Enumeration

Nmap

The initial nmap scan revealed that the SSH and HTTP ports were open.

00 - nmap output

WEB Enumeration

The website showed a 403 Forbidden error.

01 - forbidden

Directory brute forcing revealed a survey endpoint. It was a LimeSurvey installation page.

02 - dirbuster

03 - limesurvey

When I tried to finish the setup, I was stuck at the database connection step, so I decided to create my own database and have the installer connect to it remotely.

I used the commands below to create the database and the user. The '%' host part means the user may connect from anywhere (0.0.0.0):

CREATE DATABASE test_limedb;
CREATE USER 'test_limeuser'@'%' IDENTIFIED BY 'Test1234';
GRANT SELECT, CREATE, INSERT, UPDATE, DELETE, ALTER, DROP, INDEX ON test_limedb.* TO 'test_limeuser'@'%';
FLUSH PRIVILEGES;

Then I added the firewall rule and restarted the database (the ufw syntax is "to any port 3306"):

sudo ufw allow in on tun0 to any port 3306
sudo /etc/init.d/mariadb stop
sudo /etc/init.d/mariadb start

04 - db creation

Then I entered the database configuration in the LimeSurvey installer.

05 - db config

Then I populated the database and set the administrator username and password.

06 - populate

07 - admin

Then I simply logged in.

08 - login

Exploitation

CVE-2021-44967

After reaching the admin dashboard, I knew that I could abuse CVE-2021-44967: an administrator can upload a malicious plugin and get a reverse shell. The INE post explains it in detail.

I could have exploited it manually, but I used this tool and got a reverse shell. The shell landed inside a Docker container, and there were no flags there.

09 - cve-2021-44967

10 - shell

First I used socat to get an upgraded shell.

11 - socat

12 - socat shell

Then I ran linpeas and found an environment variable that contained limesvc's password.

14 - env

I was root inside the container, but there were still no flags. Then I tried that password over SSH and it worked; I got the user flag on the host machine.

15 - root

15 - got the user

Privilege Escalation

After some research I found out that if the container had a custom mount, I could write to it as container root and then execute the file as the user on the host machine, provided the host user had access to that directory.

So I checked the available mounts with 'findmnt'. One of them was a custom mount.

16 - read write

On the host machine, I had access to the mounted directory.

So, as root in the container, I copied a bash binary to the mount and set the SUID bit on it.

17 - copy

Then, on the host machine, I executed it and got a root shell and the flag.

18 - root
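The host-side weakness behind this escalation is a directory shared between the container and the host that is mounted without nosuid, so a SUID binary written by container root is honoured when a host user runs it. The script below is an added example for checking a host for that condition; it is not part of the original writeup, and the findmnt sample it reads is constructed, not output from the machine.

```shell
#!/bin/sh
# Added example (not from the writeup): audit mount points for the weakness
# used above. A mount without "nosuid" honours setuid bits, so a SUID binary
# dropped into a shared directory by container root runs as root on the host.

# mounts_without_nosuid reads findmnt-style lines ("TARGET OPTIONS") from
# stdin and prints each target whose option list lacks "nosuid".
mounts_without_nosuid() {
    while read -r target options; do
        [ -n "$target" ] || continue
        case ",$options," in
            *,nosuid,*) ;;                  # setuid bits ignored here: fine
            *) printf '%s\n' "$target" ;;   # setuid bits honoured: report it
        esac
    done
}

# suid_files_under lists regular files below DIR that carry the setuid bit,
# without crossing into other filesystems.
suid_files_under() {
    find "$1" -xdev -type f -perm -4000 2>/dev/null
}

# Constructed sample of "findmnt -rn -o TARGET,OPTIONS" output (not real
# data). /srv/shared stands in for a directory bind-mounted into a container.
SAMPLE_MOUNTS='/ rw,relatime
/proc rw,nosuid,nodev,noexec,relatime
/srv/shared rw,relatime
/tmp rw,nosuid,nodev,relatime'

# audit_sample runs the check over the constructed sample; on a live host
# replace the printf with: findmnt -rn -o TARGET,OPTIONS
audit_sample() {
    printf '%s\n' "$SAMPLE_MOUNTS" | mounts_without_nosuid
}

# Stand-alone run: list offending mounts, then any SUID files under each.
if [ "${1:-}" = "--run" ]; then
    audit_sample | while read -r m; do
        echo "mount lacks nosuid: $m"
        suid_files_under "$m"
    done
fi
```

On the sample, "/" and "/srv/shared" are reported; "/proc" and "/tmp" are not. The corresponding mitigation is to mount directories shared with containers with nosuid (and noexec where the contents never need to run), and to avoid exposing a directory writable by container root to interactive host users at all.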

Pwned

The machine was fully compromised.

pwned