Introduction to Editorial:
In this write-up, we will explore the “Editorial” machine from Hack The Box, categorized as an easy difficulty challenge. This walkthrough will cover the reconnaissance, exploitation, and privilege escalation steps required to capture the flag.
Objective:
The goal of this walkthrough is to complete the “Editorial” machine from Hack The Box by achieving the following objectives:
User Flag:
SSRF Exploit Leading to Credential Exposure
A vulnerability in the book upload functionality was identified, allowing for Server-Side Request Forgery (SSRF) attacks. This SSRF exploit enables the enumeration of local ports on the target machine, providing critical information about the system’s internal network configuration.
Further investigation revealed this vulnerability resulted in credential leaks, exposing sensitive data such as usernames and passwords. This exposure creates a significant security risk, potentially allowing unauthorized access to the system.
Root Flag:
Sensitive Data Exposure and Potential Privilege Escalation
We have identified a sensitive .git directory on the server, which poses a significant security risk. Further analysis of the commit history has revealed additional user data leaks. Notably, one of the affected users has sudo privileges, which is concerning given the presence of a GitPython script.
Moreover, this script relies on a GitPython version affected by CVE-2022-24439, a known vulnerability that allows threat actors to escalate their privileges. Attackers could potentially leverage this vulnerability to gain elevated access to the system, further compromising the server’s security.
Enumerating the Editorial Machine
Reconnaissance:
Nmap Scan:
Begin with a network scan to identify open ports and running services on the target machine.
nmap -sC -sV -oN nmap_initial.txt 10.10.11.20
Nmap Output:
┌─[darknite@parrot]─[~/Documents/htb/editorial]
└──╼ $nmap -sV -sC 10.10.11.20 -oA initial
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-10-16 09:07 EDT
Nmap scan report for 10.10.11.20
Host is up (0.17s latency).
Not shown: 998 closed tcp ports (conn-refused)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.9p1 Ubuntu 3ubuntu0.7 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 256 0d:ed:b2:9c:e2:53:fb:d4:c8:c1:19:6e:75:80:d8:64 (ECDSA)
|_ 256 0f:b9:a7:51:0e:00:d5:7b:5b:7c:5f:bf:2b:ed:53:a0 (ED25519)
80/tcp open http nginx 1.18.0 (Ubuntu)
|_http-title: Did not follow redirect to http://editorial.htb
|_http-server-header: nginx/1.18.0 (Ubuntu)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 25.43 seconds
┌─[darknite@parrot]─[~/Documents/htb/Editorial]
└──╼ $
Analysis:
- Port 22 (SSH): Secure Shell service for remote access.
- Port 80 (HTTP): Web server running nginx 1.18.0, as reported in the Nmap output above.
Web Enumeration:
Perform web enumeration to discover potentially exploitable directories and files.
The web app has a straightforward design, and the source code doesn’t indicate anything particularly noteworthy.
┌─[darknite@parrot]─[~/Documents/htb/editorial]
└──╼ $gobuster dir -u http://editorial.htb -w /opt/SecLists/Discovery/Web-Content/raft-small-directories.txt
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://editorial.htb
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /opt/SecLists/Discovery/Web-Content/raft-small-directories.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.6
[+] Timeout: 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/upload (Status: 200) [Size: 7140]
/about (Status: 200) [Size: 2939]
Progress: 20116 / 20117 (100.00%)
===============================================================
Finished
===============================================================
I tried brute-forcing the subdomain and directory but didn’t uncover anything valuable. The only directories identified were /upload and /about. However, a page that seems promising is http://editorial.htb/upload, which features a web form. I’m launching Burp Suite to explore this further.
Web Application Exploration:
The upload feature allows submitting a book and cover via any URL.
We tested this by attempting to upload a PHP reverse shell to see how the process functions.
The request and response will resemble what is displayed in the Burp Suite interface above.
When we upload the file and hit the ‘Preview’ button, the JavaScript functions are triggered, sending the file via the POST method to the /upload-cover path.
By intercepting the /upload-cover path with Burp Suite, I tested the book URL by setting it to my machine’s IP on port 80. Meanwhile, Kali Linux was listening on port 80 using a Python server. This confirmed the presence of an SSRF vulnerability.
Server-Side Request Forgery on Editorial machine
I needed to identify the local port running on the target machine. To do this, I used Burp Intruder to brute-force port numbers, scanning the entire range from 1 to 65535.
We discovered that port 5000 was open, and noticed that the response length for this port differed from the rest. By accessing the path revealed in the Burp Intruder response, some files were downloaded to my machine. After reviewing these files, I found that they contained details about the URL path endpoints for retrieving various resources.
I attempted to access all the files from these URLs and discovered a credentials leak in the ‘authors’ path. It contained the username ‘dev’ along with the corresponding password.
With the credentials in hand, we can now log into the system via SSH, successfully compromising the ‘dev’ user account.
We can view the user flag by executing the command “cat user.txt.”
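The /upload-cover endpoint fetches whatever URL it is given, which is exactly what made the port enumeration above possible. As an added example (not code from this write-up or from the Editorial machine), here is the kind of allowlist check such a fetcher should apply before it makes the request: only http/https on the default web ports, no credentials in the URL, and every address the host resolves to must be globally routable. The hostnames and addresses in the resolver table are constructed for the demonstration.

```python
import ipaddress
import socket
from urllib.parse import urlparse

# Only plain web URLs on the default web ports are acceptable for a cover image.
ALLOWED_SCHEMES = {"http", "https"}
ALLOWED_PORTS = {80, 443}


def resolve_with_dns(hostname):
    """Default resolver: every address the system resolver returns for hostname."""
    return sorted({info[4][0] for info in socket.getaddrinfo(hostname, None)})


def is_public_address(address):
    """True only for globally routable unicast addresses.

    Loopback (127.0.0.1, ::1), RFC 1918 ranges and link-local space
    (169.254.0.0/16, where cloud metadata services live) are all rejected,
    which is what stops a cover URL from reaching http://127.0.0.1:5000 on the host.
    """
    ip = ipaddress.ip_address(address)
    return ip.is_global and not (
        ip.is_loopback or ip.is_private or ip.is_link_local
        or ip.is_multicast or ip.is_reserved or ip.is_unspecified
    )


def validate_cover_url(url, resolver=resolve_with_dns):
    """Return (accepted, reason) for a user-supplied cover URL.

    resolver maps a hostname to a list of IP strings; it is injectable so the
    check can be exercised without network access.
    """
    try:
        parts = urlparse(url)
        port = parts.port  # raises ValueError on a malformed port
    except ValueError:
        return False, "malformed URL"
    if parts.scheme not in ALLOWED_SCHEMES:
        return False, f"scheme {parts.scheme!r} not allowed"
    if not parts.hostname:
        return False, "missing host"
    if parts.username or parts.password:
        return False, "credentials in URL not allowed"
    if port is None:
        port = 443 if parts.scheme == "https" else 80
    if port not in ALLOWED_PORTS:
        return False, f"port {port} not allowed"

    # A literal IP needs no lookup; a hostname is resolved and every answer is checked.
    try:
        ipaddress.ip_address(parts.hostname)
        addresses = [parts.hostname]
    except ValueError:
        try:
            addresses = resolver(parts.hostname)
        except OSError:  # socket.gaierror is a subclass of OSError
            return False, "host does not resolve"
    if not addresses:
        return False, "host does not resolve"
    for address in addresses:
        if not is_public_address(address):
            return False, f"host resolves to non-public address {address}"
    return True, "ok"


# Constructed resolver table for offline demonstration (assumed names and addresses).
FAKE_DNS = {
    "localhost": ["127.0.0.1"],
    "editorial.htb": ["10.10.11.20"],
    "covers.example.net": ["93.184.216.34"],
}


def fake_resolver(hostname):
    if hostname not in FAKE_DNS:
        raise OSError("NXDOMAIN")
    return FAKE_DNS[hostname]


if __name__ == "__main__":
    for candidate in [
        "https://covers.example.net/book.jpg",   # accepted
        "http://127.0.0.1:5000/api",             # rejected: port 5000 is not allowed
        "http://localhost/",                     # rejected: resolves to loopback
        "http://editorial.htb/",                 # rejected: resolves to a private address
        "http://[::1]/",                         # rejected: IPv6 loopback literal
        "ftp://covers.example.net/book.jpg",     # rejected: scheme
    ]:
        print(candidate, "->", validate_cover_url(candidate, fake_resolver))
```

Two caveats for anyone wiring this into a real fetcher: validating the name and then letting an HTTP client resolve it again leaves a window for DNS rebinding, so connect to the address that passed the check rather than to the hostname, and apply the same check to every redirect target instead of following redirects automatically.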
Escalate To Root Privileges Access on Editorial machine
Privilege Escalation:
There’s no interesting binary to look into.
When we performed further enumeration, we found an interesting folder named ‘apps’. We also found a ‘.git’ folder. By using the ‘git log’ command, we can see the commit history of the project.
Prod Privileges Access
The env_reset option means that when executing a sudo command, the environment variables and $PATH are reset to secure defaults, excluding my custom protocol from the path.
To find a workaround, I started examining the installed software for outdated or vulnerable versions. While it wasn’t my main focus, I ran pip3 list to see the installed Python packages. During this process, I found that the ‘prod’ user can execute the clone_prod_change.py script with sudo privileges using Python 3, which could serve as a potential privilege escalation vector.
CVE-2022-24439
A security vulnerability has been identified in all versions of the GitPython package, which makes it susceptible to Remote Code Execution (RCE) attacks. This vulnerability arises from inadequate validation of user input, allowing an attacker to inject a maliciously crafted URL into the clone command. As a result, the library’s external calls to Git are not properly sanitized, making it possible for an attacker to execute arbitrary code.
What is GitPython?
GitPython is a Python library designed for interacting with Git repositories, offering both high-level functionality similar to git-porcelain and low-level capabilities akin to git-plumbing.
It simplifies access to repository data by providing abstractions of Git objects, often utilizing calls to the Git command-line interface in the background.
While examining the code files and the installed packages with the ‘pip3 list’ command, we identified a vulnerable package: GitPython version 3.1.29. This package is susceptible to a Remote Code Execution (RCE) vulnerability documented as CVE-2022-24439.
After conducting further research on this CVE, we discovered a Proof of Concept (PoC) available on GitHub that can be utilized.
When I attempted to use the Proof of Concept (PoC), the command ext::sh -c touch% /tmp/pwned didn’t execute as expected. However, the presence of files in the /tmp directory indicates that the Python script ran with root user privileges.
Now, we should adjust the command to fetch the contents of root.txt from the /root directory by using ext::sh -c cat% /root/root.txt% >% /tmp/root.
We can view the root flag by executing the command “cat root.txt.”
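The root cause of CVE-2022-24439 is that the clone URL reaches git unchecked, so a string such as ext::sh -c ... is treated as a remote-helper transport rather than as a repository location. As an added example (not code from this write-up, not the clone_prod_change.py script from the machine, and not GitPython’s own implementation), here is a guard that a script cloning user-controlled URLs can apply before handing the URL to GitPython; the allowed host list is an assumption made for the demonstration.

```python
import re
from urllib.parse import urlparse

# Any "<name>::" prefix selects a git remote helper (ext::, fd::, ...) instead of a repository.
REMOTE_HELPER_PREFIX = re.compile(r"^\s*[A-Za-z0-9_-]+::")
# Hosts the production script is expected to clone from (assumed for this example).
ALLOWED_HOSTS = {"github.com", "gitlab.com"}
ALLOWED_SCHEMES = {"https", "ssh"}


class UnsafeCloneUrl(ValueError):
    """Raised for any clone URL that is not a plain repository location."""


def check_clone_url(url: str) -> str:
    """Return url unchanged if it is acceptable, otherwise raise UnsafeCloneUrl.

    Checks, in order:
      1. no remote-helper transport prefix such as ext:: or fd::
      2. no leading '-', which git could read as a command-line option
      3. scheme and host on the allowlist; scp-style user@host:path is normalised first
    """
    if REMOTE_HELPER_PREFIX.match(url):
        raise UnsafeCloneUrl(f"remote helper transport not permitted: {url!r}")
    if url.lstrip().startswith("-"):
        raise UnsafeCloneUrl(f"URL looks like a command-line option: {url!r}")

    # git@host:owner/repo.git has no scheme; rewrite it to ssh://git@host/owner/repo.git
    scp_like = re.match(r"^([A-Za-z0-9._-]+@)?([A-Za-z0-9.-]+):(?!//)(.+)$", url)
    if scp_like:
        user, host, path = scp_like.groups()
        url_to_parse = f"ssh://{user or ''}{host}/{path}"
    else:
        url_to_parse = url

    parts = urlparse(url_to_parse)
    if parts.scheme not in ALLOWED_SCHEMES:
        raise UnsafeCloneUrl(f"scheme {parts.scheme!r} not permitted")
    if parts.hostname not in ALLOWED_HOSTS:
        raise UnsafeCloneUrl(f"host {parts.hostname!r} not on the allowlist")
    return url


def is_safe_clone_url(url: str) -> bool:
    """Boolean wrapper around check_clone_url for callers that prefer a flag."""
    try:
        check_clone_url(url)
    except UnsafeCloneUrl:
        return False
    return True


def safe_clone(url: str, dest: str):
    """Validate first, then clone with GitPython (imported lazily so the checks run without it)."""
    checked = check_clone_url(url)
    from git import Repo  # GitPython; only needed when a clone actually happens
    return Repo.clone_from(checked, dest)


if __name__ == "__main__":
    for candidate in [
        "https://github.com/example/repo.git",     # accepted
        "git@github.com:example/repo.git",         # accepted (scp-style, normalised)
        "ext::sh -c touch% /tmp/pwned",            # rejected: remote helper transport
        "fd::17",                                  # rejected: remote helper transport
        "-oUploadPack=id",                         # rejected: looks like an option
        "file:///root",                            # rejected: scheme
        "https://evil.example/repo.git",           # rejected: host not on the allowlist
    ]:
        print(f"{candidate!r:45} -> {'ok' if is_safe_clone_url(candidate) else 'rejected'}")
```

Upgrading GitPython to a fixed release remains the primary fix; an allowlist like this is defence in depth for scripts that run under sudo, where a single unchecked argument is the whole difference between cloning a repository and running a shell as root.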
Another method of obtaining the root flag
To begin, we need to initiate our listener.
Let’s generate a reverse shell command for one file.
We’ll grant execute permissions to the file.
An error occurred, as evident from the screenshot provided.
To work around the issue, we’ll encode the command using Base64.
The encoded command will appear similar to the example shown in the screenshot.
With the encoded command, let’s attempt to execute it again.
The command was successfully executed without any issues.
We can view the root flag by executing the command “cat root.txt.”