Introduction to Unrested:

This write-up will explore the “Unrested” machine from Hack the Box, categorized as a medium-difficulty challenge. This walkthrough will cover the reconnaissance, exploitation, and privilege escalation steps required to capture the flag.

The objective for the Unrested Machine:

The goal of this walkthrough is to complete the “Unrested” machine on Hack The Box by capturing the user and root flags.

User Flag:

Exploitation of Zabbix Vulnerabilities for User Access Escalation

The machine is hosting Zabbix, and two critical vulnerabilities were identified. The first is a lack of access controls in the user.update function, which allows unauthorized modifications to user permissions. The second is an SQL injection vulnerability in the user.get function, which enables unauthorized access to sensitive user data. These weaknesses were leveraged to escalate privileges and gain user access to the target system.

Root Flag:

Sudo Misconfiguration Exploited for Privilege Escalation

Enumeration of the system revealed a sudo misconfiguration, granting the Zabbix user the ability to execute /usr/bin/nmap with elevated privileges. This misconfiguration, associated with an optional Zabbix server dependency, was exploited to escalate privileges and gain root access on the target machine.

Enumerating the Unrested Machine

Reconnaissance:

Nmap Scan:

Begin with a network scan to identify open ports and running services on the target machine.

nmap -sC -sV -oN nmap_initial.txt 10.10.11.50

Nmap Output:

┌─[darknite@parrot]─[~/Documents/htb/unrested]
└──╼ $nmap -sC -sV 10.10.11.50 -oA initial
# Nmap 7.94SVN scan initiated Thu Dec  5 18:01:48 2024 as: nmap -sC -sV -oA initial 10.10.11.50
Nmap scan report for 10.10.11.50
Host is up (0.17s latency).
Not shown: 998 closed tcp ports (conn-refused)
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.9p1 Ubuntu 3ubuntu0.10 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   256 3e:ea:45:4b:c5:d1:6d:6f:e2:d4:d1:3b:0a:3d:a9:4f (ECDSA)
|_  256 64:cc:75:de:4a:e6:a5:b4:73:eb:3f:1b:cf:b4:e3:94 (ED25519)
80/tcp open  http    Apache httpd 2.4.52 ((Ubuntu))
|_http-server-header: Apache/2.4.52 (Ubuntu)
|_http-title: Site doesn't have a title (text/html).
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Analysis:

  • Port 22 (SSH): Secure Shell service for remote access.
  • Port 80 (HTTP): Web server running Apache.

Web Enumeration:

Web Application Exploration:

Navigating to the website, we are presented with the Zabbix web interface.

What is Zabbix?

Zabbix is like a digital watchdog for computers and networks. Think of it as a tool that helps IT professionals make sure everything is running smoothly. It collects data and shows it in an easy-to-understand way, helping teams maintain and improve their IT systems.

We didn’t need to search for credentials, as they were provided on the Hack The Box machine page.

After logging in, we land on the Zabbix dashboard.

We discovered that the Zabbix version in use is 7.0.0.

Two CVEs have been identified that could potentially be exploited in the discovered Zabbix version.

Overview of CVE-2024-36467

CVE-2024-36467 is a security flaw in Zabbix, a software used for monitoring computer systems. This flaw allows someone who is already logged into the system and has access to the system’s API (a kind of digital toolkit) to change their group membership.

Privilege Escalation via Zabbix API Abuse

Authenticated User with API Access:
An authenticated user can interact with the system using the API, enabling actions that are restricted through the standard web interface.

User Role and Permissions:
Zabbix roles come with specific access levels.

API Endpoint: user.update:
The user.update endpoint lets a user modify their details, including group memberships.

Privilege Escalation:
By adding themselves to high-privilege groups like “Zabbix Administrators,” the user can escalate their access, gaining control over sensitive system functions and compromising its security.

Let’s refer to the Zabbix website documentation to gather more information.

Upon careful review, I noticed that the documentation refers to a PHP file called api_jsonrpc.php, whose existence we can check for on the machine.

A blank page confirms the file’s existence.

JSON-RPC Request Format:

  • Request Requirements:
    • The Content-Type header must be set to one of the following: application/json-rpc, application/json, or application/jsonrequest.
    • The request object includes:
      • jsonrpc: Specifies the API’s JSON-RPC protocol version (Zabbix API uses version 2.0).
      • method: The API method being invoked.
      • params: Parameters passed to the API method.
      • id: An arbitrary identifier for the request.

To carry out the exploitation, we begin by authenticating to the API with the user credentials, which returns an API token in the response; this token is used in all subsequent requests.

Analyzing the source code in the Zabbix GitHub repository, we locate the CUser.php file and examine the user.update function on line 358.

User ID 3 corresponds to Matthew; user group 7 is the Zabbix Administrators group and user group 13 is the Internal group, both of which carry unrestricted privileges. The response confirms that the change was successful.
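As an added example (not code from the original write-up), here is a small Python audit helper built on the JSON-RPC format described above: it builds the request object, checks the Content-Type rule, and parses a user.get response to flag users who sit in the unrestricted groups (7 and 13) without being in an expected baseline, which is how a defender would spot the user.update abuse shown here. The sample response is constructed; the usrgrps/selectUsrgrps field names are from the Zabbix API.

```python
import json

# Added example (not part of the write-up): audit helpers for the Zabbix JSON-RPC API.
# Request format and Content-Type rule follow the Zabbix API docs; SAMPLE_RESPONSE is constructed.
ALLOWED_CONTENT_TYPES = ("application/json-rpc", "application/json", "application/jsonrequest")

# Group IDs the walkthrough identifies as unrestricted on this host.
PRIVILEGED_GROUPS = {"7": "Zabbix Administrators", "13": "Internal"}

def content_type_ok(header_value):
    """True if the Content-Type media type is one the API accepts (charset etc. ignored)."""
    media_type = header_value.split(";", 1)[0].strip().lower()
    return media_type in ALLOWED_CONTENT_TYPES

def build_request(method, params, auth=None, req_id=1):
    """Build a JSON-RPC 2.0 request object; auth is the session token returned by user.login
    (Zabbix 7.0 also accepts it as an Authorization: Bearer header instead)."""
    body = {"jsonrpc": "2.0", "method": method, "params": params, "id": req_id}
    if auth is not None:
        body["auth"] = auth
    return body

def privileged_members(response_text, baseline):
    """Parse a user.get response (with selectUsrgrps) and return users that belong to a
    privileged group but whose userid is not in the expected baseline."""
    response = json.loads(response_text)
    if "error" in response:
        raise RuntimeError(f"API error: {response['error']}")
    findings = []
    for user in response.get("result", []):
        group_ids = [g["usrgrpid"] for g in user.get("usrgrps", [])]
        hits = [PRIVILEGED_GROUPS[g] for g in group_ids if g in PRIVILEGED_GROUPS]
        if hits and user["userid"] not in baseline:
            findings.append((user["userid"], user["username"], hits))
    return findings

# Constructed sample: user 3 has been added to groups 7 and 13 through user.update.
SAMPLE_RESPONSE = json.dumps({
    "jsonrpc": "2.0", "id": 1,
    "result": [
        {"userid": "1", "username": "Admin",
         "usrgrps": [{"usrgrpid": "7", "name": "Zabbix Administrators"}]},
        {"userid": "3", "username": "matthew",
         "usrgrps": [{"usrgrpid": "7", "name": "Zabbix Administrators"},
                     {"usrgrpid": "13", "name": "Internal"}]},
    ],
})
```

Run it against a real user.get response (requested with selectUsrgrps) and a baseline of known administrator IDs to surface unexpected group additions.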

Separately, specifying the selectRole option in user.get triggers an insecure call to the DBSelect function without sanitizing user input, which leads to time-based and boolean-based blind SQL injection. To confirm this, we used a payload from the referenced link to test for an injection point in the selectRole parameter.

With the Admin user’s API token, we can create and trigger an item through a task. First, we retrieve the current host IDs and their corresponding interface IDs. The response provides the necessary host details.

We can establish a shell connection using the payload provided above.

The user flag can be retrieved by executing the cat user.txt command.

Escalating to Root Privileges on the Unrested Machine

Privilege Escalation:

We discover that /usr/bin/nmap can be executed via sudo without restrictions.

What is Nmap?

Nmap helps users see which devices are connected and which ports they are using, and it provides information on security vulnerabilities. The tool is commonly used by network administrators to monitor and manage network infrastructure.

It appears that the server maintainers were aware of the potential privilege escalation risks associated with Nmap.

The nse_main.lua file is the default script that nmap loads when the -sC option is used. To exploit this, we create a new file /tmp/nse_main.lua containing os.execute("chmod +x /bin/bash"). When localhost is scanned with -sC enabled, the script runs with root privileges, /bin/bash is set SUID, and a shell with the effective UID of the root user can be spawned.
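As an added example (not from the original write-up), the following Python checks look at this escalation path from the defender's side: a sudo rule granting /usr/bin/nmap, a stray nse_main.lua in a world-writable directory such as /tmp, and a setuid bit left on a shell binary. The sudo -l text and the temporary files created in demo() are constructed for the example.

```python
import os, re, stat, tempfile

# Added example (not part of the write-up): defender-side checks for the nmap sudo path above.
# SAMPLE_SUDO_L and the files created in demo() are constructed; nothing here touches /bin/bash.
SUDO_RULE = re.compile(r"\((?P<runas>[^)]*)\)\s*(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmd>/\S+.*)")  # e.g. "(ALL : ALL) NOPASSWD: /usr/bin/nmap"

# Constructed sudo -l output resembling the misconfiguration found on the box.
SAMPLE_SUDO_L = """\
User zabbix may run the following commands on unrested:
    (ALL : ALL) NOPASSWD: /usr/bin/nmap
"""

def risky_nmap_rules(sudo_l_output):
    """Return sudo rules that allow /usr/bin/nmap and whether they skip the password prompt."""
    rules = []
    for line in sudo_l_output.splitlines():
        m = SUDO_RULE.search(line.strip())
        cmds = [c.strip() for c in m.group("cmd").split(",")] if m else []
        if any(c.split()[:1] == ["/usr/bin/nmap"] for c in cmds):
            rules.append({"runas": m.group("runas").strip(),
                          "nopasswd": "NOPASSWD:" in m.group("tags"),
                          "cmd": m.group("cmd").strip()})
    return rules

def is_setuid(path):
    """True when the file carries the setuid bit, the state the walkthrough leaves /bin/bash in."""
    return bool(os.stat(path).st_mode & stat.S_ISUID)

def stray_nse_main(search_dirs):
    """Return nse_main.lua copies in world-writable dirs (e.g. /tmp), where the walkthrough plants its copy."""
    found = []
    for d in search_dirs:
        candidate = os.path.join(d, "nse_main.lua")
        if os.path.isfile(candidate) and os.stat(d).st_mode & stat.S_IWOTH:
            found.append(candidate)
    return found

def demo():
    """Create throwaway artefacts mimicking the post-exploitation state and run all checks."""
    with tempfile.TemporaryDirectory() as tmp:
        os.chmod(tmp, 0o1777)                           # world-writable, like /tmp
        with open(os.path.join(tmp, "nse_main.lua"), "w") as f:
            f.write("-- constructed placeholder\n")
        fake_bash = os.path.join(tmp, "bash")
        open(fake_bash, "w").close()
        os.chmod(fake_bash, 0o4755)                     # setuid bit, as left on /bin/bash
        return {"rules": risky_nmap_rules(SAMPLE_SUDO_L),
                "stray": [os.path.basename(p) for p in stray_nse_main([tmp])],
                "setuid": is_setuid(fake_bash)}
```

On a live host, feed risky_nmap_rules the real sudo -l output, point stray_nse_main at /tmp and other world-writable paths, and run is_setuid against /bin/bash and similar shells.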

Let’s run the above command to gain root access. Unfortunately, it failed.

We can view the root flag by running the command cat root.txt.