Faculty
Summary
Our nmap scan only finds SSH and an nginx webserver on port 80. We discover a login page to an application called "School Faculty Scheduling System," which we can bypass using a basic SQL injection. In the main application, we are able to generate PDFs of a table of data. By looking at the URL where the PDFs are served from and the actual PDF metadata, we learn that they are generated using mPDF. We look at the requests that are sent when we click the PDF download button and see that we control the PDF content through a base64 encoded string. After a lot of digging, we find a local file inclusion (LFI) exploit in mPDF. We are also able to get the website to produce an error page that gives the full path to one of its PHP files. Using the LFI exploit, we get this file and obtain some credentials.
The credentials let us connect to the box via SSH, and sudo -l shows that we can run meta-git as another user. We find an exploit and move laterally to that other user. As the new user, we get the user.txt flag. We run LinPEAS and discover that we can now run GDB and that GDB has the SYS_PTRACE capability, so it can attach to processes running as root. We find a python3 process, attach to it, and make a call to system, giving us a reverse shell as root!
Enumeration
Nmap
First, let's scan for open ports using nmap. We can quickly scan for open ports and store them in a variable: ports=$(nmap -p- --min-rate=1000 -T4 10.10.11.169 | grep '^[0-9]' | cut -d '/' -f 1 | tr '\n' ',' | sed s/,$//). Then, we can scan those specific ports in depth by running nmap's built-in scripts: nmap -p$ports -sC -sV 10.10.11.169.
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.5 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 3072 e9:41:8c:e5:54:4d:6f:14:98:76:16:e7:29:2d:02:16 (RSA)
| 256 43:75:10:3e:cb:78:e9:52:0e:eb:cf:7f:fd:f6:6d:3d (ECDSA)
|_ 256 c1:1c:af:76:2b:56:e8:b3:b8:8a:e9:69:73:7b:e6:f5 (ED25519)
80/tcp open http nginx 1.18.0 (Ubuntu)
|_http-server-header: nginx/1.18.0 (Ubuntu)
|_http-title: Did not follow redirect to http://faculty.htb
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Pretty light nmap scan for this box. Only SSH and an nginx webserver.
Let's add the faculty.htb domain to /etc/hosts: echo "10.10.11.169 faculty.htb" | sudo tee -a /etc/hosts.
Nginx (Port 80)
Navigating to http://faculty.htb redirects to http://faculty.htb/login.php:

We try to brute force the required id number using burpsuite's intruder feature, but after trying a few hundred numbers with no luck we give up.
Let's brute force directories with ffuf -w /usr/share/seclists/Discovery/Web-Content/big.txt -u http://faculty.htb/FUZZ:
Going to the newly discovered http://faculty.htb/admin shows a login page:

Trying a classic SQL injection with a username of admin' -- and password anything works (MySQL Injection info & general list of SQL injection payloads)! We get access to an administrator interface:
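To show why the admin' -- login works and what closes it, here is an added example (not code from the page or from the School Faculty Scheduling System, which is written in PHP): a Python stand-in using an in-memory SQLite table with a constructed admin row. The first login function builds the query by string concatenation, so the quote and comment marker rewrite the WHERE clause; the second passes the values as bound parameters and the same input is simply treated as a (wrong) username.

```python
import sqlite3


def make_db():
    """Constructed in-memory user table standing in for the app's MySQL database."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)"
    )
    # Constructed sample credential; the real app's hashing is irrelevant here.
    conn.execute(
        "INSERT INTO users (username, password) VALUES ('admin', 'correct-horse-battery')"
    )
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    """Query built by concatenation: user input becomes part of the SQL text.

    With username "admin' --" the statement becomes
        SELECT username FROM users WHERE username = 'admin' --' AND password = '...'
    and everything after -- is a comment, so the password check disappears.
    """
    query = (
        "SELECT username FROM users WHERE username = '" + username
        + "' AND password = '" + password + "'"
    )
    row = conn.execute(query).fetchone()
    return row[0] if row else None


def login_safe(conn, username, password):
    """Parameterized query: values travel separately from the SQL text,
    so the quote and comment marker are just characters in a username."""
    row = conn.execute(
        "SELECT username FROM users WHERE username = ? AND password = ?",
        (username, password),
    ).fetchone()
    return row[0] if row else None


def demo():
    """Runs the bypass payload against both versions and a real login against the safe one."""
    conn = make_db()
    return {
        "vulnerable_bypass": login_vulnerable(conn, "admin' --", "anything"),
        "safe_bypass_attempt": login_safe(conn, "admin' --", "anything"),
        "safe_real_login": login_safe(conn, "admin", "correct-horse-battery"),
    }


if __name__ == "__main__":
    print(demo())
```

The fix is the same in PHP: use prepared statements (PDO or mysqli bind_param) rather than interpolating $_POST values into the query string. Note that MySQL requires a space after -- for it to start a comment, which is why the payload on the page has one; SQLite used here does not, but the parameterized version is immune either way.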

Searching for vulnerabilities in this program finds this list on ExploitDB.
Anyway, the "Faculty List" section contains the information we need:

Now that we have emails and, more importantly, some ID numbers, we can try to get into the main page at http://faculty.htb, but going back to the main page just shows us a calendar. Logging out as admin and using an ID number does work, but doesn't seem to get us anywhere:

Interestingly, we can generate a PDF of the table. We get a PDF at http://faculty.htb/mpdf/tmp/OKFEkR81dfJX73wmOhSsyV9r0D.pdf. The mpdf in the URL indicates that this PDF was generated using mPDF.

Going back to the PDF download button and clicking it with the Network tab open in Firefox's developer tools shows that the button makes a POST request to /download.php:

There is a pdf field submitted with the following data:
Pasting it into CyberChef and clicking the magic button three times (base64 decode, url decode, url decode again) produces the following:
This looks like the HTML content from the page. So, we have control over the content sent to mpdf. Let's try to find an exploit.
If we download the produced PDF and run exiftool on it (exiftool OKOPoRnvSh3lM7xqe2iLIW1GJU.pdf), we get mPDF's version number:
Searching for "mpdf 6.0 exploit" finds Insecure PHP deserialization through phar:// wrapper which seems a little promising, CVE-2018-19047 (GitHub issue) that probably won't help, and phar:// deserialization and weak randomness of temporary file name may lead to RCE. The first and last seem like they might work if we knew if and where unserialize was called on our data.
Finding the exploit was kind of difficult in this case. Looking at the changelog for mpdf for version 6.1.0 doesn't seem interesting, but in version 7.0.0 this line is interesting: Security: Embedded files via <annotation> custom tag must be explicitly allowed via allowAnnotationFiles configuration key. Searching for "mpdf embedded files annotation tag" finds Make annotation tags disabled by default (mpdf annotation tag documentation).
Additionally, searching for "mpdf" exploit on Google reveals this article on the second page: Local file inclusion at IKEA.com.
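Since the server accepts arbitrary HTML for mPDF through the base64/URL-encoded pdf parameter, a defender reviewing this endpoint wants to decode that parameter and flag the <annotation> tags that mPDF 7 later gated behind allowAnnotationFiles. The following is an added example, not code from the page or from mPDF: it reverses the three CyberChef steps (base64, then URL decode twice), then scans the HTML for annotation tags and reports any file attribute they carry. The attribute name file follows the mPDF annotation documentation linked above; the sample request bodies, and the path used in the suspicious one (the admin_class.php path this box disclosed in an error page), are constructed for the example. It assumes plain percent-encoding; if the form sends spaces as +, swap unquote for unquote_plus.

```python
import base64
import re
import urllib.parse


def decode_pdf_param(value):
    """Reverse the download button's encoding: base64, then two URL-decode passes."""
    raw = base64.b64decode(value).decode("utf-8", errors="replace")
    return urllib.parse.unquote(urllib.parse.unquote(raw))


def encode_pdf_param(html):
    """Inverse of decode_pdf_param (URL-encode twice, then base64) for round-trip checks."""
    once = urllib.parse.quote(html, safe="")
    twice = urllib.parse.quote(once, safe="")
    return base64.b64encode(twice.encode("utf-8")).decode("ascii")


# Any <annotation ...> tag in user-supplied HTML is worth flagging; mPDF 7
# disables them unless allowAnnotationFiles is set, but 6.x honours them.
ANNOTATION_RE = re.compile(r"<annotation\b[^>]*>", re.IGNORECASE)
# The attribute that names a server-side file to embed (assumed from the mPDF docs).
FILE_ATTR_RE = re.compile(r"""\bfile\s*=\s*["']([^"']+)["']""", re.IGNORECASE)


def find_embedded_files(html):
    """Return the file= target of every annotation tag that has one."""
    hits = []
    for tag in ANNOTATION_RE.findall(html):
        match = FILE_ATTR_RE.search(tag)
        if match:
            hits.append(match.group(1))
    return hits


def inspect_request(pdf_param):
    """Decode one pdf parameter value and summarise what an analyst should see."""
    html = decode_pdf_param(pdf_param)
    files = find_embedded_files(html)
    return {
        "annotation_tags": len(ANNOTATION_RE.findall(html)),
        "embedded_files": files,
        "suspicious": bool(files),
    }


# Constructed sample bodies: the normal table export, and one carrying an
# annotation tag that points at a file path disclosed by the application.
BENIGN_HTML = "<table><tr><td>Faculty</td></tr></table>"
SUSPICIOUS_HTML = (
    "<table><tr><td>Faculty</td></tr></table>"
    '<annotation file="/var/www/scheduling/admin/admin_class.php" title="note" />'
)

if __name__ == "__main__":
    for label, body in (("benign", BENIGN_HTML), ("suspicious", SUSPICIOUS_HTML)):
        print(label, inspect_request(encode_pdf_param(body)))
```

Run over captured POST bodies to /download.php, this separates ordinary table exports from requests that try to embed server files. The real fix is on the server side: the download endpoint should render the table from its own data rather than accept client-supplied HTML, and mPDF should be upgraded past 7.0.0 with allowAnnotationFiles left at its default.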
Foothold
The proof-of-concept exploit is as follows:
Let's use burp to send this as the PDF to be generated instead of the table. First, we need to encode this in the reverse order that CyberChef decoded the PDF originally. So, with CyberChef we URL encode twice and then base64 encode:
We can intercept and send the request using burp to get a PDF url/file: 
Then, all we have to do is open up the sidebar in Firefox's pdf.js viewer and look at the attached files. Or you can mouse over the small dot in the top right and click the file name:

Looks like we have two users: gbyolo and developer.
Let's try to get their private SSH keys since that is the only other port open. We modify the payload accordingly:
Encode with CyberChef:
However, sending this in burp produces an error: mPDF Error: Cannot access file attachment - /home/developer/.ssh/id_rsa. So, that file doesn't exist. /home/gbyolo/.ssh/id_rsa also doesn't exist.
Looking back at the application, we see that we can view users' schedules:

Clicking one produces a request in burp with faculty_id=2. I messed around with different values and found that sending a non-integer like faculty_id=not_an_int produces an error message:

As you can see, we are given the absolute path of a file that is part of the website: /var/www/scheduling/admin/admin_class.php. Let's read that with the LFI exploit we discovered with mpdf:
Encode with CyberChef:
Using the same method as before, this gives us admin_class.php. Right at the top there is a mention of a db_connect.php file. Let's get that via LFI too:
This gives us the password Co.met06aci.dly53ro.per. Attempting to log in via SSH as developer with this password doesn't work, but trying it with the gbyolo user does work!
There is no user.txt, so it looks like we need to pivot to the developer user.
Lateral Movement
We switch to pwncat instead of ssh so we can easily upload LinPEAS by running upload linpeas.sh in the local shell. Run LinPEAS with ./linpeas.sh -a 2>&1 | tee linpeas_report_gbyolo.txt. Download the report with download linpeas_report_gbyolo.txt in the local terminal. You can open linpeas_report_gbyolo.txt with less -R linpeas_report_gbyolo.txt.
This doesn't find too many interesting things. But, since we have the password for this user, we can check sudo -l:
We can run /usr/local/bin/meta-git as the developer user.
Running ls -la /usr/local/bin/meta-git shows that /usr/local/bin/meta-git is a symbolic link to ../lib/node_modules/meta-git/bin/meta-git, which is an NPM package, so we can look it up on npmjs.com.
After manually trying to find an exploit for a while, I instead simply Googled "meta-git exploit" and immediately found what I was looking for: HackerOne report.
We can use the following syntax to get command execution: /usr/local/bin/meta-git clone 'sss||bash'. Make sure to execute it with sudo -u developer so it runs as the developer user: sudo -u developer /usr/local/bin/meta-git clone 'sss||bash'.
We get the following output:
The issue is that we are still in /home/gbyolo, which developer cannot access, so we cd to /tmp, run it again, and it works!
We can now cat ~/user.txt to get the user.txt flag and run cat ~/.ssh/id_rsa to get the SSH private key and log in directly as developer.
Privilege Escalation
We can run LinPEAS again with ./linpeas.sh -a 2>&1 | tee linpeas_report_developer.txt to see if there is anything new: linpeas_report_developer.txt
We notice this file in the home directory: /home/developer/sendmail.sh:
We also notice this interesting output from LinPEAS:
And this:
Basically, since we are in the debug group, we have access to execute gdb, a debugging program. On this machine, gdb has the SYS_PTRACE capability, which means we can use it to "trace arbitrary processes using ptrace" (source). HackTricks has some additional information. Under the "Example with environment (Docker breakout) - Gdb Abuse" heading they discuss roughly what we are about to do.
We're going to use gdb to debug a process running as root and then make that process call the system function.
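The finding that makes this step possible is a file capability, and it is easy to triage from the LinPEAS output or from getcap -r / on any host. The following is an added example, not code from the page, LinPEAS or HackTricks: it parses getcap-style lines in both the older path = caps+ep and the newer path caps=ep formats, decodes a CapEff hex mask as found in /proc/PID/status, and reports binaries whose capabilities let a caller read or control other processes. The sample getcap lines are constructed for the example (the page says only that gdb carries SYS_PTRACE, not where it lives); the capability bit numbers are the standard ones from linux/capability.h.

```python
import re

# Capability bit numbers from <linux/capability.h> (subset sufficient for triage).
CAP_NAMES = {
    0: "cap_chown", 1: "cap_dac_override", 2: "cap_dac_read_search",
    3: "cap_fowner", 4: "cap_fsetid", 5: "cap_kill", 6: "cap_setgid",
    7: "cap_setuid", 8: "cap_setpcap", 10: "cap_net_bind_service",
    12: "cap_net_admin", 13: "cap_net_raw", 16: "cap_sys_module",
    17: "cap_sys_rawio", 18: "cap_sys_chroot", 19: "cap_sys_ptrace",
    21: "cap_sys_admin", 31: "cap_setfcap",
}

# Capabilities that on their own let the holder read or control other
# processes, files or the kernel; any binary carrying one deserves a look.
DANGEROUS = {
    "cap_sys_ptrace", "cap_sys_admin", "cap_dac_override", "cap_dac_read_search",
    "cap_setuid", "cap_setgid", "cap_sys_module", "cap_sys_rawio",
    "cap_setfcap", "cap_chown", "cap_fowner",
}

CAP_TOKEN_RE = re.compile(r"cap_[a-z_]+")


def decode_cap_mask(hex_mask):
    """Turn a CapEff/CapPrm hex string from /proc/PID/status into capability names."""
    mask = int(hex_mask, 16)
    names = []
    bit = 0
    while mask >> bit:
        if mask & (1 << bit):
            names.append(CAP_NAMES.get(bit, f"cap_{bit}"))
        bit += 1
    return names


def parse_getcap_line(line):
    """Parse one getcap output line; returns (path, set_of_capability_names) or None."""
    tokens = line.strip().split()
    if len(tokens) < 2:
        return None
    path = tokens[0]
    # libcap < 2.41 prints "path = caps+ep"; newer prints "path caps=ep".
    caps_field = tokens[2] if tokens[1] == "=" and len(tokens) > 2 else tokens[1]
    return path, set(CAP_TOKEN_RE.findall(caps_field))


def triage(getcap_lines):
    """Return [(path, sorted dangerous caps)] for binaries worth investigating."""
    findings = []
    for line in getcap_lines:
        parsed = parse_getcap_line(line)
        if parsed is None:
            continue
        path, caps = parsed
        risky = sorted(caps & DANGEROUS)
        if risky:
            findings.append((path, risky))
    return findings


# Constructed sample of getcap -r / output mixing both line formats.
SAMPLE_GETCAP = """/usr/bin/ping = cap_net_raw+ep
/usr/bin/gdb = cap_sys_ptrace+ep
/usr/bin/mtr-packet cap_net_raw=ep"""

if __name__ == "__main__":
    print(triage(SAMPLE_GETCAP.splitlines()))
    print(decode_cap_mask("0000000000080000"))
```

On a real host, feed it getcap -r / 2>/dev/null, and compare against the CapEff line of a running process to see whether a debugger launched by a member of the debug group would be allowed to attach to it. The remediation is to drop the file capability from the debugger (setcap -r on the binary) and to keep the group that can run it limited to accounts that actually need to debug root-owned processes.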
Example payload from HackTricks:
Let's look for a process with ps aux | grep ^root. Eventually we find python3 running as root:
So, we start a listener with pwncat-cs -lp 58619 and run the following commands:
Those commands output this:
This should spawn a reverse shell as the root user. Run cat /root/root.txt to get the root.txt flag.