Hello Everyone, today I will be talking about how to hack in to the web application Inject from HacktheBox.
Lets start by running nmap on the website so see what ports are open.
After looking at the output we can see that ssh on port 22 and a web server on port 8080 are both open. Lets open the web browser and see what we can find on the website. At the top of the page is a row of links that lead to different parts of the website.
Once we have clicked on all of the links and seen were they go we can begin to get an idea of what the site is for and how we might be able to hack in. The first place to look is the uploads page that allows anyone on the website to upload an image to the server and then view the image. The first thing we should try to do is upload an image and capture the web requests in burp suite.
Once the image is uploaded a new link appears at the top of the upload page that has a link were we can view the image that was just uploaded.
Everything works normally when I click the link to view the image that was uploaded but the request in burp suite is a little suspicious. The URL looks like their could be a LFI vulnerability where other parts of the server can be accessed using this URL.
The only way to test this theory is to use burp suite to see if other files on the server can be accessed. The first file we will try to access is the /etc/passwd file. To access this file I will put around ten ../ before I put in the /etc/passwd so that I navigate all the way back to the root of the file system before going out to /etc/passwd.
Using this vulnerability we can explore the file system and see what is powering the website and find out how to hack in to the server. After looking around the root of the web server I found a interesting file called pom.xml which is usually associated with java applications. Using the curl command I can download the contents of the file to my computer.
curl http://10.10.11.204:8080/show_image?img=../../../pom.xml > pom.xmlThe pom.xml has a list of all the java libraries used in the web application. With this information we can start googling all of the libraries to see if their are any know vulnerabilities in them.
Sure enough the pom.xml contains a library that is vulnerable to spring4shell CVE-2022-22965.
org.springframework.cloud
The first thing we should do is search for a metasploit module the we can use to get remote code execution on the server.
Looking through the list of metasploit modules the best option looks like three.
Now that we have selected the correct Metasploit module we need to fill in some basic information about are target server and host machine. The first field to fill in is the LHOST which is the HacktheBox VPN IP address that the reverse shell will connect back to.
Now that the LHOST is set we need to set the RHOST which is the IP address of the web server and also check to make sure all the other settings for the Metasploit module are correct.
Since we have finished configuring the module it is time to run it and see if it gets a meterpreter shell on the target webserver.
And it worked. Now that we have a meterpreter shell on the target machine we need to run the shell command to spawn a shell. Once we have a shell we can see what user we are and explore are home directory.
Now that we know we are the frank user and that we found Phil’s username and password we can switch users to phil and get the user flag.
Since we have the user flag all we need to get is the root flag. If we look around the server then we will find a folder in /opt/automation/tasks. Inside this folder their is a file called playbook_1.yml that contains an ansible playbook script.
Armed with this information we can write a malicious ansible playbook and put it in this folder and it will get run as root. Using this website we can write a malicious ansible playbook that will change the permissions on the bash command. Since we do not have a fully interactive shell on the target will will have to write the ansible playbook on are computer and upload it to the target.
Once we get the server started on are computer we can download the evil.yml file on to the target server and let ansible run the script as root.
Once the ansible script runs we can run the bash -p command to escalate privileges to root and get the flag.
That is all. I hope you had fun and learned a lot.