Pwned: 17/02/23
Tags: Vhost Sub-domain Scanning, BurpSuite Repeater, JSON/NoSQL Injection, Skia/PDF Vulnerability, LFI, Malicious Script, Path Traversal
Enumeration
First, as always, we start the enumeration with an nmap version and script scan.
We can see that port 80 is open, so we can navigate to http://10.10.11.196. The server tries to redirect us to http://stocker.htb. However, since the box is hosted on a private lab network, that hostname does not exist in DNS and the redirect fails. We can resolve the name manually by adding an entry for stocker.htb pointing at 10.10.11.196 to our hosts file (/etc/hosts), as shown below:
This allows us to visit the webpage where we see a 'stock' website.
Digging around the website and in its source code, we don't find anything of interest, nor is there anywhere to inject code. So we'll have to enumerate further.
Running a directory scan turns up a few sub-directories:
However, none of these leads us anywhere. We could keep trying to scan directories using different and bigger wordlists, but next, let's try a vhost sub-domain scan:
From the scan, we can see that there is at least one sub-domain: dev.stocker.htb.
To visit the webpage, we must again add the name to our hosts file, this time for dev.stocker.htb.
Visiting the site, we see a login screen.
Initial Foothold
Let's intercept the web requests using BurpSuite and try some injection in Repeater.
Failed attempts give us this response:
However, if we change the "Content-Type" header from "application/x-www-form-urlencoded" to "application/json", we can rewrite the form-encoded body:
username=******&password=******
into its JSON equivalent:
{"username":"******","password":"******"}
The difference matters: a form-encoded body can only hand the application plain strings, while a JSON body lets us send an object in place of a string. That allows the following NoSQL injection, where "$ne" is the MongoDB "not equal" operator, so each condition matches any document whose field is not the empty string:
{"username":{"$ne":""},"password":{"$ne":""}}
This request gives us a different response in Repeater, indicating the query matched a user without us knowing a password.
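To make the operator injection concrete, here is an added example (not the box's own code, whose index.js is never shown on the page) that models the login query. The user list, the tiny "$ne" matcher that stands in for the database, and both handlers are constructed for this illustration; the point is that the vulnerable handler forwards whatever type the JSON body carries, while the hardened one insists on strings.

```javascript
// Added example: a model of the dev.stocker.htb login, not the box's real code.
// Constructed user list; the password is the one recovered later on the page.
const users = [
  { username: "angoose", password: "IHeardPassphrasesArePrettySecure" },
];

// Mimics the subset of MongoDB query semantics the injection relies on:
// a plain value is compared for equality, an object {$ne: v} matches
// any value that is not equal to v.
function fieldMatches(value, condition) {
  if (condition !== null && typeof condition === "object" && "$ne" in condition) {
    return value !== condition.$ne;
  }
  return value === condition;
}

// Stand-in for collection.findOne(query): first document matching every key.
function findOne(collection, query) {
  const hit = collection.find((doc) =>
    Object.keys(query).every((key) => fieldMatches(doc[key], query[key]))
  );
  return hit === undefined ? null : hit;
}

// Vulnerable handler: the parsed JSON body goes straight into the query,
// so an operator object supplied by the client reaches the database.
function loginVulnerable(body) {
  return findOne(users, { username: body.username, password: body.password });
}

// Hardened handler: credentials must be strings. Objects, arrays and numbers
// are rejected before any query is built, so "$ne" never reaches the query.
function loginHardened(body) {
  if (typeof body.username !== "string" || typeof body.password !== "string") {
    return null;
  }
  return findOne(users, { username: body.username, password: body.password });
}

// Usage: a wrong password fails, the $ne payload succeeds against the
// vulnerable handler and is rejected by the hardened one.
const payload = { username: { $ne: "" }, password: { $ne: "" } };
console.log(loginVulnerable({ username: "angoose", password: "wrong" })); // null
console.log(loginVulnerable(payload));                                      // angoose's document
console.log(loginHardened(payload));                                        // null
```

The type check is the minimum fix; a real application would also compare a password hash rather than the stored plaintext this model uses.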
If we forward this request, we get redirected to dev.stocker.htb/stock. Here, we see a page where we can add items to a cart and print an order summary PDF:
Let's download an order summary and inspect its metadata using exiftool:
From this, we can see that the PDF is produced by Skia/PDF m108, which is the PDF backend of a headless Chromium-based browser.
A quick Google search reveals that PDF generation of this kind is vulnerable to server-side XSS (cross-site scripting): HTML injected into the document is rendered by a browser running on the server, which can be escalated to SSRF (server-side request forgery) and local file read via file:// URLs. (CVE-2021-23639)
Information on how to exploit this was found on HackTricks.xyz.
Let's intercept requests with BurpSuite again:
In the order summary printing request, we see this line of JSON: "title":"Bin"
We can change this to the following:
"title":"<iframe src=file:///etc/passwd height = 1000px width=1000px></iframe>"
The title is placed unescaped into the HTML that is rendered to PDF, so the iframe is loaded by the server-side browser and fetches the "passwd" file. The large height and width make the frame big enough that the whole file is visible in the rendered page.
Inside the "passwd" file, we find a username, "angoose":
Next, we'll change the request again, this time fetching "index.js":
"title":"<iframe src=file:///var/www/dev/index.js height = 1000px width=1000px></iframe>"
Inside "index.js" we find a password, "IHeardPassphrasesArePrettySecure":
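The file reads above work because the item title is concatenated into HTML that a server-side browser renders. The following is an added example, not the application's own template (which the page never shows): the HTML skeleton, the order object and the item price are constructed, and the payload is the one used above. It contrasts the unescaped rendering with an escaped one.

```javascript
// Added example: how an unescaped order title becomes server-side XSS in a
// dynamically generated PDF. The template below is assumed, not the box's own.

// Escape the five characters that let text break out of an HTML text node
// or attribute value.
function escapeHtml(value) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(value).replace(/[&<>"']/g, (c) => map[c]);
}

// Vulnerable: titles from the JSON body are interpolated raw. The headless
// browser that produces the PDF (Skia/PDF is its PDF backend) parses them as
// markup, and because it runs on the server, file:// and internal http://
// URLs inside that markup resolve from the server's point of view.
function renderOrderHtml(order) {
  const rows = order.items
    .map((item) => `<tr><td>${item.title}</td><td>${item.price}</td></tr>`)
    .join("");
  return `<html><body><h1>Order ${order.id}</h1><table>${rows}</table></body></html>`;
}

// Hardened: every untrusted value is escaped before interpolation, so the
// payload is rendered as literal text in the PDF instead of as an iframe.
function renderOrderHtmlSafe(order) {
  const rows = order.items
    .map((item) => `<tr><td>${escapeHtml(item.title)}</td><td>${escapeHtml(item.price)}</td></tr>`)
    .join("");
  return `<html><body><h1>Order ${escapeHtml(order.id)}</h1><table>${rows}</table></body></html>`;
}

// True when the rendered HTML still contains a live iframe element.
function containsIframe(html) {
  return /<iframe\b/i.test(html);
}

// Constructed request body: the "Bin" item's title replaced by the page's payload.
const PAYLOAD = "<iframe src=file:///etc/passwd height=1000px width=1000px></iframe>";
const order = { id: 1234, items: [{ title: PAYLOAD, price: 3.0 }] };

console.log(containsIframe(renderOrderHtml(order)));     // true  (file read happens)
console.log(containsIframe(renderOrderHtmlSafe(order))); // false (payload shown as text)
```

Escaping fixes the injection itself; as defence in depth, the browser that renders PDFs should also be prevented from reaching file:// paths and internal network addresses, since any future injection would otherwise again turn into local file read or SSRF.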
Since we have a username and a password, we can ssh into the machine:
Now that we are logged in as angoose and in their home folder, we can get the user flag. Note that the flags get randomized periodically.
Privilege Escalation
First, we'll run sudo -l to see what our current user, angoose, is allowed to run as root.
As we can see, angoose can use node to run any JavaScript file in "/usr/local/scripts", with the rule expressed as a wildcard on the script path rather than a fixed list of scripts.
To exploit this, let's navigate to "/tmp" where we can create a malicious JavaScript file called "escalate.js":
Inside this file, we'll write a script that sets the setuid bit on "/bin/bash". Because sudo runs node as root, the chmod succeeds, and a setuid-root bash can then be started by angoose:

const { exec } = require("child_process");

// Runs as root via sudo: mark /bin/bash setuid so it keeps root's
// effective UID when a normal user starts it with -p.
exec("chmod u+s /bin/bash", (error, stdout, stderr) => {
  if (error) console.log(`error: ${error.message}`);
  if (stderr) console.log(`stderr: ${stderr}`);
  if (stdout) console.log(`stdout: ${stdout}`);
});
To run this file under the sudo rule, the script path we pass to node must begin with "/usr/local/scripts/", so we traverse out of that directory with ".." components until we reach "/tmp/escalate.js". The wildcard is matched against the literal argument string, while the kernel resolves the ".." components, which is why the rule does not actually confine us to that directory. After running it, we'll use ls -al to check that "/bin/bash" now carries the setuid bit (an "s" in the owner's execute position, i.e. -rwsr-xr-x). These two steps are shown below:
Next, we'll run /bin/bash -p. The -p flag starts bash in privileged mode: normally bash resets its effective user ID to the real user ID when the two differ, and -p prevents that, so the setuid-root shell keeps its root effective UID:
Running id, we can see that we have an "euid" (effective user ID) of "root". So now all we have to do is grab the root flag located in "/root/root.txt":
Thus, we have successfully hacked the box, but we must remember to clean up after ourselves: remove the setuid bit we added to "/bin/bash" (chmod u-s /bin/bash) and delete "/tmp/escalate.js", so the box is not left with an easy root shell for the next user.