Bounty Hunter HTB Solution

Diego Condori
6 min read · Aug 9, 2021

Hello, this is my first published solution for a Hack The Box machine, BountyHunter:

We start the enumeration with the nmap tool; the arguments I use are described in order below:
All 65535 ports, only those that are open, with aggressive timing, with verbosity, and with DNS resolution disabled to speed up the scan of this machine (10.10.11.100); everything is exported in grepable format to a file called allPorts (I export it this way because I will use a tool that filters grepable output very nicely).

Enumeration nmap

Now I will use the following tool created by the pentester s4vitar; I leave the tool at the following link: https://gist.github.com/anibalardid/5e05b6472feb3d31116729dc24e6d3e2

Now, having the allPorts file, I use this tool as follows:

extractPorts tool in use for port enumeration

Now that we know which ports are open on the victim machine, we proceed with a detailed enumeration of each port using nmap; the arguments of this command are as follows:
For ports 22 and 80 (TCP/IP) I want a scan with nmap scripts and the version of each service running on each port of the victim machine (10.10.11.100), exporting everything in nmap format under the name targeted.

Detailed listing of ports 22 and 80

Note that we have an HTML page on port 80 TCP/IP, so we open a web browser, in my case Google Chrome for convenience.

When entering PORTAL we notice that it takes us to a page telling us that we must access another page after this one.

On entering we notice a PHP page which, by its description, is an exploit report page; after filling in the inputs we are told that our exploit has been added to the system's database.

Vulnerability reports page

We proceed to use Burp Suite to analyze the data as it is sent to the "vulnerabilities database" of the server; note the value of the data field sent by POST to tracker_diRbPr00f314.php, which at first glance looks like base64 text.

Analyzing the data sent with Burp Suite
Decoded data value

We notice that an XML document is sent by POST, so we conclude that the vulnerability is one from the OWASP Top 10 (https://owasp.org/www-project-top-ten/): XXE, injected through the corresponding XML using a PHP wrapper (file://), which will help us obtain relevant information.

XXE injection

Taking advantage of the fact that this information is transferred via POST to tracker_diRbPr00f314.php, I create a script that sends a POST request to the server at tracker_diRbPr00f314.php.

My script that sends the malicious XML

Now, replacing the PATH I put there with /etc/passwd, we obtain the machine's passwd.

/etc/passwd

As clarified previously, PHP wrappers are used to obtain the information shown above; in the same way, we take advantage of the php://filter/convert.base64-encode/resource=file wrapper to obtain the source code of the PHP files of interest.

Applying the wrapper php://filter/convert.base64-encode/resource=file to tracker_diRbPr00f314.php
Script output
Decoding the output
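From the defender's side of the two steps above (the base64 XML in the data field POSTed to tracker_diRbPr00f314.php, and the file:// and php://filter wrappers), here is an added detection example; it is not code from the writeup or from the machine. It decodes the data field of a form body as a proxy or WAF would see it and flags requests whose XML carries a DTD, an entity declaration, an external identifier or a stream-wrapper scheme. The XML element names, the sample bodies and the placeholder path are constructed; only the field name data comes from the page.

```python
import base64
import binascii
import re
from typing import List, Optional
from urllib.parse import parse_qs, urlencode

# Markers a benign report XML never needs: a DTD, an entity
# declaration, an external (SYSTEM/PUBLIC) identifier or a stream
# wrapper scheme such as file:// or php://.
XXE_SIGNS = {
    "dtd": re.compile(r"<!DOCTYPE", re.I),
    "entity": re.compile(r"<!ENTITY\b", re.I),
    "external": re.compile(r"\b(SYSTEM|PUBLIC)\b"),
    "wrapper": re.compile(r"\b(file|php|expect|data)://", re.I),
}

def decode_data_field(body: str) -> Optional[str]:
    """Return the XML carried in the base64 'data' form field, or None."""
    raw = parse_qs(body, keep_blank_values=True).get("data", [None])[0]
    if raw is None:
        return None
    try:
        return base64.b64decode(raw, validate=True).decode("utf-8", "replace")
    except (binascii.Error, ValueError):
        return None

def classify_request(body: str) -> List[str]:
    """Names of the XXE markers found in the body's XML (empty list = clean)."""
    xml = decode_data_field(body)
    if xml is None:
        return []
    return [name for name, rx in XXE_SIGNS.items() if rx.search(xml)]

def form_body(xml: str) -> str:
    """Build a form body the way the page's form does: base64 XML in 'data'."""
    return urlencode({"data": base64.b64encode(xml.encode()).decode()})

# Constructed samples, not captured traffic; the element names are assumed.
BENIGN = form_body("<report><title>test</title><cvss>5.0</cvss></report>")
SUSPECT = form_body(
    '<?xml version="1.0"?>'
    '<!DOCTYPE report [<!ENTITY ext SYSTEM "file:///PLACEHOLDER-PATH">]>'
    "<report><title>test</title></report>"
)

if __name__ == "__main__":
    for label, body in (("benign", BENIGN), ("suspect", SUSPECT)):
        print(label, classify_request(body) or "clean")
```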

In this way, we proceed to scan for potential files on the server with wfuzz, using a double FUZZ for the file name and the extensions (.txt, .php), as follows:

Enumerate potential files

Note that the interesting file is db.php; to see its content I will use my script.

Changing the file to see its content in my script
Script execution
Decoded content

Since we have these credentials, what is missing is the user with which to enter the server via SSH; as it turns out, when the server's passwd was retrieved earlier, by applying filters I obtained the active users on the server.

Filter users from passwd

Now with the credentials development:m19RoAU0hP41A1sTsq6K we enter the server via SSH.

SSH

Once inside the machine, I transfer LinEnum (https://github.com/rebootuser/LinEnum/blob/master/LinEnum.sh) to it; running it gives an overview of the machine that can be used to escalate privileges.

LinEnum.sh in action

Looking at this, I noticed the ticketValidator.py executable; entering the path of this executable, let's look at the permissions it has and the code it contains.

Permissions
Code of ticketValidator.py

Note that in the evaluate function of ticketValidator.py there is a certain format to follow for this function to return a true value; I show the following example of a correct ticket.

Ticket
Execute ticketValidator.py for ticket.md

Now that we know the correct format of the ticket, let's look at the following line of the program (ticketValidator.py).

Line of code

The eval function is in charge of evaluating a condition written in a string (more information at https://docs.python.org/3/library/functions.html). I did some tests on my Windows machine (my main operating system).

Function eval() in action

In this way we can execute the following code to run a command line from Python's os library; note that it is not yet within the exec function, it is only a demonstration of the injection. We proceed as follows:

Logic comparison injection test in Python

The same applies inside the exec function, only with this value as a string, since the exec function takes a string as its argument.

Now with the exec function
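As an added defensive counterpart to the eval/exec discussion above (this is not code from the writeup, nor the machine's own ticketValidator.py, whose logic the page shows only as an image), here is how a ticket condition can be checked without eval: the string is parsed with ast and only numeric literals, arithmetic and a comparison are accepted, so a call or attribute access in the ticket is rejected instead of executed. The ticket line format (a line starting with `**` carrying the condition) is an assumption.

```python
import ast
import operator

# Whitelist of operators a ticket condition may use; everything else is refused.
_BIN_OPS = {
    ast.Add: operator.add, ast.Sub: operator.sub, ast.Mult: operator.mul,
    ast.Mod: operator.mod, ast.FloorDiv: operator.floordiv,
}
_CMP_OPS = {
    ast.Eq: operator.eq, ast.NotEq: operator.ne, ast.Lt: operator.lt,
    ast.LtE: operator.le, ast.Gt: operator.gt, ast.GtE: operator.ge,
}

def _walk(node: ast.AST):
    """Evaluate a parsed node, accepting only numbers, arithmetic and one comparison."""
    if isinstance(node, ast.Constant) and type(node.value) in (int, float):
        return node.value
    if isinstance(node, ast.UnaryOp) and isinstance(node.op, ast.USub):
        return -_walk(node.operand)
    if isinstance(node, ast.BinOp) and type(node.op) in _BIN_OPS:
        return _BIN_OPS[type(node.op)](_walk(node.left), _walk(node.right))
    if isinstance(node, ast.Compare) and len(node.ops) == 1 and type(node.ops[0]) in _CMP_OPS:
        return _CMP_OPS[type(node.ops[0])](_walk(node.left), _walk(node.comparators[0]))
    # Names, calls, attributes, subscripts and strings are the road to
    # builtins and modules, so they are rejected instead of executed.
    raise ValueError(f"disallowed syntax in ticket: {type(node).__name__}")

def safe_condition(expr: str):
    """Evaluate an arithmetic/comparison string without eval(); ValueError for anything else."""
    try:
        tree = ast.parse(expr.strip(), mode="eval")
    except SyntaxError as exc:
        raise ValueError(f"not an expression: {exc.msg}") from None
    return _walk(tree.body)

def validate_ticket(ticket_text: str, marker: str = "**") -> bool:
    """Assumed rule: the first line starting with the marker must carry a true condition."""
    for line in ticket_text.splitlines():
        if line.startswith(marker):
            try:
                return bool(safe_condition(line[len(marker):]))
            except (ValueError, ZeroDivisionError):
                return False
    return False

if __name__ == "__main__":
    print(validate_ticket("Ticket\n**4 + 3 == 7\n"))       # True
    print(validate_ticket("Ticket\n**len('abc') == 3\n"))  # False: the call is rejected
```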

Creating the malicious ticket, we have:

Malicious ticket

We notice that the command run from Python's os library executes as the same user that is running python3.8; the same idea applies to the script (ticketValidator.py), which is executed at the administrator level, that is, as root. But it only executes as root if there is a way to run it as such, and this possibility is confirmed by the following command on the victim machine.

sudo -l to verify execution as the user development

Note that we can run this executable with sudo, so we proceed to execute the malicious ticket.

Privilege escalation

That would be the solution of the BountyHunter machine; in my opinion a good box, thanks.

Diego Condori

eJPT | eCPPT | Pentester Red Team | Computer Science Student | Programmer