HTB | Editorial

This is a Linux box. You can find it here.

Skills Learned

  • SSRF

  • git

  • CVE-2022-24439

NMAP

IP: 10.10.11.11

nmap -sT -p- --min-rate 10000 10.10.11.20
nmap -sC -sV -p 22,80 10.10.11.20

[screenshot: nmap output]

Port 80

Let's visit port 80.

[screenshot: the site on port 80]

On /upload we can upload an image.

[screenshot: /upload]

On intercepting the request via Burp we found:

[screenshot: Burp intercept for /upload]

On clicking the preview option we get a POST request to /upload-cover.

[screenshot: Burp intercept for /upload-cover]

Foothold/shell

There may be SSRF here, since the server fetches the URL we supply.

I try to check whether SSRF is possible or not.

[screenshot: checking for SSRF]

Looks like SSRF is indeed possible.

Now let’s enter the local IP (127.0.0.1) in the input and see what happens.

I still got the same file in response

Let's check if the output is different for a port or not

I am using ffuf for fuzzing ports

ffuf -u http://editorial.htb/upload-cover -X POST -request req.txt -w ports.txt -fs 61

We found port 5000: its response size is 51 instead of 61.
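The port sweep above is noisy from the server's side: one client asks the cover-fetch endpoint to retrieve dozens of loopback URLs that differ only in port, and the one "hit" is the request whose response size differs from all the others. The following detector is an added example, not code from the box or the writeup; it assumes a constructed application log format (client, fetched URL, response size per /upload-cover request) and flags both the scanning client and the internal target that answered differently.

```python
import re
from collections import Counter, defaultdict
from ipaddress import ip_address
from urllib.parse import urlparse

# Constructed sample application log (not taken from the box). It assumes the
# web app logs the client IP and the URL it was asked to fetch for each
# /upload-cover request, plus the size of the body it returned.
SAMPLE_LOG = """\
10.10.14.5 POST /upload-cover url=http://127.0.0.1:21/ status=200 bytes=61
10.10.14.5 POST /upload-cover url=http://127.0.0.1:22/ status=200 bytes=61
10.10.14.5 POST /upload-cover url=http://127.0.0.1:80/ status=200 bytes=61
10.10.14.5 POST /upload-cover url=http://127.0.0.1:5000/ status=200 bytes=51
10.10.14.5 POST /upload-cover url=http://127.0.0.1:8080/ status=200 bytes=61
10.10.14.9 POST /upload-cover url=https://images.example.invalid/cover.jpg status=200 bytes=61
"""

LINE_RE = re.compile(
    r"^(?P<client>\S+) POST /upload-cover url=(?P<url>\S+) "
    r"status=(?P<status>\d+) bytes=(?P<bytes>\d+)$"
)


def parse_log(text):
    """Turn the constructed log format into a list of event dicts."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # unrelated log line, ignore
        ev = m.groupdict()
        ev["bytes"] = int(ev["bytes"])
        parsed = urlparse(ev["url"])
        ev["host"] = parsed.hostname or ""
        ev["port"] = parsed.port or (443 if parsed.scheme == "https" else 80)
        events.append(ev)
    return events


def is_internal_host(host):
    """True for loopback/private IP literals and for the name 'localhost'."""
    if host == "localhost" or host.endswith(".localhost"):
        return True
    try:
        addr = ip_address(host)
    except ValueError:
        return False  # a hostname; resolving it is out of scope for log review
    return addr.is_loopback or addr.is_private or addr.is_link_local


def find_port_scanners(events, threshold=3):
    """Clients that made the app fetch >= threshold distinct internal ports."""
    ports_by_client = defaultdict(set)
    for ev in events:
        if is_internal_host(ev["host"]):
            ports_by_client[ev["client"]].add(ev["port"])
    return {c: sorted(p) for c, p in ports_by_client.items() if len(p) >= threshold}


def odd_responses(events):
    """Internal-target fetches whose response size differs from the common one.

    The attacker used exactly this difference (61 vs 51 bytes, hence ffuf's
    -fs 61) to spot port 5000; the same signal tells the defender which
    internal service was actually reached.
    """
    internal = [ev for ev in events if is_internal_host(ev["host"])]
    if not internal:
        return []
    common = Counter(ev["bytes"] for ev in internal).most_common(1)[0][0]
    return [ev["url"] for ev in internal if ev["bytes"] != common]


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("port-scanning clients:", find_port_scanners(evs))
    print("internal fetches with unusual response size:", odd_responses(evs))
```

Run against real logs, the threshold should be tuned to the application: a legitimate cover-fetch never targets loopback at all, so even a threshold of 1 is defensible, and the distinct-port count is what separates a single misconfigured client from a sweep.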

We found a different file.

Let's try to download it.

Put http://127.0.0.1:5000 in the book information field.

On opening the image in a new tab, it downloads the file.

It looks like an API response.
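The root cause is that the cover-fetch endpoint will retrieve any URL a user supplies, including loopback and private addresses. The validator below is an added example, not the application's code; it assumes the fetch is restricted to http/https on standard ports and that a DNS resolver can be injected (so the check runs offline in the demo). It rejects IP literals and hostnames that resolve to loopback, private, link-local or otherwise non-global ranges, including IPv4-mapped IPv6 forms.

```python
import ipaddress
import socket
from urllib.parse import urlparse

ALLOWED_SCHEMES = {"http", "https"}


def default_resolver(host):
    """Real DNS lookup: every address the name currently maps to."""
    return {info[4][0] for info in socket.getaddrinfo(host, None)}


def is_internal_address(addr_str):
    """True for any address a cover fetch must never reach."""
    addr = ipaddress.ip_address(addr_str)
    # ::ffff:127.0.0.1 is loopback in disguise; unwrap IPv4-mapped addresses.
    if addr.version == 6 and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    return (addr.is_loopback or addr.is_private or addr.is_link_local
            or addr.is_reserved or addr.is_multicast or addr.is_unspecified)


def check_fetch_target(url, resolver=default_resolver):
    """Return (ok, reason) for a user-supplied URL before fetching it."""
    parsed = urlparse(url)
    if parsed.scheme not in ALLOWED_SCHEMES:
        return False, f"scheme {parsed.scheme!r} not allowed"
    host = parsed.hostname
    if not host:
        return False, "no host in URL"
    try:
        port = parsed.port
    except ValueError:
        return False, "invalid port"
    if port not in (None, 80, 443):
        return False, f"non-standard port {port}"
    if host == "localhost" or host.endswith(".localhost"):
        return False, "loopback hostname"
    try:
        addrs = {str(ipaddress.ip_address(host))}  # IP literal, no DNS needed
    except ValueError:
        try:
            addrs = resolver(host)
        except OSError:
            return False, "unresolvable host"
    for a in addrs:
        if is_internal_address(a):
            return False, f"{host} resolves to internal address {a}"
    return True, "ok"


if __name__ == "__main__":
    # Constructed resolver for the demo: editorial.htb maps to the box's address.
    fake_dns = {"editorial.htb": {"10.10.11.20"},
                "images.example.invalid": {"93.184.216.34"}}
    resolver = lambda h: fake_dns[h]
    for u in ("http://127.0.0.1:5000", "http://[::ffff:127.0.0.1]/",
              "http://editorial.htb/", "https://images.example.invalid/cover.jpg",
              "file:///etc/passwd"):
        print(u, "->", check_fetch_target(u, resolver))
```

Two caveats the check alone does not cover: the fetch must connect to the address that was validated (otherwise a name that re-resolves between check and connect, or a redirect to an internal address, bypasses it), and the HTTP client must not follow redirects automatically. The cleanest fix for the box's case is stricter still: the endpoint only needs images, so it can also reject anything whose response is not an image.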

We have to try every API endpoint.

/api/latest/metadata/messages/authors returns a file which contains a username and password.

[screenshot: /api/latest/metadata/messages/authors response with the dev credentials]

Let's try to SSH in using these credentials.

We are in, and we found user.txt.

[screenshot: user.txt]

Priv Esc

Let's copy LinEnum.sh to the box.

[screenshot: LinEnum.sh output]

Nothing interesting was there.

In /home/dev/apps there was a .git directory, so I ran git log.

[screenshot: git log in /home/dev/apps]

Commit b73481bb823d2dfb49c44f4c1e6a7e11912ed8ae has the message "change(api): downgrading prod to dev". Let's take a look.

git show b73481bb823d2dfb49c44f4c1e6a7e11912ed8ae

And now we have the prod credentials.
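The lesson of the "downgrading prod to dev" commit is that removing a secret from the working tree does nothing to the history: the old value sits in the earlier commit for anyone who can read the repository. The scanner below is an added example, not a tool from the writeup; it parses `git log -p` output and reports credential-looking assignments on both the removed and the added side of every hunk, masking the values so the report itself does not become a second leak. The commit hash, file path and values in the sample history are constructed placeholders.

```python
import re
import subprocess

# Constructed `git log -p` output standing in for real history. The commit
# hash, file path and secret values are placeholders, not from the box.
SAMPLE_HISTORY = """\
commit 0000000000000000000000000000000000000001
Author: Example Dev <dev@example.invalid>
Date:   Mon Jan 1 00:00:00 2024 +0000

    change(api): downgrading prod to dev

diff --git a/example/app.py b/example/app.py
--- a/example/app.py
+++ b/example/app.py
@@ -60,7 +60,7 @@ def creds():
     return {
-        'password': 'PLACEHOLDER_PROD_PASSWORD',
+        'password': 'PLACEHOLDER_DEV_PASSWORD',
         'note': 'ask ops before changing this'
     }
"""

COMMIT_RE = re.compile(r"^commit ([0-9a-f]{40})")
FILE_RE = re.compile(r"^\+\+\+ b/(.+)")
# key[:=]value with optional quotes; deliberately broad, tune per code base.
SECRET_RE = re.compile(
    r"(?i)\b(password|passwd|pwd|secret|token|api[_-]?key)\b"
    r"\s*['\"]?\s*[:=]\s*['\"]?([^'\"\s,]+)"
)


def mask(value):
    """Keep two characters so findings can be told apart, hide the rest."""
    return value[:2] + "*" * (len(value) - 2) if len(value) > 2 else "**"


def scan_history(diff_text):
    """Return credential-looking assignments on both sides of every hunk.

    Removed lines matter as much as added ones: a secret deleted in a later
    commit is still fully recoverable from the commit that introduced it.
    """
    findings = []
    commit = file = None
    for line in diff_text.splitlines():
        if m := COMMIT_RE.match(line):
            commit, file = m.group(1), None
            continue
        if m := FILE_RE.match(line):
            file = m.group(1)
            continue
        # Only diff body lines; skip context, headers and the ---/+++ markers.
        if not line or line[0] not in "+-" or line.startswith(("+++", "---")):
            continue
        m = SECRET_RE.search(line[1:])
        if m:
            findings.append({
                "commit": commit[:12] if commit else None,
                "file": file,
                "side": "added" if line[0] == "+" else "removed",
                "key": m.group(1).lower(),
                "value": mask(m.group(2)),
            })
    return findings


def scan_repo(path):
    """Run the scanner over a real repository's full history, all refs."""
    out = subprocess.run(
        ["git", "-C", path, "log", "-p", "--all", "--no-color"],
        check=True, capture_output=True, text=True,
    ).stdout
    return scan_history(out)


if __name__ == "__main__":
    for f in scan_history(SAMPLE_HISTORY):
        print(f)
```

Once a secret has been committed, the only remediation is to rotate it; rewriting history is a clean-up step, not a fix, because every clone made before the rewrite still carries the old commit.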

Now I can su to prod.

[screenshot: su prod and sudo -l]

sudo -l tells us that prod can run a script as root. Let's look at clone_prod_change.py.

[screenshot: cat clone_prod_change.py]

Since we don't have write access to it, we have to find another way.

Let's copy linux-exploit-suggester.sh over and run it. None of the suggested exploits worked for me.

Let's check the installed pip3 packages with pip3 list.

We found GitPython 3.1.29.

We found CVE-2022-24439 for GitPython 3.1.29.

sudo /usr/bin/python3 /opt/internal_apps/clone_changes/clone_prod_change.py 'ext::sh -c cat% /root/root.txt% >% /tmp/root'

This command copied root.txt to /tmp/root.

cat /tmp/root

And we have root.txt.

[screenshot: root.txt]
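What makes the sudo rule exploitable is that the script passes a caller-controlled string straight into a git clone, and git accepts `helper::address` URLs, where `ext::` runs an arbitrary command as the transport. The check below is an added example, not the box's clone_prod_change.py; it assumes the script only ever needs to clone over https from an allowlisted host, and it refuses remote-helper syntax, option-like arguments and embedded credentials before anything reaches GitPython.

```python
from urllib.parse import urlparse

# Assumed allowlist of hosts the sync script is meant to clone from.
ALLOWED_HOSTS = {"github.com"}


def check_clone_url(url):
    """Return (ok, reason) for a URL about to be handed to git clone."""
    if not url or url.lstrip().startswith("-"):
        return False, "looks like a git option, not a URL"
    # git treats '<helper>::<address>' as a remote-helper URL: when the first
    # ':' in the string is immediately followed by another ':', the text
    # before it names a helper program (ext, fd, ...). ext:: runs a command.
    first_colon = url.find(":")
    if first_colon != -1 and url[first_colon:first_colon + 2] == "::":
        return False, f"remote helper {url[:first_colon]!r}:: not allowed"
    parsed = urlparse(url)
    if parsed.scheme != "https":
        return False, "only https:// remotes are allowed"
    if parsed.hostname not in ALLOWED_HOSTS:
        return False, f"host {parsed.hostname!r} not in allowlist"
    if parsed.username or parsed.password:
        return False, "credentials embedded in URL are not allowed"
    return True, "ok"


def safe_clone(url, dest, clone_fn=None):
    """Validate, then clone. clone_fn is injectable so the check is testable
    without GitPython installed; by default it uses Repo.clone_from."""
    ok, reason = check_clone_url(url)
    if not ok:
        raise ValueError(f"refusing to clone {url!r}: {reason}")
    if clone_fn is None:
        from git import Repo  # GitPython, imported lazily
        clone_fn = Repo.clone_from
    return clone_fn(url, dest)


if __name__ == "__main__":
    for u in ("ext::sh -c true", "fd::17", "--upload-pack=x",
              "git@github.com:org/repo.git", "https://evil.example/x.git",
              "https://github.com/example/repo.git"):
        print(u, "->", check_clone_url(u))
```

Two further layers are worth having even with the allowlist in place: upgrading GitPython, since 3.1.30 and later refuse `ext::` URLs unless the caller explicitly opts in, and setting `protocol.ext.allow` to `never` in the git configuration of the account the script runs as, so that the helper is disabled at the git level regardless of how the URL arrives. Neither replaces the validation: a sudo rule that runs a script as root with a free-form argument still deserves an allowlist of its own.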
