HackTheBox-Faculty

ARZ101
6 min readOct 22, 2022

Faculty was a medium rated linux machine which involved exploiting Local File Inclusion in mpdf allowing us to read local files, reading the db_connect.php file we’ll get the credentials which will work for gbyolo user, running sudo -l, we’ll see that we can run meta-git through which we can escalate to developer user due to remote code execution, having the capabilities set on gdb allowing to inject commands through a system call in python3 process in getting root.

NMAP

PORT   STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.5 (Ubuntu Linux; protocol 2.0)
80/tcp open http nginx 1.18.0 (Ubuntu)
| http-methods:
|_ Supported Methods: HEAD POST OPTIONS
|_http-server-header: nginx/1.18.0 (Ubuntu)
|_http-title: Did not follow redirect to http://faculty.htb
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

PORT 80 (HTTP)

Visiting port 80 it redirects to faculty.htb, so adding that in hosts file

I tried with a random ID number but it failed

On trying a sqli to bypass login it worked

I intercepted the request with burp to run sqlmap on the parameter to dump database

But the issue that arises is that it’s time-based blind sqli so it’s going to take a lot of time in dumping data, in the meantime I ran gobuster to fuzz for files and directories which found /admin

After bypassing login, we can just visit /admin to access the admin dashboard

From the Course List we have an option to download the course list in pdf format

On intercepting the request we see base64 content in the pdf POST parameter

Using cyberchef we can see that data is first being double URL encoded then base64 encoded and then generated into pdf format and it’s just html data being converted

From the url it seems that it uses mpdf which is a php library for generating pdfs, and from googling it seems that it's vulnerable to remote code execution but that requires a crafted image with php deserlization to be uploaded on the server, there was LFI (Local File Inclusion) through mpdf which was found by Jonathan Bouman

Our payload will look like this

<annotation file="/etc/passwd" content="/etc/passwd"  icon="Graph" title="Attached File: /etc/passwd" pos-x="195"/>

Even tho the page looks empty but on clicking on the attachment it shows the passwd file

From the passwd file we can see two users, developer and gbyolo

I tried to read ssh keys of the users if they were readable and were there

Foothold (gbyolo)

Going back to login page, we can see the error message through sqli which reveals the full path of the php file

Placing the encoded content in the POST parameter again we’ll get admin_class.php

We can see it’s including db_connect.php file which might be having credentials to database

Using the password Co.met06aci.dly53ro.per we can login through ssh as gbyolo user

Privilege Escalation (developer)

We can see a message on login You have mail , on checking /var/mail/gbyolo it tells that we can manage git repositories belonging to faculty group

Doing sudo -l we can run meta-git as developer user

I didn’t find any files owned by faculty group but meta-git itself was vulnerable to remote code execution. It doesn’t sanitize user input so we can execute arbitrary commands

This user is in debug group and checking what files or folders does this group have access it to reveals that it can run gdb binary

Privilege Escalation (root)

Checking the capabilities on this system it seems that gdb has cap_sys_ptrace through which we can inject commands into the process

https://book.hacktricks.xyz/linux-hardening/privilege-escalation/linux-capabilities#example-with-binary-1

We need to find the process id (pid) of processes running as root user

I first tried attaching the process of id of cronjob 908

But this didn’t worked, next I looked for another root owned process which was running python3 with process id 730

Attaching it to a python3 process makes it possible to execute system calls and we can execute arbitrary commands, all that is left is to get a reverse shell

The reason why it only worked with python3 process was that somehow python3 loads some libraries which includes system object which was pointed by Kavi

References

--

--