Curling
https://app.hackthebox.com/machines/Curling
Last updated
Checking the web server we are presented with the page for the "Cewl Curling site".
Looking at the site icon we can see the target web server is running Joomla. Running joomscan
against the host reveals Joomla is running on version 3.8.8.
However, I was unable to identify any immediate exploit for this particular host. Back on the root page, the main site header "Cewl" is a hint for the tool Cewl.
Cewl is a tool that creates custom word lists by spidering a URL and collecting the words it finds. I used the command below to generate a custom word list with a minimum word length of five.
After generating the word list I made a quick logon attempt in order to capture the request through ZAProxy.
After capturing the request I set the username to "super user", as this is the name given on the blog entries on the main home page, and then set the password variable to the list generated by Cewl.
However, I was unable to get in with that username and password list. Looking at the list of passwords generated by Cewl, we have an entry for curling2018, which looks like a potential password. As this did not work on its own, I instead wrote a few potential variations of this word.
We also notice that one of the blog posts is signed off by the user Floris.
Repeating the login requests in ZAP with the new username and the revised password list, we get a hit for the following credentials: floris:Curling2018!
After confirming the credentials are correct we find they are reused on the administrative login located at http://10.10.10.150/administrator/index.php.
A quick Google search shows various articles for obtaining a reverse shell through the use of Joomla after obtaining administrative credentials.
URL: https://cheatsheet.haax.fr/web-pentest/content-management-system-cms/joomla/#reverse-shell
Using the steps specified in that article we insert a pentest monkey PHP reverse shell into index.php of the protostar template.
After setting up a listener and refreshing /index.php to trigger the shell, we receive a connection back.
Checking the user floris' home directory, we find we are unable to read the user.txt flag.
We do have a file of interest within the home directory, "password_backup". Reading this ASCII file shows what appears to be a hex dump.
Looking at the magic bytes at the beginning of the output and running them through CyberChef, we identify the bytes as belonging to a Bzip2 file.
The xxd binary can be used to rebuild the file as shown below.
After rebuilding the file we need to iterate through multiple nested compression archives to extract the original document.
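The two steps above, rebuilding bytes from an xxd-style dump and then peeling compression layers by their magic bytes, are shown below as an added Python example. This is not code from the writeup: the dump text, the nested archive and the placeholder password line are all constructed inside the script, and it goes slightly beyond the page by recognising gzip, xz and zip as well as bzip2 and by capping the number of layers it will unwrap so a decompression bomb cannot run away.

```python
import bz2
import gzip
import io
import lzma
import zipfile

# Leading magic bytes for the container formats this helper understands.
MAGIC = (
    (b"BZh", "bzip2", bz2.decompress),
    (b"\x1f\x8b", "gzip", gzip.decompress),
    (b"\xfd7zXZ\x00", "xz", lzma.decompress),
    (b"PK\x03\x04", "zip", None),  # handled by _unzip_first below
)


def _unzip_first(data):
    """Return the first member of an in-memory zip archive."""
    with zipfile.ZipFile(io.BytesIO(data)) as archive:
        return archive.read(archive.namelist()[0])


def identify(data):
    """Return (format name, decompressor) for the leading magic bytes, or None."""
    for magic, name, func in MAGIC:
        if data.startswith(magic):
            return name, (func or _unzip_first)
    return None


def parse_xxd(dump_text):
    """Rebuild raw bytes from an xxd-style dump (offset: hex groups  ascii)."""
    out = bytearray()
    for line in dump_text.splitlines():
        if ":" not in line:
            continue  # not a dump line
        rest = line.split(":", 1)[1].strip()
        hex_field = rest.split("  ")[0]  # two spaces separate hex from the ASCII column
        out += bytes.fromhex(hex_field.replace(" ", ""))
    return bytes(out)


def unwrap(data, max_layers=10):
    """Peel nested compression layers until no known magic remains.

    max_layers bounds the work so a decompression bomb cannot run away.
    Returns (payload, list of layer names, outermost first).
    """
    layers = []
    while len(layers) < max_layers:
        found = identify(data)
        if found is None:
            break
        name, decompress = found
        data = decompress(data)
        layers.append(name)
    return data, layers


def recover(dump_text):
    """xxd dump text -> (original payload, layers)."""
    return unwrap(parse_xxd(dump_text))


# --- constructed sample: build a nested archive and render it as xxd would ---

def xxd_dump(data):
    """Format bytes the way xxd prints them (16 bytes per line)."""
    lines = []
    for off in range(0, len(data), 16):
        chunk = data[off:off + 16]
        groups = [chunk[i:i + 2].hex() for i in range(0, len(chunk), 2)]
        ascii_col = "".join(chr(b) if 32 <= b < 127 else "." for b in chunk)
        lines.append(f"{off:08x}: {' '.join(groups).ljust(39)}  {ascii_col}")
    return "\n".join(lines) + "\n"


def nest(payload):
    """zip -> xz -> bzip2 -> gzip; gzip ends up as the outermost layer (constructed data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as archive:
        archive.writestr("password.txt", payload)
    return gzip.compress(bz2.compress(lzma.compress(buf.getvalue())))


# Placeholder content; the real password is not embedded here.
SAMPLE_PAYLOAD = b"Password: <placeholder>\n"
SAMPLE_DUMP = xxd_dump(nest(SAMPLE_PAYLOAD))

if __name__ == "__main__":
    payload, layers = recover(SAMPLE_DUMP)
    print("layers:", " -> ".join(layers))
    print(payload.decode())
```

Run the script as-is to see the layer order it detected and the recovered payload; to use it on a real dump, pass the file's text to recover() instead of SAMPLE_DUMP.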
Reading password.txt gives us the SSH password for the user floris.
Password: 5d<wdCbdZu)|hChXll
We are then able to authenticate over SSH, where we can now grab the user.txt flag.
In our home directory we have a directory named "admin-area", which consists of two files that are owned by root and modifiable by floris.
Running pspy on the target system gives us a better insight into what might be happening in this directory. We can see that the command /bin/sh -c curl -K /home/floris/admin-area/input -o /home/floris/admin-area/report is run periodically.
We now know that root is executing curl with input as its config file (-K) and writing the output to report. Checking GTFOBins shows that curl can be used to perform privileged reads.
GTFOBins: https://gtfobins.github.io/gtfobins/curl/
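The weakness here is a root scheduled job that reads a file a normal user can modify. The following added Python example, which is not part of the writeup, is the check a defender would run against /etc/crontab: it parses system-crontab job lines, pulls the absolute paths each root command references, and reports any that are owned by a non-root user, are group- or world-writable, or do not yet exist. The crontab text and the fake filesystem table are constructed here so it runs offline; replace fake_lstat with the default os.lstat to audit a live host.

```python
import os
import re
import stat
from types import SimpleNamespace

# Absolute paths in a command line; the lookbehind skips the "//" of URLs.
ABS_PATH = re.compile(r"(?<![:/\w])/[\w./-]+")


def parse_system_crontab(text):
    """Yield (user, command) for the job lines of an /etc/crontab-style file.

    Comments and KEY=VALUE environment assignments are skipped; both the
    five-field schedule and @reboot-style shortcuts are handled.
    """
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if re.match(r"^[A-Za-z_][A-Za-z0-9_]*=", line):
            continue  # environment assignment such as SHELL=/bin/sh
        if line.startswith("@"):
            parts, expected = line.split(None, 2), 3
        else:
            parts, expected = line.split(None, 6), 7
        if len(parts) != expected:
            continue  # malformed line, not a job
        yield parts[-2], parts[-1]


def tamper_reason(path, lstat=os.lstat):
    """Explain why someone other than root could control this path, or return None."""
    try:
        st = lstat(path)
    except FileNotFoundError:
        return "does not exist (a user able to create it controls the input)"
    if st.st_uid != 0:
        return f"owned by uid {st.st_uid}, not root"
    if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        return f"group- or world-writable (mode {stat.S_IMODE(st.st_mode):04o})"
    return None


def audit_crontab(text, lstat=os.lstat):
    """Return (user, path, reason) for every path a root job references
    that a non-root user could change."""
    findings = []
    for user, command in parse_system_crontab(text):
        if user != "root":
            continue
        for path in ABS_PATH.findall(command):
            reason = tamper_reason(path, lstat)
            if reason:
                findings.append((user, path, reason))
    return findings


# --- constructed sample data (not taken from the target) ---

SAMPLE_CRONTAB = """\
# constructed sample in /etc/crontab layout: schedule, user, command
SHELL=/bin/sh
* * * * * root curl -K /home/floris/admin-area/input -o /home/floris/admin-area/report
0 3 * * * root /usr/local/bin/backup.sh -o /tmp/backup.log
@reboot floris /home/floris/start.sh
"""

# Fake stat results: root-owned but writable by others, mirroring the admin-area files.
FAKE_FS = {
    "/home/floris/admin-area/input": SimpleNamespace(st_uid=0, st_mode=0o100666),
    "/home/floris/admin-area/report": SimpleNamespace(st_uid=0, st_mode=0o100664),
    "/usr/local/bin/backup.sh": SimpleNamespace(st_uid=0, st_mode=0o100755),
}


def fake_lstat(path):
    """Stand-in for os.lstat backed by FAKE_FS."""
    try:
        return FAKE_FS[path]
    except KeyError:
        raise FileNotFoundError(path) from None


if __name__ == "__main__":
    for user, path, reason in audit_crontab(SAMPLE_CRONTAB, fake_lstat):
        print(f"[{user}] {path}: {reason}")
```

Anything this reports is a file root will read or write on a schedule while a less privileged account can alter it; the fix is to move such inputs to a root-owned, root-writable-only location (or a root-only config under /etc) rather than a user's home directory.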
We can use nano to edit the contents of input so that we can read the root.txt flag.
After making the required changes we can use the watch command to monitor the report file for any changes.
After a couple of minutes we see the contents of the root flag.