Overview:
Today I am going to write a walkthrough of the box Encoding. For the user part, we use an LFI and a leaked git repository to obtain a user's SSH key. For the root part, we use that user's sudo rights to escalate privileges.
About the VM:
Box's IP: 10.129.88.153; Attacker's IP: 10.10.14.20
User part:
As always, we use nmap to discover which ports the box has open.
The -sC option runs the default scripts and -sV performs service/version detection.
The box has only two ports open: one for SSH and one for HTTP.
Visiting the website, we can see it is an online string and number converter.
The interesting part is the API tab, so click it.
It lists the APIs this website exposes.
We notice an api.haxtables.htb domain, so we first add api.haxtables.htb and haxtables.htb to our hosts file.
There may be other subdomains, so we use ffuf to fuzz for them.
We find image, but it returns 403. We add image.haxtables.htb to /etc/hosts anyway. We set this interface aside for now; if the API interface gives no breakthrough, we can come back to it later.
Scrolling down the page, we find an interesting API that reads a file. This API looks exploitable.
So we write a Python script for it, following the documented example. We change the action to b64encode so we can decode the output easily.
Running this script returns the data.
Then we tweak the script a little to make it more convenient.
With the script above, we can pass the file we want to read directly on the command line. For example:
Once we can read files from the box, we check the index.php page.
Nothing special. But hold on: remember the other interface, image?
We can read its index.php as well.
Something pops up.
From utils.php, we notice there is a git repository on image.haxtables.htb.
We can use GitTools to dump and extract files.
Now let's look back at the utils.php file and the interesting function named "get_url_content". It blocks the request if the domain resolves to the loopback address. That is why it failed.
There are two ways to bypass this.
One: we can write a Flask HTTP server that acts as a proxy for gitdumper.sh.
Then run this server.
OK, we try gitdumper.sh again, this time against http://127.0.0.1:5000/.git/. It works.
Two: we can combine the LFI with gitdumper.sh. We add the command below after line 115 of gitdumper.sh.
curl -X POST -H 'Content-Type: application/json' --data-binary "{\"action\": \"b64encode\", \"file_url\": \"file:///var/www/image/.git/$objname\"}" 'http://api.haxtables.htb/v3/tools/string/index.php' | jq .data | sed 's/"//g' | base64 -d > "$target"
Like this:
Then run gitdumper.sh again.
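The get_url_content check described above only refuses hosts that resolve to loopback, which is why a file:// URL gets past it. As an added example (not code from the box or from the author), here is a Python version of the stricter validation a developer would apply before fetching a user-supplied URL: allow only http/https, refuse every non-public address, and take an injectable resolver. The constructed SAMPLE_DNS table and the sample_resolver function stand in for DNS so it runs offline; the hostname-to-address mappings in it are assumptions.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}

def resolve_host(host):
    """Resolve host to every IP it maps to; a literal IP maps to itself."""
    try:
        infos = socket.getaddrinfo(host, None)
    except socket.gaierror:
        return []
    return sorted({ipaddress.ip_address(i[4][0]) for i in infos}, key=str)

def is_public(ip):
    # True only for globally routable addresses: no loopback, RFC 1918, link-local, etc.
    return not (ip.is_loopback or ip.is_private or ip.is_link_local
                or ip.is_multicast or ip.is_reserved or ip.is_unspecified)

def check_fetch_url(url, resolver=resolve_host):
    """Return (allowed, reason): only http/https to a host whose every address is public."""
    parts = urlsplit(url)
    if parts.scheme not in ALLOWED_SCHEMES:  # rejects file://, php://, gopher://, ...
        return False, f"scheme '{parts.scheme or '<none>'}' not allowed"
    host = parts.hostname
    if not host:
        return False, "missing host"
    addrs = resolver(host)
    if not addrs:
        return False, f"host '{host}' does not resolve"
    bad = [str(ip) for ip in addrs if not is_public(ip)]
    if bad:  # one internal answer is enough to refuse the whole fetch
        return False, f"host '{host}' resolves to non-public address(es): {', '.join(bad)}"
    # The caller should connect to one of addrs rather than resolve again:
    # a second lookup (DNS rebinding) could return an internal address.
    return True, "ok"

# Constructed stand-in for DNS so the check runs offline; the mappings are assumptions.
SAMPLE_DNS = {"image.haxtables.htb": ["127.0.0.1"],
              "api.haxtables.htb": ["10.129.88.153"],
              "public.example": ["1.1.1.1"]}

def sample_resolver(host):
    try:
        return [ipaddress.ip_address(host)]  # literal IP needs no lookup
    except ValueError:
        return [ipaddress.ip_address(a) for a in SAMPLE_DNS.get(host, [])]
```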
Once we have dumped the git repository, we extract the files.
Now we have the source code of image.haxtables.htb.
We find an action_handler.php.
Again, another LFI.
But we can’t access this page directly.
Look carefully: it includes utils.php first, which means we also need to bypass the 127.0.0.1 check.
Remember the first LFI? We can use that.
It works. Next we use the PHP filter chain generator to generate the RCE payload.
Once we have generated the filter chain, we copy it into Burp and send it.
OK, we get a reverse shell.
Next, upgrade to a better shell so we can use command completion and so on.
First, let’s check what we can do with sudo.
So we can run git-commit.sh as svc without a password.
We can abuse the ident filter to execute a malicious script that reads svc's id_rsa file.
OK, we have svc's id_rsa file.
Now, we are svc.
Root Part:
Let’s check what svc can do with sudo.
With this, we can write a service file into /etc/systemd/system and restart it as root.
The service above sets the SUID bit on /bin/bash.
OK, we are root.
Thanks for reading.