Shared - [HTB]

Marmeus

Introduction

Shared is a medium Linux machine from HackTheBox where the attacker will have to perform some enumeration in order to retrieve the domains that expose an online shop. Then, the attacker will have to exploit an SQLi in a JSON cookie to retrieve some credentials. After that, the attacker will have to exploit CVE-2022-21699 in iPython to escalate privileges. To keep escalating privileges, the attacker will have to perform some dynamic application analysis to obtain credentials for a Redis service running as root. Finally, to obtain a shell as root, the attacker will have to exploit the vulnerability CVE-2022-0543.

Enumeration

As always, let's start finding all opened ports in the machine with Nmap.

Then, we continue with a deeper scan.

Thanks to Nmap, it is possible to obtain the domain of the machine.

Moreover, some subdomains can be obtained by enumerating virtual hosts.

Accessing the subdomain "www", a redirect is made to the store web page.

Store subdomain

Then, after checking out, you are redirected to the shopping cart.


On this web page, the product id and the quantity of each product are stored in a URL-encoded JSON cookie named custom_cart.

Checkout cookie

The key of the JSON cookie (the product id) seems to be vulnerable to a UNION-based SQLi.
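To make the root cause of this finding concrete, here is an added example (my own code, not the shop's source, which the write-up never shows) that models the custom_cart cookie against a constructed SQLite schema. The table and column names, the sample rows and the "hash-placeholder" value are all assumptions. The vulnerable lookup splices the JSON key straight into the SQL text, which is why the product id can carry a UNION; the hardened lookup validates the id and quantity as integers and binds the id as a parameter.

```python
import json
import sqlite3
from urllib.parse import quote, unquote


def make_shop_db():
    """Constructed in-memory shop schema: the product table the cart lookup
    reads and a user table holding the kind of data a UNION query can pull out."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE product(id INTEGER PRIMARY KEY, name TEXT, price REAL);
        INSERT INTO product VALUES (1, 'Widget', 9.99), (2, 'Gadget', 19.99);
        CREATE TABLE user(id INTEGER PRIMARY KEY, username TEXT, password TEXT);
        INSERT INTO user VALUES (1, 'james', 'hash-placeholder');
    """)
    return conn


def encode_cart(cart):
    """Build the cookie value the way the shop does: JSON, then URL-encoded."""
    return quote(json.dumps(cart))


def decode_cart(raw_cookie):
    """Reverse of encode_cart: {"<product id>": "<quantity>"} as a dict."""
    return json.loads(unquote(raw_cookie))


def cart_lookup_vulnerable(conn, raw_cookie):
    """Vulnerable pattern: the JSON key lands inside the SQL string, so a key
    ending in a UNION clause is parsed as SQL instead of as a product id."""
    rows = []
    for product_id in decode_cart(raw_cookie):
        sql = f"SELECT id, name, price FROM product WHERE id = '{product_id}'"
        rows.extend(conn.execute(sql).fetchall())
    return rows


def cart_lookup_hardened(conn, raw_cookie):
    """Hardened pattern: refuse anything that is not a plain integer id and
    quantity, then bind the id as a parameter so it can never become SQL."""
    rows = []
    for product_id, quantity in decode_cart(raw_cookie).items():
        if not (str(product_id).isdigit() and str(quantity).isdigit()):
            raise ValueError("custom_cart: product id and quantity must be integers")
        rows.extend(conn.execute(
            "SELECT id, name, price FROM product WHERE id = ?", (int(product_id),)
        ).fetchall())
    return rows


def hardened_rejects(conn, raw_cookie):
    """True if the hardened lookup refuses the cookie outright."""
    try:
        cart_lookup_hardened(conn, raw_cookie)
    except ValueError:
        return True
    return False
```

The three-column SELECT in the vulnerable function is what makes the "3 columns" observation from the ORDER BY probing matter: a UNION only succeeds when the injected SELECT returns the same number of columns. Validating the key before the query, rather than escaping it, also rejects the payload before it reaches the database, which keeps the error out of the SQL layer entirely.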

SQLi

Exploitation

After some trial and error, it seems that the response of the query is composed of 3 columns.

order by

Then, it is possible to discover that the second and third columns are shown in the response.

Response values

After that, you can obtain the database name.

Finally, all the information from the database is the following.

Once the hash is cracked (Soleil101), it is possible to access the machine as James through SSH.

Privilege escalation 1

Looking for files or folders associated with the developer group reveals a folder where developers have write permission.

Then, using pspy it is possible to discover that the user "dan_smith" (1001) is accessing the `scripts_review` folder and executing `ipython` every minute.

It seems that iPython is vulnerable to the CVE-2022-21699 (execution with Unnecessary Privileges in iPython).

This vulnerability can be exploited to obtain Dan's SSH private key with the following commands.

After a minute, you can obtain the key.
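The condition that makes this step work is a directory, writable by one group, in which a different user runs ipython on a schedule: affected IPython releases load startup files from profile_default/startup under the current working directory. The following audit is an added example (my own code, not part of the write-up or of IPython) that flags exactly that combination. It only reads the classic mode bits, so POSIX ACLs are not inspected, and the `demo` fixture builds a throwaway directory rather than touching the box's real `scripts_review` path.

```python
import os
import stat
import tempfile
from pathlib import Path

# Affected IPython releases pick up <cwd>/profile_default/startup/, so the audit
# targets the directory a scheduled or more privileged user starts ipython in.
STARTUP_SUBDIR = Path("profile_default") / "startup"


def writable_by_others(path):
    """True if the group or world write bit is set (POSIX ACLs are not inspected)."""
    return bool(os.stat(path).st_mode & (stat.S_IWGRP | stat.S_IWOTH))


def audit_ipython_cwd(workdir):
    """Return a list of findings for a working directory another user runs ipython in."""
    workdir = Path(workdir)
    findings = []
    if writable_by_others(workdir):
        findings.append(f"{workdir}: group/world-writable; a profile_default/startup "
                        "tree can be planted here by any member of the group")
    startup = workdir / STARTUP_SUBDIR
    if startup.is_dir():
        findings.append(f"{startup}: startup directory present in the working directory")
        for script in sorted(startup.iterdir()):
            if script.suffix in (".py", ".ipy"):
                findings.append(f"{script}: would run with the privileges of whoever "
                                "starts ipython from this directory")
    return findings


def demo(group_writable=True):
    """Audit a constructed fixture in a temp dir (assumed layout, not the box's paths)."""
    root = Path(tempfile.mkdtemp(prefix="scripts_review_"))
    if group_writable:
        os.chmod(root, 0o2775)   # shared directory where a developer group can write
        startup = root / STARTUP_SUBDIR
        startup.mkdir(parents=True)
        (startup / "00-planted.py").write_text(
            "# constructed placeholder file; the audit never executes it\n")
    else:
        os.chmod(root, 0o700)    # owner-only directory, nothing for the audit to report
    return audit_ipython_cwd(root)
```

Run against the scheduled job's working directory, this turns the pspy observation into a repeatable check: any finding means either the directory permissions or the IPython version (a patched release no longer reads startup files from the cwd) needs to change before the cron entry is safe.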

Now, you can retrieve the user flag.

Privilege escalation 2

Dan is a member of the sysadmin group, which has an associated binary that only the sysadmins of the system can execute.

After downloading and executing the file, you can see that it is trying to connect to localhost on port 6379.

Setting up a listening port with netcat, you can obtain a password.

Because the Redis server is being executed as root, maybe it is possible to escalate privileges.

Privilege escalation 3

First of all, let's check its version.

This version is vulnerable to CVE-2022-0543, which allows attackers to escape the Lua sandbox and execute arbitrary code on the host.
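The definitive fix for CVE-2022-0543 is the patched distribution package, but the chain above only reaches root because the service also runs as root, accepts a password that a client binary ships in plaintext, and leaves Lua scripting reachable. As an added example (my own code, not from the write-up or from Redis), the audit below parses a redis.conf and reports those layered weaknesses; the two sample configs are constructed, and `running_as_root` is passed in rather than detected because the config file alone does not say which user the daemon runs as.

```python
LUA_COMMANDS = ("EVAL", "EVALSHA")

# Constructed sample: roughly the defaults that leave a host-local Redis wide open.
WEAK_CONF = """
# constructed example redis.conf
bind 0.0.0.0
protected-mode no
port 6379
"""

# Constructed sample: the same service with the obvious layers added back.
HARDENED_CONF = """
# constructed example redis.conf
bind 127.0.0.1 ::1
protected-mode yes
port 6379
requirepass REPLACE-WITH-A-LONG-RANDOM-SECRET
rename-command EVAL ""
rename-command EVALSHA ""
"""


def parse_redis_conf(text):
    """Map each directive to the list of values it was given; some directives,
    such as rename-command, may legitimately appear several times."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        directive, _, value = line.partition(" ")
        conf.setdefault(directive.lower(), []).append(value.strip())
    return conf


def audit_redis(text, running_as_root):
    """Return the findings for a redis.conf plus the daemon's effective user."""
    conf = parse_redis_conf(text)
    findings = []
    if "requirepass" not in conf and "user" not in conf:
        findings.append("no requirepass or ACL users: any client reaching the port has full access")
    binds = " ".join(conf.get("bind", [])).split()
    if not binds or any(b in ("0.0.0.0", "*", "::") for b in binds):
        findings.append("listening on all interfaces: bind to loopback or a private address")
    if conf.get("protected-mode", ["yes"])[-1].lower() == "no":
        findings.append("protected-mode no: unauthenticated remote clients are not refused")
    renamed = {v.split()[0].upper() for v in conf.get("rename-command", []) if v.split()}
    missing = [c for c in LUA_COMMANDS if c not in renamed]
    if missing:
        findings.append(f"Lua scripting reachable ({', '.join(missing)} not renamed or disabled)")
    if running_as_root:
        findings.append("redis-server runs as root: a Lua sandbox escape such as "
                        "CVE-2022-0543 yields root instead of a service account")
    return findings
```

On Redis 6 and later, an ACL rule that removes the scripting category from application users is the preferred replacement for rename-command, but the point of the check is the same: even with the package patched, a root-owned Redis that trusts a plaintext password embedded in a client binary keeps one sandbox bug away from a full compromise.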

To exploit the vulnerability and obtain a reverse shell, you can execute the following command.

Finally, you will be able to obtain the root flag.