search

CrossFit

hashtag
Gaining Access

Nmap scan:

$ nmap -p- --min-rate 3000 10.129.221.128
Starting Nmap 7.93 ( https://nmap.org ) at 2024-03-10 05:59 EDT
Warning: 10.129.221.128 giving up on port because retransmission cap hit (10).
Nmap scan report for 10.129.221.128
Host is up (0.0085s latency).
Not shown: 63082 closed tcp ports (conn-refused), 2450 filtered tcp ports (no-response)
PORT   STATE SERVICE
21/tcp open  ftp
22/tcp open  ssh
80/tcp open  http

Detailed scan:

$ nmap -p 21,80 -sC -sV --min-rate 3000 10.129.221.128
Starting Nmap 7.93 ( https://nmap.org ) at 2024-03-10 07:44 EDT
Nmap scan report for 10.129.221.128
Host is up (0.011s latency).

PORT   STATE SERVICE VERSION
21/tcp open  ftp     vsftpd 2.0.8 or later
|_ssl-date: TLS randomness does not represent time
| ssl-cert: Subject: commonName=*.crossfit.htb/organizationName=Cross Fit Ltd./stateOrProvinceName=NY/countryName=US
| Not valid before: 2020-04-30T19:16:46
|_Not valid after:  3991-08-16T19:16:46
80/tcp open  http    Apache httpd 2.4.38 ((Debian))
|_http-title: Apache2 Debian Default Page: It works
|_http-server-header: Apache/2.4.38 (Debian)
Service Info: Host: Cross

Added crossfit.htb to my /etc/hosts file. Also noted that the cert name had a wildcard, meaning there is possibly multiple subdomains.

hashtag
SSL Enumeration -> Subdomain

The web page did not load anything useful, so I turned to enumerating the SSL cert for FTP. Using openssl, I can connect to this certificate and find the email address associated with it:

gym-club.crossfit.htb is the next step.

hashtag
Web Enum -> XSS

The website was a fitness and sport promoting one:

This was PHP based, and there were quite a few functionalities in this. There was some countdown and subscribe function, which sent a POST request with any email:

I could leave a comment on some posts:

When I posted this comment, this message appeared:

So our comment was being evaluated by a moderator, meaning someone was viewing it! This opens XSS up as a potential first vulnerability.

I sent this payload in :

This returned something...interesting:

There's a WAF blocking our request, and it takes note of our IP address and browser information. I also did not get the callback.

I tried to bypass this WAF, but nothing got me a callback. I thought about it, and perhaps I was supposed to trigger this error.

It's quite odd that the website tells me exactly what it is going to send to the security team. Browser information is normally present within the User-Agent header.

As such, I tried poisoning that header with an XSS payload, and triggering the security warning by sending a <script> tag.

This triggered the bug again, but this time I was able to get a callback:

Using this knowledge, automating this step is rather easy.

hashtag
CORS(?) -> Subdomain Fuzzing

Using this, I was able to inject payload. However, I was unable to steal any cookies, nor was I able to view anything that was interesting.

I noticed that within these requests, the Access-Control-Allow-Credentials header was set to true.

This means that the browser includes credentials, which includes cookies and whatever authentication headers are being used. This gave me an idea to try using CORS to find what other subdomains are present on this machine.

Using this, and the XSS I had, I constructed a quick script to test subdomains reachable via XSS, and then steal the page contents.

So the above takes a fake subdomain, and then attempts to fetch it. Retrieving a legit domain results in a page being stolen like so:

I noted that this was being visited by report.php. As such, I can start brute forcing this thing using a Python server that accepts POST requests and outputs them to stdout.

The zxx check is there because I noticed a lot of the results returned that, and it was for the default Apache page.

Here's my Javascript file:

And lastly, the payload script:

Eventually, this output something interesting:

It seems there's an FTP Account Manager on the website.

hashtag
XSS + CSRF -> FTP Account

I was able to view the new account page by visiting http://ftp.crossfit.htb/accounts/create. Here's the form required:

So to create a new account, I just have to create some POST parameters using a username and password of my choosing.

The above doesn't work in registering an account, and I think it is due to the _token variable changing each time I use fetch. This CSRF token has to be retrieved in the same session.

Here's the updated exploit code:

Setting credentials to include means I use the same session for everything. When this is run, the response tells me it worked:

Using this, I can now login and enumerate the FTP server:

hashtag
FTP Write -> Webshell

From the above image, I can only write to development-test. This directory also includes all of the other web applications, and they are all in PHP. I cannot reach development-test from my machine, so I probably gotta use the XSS + CSRF exploit.

I tried uploading a PHP webshell which worked:

Afterwards, I can execute commands via the webshell, and return that response to my HTTP server.

Finally. The cmd.php shell is cleared pretty fast, but getting a reverse shell from here is trivial and fast. I had to use a PHP reverse shell in the end for some reason.

hashtag
Privilege Escalation

hashtag
Ansible Playbooks -> User Password

I ran linpeas.sh, and it picked up on a few interesting things:

There's a cronjob by the user isaac, but I cannot read the PHP files so I won't worry about that yet.

At the very bottom of the output are these 2 hashes:

There is a hank user on this box:;

It can be cracked using john:

I can then su to hank:

hashtag
Admins Group + Cronjob + SQL Creds

hank is part of the admins group. Earlier, I saw a cronjob running a script from isaac directory, and conveniently the directory is owned by the admin group:

Here's the contents of the send_updates.php script:

The script runs every time there's a new file within a msg_dir variable. The most interesting part was the dependency used:

This particular version had RCE exploits for it:

LogoCommand Injection in mikehaertl/php-shellcommand | CVE-2019-10774 | SnykLearn more about Composer with Snyk Open Source Vulnerability Databasechevron-right

The addArg function does not escape all arguments. However, I would need to have direct access to the database to exploit this, which I do not right now.

As such, I took a look around the machine, and found some FTP stuff:

This was running vsftpd, so I checked the /etc folder, and found some interesting details within /etc/vsftpd/user_conf:

I searched for all vsftpd files:

Reading one of the files gives me FTP creds:

These creds work:

And it brought me to the messages directory, and this is probably tied to the msg_dir variable I found earlier.

I thought of the script itself, and wondered where did I encounter emails at, and realised that way earlier in the box, there was a "Subscribe" option asking for emails.

Within the /var/www/gym-club file, there was a jointheclub.php script:

Here's the code for it:

db.php contained some credentials too:

There's only one check for input, and its this line:

I logged into the database, and found that there wasn't any emails table:

So to trigger the script and the exploit, I have to upload a file via FTP, and have a malicious email payload to get a shell as isaac.

hashtag
Isaac RCE

From the Github issues, the RCE payload is --wrong-argument || COMMAND.

LogoescapeArgs option is not working properly · Issue #44 · mikehaertl/php-shellcommandGitHubchevron-right

From this, I inserted a email column into the users table with a payload, since its contents is part of the command passed to addArg:

Afterwards, I need to upload any file via FTP This is because the send_update.php file runs on detecting new files. Putting a new file within the messages directory triggers the payload:

hashtag
Basic Enum -> Ghidra RE

I ran pspy64 and linpeas.sh to enumerate stuff as this user, and was initially particularly interested in the staff group.

I checked both ./pspy64 and ./pspy64 -f to monitor for file events.

There was something running dash:

I monitored stuff running within /bin and /usr/bin.

There was dbmsg binary, which I could not find on my own machine, meaning it is not a default one.

Here's some basic information about it:

Downloaded this back to my machine, and opened it up in ghidra.

The main functions checks if the user running is root:

This calls process_data() after srand, which does some stuff with the MySQL database:

The process_data() function did somet unique stuff, in which it took all the stuff from the messages table and stored it within a variable:

It then opens a .zip file and creates a new file for each entry in /var/local:

The name of each file s rather unique. It is local_98, and it is the random number generated from main() and the first column, which is MD5 hashed together.

The file is then dumped into /var/local. Afterwards, this new file is added to thecomments.zip file.

Afterwards, the file in /var/local is deleted, and the database entry is removed.

This binary is always run as root and it creates files with MD5 hashes as their name. The srand number can be brute forced if given enough hashes. I already have database control, and root is writing to files. If I can guess the right hash, then I can create a symbolic link (with the same name) directed at /root/.ssh/authorized_keys.

Based on the hash generation, this script runs every minute or so, and I can control what is in the database. As such, generating the hash is easy since the random number (based on time) will eventually be right if I run it infinitely, and the database entry is controlld by me.

So to exploit this, I have to:

  • Write a small random number generator based on the time.

  • Insert an entry into the database with my public SSH key.

  • Create a bash script that loops forever, generating random numbers and hashing it to create new files within /var/local.

  • Each file created must be a symlink pointing to /root/.ssh/authorized_keys.

hashtag
Root Shell

Here's the script for generating random numbers based on time:

This has to be compiled on the machine itself. From the binary, the messages table has 4 columns: id, name, email and message. The id can be fixed at 1, and the rest of the fields would be my public SSH key.

Here's the one-liner to put a database entry:

Then, here's the bash loop to infinitely generate symlinks:

When the loop is running, it generates a lot of files within the /var/local file:

And every single one points to the root directory:

While it was running, I just kept trying to ssh in as root using the private key. Again, this works because eventually the right number and hence MD5 hash is created.

After a while, it worked!

Rooted!

hashtag
Scripts Used

Just to recap:

  • The Pyhton POST server was used to receive POST requests from the XSS.

  • Another Python script was used for delivering my XSS payload, and I varied the Javascript file executed.

  • One Javascript payload was used for enumerating subdomains, thus accepting a fuzz parameter.

  • The other Javascript payload was used for creating a new account with the same session (credentials set to include).

  • The last script was to trigger the cmd.php shell.

hashtag
Python POST Server

hashtag
XSS Payload Delivery

hashtag
Fuzzing

hashtag
Account Creation

hashtag
RCE

PreviousBrainFuckNextDerailed

Last updated