Bolt Hackthebox writeup

In this Hackthebox we will go analyze a docker img files and from there will find some juicy stuff will help us login to a vhost “demo” which has some functions aren’t in the main web application , from there we will exploit SSTI and gain low-privilege shell as www-data , during box enumeration we will find some passwords in the system which will let us get a user access , after that we will connect to a mysql database then will find a PGP encrypted message , somehow will gain the user private gpg key to decrypt the message which contains the root password .

Scanning :

$ nmap -A -T 4 $IP  -sV -oN nmap/intial

PORT    STATE SERVICE  VERSION
22/tcp  open  ssh      OpenSSH 8.2p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   3072 4d:20:8a:b2:c2:8c:f5:3e:be:d2:e8:18:16:28:6e:8e (RSA)
|   256 7b:0e:c7:5f:5a:4c:7a:11:7f:dd:58:5a:17:2f:cd:ea (ECDSA)
|_  256 a7:22:4e:45:19:8e:7d:3c:bc:df:6e:1d:6c:4f:41:56 (ED25519)
80/tcp  open  http     nginx 1.18.0 (Ubuntu)
|_http-server-header: nginx/1.18.0 (Ubuntu)
|_http-title:     Starter Website -  About
443/tcp open  ssl/http nginx 1.18.0 (Ubuntu)
|_http-server-header: nginx/1.18.0 (Ubuntu)
| http-title: Passbolt | Open source password manager for teams
|_Requested resource was /auth/login?redirect=%2F
| ssl-cert: Subject: commonName=passbolt.bolt.htb/organizationName=Internet Widgits Pty Ltd/stateOrProvinceName=Some-State/countryName=AU
| Not valid before: 2021-02-24T19:11:23
|_Not valid after:  2022-02-24T19:11:23
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

• if we do a full port scan it won’t return any new ports so now we can start our enumeration process.

• we can notice from the nmap scan commonName=passbolt.bolt.htb so we can add bolt.htb and pass.bolt.htb to our /etc/hosts

• we can also search for other potential vhosts now :

ffuf -c -w /usr/share/wordlists/seclists/Discovery/DNS/subdomains-top1million-5000.txt -u http://bolt.htb -H "Host: FUZZ.bolt.htb" -fw  10870

mail                    [Status: 200, Size: 4943, Words: 345, Lines: 99]
demo                    [Status: 302, Size: 219, Words: 22, Lines: 4]

• we can add them all to the /etc/hosts as well

Enumeration :

• visiting the web application at bolt.htb or passbolt.bolt.htb we are introduced with :

• there is a feedback form at the end but it doesn’t work
• we can start viewing the pages at the application :

• at /download there is a file we can download so let’s download it and see what it contains

• extracting the image.tar we can see it contains :

• each directory contains a layer.tar file , we can utilize some bash magic to extract them all :

#!/usr/bin/bash
for file in $( ls -d */)
do
tar -xf  $file/layer.tar -C $file/
done

• now we can use tree command to have an overview what does the files contains then we can start checking them manually

at 745959c3a65c3899f9e1a5319ee5500f199e0cadf8d487b92e2f297441f8c5cf/ will find a config.py file

• reading it will find :

• and it loads db.sqlite3 we can start searching for it in all image layers maybe we find it and we did :

# under img dir
find . -name db.sqlite3
./a4ea7da8de7bfbf327b56b0cb794aed9a8487d31e588b75029f6b527af2976f2/db.sqlite3

• now we can open it and will find :

admin@bolt.htb:$1$sm1RceCh$rSd3PygnS/6jlFDfF2J5q.

we can try to crack this hash with JTR :

john --wordlist=/usr/share/wordlists/rockyou.txt admin@bolt.htb_hash
# password:deadbolt

great we have credentials we can try to login at the web application with it and we are in:

• let’s see where else we can utilize these valid credentials , we can visit mail.bolt.htb but it didn’t work :( .
• we can also visit demo.bolt.htb and it also doesn’t work however it contains a registration function :
• it needs a ticket to create an account

• navigating through img files will see at 41093412e0da959c80875bb0db640c1302d5bcdffec759a3a5670950272789ad/app/base/ some source codes we can check routes.py and we will see :

• seems like invitation code we can try to register at demo.bolt.htb with it .
• we create account successfully and can login with it :

• we can also login to mail.bolt.htb with our new credentials , they seem to be connected somehow

Enumeration Harder

• now as we are logged in in all the web applications we should have notice that demo.bolt.htb and bolt.htb are pretty much the same however in the demo there are more features and pages we can access .
• we now are searching for any input at any page to test it
• at demo and under profile page we have this setting tab which has input option :

• we can test it

• and instantly at mail.bolt.htb an email has received

• and when we pressed the link another mail has received :

• so now we have understood how the web applications function together we can test these input fields for potential vulnerabilities .
• we have seen in the source codes “flask” a lot so we can test SSTI .

exploitation :

testing SSTI can began with a basic test like :

• we now will receive first mail to confirm and 2nd one with the response :

• Nice we have a valid SSTI exploit at the name field , we can try to leverage it to RCE with payload like those

response :

so now we can get a reverse shell with :

Foothold :

and we have our shell as www-data :

• if we look around we will find a lot of files to explore , we can use Linpeas to guide us where to look first and non expected files in some directories and if there is a path to escalate our privilege .

• we can check roundcube/config/config.inc.php and will find :

which is a potential password we can use latter

• also there is /etc/passbolt we can check it
• to search for potential passwords in it we can use :

grep --color=auto -rnw '.' -Rie "password" --color=always 2>/dev/null
# ./passbolt.php:42:            'password' => 'rT2;jW7<eY8!dX8}pQ8%',

we can try to see if we can access the mysql database :

passbolt:rT2;jW7<eY8!dX8}pQ8%

www-data@bolt:/etc/passbolt$ mysql -u passbolt -D passboltdb -p
# mysql>

• and we have connected successfully , we can now see if there is anything interesting for us

mysql > SHOW databases ; # list them
mysql > use passboltdb;
mysql > show tables; # list tables
mysql > Describe secrets ; # found table secrets seems interesting

• will find this PGP message inside the column data of table secrets :

• so far we didn’t find a potential factor to escalate to eddie or clarck
• however we have collected some passwords we can test them as ssh credentials with any user .

Eddie user :

• now we can ssh to the eddie user :

• Back to our linpeas output we had :

• and he had one mail from clark contains :

Go ahead and download the extension to your browser and get logged in.  Be sure to back up your private key because I CANNOT recover it

• so we should search for this browser to see what is this mail about
• we can find google-chrome is the browser mentioned

• now we want to get eddie private key to be able to read the message we have seen before in the MySQL DB .
• we can start searching for it inside the chrome folder we just hit .

eddie@bolt:~/.config/google-chrome$ grep "PRIVATE KEY" -r .

will find some results just have the header and not the key itself , but will find :

Binary file ./Default/Local Extension Settings/didegimhafipceonhjepacocaffmoppf/000003.log matches

seems promising , now to grep in a binary you should use “-a” which means all even binaries .

and here it is now you can copy it then replace “\r\n” with new line and you now have the private key

Decrypting the message

now to decrypt a PGP encrypted message we will use :

$ gpg --import eddie_private
$ gpg -d message.inc

but it asks for a passphrase to import the gpg key

• we can utilize gpg2john to get the hash then john to crack it

$ gpg2john eddie_private > eddie_key_hash
$ john --wordlist=/usr/share/wordlists/rockyou.txt eddie_key_hash

• now we can decrypt the message :

Root Access

using the password we just found in the message : Z(2rmxsNW(Z?3=p/9s we get the root access