HackTheBox - Bagel

IppSec · Beginner ·🔐 Cybersecurity ·3y ago

Key Takeaways

The video demonstrates how to exploit vulnerabilities in a Linux-based system with a .NET application running on Port 5000, using tools such as nmap, burp, and dnspy to gain root access.

Full Transcript

what's going on YouTube this is ipsack I'm doing bagel from hack the box which is a Linux box that also features.net it's pretty cool now that.net core runs on Linux the first step of the Box though is just a standard python flask web server that features a file disclosure vulnerability you can leak its source code to reveal it talks to the.net application over Port 5000 and you can also use that same file disclosure to brute force pids in the slash proc directory and see all the running processes of the box or at least the processes you have access to and one of those CMD lines that you can see leaks where the dll for the.net web server is so you use the file disclosure to download the dll do some light reversing discover there's a deserialization vulnerability in the net web server that leads to you extracting a SSH key and then the privest of the box is sudowic.net you can use that with FSI it's called the F-sharp interactive mode and they can just execute commands right on it as root so with that being said let's just jump in as always we start off with an end map so Dash SC for default scripts as V enumerate versions OA I'll put all formats playing the end map directory and call it Bagel then the IP address of 10 10 11.201 this can take some time to run so I've already ran it looking at the result we have just three ports open the first one is SSH on Port 22 and its Banner tells us it's an open SSH server we also have Port 5000 that is open and based upon these headers it looks like it is a web server and we see Microsoft netcore 2.0 so you may think this is a Windows box but we can validate that by using the TTL so if I do a ping 10 10 11 201 we see the TTL is set to 63. the default TTL on Linux is 64 so it documents by one and you get 63 so we know this is Linux if it was Windows the default TTL there is 128. document that by 1 127 so if we saw 127 that would be Windows 6 D3 would be Linux it is odd that is running.net on Linux but that is possible nowadays so we also have Port 8000 that is open it's running work Zog and that's Python 3.10 and looking deeper into this we can see it is redirecting us to bagel.hdb with page is equal to index.html so this looks like a textbook file disclosure vulnerability right so let's add this to a host file so sudo VI Etsy host then 10 10 11 201 we can do bagel.htb and then let's just go there so bagel.htb we can try Port 5000 first and we just get a white page so let's try port 8000. and we have welcome to the bagel shop and scrolling down we can see it just looks like a shop I don't see any way to order anything and these Bagels I'm hoping this is like a dozen or two because 22.50 for a sweet Bagel that is one expensive Bagel um so there is a slash orders page if we go there it looks like it just leaks all their clients so this would be a vulnerability right off the bat oh it could we can see p Morgan bought 20 chocolate Bagels in his address like this is just a horrible online shop but I don't know exactly what to do with orders we could probably go Buster this and try to find other endpoints but whenever I see page is equal to something I always test for file disclosure right and I'm saying file disclosure purposefully because it's technically not an lfi unless it actually executes code the inclusion part of lfi comes from like PHP include statements where it executes code right so since this is python I'm going to guess it's just going to be file disclosure technically but most people call it lfi because you include a local file but semantics right so we're in the repeater tab we can look at this it's just giving us a not modified we do have some caching headers so if I remove these um it tells us it just gives us the page right and then we also get um the header so we could do caching if we want to but when we're testing we generally want to get rid of the cache so the first thing I want to test for is um lfi right or file disclosure and with test for birth file and director file disclosure with directory traversal by putting a bunch of dot dot slashes and we can see we get the Etsy pass WD file now the very first thing I generally check is like proc self CMD line and we can see uh where we're running out of so we're running out of home developer app app.pi so let's try um including this so we'll do home developer app app.pi and we can get the application Source burp is not showing us the spaces that start on a line so if we wanted to we could just copy this and then do curl bagel.hdb paste it in uh we need to specify Port 8000 and then Dash o app.pi to save it there so we got the web Source we can also test for like SSH keys so we can do dot SSH ID RSA we get file not found one of the things I always like testing for when we um have some type of file disclosure is if it can enumerate a valid directory we know home developer does exist we try accident we get file not found we put something that doesn't exist I assume this directory doesn't we get the same thing so we can't validate if directories exist unfortunately um we could do like proc self Environ and get all the environment variables to see if there's maybe like some type of secret key but it doesn't look like there is um if for some reason we couldn't access this proc directory um like python applications are probably going to be named like app.pi or server.pi so we could do Pages equal to app.pi we don't get it dot dot slash and then we do get it so um two different ways to get it obviously knowing the file name is much quicker but if you go the long route of a numerating proc self you'll almost always be able to find the python source code so let's go take a look at it so let's open up nvim and we can look at the source so the default route the just slash page or index page it's going to check if page is in request.arguments if it's not it's going to send a redirect if it is then we're going to build the paths or static slash the argument so this is why we need to do dot dot slash app.pi because it's putting static in front of it and then we check with the file and send the file back to the user so nothing too interesting there we've already discovered the file disclosure then we have this orders and there is a comment here saying don't forget to run the order app first with.net path the dll command use your SSH key to access the machine so um this is definitely going to be Port 5000 we already know that's running.net and then it's just doing a websocket connection so it's not really a web server it's a websocket server right and then it's sending read order orders.txt and there's outputting the data so let's test this out um let's connect through websockets and I'm going to use a tool called WS cat if you don't have it you can do a sudo npm install Dash gws cat to get it but with it it'll just let us connect to a websocket and send text right so I'm going to do WS cat and then Dash C to connect and we'll do WS 10 10 11 201.5 000. and it says it's connected so I'm going to grab read order out of app.pi I'm going to send it this string and I think I know what we're going to get back because we saw the slash orders page right if we do this um we do get unauthorized but it does output a list of all the orders so um we can access this right I'm not going to play too much in the read order because we already found a file disclosure vulnerability I guess this could be running as a different user but my main thing is um around the comment of the dll right if we look at it we want to know exactly where this dll is because if we find it we can extract the source code to this and then analyze the application that's running right and if we go back to the file disclosure we can easily do something right so we do Rock self CMD line this is just getting our own PID right but if we specify the PID we can see the running process there's also maybe um scad underscore debug will this show us let's see what is that LS proc grep so I guess that's just not there sometimes you can get running processes from this file but if we just brute force all these pids we may be able to get um where the dll is right so let's run a quick script to do this so I'm going to copy this and I'm going to do 4 i n then we can do sequence zero to a hundred oh let's do a thousand and then we'll say do Echo I will do dash n I probably should put this in a script um process.sh there we go this will be easier for you to read set zero a thousand do and then we'll do Echo dash n so the dash n is just saying don't put a line break there and now we can do curl bagel.htb Port 8000 page is equal to this I'm going to do I dot CMD line and then done what happens when we run this uh we probably want this dash dash output to say um standard out so let's see um if I do curl Bagel hdb 8000 we can just grab this one so I can show exactly what happened there Pages equal um we do Dash o this because for some reason Carl thinks this is a binary file and it doesn't want to Output it so we do Dash o dash to force it to um the other thing is it's not putting a line break for us so we're going to put a aggregate command afterwards so we have this Dash o dash and I'm going to give it a blank Echo then we can run dump process and we're getting everything I'm going to use T just so we have it outputting I was hoping to Output to a log uh let's see is it Dash Q to hide that for quiet let's see man curl there's a silent dash s there we go so it's going to write everything to process.log just so we have a record of it and I'm going to pause the video I'm going to resume when this is all dumped so we have an output of the first 1000 pids and that should be in the file process.log so I'm just going to grab for anything that be or has a slash because I don't want to see these file not founds and also um if we didn't have permission to it it just displayed nothing right so uh maybe grab Dash I there we go so now we can see a list of everything we want and we see.net is running out of opt Bagel bin debug net 6.0 bagel.dll so let's copy this and try to download it right so we can curl bagel.htb Port 8000 page is equal to a bunch of Dot slashes and then this path fix that we'll call it bagel.dll and we have it if we look at it we can see it's a net assembly so I'm going to copy it over to my windows box and we're going to run Dance by against it to decompile it so over on windows open up dnspy we can do file open go to desktop bagel dll and we have the source code Let's see we want to go expand Bagel server so in the bagel server we have main it's going to initialize it and then do an infinite Loop just leaping for a second and the whole reason it does this is just so it doesn't Peg a processor whenever you want to just wait forever just don't do a blank Loop make sure there's a sleep involved so that way you don't Spike the CPU to 100 we initialize it we start it then here's message received and we're going to get a string and then deserialize it and then send it back so let's look at what the DCL as I done deserialization function looks like and we see it's doing Json convert.dcli's object and it's taking the base object and we got type name handling for so we shouldn't figure out what this is so I'm going to grab um type name handling so it's on my clipboard and then I'm going to go up to the top and we're going to see it's using the Newton soft Json Library so let's ask chat gbt exactly what this is so I'm going to say um what is type name handling equals four and Dot Nets Newton soft Json Library and it's going to say 4 refers to Value objects I want to say the one thing I don't like about using chat gbt is we always get different things the last time I asked it it was said four was set to Auto so um it's not always going to lead to the correct answer right um let's see I wonder if I just search type name handling and we um do it the old-fashioned way of research type name handling Newton soft uh we probably should take burp Suite off type name handling Newton soft so let's see creates an object so essentially um what we have I'm going to try just explaining this this piece will be helpful later um but the type name handling is going to be um how it can be serialized or what can be serialized and when it's set to four it's either all or automatic I want to say it's automatic which means it's going to Auto discover what the setting is so this enables us essentially to make it an object and we make it an object we can find those gadgets and create our own types of functions right so this is the dangerous setting of type name handling it wants it probably should be like one or two just so you can't deserialize objects and it says it's going to be the base object we can click here and see what it is so it's going to be um orders so we only have access to um orders it looks like and the object's going to include a user ID a session a Time and then in the orders class we probably have remove order right order and read order and read order is what we did before to get order.txt right and this is a string this is a string but remove order is an object so um since it's an object when we deserialize this we can make it call other things within this application so if we go over to the file Handler we have read file so we can make a remove order object become read file and then read any file we want we also got read content um let's see I think there's a set file as well right file so we can also write files to the disk and by default it's going to be out Bagel orders orders.tax but again we're able to change this there's also a DB class and in DB it does leak credentials so we got Dev with this password if we tried spraying this password nothing works um the hint in the python code does say you should um attempt to use SSH keys for login right if I go back to app.pi use your SSH key to access this machine so I'm guessing the user that is running this.net app is different and we're able to um read their SSH key right so what users are on this box first if we go back to burp Suite and let's do Etsy pass WD we can try fill and developer um we already tried developer from this we could also try home fill SSH ID RSA and we can't get it from this but maybe the.net application is running as fill and we can leak the source code so we want to make an object and this type thing in here is definitely key so this is how we specify the object so it goes um type is let's see going to be Bagel server and then the um file so let's do I'm going to make this in a text file so first we do remove order and then we create our object right so I want to say type and then we want I wonder if I think I just do how is this done and it's in quotes so we do Bagel server dot file because this is what we want to read and then this piece is going to be the assembly name and the assembly name here is going to be bagel so inner object we can specify bagel so the next piece we want is going to be uh read file and then we want um probably file name so let's do read file and then a file name of etsy pass WD and then close out the Json object we can cat it pipe the JQ to make sure we wrote a valid Json and let's just send this over so let's do WS cat again WS cat Dash C websocket 10 10 14 8 not 10 48 10 10 11 201.5 thousand I don't need a period there send this and we get order not found so let's go back over to the source code and let's see read file um it's reading this directory this file name and we're right here at read content and we caught the exception because we said order not found if we scroll all the way down we see directory asset the op Bagel orders and the file name is orders.txt so let's do directory traversal again and we'll do three dot dot slashes to get out of opt Bagel orders so we can do T dot slash dot dot slash dot dot like this and now we have successfully read this file so let's now go read sh Keys again so we can do home uh developer SSH idrsa order not found the other user was fill and we get an sh key so let's grab this and I'm going to do printf because printf is going to obey these um backslash ends or I thought it would we do printf uh I don't know why they did not work that's just V we'll call this fill.id or s a paste it in percent s replace line break with backslash R backslash n that did not work let's try this again replace line break with line break backslash R there we go that looks better so let's chmod 600 fill idrsa sh Dash I fill idrsa and fill at 10 10 11 201 yes and we get logged into bagel and there is user.txt right there if we go in this.net directory nothing really too interesting if we do sudo-l we need the password for fill um if we go back to the source code there was this database right and we saw user ID Dev and a password of this K8 right so let's grab this paste it in and it did not work so I'm going to control C make sure it was on my clipboard correctly it is and let's try um other uses for this password Etsy pass WD will grab everything that ends in sh there is a developer user this password was for a Dev so maybe this is that user's password and we can log into developer and that's where the python web server is right so let's do a sudo-l and we can see developer is able to run.net so we can pretty much run any.net application if I do GTFO bins we do a search let's look at dot net we can see there is a pseudo and if we do um FSI system diagnostic process start bensh it looks like it will allow us to run a shell so I'm going to copy that we'll do sudo userbin.net enter do LS let's see quit Ctrl D there we go it put this on two lines so let's make sure this goes on one line put this in a single quote let's see unable to find this that did not work wait I think it told me it can't find a file right it didn't try to run the command unable to find the file system diagnostic so it's expecting this to be a file name and not a um command I bet if I just ran it here in this terminal which looks like it's running.net code there we go so if I do ID now we can see we are root um I guess SE Linux is also enabled because we have this context but if I do CD slash root we can get root dot text if we go CD bagel I guess that's the dot net binary I don't know what Bagel is uh a Linux executable health so if we exit this I just want to test this out real quick what if I put this as a file so I'm going to V Dev shm test.cs but this and let's do Dev shm test dot CS it wants FS FSI okay we'll do FSI extension I'm not exactly sure what this mode is we know how to abuse it we don't know what FSI is um start F sharp Interactive or execute F sharp scripts so we're not doing um the typical.net this is F sharp I guess and I'm guessing there's some magic bytes that we want for an FSI file um because if we run this what'd it say unexpected identifier and signature file yeah so we're just in um an interactive mode where you can run F-sharp commands so that's where the thing came from so hopefully that somewhat makes sense but that's going to be the video hope you guys enjoyed it take care and I will see you all next time

Original Description

00:00 - Introduction 01:00 - Start of nmap 02:50 - Taking a look at the web page 04:30 - Looking for LFI, then exploring /proc to find where the application is and extracting the source code 06:30 - Taking a look at the Python Source Code and discovering port 5000 is the dotnet application and uses websockets 07:55 - Using wscat to test the websocket 09:00 - Bruteforcing the /proc/{pid}/cmdline directory in order to see running processes and find the dotnet dll 13:45 - Reversing Bagel.dll and discovering a deserialization vulnerability in dotnet which allows us to read files 15:00 - Looking at what TypeNameHandling means in NewtonSoft's deserialize 20:00 - Looking for a gadget to use with our deserialization 21:40 - Building the deserialization payload 23:20 - Dumping Phil's SSH Key, then logging in 25:00 - The dotnet app, had developers password, switching to that user 25:50 - Developer can run dotnet with sudo, using the FSI gtfobin to get a shell.
Watch on YouTube ↗ (saves to browser)
Sign in to unlock AI tutor explanation · ⚡30

Playlist

Uploads from IppSec · IppSec · 0 of 60

← Previous Next →
1 HHC2016 - Analytics
HHC2016 - Analytics
IppSec
2 HackTheBox - October
HackTheBox - October
IppSec
3 HackTheBox - Arctic
HackTheBox - Arctic
IppSec
4 HackTheBox - Brainfuck
HackTheBox - Brainfuck
IppSec
5 HackTheBox - Bank
HackTheBox - Bank
IppSec
6 HackTheBox - Joker
HackTheBox - Joker
IppSec
7 HackTheBox - Lazy
HackTheBox - Lazy
IppSec
8 Camp CTF 2015 - Bitterman
Camp CTF 2015 - Bitterman
IppSec
9 HackTheBox - Devel
HackTheBox - Devel
IppSec
10 Reversing Malicious Office Document (Macro) Emotet(?)
Reversing Malicious Office Document (Macro) Emotet(?)
IppSec
11 HackTheBox - Granny and Grandpa
HackTheBox - Granny and Grandpa
IppSec
12 HackTheBox - Pivoting Update: Granny and Grandpa
HackTheBox - Pivoting Update: Granny and Grandpa
IppSec
13 HackTheBox - Optimum
HackTheBox - Optimum
IppSec
14 HackTheBox - Charon
HackTheBox - Charon
IppSec
15 HackTheBox - Sneaky
HackTheBox - Sneaky
IppSec
16 HackTheBox - Holiday
HackTheBox - Holiday
IppSec
17 HackTheBox - Europa
HackTheBox - Europa
IppSec
18 Introduction to tmux
Introduction to tmux
IppSec
19 HackTheBox - Blocky
HackTheBox - Blocky
IppSec
20 HackTheBox - Nineveh
HackTheBox - Nineveh
IppSec
21 HackTheBox - Jail
HackTheBox - Jail
IppSec
22 HackTheBox - Blue
HackTheBox - Blue
IppSec
23 HackTheBox - Calamity
HackTheBox - Calamity
IppSec
24 HackTheBox - Shrek
HackTheBox - Shrek
IppSec
25 HackTheBox - Mirai
HackTheBox - Mirai
IppSec
26 HackTheBox - Shocker
HackTheBox - Shocker
IppSec
27 HackTheBox - Mantis
HackTheBox - Mantis
IppSec
28 HackTheBox - Node
HackTheBox - Node
IppSec
29 HackTheBox - Kotarak
HackTheBox - Kotarak
IppSec
30 HackTheBox - Enterprise
HackTheBox - Enterprise
IppSec
31 HackTheBox - Sense
HackTheBox - Sense
IppSec
32 HackTheBox - Minion
HackTheBox - Minion
IppSec
33 VulnHub - Sokar
VulnHub - Sokar
IppSec
34 VulnHub - Pinkys Palace v2
VulnHub - Pinkys Palace v2
IppSec
35 HackTheBox - Inception
HackTheBox - Inception
IppSec
36 Vulnhub - Trollcave 1.2
Vulnhub - Trollcave 1.2
IppSec
37 HackTheBox - Ariekei
HackTheBox - Ariekei
IppSec
38 HackTheBox - Flux Capacitor
HackTheBox - Flux Capacitor
IppSec
39 HackTheBox - Jeeves
HackTheBox - Jeeves
IppSec
40 HackTheBox - Tally
HackTheBox - Tally
IppSec
41 HackTheBox - CrimeStoppers
HackTheBox - CrimeStoppers
IppSec
42 HackTheBox - Fulcrum
HackTheBox - Fulcrum
IppSec
43 HackTheBox - Chatterbox
HackTheBox - Chatterbox
IppSec
44 HackTheBox - Falafel
HackTheBox - Falafel
IppSec
45 How To Create Empire Modules
How To Create Empire Modules
IppSec
46 HackTheBox - Nightmare
HackTheBox - Nightmare
IppSec
47 HackTheBox - Nightmarev2  - Speed Run/Unintended Solutions
HackTheBox - Nightmarev2 - Speed Run/Unintended Solutions
IppSec
48 HackTheBox - Bart
HackTheBox - Bart
IppSec
49 HackTheBox -  Aragog
HackTheBox - Aragog
IppSec
50 HackTheBox - Valentine
HackTheBox - Valentine
IppSec
51 HackTheBox - Silo
HackTheBox - Silo
IppSec
52 HackTheBox - Rabbit
HackTheBox - Rabbit
IppSec
53 HackTheBox - Celestial
HackTheBox - Celestial
IppSec
54 HackTheBox - Stratosphere
HackTheBox - Stratosphere
IppSec
55 HackTheBox - Poison
HackTheBox - Poison
IppSec
56 HackTheBox - Canape
HackTheBox - Canape
IppSec
57 HackTheBox - Olympus
HackTheBox - Olympus
IppSec
58 HackTheBox - Sunday
HackTheBox - Sunday
IppSec
59 HackTheBox - Fighter
HackTheBox - Fighter
IppSec
60 HackTheBox - Bounty
HackTheBox - Bounty
IppSec

The video teaches how to exploit vulnerabilities in a Linux-based system with a .NET application running on Port 5000, using tools such as nmap, burp, and dnspy to gain root access. The lesson covers topics such as file disclosure vulnerability, deserialization vulnerability, and SSH key extraction.

Key Takeaways
  1. Run an nmap scan to identify open ports
  2. Use the file disclosure vulnerability to access the box's files
  3. Extract a SSH key using the deserialization vulnerability
  4. Use the SSH key to access the box as root using FSI
  5. Create a .fsi file and run it using the F# Interactive mode
💡 The video demonstrates how to chain multiple vulnerabilities together to gain root access to a system, highlighting the importance of securing systems against common vulnerabilities and exploits.

Related Reads

📰
Your Background Subagents Can Leak Secrets — Build the Isolation Model
Background subagents can leak secrets, learn to build an isolation model to prevent this
Dev.to · TerminalBlog
📰
CISA Shares Critical Lessons After AWS GovCloud Credentials Exposure
Learn critical lessons from CISA after AWS GovCloud credentials exposure to improve cybersecurity in cloud environments
Medium · Cybersecurity
📰
Cybersecurity News Review — Week 28 (2026)
Stay updated on the latest cybersecurity threats and standards with a review of week 28's news, including old vulnerabilities and new AI-powered threats
Medium · Cybersecurity
📰
Cloudflare Zero Trust Limitations (2026): 7 Ceilings You’ll Hit as You Grow
Learn the 7 limitations of Cloudflare Zero Trust that you'll encounter as you grow, and how to address them
Medium · Cybersecurity

Chapters (14)

Introduction
1:00 Start of nmap
2:50 Taking a look at the web page
4:30 Looking for LFI, then exploring /proc to find where the application is and ext
6:30 Taking a look at the Python Source Code and discovering port 5000 is the dotne
7:55 Using wscat to test the websocket
9:00 Bruteforcing the /proc/{pid}/cmdline directory in order to see running process
13:45 Reversing Bagel.dll and discovering a deserialization vulnerability in dotnet
15:00 Looking at what TypeNameHandling means in NewtonSoft's deserialize
20:00 Looking for a gadget to use with our deserialization
21:40 Building the deserialization payload
23:20 Dumping Phil's SSH Key, then logging in
25:00 The dotnet app, had developers password, switching to that user
25:50 Developer can run dotnet with sudo, using the FSI gtfobin to get a shell.
Up next
Is the CCNA Still Worth It in 2026? The Truth Nobody in IT Tells You #ccna #cisco
Sirat in Tech
Watch →