Inject [HackTheBox]

Sep. 26, 2023

This is a retired Linux machine tagged as Easy on HackTheBox. It involves interesting attack paths and a unique privilege escalation based on a misconfiguration you may commonly see in industry scenarios.

Reconnaissance

An _nmap_ scan of the target IP reveals a service running on port 8080.

Upon loading port 8080 in our web browser, we are greeted with a web application named “Zodd Cloud”.

Navigating around the website, we come across _/release_notes_, which contains a change log of the website.

We also find a _/show_image_ endpoint that we might be able to leverage further.

Foothold

Initial

I attempted to modify the magic bytes (header) in a Hex Editor as well as explore several CVEs regarding images, but unfortunately was not successful in my attempts.

We do find that LFI (Local File Inclusion) works. (I used the LFI-Jhaddix wordlist in SecLists.)

The user that ran the web server has access to the /home directory:

Digging through the directories I found credentials for phil:

phil:DocPhillovestoInject123

Unfortunately, phil's credentials do not work via SSH.

Additionally, leaking the private key from the above path does not resolve the issue.

Digging around for more clues, we find that the website is running on Spring Boot 1.2.0.

In 2022, the exploit known as Spring4Shell gained significant popularity. This exploit was widely discussed and utilized within the cybersecurity community.

With that in mind, let's try an exploit module from Metasploit for this one:

It worked!

After logging in as frank, we can try the credentials for phil that we found earlier via su.

Success! We also get the user flag from phil's home directory, as shown above:

01d476d4b9410bfd1f4b4ff5a20e1420

Privilege Escalation

We have 777 permissions in this directory.

We can run an Ansible playbook. Here is an example of a playbook that can be used for privilege escalation.

My payload was not working due to issues with spaces and tabs.

- hosts: localhost
  tasks:
    - name: Evil
      command: chmod +s /bin/bash
      become: true

This payload sets the SUID bit on the _bash_ binary (chmod +s sets both the SUID and SGID bits, which is why the listing below shows -rwsr-sr-x). Since bash is owned by root, this allows us to run the bash binary as root.

More information on exploiting the SUID bit can be read in this great article by Vickie Li!
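As an added defender-side check (example code, not part of the writeup), the following script audits a directory tree for the two conditions this escalation relies on: playbooks sitting in a world-writable directory that a privileged job picks up, and a shell binary left with the SUID/SGID bits set. The scratch tree it builds uses placeholder paths such as srv/playbooks, since the writeup does not name the real directory.

```shell
#!/usr/bin/env bash
# Added audit helper (not from the writeup). Both checks target the privilege
# escalation path described above: a 777 Ansible playbook directory and a
# shell binary carrying the SUID/SGID bits after `chmod +s /bin/bash`.
set -eu

# List playbook files (*.yml / *.yaml) sitting directly inside a world-writable
# directory below $1. A root-run job that loads playbooks from such a directory
# lets any local user add tasks that execute as root.
find_writable_playbooks() {
  root="$1"
  find "$root" -type d -perm -0002 \
    -exec find {} -maxdepth 1 -type f \( -name '*.yml' -o -name '*.yaml' \) \; 2>/dev/null
}

# List shells below $1 that carry the SUID or SGID bit. A shell with these bits
# is the condition the writeup reaches via `chmod +s`; it should never exist.
find_suid_shells() {
  root="$1"
  find "$root" -type f \( -perm -4000 -o -perm -2000 \) \
    \( -name bash -o -name sh -o -name dash -o -name zsh \) 2>/dev/null
}

# Build a constructed scratch tree reproducing both misconfigurations and echo
# its path. Directory and file names are placeholders, not the box's real paths.
build_demo_tree() {
  t="$(mktemp -d)"
  mkdir -p "$t/srv/playbooks" "$t/bin"
  chmod 777 "$t/srv/playbooks"                  # the world-writable directory
  printf -- '- hosts: localhost\n  tasks: []\n' > "$t/srv/playbooks/job.yml"
  : > "$t/bin/bash"; chmod 4755 "$t/bin/bash"   # -rwsr-xr-x shell
  : > "$t/bin/ls";   chmod 755  "$t/bin/ls"     # control: a normal binary
  echo "$t"
}

# Run both checks against the scratch tree, report, and clean up.
demo() {
  t="$(build_demo_tree)"
  echo "[*] playbooks in world-writable directories:"; find_writable_playbooks "$t"
  echo "[*] SUID/SGID shells:";                        find_suid_shells "$t"
  rm -rf "$t"
}

demo
```

Pointing find_writable_playbooks and find_suid_shells at / instead of the scratch tree turns the script into a quick host audit for this class of misconfiguration.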

By default, YAML does not support tabs, so I converted them to spaces and waited for a while for the playbook to load.

As shown below, we see that the permissions for the _bash_ binary have been set to

-rwsr-sr-x 1 root root

We see that the SUID bit has been set, allowing us to run the _bash_ binary as root via

bash -p

Sure enough, we get root!