BountyHunter 10.10.11.100
by 130n@calvinlai.com, 11 Sep 2021
Background
BountyHunter is a Linux-based machine from HackTheBox that requires patient web searching, some encoding concepts, and Python hacking skills for the privilege escalation.
XXE is the technique used for gaining initial access. The web application is vulnerable to XML injection, which allows an attacker to interfere with the application's processing of XML data. This loophole can be used to read configuration files on the target system; a DB configuration file contains a login credential that can be used to gain access.
The initial account can execute a Python script with root privilege. This Python script is exploited through one of these dangerous functions: eval(), exec() and input().
Target Machine: 10.10.11.110
Attacker Machine: 10.10.14.3
Hacking Process Part 0 – Service Scanning
Nmap
1) nmap -p- -T5 --min-rate=1000 10.10.11.100 -oG fkclai.nmap
2) nmap -p $(grep -Eo '[0-9]{1,5}/open' fkclai.nmap | cut -d '/' -f 1 | tr -s '\n' ',') -sC -sV 10.10.11.100 -oN nmap-result.txt
Enumeration Strategies
No vulnerability was found on the SSH and HTTP services, so the next step was to review the web application for any information leakage or misconfiguration.
Hacking Process Part 1 – Enumeration
With basic web enumeration using gobuster, a set of web pages was found; the following one, with a submission function, was interesting.
The data passed to the backend server was base64- and URL-encoded. After decoding, an XML payload was found, as below.
Possible XML Injection
Trying the XML External Entity (XXE) Injection Payload List showed that the site was injectable. The files below were accessed; finally, the db.php file contained a login credential.
/etc/passwd
/index.php
/db.php
The syntax of the injection payload is below; remember to encode it with base64 + URL encoding before sending it in the HTTP request.
The CyberChef tool was used to prepare the encoded payload.
PD94bWwgIHZlcnNpb249IjEuMCIgZW5jb2Rpbmc9IklTTy04ODU5LTEiPz4KPCFET0NUWVBFIHJlcGxhY2UgWzwhRU5USVRZIHh4ZSBTWVNURU0gInBocDovL2ZpbHRlci9jb252ZXJ0LmJhc2U2NC1lbmNvZGUvcmVzb3VyY2U9ZGIucGhwIj5dPgoJCTxidWdyZXBvcnQ%2BCgkJPHRpdGxlPmE8L3RpdGxlPgoJCTxjd2U%2BYjwvY3dlPgoJCTxjdnNzPmM8L2N2c3M%2BCgkJPHJld2FyZD5lPC9yZXdhcmQ%2BCgkJPC9idWdyZXBvcnQ%2B
After submitting the above payload, the response HTML contained a set of base64-encoded messages.
Decoding the message revealed a database login credential.
Hacking Process Part 2 – Gaining Foothold
Using the credential found in db.php to access the SSH service failed to log in.
According to the passwd file obtained in the above process, there was a user "development".
SSH login with the account "development" and the password "m19RoAU0hP41A1sTsq6K" succeeded, and the user flag was found.
a0929aa9a9ec25cec7bc41a139f2b829
Hacking Process Part 3 – Privilege Escalation
Simply listing the sudo rights of this account showed something interesting: a Python script that could be executed as root with no password required.
Check the ticketValidator.py file.
The Python script reads an input file with the extension .md and applies the following logic:
The first three lines of the input file should be
The fourth line must start with ** and contain a number with "+" at the end
The number must be greater than 100 and its value mod 7 must be 4
Ultimately, I found the magic number 102. The "eval" function was the advantage here, according to the article Python Hacking. In order to make the eval statement true and make the attack work, let eval evaluate one more condition.
Finally, I created the following file:
Running the Python script gave root access.
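The rules above are exactly the kind of check that should never go through eval(). The script below is an added example (not the ticketValidator.py from the box, which is not reproduced on this page) that re-implements the described rules with a regex and int(), so that anything other than a bare number on the fourth line is rejected instead of evaluated. The exact line format (**, digits, +) and the three placeholder header lines are assumptions.

```python
import re
from pathlib import Path

# Assumed ticket line format from the writeup: "**" + digits + "+".
# A strict regex is the difference from eval(): extra operators, names or
# calls do not match and are therefore never executed.
TICKET_LINE = re.compile(r"^\*\*(\d+)\+$")


def parse_ticket_number(fourth_line):
    """Return the ticket number from the fourth line, or None if the line is
    not exactly '**<digits>+'."""
    match = TICKET_LINE.match(fourth_line.strip())
    return int(match.group(1)) if match else None


def validate_ticket_lines(lines):
    """Apply the rules from the writeup to the ticket's lines:
    fourth line of the form **N+, N > 100 and N % 7 == 4.
    Returns (ok, reason) so callers can log why a ticket was refused."""
    if len(lines) < 4:
        return False, "ticket needs at least four lines"
    number = parse_ticket_number(lines[3])
    if number is None:
        return False, "fourth line is not of the form **<number>+"
    if number <= 100:
        return False, "number must be greater than 100"
    if number % 7 != 4:
        return False, "number mod 7 must be 4"
    return True, "valid ticket"


def validate_ticket_file(path):
    """Read a .md ticket from disk and validate it; other extensions are refused."""
    ticket = Path(path)
    if ticket.suffix != ".md":
        return False, "only .md tickets are accepted"
    return validate_ticket_lines(ticket.read_text().splitlines())


if __name__ == "__main__":
    # Constructed sample tickets; the header lines are placeholders because the
    # page does not show the real first three lines.
    good = ["header line 1", "header line 2", "header line 3", "**102+"]
    extra = ["header line 1", "header line 2", "header line 3", "**102+1+"]
    print(validate_ticket_lines(good))   # (True, 'valid ticket')
    print(validate_ticket_lines(extra))  # rejected: not a bare number
```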
Conclusion
To prevent the XXE vulnerability, set libxml_disable_entity_loader to true so that external entities in the XML input are not loaded. (In PHP 8 this function is deprecated because external entity loading is already disabled by default.)
Reference
https://documentation.help/InfoSec-cn/8d5649b4-8523-4cbf-b4bb-8424f871f7b2.htm