KeyVault
Gaining Access
Nmap scan:
$ nmap -p- --min-rate 4000 192.168.160.207
Starting Nmap 7.93 ( https://nmap.org ) at 2023-07-13 12:46 +08
Nmap scan report for 192.168.160.207
Host is up (0.17s latency).
Not shown: 65532 closed tcp ports (conn-refused)
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
8080/tcp open http-proxy
Did a detailed scan too:
$ sudo nmap -p 80,8080 -sC -sV --min-rate 3000 192.168.160.207
[sudo] password for kali:
Starting Nmap 7.93 ( https://nmap.org ) at 2023-07-13 12:47 +08
Nmap scan report for 192.168.160.207
Host is up (0.17s latency).
PORT STATE SERVICE VERSION
80/tcp open http Apache httpd 2.4.41 ((Ubuntu))
|_http-server-header: Apache/2.4.41 (Ubuntu)
|_http-title: KeyVault Password Manager & Vault App with Single-Sign On ...
8080/tcp open http Apache httpd 2.4.41 ((Ubuntu))
| http-open-proxy: Potentially OPEN proxy.
|_Methods supported:CONNECTION
| http-git:
| 192.168.160.207:8080/.git/
| Git repository found!
| .git/config matched patterns 'key' 'user'
| .gitignore matched patterns 'secret'
| Repository description: Unnamed repository; edit this file 'description' to name the...
| Last commit message: Added Files and .gitignore
|_ Project type: PHP application (guessed from .gitignore)
|_http-server-header: Apache/2.4.41 (Ubuntu)
| http-cookie-flags:
| /:
| PHPSESSID:
|_ httponly flag not set
|_http-title: KeyVault - Password Manager
There was a .git repository which we could enumerate later.
Web + Git Enum
Port 80 hosted a website for a Password Manager:

The site was rather static and had nothing interesting. Port 8080 had a login page:

Default credentials work, but we are redirected to this cryptic site:

Let's take a look at the .git repository files. Its logs reveal that there's an hmac.php, which says a bit more about the crypto used:
Hash Bypass
We are required to submit h, host and token parameters to this page. There's a $secret value being passed around. While googling for similar exploits online, I came across this site:
The above resource details a similar exploit, where token[]= is submitted to trigger an error within PHP that makes the value of $secret obsolete. Thus, the second hash_hmac would just produce the SHA-256 hash of host, allowing attackers to specify any host and use the SHA-256 value of host as h.
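To make the failure mode concrete, here is an added Python model of the check described above; it is not the machine's hmac.php and does not reproduce its exact code. It models the PHP 7 behaviour the bypass relies on: hash_hmac() returns false when its $data argument is an array, and that false is coerced to the empty string when it is used as the key of the next hash_hmac(), so the second MAC no longer depends on $secret. The placeholder SECRET, the host and token values, and the hardened variant are assumptions; the fix rejects any parameter that is not a plain string and compares with a constant-time function.

```python
import hashlib
import hmac

# Constructed placeholder; the real server-side $secret is never known to a client.
SECRET = b"placeholder-server-secret"


def php_hash_hmac(data, key):
    """Approximation of PHP 7's hash_hmac('sha256', $data, $key).

    * an array (modelled here as a list) as $data makes PHP warn and return false
    * a false/null $key is coerced to the empty string ""
    Returns a hex digest string, or False.
    """
    if not isinstance(data, (str, bytes)):
        return False
    if key is False or key is None:
        key = b""
    if isinstance(key, str):
        key = key.encode()
    if isinstance(data, str):
        data = data.encode()
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def vulnerable_verify(params, secret=SECRET):
    """The pattern from the write-up: derive a per-token key from $secret, then MAC
    the host with it. Inputs are not type-checked and the comparison is a plain ==."""
    derived = php_hash_hmac(params.get("token"), secret)
    expected = php_hash_hmac(params.get("host"), derived)
    return expected == params.get("h")


def hardened_verify(params, secret=SECRET):
    """Same scheme with the two defects closed: every parameter must be a plain
    string, and the comparison is constant-time."""
    h, host, token = params.get("h"), params.get("host"), params.get("token")
    if not all(isinstance(v, str) for v in (h, host, token)):
        return False
    if not h.isascii():
        return False  # compare_digest only accepts ASCII str
    derived = hmac.new(secret, token.encode(), hashlib.sha256).hexdigest()
    expected = hmac.new(derived.encode(), host.encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, h)


def legitimate_h(token, host, secret=SECRET):
    """The value a client holding a valid token and the secret-derived key would send."""
    derived = hmac.new(secret, token.encode(), hashlib.sha256).hexdigest()
    return hmac.new(derived.encode(), host.encode(), hashlib.sha256).hexdigest()


def collapsed_key_h(host):
    """The value accepted once the derived key has collapsed to "": an HMAC with an
    empty key, which anyone who knows host can compute without $secret."""
    return hmac.new(b"", host.encode(), hashlib.sha256).hexdigest()


if __name__ == "__main__":
    good = {"token": "abc", "host": "vault.local", "h": legitimate_h("abc", "vault.local")}
    bad = {"token": ["x"], "host": "vault.local", "h": collapsed_key_h("vault.local")}
    print("vulnerable / legitimate:", vulnerable_verify(good))  # True
    print("vulnerable / array token:", vulnerable_verify(bad))  # True: check bypassed
    print("hardened / legitimate:", hardened_verify(good))      # True
    print("hardened / array token:", hardened_verify(bad))      # False
```

In PHP the equivalents of the two fixes are is_string() on each parameter and hash_equals() for the comparison. PHP 8 throws a TypeError when hash_hmac() receives an array, which turns the same request into a 500 rather than a successful bypass, but the explicit validation is still the right fix because the check should never reach hash_hmac() with untrusted types.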
We can use their parameters to bypass this check:

Visiting index.php with the same parameters will show us a page with a password:

We can then ssh in as ray:

Privilege Escalation
Apache-Restart -> Root Creds
Within the /opt directory, there's this file present:
I ran the binary and, in another SSH session, used pspy64 to see the processes being run:
There was a password being keyed in. pspy64 shows that su was run too:
Using ltrace, we can see the system calls made and what is being written. However, the output is too long and difficult to analyse. I transferred the binary to my machine for further analysis. I ran strings on it and saw this bit:
Because there's Python data in it, this might be a binary compiled from Python. We can use a Python decompiler to extract the modules bundled within it.
Then, we can run strings on the .pyc files:
There's a string here, and it is base64:
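As an added helper, not one of the write-up's own steps, the following Python script automates the last two steps above: it pulls printable runs out of a file the way `strings` does, then keeps only the runs that decode strictly as base64 into printable text. The same scan is useful on the defensive side for auditing a compiled artefact for embedded credentials before it is deployed. The .pyc-like sample blob and the placeholder secret inside it are constructed for the example.

```python
import base64
import re
import string

PRINTABLE = set(string.printable) - {"\x0b", "\x0c"}
# Whole-string base64 alphabet with optional padding; shorter runs are mostly noise.
B64_RE = re.compile(rb"^[A-Za-z0-9+/]{8,}={0,2}$")


def extract_strings(blob: bytes, min_len: int = 8):
    """Equivalent of `strings -n <min_len>`: (offset, run) for each printable-ASCII run."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [(m.start(), m.group()) for m in re.finditer(pattern, blob)]


def looks_like_base64(run: bytes) -> bool:
    """Cheap pre-filter: base64 alphabet only and a length that is a multiple of 4."""
    return B64_RE.match(run) is not None and len(run) % 4 == 0


def decode_if_text(run: bytes):
    """Strictly decode run as base64; return the text only if the result is printable."""
    try:
        raw = base64.b64decode(run, validate=True)
    except ValueError:  # binascii.Error is a subclass of ValueError
        return None
    try:
        text = raw.decode("ascii")
    except UnicodeDecodeError:
        return None
    if text and all(c in PRINTABLE for c in text):
        return text
    return None


def find_base64_strings(blob: bytes, min_len: int = 8):
    """Return (offset, encoded, decoded) for every string that is plausibly base64 text.
    Ordinary identifiers occasionally survive the pre-filter, so treat hits as leads."""
    hits = []
    for offset, run in extract_strings(blob, min_len):
        if looks_like_base64(run):
            decoded = decode_if_text(run)
            if decoded is not None:
                hits.append((offset, run.decode("ascii"), decoded))
    return hits


# Constructed stand-in for a .pyc pulled out of the binary: a few header-like bytes,
# some module and command names, and one base64-encoded placeholder secret.
PLACEHOLDER_SECRET = "placeholder-root-password"
SAMPLE_PYC = (
    b"\x61\x0d\x0d\x0a\x00\x00\x00\x00\x00\x00\x00\x00\xe3\x00\x00\x00"
    + b"subprocess\x00su - root\x00"
    + base64.b64encode(PLACEHOLDER_SECRET.encode())
    + b"\x00base64\x00b64decode\x00"
)


if __name__ == "__main__":
    for offset, encoded, decoded in find_base64_strings(SAMPLE_PYC):
        print(f"0x{offset:08x}  {encoded}  ->  {decoded!r}")
```

To run it against real extracted files, read each .pyc with `open(path, "rb").read()` and pass the bytes to find_base64_strings(); lowering min_len widens the net at the cost of more false positives from short identifiers.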
Using this, we can su to root:

Rooted!