{"id":211,"date":"2023-04-22T18:01:04","date_gmt":"2023-04-22T17:01:04","guid":{"rendered":"https:\/\/merrillnewman.tech\/?p=211"},"modified":"2023-04-22T18:03:34","modified_gmt":"2023-04-22T17:03:34","slug":"htb-shared","status":"publish","type":"post","link":"https:\/\/merrillnewman.tech\/?p=211","title":{"rendered":"HTB: Shared"},"content":{"rendered":"\n

Overview<\/h3>\n\n\n\n

Shared is a great box that taught me much. You start out by enumerating a web app and then find an SQL injection in an unexpected place. You’ll use this SQL injection to extract a username and a password hash which can be cracked and used to SSH. Once on the box you’ll exploit iPython and Redis to make your way to root.<\/p>\n\n\n\n\n\n\n\n

Scan Details<\/h3>\n\n\n\n
PORT    STATE SERVICE  VERSION\n22\/tcp  open  ssh      OpenSSH 8.4p1 Debian 5+deb11u1 (protocol 2.0)\n| ssh-hostkey: \n|   3072 91e835f4695fc2e20e2746e2a6b6d865 (RSA)\n|   256 cffcc45d84fb580bbe2dad35409dc351 (ECDSA)\n|_  256 a3386d750964ed70cf17499adc126d11 (ED25519)\n80\/tcp  open  http     nginx 1.18.0\n|_http-title: Did not follow redirect to http:\/\/shared.htb\n|_http-server-header: nginx\/1.18.0\n443\/tcp open  ssl\/http nginx 1.18.0\n|_http-server-header: nginx\/1.18.0\n| tls-alpn: \n|   h2\n|_  http\/1.1\n|_ssl-date: TLS randomness does not represent time\n| tls-nextprotoneg: \n|   h2\n|_  http\/1.1\n| ssl-cert: Subject: commonName=*.shared.htb\/organizationName=HTB\/stateOrProvinceName=None\/countryName=US\n| Not valid before: 2022-03-20T13:37:14\n|_Not valid after:  2042-03-15T13:37:14\n|_http-title: Did not follow redirect to https:\/\/shared.htb\nService Info: OS: Linux; CPE: cpe:\/o:linux:linux_kernel\n<\/code><\/pre>\n\n\n\n
Enumeration and Initial Foothold<\/h3>\n\n\n\n
Browsing to the site redirects us to shared.htb<\/a> so we’ll have to add this to \/etc\/hosts<\/code>. After doing so, we are presented with a online store that mentions a new checkout process on the front page.<\/p>\n\n\n\n
\"\"
https:\/\/shared.htb<\/figcaption><\/figure>\n\n\n\n
Trying to test the checkout function, we find out that it doesn’t actually send a request. It just creates an alert.<\/p>\n\n\n\n
\"\"
https:\/\/checkout.shared.htb<\/figcaption><\/figure>\n\n\n\n
Taking a closer look at the request used to get the page we see that in the custom_cart <\/code>cookie, we have some JSON containing the product ID and the quantity to retrieve from the database.<\/p>\n\n\n\n
\"\"
Checkout GET request<\/figcaption><\/figure>\n\n\n\n
Doing some basic testing with single quotes and comments reveals that this is vulnerable to SQL injection. I used the following payloads to enumerate and exploit the database.<\/p>\n\n\n\n
Get Databases<\/h5>\n\n\n\n
{\"' UNION SELECT 1,(SELECT group_concat(schema_name) FROM INFORMATION_SCHEMA.SCHEMATA),3-- -\":\"1\"}<\/code><\/pre>\n\n\n\n
Get Tables<\/h5>\n\n\n\n
{\"' UNION SELECT 1,(SELECT group_concat(table_name) FROM INFORMATION_SCHEMA.TABLES WHERE table_schema LIKE 'checkout'),3-- -\":\"1\"}<\/code><\/pre>\n\n\n\n
Get Columns<\/h5>\n\n\n\n
{\"' UNION SELECT 1,(SELECT group_concat(column_name) FROM INFORMATION_SCHEMA.COLUMNS WHERE table_name LIKE 'user'),3-- -\":\"1\"}<\/code><\/pre>\n\n\n\n
Get User Information<\/h5>\n\n\n\n
{\"' UNION SELECT 1,(SELECT group_concat(username,':',password) FROM user),3-- -\":\"1\"}<\/code><\/pre>\n\n\n\n
The final payload will return a username and password hash.<\/p>\n\n\n\n
\"\"
Extracting user information via SQL injection<\/figcaption><\/figure>\n\n\n\n
Pasting this into crackstation<\/a> gives us a hit quickly.<\/p>\n\n\n\n
\"\"
Cracking hash with crackstation<\/figcaption><\/figure>\n\n\n\n
We can then use these credentials to SSH onto the box. But this is not enough to get the user flag, to get the user flag we will have to escalate our privileges to the dan_smith user as the flag is only readable by him and root.<\/p>\n\n\n\n
\"\"
Flag ownership and permissions<\/figcaption><\/figure>\n\n\n\n
Privilege Escalation<\/h3>\n\n\n\n
Listing all files in dan_smith’s home directory reveals the hidden .iPython directory. Running strings on the history.sqlite<\/code> file within reveals that iPython is being ran every minute.<\/p>\n\n\n\n
\"\"
strings history.sqlite<\/figcaption><\/figure>\n\n\n\n
This could be a good target since it looks like iPython is being ran every minute under the dan_smith user. Getting the version (8.0.0) by simply running ipython<\/code>, we can google for exploits. In the first couple results we will see a GitHub advisory.<\/p>\n\n\n\n
\"\"
iPython GitHub advisory<\/figcaption><\/figure>\n\n\n\n
Seems simple enough to exploit, but we will need to find out the directory that iPython is being ran from. To do this we can use Pspy.<\/p>\n\n\n\n
\"\"
Pspy output<\/figcaption><\/figure>\n\n\n\n
We can see that the cronjob executes iPython from the \/opt\/scripts_review<\/code> directory. With this information we can rip a Python reverse shell off of revshells.com<\/a><\/code> and follow the advisory steps.<\/p>\n\n\n\n
\"\"
Following advisory steps<\/figcaption><\/figure>\n\n\n\n
\"\"
Receiving a shell as dan_smith<\/figcaption><\/figure>\n\n\n\n
From here we can take dan_smith’s ssh key and ssh as him. Continuing our enumeration as dan_smith, we see that we are a part of the sysadmin group. Looking for files owned by this group reveals a custom binary.<\/p>\n\n\n\n
\"\"
Finding files owned by sysadmins<\/figcaption><\/figure>\n\n\n\n
Running it shows that it logs into a Redis instance and executes the info command.<\/p>\n\n\n\n
\"\"
redis_connector_dev output<\/figcaption><\/figure>\n\n\n\n
Copying the file to our local machine and running it shows that it tries to login to Redis at localhost on port 6379 and then fails.<\/p>\n\n\n\n
\"\"
redis_connector_dev output on attack box<\/figcaption><\/figure>\n\n\n\n
Starting a listener and then running it will give us the Redis password.<\/p>\n\n\n\n
\"\"
Getting Redis password.<\/figcaption><\/figure>\n\n\n\n
With access to Redis we can use RedisModules-ExecuteCommand<\/a> to execute commands as root.<\/p>\n\n\n\n
\"\"<\/figure>\n","protected":false},"excerpt":{"rendered":"
Overview Shared is a great box that taught me much. You start out by enumerating a web app and then find an SQL injection in an unexpected place. You’ll use this SQL injection to extract a username and a password hash which can be cracked and used to SSH. Once on the box you’ll exploit […]<\/p>\n","protected":false},"author":1,"featured_media":232,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"hide_page_title":"","_coblocks_attr":"","_coblocks_dimensions":"","_coblocks_responsive_height":"","_coblocks_accordion_ie_support":"","_mi_skip_tracking":false,"footnotes":""},"categories":[1],"tags":[],"class_list":["post-211","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-uncategorised"],"_links":{"self":[{"href":"https:\/\/merrillnewman.tech\/index.php?rest_route=\/wp\/v2\/posts\/211","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/merrillnewman.tech\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/merrillnewman.tech\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/merrillnewman.tech\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/merrillnewman.tech\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=211"}],"version-history":[{"count":4,"href":"https:\/\/merrillnewman.tech\/index.php?rest_route=\/wp\/v2\/posts\/211\/revisions"}],"predecessor-version":[{"id":231,"href":"https:\/\/merrillnewman.tech\/index.php?rest_route=\/wp\/v2\/posts\/211\/revisions\/231"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/merrillnewman.tech\/index.php?rest_route=\/wp\/v2\/media\/232"}],"wp:attachment":[{"href":"https:\/\/merrillnewman.tech\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=211"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/merrillnewman.tech\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=211"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/merrillnewman.tech\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=211"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}