticket, search the file, and check it had the .md extension to read its content. Then it checked the first and second lines started with specific strings, and searched for the Ticket Code section to make some validations about the ticket number and confirm if it was or not a valid ticket

---

• Also, in the folder where the script was, I found another folder with some examples for the construction of the tickets, which helped me understand better the format

---

• What caught my attention was that this script was using the eval function which is well-known for being vulnerable as it has global scope, and wasn't doing proper sanitization of the input. So I tried leveraging this, creating a ticket in the /tmp folder based on the examples and internal validations, and adding a payload to spawn a shell in the part where the eval function would act. Then I ran the script using sudo specifying the path to this ticket and this gave me a shell as the root user

nano shell.md
sudo /usr/bin/python3.8 /opt/skytrain_inc/ticketValidator.py

shell.md

# Skytrain Inc
## Ticket to New Haven
__Ticket Code:__
**11+9 == 20 and __import__('os').system('/bin/bash')**

To learn more about abusing the Python eval function for privilege escalation you can go here

---

• Finally, I navigated to the /root folder where I found a root.txt file, and reading its content I got the root flag

---

• With that, I got the root flag and pwned the machine

Answer: 24f7090b6fd22d11acc7a2028eebe475