In this post, I would like to share a walkthrough of the Snoopy Machine from Hack the Box

This room will be considered a Hard machine on Hack the Box

What will you gain from the Snoopy machine?

For the user flag, you will need to retrieve the file such as /etc/passwd and named.conf by using the LFI attack. We are required to combine DNS Record with SMTP email service with the password reset token of a subdomain. We should be able to retrieve the password for cbrown with the SSH MITM to an internal command. Once we access by cbrown, we should be able to retrieve the sbrown’s access by using the git apply with the wildcards.

As for the root flag, you need to abuse the clamscan binary to debug the malicious file from CVE-2023-20052

Information Gathering on Snoopy Machine

Once we have started the VPN connection which requires a download from Hackthebox, we can start the information gathering on the machine by executing the command nmap -sC -sV -p- <IP Address> -PN

┌─[darknite@parrot]─[~/Document/htb/snoopy]
└──╼ $nmap -sC -sV 10.129.220.171 -oA initial 
Starting Nmap 7.92 ( https://nmap.org ) at 2023-05-09 00:42 EDT
Nmap scan report for 10.129.220.171
Host is up (0.24s latency).
Not shown: 997 closed tcp ports (conn-refused)
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.9p1 Ubuntu 3ubuntu0.1 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   256 ee:6b:ce:c5:b6:e3:fa:1b:97:c0:3d:5f:e3:f1:a1:6e (ECDSA)
|_  256 54:59:41:e1:71:9a:1a:87:9c:1e:99:50:59:bf:e5:ba (ED25519)
53/tcp open  domain  ISC BIND 9.18.12-0ubuntu0.22.04.1 (Ubuntu Linux)
| dns-nsid: 
|_  bind.version: 9.18.12-0ubuntu0.22.04.1-Ubuntu
80/tcp open  http    nginx 1.18.0 (Ubuntu)
|_http-title: SnoopySec Bootstrap Template - Index
|_http-server-header: nginx/1.18.0 (Ubuntu)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 47.62 seconds

Let’s access the website interface

However, there is nothing interesting

I managed to find a download link

A screenshot of a computer

Description automatically generated

Sadly, the download link only needs to download the zip file into our attacker’s machine

The file cannot be unzipped at all.

Therefore, let’s download the file using the curl command.

Boom! We have successfully unzipped the file

As a result, we have managed to see the /etc/passwd file

A picture containing text, screenshot, font

Description automatically generated

We can analyze the source code of the named.conf

SMTP enumeration on Snoopy Machine

Python SMTP server

Therefore, let’s start our smtpd server

However, nothing is coming back to us.

DevNull SMTP on Snoopy machine

Another tool that we can read the email which we can use to reset the password is DevNull SMTP. For those who want to follow the steps below, you can download the tool here

A screenshot of a computer

Description automatically generated with medium confidence

Mailhog server

We also can use tools such as Mailhog to read the email which we can be able to click the “Reset Password” button

The easier way to get the token right would be to email the request

A screenshot of a computer

Description automatically generated

Sadly, we didn’t get any response with the reset password

A screenshot of a login box

Description automatically generated with medium confidence

It said that the error saying “Invalid or missing token in the request body”

At last, we managed to access the mattermost dashboard

We notice that port 2222 has been assigned to SSH-2.0-paramiko_3.1.0

SSH-MITM server to retrieve the credential on Snoopy machine

A screen shot of a computer

Description automatically generated with low confidence

We can run the ssh-mitm tool to capture the packet of the process

As a result, we can run the port-forwarding by using Socat

We should generate details such as shown above.

We are required to obtain the password for cbrown

CVE-2023-23946 vulnerability

For those who want to know more about the vulnerability of CVE-2023-23946. The vulnerability is been found on Git ( a software tool that has been designed for managing file changes) which affects the version that precedes 2.39.2. The attacker can abuse the vulnerability by manipulating the files outside of the working directory which the vulnerability will permit the malicious actors by supplying the malicious input to the ‘git apply’ command.

The solution has been incorporated into the Git Version 2.39.2 and subsequent releases.

Score for the vulnerability

Makefile
NIST CVSS score 
Base Score: 7.5 HIGH
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

CNA score
Base Score: 6.2 MEDIUM
Vector:  CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:Nv

The score above can be used for the penetration testing report

The method before the machine patch

At last, we managed to access the machine via SSH service.

Let’s create the SSH private key inside the victim’s machine

As a result, we should be creating a diff file on the /tmp/ directory

The file will look something as shown above.

Let’s take the public key that we created earlier

We should paste the ssh public key at the end of the line on the diff file.

Therefore, we should be executing the diff file with the SUID binary

The method after the machine patch

The binary looks a little different than the binary before the patch

Let’s initialize the GIT repository

Let’s create a directory within cbrown

We are required to put our SSH public key into the symlink code

As a result, we need to create a new symlink by using the binary

Boom! Finally, we managed to obtain access to sbrown via SSH service within the victim’s machine

A picture containing font, text, screenshot, graphics

Description automatically generated

We can read the user flag by typing the “cat user.txt” command

Escalate to Root Privileges Access

The method before the machine patch

We can see the SUID binary by typing the command “sudo -l”

We can get the SSH private key by running the command above.

The method after the machine patch

We managed to notice the binary is related to clamscan vulnerability

After research on the internet, we have found one exploitation script that we can use to obtain at least the root shell

Vulnerability Background

A security vulnerability was disclosed in the ClamAV scanning library on 15 February 2023. The machine that would be impacted by the vulnerability is listed below:

  • ClamAV versions 1.0.0 and earlier,
  • ClamAV versions 0.105.1 and earlier,
  • ClamAV versions 0.103.7 and earlier.

For more understanding, ClamAV also known as CVE-2023-20052 is vulnerable to an attack that is related to XML External Entity Injection(XXE) attack. The attacker could be able to exploit this vulnerability to retrieve any useful data from any file stored in the device, especially if the device can be accessed by the ClamAV scanning process.

Score of the vulnerability

Makefile
Base Score: 5.3 MEDIUM
Vector:  CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

As shown above, you can use those scores on your penetration testing report for your client

Before we start exploiting, we need to download the script into our machine.

We will follow all the steps that have been mentioned over here so that we didn’t miss anything out for the exploitation

We should build a docker for the vulnerability

Therefore, let’s start our docker instance

The command above shows how to create the malicious file

Therefore, we should transfer the malicious file to our victim’s machine

Boom! We have successfully obtained the SSH private key

Before we give permission to the SSH key, we are required to clean up the messed-up key

Boom! We managed to get access to the machine via SSH private key

As a result, we can read the root flag by typing the “cat root.txt” command

Another method is retrieving the flag directly with the SUID binary

Extra Information

Leave a Reply

Your email address will not be published. Required fields are marked *