HackTheBox - Ghoul
I will start off with an all-port scan of this machine.
So there are two web servers running, on ports 80 and 8080. There are also two SSH services running, which suggests that some kind of Docker container is involved.
The Tomcat page requires Basic access authentication to reach the web server. I tried admin:admin and was able to get access :)
In the context of an HTTP transaction, basic access authentication is a method for an HTTP user agent (e.g. a web browser) to provide a user name and password when making a request. In basic HTTP authentication, a request contains a header field in the form of Authorization: Basic <credentials>, where credentials is the Base64 encoding of ID and password joined by a single colon (:).
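To make the header format above concrete, here is an added example (not part of the original write-up) of how a server would parse an Authorization header and how a client builds one. The function names are mine; the only facts used are the ones stated above: the scheme word "Basic", the Base64 encoding, and the single colon joining ID and password. Because the encoding is reversible, anyone who can read the request (a proxy, a packet capture, a log) recovers the password, which is why Basic auth only makes sense over TLS and never with default credentials.

```python
import base64
import binascii
from typing import Optional, Tuple


def encode_basic_auth(user: str, password: str) -> str:
    """Build the header value a client sends: 'Basic ' + base64(user ':' password)."""
    raw = ("%s:%s" % (user, password)).encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")


def parse_basic_auth(header: Optional[str]) -> Optional[Tuple[str, str]]:
    """Recover (user, password) from an Authorization header value.

    Returns None for anything malformed: wrong scheme, invalid Base64,
    non-UTF-8 bytes, or a decoded string without the mandatory colon.
    """
    if not header:
        return None
    scheme, _, token = header.strip().partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        # validate=True rejects characters outside the Base64 alphabet
        # instead of silently discarding them.
        raw = base64.b64decode(token.strip(), validate=True)
    except (binascii.Error, ValueError):
        return None
    try:
        text = raw.decode("utf-8")
    except UnicodeDecodeError:
        return None
    # The user-id may not contain a colon, so split on the first one only;
    # everything after it is the password, even if it contains more colons.
    user, sep, password = text.partition(":")
    if not sep:
        return None
    return user, password


if __name__ == "__main__":
    # Constructed header, the same default pair the write-up tried.
    print(parse_basic_auth("Basic YWRtaW46YWRtaW4="))      # ('admin', 'admin')
    print(parse_basic_auth(encode_basic_auth("user", "pa:ss")))
```

A defender reviewing access logs or a reverse proxy can apply the same decoding to spot default or shared credentials in transit; the decode step is exactly as cheap for an attacker, which is the point.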
secret.php contains some very interesting information about their web server and configuration. Let's see what we can get from it.
It looks like they have file upload functionality, and indeed they do. If you check the server on port 8080, it lets you upload an image and a zip file.
So we can also upload a zip file. Speaking of zip files, there is a vulnerability class named ZipSlip which allows remote attackers to write arbitrary files, which can even result in Remote Code Execution. Read more about this vulnerability here.
This is a path traversal vulnerability, and we want to store a malicious file on the web server, so we will do the following.
First we will create a demo file for testing.
Then we will store that file in our /var/www/html directory.
After that we will use the zip command to make a malicious zip file.
So after extraction of this zip file, the demo.txt file will be stored in the /var/www/html directory of the target machine. Now let's upload the file and see whether this works.
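The root cause of ZipSlip is an extractor that trusts the file names inside the archive. The following is an added example (my code, not part of the write-up or of the application on this box) of the check an upload handler should perform: every member name is resolved against the upload directory before anything is written, and an archive with even one escaping entry is refused whole. The sample archive is constructed in memory and contains the same kind of "../../var/www/html/demo.txt" entry the write-up describes; the directory names are placeholders.

```python
import io
import tempfile
import zipfile
from pathlib import Path
from typing import Iterable, List, Tuple


def _resolves_inside(dest: Path, member_name: str) -> bool:
    """True only if dest/member_name stays below dest after '..' is collapsed."""
    # Absolute member names escape the destination on their own.
    if member_name.startswith(("/", "\\")):
        return False
    target = (dest / member_name).resolve()
    return target == dest or dest in target.parents


def find_traversal_entries(zip_bytes: bytes, dest_dir: str) -> List[str]:
    """Names of archive members that would land outside dest_dir."""
    dest = Path(dest_dir).resolve()
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        return [n for n in zf.namelist() if not _resolves_inside(dest, n)]


def safe_extract(zip_bytes: bytes, dest_dir: str) -> List[str]:
    """Check every member first; refuse the whole archive if any escapes.

    Files are written by hand rather than via ZipFile.extractall so the
    explicit check is the thing doing the work, not library-specific
    sanitising that other extractors (in other languages) may lack.
    """
    bad = find_traversal_entries(zip_bytes, dest_dir)
    if bad:
        raise ValueError("archive rejected, traversal entries: %r" % bad)
    dest = Path(dest_dir).resolve()
    written = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            target = (dest / info.filename).resolve()
            if info.is_dir():
                target.mkdir(parents=True, exist_ok=True)
                continue
            target.parent.mkdir(parents=True, exist_ok=True)
            with zf.open(info) as src, open(target, "wb") as dst:
                dst.write(src.read())
            written.append(info.filename)
    return written


def build_archive(entries: Iterable[Tuple[str, str]]) -> bytes:
    """Constructed sample archive; names are stored verbatim, so '../' survives."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in entries:
            zf.writestr(name, content)
    return buf.getvalue()


def demo() -> Tuple[List[str], List[str]]:
    """Run the check against a traversal archive and a benign one."""
    upload_dir = tempfile.mkdtemp()  # stands in for the server's upload directory
    hostile = build_archive([("demo.txt", "ok"),
                             ("../../var/www/html/demo.txt", "traversal-test")])
    rejected = find_traversal_entries(hostile, upload_dir)
    try:
        safe_extract(hostile, upload_dir)
    except ValueError:
        pass  # expected: nothing from this archive is written
    benign = build_archive([("images/demo.txt", "ok")])
    extracted = safe_extract(benign, upload_dir)
    return rejected, extracted


if __name__ == "__main__":
    print(demo())
```

The same pattern applies to tar and other archive formats; the check is on the resolved destination path, not on the presence of the literal string "..", so encoded or absolute variants are caught as well.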
And we have successfully exploited the ZipSlip vulnerability. Now we can get our reverse shell by uploading a malicious PHP script the same way we did for demo.txt.
As Tomcat is running as the root user, we can potentially write root-owned files as well. To verify, we can check the owner of the file or check the process.
We can create an SSH key and then copy the public key's content into the root user's authorized keys. To create an SSH key, type the following command: ssh-keygen -f root-rsa
We are in a Docker container.
We have SSH keys for the users present on the machine, but the kaneki user has encrypted his private key with a passphrase. I tried john to crack the passphrase, but didn't get anything.
We can try ILoveTouka as the passphrase.
So the note.txt clearly states that there is some kind of network in which this vulnerable Gogs is running. Gogs is a painless self-hosted Git service.
Let's scan the network by creating a host scanner in bash.
We know our IP is 172.20.0.10 and 172.20.0.1 is the gateway, which clearly indicates that 172.20.0.150 is the host we are looking for.
Now let's scan for open ports by creating our own port scanner. This is a simple port scanner which is very fast and flexible.
If you check the authorized keys for the kaneki user, you will notice two names: one is kaneki@Aogiri and the other is kanekipub@kaneki_pc. That is the kaneki user's personal PC. We can use the private key to log in to that PC.
ssh-keyscan is a utility for gathering the public ssh host keys of a number of hosts. It was designed to aid in building and verifying ssh_known_hosts files. ... The keys from a domain of 1,000 hosts can be collected in tens of seconds, even when some of those hosts are down or do not run ssh.
We have another network on eth1 with an IP range of 172.18.0.x.
Let's scan this network for more hosts.
The default port for the Gogs service is 3000, and we have it running on IP 172.18.0.2.
We need to forward this port to our local machine. We can use SSH port forwarding. I will first forward port 3000 to the Aogiri machine and then through the Aogiri machine to my local machine.
I am using chisel for now to forward the ports.
Machine with network 172.20.0.x and 172.18.0.x (Kaneki's pc)
Here we are forwarding port 3000 of 172.18.0.2 to Aogiri's machine port 1337.
Machine with network 172.20.0.x (Aogiri machine)
Now we have successfully forwarded port 3000 of 172.18.0.2 to my local machine at port 9002.
We have the Aogiri Test account for Gogs, but we don't have a password. While enumerating earlier, we found a password in the tomcat-users.xml file. Maybe we can use that password to log in.
There is a known vulnerability in this Gogs version.
Gogs 0.11.66 allows remote code execution because it does not properly validate session IDs, as demonstrated by a ".." session-file forgery in the file session provider in file.go. This is related to session ID handling in the go-macaron/session code for Macaron.
Read more about this vulnerability and the PoC given above, which can help you understand it more clearly.
The main intention here is to gain administrator privileges on Gogs, which can then be escalated to RCE using git hooks.
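The bug described above comes down to a file-backed session store that uses the cookie value as a file name without validating it, so a value like ../tmp/local-repo/<RepoID>/data makes the server read an attacker-uploaded repository file as its own session. The following is an added example (my code, not Gogs or go-macaron code, and not part of the write-up) that puts the unchecked lookup next to a checked one. It assumes a simplified JSON session file; the allowed session-ID alphabet is my own policy for the example, not the one Gogs uses.

```python
import json
import re
import tempfile
from pathlib import Path
from typing import Optional

# Assumed policy for this example: a session ID is an opaque hex token.
# Anything else (slashes, dots, path separators) is rejected before it
# ever touches the filesystem.
SESSION_ID_RE = re.compile(r"\A[0-9a-f]{16,64}\Z")


def is_valid_session_id(sid: str) -> bool:
    return bool(SESSION_ID_RE.match(sid))


def unchecked_load(store: Path, sid: str) -> dict:
    """The flawed behaviour: the cookie value is used as a path as-is."""
    return json.loads((store / sid).read_text())


def load_session(store_dir: str, sid: str) -> Optional[dict]:
    """Read a session only if the cookie value is a well-formed ID and the
    file it names lives directly inside the store directory."""
    if not is_valid_session_id(sid):
        return None
    store = Path(store_dir).resolve()
    path = (store / sid).resolve()
    # Defence in depth: even a token that passed the regex must not leave the store.
    if path.parent != store:
        return None
    try:
        return json.loads(path.read_text())
    except FileNotFoundError:
        return None


def demo():
    """Constructed layout: a real session file, plus a forged 'data' file in a
    repository directory, both under one temporary root."""
    root = Path(tempfile.mkdtemp())
    store = root / "sessions"
    store.mkdir()
    (store / "0123456789abcdef").write_text(
        json.dumps({"uid": 42, "is_admin": False}))
    repo_dir = root / "tmp" / "local-repo" / "2"
    repo_dir.mkdir(parents=True)
    (repo_dir / "data").write_text(json.dumps({"uid": 1, "is_admin": True}))

    forged_cookie = "../tmp/local-repo/2/data"
    unchecked = unchecked_load(store, forged_cookie)          # forged session accepted
    checked = load_session(str(store), forged_cookie)         # None: rejected
    legit = load_session(str(store), "0123456789abcdef")      # real session
    return unchecked, checked, legit


if __name__ == "__main__":
    print(demo())
```

From a detection standpoint the same allowlist is useful at the reverse proxy or in request logs: a session cookie containing "/" or ".." never occurs in legitimate traffic and is a direct indicator of this forgery attempt.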
Steps to reproduce
1. Use the code provided above to create the forged cookie data (the code creates a file named data).
2. Create a new repository (give it any name you like) and upload the data file into it.
3. Change the i_like_gogits cookie to ../tmp/local-repo/<RepoID>/data
4. Refresh the page, and now we are administrator.
5. Go to the repository settings and add an update git hook (inject the reverse shell script into it).
6. Add or upload a new file, or edit an existing file.
7. And we are done. You should have a reverse shell by now.
We have to upload this data file into the new repository that we just created.
We need the repository ID, and we can get that by looking at the page source.
Repository ID - 2
update GIT Hook
Update the hook and upload or edit any file to make a change in the repository; that will trigger the update hook.
Get that aogiri-chatapp onto our local machine and let's analyze the app for sensitive files or credentials.
The reflog is a mechanism that records when the tips of branches are updated, and the git reflog command manages the information recorded in it. Basically, every action you perform in Git that stores data can be found in the reflog.
Poking around for a bit and using the git show command to view all the files, I was able to find some credentials that can be useful.
Using those credentials, we get root access on kaneki's PC.