HackTheBox : Sandworm (SSTI)

#$ubh@nk@r
6 min read · Jul 3, 2023


Intro : Hey, this is my new writeup on the HackTheBox machine SANDWORM. It is rated medium difficulty, but I found it a bit hard. It starts with SSTI to get a user shell, then we upgrade to the next user, and lastly we have to exploit Firejail to get root access. So let's start.

Nmap Scan :

As usual we start with a simple Nmap scan. I found ports 22 (ssh), 80 (http) and 443 (ssl/http) running.

I found the hostname 'ssa.htb' and added it to my hosts file.

Then I visited the website, a page for the Secret Spy Agency. I found nothing interesting on this page.

Web Enumeration :

So I started a simple GoBuster scan with the common wordlist.

I found an 'admin' page but no credentials. But I found the 'guide' page interesting. Here is the page.

At the bottom there are a Public Key field and a Signed Text field. It takes a gpg public key and a signed text, checks the signed text against that key, and reports whether the signature verifies.

Exploit with GPG :

So now we have to generate a gpg key from the command line.

I found the Real name field is vulnerable to SSTI (Server Side Template Injection). So for testing I put the {{7*7}} payload in the name field. If it is vulnerable then it will output 49 as the name.

Tip : gpg --gen-key (generate a key)

Real name : {{7*7}}

Email Address : <any_mail>

gpg --list-keys to check all generated keys.

Then we have to export our public key with the following command.

Tip : gpg --armor --export <your_mail> > public_key.asc

Then we have to sign our message, which we will put in the input field as Signed Text.

Tip : echo "Test" > message.txt

Tip : gpg --clear-sign --output signed_message.asc message.txt

This is my Public Key.

This is my Signed Text.

After putting these 2 contents into the proper fields I pressed Verify Signature and found the output below.

I found "49" [unknown]. It is the Jinja2 template engine. So it worked and it is exploitable.

Then I used 'id' in the same way to see which user runs that process. Before that we have to delete the previous keys.

Tip : gpg --delete-secret-keys <your_mail>

Tip : gpg --delete-keys <your_mail>

Shell as Atlas :

Then I generated keys again, but this time the payload is different.

In the name field I put the payload below.

Tip : {{self.__init__.__globals__.__builtins__.__import__('os').popen('id').read() }}

Then you have to follow the previous process to make those 2 files. I am not showing it here. After making them and putting them in the input fields I got the UID of the user 'atlas'.
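Added example (not from the writeup or the box): the Jinja2 mistake behind the 7*7 test and the payload above, beside the fixed version. The gpg output line and the small app functions are constructed; the sandbox check shows why an attribute walk starting at self.__init__ fails in a sandboxed environment.

```python
"""Constructed example: a signature-verification page that renders the
signer's gpg user ID. Only the way the name reaches Jinja2 differs."""
from jinja2 import Environment, BaseLoader
from jinja2.sandbox import ImmutableSandboxedEnvironment
from jinja2.exceptions import SecurityError

# Constructed stand-in for the line gpg --verify prints. The quoted user ID
# is the key's "Real name", which the signer controls, as in the writeup.
GPG_OUTPUT = 'gpg: Good signature from "{{7*7}}" [unknown]'


def signer_name(gpg_output: str) -> str:
    """Extract the quoted user ID from gpg's 'Good signature from' line."""
    start = gpg_output.index('"') + 1
    end = gpg_output.index('"', start)
    return gpg_output[start:end]


def render_vulnerable(gpg_output: str) -> str:
    """Bug: untrusted text is concatenated INTO the template source, so
    Jinja2 evaluates whatever {{ ... }} the signer wrote (7*7 becomes 49)."""
    env = Environment(loader=BaseLoader(), autoescape=True)
    source = "Signature verified for " + signer_name(gpg_output)
    return env.from_string(source).render()


def render_fixed(gpg_output: str) -> str:
    """Fix: the template is a constant and the user ID is passed as data,
    so {{7*7}} is printed literally and never evaluated."""
    env = ImmutableSandboxedEnvironment(loader=BaseLoader(), autoescape=True)
    template = env.from_string("Signature verified for {{ name }}")
    return template.render(name=signer_name(gpg_output))


def sandbox_blocks(template_source: str) -> bool:
    """Second layer: even if user text did reach the template source, the
    sandbox refuses underscore attributes such as self.__init__ and raises
    SecurityError on the next lookup, instead of exposing the interpreter."""
    env = ImmutableSandboxedEnvironment(loader=BaseLoader())
    try:
        env.from_string(template_source).render()
    except SecurityError:
        return True
    return False


if __name__ == "__main__":
    print(render_vulnerable(GPG_OUTPUT))   # the name is evaluated: 49
    print(render_fixed(GPG_OUTPUT))        # the name is shown literally
    print(sandbox_blocks("{{ self.__init__.__globals__ }}"))  # True
```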

Then I changed the 'id' command to a reverse shell command, but it showed an error: "<>" is not supported.

So I encoded it in base64, put it in there, and it worked perfectly.

And again I followed the previous method and verified it.

And suddenly I got a reverse shell in my Netcat listener as the atlas user.

Atlas → Silentobserver :

In the home folder I found a '.config' folder and went into it. I found another folder inside and went down one level at a time.

At last I found config.json, where I found the username and password of the 'silentobserver' user.

Then I used those creds with ssh and got my first user access.

User Flag

Vertical Privilege Escalation :

Then it's time for vertical privesc. I ran 'pspy' and found a '/opt/tipnet' service running. So I went into that folder.

In the /target/debug folder I found the tipnet.d file. When I cat that file I found 2 Rust files with the '.rs' extension.

I found one of them has write access. So I changed the code with some shell code. You will find it here.

Tip : use std::process::Command;
let output = Command::new("bash")
    .arg("-c")
    .arg("<shell_code>")
    .output()
    .expect("failed to execute process");

Then I set my Netcat listener and got a shell again as the atlas user.

In the '.ssh' folder I put my own 'id_rsa.pub' file and renamed it to 'authorized_keys'. Then I used my own id_rsa to log in as the atlas user.

Privilege Escalation :

Here we will start our final privesc to get root. When I ran linpeas.sh I found the following interesting file.

It has the SUID permission. So we can use that for exploitation. I searched Google for a Firejail exploit. I found this here.

I copied it into the atlas shell, named it exploit.py and gave it executable permission.

Then I ran that file.

It says to join a session number in another terminal and then to execute the 'su -' command. So I again opened a shell as the atlas user using ssh and id_rsa, and typed the following commands.

Tip : firejail --join=<number>

Tip : su -

And we get a root shell and the root flag. Bingo!!!! So in this way I pwned the machine. Bye!!

If you like this post, don't forget to follow me for more posts :)

THANKS FOR READING!!

Happy Hacking~

Written by #$ubh@nk@r

CyberSecurity Learner, CTF Player, Noob Bug Hunter https://starlox0.github.io/