HackTheBox - Validation Writeup

Box author | ippsec

Nmap

Like always, I start by scanning the IP address with Nmap.

# Nmap 7.92 scan initiated Fri Aug 19 23:10:37 2022 as: nmap -sCV -O -oN nmap/validation 10.10.11.116
Nmap scan report for 10.10.11.116
Host is up (0.19s latency).
Not shown: 992 closed tcp ports (reset)
PORT     STATE    SERVICE       VERSION
22/tcp   open     ssh           OpenSSH 8.2p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   3072 d8:f5:ef:d2:d3:f9:8d:ad:c6:cf:24:85:94:26:ef:7a (RSA)
|   256 46:3d:6b:cb:a8:19:eb:6a:d0:68:86:94:86:73:e1:72 (ECDSA)
|_  256 70:32:d7:e3:77:c1:4a:cf:47:2a:de:e5:08:7a:f8:7a (ED25519)
80/tcp   open     http          Apache httpd 2.4.48 ((Debian))
|_http-title: Site doesn't have a title (text/html; charset=UTF-8).
|_http-server-header: Apache/2.4.48 (Debian)
5000/tcp filtered upnp
5001/tcp filtered commplex-link
5002/tcp filtered rfe
5003/tcp filtered filemaker
5004/tcp filtered avt-profile-1
8080/tcp open     http          nginx
|_http-title: 502 Bad Gateway
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
TCP/IP fingerprint:
OS:SCAN(V=7.92%E=4%D=8/19%OT=22%CT=1%CU=39488%PV=Y%DS=2%DC=I%G=Y%TM=62FFA81
OS:5%P=x86_64-pc-linux-gnu)SEQ(SP=103%GCD=2%ISR=10F%TI=Z%CI=Z%II=I%TS=A)OPS
OS:(O1=M54DST11NW7%O2=M54DST11NW7%O3=M54DNNT11NW7%O4=M54DST11NW7%O5=M54DST1
OS:1NW7%O6=M54DST11)WIN(W1=FE88%W2=FE88%W3=FE88%W4=FE88%W5=FE88%W6=FE88)ECN
OS:(R=Y%DF=Y%T=40%W=FAF0%O=M54DNNSNW7%CC=Y%Q=)T1(R=Y%DF=Y%T=40%S=O%A=S+%F=A
OS:S%RD=0%Q=)T2(R=N)T3(R=N)T4(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)T5(R
OS:=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)T6(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F
OS:=R%O=%RD=0%Q=)T7(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)U1(R=Y%DF=N%
OS:T=40%IPL=164%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=G%RUD=G)IE(R=Y%DFI=N%T=40%CD
OS:=S)

Network Distance: 2 hops
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Fri Aug 19 23:11:17 2022 -- 1 IP address (1 host up) scanned in 39.91 seconds

There are a bunch of filtered ports (5000 to 5004), but there are still open ports: 22, 80 and 8080. It feels like something is going on with these ports. The SSH banner on port 22 says the host is running Ubuntu, but the Apache header on port 80 says Debian.

HTTP: UHC

Well, port 80 is open and running Apache, so I'm going to take a look at it. Surprisingly, it is a simple website about UHC, and I can register on it by entering a username and selecting a country.

Image: uhc webpage (/posts/htb/validation/uhc-simple-main-page.png)

I register my name and a country. When I click the "Join Now" button, it goes to this page.

Image: uhc register name (/posts/htb/validation/uhc-register-name.png)

It shows my name and the country that I picked when registering. When I register with the same name and a different country, it keeps showing the same page as in the image above and always goes through the /account.php endpoint.

Gobuster

So, I run gobuster to enumerate hidden directories. It did not reveal much; in other words, this site is very "barebone". However, config.php sounds interesting, but it is empty.

Image: gobuster (/posts/htb/validation/gobuster-scan-on-port-80.png)

Honestly, I found that weird. So, I check whether this page uses some sort of session or cookie. Turns out it sets a cookie called user, and this cookie changes when I register a new username.

Image: aiman cookie (/posts/htb/validation/aiman-cookie.png)

Image: test cookie (/posts/htb/validation/test-cookie.png)

SQL Injection

I end up running Burp Suite to analyze the response and how the register form handles the request. Then I try adding a single quote ' everywhere, and nothing happens. That's so weird! Lo and behold, I had forgotten to change the cookie. So I changed it and got an error that indicates it is vulnerable to SQLi.

Image: single quote register (/posts/htb/validation/single-quote-register.png)

Image: error indicating SQL injection (/posts/htb/validation/error-indicate-sql-injection.png)

SQL Injection: UNION

Then I check which columns can be injected and displayed back to me. As always, this is the first try, so the number of columns must be 1. Right? ;). So the payload is going to be country=country' UNION ALL SELECT 1-- -.

Image: inject the first column (/posts/htb/validation/inject-the-first-columns.png)

Image: output of the number one (/posts/htb/validation/output-of-the-number-one.png)

Shockingly, it works on the first try. Based on the output, I can inject a payload and have its result displayed to me, such as VERSION().

Image: inject to show the version (/posts/htb/validation/inject-to-show-the-version.png)
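To make the injection concrete, here is an added example (not the box's PHP source) that models the account.php flow in Python with sqlite3: the country is stored at registration and later spliced into a lookup keyed by the user cookie, which is why the cookie had to change before the payload fired. The table name, sample data and sqlite_version() (standing in for MySQL's VERSION()) are assumptions for the demo, and the vulnerable lookup sits beside its parameterized fix.

```python
import sqlite3

# Constructed model of the second-order injection described in the writeup.
# Not the real application code; schema and data are made up for the demo.
UNION_PAYLOAD = "country' UNION ALL SELECT 1-- -"                 # from the writeup
VERSION_PAYLOAD = "country' UNION ALL SELECT sqlite_version()-- -"  # VERSION() stand-in


def setup_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE registration (username TEXT, country TEXT)")
    return conn


def register(conn, username, country):
    # index.php-style insert. It is parameterized, so the payload is stored
    # verbatim and does nothing yet: the bug lives in the later lookup.
    conn.execute("INSERT INTO registration VALUES (?, ?)", (username, country))


def stored_country(conn, cookie_user):
    row = conn.execute("SELECT country FROM registration WHERE username = ?",
                       (cookie_user,)).fetchone()
    return row[0] if row else None


def account_page_vulnerable(conn, cookie_user):
    # account.php-style lookup: the stored country is concatenated into SQL,
    # so a quote in it ends the literal and "-- -" comments out the rest.
    country = stored_country(conn, cookie_user)
    sql = "SELECT username FROM registration WHERE country = '%s'" % country
    return [r[0] for r in conn.execute(sql)]


def account_page_safe(conn, cookie_user):
    # Same lookup with a bound parameter: the stored payload is just a value,
    # so it only ever matches itself.
    country = stored_country(conn, cookie_user)
    return [r[0] for r in conn.execute(
        "SELECT username FROM registration WHERE country = ?", (country,))]


def demo():
    conn = setup_db()
    register(conn, "aiman", "Brazil")          # normal registration
    register(conn, "test", UNION_PAYLOAD)      # new name with the payload as country
    register(conn, "ver", VERSION_PAYLOAD)
    return {
        "aiman_vuln": account_page_vulnerable(conn, "aiman"),  # ['aiman']
        "test_vuln": account_page_vulnerable(conn, "test"),    # [1]: the injected column
        "test_safe": account_page_safe(conn, "test"),          # ['test']: payload inert
        "ver_vuln": account_page_vulnerable(conn, "ver"),      # ['3.x.y'] engine version
    }


if __name__ == "__main__":
    print(demo())
```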

SQL Injection: RCE

I want to upload a web shell to this box. However, I can't find any path to upload it. To be honest, I'm stuck at this point and felt defeated. Then I manage to find this article by threatening Mr. Google (not asking nicely today sir! jk). This is possible by using OUTFILE to write a file to the server.

Image: inject malicious payload (/posts/htb/validation/inject-malicious-payload.png)

The webpage still throws an error. But when I navigate to the file that I created and try the id command, it works.

Image: execute php webshell (/posts/htb/validation/run-id-command-in-the-php-webshell.png)

Foothold: Bash reverse shell

Now it's time to get a reverse shell. The host is running Linux, so I use a bash reverse shell, URL-encoded, and BOOM!

Image: send reverse shell (/posts/htb/validation/used-bash-reverse-shell.png)

Foothold: Upgrade shell using script

Finally, I've got a reverse shell as the www-data user. As always, I want a fully working shell, so it's time to upgrade my reverse shell. However, when I look for python, either v2 or v3, there is no result at all. Then it clicks in my mind: I can upgrade this shell using script, like on the Unified box.

Image: shell as www-data (/posts/htb/validation/upgrade-the-shell-using-script.png)

Foothold: Config.php

So, I'm already in the /var/www/html directory. When I list all the contents of this directory, I find that config.php is not empty after all. Not just that! I manage to grab credentials from that file as well.

Image: found the credentials (/posts/htb/validation/credentials-in-config-php.png)

Then I try to enumerate the database with those credentials, but nothing useful comes back. So I check how many users are on this box by reading /etc/passwd. Surprisingly, there's only one user on this box.

Image: check users on the box (/posts/htb/validation/reading-etc-passwd-file.png)

Root

So, I try those credentials with the root user, and it works.

Image: change user to root (/posts/htb/validation/login-as-root.png)

NICE!