Introduction

Oopsie is the second machine in the HTB Starting Point series, and its difficulty rating is very easy. The name hints at a mistake. I am blogging while trying to solve it, so expect some rabbit holes.

Starting Point Machines
. . .

Scanning & Enumeration

> ------------------------Nmap Results-----------------------------<
--------------------------------------------------------------------
Starting Nmap 7.91 ( https://nmap.org ) at 2021-06-16 00:46 IST
Nmap scan report for 10.10.10.28
Host is up (0.44s latency).
Not shown: 998 closed ports
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 61:e4:3f:d4:1e:e2:b2:f1:0d:3c:ed:36:28:36:67:c7 (RSA)
|   256 24:1d:a4:17:d4:e3:2a:9c:90:5c:30:58:8f:60:77:8d (ECDSA)
|_  256 78:03:0e:b4:a1:af:e5:c2:f9:8d:29:05:3e:29:c9:f2 (ED25519)
80/tcp open  http    Apache httpd 2.4.29 ((Ubuntu))
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: Welcome
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
Network Distance: 2 hops
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
TRACEROUTE (using port 554/tcp)
HOP RTT       ADDRESS
1   499.93 ms 10.10.16.1
2   296.19 ms 10.10.10.28
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 58.57 seconds
--------------------------------------------------------------------

From the results above, let us populate our Service Version Enumeration Table.

Service Version Enumeration Table

HTTP Enumeration

Well, we know SSH is not usually the way in, so we start with HTTP.

Landing Page

We take the happy path before going malicious and try to view the website like any normal user.

gobuster dir -u http://10.10.10.28/ -w /opt/seclists/Discovery/Web-Content/big.txt -t 20

Finally, we get a login page at /cdn-cgi/login.

I tried SQL injections and some default passwords. Finally, I realized I had a password (I am not sure if I can reveal the password here) from the first box in the series, so with the username admin and that password, we log in.

Repair Management System - After Logging In

Now we again take the happy path and gather some more information.

When we try to open the uploads section:

Upload Feature

We come across the following message: “This action requires super admin rights”. So I started looking for other usernames/accounts. That’s when I found that we have a client named Tafcz with the contact email [email protected], who also owns an account with id = 4, and 8832 is the access id for Tafcz. The access id is what the application uses to decide who may do what, so now we have to brute-force different ids. Let's do that using Burp. Finally, I got the access id for super admin.

Access ID - 86575

With this access id, we click on uploads and intercept the request in Burp, and replace the access ID.

Upload Feature

We finally get the upload option!

. . .

Vulnerability Analysis

We have super admin rights and we have an upload page. This should be an insecure piece of functionality where I can upload a malicious PHP file and gain a reverse shell. Let’s try that.

Upload Reverse Shell

We were able to upload the malicious file. The next task is to find the location where these files are uploaded.

. . .

Exploitation

In reverse-shell.php, add your IP and port, and start a listener.
Change the cookie to contain the id of the super admin.

Edit Cookie

Access the reverse shell

And we finally get the basic shell.

Shell with User Privileges
. . .

Lateral Movement

I logged in and kept looking at different files. One of the best tips is to look through the web directory for config files. I found a db.php file which has credentials.

Contents of db.php

I have a hunch that this can be the password for the user Robert.

SSH as robert successful

And we were able to log in. We still do not have admin rights. So the saga continues.

. . .

Privesc

Now we run linpeas and go through the results.

Local Ports

Some useful ports; we will try to check these out as well.

Interesting groups

We saw that we are in the group bugtracker as well; this might be the intended vector.

run the bugtracker binary

But we need to get a tty.

Source Code of binary bugtracker

We see that the binary calls cat without an absolute path, so it is resolved through our PATH. So we can create a custom cat file and add its directory to the front of the path.

Shell with Root Privileges

And we got root.

. . .

Summary | TL;DR

  1. Scan ports using Nmap.
  2. Reuse the password to log in as admin.
  3. Find the access code for super admin using brute-force.
  4. Upload a PHP reverse shell.
  5. Reuse the password from the config files to log in as robert.
  6. Priv esc using the binary bugtracker, which has the SUID bit set and calls cat without an absolute path.
. . .

Parting Thoughts

In this machine, we learned the following:

  1. We should not reuse passwords
  2. When writing shell scripts, we should define absolute paths to binaries and ensure that no one has permissions to rewrite those binaries.
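
To make the second lesson concrete, here is an added example (not the box's own bugtracker source): the weak pattern the write-up describes, a SUID program running `cat` through the caller's PATH with a user-supplied id, beside a hardened version that validates the id, calls `/bin/cat` by absolute path with a fixed environment, and execs without a shell. The `/root/reports` directory and all function names are assumptions for illustration.

```c
/* Added example, not the bugtracker source from the box: weak pattern (for
 * contrast) beside a hardened one. Directory and function names are assumed. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <ctype.h>
#include <unistd.h>
#include <sys/wait.h>

/* Weak pattern: `cat` is resolved through whatever PATH the caller set, and the
 * id is pasted into a shell command line. Do not use. */
int show_report_weak(const char *id) {
    char cmd[256];
    snprintf(cmd, sizeof cmd, "cat /root/reports/%s", id);
    return system(cmd);
}

/* Accept only a short, all-digit report id, so neither path traversal nor
 * shell metacharacters can reach the filesystem. */
int report_id_is_valid(const char *id) {
    size_t n = strlen(id);
    if (n == 0 || n > 9) return 0;
    for (size_t i = 0; i < n; i++)
        if (!isdigit((unsigned char)id[i])) return 0;
    return 1;
}

/* Build "<dir>/<id>" from a validated id; returns 1 on success, 0 otherwise. */
int build_report_path(const char *dir, const char *id, char *out, size_t outlen) {
    if (!report_id_is_valid(id)) return 0;
    int n = snprintf(out, outlen, "%s/%s", dir, id);
    return n > 0 && (size_t)n < outlen;
}

/* Run /bin/cat by absolute path, with a fixed environment and no shell.
 * Returns cat's exit status, or -1 if fork/exec/wait failed. */
int cat_file_hardened(const char *path) {
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        char *const argv[] = { "/bin/cat", (char *)path, NULL };
        char *const envp[] = { "PATH=/usr/bin:/bin", NULL }; /* caller's PATH ignored */
        execve("/bin/cat", argv, envp);
        _exit(127); /* only reached if execve failed */
    }
    int status;
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}
```

Even with the hardened version, the binary should still be audited for whether it needs the SUID bit at all, since validation only narrows what a low-privilege user can make root read.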

Thank you for reading, please provide your feedback and share it with people who are in need. :)

. . .