HackTheBox Agile Writeup
Hello, I want to share how I solved the HackTheBox Agile box. This box is fun and quite complicated, but at the moment I have only got the user flag; I will continue working on the root flag when I have more free time :)
Information Gathering
The first step is an NMAP scan to enumerate open ports and the domain name. The only open ports are 22 (SSH) and 80 (HTTP).
Add the domain name superpass.htb to local name resolution in Kali Linux.
Next is scanning web directories with gobuster, which found nothing interesting.
Next I explored the whole website and created an account.
I found that the download directory returns an error, and from that error I learned that the Python libraries live in /app/venv/lib/python3.10/ and that the web app uses Flask.
Also from this error page I found that we can wake the debugger console for RCE, but we need a PIN to unlock the console, so let's save this clue.
While continuing to explore the web app, I tried the export button,
and in Burp we can see that the parameter fn= is used to fetch a file.
Exploit
Local File Inclusion
Next I tried directory traversal to show /etc/passwd, and the server returned the contents of /etc/passwd, proving that directory traversal works on this server. So we can peek into the server's files, and we got usernames like Edwards, Corum, and dev_admin that have a bash shell, so keep this information.
Cracking the Werkzeug Console PIN
So I went back to the interesting part, cracking the Werkzeug console PIN. I tried to follow the steps from https://book.hacktricks.xyz/network-services-pentesting/pentesting-web/werkzeug, but I still could not get the right PIN because the configuration of each Flask app is different. After many trials and errors, I figured out how to crack the Werkzeug console PIN.
I used the exploit template from https://book.hacktricks.xyz/network-services-pentesting/pentesting-web/werkzeug
What I need to do now is search for these parameters: username, modname, classname, app.py path, address, machine-id, and cgroup.
Public Bits
Username
To get the username we can view /proc/self/environ to see the user that started Flask: www-data
Modname
flask.app is the Flask module name
Classname
For this parameter I looked at the file referenced by the traceback error page and found the app name in the debuggedapplication function in that file
app.py path
The path can be obtained from the traceback error page: it shows the Python script path, which is the absolute path of the Flask app.py.
Private Bit
1st private bit
To get the first private bit, we first need to know the network interface from /proc/net/arp,
then we get the MAC address from /sys/class/net/{interface from the step above}/address.
Then convert the MAC address to decimal using Python so we can pass the value as the 1st private bit to the exploit script.
2nd private bit
To fill this variable we need to get the machine-id and the cgroup, because this variable in the exploit script is the concatenation of the machine-id and the cgroup.
Obtaining the machine-id
For the cgroup we need the first line of the cgroup file.
Then we do a little reverse engineering of the Werkzeug debugger to get the right cgroup value, using code I found on YouTube.
Then let's pass all the values gathered in the steps above to the exploit code to generate the Werkzeug console PIN.
The exploit script gave me the PIN 339-183-899 to spawn the Werkzeug console, and the PIN is correct.
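From the defender's side, every ingredient used above (the traversal proof against /etc/passwd, /proc/self/environ, /proc/net/arp, the interface address under /sys/class/net/, /etc/machine-id and /proc/self/cgroup) arrives through the same fn= parameter, so the read attempts are visible in the web server's access log. The following scanner is an added example, not part of the original writeup or the box; the log lines are constructed and /download is an assumed endpoint path.

```python
"""Flag traversal and debugger-PIN ingredient reads in an export endpoint's fn= parameter."""
import posixpath
import re
from urllib.parse import parse_qs, unquote, urlsplit

# /etc/passwd (the traversal proof) plus the files needed to rebuild the Werkzeug PIN.
SENSITIVE_PREFIXES = (
    "/etc/passwd",
    "/proc/self/environ",
    "/proc/net/arp",
    "/sys/class/net/",
    "/etc/machine-id",
    "/proc/sys/kernel/random/boot_id",
    "/proc/self/cgroup",
)

# Combined-format access log line (assumed log format).
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<url>\S+) [^"]*" (?P<status>\d{3})')


def classify_fn(raw_fn):
    """Describe what one fn= value attempts; returns an empty set for a benign filename."""
    fn = unquote(unquote(raw_fn))  # decode twice so double-encoded %252e%252e ('..') is caught
    labels = set()
    if ".." in fn.split("/"):
        labels.add("traversal")
    if fn.startswith("/"):
        labels.add("absolute-path")
    # Resolve the path the way the OS would after the app joins it under its export directory.
    resolved = posixpath.normpath("/" + fn.lstrip("/"))
    if resolved.startswith(SENSITIVE_PREFIXES):
        labels.add("sensitive-file")
    return labels


def scan_log(lines):
    """Return (client ip, fn value, sorted labels) for every request whose fn= looks malicious."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        for raw_fn in parse_qs(urlsplit(m.group("url")).query).get("fn", []):
            labels = classify_fn(raw_fn)
            if labels:
                findings.append((m.group("ip"), raw_fn, sorted(labels)))
    return findings


SAMPLE_LOG = [  # constructed sample lines
    '203.0.113.5 - - [01/Mar/2023:10:00:01 +0000] "GET /download?fn=passwords.csv HTTP/1.1" 200 512',
    '203.0.113.9 - - [01/Mar/2023:10:00:07 +0000] "GET /download?fn=../../../../etc/passwd HTTP/1.1" 200 2847',
    '203.0.113.9 - - [01/Mar/2023:10:00:12 +0000] "GET /download?fn=..%2F..%2F..%2Fproc%2Fself%2Fenviron HTTP/1.1" 200 1024',
    '203.0.113.9 - - [01/Mar/2023:10:00:20 +0000] "GET /download?fn=/sys/class/net/eth0/address HTTP/1.1" 200 18',
    '203.0.113.9 - - [01/Mar/2023:10:00:25 +0000] "GET /download?fn=%252e%252e%252fetc%252fmachine-id HTTP/1.1" 200 33',
]

if __name__ == "__main__":
    for ip, fn, labels in scan_log(SAMPLE_LOG):
        print(ip, fn, ",".join(labels))
```

The same check applied before the file is opened (reject any fn whose resolved path leaves the export directory) is the fix on the application side; disabling the Werkzeug debugger in production removes the console the PIN unlocks.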
Remote Code Execution
Now let's get a reverse shell! First start the netcat listener.
To get a shell from the venv, I used the Python one-liner reverse shell from https://rcenetsec.com/reverse-shell-one-liner-how-to-do-it/
And I got a low-privilege www-data shell inside the local venv.
Privilege Escalation
At this step, what we can do is enumerate everything on the machine. While enumerating with the low-privilege account, I found a clue among the running services: a MySQL service is running.
And I found the SQL credentials in the /app/config_prod.json file:
Username: superpassuser
Password: dSA6l7q*yIVs$39Ml6ywvgK
Then, use the credentials above to enumerate the MySQL databases.
From the passwords table I got some credentials and tried to SSH with these creds:
username: corum
password: 5db7caa1d13cc37c9fc2
Horizontal Privilege Escalation
Using the SSH creds above, I successfully connected to the corum account and finally got the user flag.