Write-Ups
  • Intro
  • Active Directory
    • HTB | Forest
    • HTB | Sauna
    • HTB | Active
    • HTB | Blackfield
    • HTB | Resolute
    • HTB | Cascade
    • HTB | Cicada
    • HTB | Administrator
    • HTB | Authority
    • HTB | Office
  • Windows
    • HTB | Devel
    • HTB | Chatterbox
    • HTB | SecNotes
    • HTB | Access
    • HTB | Jeeves
    • HTB | Artic
    • HTB | Bastard
    • HTB | Bastion
    • HTB | Querier
  • Linux
    • HTB | BoardLight
    • THM | CMess
    • THM | ConvertMyVideo
    • HTB | Editorial
    • HTB | Mirai
    • HTB | Nibbles
    • HTB | Help
    • HTB | SwagShop
    • HTB | Jarvis
    • HTB | Sea
    • HTB | Chemistry
Powered by GitBook
On this page
  • NMAP
  • Port 80
  • Foothold/shell
  • Priv Esc
  1. Linux

HTB | Editorial

PreviousTHM | ConvertMyVideoNextHTB | Mirai

Last updated 6 months ago

This is a Linux box. You can find it here.

Skill Learned

  • SSRF

  • git

  • CVE-2022-24439

NMAP

IP:10.10.11.11

nmap -sT -p- --min-rate 10000 10.10.11.20
nmap -sC -sV -p 22,80 10.10.11.20

Port 80

let's visit port 80

on /upload we can upload the image

on intercepting the request via burp we found

on clicking on the preview option we get a POST request for /upload-cover

Foothold/shell

There may be SSRF

I try to check if SSRF is possible or not

Looks like SSRF is indeed possible

Now let’s enter the local IP (127.0.0.1) in the input and see what happens.

I still got the same file in response

Let's check if the output is different for a port or not

I am using ffuf for fuzzing ports

ffuf -u http://editorial.htb/upload-cover -X POST -request req.txt -w ports.txt -fs 61

we found port 5000 response size is 51

we found a different file

let's try to download the file

put http://127.0.0.1:5000 in book information

on loading the image on the new tab it downloads the file

looks like some API response

we have to hit every API.

/api/latest/metadata/messages/authors give a file which contains the username and password

Let's try to ssh using this cred

and we are in and found user.txt

Priv Esc

Let's copy LinEnum.sh to the box

nothing interesting was there

in /home/dev/apps there was .git file so I did git log

on commit b73481bb823d2dfb49c44f4c1e6a7e11912ed8ae we can see change(api): downgrading prod to dev let's take a look

and now we have prod cred

now I can su prod

sudo -l tell us that prod has some root access. Let's look at the clone_prod_chang.py

since we don't have write access we have to find another way

Let's copy linux-exploit-suggester.sh and run it. All the exploits that were suggested are not working for me

let's check the pip3 installed versions pip3 list

we found GitPython 3.1.29

we found CVE-2022-24439 for GitPython 3.1.29

sudo /usr/bin/python3 /opt/internal_apps/clone_changes/clone_prod_change.py 'ext::sh -c cat% /root/root.txt% >% /tmp/root'

this cmd copied the output in /tmp/root

cat /tmp/root

and we have the root.txt

nmap
port 80
/upload
burp intercept for /upload
/upload-cover burp intercept
checking for ssrf
ffuf -u http://editorial.htb/upload-cover -X POST -request req.txt -w ports.txt -fs 61
/api/latest/metadata/messages/authors
dev cred
user.txt
LinEnum.sh
.git file
git show b73481bb823d2dfb49c44f4c1e6a7e11912ed8ae
su prod and sudo -l
cat clone_prod_chang.py
root.txt