Hack The Box: Inject Walkthrough

Jul 24, 2024

Hack The Box: Inject Walkthrough by IPS

Overview

  • Box: Inject
  • Platform: Hack The Box
  • Topics Covered: Spring Cloud Config Server, File Disclosure Vulnerability, Tomcat, Ansible Playbook, LFI (Local File Inclusion)

Initial Reconnaissance

  • Tools Used: nmap
    • -sC for default scripts
    • -sV to enumerate service versions
    • -oA to output in all formats
  • Findings:
    • SSH on port 22 (Ubuntu Server)
    • HTTP on port 8080 (potentially Nagios NSCA)
  • Next Steps: Investigate HTTP service

Investigating HTTP Service

  • Initial Observations:
    • Webpage likely using Tomcat (not explicitly mentioned in headers)
    • Error pages and behaviors reminiscent of Tomcat
  • Tools Used: Burp Suite, GoBuster
    • Examined server headers; no explicit mention of Nagios
    • Ran GoBuster to enumerate directories
  • Findings:
    • Potential file upload vulnerability in the image upload functionality

Exploiting File Disclosure Vulnerability

  • Procedure:
    • Uploaded an image file; modified the HTTP parameter to attempt Local File Inclusion (LFI)
    • Used ../../../../../etc/passwd to confirm file disclosure vulnerability
    • Navigated using directory traversal to discover pom.xml
  • Importance of pom.xml:
    • Lists all libraries and dependencies of the application
    • Confirmed application uses Spring Cloud Config Server
    • Identified possible exploits for Spring vulnerabilities
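The containment check the image endpoint was missing, together with a detector for the same traversal pattern in web access logs, as an added example (not code from the box or the walkthrough); the `img` parameter name, the Combined-format log lines, and the upload directory are assumptions.

```python
import posixpath
import re
from urllib.parse import unquote, urlsplit, parse_qs

# Assumed upload directory of the web application (not taken from the box).
WEB_ROOT = "/var/www/WebApp/uploads"

def is_traversal(requested: str, root: str = WEB_ROOT) -> bool:
    """True if a user-supplied file name would resolve outside `root`.

    The flaw in the walkthrough is the absence of exactly this check: the
    parameter was joined onto the upload directory and served as-is.
    """
    # Decode twice so %2e%2e%2f and double-encoded %252e%252e%252f are both caught.
    decoded = unquote(unquote(requested))
    # Treat backslashes as separators and cut at a NUL byte, then normalise.
    decoded = decoded.replace("\\", "/").split("\x00", 1)[0]
    resolved = posixpath.normpath(posixpath.join(root, decoded))
    return not (resolved == root or resolved.startswith(root.rstrip("/") + "/"))

# Minimal Combined Log Format parser: client IP, request target and status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

def flag_traversal_requests(log_lines, param="img"):
    """Return (client_ip, status, decoded_value) for requests whose file
    parameter escapes WEB_ROOT; parse_qs already percent-decodes once."""
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        query = urlsplit(m.group("target")).query
        for value in parse_qs(query, keep_blank_values=True).get(param, []):
            if is_traversal(value):
                hits.append((m.group("ip"), m.group("status"), value))
    return hits

# Constructed sample log lines; the IPs, timestamps and paths are made up.
SAMPLE_LOG = [
    '10.10.14.5 - - [24/Jul/2024:10:01:12 +0000] "GET /show_image?img=logo.png HTTP/1.1" 200 5120',
    '10.10.14.5 - - [24/Jul/2024:10:02:40 +0000] "GET /show_image?img=../../../../../etc/passwd HTTP/1.1" 200 1823',
    '10.10.14.7 - - [24/Jul/2024:10:03:01 +0000] "GET /show_image?img=%2e%2e%2f%2e%2e%2fpom.xml HTTP/1.1" 200 2210',
    '10.10.14.9 - - [24/Jul/2024:10:03:30 +0000] "POST /upload HTTP/1.1" 200 64',
]

if __name__ == "__main__":
    for ip, status, value in flag_traversal_requests(SAMPLE_LOG):
        print(f"traversal from {ip} (HTTP {status}): {value!r}")
```

A 200 status on a flagged request is the signal worth alerting on: the server answered the escaped path rather than rejecting it.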

Gaining Initial Foothold

  • Tools Used: Visual Studio Code, Snyk
    • Scanned pom.xml for vulnerabilities
    • Found critical vulnerability: CVE-2022-22965
    • Used GitHub POC to exploit and gain initial access
  • Method:
    • Sent a crafted HTTP POST request to /functionRouter endpoint
    • Included a payload to execute system commands via a web shell

Elevating Privileges

  • User Transition: From 'frank' to 'phil'
    • Discovered credentials for 'phil' in settings.xml inside .m2 directory
    • Logged in as 'phil'
  • Ansible Playbook Exploitation:
    • Found writable directory: /opt/automation/tasks
    • Created a new Ansible playbook to execute a reverse shell
    • Waited for cron job to trigger the playbook, gaining root access

Final Steps and Notes

  • Tools Used: Pspy (to monitor cron jobs)
  • Root user obtained, root flag captured
  • Summary:
    • Exploited file disclosure to gain information on running services and dependencies
    • Used discovered vulnerabilities and crafted exploits to transition from initial access to root
    • Leveraged Ansible misconfigurations for privilege escalation

Conclusion

  • Rooted the Inject box through detailed reconnaissance, vulnerability identification, exploitation of the file disclosure flaw, and abuse of the Ansible misconfiguration.
  • Key Takeaway: Importance of thorough enumeration and understanding the underlying technology stack.