🔎🦶Enumeration/Foothold

Bolt is a difficult Medium box on HTB created by d4rkpayl0ad. It features a downloadable administration template which leaks an admin password. Once logged in you find hints about the presence of sub-domains. On the new site you use an server-side template injection (SSTI) to gain access to the box. Finally with a lot of enumeration you find and decrypt a PGP key and associated message to gain root.

Before I begin each machine I kick off a full port rustscan:

Copy

Once it completes I use the ports found to do a full NMAP scan. Once this scan finishes I begin a full port NMAP scan and gobuster vhost/dns scans.

Copy

Reviewing the results I can see Ports 22/80/443 open. Navigating over to the website I see ‘Administration using Admin LTE’ running in .html.

Administration using Admin LTE page on Bolt.

Administration using Admin LTE page on Bolt.

I try the contact forms, note the names available under the ‘Meet the Team’ section and view the source code. Next I go through the other pages and see a Download page available. I download the app and proceed to unzip each .tar file individually (instead of just building the docker environment which would have probably been easier).

Finding the download page for Bolt.

Finding the download page for Bolt.

Going through all the files I finally find something:

Copy
Copy

To verify I am seeing a clean data-set via the console I open db.sqlite3 in DB Browser:

Viewing the hash for the admin@bolt.htb.

Viewing the hash for the [email protected].

I grab the hash and crack it with john:

Copy

Using the password cracked from john, I log into the Dashboard and note the majority of the UI is not live. On the chat I see the following:

Chat showing presence of subdomains.

Chat showing presence of subdomains.

Reviewing some enumeration I had running in the background (IPPSEC #1 Rule) I can see my gobuster VHOST scan picked up two subdomains that fit the conversation:

Copy

First I tried the credentials on the mail subdomain with no success. I went over to demo and saw I could register this time but I needed an invite code:

Requirement for an Invite Code on the Demo site.

Requirement for an Invite Code on the Demo site.

Remembering during my intial enumeration of the Download and seeing a base directory with python files I went back to review:

Copy

I registered and logged into the environment:

Putting in the invite code for the Demo.

Putting in the invite code for the Demo.

After navigating around the Admin Dashboard I remembered the second part of the original clue talking about ‘mail’. I logged in with my Dashboard creds on the mail environment. After logging into the mail environment (and unsuccessfully finding an exploit for RoundCube 1.4.6) I went back to the Dashboard and noticed it was called AdminLTE Flask. I was able to confirm on AppSeed.us that it was indeed built with Flask.

Noting the word 'Flask' in the footer.

Noting the word ‘Flask’ in the footer.

This means its possible that the website is vulnerable to a SSTI (Server Side Template Injection). After going around the Dashboard I finally found in the Settings area you could change your Name, Experience and Skills and an email would be sent to confirm.

Noting the email verification element for the SSTI.

Noting the email verification element for the SSTI.

Using this alongside PayloadsAllTheThings – SSTI I tested to see if SSTI was present.

Verifying SSTI is available for confirmation of profile changes.

Verifying SSTI is available for confirmation of profile changes.

After inputting the payload I confirmed the change via email and the second email confirmed SSTI was present. I then tested SSTI Exploit – OS POPEN Read which came back as successful showing the www/data user. I altered the exploit with a reverse shell embeeded (the syntax was very temperamental):

Copy

⚠ Attack Machine

Copy
Multiple attempts to succeed at the SSTI. Try Harder.

Multiple attempts to succeed at the SSTI. Try Harder.

Once on the box, I created a working directory in /tmp/ and pulled LinPEAS to the box for enumeration. I created a second session to poke around well LinPEAS ran.

⚠ Attack Machine

Copy

🎯Victim Machine

Copy

I see a bunch of information regarding passbolt.php and a short search later I can see a database is available and running on the current box:

I use the found credentials to connect to the database locally:

Copy

Expecting to find a password in the users table I pulled users first:

Copy

No passwords but the same users found in the home directories. In the secrets table I found a PGP key:

🔝Escalation

I checked other tables and did some initial enumeration alongside LinPEAS. Finally I tried the database password I got earlier with both users (password reuse):

Copy

🏴User

Nice, a user flag! I check his home directory and see a .ssh directory but no authorized_keys file. I generate a key and add it to authorized_keys on the box. To see how to do this, refer to Backdoor as I wrote about it two days ago.

Now on the box with a stable session, I run LinPEAS again as eddie looking for my next foothold. First thing which LinPEAS found at the same time as me was mail:

Reviewing the mail I can see the following:

Copy

This definitely explains why LinPEAS is mentioning Google Chrome/extensions so much. A further dig showed log files dealing with the extensions in question:

This file had a lot to go through but I found a PGP key and decoded it with CyberChef. I then converted it to a hash format so I could crack it with john.

Copy

Once converted I kicked off john:

Copy

So after two crashes and 40minutes or so I finally got the password of merrychristmas. Next I imported the key:

Copy

The password included was for the root user. I used my current session to traverse to root and grab the flag:

Copy

Rooted

Published On: February 19th, 2022 / Categories: HTB, Technology / Tags: , , , , , , , /

Leave A Comment