Writer - [HTB]
![Cover Image for Writer - [HTB]](/assets/images/blog/Writer-htb/Writer.png)

Introduction
Writer is a medium Linux machine where the attacker has to use SQL injection to become Admin of a writer's blog and to download files from the machine. Analysing the downloaded source reveals a vulnerability that leads to RCE. Then the attacker has to modify a bash script used by a local SMTP server to become the user john. Finally, because john can create files under the apt configuration folder, the attacker only needs to drop a malicious file there and wait for an automated update.
Enumeration
As always, let's start by finding all open ports on the machine with nmap.
Then we continue with a deeper scan of every open port to get more information about each service.
Port 80 appears to host a blog.

Because the main page isn't very helpful, let's jump into web enumeration.
At /administrative there is a login form vulnerable to SQLi.

Exploitation
To check whether it is vulnerable to **SQLi** we can send 'or 1=1 -- - as the username, which logs us in as Admin. Now we are able to create posts with images attached.
Note: You need to click on 'here' in order to enter a URL. This will come in handy later.
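Added example (not code from the original post or from the box) showing why the 'or 1=1 -- - login works and how a parameterised query stops it. The in-memory SQLite table and its single admin row are constructed stand-ins for the blog's database, whose schema the post does not show.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed in-memory stand-in for the blog's user table (schema assumed;
    the page never shows it). Password kept in clear only to keep the demo short."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)"
    )
    conn.execute(
        "INSERT INTO users (username, password) VALUES ('admin', 'correct-horse')"
    )
    conn.commit()
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str):
    """String-built query: the comment sequence in ' or 1=1 -- - cuts off the
    password check, so the first row (admin) is returned for any password."""
    sql = (
        f"SELECT username FROM users WHERE username = '{username}' "
        f"AND password = '{password}'"
    )
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def login_safe(conn: sqlite3.Connection, username: str, password: str):
    """Parameterised query: the driver sends the input as data, so it can
    never change the statement's structure."""
    row = conn.execute(
        "SELECT username FROM users WHERE username = ? AND password = ?",
        (username, password),
    ).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    db = make_db()
    payload = "' or 1=1 -- -"
    print("vulnerable:", login_vulnerable(db, payload, "anything"))  # admin
    print("safe:      ", login_safe(db, payload, "anything"))        # None
```

The fix is the placeholder binding alone; no amount of quoting or blacklisting the `--` sequence in the string-built version is equivalent.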

Then we can use sqlmap to dump not only the database but also files stored on the machine, such as /etc/passwd.
Note: By default sqlmap uses time-based attacks, so downloading a file can take hours. Hence you need to specify the UNION technique, which takes just a couple of seconds.
Furthermore, by retrieving the file /etc/apache2/sites-available/000-default.conf we can learn about the web server internals. As we can see, requests to port 80 are handled by the Apache server through the script writer.wsgi.
Downloading the file writer.wsgi reveals the existence of a file named __init__.py.
This file is stored under the path /var/www/writer.htb/writer/.
Looking at the code in this file we can see that the routes /dashboard/stories/add and /dashboard/stories/edit/<id> execute the following code when we upload an image by file or by URL.
Analysing the code we can see several things. First, we can upload any file whose filename contains the string ".jpg" (image parameter); it will be stored under the path /var/www/writer.htb/writer/static/img/<Filename>.
Secondly, and most importantly, we need to understand how the function urllib.request.urlretrieve() works in order to obtain RCE. If we pass it a URL like http://domain.com/image.jpg, the local_filename variable will hold a temporary path such as /tmp/tmptetntjkk. But if the image URL looks like "file:///etc/passwd", it returns the actual path "/etc/passwd". That path is then concatenated into the string passed to os.system(), which executes the resulting string as a shell command.
Hence, if we create a file named patata.jpg; id ;echo the resulting string will look like this.
This makes the mv command fail, executes the id command, and the trailing echo avoids any error from the remaining ".jpg" part of the string.
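Added example (not the application's code, nor the post's) contrasting the vulnerable pattern just described with a hardened version. The unsafe builder is reconstructed from the description (the original __init__.py line is not on this page, so its exact form is an assumption) and only returns the command string instead of running it; the hardened path validates the URL scheme and filename before urlretrieve() is ever called and moves the file without a shell. The fake retriever, JPEG bytes and temp directory are constructed so it runs offline.

```python
import os
import re
import shutil
import tempfile
import urllib.request
from pathlib import Path
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}
# Strict allowlist for the stored name: letters, digits, - and _, then an image extension.
SAFE_NAME = re.compile(r"[A-Za-z0-9_-]{1,64}\.(?:jpe?g|png)")


def build_mv_command_unsafe(local_filename: str, dest_dir: str) -> str:
    """The vulnerable shape described above, reconstructed (assumption: the
    original __init__.py line is not on this page): the path returned by
    urlretrieve() is spliced into a shell string. The app hands it to
    os.system(); here it is only returned so the effect can be inspected."""
    return "mv " + local_filename + " " + dest_dir + "/" + os.path.basename(local_filename)


def validate_image_url(image_url: str) -> str:
    """Reject anything but http(s) (so file:///... never reaches urlretrieve)
    and accept only a plain image basename. Returns the sanitised basename."""
    parts = urlsplit(image_url)            # urlsplit keeps ';' inside the path
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        raise ValueError(f"unsupported URL scheme: {parts.scheme!r}")
    name = os.path.basename(parts.path)
    if not SAFE_NAME.fullmatch(name):
        raise ValueError(f"unsafe image filename: {name!r}")
    return name


def is_rejected(image_url: str) -> bool:
    """True when validate_image_url refuses the URL."""
    try:
        validate_image_url(image_url)
    except ValueError:
        return True
    return False


def store_image_safe(image_url: str, dest_dir: str, retrieve=urllib.request.urlretrieve) -> str:
    """Hardened flow: validate before any network or disk access, then move the
    downloaded temp file with shutil.move (no shell) to a path that is checked
    to stay inside dest_dir. `retrieve` is injectable so it can be tested offline."""
    name = validate_image_url(image_url)
    local_filename, _headers = retrieve(image_url)
    dest_root = Path(dest_dir).resolve()
    target = dest_root / name
    if target.resolve().parent != dest_root:
        raise ValueError("destination escapes the image directory")
    shutil.move(local_filename, target)
    return str(target)


def run_demo() -> str:
    """Offline run with a fake retriever standing in for urlretrieve (constructed)."""
    with tempfile.TemporaryDirectory() as workdir:
        def fake_retrieve(url):
            tmp = os.path.join(workdir, "tmptetntjkk")
            with open(tmp, "wb") as fh:
                fh.write(b"\xff\xd8\xff")          # JPEG magic bytes, constructed
            return tmp, None
        dest_dir = os.path.join(workdir, "static", "img")
        os.makedirs(dest_dir)
        stored = store_image_safe("http://domain.com/image.jpg", dest_dir, retrieve=fake_retrieve)
        return os.path.basename(stored) if os.path.exists(stored) else ""
```

Two design points: the scheme check happens before urlretrieve() so a file:// URL can never turn a local path into the "downloaded" file, and the move uses shutil.move rather than any shell string, so a filename containing ; or other metacharacters has nothing to inject into even if the allowlist were loosened.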
To obtain a reverse shell we base64-encode the payload and create the file with touch.
Now we need to create a post uploading the file we have just created, and then edit it, changing its story image using the URL form.

However, we need to remove the pattern HTML attribute from the image_url field so we can submit the modification.
If you have done everything above correctly, you will get a reverse shell as www-data.
Privilege Escalation 1
Inside the MariaDB configuration file located at /etc/mysql/my.cnf we can obtain kyle's hashed password.
To crack it we can use hashcat.
Kyle's credentials can be used to access the machine through SSH and obtain the user flag.
Privilege Escalation 2
Kyle is a member of the group filter, which allows him to edit the file /etc/postfix/disclaimer.
Digging further in the /etc/postfix/ directory, there is a file named master.cf in which both the user john and the file disclaimer appear.
The Postfix documentation tells us that once an email is received, the user john will execute the file /etc/postfix/disclaimer. Since we have write permissions on this file, we can add malicious code to it and obtain a reverse shell.
Finally, we only need to send an email to the local SMTP server running on port 25.
You can use the following python script to send the email.
Note: Because the machine erases everything under /tmp every two minutes, I encourage you to use another folder. Furthermore, it replaces /etc/postfix/disclaimer with a fresh copy, so keep a copy of your modified disclaimer to avoid editing the same file over and over if you can't do everything fast enough.
Once the file has been modified and the email has been sent, you will receive a reverse shell as john.
Privilege Escalation 3
Inside john's home directory there is an SSH key.
Logging in with john's SSH key shows that we are a member of the management group, something that didn't appear before.
The members of this group can create files under the /etc/apt/apt.conf.d directory.
Searching Google for "apt.conf.d privilege escalation" turns up this post explaining how we can become root if we have write permissions on this folder.
Basically we only need to create a new file inside this folder with the following content, so that when the system updates, apt will execute our command before updating itself.
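Added example (not code from the post or the box) of the audit a defender would run to catch both misconfigurations in this writeup at once: the group-writable Postfix filter script that john executes (Privilege Escalation 2) and the group-writable /etc/apt/apt.conf.d directory where any Pre-Invoke/Post-Invoke hook runs as root during an update (this section). The master.cf excerpt follows the master(5) field layout and the directory tree it scans is constructed in a temp dir, so nothing here touches the real system; the hook directive names come from apt.conf(5).

```python
import re
import stat
import tempfile
from pathlib import Path

# Constructed master.cf excerpt modelled on the content-filter setup the page describes;
# it is not copied from the machine. Indented lines are continuations, as in master(5).
MASTER_CF_SAMPLE = """\
smtp      inet  n       -       y       -       -       smtpd
  -o content_filter=dfilt:
dfilt     unix  -       n       n       -       -       pipe
  flags=Rq user=john argv=/etc/postfix/disclaimer -f ${sender} -- ${recipient}
"""

HOOK_DIRECTIVE = re.compile(r"(Pre|Post)-Invoke")   # APT::Update::Pre-Invoke, DPkg::Post-Invoke, ...


def parse_pipe_transports(master_cf: str) -> list:
    """Return the pipe(8) transports in a master.cf: which user runs which script."""
    joined = []
    for raw in master_cf.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0].isspace() and joined:          # continuation of the previous entry
            joined[-1] += " " + raw.strip()
        else:
            joined.append(raw.strip())
    transports = []
    for line in joined:
        fields = line.split()
        if len(fields) < 8 or fields[7] != "pipe":   # 8th field is the command
            continue
        opts = dict(f.split("=", 1) for f in fields[8:] if "=" in f)
        transports.append({"service": fields[0],
                           "user": opts.get("user", "(unset)"),
                           "script": opts.get("argv", "")})
    return transports


def _group_or_other_writable(path: Path) -> bool:
    return bool(path.stat().st_mode & (stat.S_IWGRP | stat.S_IWOTH))


def audit_privileged_hooks(transports: list, apt_conf_dir: Path) -> list:
    """Flag scripts a privileged process executes that a non-owner could modify,
    and any Pre-Invoke/Post-Invoke directive living in apt.conf.d."""
    findings = []
    for t in transports:
        script = Path(t["script"])
        if script.is_file() and _group_or_other_writable(script):
            findings.append(f"{script}: executed as '{t['user']}' by Postfix but group/other-writable")
    if apt_conf_dir.is_dir():
        if _group_or_other_writable(apt_conf_dir):
            findings.append(f"{apt_conf_dir}: directory is group/other-writable, so members can add hooks")
        for entry in sorted(apt_conf_dir.iterdir()):
            if not entry.is_file():
                continue
            if _group_or_other_writable(entry):
                findings.append(f"{entry}: hook file is group/other-writable")
            if HOOK_DIRECTIVE.search(entry.read_text(errors="replace")):
                findings.append(f"{entry}: contains a Pre-Invoke/Post-Invoke directive (runs as root during apt)")
    return findings


def run_demo() -> list:
    """Stand-alone run against a constructed tree mirroring the page's two findings."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        disclaimer = root / "etc" / "postfix" / "disclaimer"
        disclaimer.parent.mkdir(parents=True)
        disclaimer.write_text("#!/bin/sh\n# constructed stand-in for the filter script\n")
        disclaimer.chmod(0o775)                     # group 'filter' can edit it (the kyle case)
        apt_dir = root / "etc" / "apt" / "apt.conf.d"
        apt_dir.mkdir(parents=True)
        apt_dir.chmod(0o775)                        # group 'management' can add files (the john case)
        hook = apt_dir / "99-demo"
        hook.write_text('APT::Update::Pre-Invoke {"/usr/bin/logger apt-hook-demo";};\n')  # constructed
        hook.chmod(0o644)
        transports = parse_pipe_transports(MASTER_CF_SAMPLE)
        for t in transports:                        # redirect the real path into the temp tree
            t["script"] = str(root / t["script"].lstrip("/"))
        return audit_privileged_hooks(transports, apt_dir)


if __name__ == "__main__":
    for finding in run_demo():
        print(finding)
```

Run it as-is for the demo, or point audit_privileged_hooks at the real master.cf and /etc/apt/apt.conf.d on a host you administer. The permission check deliberately ignores who the group is: any execute-as-root or execute-as-service-user hook that someone other than its owner can edit is the finding, whatever the group is called.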
Finally, after two minutes we will obtain a reverse shell as root.