Introduction to Intuition:

In this write-up, we will explore the “Intuition” machine from Hack The Box, categorized as a Hard difficulty challenge. This walkthrough will cover the reconnaissance, exploitation, and privilege escalation steps required to capture the flag.

Objective:

The goal of this walkthrough is to complete the “Intuition” machine from Hack the Box by achieving the following objectives:

User Flag:

Initial Access

I identified a vulnerability in the bug reporting system that allowed a cross-site scripting (XSS) attack, which gave me initial access to the system as a web developer. I then repeated the attack against an administrator to gain elevated privileges. With that access, I navigated to the admin dashboard and discovered a file read vulnerability in its PDF export feature, which relies on Python’s urllib module.

Escalating Privileges and Exploiting Vulnerabilities

I used this vulnerability to reach the FTP server, where I found stored credentials. With these credentials I obtained a private SSH key. While exploring the system, I came across Suricata logs containing another user’s password: the logging configuration was flawed, which allowed me to gather this information. With that access and knowledge, I was able to move further into the system, exploiting vulnerabilities and uncovering sensitive information along the way.

Root Flag:

Abusing Custom Binaries

I identified a vulnerability in custom binaries designed to interact with Ansible, which allowed a command injection attack. Through this vulnerability I was able to execute arbitrary commands on the system, gaining increased access and control. I also discovered a bug in Ansible Galaxy that could be leveraged to gain further access to the system.

Escalating Privileges and Exploiting Vulnerabilities

I used my newfound access to execute further commands and gather sensitive information about the system. With my increased privileges, I was able to move further into the system, exploiting vulnerabilities and uncovering sensitive information along the way.

Enumerating the Intuition Machine

Reconnaissance:

Nmap Scan:

Begin with a network scan to identify open ports and running services on the target machine.

nmap -sC -sV -oN nmap_initial.txt 10.10.11.15

Nmap Output:

┌─[darknite@parrot]─[~/Documents/htb/Intution]
└──╼ $nmap -sC -sV 10.10.11.15 -oA initial
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-09-13 22:50 EDT
Nmap scan report for 10.10.11.15
Host is up (0.19s latency).
Not shown: 998 closed tcp ports (conn-refused)
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.9p1 Ubuntu 3ubuntu0.7 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   256 b3:a8:f7:5d:60:e8:66:16:ca:92:f6:76:ba:b8:33:c2 (ECDSA)
|_  256 07:ef:11:a6:a0:7d:2b:4d:e8:68:79:1a:7b:a7:a9:cd (ED25519)
80/tcp open  http    nginx 1.18.0 (Ubuntu)
|_http-server-header: nginx/1.18.0 (Ubuntu)
|_http-title: Did not follow redirect to http://comprezzor.htb/
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 28.83 seconds

Analysis:

  • Port 22 (SSH): OpenSSH 8.9p1 service for secure remote access, running on Ubuntu.
  • Port 80 (HTTP): Nginx 1.18.0 web server on Ubuntu, redirecting to http://comprezzor.htb.

Web Enumeration:

Perform web enumeration to discover potentially exploitable directories and files.

gobuster dir -u http://10.10.11.15 -w /opt/SecLists/Discovery/Web-Content/raft-small-directories.txt 

Gobuster Output:

===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://comprezzor.htb
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /opt/SecLists/Discovery/Web-Content/raft-small-directories.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.6
[+] Timeout:                 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
Progress: 20116 / 20117 (100.00%)
===============================================================
Finished
===============================================================

Analysis:

  • Gobuster Directory Enumeration: Scanned 20,117 entries; no additional directories or files were identified. The enumeration process is complete.

Virtual Host Enumeration:

┌─[darknite@parrot]─[~/Documents/htb/Intution]
└──╼ $gobuster vhost --append-domain -u http://comprezzor.htb -w /opt/SecLists/Discovery/DNS/namelist.txt --random-agent -t 600
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:             http://comprezzor.htb
[+] Method:          GET
[+] Threads:         600
[+] Wordlist:        /opt/SecLists/Discovery/DNS/namelist.txt
[+] User Agent:      Mozilla/5.0 (Windows; U; Windows NT 5.2; en-US; rv:1.8.0.9) Gecko/20061206 Firefox/1.5.0.9
[+] Timeout:         10s
[+] Append Domain:   true
===============================================================
Starting gobuster in VHOST enumeration mode
===============================================================
Found: auth.comprezzor.htb Status: 302 [Size: 199] [--> /login]
Found: dashboard.comprezzor.htb Status: 302 [Size: 251] [--> http://auth.comprezzor.htb/login]
Found: report.comprezzor.htb Status: 200 [Size: 3166]
Progress: 151265 / 151266 (100.00%)
===============================================================
Finished
===============================================================

Analysis:

  • auth.comprezzor.htb: Found with status code 302 (redirect) to /login, indicating an authentication page.
  • dashboard.comprezzor.htb: Found with status code 302 (redirect) to auth.comprezzor.htb/login, suggesting the dashboard requires login via the authentication subdomain.
  • report.comprezzor.htb: Found with status code 200, indicating a valid page with a size of 3166 bytes.

Exploitation

Web Application Exploration:

CVE-2024-3094 Vulnerability

Malicious code was found in the upstream tarballs of xz starting from version 5.6.0. The liblzma build process, through intricate obfuscations, extracts a prebuilt object file from a disguised test file within the source code. The object file modifies specific functions in the liblzma library. As a result, the modified library can intercept and modify the data interactions of any software linked against it.

On the comprezzor.htb domain, there is functionality to upload and compress files.

Files are compressed using the LZMA algorithm during the upload process.

There is a known CVE (CVE-2024-3094) affecting the xz/liblzma implementation of this algorithm, so it is worth checking here.

The screenshot above displays the response captured via Burp Suite.

Despite several attempts to exploit the vulnerability, it turned out to be a rabbit hole, prompting us to shift focus and explore other potential attack vectors.

[Screenshot: login screen]

On the auth.comprezzor.htb subdomain, an authorization form is presented.

Let’s create a new account.

[Screenshot: login form]

Log in to the dashboard with the credentials we just created.

This gives us the ability to submit reports.

[Screenshot: terminal with green text]

Let’s launch our Python server to receive the callback.

This form is vulnerable to Blind XSS, allowing us to capture user cookies. Use the payload shown in the screenshot above.

Using cookies to obtain a session

We access the dashboard, where reports are categorized by priority.

We set a higher priority for our report.


Send the payload and capture the admin cookies. Use these cookies to access the functionality for creating PDF reports.

File read vulnerability on the Intuition machine

This allows us to read any file.

Notice that this script imports several modules in its blueprints section, including index, report, auth, and dashboard. This suggests the application’s source code is split across several .py files. Let’s examine these files.

Locate the admin password

Accessing internal FTP through SSRF vulnerability
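The file read and the SSRF to the internal FTP server both come from the same root cause: urllib.request.urlopen() accepts file:// and ftp:// URLs, and an export feature that hands it a user-controlled URL fetches whatever it is pointed at. The following is an added example, not code from the write-up or from the comprezzor.htb application, of the check such a feature should run before fetching; the resolver parameter is an assumption so the check can be tested offline.

```python
import ipaddress
import socket
from typing import Callable, Optional
from urllib.parse import urlsplit
from urllib.request import urlopen

# Only web schemes are rendered; file://, ftp://, gopher:// etc. are refused.
ALLOWED_SCHEMES = {"http", "https"}


def is_internal_address(ip_text: str) -> bool:
    """True for loopback, RFC1918, link-local and other non-global addresses."""
    return not ipaddress.ip_address(ip_text).is_global


def check_fetch_url(url: str,
                    resolver: Callable[[str], str] = socket.gethostbyname) -> Optional[str]:
    """Return None when `url` may be fetched, otherwise the reason it was refused.
    `resolver` maps a hostname to an IP (hypothetical injection point for tests)."""
    parts = urlsplit(url.strip())
    scheme = parts.scheme.lower()
    if scheme not in ALLOWED_SCHEMES:
        return f"scheme {scheme!r} not allowed"
    host = parts.hostname
    if not host:
        return "missing host"
    if parts.username or parts.password:
        return "credentials in URL not allowed"
    try:
        ip_text = str(ipaddress.ip_address(host))   # literal IP, incl. [::1]
    except ValueError:
        try:
            ip_text = resolver(host)                # hostname: resolve it first
        except OSError:
            return "host does not resolve"
    if is_internal_address(ip_text):
        return f"{host} resolves to internal address {ip_text}"
    return None


def safe_fetch(url: str, timeout: float = 5.0) -> bytes:
    """Fetch `url` for rendering only after it passed check_fetch_url()."""
    reason = check_fetch_url(url)
    if reason is not None:
        raise ValueError(f"refusing to fetch {url}: {reason}")
    with urlopen(url, timeout=timeout) as resp:
        return resp.read()
```

Note that urlopen() follows redirects, so a hardened version must also re-run the check on every hop (or disable redirects); this block only validates the URL the user supplied.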

Obtain an encrypted SSH key

The screenshot above reveals the SSH private key.

Next to the private key was a note with the password needed for decryption.

Inspecting the key may reveal a potential username.

You can reveal the user flag with the cat user.txt command.

Elevate to Root Privileges

Privilege Escalation:

In contrast to the directory where the user database was found /var/www/app

Extract the hashes and use the password “twisted” to connect via FTP.

Then, download all the files from there.

We found the FTP connection logs for the user Lopez and observed that the FTP server requires a password for this user. Filtering the Suricata logs by flow_id ties the commands of one FTP session together, which lets us locate Lopez’s data.
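Suricata’s EVE output records every FTP command with the flow_id of the session it belongs to, so a cleartext login leaves its USER and PASS values in eve.json; a log file readable by a low-privileged user is therefore a credential leak. The following is an added example, not code from the write-up, that groups EVE “ftp” records by flow_id to flag such logins for the defender and redacts the PASS argument before the log is stored; the sample records are constructed in the shape of Suricata’s EVE ftp events.

```python
import json
from collections import defaultdict

# Constructed eve.json lines (not real capture data): one complete login on
# flow 1111, a lone USER command on flow 2222, and an unrelated flow record.
SAMPLE_EVE = """
{"timestamp":"2024-09-14T03:12:01.000000+0000","flow_id":1111,"event_type":"flow","src_ip":"10.0.0.23","dest_ip":"10.0.0.5"}
{"timestamp":"2024-09-14T03:12:01.100000+0000","flow_id":1111,"event_type":"ftp","src_ip":"10.0.0.23","dest_ip":"10.0.0.5","dest_port":21,"ftp":{"command":"USER","command_data":"alice","completion_code":["331"],"reply":["Please specify the password."],"reply_received":"yes"}}
{"timestamp":"2024-09-14T03:12:01.200000+0000","flow_id":1111,"event_type":"ftp","src_ip":"10.0.0.23","dest_ip":"10.0.0.5","dest_port":21,"ftp":{"command":"PASS","command_data":"S3cret!","completion_code":["230"],"reply":["Login successful."],"reply_received":"yes"}}
{"timestamp":"2024-09-14T03:15:40.000000+0000","flow_id":2222,"event_type":"ftp","src_ip":"10.0.0.40","dest_ip":"10.0.0.5","dest_port":21,"ftp":{"command":"USER","command_data":"bob","completion_code":["331"],"reply":["Please specify the password."],"reply_received":"yes"}}
"""


def ftp_events_by_flow(lines):
    """Group the event_type "ftp" records of an eve.json stream by flow_id."""
    flows = defaultdict(list)
    for line in lines:
        line = line.strip()
        if not line:
            continue
        ev = json.loads(line)
        if ev.get("event_type") == "ftp":
            flows[ev["flow_id"]].append(ev)
    return flows


def find_cleartext_logins(lines):
    """One finding per flow in which a USER command was followed by PASS.
    The password value itself is deliberately not copied into the finding."""
    findings = []
    for flow_id, events in ftp_events_by_flow(lines).items():
        user = None
        for ev in sorted(events, key=lambda e: e["timestamp"]):
            cmd = ev["ftp"].get("command")
            if cmd == "USER":
                user = ev["ftp"].get("command_data")
            elif cmd == "PASS" and user is not None:
                findings.append({"flow_id": flow_id, "user": user,
                                 "client": ev["src_ip"], "server": ev["dest_ip"],
                                 "login_ok": "230" in ev["ftp"].get("completion_code", [])})
                user = None
    return findings


def redact_ftp_pass(line):
    """Mask the PASS argument of one eve.json line before it is written to
    a file that other users can read."""
    ev = json.loads(line)
    if ev.get("event_type") == "ftp" and ev.get("ftp", {}).get("command") == "PASS":
        ev["ftp"]["command_data"] = "<redacted>"
    return json.dumps(ev, separators=(",", ":"))


if __name__ == "__main__":
    for finding in find_cleartext_logins(SAMPLE_EVE.splitlines()):
        print(finding)
```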

Once connected via SSH, we should investigate what actions a user with sudo privileges can perform.

We’ve identified that we can execute the runner2 binary with sudo. Let’s copy it to our environment and analyze its functionality. Upon starting the application, we’ll observe that it requests a JSON file.

Although most of the file is commented out, we notice multiple references to runner1. Additionally, there’s a possible password on the final line, though the last four characters seem to be obscured. Runner1.c is likely the source code for runner1.

Let’s generate the required JSON file.

You can reveal the root flag with the cat root.txt command.
