Hack The Box | Sau Write Up

2023-07-30T17:48:00+00:00

Sau? Don’t really find any possible association from the name but it is flagged as really easy by the community. Is that really easy?

Recon

The recon started with the usual nmap where it was found 2 ports open and one filtered.

And actually on tcp port 55555 a HTTP service was found - by checking the page:

The first action done before even explore the page was search what request-baskets was - https://github.com/darklynx/request-baskets. After checking what it was, why not search for a possible security flaw and in fact that version was found to be vulnerable to a SSRF - from the info on this page: https://github.com/advisories/GHSA-58g2-vgpg-335q

By going into the references, the following page https://notes.sjtu.edu.cn/s/MUUhEymt7 was in fact very helpful to understand what the vulnerability was about and also, how to explore it. Since no interaction was done with the application so far, it was difficult to not trying at the same time that the how to was being read. Altough the final outcome was not a prompt reverse shell, it was feeling worthy to follow the steps and so, the basket was created:

With mycrazybasquet it was possible to start the PoC for the SSRF. As a paranteses, SSRF (Server-Side Request Forgery) happens when a threat actor tricks a server to acess/request unintended resources by somehow crafting a request. On this case, the framework used has a feature to forward the traffic which was explorer and SSRF was achieved.

And, after the configuraiton is done, when accessing the basket created the following page pops-up:

And… Same approach, Google is always a good idea so after just pasting Maltrail v0.53, the attention went to an OS command injection vulnerability: https://github.com/spookier/Maltrail-v0.53-Exploit & https://huntr.dev/bounties/be3c5204-fbd9-448d-b97c-96a8d2941e87/. After digging in on the how the vulnerability was found and explored, is PoC time.

Settings changed:

Reverse shell attempt:

User is now achieved. And after a quick ls, a interesting file is found: h

On this file, it was possible to see an output of the trail.service which can be executed as sudo.

So, after some research on Google on this - https://exploit-notes.hdks.org/exploit/linux/privilege-escalation/sudo/sudo-systemctl-privilege-escalation/, which lead into this:

A quick and fun ride :)))

Hack The Box | MonitorsTwo Write Up

2023-07-20T22:48:00+00:00

Monitors Two - are we going to need two monitors? Or two shells?

Recon

Recon was done through nmap command - port 80 and 22 were found to be open.

So… Let’s see what is deal with the port 80.

Wild Cacti was found and the classical admin:admin was tested without any success. The next shot was assess the version - if it has a known exploit (which happens to be true). With a quick Google search, the following CVE showed up - https://github.com/FredBrave/CVE-2022-46169-CACTI-1.2.22

Next action was to test the exploit (which was an success!!)

A shell as www-data was granted, after some non-sucessful enumeration on the host - why not test a Linux Privilege Escalation script. LinPeas was the choosen one. By reviewing the output, a script was flagged - entry_point.sh, which has a connection to a database.

After connecting to the DB:

Hashes? Hum, worth it to call John (for both of them), but only one was picked up by John:

Ok, after this, why not trying login with our friend Marcus? Voilá, it worked and now the user path is concluded.

With Marcus shell and www-data shell, we have two shells. Two monitors??

With the user shell, Linpeas.sh was again executed and docker was really in the spotlight. After some google an interesting Docker engine (Moby) vulnerability came to my attention: Moby Docker Engine PrivEsc (CVE-2021-41091).

CVE-2021-41091 is a flaw in Moby (Docker Engine) that allows unprivileged Linux users to traverse and execute programs within the data directory (usually located at /var/lib/docker) due to improperly restricted permissions. This vulnerability is present when containers contain executable programs with extended permissions, such as setuid. Unprivileged Linux users can then discover and execute those programs, as well as modify files if the UID of the user on the host matches the file owner or group inside the container.

Let’s try this then. First on the initial shell:

And then, on the second shell (Marcus):

Another crazyyyy rideeeeeeeeeeeee :)

td00k

Hack The Box | Sau Write Up

Sau? Don’t really find any possible association from the name but it is flagged as really easy by the community. Is that really easy?

Recon

Hack The Box | MonitorsTwo Write Up

Monitors Two - are we going to need two monitors? Or two shells?

Recon