Hackthebox - Faculty

Summary

Faculty is a medium Linux machine that features a PHP web application that uses a library which is
vulnerable to local file inclusion. Exploiting the LFI in this library reveals a password which can be used to log
in as a low-privileged user called gbyolo over SSH. The user gbyolo has permission to run an npm package
called meta-git as the developer user. The version of meta-git installed on this box is vulnerable to
code injection, which can be exploited to escalate privileges to the user developer. The privilege
escalation to root can be performed by abusing the CAP_SYS_PTRACE capability to inject shellcode into a
process running as root.

Initial Enumeration

nmap

sudo nmap -sC -sV -oN nmap/faculty faculty.htb
Starting Nmap 7.92 ( https://nmap.org ) at 2022-10-21 22:51 IST
Nmap scan report for faculty.htb (10.10.11.169)
Host is up (0.081s latency).
Not shown: 998 closed tcp ports (reset)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.5 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 3072 e9:41:8c:e5:54:4d:6f:14:98:76:16:e7:29:2d:02:16 (RSA)
| 256 43:75:10:3e:cb:78:e9:52:0e:eb:cf:7f:fd:f6:6d:3d (ECDSA)
|_ 256 c1:1c:af:76:2b:56:e8:b3:b8:8a:e9:69:73:7b:e6:f5 (ED25519)
80/tcp open http nginx 1.18.0 (Ubuntu)
| http-cookie-flags:
| /:
| PHPSESSID:
|_ httponly flag not set
| http-title: School Faculty Scheduling System
|_Requested resource was login.php
|_http-server-header: nginx/1.18.0 (Ubuntu)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 12.50 seconds

Web

Visiting the IP address automatically redirects to faculty.htb.

Let's run gobuster for vhost and directory brute-forcing while we explore the site manually.

While playing with the login page we see a request to /admin/ajax.php, so there may be an admin directory.

Trying some default credentials gets us nothing, but a basic SQL injection gets us into the application: admin'-- -

When we try to generate a PDF we see that the application uses mPDF to generate it.

Checking the download request for the PDF, the payload seems to be base64-encoded HTML.

Checking Exploit-DB we find 50995,

where an annotation element can be used to read a file.

We get a PDF but there is no annotation. Trying a few more payloads, I was unable to get it working.

Then I went back to the original payload and tried to actually decode it, and saw that it was URL-encoded, URL-encoded again, and then base64-encoded.
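The encoding pipeline described above, reconstructed as an added example (not code from the original writeup or from the box): the PDF generator's payload is decoded in the reverse order, and the decoded HTML is checked for mPDF annotation elements, which is the tag the LFI in Exploit-DB 50995 relies on. The sample HTML is constructed here and is not taken from the application.

```python
import base64
import re
from urllib.parse import quote, unquote

# Constructed sample: benign schedule markup of the kind the app hands to mPDF
# (assumption for this example; not captured from faculty.htb).
SAMPLE_HTML = "<h1>Schedule</h1><table><tr><td>Mon</td><td>CS101</td></tr></table>"


def encode_pdf_payload(html: str) -> str:
    """Encode HTML the way the page describes: urlencode, urlencode again, base64."""
    double_encoded = quote(quote(html, safe=""), safe="")
    return base64.b64encode(double_encoded.encode()).decode()


def decode_pdf_payload(payload: str) -> str:
    """Reverse the pipeline: base64-decode, then URL-decode twice."""
    double_encoded = base64.b64decode(payload).decode()
    return unquote(unquote(double_encoded))


def decode_once(payload: str) -> str:
    """Base64-decode and URL-decode only once, to show why a single pass is not enough."""
    return unquote(base64.b64decode(payload).decode())


# mPDF renders <annotation> elements; user-supplied HTML reaching the PDF
# generator should never contain one, so flag it before passing HTML to mPDF.
ANNOTATION_RE = re.compile(r"<\s*annotation\b", re.IGNORECASE)


def contains_annotation(html: str) -> bool:
    """Return True if the decoded HTML contains an mPDF annotation element."""
    return ANNOTATION_RE.search(html) is not None


if __name__ == "__main__":
    payload = encode_pdf_payload(SAMPLE_HTML)
    print("encoded payload:", payload)
    print("single decode :", decode_once(payload))
    print("full decode   :", decode_pdf_payload(payload))
    print("annotation?   :", contains_annotation(decode_pdf_payload(payload)))
```

A single URL-decode leaves the `%3C`-style escapes in place, which is what made the earlier attempts look like they were ignored.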

Trying the same with the annotation we

Trying to get that file

Following admin_class.pdf we find db_connect.pdf

which contains

Trying the password with each user

Privilege Escalation


As soon as we log in we see a "You have mail." notification.

Checking sudo -l, we see we can run /usr/local/bin/meta-git as developer.

Checking for exploits for meta-git, we see it has a command injection [poc].

Author: Shubham Kumar
Link: https://f3v3r.in/htb/machines/retired/faculty/
Copyright Notice: All articles in this blog are licensed under CC BY-NC-SA 4.0 unless stating additionally.