Player – 10.10.10.145

In this writeup I will try to explain how I got root on the Player box.

Initial port scan reveals 3 open ports

Went to the site, but it wasn't available, so let's try listing some directories.

The only reachable link we found was http://player.htb/launcher, so let's take a look there.

Nothing of interest in the source code, so we decided to take a look in Burp.

We found an access token here:

access=eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJwcm9qZWN0IjoiUGxheUJ1ZmYiLCJhY2Nlc3NfY29kZSI6IkMwQjEzN0ZFMkQ3OTI0NTlGMjZGRjc2M0NDRTQ0NTc0QTVCNUFCMDMifQ.cjGwng6JiMiOWZGz7saOdOuhyr1vad5hAxOJCiM3uzU

Also a link to some PHP file:

/launcher/dee8dc8a47256c64630d803a4c40786c.php

After some deeper looking we found a backup copy of the file:

/launcher/dee8dc8a47256c64630d803a4c40786c.php~
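That stray .php~ copy is what hands out the source, and with it the signing key. As an added example (not part of this writeup or the box), here is a small Python check that walks a web root and reports editor backup and swap artefacts like the one found here; the suffix list is my assumption and the sample web root is constructed:

```python
import os
import re
import tempfile

# Editor and backup artefacts that commonly end up inside a web root. The
# ".php~" suffix is what leaked the launcher source here; the rest are
# common variants (an assumed list, extend it for your own editors).
BACKUP_PATTERNS = [
    re.compile(r".+~$"),                               # vi/emacs/sed backup: file.php~
    re.compile(r".+\.(bak|old|orig|save|swp|swo)$"),   # file.php.bak, .file.php.swp
    re.compile(r"^#.+#$"),                             # emacs autosave: #file.php#
]

def is_backup_name(name):
    return any(p.match(name) for p in BACKUP_PATTERNS)

def find_backup_files(webroot):
    """Return webroot-relative paths of files that look like editor backups."""
    hits = []
    for dirpath, _dirs, files in os.walk(webroot):
        for name in files:
            if is_backup_name(name):
                hits.append(os.path.relpath(os.path.join(dirpath, name), webroot))
    return sorted(hits)

def demo():
    # Constructed sample web root mirroring the layout seen on the box.
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, "launcher"))
    for rel in ("index.html",
                "launcher/dee8dc8a47256c64630d803a4c40786c.php",
                "launcher/dee8dc8a47256c64630d803a4c40786c.php~",
                "launcher/.index.php.swp"):
        with open(os.path.join(root, rel), "w") as fh:
            fh.write("<?php // sample ?>\n")
    return find_backup_files(root)

if __name__ == "__main__":
    for hit in demo():
        print("backup artefact exposed in web root:", hit)
```

Pairing a check like this with an Apache FilesMatch rule that denies those suffixes means the server refuses to serve them even when someone forgets to clean up.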

[Screenshot: the raw contents of dee8dc8a47256c64630d803a4c40786c.php~ as rendered in the browser; the beautified version follows below.]

We put this in a beautifier and get this back:

[top of the file is cut off in the screenshot]
..., 'HS256');

...access_code === "0E76658526655756207688271159624026011393") {
    header("Location: 7F2xxxxxxxxxxxxx/");
} else {
    header("Location: index.html");
}
} else {
    $token_payload = ['project' => 'PlayBuff', 'access_code' => '0E76658526655756207688271159624026011393'];
    $key = '_S0_R@nd0m_P@ss_';
    $jwt = JWT::encode($token_payload, base64_decode(strtr($key, '-_', '+/')), 'HS256');
    $cookiename = 'access';
    setcookie('access', $jwt, time() + (86400 * 30), "/");
    header("Location: index.html");
}
?>

So let's analyze what this thing does.

It looks like the generator for the access cookie we found earlier, so let's work out what's in there.

If the access code is 0E7xxxxxxxxxxx393, we get redirected to a location we don't know yet. Let's try that.

So we got redirected to the right place and found a juicy page.

It seems we can upload something here.

After investigating, it turns out various media files can be uploaded here.

Let's look for a malicious one: https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/Upload%20Insecure%20Files/CVE%20Ffmpeg%20HLS

This gives us a few options. Let's give it a try.

After uploading read_passwd.avi I noticed we could only download the video from there, so I did, and noticed something strange when playing it.

So now we can read files on the system. Where is the juice? After some tries I ran this command:

python gen_avi_bypass.py file://etc/apache2/sites-available/000-default.conf payload.avi

This gave me 3 subdomains.

After adding them to my hosts file I decided to take a look.

chat.player.htb:

This gives us more information about how we will be able to proceed.

So the chat suggests we take a look at staging, because that is where we'll find the juice for the dev domain, I guess.

dev.player.htb has a single login.

staging.player.htb:

Looking around here gives us some usernames.

Catching /contact.php in Burp and putting the response through a beautifier gives us this:

I can see some sensitive file paths. Let's try reading them with the .avi exploit:

python gen_avi_bypass.py file://var/www/backup/service_config payload.avi

After uploading and downloading that, we got this:

Awesome!!

telegen:d-bC|jC!2uepS/w

Let's try logging in!

After some trial and error we found out the creds are for SSH on port 6686.

This gives us a limited shell.

That's pretty much it for the shell. After a lot of trial and error I decided there is nothing to inject here…

Or is there…

We take another look at the nmap results and notice something strange: two SSH services, each a different version. Let's check out what that is about.

We can try the xauth command injection: copy it to the current working directory and then fire it up.

python evil.py player.htb 6686 telegen 'd-bC|jC!2uepS/w'

So we can read and write files. This should be enough to get a proper shell.

Maybe now is the time to check out that /staging/fix.php file.

We found more creds. WOOT!

peter:CQXpm\z)G5D#%S$y=

Those were the creds for dev.player.htb.

After noticing we could create our own project, I decided to do so. For some reason it seems projects can only be created under the /Demo directory.

Name: Rival

Path: /var/www/Demo/rival

After making it I noticed we could upload files too.

Let's try uploading a PHP reverse shell.

Browse to http://dev.player.htb/rival/rival.php to trigger it; notice we have to put our directory after Demo first 🙂

Our listener catches a shell as www-data.

We have creds for telegen. Let's try those.

This brings us back to the limited shell…

This did it:

ROOT

So I uploaded linuxprivchecker and ran it. It suggested some binary exploits for privesc, but I found out we can't run binaries on the system.

That wasn't it. I decided to check running processes with pspy64 and came across /var/lib/playbuff/buff.php.

After a while we see this file runs every minute, so let's try getting something out of it.

Looking at this file, we need to find a vulnerability in it.

The script has 2 attack vectors:

  1. include("/var/www/html/launcher/dee8dc8a47256c64630d803a4c40786g.php");
    With this it includes a file from the launcher directory, which is owned by www-data, so we can replace that file.
  2. It takes input from merges.log and deserializes it.
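Both vectors come down to root executing code or data that a lower-privileged user controls. As an added example (not from this writeup or the box), a Python audit that pulls include()/require() targets and unserialize(file_get_contents(...)) calls out of a PHP script run from root's cron and flags any included file, or the directory holding it, that root does not own or that is group/world writable; the sample script and the ownership table (www-data as uid 33) are constructed stand-ins:

```python
import os
import re
import stat

# The two vectors in buff.php: include() of a fixed path, and unserialize() of a file.
INCLUDE_RE = re.compile(
    r"\b(?:include|require)(?:_once)?\s*\(?\s*['\"]([^'\"]+)['\"]")
UNSERIALIZE_RE = re.compile(
    r"unserialize\s*\(\s*file_get_contents\s*\(\s*['\"]([^'\"]+)['\"]")

def audit_cron_php(php_source, lookup, trusted_uids=(0,)):
    """Findings for a PHP script that root runs from cron. lookup(path) ->
    (owner_uid, mode), or None if absent. An include is flagged when the
    file or its directory is owned by a uid outside trusted_uids or is
    group/world writable: either lets a non-root user swap in root-run code."""
    findings = []
    for inc in INCLUDE_RE.findall(php_source):
        for path in (inc, os.path.dirname(inc)):
            info = lookup(path)
            if info is None:
                continue
            uid, mode = info
            if uid not in trusted_uids or mode & (stat.S_IWGRP | stat.S_IWOTH):
                findings.append(f"include {inc}: {path} owned by uid {uid}, "
                                f"mode {oct(mode & 0o777)}; a non-root user "
                                "can replace the included code")
                break
    for path in UNSERIALIZE_RE.findall(php_source):
        findings.append(f"unserialize() of file contents: {path}")
    return findings

# Constructed stand-in for buff.php, using the include path quoted above.
SAMPLE_SCRIPT = r'''<?php
include("/var/www/html/launcher/dee8dc8a47256c64630d803a4c40786g.php");
$merges = unserialize(file_get_contents("/var/lib/playbuff/merges.log"));
?>'''

# Constructed ownership table standing in for os.stat(): the launcher
# directory belongs to www-data (uid 33), the file itself to root.
FAKE_FS = {
    "/var/www/html/launcher": (33, 0o755),
    "/var/www/html/launcher/dee8dc8a47256c64630d803a4c40786g.php": (0, 0o644),
}

def demo():
    return audit_cron_php(SAMPLE_SCRIPT, FAKE_FS.get)

if __name__ == "__main__":
    print("\n".join(demo()))
```

On a real host, pass a wrapper around os.stat that returns (st_uid, st_mode) as lookup, and feed it every script referenced from /etc/cron* and root's crontab.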

The first one seems more reliable, so let's give it a try.

So we made a PHP reverse shell

and downloaded it onto the remote box. Now we rename it to the name the script includes, set up our listener and wait for root to kick in 😀

After some time we get a response on our listener:
