Curling

14 January, 2019

_[HackTheBox](https://www.hackthebox.eu/) is a free pen-testing lab where you can prove yourself as a hacker_

The machine's name is Curling. You all know the 'curl' command? Chances are that you will have to use it.

First things first, what you want to do if you have a target is to nmap it.

nmap -sC -sV 10.10.10.150

Quickly you find that port 22 and port 80 are open.

These are usually the SSH and HTTP ports. nmap also tells us that a Joomla website is running on port 80.

We then go ahead and check with our browser what kind of content the user is sharing with the world.

Well, it's about curling - the sport.

I quickly read all the published articles - I see that he likes to use some kind of curling-jargon. Maybe we need that later in order to create a wordlist.

What I usually do then is to wfuzz the webserver. For that I take Kali's standard built-in wfuzz wordlist, which is under /usr/share/wfuzz/wordlist/general/common.txt

First I check against php files:

wfuzz --hf 404 -z file,/usr/share/wfuzz/wordlist/general/common.txt http://10.10.10.150/FUZZ.php

I only find configuration and index. I could enumerate more against Joomla's architecture by not using a file extension, but usually I try the txt file extension, too.

Voilà: secret.txt. There is also a string in there, which looks like a password. I google which standard admin users Joomla utilizes, but I can't get in. Maybe I have to create a wordlist from the Joomla content and brute force my way in. (If you look at the source code of the Joomla page, you see a hint for this file at the end of the file.)

The content of the secret.txt is base64 encoded - it took me quite some time to notice this.

So I see that the author of the Joomla content writes "cewl" instead of "cool". You have to know there is a wordlist generator named "cewl" we can utilize.

We do so with

cewl -w curlingwordlist.txt -d 5 -m 2 10.10.10.150

💡 Minimum character count is 2, and depth of crawling is 5.

First, because it is easier, I try to break into ssh.

With

hydra -L curlingwordlist.txt -P secret.txt 10.10.10.150 -t 4 ssh -v

but with no success.

Okay, let's try to break into Joomla - I use Burp to see what data is transferred when I try to log in to Joomla. I can see where my username and password are put, and there is also a "return" parameter, which looks like a base64 encoded string (which it is) and determines where the page should return the user after a successful login.

But there is another parameter - looks like a CSRF token. This way I cannot automate brute force attacks that easily.

I researched a bit and came to a pretty good tutorial on how to bypass such CSRF tokens:

https://blog.g0tmi1k.com/dvwa/bruteforce-high/

It worked and we can login to the admin page. I think from here on you have many possibilities. I installed a plugin which lets me upload files and loaded a php shell which opens a reverse shell to my host.

Now I have RCE. I found a password_backup file inside the user's home folder - it is a hexdump. With some bash-jutsu I got the hex code into a binary, checked that, and figured out that this is a bzip2. I unpacked it, et voilà, it is another bzip2, then it was a gz, then a tar - and finally I got a cleartext password with which I could change users.

🚩 User flag secured.
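The layered password_backup analysis described above, as an added example that is not part of the original write-up: it reverses an xxd-style hexdump and peels each layer by magic bytes, entirely in memory. The sample input, the file name `password.txt` and the password string are constructed for illustration; the layer order follows the text.

```python
import bz2, gzip, io, tarfile

# (offset, signature, name): identify layers by magic bytes, not by file name
MAGIC = [(0, b"BZh", "bzip2"), (0, b"\x1f\x8b", "gzip"), (257, b"ustar", "tar")]

def xxd_to_bytes(dump):
    """Reverse an xxd-style dump ('offset: hex groups  ascii') into bytes."""
    out = bytearray()
    for line in dump.splitlines():
        if ":" in line:
            hexpart = line.split(":", 1)[1].split("  ", 1)[0]
            out += bytes.fromhex(hexpart.replace(" ", ""))
    return bytes(out)

def identify(blob):
    for off, sig, name in MAGIC:
        if blob[off:off + len(sig)] == sig:
            return name
    return "data"

def peel(blob, max_layers=16):
    """Unwrap nested layers in memory; the cap bounds runaway nesting."""
    layers = []
    while len(layers) < max_layers and (kind := identify(blob)) != "data":
        if kind == "bzip2":
            blob = bz2.decompress(blob)
        elif kind == "gzip":
            blob = gzip.decompress(blob)
        else:  # tar: read the first regular file, write nothing to disk
            with tarfile.open(fileobj=io.BytesIO(blob)) as tar:
                member = next(m for m in tar if m.isfile())
                blob = tar.extractfile(member).read()
        layers.append(kind)
    return layers, blob

def build_sample():
    """Constructed input: tar -> gzip -> bzip2 -> bzip2, dumped xxd-style."""
    secret, buf = b"constructed-example-password\n", io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        info = tarfile.TarInfo("password.txt")
        info.size = len(secret)
        tar.addfile(info, io.BytesIO(secret))
    data = bz2.compress(bz2.compress(gzip.compress(buf.getvalue())))
    asc = lambda r: "".join(chr(b) if 32 <= b < 127 else "." for b in r)
    return "\n".join(f"{i:08x}: {data[i:i+16].hex(' ', -2):<39}  {asc(data[i:i+16])}"
                     for i in range(0, len(data), 16))

if __name__ == "__main__":
    print(peel(xxd_to_bytes(build_sample())))
```
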

In the home folder there was another folder, called admin-area. Two files in it which were recently changed - looks like a cronjob. The files belong to root, so I guess that this is my way to the root flag. My user has read and write access as well.

There is one file which states input with url = http://127.0.0.1 in it. And there is a second file with report, which seems to be the result of a curl with the parameters of the first, the input file.

I think I have to change the URL so that it connects to a consuming server I control in order to disclose sensitive information, like the contents of this juicy root flag.

What concerns me is that the input file gets changed every minute by this cronjob as well.

I set up a Python server which listens on my attacker's address. I changed the input file accordingly and it got a connection from my target host.

That's nice. Well, the input file has been reset, but who cares. Let's see whether we can transmit the output of some bash commands.

Just for testing purposes I set the input URL with some test parameters, to see whether my Python server echoes them properly. It works.

Now I want to test whether I can get it to execute the PWD command. But it does not seem to work. Maybe I have to try some SQL-injection stuff - only that it wouldn't be SQL injection, but bash injection 😅

After I tried for a while I thought that I should aim for lower-hanging fruit. I started looking for crons and started the LinEnum script.

Did not find anything - well, now I'll bring the big guns. procmon.sh. It monitors all processes and writes them to stdout. Then I can see what exactly happens to the files.

And I see that the input file gets served into the -K parameter of a curl-command.

I see two options:

  1. is to create a hook which gets executed on curl-command.

  2. is to exploit the -K parameter. Let's check the curl man page first.

I see, you can pass a configuration file when executing curl. So I could pass more than only the url parameter. Let's see if there are other useful configurations I could exploit - I think that could be any parameter available - which means that I could pass a file (or its content) as parameter. Let's try that.

Quickly I spotted the upload-file parameter. That should be easy. One parameter per line. Okay, tried it and it worked. Only my Python SimpleHTTPServer doesn't support PUT 😓

A quick google and I found ready-made source code for Python 3 with an HTTP server with PUT support!

Now crafting a nice payload to tell the curl process to upload its root.txt to my server and I'm good to go!
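Seen from the defender's side, the weakness is that a privileged job hands a file the low-privileged user can write to `curl -K`, so every curl option is under that user's control. The following added example (not from the original write-up, and not the box's own code) shows the two checks such a job could make before using the file: an ownership test and an allowlist parser that accepts only a `url` line. The allowed host, the character allowlist and the sample configs are assumptions constructed for illustration.

```python
import os, re, stat
from urllib.parse import urlsplit

ALLOWED_OPTIONS = {"url", "--url"}   # assumption: the job only needs a URL
ALLOWED_HOSTS = {"127.0.0.1"}        # assumption: host from the page's input file
SAFE_URL = re.compile(r"[A-Za-z0-9._~:/?&=%-]+")  # no globbing, userinfo, spaces

def validate_curl_config(text):
    """Return the URLs in a curl -K style config; raise ValueError otherwise."""
    urls = []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"[\s=:]+", line, maxsplit=1)
        name = parts[0]
        value = parts[1].strip().strip('"') if len(parts) > 1 else ""
        if name not in ALLOWED_OPTIONS:
            raise ValueError(f"line {n}: option {name!r} is not allowed")
        if not SAFE_URL.fullmatch(value):
            raise ValueError(f"line {n}: URL contains disallowed characters")
        url = urlsplit(value)
        if url.scheme not in ("http", "https") or url.hostname not in ALLOWED_HOSTS:
            raise ValueError(f"line {n}: scheme or host is not allowed")
        urls.append(value)
    return urls

def is_safely_owned(path, owner_uid=0):
    """True if neither the file nor its directory is writable by group/other."""
    for p in (path, os.path.dirname(os.path.abspath(path))):
        st = os.stat(p)
        if st.st_uid != owner_uid or st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
            return False
    return True

# Constructed samples (not taken from the target system).
GOOD = 'url = "http://127.0.0.1"\n'
EXTRA_OPTION = 'url = "http://127.0.0.1"\nupload-file = "/path/to/file"\n'
OTHER_HOST = 'url = "http://192.0.2.10/"\n'

if __name__ == "__main__":
    print(validate_curl_config(GOOD))
```

A job that passes both checks can hand the validated URL to curl as a plain argument instead of using `-K` on the file at all.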

Author: Marcel Michelfelder

