HackTheBox — RedPanda

ARZ101
7 min readNov 26, 2022

Red panda, an easy rated linux machine, involved a spring boot application vulnerable Server Side Template Injection (SSTI) which was blocking few characters to not allow remote code execution, using any encoder for generating payload for java runtime exec, we get the shell as woodenk user, running pspy a jar file was being executed as root user which was dealing with XML and abusing XXE by performing directory traversal we can read any file as the root user.

NMAP

Nmap scan report for 10.10.11.170
Host is up (0.089s latency).
Not shown: 65533 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.5 (Ubuntu Linux; protocol 2.0)
8080/tcp open http-proxy
| fingerprint-strings:
| GetRequest:
| HTTP/1.1 200
| Content-Type: text/html;charset=UTF-8
| Content-Language: en-US
| Date: Sat, 09 Jul 2022 19:01:58 GMT
| Connection: close
| <!DOCTYPE html>
snip..
|_ Request</h1></body></html>
| http-methods:
|_ Supported Methods: GET HEAD OPTIONS
|_http-title: Red Panda Search | Made with Spring Boot

PORT 8080 (HTTP)

On port 8080 we see an animation of a fox having a search bar and the title bar tells us that it’s made on Spring Boot which is a java web framework

I tried some stuff like putting a single quote ' to see if there's sqli or some command injection

Fuzzing for files with gobuster we find an endpoint /stats

This shows two potential usernames damian and woodenk, clicking on either one of them will show us an option to export table and a GET parameter author

I tried fuzzing for LFI through a payload list which failed as well

On clicking Export table it downloads an xml file

Foothold

But we can’t really change the contents of xml so there’s no chance ofXXE, testing for SSTI it was vulnerable to Thymeleaf which is a template engine for spring boot, testing it with @{7*7]

So we know that it’s vulnerable to SSTI, let’s try to get RCE and look for any payloads if there are

But this payload didn’t worked and gave an error that there are banned characters

I tried different fragment expressions

And * this one worked with our payload

For getting a reverse shell I tried bunch of things, encoding the reverse shell with base64 and sending it off but I didn't get a connection back

I searched around for ways to generate java runtime exec payloads and found an encoder for that

Stabilizing the shell with python3

Since we are in logs group, I checked if this group has access anywhere

The reason we are in this group is because the panda search is application is being ran as woodenk as user and with logs group

Checked for sudo -l which was asking for a password

I transferred linpeas to enumerate the machine

It didn't found anything but pspy we can see something running in background as root user

Privilege Escalation

In /opt , we can see a clean up script removing every jpg and xml files from every publicly writable directory

We can check the source code of panda search MainController.java

In the source code we can see that it's looking for either damian_creds.xml or woodenk_creds.xml in /credits and reading the contents

We can find the password of woodenk user here

But it was useless as we wouldn't be in the logs group also this file isn't important as the one which is running as root through cronjob is credit score /opt/credit-score/LogParser/final/src/main/java/com/logparser/App.java

First it's going to set arguments from the log file from which it can parse the values and separate them with ||

In IsImage function it's going to check for a jpg image extension file , will come back to it later

From getArtist function it's going to read the meta data of the image specifically the name of Artist of the image

Lastly the main function from which the code will start from which wiil read the uri part from the log file separated by ||, it will check if there's a jpg image file in the uri, if there is , it's going to fetch the artist name of the image file and it's going to send the value to addviewto function which will check if the uri of the image is the similar the one present in the xml file

So to perform the XXE, first we need to make jpg image file point to an artist name and it could be any name so I’ll be setting it to uwu but we don't have write permissions in the directory where the source code is running so we'll need to perform directory traversal to /home/woodenk

For the xml file we need to name it artist + creds.xml, so it's going to be uwu_creds.xml also we need to add the location of the image in uri and this needs to be the same as the one in the log file

Method 1

Transfer both the image and xml file in woodenk’s home directory

Now to add the uri of this image file we’ll perform a directory traversal from /clients as the path is hard coded /opt/panda_search/src/main/resources/static + uri , here uri is our input where we'll perform directory traversal to our image file location /home/wendook/smooch.jpg

echo "200||10.10.14.36||Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:101.0) Gecko/20100101 Firefox/101.0||/../../../../../../../../../../home/woodenk/smooch.jpg" > ./redpanda.log

After waiting for some time we’ll see the root ssh key being reflected in uwu xml attribute which we set

Method 2

The second way is also with XXE but it’s with blind SSRF which is also known as out of band XXE, through which we’ll get the root flag by transferring an xml file having an entity to make a request to our server with the entity having the flag contents as a parameter being passed on to our hosted xml having the entities to load the contents

We’ll transfer this on the target machine

And host this xml file on our python server

References

--

--