🔎🦶Enumeration/Foothold
Bolt is a difficult Medium box on HTB created by d4rkpayl0ad. It features a downloadable administration template which leaks an admin password hash. Once logged in you find hints about the presence of sub-domains. On the new site you use a server-side template injection (SSTI) to gain a shell on the box. Finally, with a lot of enumeration, you find and decrypt a PGP key and an associated message to gain root.
Before I begin each machine I kick off a full port rustscan:
Once it completes I use the ports found to do a targeted NMAP scan. Once this scan finishes I begin a full port NMAP scan and gobuster vhost/dns scans.
Reviewing the results I can see ports 22/80/443 open. Navigating over to the website I see 'Administration using Admin LTE' served as .html.
Administration using Admin LTE page on Bolt.
I try the contact forms, note the names available under the 'Meet the Team' section and view the source code. Next I go through the other pages and see a Download page available. I download the app and proceed to unzip each .tar file individually (instead of just building the docker environment, which would probably have been easier).
Finding the download page for Bolt.
Going through all the files I finally find something:
To verify I am seeing a clean data set via the console I open db.sqlite3 in DB Browser:
Viewing the hash for the [email protected].
I grab the hash and crack it with john:
Using the password cracked by john, I log into the Dashboard and note that the majority of the UI is not live. On the chat I see the following:
Chat showing presence of subdomains.
Reviewing some enumeration I had running in the background (IppSec's #1 rule) I can see my gobuster vhost scan picked up two subdomains that fit the conversation:
First I tried the credentials on the mail subdomain with no success. I went over to demo and saw I could register this time, but I needed an invite code:
Requirement for an Invite Code on the Demo site.
Remembering that during my initial enumeration of the download I had seen a base directory with Python files, I went back to review:
I registered and logged into the environment:
Putting in the invite code for the Demo.
After navigating around the Admin Dashboard I remembered the second part of the original clue talking about 'mail'. I logged in with my Dashboard creds on the mail environment. After logging into the mail environment (and unsuccessfully looking for an exploit for RoundCube 1.4.6) I went back to the Dashboard and noticed it was called AdminLTE Flask. I was able to confirm on AppSeed.us that it was indeed built with Flask.
Noting the word ‘Flask’ in the footer.
This means it's possible that the website is vulnerable to SSTI (Server Side Template Injection), since Flask renders through Jinja2. After going around the Dashboard I finally found that in the Settings area you could change your Name, Experience and Skills, and an email would be sent to confirm the change.
Noting the email verification element for the SSTI.
Using this alongside PayloadsAllTheThings – SSTI, I tested to see if SSTI was present.
Verifying SSTI is available for confirmation of profile changes.
After inputting the payload I confirmed the change via email, and the second email confirmed SSTI was present. I then tested SSTI Exploit – OS POPEN Read, which came back as successful, showing the www-data user. I altered the exploit with a reverse shell embedded (the syntax was very temperamental):
⚠ Attack Machine
Multiple attempts to succeed at the SSTI. Try Harder.
Once on the box, I created a working directory in /tmp/ and pulled LinPEAS to the box for enumeration. I created a second session to poke around while LinPEAS ran.
⚠ Attack Machine
🎯Victim Machine
I see a bunch of information regarding passbolt.php, and a short search later I can see a database is available and running on the current box:
I use the found credentials to connect to the database locally:
Expecting to find a password in the users table I pulled users first:
No passwords, but the same users found in the home directories. In the secrets table I found a PGP-encrypted message:
🔝Escalation
I checked other tables and did some initial enumeration alongside LinPEAS. Finally I tried the database password I got earlier with both users (password reuse):
🏴User
Nice, a user flag! I check his home directory and see a .ssh directory but no authorized_keys file. I generate a key pair and add the public key to authorized_keys on the box. To see how to do this, refer to my Backdoor write-up from two days ago.
Now on the box with a stable session, I run LinPEAS again as eddie looking for my next foothold. The first thing LinPEAS found, at the same time as I did, was mail:
Reviewing the mail I can see the following:
This definitely explains why LinPEAS is mentioning Google Chrome/extensions so much. A further dig showed log files dealing with the extensions in question:
This file had a lot to go through, but I found a PGP private key and decoded it with CyberChef. I then converted it to a hash format so I could crack it with john.
Once converted I kicked off john:
So after two crashes and 40 minutes or so I finally got the password of merrychristmas. Next I imported the key:
The decrypted message contained the root user's password. I used my current session to switch to root and grab the flag: