$ nmap -p- --min-rate 3000 10.129.172.106
Starting Nmap 7.93 ( https://nmap.org ) at 2023-03-06 09:31 EST
Nmap scan report for 10.129.172.106
Host is up (0.17s latency).
Not shown: 65533 closed tcp ports (conn-refused)
PORT   STATE SERVICE
22/tcp open  ssh
80/tcp open  http
We need to add superpass.htb to our /etc/hosts file to access port 80.
SuperPassword -> LFI
The website advertised a password manager.
I tested by registering a user to see what functionality this application has. I registered a username and got an error, revealing that this is a Flask application. Not sure if this was supposed to happen.
Anyways, when I tried again it worked and brought me to a dashboard where I can add a password and Export passwords.
The Export function looks rather exploitable. I added some passwords, then tried to download the file and was presented with this HTTP request:
GET /download?fn=newuser_export_611199da8a.csv HTTP/1.1
Host: superpass.htb
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: close
Cookie: remember_token=9|8f50cc62e035672203937ef350c45d6a6780afafd9114b725dfb34ffa10cd42e92e484635b44b3f13d76ce1f6af818f2501684844daf93217e66ec4af933165f; session=.eJwlzjEOwzAIAMC_MHewgYDJZyJiQO2aNFPVvzdS51vuA1sdeT5hfR9XPmB7BaygREnUXHNahqQzMpG1bqUkrMWFSN3CzW4tHTI6Kk5H8d0jVaa6OZlbaFMxDqlR0tBmYx6Yfei-hA0WGr4IlfalocRu0wTuyHXm8d8YfH9o4y4B.ZAX6Tg.txUnjeEEeD_3BB80vD96et6vwwU
Upgrade-Insecure-Requests: 1
The fn parameter was vulnerable to LFI.
We find 4 users, runner, corum, edwards, and dev_admin. We know that this is a Flask application, so the source code for app.py is probably in some /app/app/main directory or something along those lines. Some testing revealed that it was located in ../app/app/superpass/app.py.
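On the defensive side of this finding, the following added example (not the application's actual code and not part of the original write-up) shows one way a download handler could validate fn before opening anything. The function names, the export directory and the <username>_export_<10 hex chars>.csv naming rule are assumptions inferred from the request above.

```python
import os
import re
import tempfile

# Assumed naming scheme, inferred from the request: <username>_export_<10 hex>.csv
EXPORT_NAME = re.compile(r"(?P<user>[A-Za-z0-9_]+)_export_[0-9a-f]{10}\.csv")

class RejectedDownload(Exception):
    """The requested name must not be served."""

def resolve_export(export_dir, fn, current_user):
    """Map the fn query parameter to a file inside export_dir, or raise."""
    # 1. Allow-list the shape of the name; separators and ".." cannot match.
    match = EXPORT_NAME.fullmatch(fn)
    if match is None:
        raise RejectedDownload("unexpected file name")
    # 2. Bind the export to the logged-in user.
    if match.group("user") != current_user:
        raise RejectedDownload("export belongs to another user")
    # 3. Defence in depth: resolve symlinks, then confirm containment.
    base = os.path.realpath(export_dir)
    target = os.path.realpath(os.path.join(base, fn))
    if os.path.commonpath([base, target]) != base:
        raise RejectedDownload("path escapes export directory")
    if not os.path.isfile(target):
        raise RejectedDownload("no such export")
    return target

def demo():
    """Run constructed fn values through the check; return name -> verdict."""
    verdicts = {}
    with tempfile.TemporaryDirectory() as export_dir:
        good = "newuser_export_611199da8a.csv"
        with open(os.path.join(export_dir, good), "w") as fh:
            fh.write("site,username,password\n")  # constructed content
        samples = [good, "../app/app/superpass/app.py",
                   "corum_export_611199da8a.csv", "newuser_export_0000000000.csv"]
        for fn in samples:
            try:
                resolve_export(export_dir, fn, current_user="newuser")
                verdicts[fn] = "served"
            except RejectedDownload as exc:
                verdicts[fn] = str(exc)
    return verdicts

if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name!r}: {verdict}")
```

Only the first sample is served; the traversal string, another user's export and a well-formed but nonexistent name are each rejected at a different step.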
We can grab the SECRET_KEY variable from app.py and use it to spoof our own cookies with flask-unsign.
Now, we can change the _user_id parameter and hopefully login as other users with stored passwords. We can keep changing the user ID to anything we want and keep getting different passwords. Here are some interesting ones:
It would appear that there is a --remote-debugging-port being used. Essentially, it means that Chrome is running with its remote debugging interface listening on this port. With credentials for SSH, we can port forward this and perhaps access it from our machine to see what the user is doing.
So we can first port forward this thing using ssh.
ssh -L 41829:127.0.0.1:41829 corum@superpass.htb
Afterwards, we can use Burp Suite's built-in Chromium browser to access this thing. This resource was rather helpful:
Just add localhost:41829 to the Discover Network Targets portion, and we will pick up on the target.
We can inspect this to basically spy on the user.
I visited the /vault directory and found some secret credentials.
Then, we can su to edwards.
Sudoedit CVE-2023-22809
Checking edwards' sudo privileges, we see this:
edwards@agile:/home/corum$ sudo -l
[sudo] password for edwards:
Matching Defaults entries for edwards on agile:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin, use_pty

User edwards may run the following commands on agile:
    (dev_admin : dev_admin) sudoedit /app/config_test.json
    (dev_admin : dev_admin) sudoedit /app/app-testing/tests/functional/creds.txt
In short, we can edit some files as dev_admin. I read the files and found some credentials.
However, the credentials here lead to dead ends, with the SQL database having nothing of interest. I ran a pspy64 to see if there were any exploitable processes. This one line looked rather suspicious because dev_admin had write access to it:
Checking the sudo version online, I found that it was vulnerable to CVE-2023-22809.
In short, this exploit allows us to write to any file we want using sudoedit despite the restrictions we have in place. The activate file I found earlier was a bash script being executed by root. So, all we need to do is append some commands to it to make /bin/bash an SUID binary.
Following the PoC, we just have to execute these commands to modify /app/venv/bin/activate: