Forgot is a medium-difficulty Linux machine from HackTheBox created by MrR3boot. This box is confusing and slow; you need a lot of patience to complete it. In this post my IP is 10.10.14.18 and the target’s IP is 10.129.228.104.
Gathering Information
This step is always the same: ping the machine to check that it is alive, then use Nmap to scan all the ports to avoid surprises.
Local Terminal
nmap -p- --open -T5 -v -n 10.129.228.104
Nmap’s output: just a website?
It’s just a website, but there is something weird about it.
Relevant information: Varnish 6.2. After exploring the site, you should look into that.
Browser: http://10.129.228.104
Main page
Fragment of the main page source code (CTRL+U)
Add this to your notes: {user : robert-dev-14522}. We still don’t have much information, so our best option is to fuzz the website and try to obtain more.
home, tickets, and reset. Interesting.
My target machine went down; new target IP: 10.129.219.117
Browser: http://10.129.219.117/forgot
We can see that the website sends something to the user, and we need to intercept it using one terminal, Burp Suite, and the browser.
User Interception Step
Before that, take the “robert-dev” username from http://10.129.219.117 using view-source (CTRL+U), or run: curl http://10.129.219.117/ | grep "Q1 release fix by"
This machine has a timer that changes the “robert-dev” username, and the step will fail if you are slow. If that happens, repeat everything from “User Interception Step”.
This version of Varnish has a caching issue (this was hard to find); we will use it to intercept and obtain the credentials needed to log in directly to the machine.
view-source of home: /admin_tickets looks like an important path.
First, we need to submit a ticket containing a valid URL from the machine plus a fictional directory; the best place is /static, where the .js files are stored. After this, we will obtain the admin’s cookie and use it to reach /admin_tickets.
Browser: http://10.129.219.117/escalation
Submit!
Here you have to wait around two or three minutes. Meanwhile, you can retrieve your own user cookie for comparison by intercepting a page such as http://10.129.219.117/escalation in Burp Suite while logged in.
After waiting, we can get the cookie from the fictional page.
Admin cookie. If this fails, repeat by submitting a new ticket with a new folder name.
Now that we have the administrator’s cookie, we use Burp Suite to replace our cookie when requesting /admin_tickets:
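To make clear why the cached copy of the fictional page carries the admin’s cookie, and what a cache in front of a per-user application must refuse to store, here is a toy model of a shared cache written for this post (it is not code from the box and not Varnish’s VCL). The backend, the session tokens and the caching rules are all constructed; in particular it assumes, as the walkthrough suggests, that the application’s response for an unknown path under /static/ still includes the requesting user’s session cookie.

```python
"""Toy shared cache in front of a per-user web app (constructed example).

Shows how keying a cache on the URL path alone serves one visitor's session
cookie to the next visitor, and the two rules that prevent it.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, Optional, Tuple


@dataclass
class Response:
    status: int
    headers: Dict[str, str] = field(default_factory=dict)
    body: str = ""


# Constructed session table; the tokens are placeholders, not values from the box.
SESSIONS = {"tok-admin-CONSTRUCTED": "admin", "tok-user-CONSTRUCTED": "guest"}


def backend(path: str, cookie: Optional[str]) -> Response:
    """Stand-in for the ticketing app (assumption: it re-issues the caller's
    session cookie on every response, even a 404 for a made-up /static/ file)."""
    user = SESSIONS.get(cookie)
    headers = {"Content-Type": "text/html"}
    if user:
        headers["Set-Cookie"] = "session=" + cookie
        headers["Cache-Control"] = "private"
    status = 404 if path.startswith("/static/") else 200
    return Response(status, headers, "Hello, " + (user or "anonymous"))


Policy = Callable[[str, Optional[str], Response], bool]


class Cache:
    """Keys entries on the request path only, like a naive static-asset cache."""

    def __init__(self, cacheable: Policy):
        self.store: Dict[str, Response] = {}
        self.cacheable = cacheable

    def get(self, path: str, cookie: Optional[str]) -> Tuple[Response, bool]:
        if path in self.store:
            return self.store[path], True  # served from cache
        resp = backend(path, cookie)
        if self.cacheable(path, cookie, resp):
            self.store[path] = resp
        return resp, False


def weak_policy(path: str, cookie: Optional[str], resp: Response) -> bool:
    # "Everything under /static/ is static, so cache it" -- the flawed rule.
    return path.startswith("/static/")


def hardened_policy(path: str, cookie: Optional[str], resp: Response) -> bool:
    # Rule 1: a request that carried a cookie is personalised; never store it.
    if cookie is not None:
        return False
    # Rule 2: a response that sets a cookie or says private/no-store is not shared.
    if "Set-Cookie" in resp.headers:
        return False
    cc = resp.headers.get("Cache-Control", "")
    if "private" in cc or "no-store" in cc:
        return False
    # Only store real, successfully served static assets.
    return path.startswith("/static/") and resp.status == 200


def demo(policy: Policy) -> Tuple[bool, Optional[str]]:
    """An authenticated admin visits a made-up /static/ URL first; then an
    anonymous visitor requests the same path. Returns (cache hit?, Set-Cookie
    header the anonymous visitor received)."""
    cache = Cache(policy)
    cache.get("/static/made-up.js", "tok-admin-CONSTRUCTED")
    resp, hit = cache.get("/static/made-up.js", None)
    return hit, resp.headers.get("Set-Cookie")


if __name__ == "__main__":
    print("weak policy     ->", demo(weak_policy))
    print("hardened policy ->", demo(hardened_policy))
```

With the weak policy the second request is a cache hit and the anonymous visitor receives `session=tok-admin-CONSTRUCTED`; with the hardened policy nothing is stored and the visitor gets a fresh, cookie-less response. In a real deployment the equivalent checks belong in the cache configuration (do not cache requests with a Cookie header or responses with Set-Cookie / Cache-Control: private), and the application should not answer arbitrary paths under a static prefix with a dynamic page.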
Burpsuite {Intercept ON}
Browser: http://10.129.219.117/admin_tickets
Burpsuite {Replace Cookie}
Burpsuite {Forward}
Burpsuite {Intercept OFF}
And we are in! Look, there is an SSH issue.
We have to try to log in with these credentials, but first note that this website capitalizes text everywhere, so we take the credentials from the page source.
view-source of /admin_tickets… {diego:dCb#1!x0%gjq}
Log in over SSH with them; from now on our Local Terminal [Term] is the Target Terminal [Diego].
Get the user.txt
Privilege Escalation
Now we want to become root. First we need to know which applications we can execute as root.
By exploring the code, we found two things: it reads a MySQL database, and because of the TensorFlow version, we can inject code through saved_model_cli to execute another bash file. I found an explanation and steps in this post.
It’s connected to SQL! Nice.
app's Tables
Content of the users table
Still, I couldn’t do anything else with this information…
From here we need three terminals: two connected to the target as Diego, one for the MySQL queries [MySQL] and the other to execute ml_security.py [Diego], plus one Local Terminal [Term].
Target Terminal [Diego]
chmod 777 script.sh #the script in /dev/shm that the payload below runs
mysql -u diego -p #pass: dCb#1!x0%gjq
Target Terminal [MySQL]
use app;
insert into escalate values ("TEXT","TEXT","TEXT",'hello=exec("""\nimport os\nos.system("/dev/shm/script.sh")\nprint("&ErrMsg=%3Cimg%20src=%22http://imgur.com/bTkSe.png%22%20/%3E%3CSCRIPT%3Ealert%28%22xss%22%29%3C/SCRIPT%3E")""")');
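The reason a row in the escalate table turns into code execution is that the `hello=...` text is handed to saved_model_cli as an input expression and evaluated as Python. The example below is mine, not the box’s ml_security.py and not TensorFlow’s own parser: it models (as an assumption about the shape of the bug, not the exact upstream implementation) an `eval()`-based “name=expression” parser next to a hardened one that only accepts literals, plus a screening function that a root-run script could apply to database rows before passing them on. The rows are constructed.

```python
"""eval()-style input-expression parsing vs. literal-only parsing (added example).

parse_input_expr_unsafe: stand-in for a CLI that evaluates 'name=<expr>' with
eval(); parse_input_expr_safe: the same interface restricted to Python literals.
"""
import ast
from typing import Any, Dict, List, Tuple


def parse_input_expr_unsafe(arg: str) -> Tuple[str, Any]:
    """Assumed shape of the vulnerable parser: whatever follows '=' runs as Python."""
    name, expr = arg.split("=", 1)
    return name.strip(), eval(expr.strip())  # arbitrary code runs here


def parse_input_expr_safe(arg: str) -> Tuple[str, Any]:
    """Hardened version: only Python literals (numbers, strings, lists, dicts, ...)."""
    name, expr = arg.split("=", 1)
    try:
        value = ast.literal_eval(expr.strip())
    except (ValueError, SyntaxError) as exc:
        raise ValueError("rejected non-literal expression for %r" % name.strip()) from exc
    return name.strip(), value


def rejects(arg: str) -> bool:
    """True if the hardened parser refuses the expression."""
    try:
        parse_input_expr_safe(arg)
    except ValueError:
        return True
    return False


def screen_rows(rows: List[Dict[str, str]]) -> List[str]:
    """Return the names of rows whose expression would be refused; a script that
    runs with elevated privileges should check this before shelling out, because
    the table is writable by a lower-privileged database account."""
    return [row["name"] for row in rows if rejects(row["expr"])]


# Constructed rows standing in for the escalate table's contents.
SAMPLE_ROWS = [
    {"name": "benign-list", "expr": "hello=[1, 2, 3]"},
    {"name": "benign-dict", "expr": 'hello={"x": 1.5}'},
    {"name": "import-call", "expr": 'hello=__import__("math").pi'},
    {"name": "exec-call", "expr": 'hello=exec("flag = 1")'},
]


if __name__ == "__main__":
    for row in SAMPLE_ROWS:
        print(row["name"], "-> unsafe:", parse_input_expr_unsafe(row["expr"])[1],
              "| hardened rejects:", rejects(row["expr"]))
    print("rows to refuse:", screen_rows(SAMPLE_ROWS))
```

The unsafe parser happily evaluates the import and exec expressions (harmless ones here); the hardened parser rejects exactly those two rows and keeps the plain list and dict. The broader fix for this privilege-escalation chain is the trust boundary: a script executed as root must not treat rows from a table that a low-privileged user can write as code, whichever tool ends up evaluating them.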