A landing page greeted us and provided us with two distinct links on two different subdomains, api and gogs. But before being able to access them we had to add them to our hosts file. Sure enough we found the repository for the API, exposed at api.
After just a few minutes of browsing the source code, we found a major flaw in the brew endpoint used to add a new beer. The use of eval stood out like a sore thumb: it evaluates the user-controlled POST body field abv. The only thing that held us back from abusing this endpoint was the fact that we first had to authenticate in order to use the API, as indicated by the auth.
We consulted the source once again to find out what kind of authentication we were dealing with. We found our answer: we had to provide a username and password to authenticate with basic-auth, and the response should provide us with a JWT token. After gaining this insight we dug around in the git commits to search for API credentials.
A few minutes later, after inspecting each commit, we found what we were looking for: we immediately tried to authenticate as dinesh. Luckily the credentials were valid and granted us access to the API. A few moments later we built a quick and dirty Python script to authenticate and invoke the vulnerable endpoint to spawn a reverse shell.
After taking a look around we determined that we had ended up inside a docker container. It took a while for us to figure out where to go from here. After breaching the web server we had to somehow move laterally to carry on, as the docker container did not contain anything that piqued our interest. After re-reading the source code we realized we had completely ignored the database, which is used to store the users and brews for the API. The dbtest. The settings module should contain the credentials to access the database.
After we realized settings. To make our lives easier we copied dbtest. The docker-compose. More importantly, we pulled a copy of the SSH public and private key, which were carelessly committed as well.
So I added both of api. Here we can see the API endpoints and how to interact with them.
Craft – HackTheBox writeup
Obviously gogs. The repository of the API source code was publicly accessible, so I took a look at the code and the commits. I took a look at the API documentation again to find in which request I can send the abv parameter. The other commit was a test script which had hardcoded credentials, exactly what we need. I tested the credentials and they were valid. I wrote a small script to authenticate, grab the token, exploit the vulnerability and spawn a shell.
Gilfoyle had a private repository called craft-infra.
He left his private ssh key in the repository. By looking at vault. We have the token. And we owned root!
You are now authenticated. The token information displayed below is already stored in the token helper.
You do NOT need to run "vault login" again. Future Vault requests will automatically use this token.
However, at the top right were two links to two different subdomains.
Browsing the site we can get access to the source code of the API. The issue tracker is also available. Thanks to that issue we now know what header the API expects from us.
The token in the issue is, however, already expired. More interestingly, the last comment of that issue was: that eval on line 43 is practically executing any code we pass to it in the abv parameter. But we still need a token first. After a few dead ends we take a look at the commit history of the project; there are only 6 commits in total, and one in particular contained user credentials, which were removed again in a later commit.
There are a few restrictions though: it expects Python code and we will not get the result printed back. From there we can get additional credentials. We use that key to log in; the passphrase is the same as the password we got from MySQL for gilfoyle. In the repository is one more interesting configuration.
Vault is being used to store credentials, and there is a configuration for root SSH using OTP. We simply use this to log in as root: Vault happily gives us the one-time password with which we can log in as root.
My first Medium box!
CTF-E12 HackTheBox Craft Machine Walkthrough - Vault, Python Flask, Eval - Tamil
Of course, I needed the help of the forums to guide me :P. Using nmap we are able to determine the open ports and running services on the machine. Not much can be done with the ssh service as we do not have any credentials on hand, so let's come back to it later. As for the https service, maybe we can find some information on it? Nothing much here except for the API and the git icon on the top right.
Let's first check out the API. Upon clicking on Execute I was prompted for credentials. Since I did not have any credentials, I decided to put this on hold for now. Let's move on to the git icon. So this website is like a private GitHub of some sort? By clicking on Explore we are able to list all the public repositories, users and organisations on the website.
Hack The Box - Craft
Oh, we found something! There was an issue posted which contained the API token, but sadly it was expired. In the commit history, I found some credentials! Looks like Dinesh accidentally committed his credentials and tried to cover it up haha.
We managed to get a valid API token! Not much can be done now, so I decided to look at the source code for any vulnerabilities. This means that whatever Python expression we enter in the abv field will be executed.
I decided to search for how to achieve a reverse shell from the eval function and I found this post on StackOverflow. I used the below Python script to assist in the sending of the payload. And run our exploit script. Back on our listener, we catch the connection. Wait, we are already root? There was no root. Let's try running LinEnum to get some insights. Ahh I see, we are in a Docker container.
We might need to escape from it if we want to get our flags :P. The settings.
January 04, Craft was a fun 30 point box created by rotarydrone. It started out with finding and exploiting the Python eval function in a Flask API application via exposed source code in Gogs to get a shell as root in a docker container.
I added the api. We clearly need more information in order to proceed on this subdomain. I decided to check out gogs. The gogs. This project aims to build a simple, stable and extensible self-hosted Git service that can be set up in the most painless way.
From here I clicked Explore which leads us to a page showing the repositories available on gogs. It is common for sensitive information to be unintentionally leaked in Git repositories.
With this in mind I started digging through the repo. The first thing that caught my eye was dbtest. The app. We now possess the credentials required to authenticate to the craft-api application.
After browsing the repository I came across brew. The application is using the Python eval function on the abv parameter used by the API. Python has a number of built-in functions and eval is one of them; more information can be found here. CWE does a great job of explaining the problem here: the software receives input from an upstream component, but it does not neutralize or incorrectly neutralizes code syntax before using the input in a dynamic evaluation call, e.g. eval.
This may allow an attacker to execute arbitrary code, or at least modify what code can be executed. We now know the abv parameter of the brew API is vulnerable to this type of attack. This article includes payloads we can use to achieve RCE. After testing a couple of examples in the Kali Python terminal I decided upon the following payload. All we have to do now is authenticate with the dinesh credentials and interact with the abv parameter of the brew API so we can inject our payload.
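As an added example (not code from any of these writeups or from the Craft API itself), the defect described above beside its fix: a brew handler that hands the abv string to eval, and a hardened parser that accepts only a bounded decimal. The body field names, the 0 to 100 percentage range and the length limit are assumptions made for the example.

```python
# Added example: the eval() defect from the Craft brew endpoint next to a
# hardened parser. Field names and the 0-100 range are assumptions.

def parse_abv_unsafe(raw: str) -> float:
    """Mirrors the defect the writeups describe: eval() on a user-controlled
    string, so any Python expression in the string is executed, not just a
    number. Kept only for contrast with parse_abv_safe."""
    return eval(raw)  # vulnerable by design, shown for contrast


def parse_abv_safe(raw: str) -> float:
    """Hardened replacement: treat abv strictly as a decimal percentage."""
    if not isinstance(raw, str) or len(raw) > 8:
        raise ValueError("abv must be a short numeric string")
    # float() parses numeric literals only; it never evaluates expressions,
    # names or calls. inf/nan parse as numbers, so they are rejected below.
    try:
        value = float(raw)
    except ValueError:
        raise ValueError(f"abv is not a number: {raw!r}") from None
    if value != value or value in (float("inf"), float("-inf")):
        raise ValueError("abv must be finite")
    if not 0.0 <= value <= 100.0:
        raise ValueError("abv must be a percentage between 0 and 100")
    return value


def handle_brew(body: dict, parser=parse_abv_safe) -> dict:
    """Minimal stand-in for the brew endpoint: validate abv, then store/echo.
    A real Flask view would return these dicts as HTTP 400 / 201 responses."""
    try:
        abv = parser(body.get("abv", ""))
    except ValueError as exc:
        return {"status": 400, "error": str(exc)}
    return {"status": 201, "brew": {"name": body.get("name"), "abv": abv}}


if __name__ == "__main__":
    # Constructed sample bodies. "1+1" is a harmless expression that shows the
    # difference: eval() computes it, float() refuses it.
    print(handle_brew({"name": "Porter", "abv": "5.5"}))
    print(parse_abv_unsafe("1+1"), handle_brew({"abv": "1+1"})["status"])
```

Unit-testing the parser with a few non-numeric strings, as the `handle_brew` checks do, is the quickest way to confirm the hardened version no longer reaches any evaluator.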
I used the test. I added minor modifications to include the dinesh credentials and the payload for the Python eval function in order to exploit the application and get a shell. Running the test. After playing with the script for a while I managed to dump some credentials from the user table using the simple SQL statement shown below.
None of the credentials worked for either of the SSH ports. They did, however, allow me to log in to the Gogs interface. The gilfoyle account did have some sensitive info, as he had access to the repo for the Craft Infrastructure, craft-infra. This repository contained an. I gave the key the correct permissions but was prompted for a password when connecting.
As gilfoyle you can simply cat the user flag. The bash script secrets. Googling vault ssh led me to vaultproject. There are a couple of different ways we can get root here, but I decided to create a root OTP and authenticate with it, which then drops you into a root SSH shell.
From the secrets. The command for this specific instance is then as follows.
Today they retired my favorite box so far, Craft. This box was very real world in the chain of mistakes that led to each exploit. The beer theme and Silicon Valley theme were also awesome. We begin our reconnaissance by running a port scan with Nmap, checking default scripts and testing for vulnerabilities. So it looks like there are some links to subdomains.
We see the documentation page for Craft API 1. Figure 2: Craft API 1. The other link on the page is to Gogs, a self-hosted git repository. This is fun! It looks like we may get to hack an open source program.
Does this remind you of digging through repos on GitHub? Going through the commit history we come across some committed credentials right away.
The screenshot actually contains the commit in which they were removed, but we can see through the red highlighting! Figure 5: add test script you say!? This process required developing several payloads that ran correctly locally, only to fail on the box. When we run the script with our sexy little payload we catch a reverse shell and gain our initial foothold. Here are the contents of that file. If we modify dbtest. We replace the SQL statement above with one to show us the tables, and replace the fetchone command with fetchall.
Again we replace the sql command, this time to display the entire user table. There must be some credential stuffing we can do with all these.
We already know that dinesh reused his password, so maybe the others did too. Figure 6: ssh keys inside. Figure 7: vault secrets! On to the root portion we go. Now we already know about something very important, and that's vault. Figure 8: rooted. This box was fun from the beginning. I enjoyed going through the Flask code in the git repository to find a vulnerability, as well as finding the credentials and test script in an old commit.
This gain of the initial foothold seemed to me to be very realistic.
Developing the exploit to get code execution was rather difficult, for me at least. I will say that storing credentials in plain text is probably almost as bad, or worse, than using the eval function, but some people still do this crap too.
Running vault as root is also a mistake, but a lazy developer may do so too for one reason or another. All in all Craft has been my absolute favorite box thus far.
The site hosts a simple page with no seemingly interesting information. But there are 2 links at the top right hand corner, currently inaccessible because the host names are unknown. Further investigation reveals that a fix on the script brew. However, the user input ABV value is not sanitized to be a valid number.
Therefore, arbitrary code injection is possible and the eval function will execute the injected code, resulting in remote code execution. So, in order to exploit this vulnerability, we will need to find some credentials to authenticate our API usage. The updated test. We got root already. More enumeration is needed. No luck in using the credentials for SSH login.
But we can log in to the Gogs site using the credentials. A passphrase is needed, which is the credential obtained from the MySQL database. After googling, it is a vault from vaultproject. The secrets.
However, the eval function is used, which allows code injection.
Privilege Escalation (user) Vulnerability: critical information stored in git. Explanation: the ssh private key is stored in git. Obtaining the private key allows ssh login as its owner.
Privilege Escalation (root) Vulnerability: vault is set up to allow root access. Explanation: a script stored in git revealed that vault is set up to allow ssh login as root.
Enumeration: nmap -p- -A -T4. Looks like we need to authenticate to the API website first.
Quick modification to dbtest. Root shell obtained. Nice box. Thank you rotarydrone for making the machine.