In this post, I would like to share a walkthrough of the Snoopy machine from Hack The Box.
This room is considered a Hard machine on Hack The Box.
What will you gain from the Snoopy machine?
For the user flag, you will need to retrieve files such as /etc/passwd and named.conf using an LFI attack. We are required to combine a DNS record with the SMTP email service to get the password reset token for a subdomain. We should be able to retrieve the password for cbrown with an SSH MITM against an internal command. Once we have access as cbrown, we should be able to obtain sbrown's access by using git apply with wildcards.
As for the root flag, you need to abuse the clamscan binary to debug a malicious file built for CVE-2023-20052.
Information Gathering on Snoopy Machine
Once we have started the VPN connection, which requires a download from Hack The Box, we can start the information gathering on the machine by executing the command nmap -sC -sV -p- <IP Address> -PN
┌─[darknite@parrot]─[~/Document/htb/snoopy]
└──╼ $nmap -sC -sV 10.129.220.171 -oA initial
Starting Nmap 7.92 ( https://nmap.org ) at 2023-05-09 00:42 EDT
Nmap scan report for 10.129.220.171
Host is up (0.24s latency).
Not shown: 997 closed tcp ports (conn-refused)
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.9p1 Ubuntu 3ubuntu0.1 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   256 ee:6b:ce:c5:b6:e3:fa:1b:97:c0:3d:5f:e3:f1:a1:6e (ECDSA)
|_  256 54:59:41:e1:71:9a:1a:87:9c:1e:99:50:59:bf:e5:ba (ED25519)
53/tcp open  domain  ISC BIND 9.18.12-0ubuntu0.22.04.1 (Ubuntu Linux)
| dns-nsid:
|_  bind.version: 9.18.12-0ubuntu0.22.04.1-Ubuntu
80/tcp open  http    nginx 1.18.0 (Ubuntu)
|_http-title: SnoopySec Bootstrap Template - Index
|_http-server-header: nginx/1.18.0 (Ubuntu)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 47.62 seconds
Let's access the website interface.
However, there is nothing interesting.
I managed to find a download link.
Sadly, the download link only downloads a zip file onto our attacker's machine.
The file cannot be unzipped at all.
Therefore, let's download the file using the curl command.
Boom! We have successfully unzipped the file.
As a result, we have managed to see the /etc/passwd file.
We can analyze the source code of named.conf.
SMTP enumeration on Snoopy Machine
Python SMTP server
Therefore, let's start our smtpd server.
However, nothing comes back to us.
DevNull SMTP on Snoopy machine
Another tool that lets us read the email we need for the password reset is DevNull SMTP. For those who want to follow the steps below, you can download the tool here.
We can also use a tool such as Mailhog to read the email, which lets us click the "Reset Password" button.
The easier way to get the right token would be to email the request.
Sadly, we didn't get any response to the password reset.
It returned the error "Invalid or missing token in the request body".
At last, we managed to access the Mattermost dashboard.
We notice that port 2222 has been assigned to SSH-2.0-paramiko_3.1.0.
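The smtpd/DevNull/Mailhog step above boils down to one thing: something must answer on port 25 for the reset mail to land anywhere. The following is an added example, not code from the original post; it is a minimal SMTP sink in plain sockets (the standard-library smtpd module used above was removed in Python 3.12) that stores each message and pulls the token out of a reset link. The link shape in TOKEN_RE and the sample addresses are assumptions, not values from the machine.

```python
import re
import socket

# Assumed shape of the Mattermost reset link; the real path and parameter may differ.
TOKEN_RE = re.compile(r"reset_password_complete\?token=([A-Za-z0-9]+)")

def extract_reset_token(body):
    m = TOKEN_RE.search(body)                           # None if no reset link in body
    return m.group(1) if m else None

class SmtpSink:
    # Minimal SMTP receiver: accepts any sender/recipient and keeps mail in memory.
    def __init__(self):
        self.messages = []                              # list of (sender, rcpts, body)
        self.sender, self.rcpts, self.data, self.in_data = None, [], [], False

    def feed(self, line):
        # Consume one client line; return the reply, or None while inside DATA.
        if self.in_data and line != ".":                # body line: undo dot-stuffing
            self.data.append(line[1:] if line.startswith("..") else line)
            return None
        if self.in_data:                                # a lone "." ends the message
            self.messages.append((self.sender, self.rcpts, "\n".join(self.data)))
            self.sender, self.rcpts, self.data, self.in_data = None, [], [], False
            return "250 OK queued"
        cmd, _, arg = line.partition(" ")
        cmd, addr = cmd.upper(), arg.split(":", 1)[-1].strip(" <>")  # "FROM:<a@b>" -> "a@b"
        if cmd in ("HELO", "EHLO"):
            return "250 sink"
        if cmd == "MAIL":
            self.sender = addr
        elif cmd == "RCPT":
            self.rcpts.append(addr)
        elif cmd == "DATA":
            self.in_data = True
            return "354 End data with <CR><LF>.<CR><LF>"
        else:
            return "221 Bye" if cmd == "QUIT" else "500 Unknown command"
        return "250 OK"

def run_sink(port=2525):
    # Listen on every interface; the target's SMTP setting must point at this host.
    srv = socket.create_server(("0.0.0.0", port))
    while True:
        conn, _ = srv.accept()
        with conn, conn.makefile("r", errors="replace") as lines:
            conn.sendall(b"220 sink ready\r\n")
            sink = SmtpSink()
            for line in lines:
                reply = sink.feed(line.rstrip("\r\n"))
                if reply:
                    conn.sendall(f"{reply}\r\n".encode())
                if reply == "250 OK queued":            # a full message just arrived
                    print("token:", extract_reset_token(sink.messages[-1][2]))
```

Call run_sink(25) as root (or keep 2525 and redirect) and trigger the reset; the token is printed as soon as the message is accepted.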
SSH-MITM server to retrieve the credential on Snoopy machine
We can run the ssh-mitm tool to capture the traffic of the process.
As a result, we can set up port forwarding using socat.
We should generate details such as those shown above.
We are required to obtain the password for cbrown.
For those who want to know more about CVE-2023-23946: the vulnerability was found in Git (a software tool designed for managing file changes) and affects versions before 2.39.2. An attacker can abuse it to manipulate files outside of the working directory, since the flaw lets a malicious actor do so by supplying malicious input to the 'git apply' command.
The fix has been incorporated into Git version 2.39.2 and subsequent releases.
Score for the vulnerability
NIST CVSS score
Base Score: 7.5 HIGH
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
CNA score
Base Score: 6.2 MEDIUM
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
The score above can be used for the penetration testing report
The method before the machine patch
At last, we managed to access the machine via the SSH service.
Let's create an SSH private key inside the victim's machine.
As a result, we should create a diff file in the /tmp/ directory.
The file will look something like the one shown above.
Let's take the public key that we created earlier.
We should paste the SSH public key at the end of the line in the diff file.
Therefore, we should run the diff file through the SUID binary.
The method after the machine patch
The binary looks a little different from the binary before the patch.
Let's initialize the Git repository.
Let's create a directory within cbrown's home.
We are required to put our SSH public key into the symlink code.
As a result, we need to create a new symlink by using the binary.
Boom! Finally, we managed to obtain access to sbrown via the SSH service on the victim's machine.
We can read the user flag by typing the "cat user.txt" command.
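Both methods above rely on the same git apply behaviour (CVE-2023-23946): a patch first creates a symlink, and a later section of the same patch writes a file through it. Anything that applies user-supplied patches with elevated rights, like the SUID wrapper on this machine, can screen for that shape before applying. The checker below is an added example and not the machine's binary or git's own code; the diff-header parsing, the finding names and the sample patch are all constructed here.

```python
import posixpath
import re

DIFF_HEADER = re.compile(r"^diff --git a/(\S+) b/(\S+)$")
NEW_MODE = re.compile(r"^new file mode (\d{6})$")
SYMLINK_MODE = "120000"                                   # git's mode bits for a symlink

def escapes_tree(path):
    """True if a patch path is absolute or normalises to above the repository root."""
    norm = posixpath.normpath(path)
    return path.startswith("/") or norm == ".." or norm.startswith("../")

def audit_patch(patch_text):
    """Return (kind, detail) findings for a unified diff: escaping paths, symlinks the
    patch creates, and later files whose path passes through such a symlink (the
    CVE-2023-23946 shape, where git apply followed a link it had just written)."""
    findings, symlinks, current = [], [], None
    for line in patch_text.splitlines():
        m = DIFF_HEADER.match(line)
        if m:                                              # a new file section starts
            current = m.group(2)
            if escapes_tree(current):
                findings.append(("path-escape", current))
            for link in symlinks:
                if current == link or current.startswith(link + "/"):
                    findings.append(("write-through-symlink", f"{current} via {link}"))
            continue
        m = NEW_MODE.match(line)
        if m and current and m.group(1) == SYMLINK_MODE:
            symlinks.append(current)
            findings.append(("symlink-created", current))
    return findings

# Constructed sample: the first section creates "link" as a symlink pointing outside
# the tree, the second section writes a regular file underneath that symlink.
SAMPLE = """diff --git a/link b/link
new file mode 120000
--- /dev/null
+++ b/link
@@ -0,0 +1 @@
+../outside
diff --git a/link/note b/link/note
new file mode 100644
--- /dev/null
+++ b/link/note
@@ -0,0 +1 @@
+written through the link
"""
```

A wrapper would refuse any patch for which audit_patch returns a non-empty list; git 2.39.2 and later reject the symlink case itself, but the check costs nothing on older hosts.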
Escalate to Root Privileges Access
The method before the machine patch
We can see the SUID binary by typing the command “sudo -l”
We can get the SSH private key by running the command above.
The method after the machine patch
We noticed that the binary is related to the clamscan vulnerability.
After some research on the internet, we found an exploitation script that we can use to obtain at least a root shell.
A security vulnerability in the ClamAV scanning library was disclosed on 15 February 2023. The versions impacted by the vulnerability are listed below:
- ClamAV versions 1.0.0 and earlier,
- ClamAV versions 0.105.1 and earlier,
- ClamAV versions 0.103.7 and earlier.
For more understanding: this ClamAV vulnerability, tracked as CVE-2023-20052, is an XML External Entity Injection (XXE) issue. An attacker could exploit it to retrieve useful data from any file stored on the device, in particular any file the ClamAV scanning process can read.
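The XXE class just described is easy to screen for before any XML inside a scanned file reaches a parser. The following is an added example, not ClamAV code or the exploit script from the post: it reports the three DTD constructs that pull in outside content and parses only documents that declare no entities of their own, which a plist never needs. The two sample documents are constructed in the shape of a DMG's XML plist.

```python
import re
import xml.etree.ElementTree as ET

# DTD constructs that let a document pull in outside content (the XXE vectors):
#   <!DOCTYPE root SYSTEM "uri">     external DTD
#   <!ENTITY name SYSTEM "uri">      external general entity
#   <!ENTITY % name SYSTEM "uri">    external parameter entity
EXTERNAL_ID = r'(?:SYSTEM|PUBLIC\s+"[^"]*")\s+"([^"]+)"'
EXTERNAL_DTD = re.compile(r"<!DOCTYPE\s+\S+\s+" + EXTERNAL_ID, re.I)
EXTERNAL_ENTITY = re.compile(r"<!ENTITY\s+(%\s*)?(\S+)\s+" + EXTERNAL_ID, re.I)
ENTITY_DECL = re.compile(r"<!ENTITY\b", re.I)

def find_external_references(xml_text):
    """Return (kind, name, uri) for every external reference declared in the DTD."""
    found = [("external-dtd", "DOCTYPE", m.group(1)) for m in EXTERNAL_DTD.finditer(xml_text)]
    for m in EXTERNAL_ENTITY.finditer(xml_text):
        kind = "parameter-entity" if m.group(1) else "general-entity"
        found.append((kind, m.group(2), m.group(3)))
    return found

def parse_safely(xml_text):
    """Parse plist-style XML, refusing any document that declares its own entities.

    The gate is independent of the parser behind it: ElementTree does not fetch
    external entities itself, but the policy should not rely on that."""
    if ENTITY_DECL.search(xml_text):
        raise ValueError(f"entity declarations present: {find_external_references(xml_text)}")
    return ET.fromstring(xml_text)

# Constructed samples shaped like the XML plist inside a DMG: one with an entity that
# would read a local file if resolved, one with only the standard plist DOCTYPE.
MALICIOUS_PLIST = """<!DOCTYPE plist [ <!ENTITY xxe SYSTEM "file:///etc/passwd"> ]>
<plist version="1.0"><dict><key>data</key><string>&xxe;</string></dict></plist>"""
CLEAN_PLIST = """<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0"><dict><key>data</key><string>ok</string></dict></plist>"""
```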
Score of the vulnerability
Base Score: 5.3 MEDIUM
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
As shown above, you can use those scores in your penetration testing report for your client.
Before we start exploiting, we need to download the script onto our machine.
We will follow all the steps mentioned there so that we don't miss anything out during the exploitation.
We should build a Docker image for the vulnerability.
Therefore, let's start our Docker instance.
The command above shows how to create the malicious file.
Therefore, we should transfer the malicious file to the victim's machine.
Boom! We have successfully obtained the SSH private key.
Before we set permissions on the SSH key, we are required to clean up the messed-up key.
Boom! We managed to get access to the machine via the SSH private key.
As a result, we can read the root flag by typing the "cat root.txt" command.
Another method is retrieving the flag directly with the SUID binary.