Agile
Gaining Access
Nmap scan:
We need to add superpass.htb to our /etc/hosts file to access port 80.
SuperPassword -> LFI
The website advertised a password manager.
I tested by registering a user to see what functionality this application has. I registered a username and got an error, revealing that this is a Flask application. Not sure if this was supposed to happen.
Anyway, when I tried again it worked and brought me to a dashboard where I can add a password and export passwords.
The Export function looks rather exploitable. I added some passwords, then tried to download the file and was presented with this HTTP request:
The fn parameter was vulnerable to LFI.
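As an added example (not code from the box or the SuperPassword application), here is the path-handling bug class behind a download parameter like fn, with the vulnerable join next to a hardened containment check; EXPORT_DIR, the function names and the sample values are assumptions.

```python
# Added example, not code from the Agile box or the SuperPassword app:
# the bug class behind a file-download parameter such as fn, with the
# vulnerable join next to a hardened containment check.
import os
import tempfile

# Stand-in for the application's export directory (assumption).
EXPORT_DIR = tempfile.mkdtemp(prefix="exports_")


def vulnerable_export_path(fn: str) -> str:
    """Join the user-supplied name straight onto the export directory.

    This is the LFI pattern: "../../etc/passwd" walks out of EXPORT_DIR, and
    an absolute fn such as "/etc/passwd" makes os.path.join discard the base
    entirely.
    """
    return os.path.join(EXPORT_DIR, fn)


def safe_export_path(fn: str):
    """Return an absolute path inside EXPORT_DIR, or None if fn escapes it."""
    base = os.path.realpath(EXPORT_DIR)
    # Resolve ".." and symlinks before deciding; comparing the raw string
    # would be fooled by "sub/../../x".
    target = os.path.realpath(os.path.join(base, fn))
    # commonpath is the containment test to use: a plain startswith() would
    # accept "/srv/exports_evil/x" as being under "/srv/exports".
    if target == base or os.path.commonpath([base, target]) != base:
        return None
    return target


def audit_fn_values(values):
    """Classify logged fn values as 'ok' or 'traversal' (defender's view)."""
    return [(fn, "ok" if safe_export_path(fn) else "traversal") for fn in values]


# Constructed sample values, as they might appear in a request log.
SAMPLE_FN_VALUES = [
    "passwords.csv",
    "sub/../passwords.csv",
    "../../etc/passwd",
    "../app/app/superpass/app.py",
]

if __name__ == "__main__":
    for fn, verdict in audit_fn_values(SAMPLE_FN_VALUES):
        print(f"{verdict:9s} {fn}")
```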
We find 4 users: runner, corum, edwards, and dev_admin. We know that this is a Flask application, so the source code for app.py is probably in some /app/app/main directory or something along those lines. Some testing revealed that it was located in ../app/app/superpass/app.py.
We can grab the SECRET_KEY variable from here and spoof our own cookies using flask-unsign.
Cookie Spoofing -> SSH Creds
Now that we have the SECRET_KEY, we can decode the cookie (Flask session cookies are signed, not encrypted, so the key is all that protects them).
Now, we can change the _user_id parameter and hopefully log in as other users with stored passwords. We can keep changing the user ID to anything we want and keep getting different passwords. Here are some interesting ones:
That last one for corum is a valid password for SSH.
Then we can easily grab the user flag.
Privilege Escalation
Chrome Debugging -> Edwards
I ran a LinPEAS scan and this was the one thing that stood out the most:
It would appear that a --remote-debugging-port is in use. Essentially, this means that the port is open and Chrome is listening on it. With SSH credentials, we can port forward it and access it from our machine to see what the user is doing.
So we can first port forward this using ssh.
Afterwards, we can use Burp Suite's built-in Chromium browser to access it. This resource was rather helpful:
Just add localhost:41829 to the Discover Network Targets portion, and we will pick up the target.
We can inspect this to basically spy on the user.
I visited the /vault directory and found some secret credentials.
Then, we can su to edwards.
Sudoedit CVE-2023-22809
Checking edwards' sudo privileges, we see this:
In short, we can edit some files as dev_admin. I read the files and found some credentials.
However, the credentials here lead to dead ends, with the SQL database having nothing of interest. I ran pspy64 to see if there were any exploitable processes. This one line looked rather suspicious because dev_admin had write access to it:
Checking the sudo version online, I found that it was vulnerable to CVE-2023-22809.
In short, this exploit allows us to write to any file we want using sudoedit, despite the restrictions in place. The activate file I found earlier was a bash script being executed by root. So, all we need to do is append some commands to it to make /bin/bash an SUID binary.
Following the PoC, we just have to execute these commands against /app/venv/bin/activate:
This opens up the activate file and we are free to edit it. We can add chmod u+s /bin/bash into it. Then we can easily become root.