HackTheBox ForwardSlash Writeup – 10.10.10.183

Welcome back my friends, I’m back with another HackTheBox writeup. ForwardSlash (10.10.10.183) is a Linux box by InfoSecJack & chivato, rated Hard and worth 40 points.

Important NOTE: I received a couple of messages (literally abusive ones) for not including the important part, where I skip the decryption and how I got the password. I left that part out intentionally, keeping in mind the people who abuse me.

Also, as I keep mentioning in recent articles, I will do this in all my new articles, and it will make taking free flags by reading my write-ups hard. If you rooted the machine you don’t need to know the steps I skipped; you already know what I did.

What I noticed is that HTB did a good job by introducing dynamic flags; however, it didn’t stop people from sharing the administrator or root hash, which unlocks articles.

Thank you,

Navin.

Let us start.

As usual, the machine’s IP 10.10.10.183 goes into the hosts file as forwardslash.htb.

NMAP SCAN

The machine seems tight: only two ports are open, SSH on 22 and an HTTP web server on port 80.

# root @ ns09 in ~/htb/forwardslash [18:01:14] 
$ nmap -T4 -p- -oA forwardslash.scan forwardslash.htb
Starting Nmap 7.80 ( https://nmap.org ) at 2020-04-07 18:02 +03
Stats: 0:06:11 elapsed; 0 hosts completed (1 up), 1 undergoing SYN Stealth Scan
SYN Stealth Scan Timing: About 59.51% done; ETC: 18:12 (0:04:13 remaining)
Stats: 0:10:02 elapsed; 0 hosts completed (1 up), 1 undergoing SYN Stealth Scan
SYN Stealth Scan Timing: About 97.79% done; ETC: 18:12 (0:00:14 remaining)
Nmap scan report for forwardslash.htb (10.10.10.183)
Host is up (0.14s latency).
Not shown: 65533 closed ports
PORT   STATE SERVICE
22/tcp open  ssh
80/tcp open  http
Nmap done: 1 IP address (1 host up) scanned in 622.09 seconds
# root @ ns09 in ~/htb/forwardslash [18:12:45] 

Visiting the default web page shows what seems to be a defaced page. So this is the second machine with a similar theme after Traceback.

WFUZZ FUZZING

As usual, I started with WFUZZ to find subdomains using the wfuzz common wordlist. I couldn’t find anything at first; however, the 302 redirect of one of the subdomains caught my attention. All payloads returned status code 302 with 0, 0, 0 for lines, words and characters, but the payload “backup” returned 6 words and 32 characters.

HackTheBox ForwardSlash Writeup – 10.10.10.183 – WFUZZ Fuzzing

Trying My Luck With GoBuster

As WFUZZ disclosed the subdomain backup.forwardslash.htb, I wanted to see if there was anything further to find. I used GoBuster to enumerate it, and after running it for a few minutes I found a handful of information.

Visiting http://backup.forwardslash.htb/ returned a “Server not found” error, but after adding backup.forwardslash.htb to the hosts file and browsing again I could see a new “Login” page and a “Sign up” link: http://backup.forwardslash.htb/register.php

HackTheBox Forwardslash Login page

I registered and logged in to the portal successfully. The new page is a dashboard with a few links:

  • Reset Your Password
  • Sign Out of Your Account
  • Change Your Username
  • Change Your Profile Picture
  • Quick Message
  • Hall Of Fame

I started enumerating the pages one by one and testing the options. The “Change Your Profile Picture” page comes with a disabled input field and submit button, but this is easily bypassed using Firefox’s “Inspect Element”: I removed the “disabled” attribute and was able to submit a new profile picture. However, I didn’t see any change; my picture didn’t appear anywhere.

I wasn’t convinced by this behaviour; I knew something was going on behind the scenes, so I decided to run Burp and see for myself.

I captured the post request and sent it to repeater.

The repeater returned the regular reply from the web server.

Finding LFI – A Local File Inclusion vulnerability

I had in fact found the LFI (local file inclusion) without realizing it was the thing in this box. Since the Burp repeater didn’t provide anything helpful, I added an LFI payload to see if it worked, and to my surprise it did. That confirmed the machine is vulnerable to LFI and directory traversal. From this point onwards I concentrated on the LFI.

Continuing the directory traversal attack on the machine, I was able to request a lot of configuration files.
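From the defender’s side, the two things described so far (one client cycling through Host values until a vhost answers differently, then traversal payloads against the picture endpoint) both leave traces in the web server log. The following detection script is an added example and is not part of the original write-up or of the box; it assumes a custom Apache LogFormat that records the Host header first (`LogFormat "%{Host}i %h %t \"%r\" %>s" hostlog`), and the log lines it analyses are constructed for illustration.

```python
"""Added example: flag Host-header fuzzing and LFI / PHP-wrapper probes in web logs.

Assumed (not the box's actual logging) Apache format:
    LogFormat "%{Host}i %h %t \"%r\" %>s" hostlog
"""
import re
from collections import defaultdict
from urllib.parse import unquote

LINE_RE = re.compile(
    r'^(?P<host>\S+) (?P<client>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})$'
)

# Indicators of traversal or PHP stream-wrapper use in the request target
INDICATORS = [
    (re.compile(r'\.\.[/\\]'), 'path traversal'),
    (re.compile(r'php://', re.I), 'php wrapper'),
    (re.compile(r'\b(file|data|expect|phar)://', re.I), 'non-http wrapper'),
    (re.compile(r'/etc/passwd'), 'sensitive file'),
]

def parse_line(line):
    """Parse one log line into a dict, or None if it does not match the format."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None

def flag_target(target):
    """Reasons the request target looks like an LFI probe (empty list if none)."""
    decoded = unquote(unquote(target))  # undo single and double URL-encoding
    return [reason for rx, reason in INDICATORS if rx.search(decoded)]

def host_fuzzers(records, threshold=5):
    """Clients that requested more than `threshold` distinct Host values."""
    seen = defaultdict(set)
    for r in records:
        seen[r['client']].add(r['host'].lower())
    return {c: len(h) for c, h in seen.items() if len(h) > threshold}

def analyse(lines):
    """Return {'host_fuzz': {client: n_hosts}, 'lfi': [(client, target, reasons)]}."""
    records = [r for r in map(parse_line, lines) if r]
    lfi = []
    for r in records:
        reasons = flag_target(r['target'])
        if reasons:
            lfi.append((r['client'], r['target'], reasons))
    return {'host_fuzz': host_fuzzers(records), 'lfi': lfi}

# Constructed sample log (not real traffic): one client cycles through Host values,
# then sends traversal and php://filter probes against the picture endpoint.
SAMPLE_LOG = """\
admin.forwardslash.htb 10.10.14.12 [07/Apr/2020:18:30:01 +0300] "GET / HTTP/1.1" 302
dev.forwardslash.htb 10.10.14.12 [07/Apr/2020:18:30:01 +0300] "GET / HTTP/1.1" 302
test.forwardslash.htb 10.10.14.12 [07/Apr/2020:18:30:01 +0300] "GET / HTTP/1.1" 302
mail.forwardslash.htb 10.10.14.12 [07/Apr/2020:18:30:02 +0300] "GET / HTTP/1.1" 302
www.forwardslash.htb 10.10.14.12 [07/Apr/2020:18:30:02 +0300] "GET / HTTP/1.1" 302
backup.forwardslash.htb 10.10.14.12 [07/Apr/2020:18:30:02 +0300] "GET / HTTP/1.1" 302
forwardslash.htb 10.10.14.3 [07/Apr/2020:18:31:10 +0300] "GET /index.html HTTP/1.1" 200
backup.forwardslash.htb 10.10.14.12 [07/Apr/2020:18:40:15 +0300] "GET /api.php?url=../../../../etc/passwd HTTP/1.1" 200
backup.forwardslash.htb 10.10.14.12 [07/Apr/2020:18:41:02 +0300] "GET /api.php?url=php%3A%2F%2Ffilter%2Fconvert.base64-encode%2Fresource%3Dapi.php HTTP/1.1" 200
backup.forwardslash.htb 10.10.14.3 [07/Apr/2020:18:42:00 +0300] "GET /api.php?url=uploads/me.png HTTP/1.1" 200
"""

if __name__ == "__main__":
    result = analyse(SAMPLE_LOG.splitlines())
    for client, n in result['host_fuzz'].items():
        print(f"[host fuzzing] {client} requested {n} distinct Host values")
    for client, target, reasons in result['lfi']:
        print(f"[lfi probe] {client} {target} -> {', '.join(reasons)}")
```

One caveat: the access log only carries the request line, so a payload sent in a POST body (as the `url` parameter to api.php is) needs a WAF or application-level log to be seen; the request-target check above applies as-is to whatever field holds the user-supplied value.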

Obtain Database Credentials Using LFI

I managed to obtain the temp_db database credentials using the LFI and a little enumeration. The DB config file is found at var/www/backup.forwardslash.htb/config.php. Requesting it from Burp returned the contents of the config file:

HackTheBox Forwardslash – Obtaining Database Credentials

As GoBuster revealed /api.php (Status: 200) and /dev (Status: 301), I tried to read them using the LFI, but I was denied with the warning “Permission Denied; not that way 😉”. That means there is a way to read those files.

After reading a couple of articles and PoCs I understood that I could read the files using the php://filter wrapper (php://filter/convert.base64-encode/resource=...). I found the method in PayloadsAllTheThings.

Updating my LFI payload and sending it again from Burp: boom, I have the API source in Base64.

After decoding:

<?php

session_start();

if (isset($_POST['url'])) {

	if((!isset($_SESSION["loggedin"]) || $_SESSION["loggedin"] !== true) && $_SERVER['REMOTE_ADDR'] !== "127.0.0.1"){
		echo "User must be logged in to use API";
		exit;
	}

	$picture = explode("-----output-----<br>", file_get_contents($_POST['url']));
	if (strpos($picture[0], "session_start();") !== false) {
		echo "Permission Denied; not that way ;)";
		exit;
	}
	echo $picture[0];
	exit;
}
?>
<!-- TODO: removed all the code to actually change the picture after backslash gang attacked us, simply echos as debug now -->
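The api.php above hands whatever arrives in `$_POST['url']` straight to `file_get_contents()` and only denylists responses that contain the string `session_start();`, which is what let the php://filter encoding through. The allow-list check below is an added example written in Python (not the box’s code and not a PHP patch); the permitted host and image extensions are assumptions chosen for illustration.

```python
"""Added example: allow-list validation for a 'fetch picture from URL' feature.

Python stand-in for the logic api.php lacks; the allowed host and the
extension list are assumptions for illustration, not the box's configuration.
"""
from urllib.parse import urlparse, unquote

ALLOWED_SCHEMES = {"http", "https"}
ALLOWED_HOSTS = {"backup.forwardslash.htb"}          # assumed: the only upload host
ALLOWED_EXTENSIONS = (".png", ".jpg", ".jpeg", ".gif")

def validate_picture_url(url):
    """Return (True, 'ok') for an acceptable URL, else (False, reason).

    Rejects by construction what a denylist on the response body misses:
    php:// and other stream wrappers, bare filesystem paths, traversal
    segments, and any host other than the allowed one (loopback included).
    """
    parsed = urlparse(unquote(url))          # decode once so %2e%2e cannot hide '..'
    scheme = parsed.scheme.lower()
    if scheme not in ALLOWED_SCHEMES:
        return False, f"scheme {scheme or '<none>'!r} not allowed"
    if parsed.hostname not in ALLOWED_HOSTS:
        return False, f"host {parsed.hostname!r} not allowed"
    if ".." in parsed.path.split("/"):
        return False, "path traversal"
    if not parsed.path.lower().endswith(ALLOWED_EXTENSIONS):
        return False, "not an image path"
    return True, "ok"

if __name__ == "__main__":
    # Constructed inputs: one legitimate upload and the kinds of value the
    # unchecked file_get_contents() call would otherwise accept.
    for candidate in [
        "http://backup.forwardslash.htb/uploads/me.png",
        "php://filter/convert.base64-encode/resource=api.php",
        "../../../../etc/passwd",
        "http://backup.forwardslash.htb/../config.php",
        "http://127.0.0.1/api.php",
    ]:
        ok, reason = validate_picture_url(candidate)
        print(f"{'ALLOW' if ok else 'DENY ':5} {candidate}  ({reason})")
```

Checking the parsed scheme and host, rather than searching the string for bad substrings, is the point: every wrapper PHP supports fails the scheme test, and the server never fetches from itself because loopback is not on the host list.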

Reading http://backup.forwardslash.htb/dev/ directory

After Decoding:

<?php
//include_once ../session.php;
// Initialize the session
session_start();

if((!isset($_SESSION["loggedin"]) || $_SESSION["loggedin"] !== true || $_SESSION['username'] !== "admin") && $_SERVER['REMOTE_ADDR'] !== "127.0.0.1"){
    header('HTTP/1.0 403 Forbidden');
    echo "<h1>403 Access Denied</h1>";
    echo "<h3>Access Denied From ", $_SERVER['REMOTE_ADDR'], "</h3>";
    //echo "<h2>Redirecting to login in 3 seconds</h2>"
    //echo '<meta http-equiv="refresh" content="3;url=../login.php" />';
    //header("location: ../login.php");
    exit;
}
?>
<html>
	<h1>XML Api Test</h1>
	<h3>This is our api test for when our new website gets refurbished</h3>
	<form action="/dev/index.php" method="get" id="xmltest">
		<textarea name="xml" form="xmltest" rows="20" cols="50"><api>
    <request>test</request>
</api>
</textarea>
		<input type="submit">
	</form>

</html>

<!-- TODO:
Fix FTP Login
-->

<?php
if ($_SERVER['REQUEST_METHOD'] === "GET" && isset($_GET['xml'])) {

	$reg = '/ftp:\/\/[\s\S]*\/\"/';
	//$reg = '/((((25[0-5])|(2[0-4]\d)|([01]?\d?\d)))\.){3}((((25[0-5])|(2[0-4]\d)|([01]?\d?\d))))/'

	if (preg_match($reg, $_GET['xml'], $match)) {
		$ip = explode('/', $match[0])[2];
		echo $ip;
		error_log("Connecting");

		$conn_id = ftp_connect($ip) or die("Couldn't connect to $ip\n");

		error_log("Logging in");

		if (@ftp_login($conn_id, "chiv", 'N0bodyL1kesBack/')) {

			error_log("Getting file");
			echo ftp_get_string($conn_id, "debug.txt");
		}

		exit;
	}

	libxml_disable_entity_loader (false);
	$xmlfile = $_GET["xml"];
	$dom = new DOMDocument();
	$dom->loadXML($xmlfile, LIBXML_NOENT | LIBXML_DTDLOAD);
	$api = simplexml_import_dom($dom);
	$req = $api->request;
	echo "-----output-----<br>\r\n";
	echo "$req";
}

function ftp_get_string($ftp, $filename) {
    $temp = fopen('php://temp', 'r+');
    if (@ftp_fget($ftp, $temp, $filename, FTP_BINARY, 0)) {
        rewind($temp);
        return stream_get_contents($temp);
    }
    else {
        return false;
    }
}

?>
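The /dev/index.php handler above calls `libxml_disable_entity_loader(false)` and loads the user-supplied document with `LIBXML_NOENT | LIBXML_DTDLOAD`, so any entity declared in the submitted XML is expanded; it also carries hardcoded FTP credentials and connects outbound to whatever host its regex extracts. The handler below is an added example in Python (not the box’s code) that covers only the XML part: it refuses DTD and entity declarations before the parser sees them and accepts nothing but the `<api><request>` shape the form sends. The size limit is an assumption chosen for illustration.

```python
"""Added example: parse the <api><request>...</request></api> document safely.

Python counterpart to the /dev/index.php handler, which enables entity loading.
MAX_BYTES is an assumed limit for illustration.
"""
import re
import xml.etree.ElementTree as ET

MAX_BYTES = 4096
# Any DTD or entity declaration is refused up front, before parsing.
DTD_RE = re.compile(r"<!(DOCTYPE|ENTITY)\b", re.I)

def parse_api_request(xml_text):
    """Return (True, request_text) or (False, reason)."""
    if len(xml_text.encode("utf-8")) > MAX_BYTES:
        return False, "document too large"
    if DTD_RE.search(xml_text):
        return False, "DOCTYPE/ENTITY declarations are not accepted"
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        return False, f"malformed XML: {exc}"
    if root.tag != "api":
        return False, f"unexpected root element {root.tag!r}"
    req = root.find("request")
    if req is None or not (req.text or "").strip():
        return False, "missing <request> element"
    return True, req.text.strip()

if __name__ == "__main__":
    # Constructed inputs: the form's default document, one carrying an entity
    # declaration (which the PHP handler would expand), and a malformed one.
    samples = [
        "<api>\n    <request>test</request>\n</api>",
        '<!DOCTYPE api [<!ENTITY greeting "hello">]><api><request>&greeting;</request></api>',
        "<api><request>unterminated</api>",
    ]
    for s in samples:
        ok, out = parse_api_request(s)
        print("OK  " if ok else "DENY", out)
```

Rejecting the declaration syntax itself, rather than relying on parser flags, keeps the check independent of which XML library or flag set a later refactor ends up using.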

Within the decoded code, I found FTP credentials for the user chiv. However, FTP is useless here, since no FTP port is open. But the same credentials let me into the box over SSH.

if (@ftp_login($conn_id, "chiv", 'N0bodyL1kesBack/'))

SSH Using FTP Credential

Once in, I was a bit lost; however, I got my pace back after a nudge from fellow HTB user Cyberafro.

Getting User.txt

I started enumerating Chiv’s directory and moved forward after finding another user, Pain, on the box. I found user.txt on Pain’s desktop but wasn’t able to read it, as my current user Chiv has no permission to read it.

I found a note in Backup folder that says:

Chiv, this is the backup of the old config, the one with the password we need to actually keep safe. Please DO NOT TOUCH.
-Pain

So the note means it is a backup of old config files, probably from before the exploit. There is a passwd.bak file that probably contains the password of the user I was looking for, possibly Pain. I was not able to read it as Chiv, a low-privilege user, but I found a way to get the backup file and read it.

The credentials I recovered: pain:db1f73a72678e857d91e71d2963a1afa9efbabb32164cc1d94dbc704

Next, I switched to Pain with su using the credentials I recovered and got user.txt.

Privilege Escalation From The User Pain to Root

Sudo -l

The user Pain’s home directory has a folder “~/encryptorinator” that contains a ciphertext file and a Python script to decrypt it.

pain@forwardslash:~/encryptorinator$ cat encrypter.py
def encrypt(key, msg):
    # One pass over the message per key character: each byte is shifted by
    # the key character plus its (already shifted) left neighbour, wrapping
    # at 256. The first byte uses the last byte as its neighbour.
    key = list(key)
    msg = list(msg)
    for char_key in key:
        for i in range(len(msg)):
            if i == 0:
                tmp = ord(msg[i]) + ord(char_key) + ord(msg[-1])
            else:
                tmp = ord(msg[i]) + ord(char_key) + ord(msg[i-1])

            while tmp > 255:
                tmp -= 256
            msg[i] = chr(tmp)
    return ''.join(msg)

def decrypt(key, msg):
    # Undo the passes in reverse order, walking the message backwards so each
    # subtraction sees the same neighbour value that encrypt() added.
    key = list(key)
    msg = list(msg)
    for char_key in reversed(key):
        for i in reversed(range(len(msg))):
            if i == 0:
                tmp = ord(msg[i]) - (ord(char_key) + ord(msg[-1]))
            else:
                tmp = ord(msg[i]) - (ord(char_key) + ord(msg[i-1]))
            while tmp < 0:
                tmp += 256
            msg[i] = chr(tmp)
    return ''.join(msg)


print(encrypt('REDACTED', 'REDACTED'))
print(decrypt('REDACTED', encrypt('REDACTED', 'REDACTED')))

After a long battle with my script, fixing it and failing, I finally got the password:

cB!6%sdH8Lj^@Y*$C2cf

As I saw after running sudo -l, the user Pain can mount images as root without the root password.

In the mounted image file I found the RSA PRIVATE KEY.

I copied the RSA private key to my local Kali machine’s .ssh directory, updated id_rsa.pub and id_rsa, and set the permissions SSH requires:

chmod 600 id_rsa

Then I SSH’d into the box using ssh -i id_rsa root@forwardslash.htb and obtained root.txt.

# root @ ns09 in ~/.ssh [0:17:56] 
$ ssh -i id_rsa root@forwardslash.htb
load pubkey "id_rsa": invalid format
Welcome to Ubuntu 18.04.4 LTS (GNU/Linux 4.15.0-91-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage

  System information as of Fri Apr 10 21:20:52 UTC 2020

  System load:  0.16               Processes:            204
  Usage of /:   31.0% of 19.56GB   Users logged in:      1
  Memory usage: 16%                IP address for ens33: 10.10.10.183
  Swap usage:   0%

 * Canonical Livepatch is available for installation.
   - Reduce system reboots and improve kernel security. Activate at:
     https://ubuntu.com/livepatch

16 packages can be updated.
0 updates are security updates.

Failed to connect to https://changelogs.ubuntu.com/meta-release-lts. Check your Internet connection or proxy settings

Last login: Fri Apr 10 21:15:38 2020 from 10.10.14.12
root@forwardslash:~# ls
root.txt
root@forwardslash:~# cat root.txt
1a86a2071e64fc4e8dbda811dffb69e4
root@forwardslash:~# 

That’s all folks. Thank you for reading. I appreciate any feedback or comments.

Navin

Hey there, I'm Navin, a passionate Info-Sec enthusiast from Bahrain. I started this blog to share my knowledge. I usually write on HackTheBox machines and challenges, cybersecurity-related articles and bug bounty. If you are an HTB user and like my articles, please give respect here: Profile: https://www.hackthebox.eu/nav1n

cyruslab
6 months ago

Hi Navin, a good write-up. I was hoping I could find an alternate method without decrypting the image itself; nevertheless, thank you for your share. This is the most difficult machine which I have attempted so far. I just joined HTB and started to teach myself pentesting techniques. I started with retired machines; after doing a few, like 5 machines, I gave myself enough courage to attempt the active machines. I did ServMon, Remote and Magic; when I attempted ForwardSlash I was brainfucked… this is due to lack of knowledge on a lot of things, I panicked…
