In this post, I would like to share a walkthrough of the OnlyforYou machine from Hack The Box.

This room is rated as a medium machine on Hack The Box.

What will you gain from the OnlyforYou machine?

For the user flag, you need to be able to read different files through a Local File Inclusion (LFI) vulnerability that exists in a form, from which we can also achieve remote code execution (RCE).

As for the root flag, you need to take advantage of the internal Gogs website, which we can exploit using the this_is_fine_wuzzi script. We upload the script to the Gogs application and trigger the exploit by downloading the package with pip3. As a result, we can turn bash into a SUID binary.

Information Gathering on OnlyforYou Machine

Once we have started the VPN connection, which requires downloading the configuration from Hack The Box, we can begin information gathering on the machine by running the command nmap -sC -sV -p- <IP Address> -PN

┌─[darknite@parrot]─[~/Documents/htb/onlyforyou]
└──╼ $ nmap -sC -sV  10.10.11.210 -oA initial 
Starting Nmap 7.93 ( https://nmap.org ) at 2023-08-18 06:39 EDT
Nmap scan report for 10.10.11.210
Host is up (0.032s latency).
Not shown: 998 closed tcp ports (conn-refused)
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.5 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   3072 e883e0a9fd43df38198aaa35438411ec (RSA)
|   256 83f235229b03860c16cfb3fa9f5acd08 (ECDSA)
|_  256 445f7aa377690a77789b04e09f11db80 (ED25519)
80/tcp open  http    nginx 1.18.0 (Ubuntu)
|_http-server-header: nginx/1.18.0 (Ubuntu)
|_http-title: Did not follow redirect to http://only4you.htb/
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 9.66 seconds
┌─[darknite@parrot]─[~/Documents/htb/onlyforyou]
└──╼ $ 

Let's access the website interface.

However, nothing interesting was found on the website interface.

We managed to find a subdomain on the website interface.

Another way to obtain the subdomain is by running ffuf, which should give us the same output.

We also spotted a team member whose name we can abuse later on.

Let's access the subdomain, from which we can download the source code.

Analyze the application source code

The downloaded file is as shown above.

Inside app.py, there is an extensive block of code that we can analyse further.

Python

# Excerpt from the downloaded app.py. The imports and the app object below are
# not shown on the page; they are added here so the excerpt reads on its own.
import os
import posixpath
from flask import Flask, request, flash, redirect, send_file
from werkzeug.exceptions import BadRequest

app = Flask(__name__)
# app.config['LIST_FOLDER'] is set elsewhere in the application.

@app.route('/download', methods=['POST'])
def download():
    image = request.form['image']
    filename = posixpath.normpath(image)
    # Only '..' traversal is rejected here; nothing anchors the path to LIST_FOLDER.
    if '..' in filename or filename.startswith('../'):
        flash('Hacking detected!', 'danger')
        return redirect('/list')
    # An absolute path skips the join and is used exactly as supplied.
    if not os.path.isabs(filename):
        filename = os.path.join(app.config['LIST_FOLDER'], filename)
    try:
        if not os.path.isfile(filename):
            flash('Image doesn\'t exist!', 'danger')
            return redirect('/list')
    except (TypeError, ValueError):
        raise BadRequest()
    return send_file(filename, as_attachment=True)

The section of code that caught my attention is shown above.
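To make the defect in that route concrete, here is an added example (not code from the page or from the application) that mirrors the original check as a pure function and places a hardened variant beside it. The hardened version anchors every request to the image directory, resolves symlinks and '..' with realpath, and then insists the result is still inside that directory. LIST_FOLDER and the sample inputs are constructed for this example.

```python
import os
import posixpath
from typing import Optional

# Constructed for this example: the directory the app serves images from.
LIST_FOLDER = "/srv/only4you/list"


def resolve_as_written(image: str, base: str = LIST_FOLDER) -> Optional[str]:
    """Mirror of the page's /download check. Returns the path the route would
    hand to send_file(), or None where the route rejects the input."""
    filename = posixpath.normpath(image)
    if ".." in filename or filename.startswith("../"):
        return None  # the route flashes 'Hacking detected!' here
    if not os.path.isabs(filename):
        filename = os.path.join(base, filename)
    # An absolute path contains no '..', so it passes the check and is never
    # joined onto base: the caller chooses any file the process can read.
    return filename


def resolve_hardened(image: str, base: str = LIST_FOLDER) -> Optional[str]:
    """Hardened variant: always join onto base, canonicalise, then require the
    canonical result to remain inside base."""
    root = os.path.realpath(base)
    candidate = os.path.realpath(os.path.join(root, image))
    if os.path.commonpath([root, candidate]) != root:
        return None
    return candidate


# Constructed sample inputs: a legitimate image name, a traversal string,
# and an absolute path.
SAMPLES = ["cat.jpg", "../../../../etc/passwd", "/etc/passwd"]

if __name__ == "__main__":
    for s in SAMPLES:
        print(f"{s!r:28} original -> {str(resolve_as_written(s)):32} "
              f"hardened -> {resolve_hardened(s)}")
```

The comparison shows that the original blocklist only ever looks for the string '..', so it never considers where the final path ends up. The hardened check reasons about the canonical destination instead, which is also what Werkzeug's safe_join helper does for Flask applications; using it (or an allowlist of known filenames) is preferable to hand-rolling the check.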

We can inspect the request via Burp Suite, which looks like the screenshot above.

There are some files that we can download to our machine.

Sadly, we can only see the content of the images.

At last, we managed to find a Local File Inclusion (LFI) via Burp Suite.

We can further analyse a few files that are readable to us.

As a result, we need to enter some information or details into the contact form.

The actual request looks as shown above.

Let's start our nc listener on our attacker machine.

Therefore, let's insert our command injection payload; it looks very promising.

Boom! We managed to get the reverse shell connection back to us.

We managed to find a few open ports that the Nmap output did not show.

As a result, let's upload Chisel to the victim machine.

Finally, we managed to connect Chisel between our machine and the victim machine.

Port 3000 enumeration

On port 3000, there is a Gogs web interface.

Port 8001 enumeration

Port 8001, meanwhile, redirected us to a login page.

Let's try common credentials such as admin:admin.

Boom! We have successfully accessed the dashboard.

SQL Injection on Onlyforyou Machine

Let's execute some SQL injection payloads against the search endpoint.

At last, we managed to obtain information from the SQL command.

After a few tries of SQL commands, we managed to obtain the hashes from the machine.

Let's use CrackStation to crack the hashes, because I'm too lazy to use John the Ripper or Hashcat.

Finally, we managed to access the machine via the SSH service.

We can read the user flag by typing the "cat user.txt" command.

Escalate to Root Privileges Access

As usual, we can find the permitted binary by typing the "sudo -l" command.

We should download the exploit for the vulnerability.

Once we have finished downloading the exploit to our machine, the files should be inside the exploit folder.

The screenshot above shows the original code inside the setup.py file.

We should modify the file by adding os.system("chmod u+s /bin/bash").

By default, we can build the package by running "python3 -m build".

Therefore, let's create the folder on the dashboard.

As a result, we should upload the malicious file via the upload function.

Before we download the tar file to the victim machine, we can verify that /bin/bash has not yet been changed to a SUID binary.

The command above should get us to download the file onto the machine.

Boom! The bash binary has been changed into a SUID binary.

We can read the root flag by typing the "cat root.txt" command.
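The root step works because pip evaluates setup.py when it handles a source distribution, so a sudo rule that allows pip3 download hands that code root privileges. As an added example (not part of the page or of the pip project), the script below shows one static check a defender can run before letting an sdist anywhere near a privileged pip: it unpacks the tarball in memory, parses each setup.py with the ast module and reports calls to shell-spawning functions. The RISKY_CALLS set, the sample tarball builder and the two sample setup.py files are constructed for this example; the backdoored sample reuses the one line the page describes adding.

```python
import ast
import io
import tarfile
from typing import List

# Calls a setup.py has no legitimate reason to make. The set is an assumption
# for this example, not an exhaustive list.
RISKY_CALLS = {"os.system", "os.popen", "subprocess.run", "subprocess.call",
               "subprocess.Popen", "subprocess.check_output"}


def _dotted_name(node: ast.AST) -> str:
    """Turn the func node of `a.b.c(...)` into 'a.b.c' ('' if not a plain name)."""
    parts = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    if isinstance(node, ast.Name):
        parts.append(node.id)
        return ".".join(reversed(parts))
    return ""


def risky_calls_in_source(source: str) -> List[str]:
    """Return every risky call site found in a Python source string."""
    return [_dotted_name(n.func) for n in ast.walk(ast.parse(source))
            if isinstance(n, ast.Call) and _dotted_name(n.func) in RISKY_CALLS]


def audit_sdist(data: bytes) -> List[str]:
    """Scan each setup.py inside an sdist tarball (given as bytes)."""
    hits: List[str] = []
    with tarfile.open(fileobj=io.BytesIO(data), mode="r:*") as tar:
        for member in tar.getmembers():
            if member.isfile() and member.name.rsplit("/", 1)[-1] == "setup.py":
                src = tar.extractfile(member).read().decode("utf-8", "replace")
                hits.extend(risky_calls_in_source(src))
    return hits


def build_sample_sdist(setup_py: str) -> bytes:
    """Constructed sample: a minimal .tar.gz holding only pkg-1.0/setup.py."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        body = setup_py.encode()
        info = tarfile.TarInfo("pkg-1.0/setup.py")
        info.size = len(body)
        tar.addfile(info, io.BytesIO(body))
    return buf.getvalue()


# Constructed samples: a setup.py carrying the page's SUID line, and a benign one.
BACKDOORED_SETUP = (
    "import os\n"
    "from setuptools import setup\n"
    'os.system("chmod u+s /bin/bash")\n'
    'setup(name="pkg", version="1.0")\n'
)
BENIGN_SETUP = 'from setuptools import setup\nsetup(name="pkg", version="1.0")\n'

if __name__ == "__main__":
    for label, src in (("backdoored", BACKDOORED_SETUP), ("benign", BENIGN_SETUP)):
        print(label, audit_sdist(build_sample_sdist(src)))
```

Treat this as a tripwire rather than a guarantee: anything that can be written in setup.py can be obfuscated past a name-based scan, so the durable fix is the sudo rule itself. Never grant pip (or any interpreter that executes package code) to an unprivileged user via sudo, and where packages must be installed as root, install only from pinned hashes and prefer wheels, which carry no setup.py to execute.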
