Drive Machine Writeup
Drive is HackTheBox Hard Linux Machine which starts with a website that I can upload, store, edit, and share files. as well as adding groups and showing reports. First I’ll register an account and upload a file. I’ll try to reverse it and find an IDOR
vulnerability. Then I’ll brute force the file’s ids using burp intruder and found login credentials to SSH into machine. I’ll forward port 3000
and discover Gitea
service. I’ll extract database from backups
folder and read db.sqlite3
file. I’ll reverse engineer a binary file and read source code using IDA
. Finally I’ll exploit Remote Code Execution
using load_extension
library in sqlite3
.
Recon
As always let’s start with nmap port scanning.
-sC
for default scripts scan.
-sV
for enumerate version of services.
-oN
for output.
We have 2 open ports 22 (SSH), 80 (HTTP) and 1 filtered port that is 3000
. The host is running on ubuntu
OS and nginx 1.18
web server.
There’s a redirect on port 80 to drive.htb
, so let’s add it to /etc/hosts
and check it.
We can see we have option to register an account and login, so let’s register an account and access the website.
After checking the website, we can upload, edit, reserve, and share files. We can also add user groups and show reports. lot of features we need to test.
So First let’s try upload a file.
MIME type (also known as a Multipurpose Internet Mail Extension) is a standard that indicates the format of a file. It is a fundamental characteristic of a digital resource that influences its ability to be accessed and used over time.
For example: text/plain
If we try to abuse upload functionality, it isn’t vulnerable.
Let’s show our file and intercept the request in burp. We can see file id looks interesting.
So, let’s send the request to intruder and try to fuzz file id.
We can see above there are various file ids with different status code 401
which means it’s unauthorized to access. So let’s continue check other functionalities.
If we click Reverse
we can edit that file.
Let’s intercept the request to burp and analyze it.
Shell as Martin
If we try to change the file id to any pervious id which gives us unauthorized, we can access these files which is IDOR
vulnerability.
Insecure direct object reference also known as idor occur when an application provides direct access to objects based on user-supplied input. As a result of this vulnerability attackers can bypass authorization and access resources in the system directly, for example database records or files.
ID: 98
ID: 99
ID: 100
ID: 101
ID: 79
As we see above 79
ID leaks sensitive information.
If we try to SSH with martin:Xk4@KjyrYv8t194L!
, we will login.
Shell as Tom
When we do some manual enumeration on machine, we can find backups
directory which looks interesting.
Let’s transfer files to our local and try to unzip it.
We can see zipped files are protected and martin
password also not working.
Let’s do more enumeration and we can see the following open ports which port 3000
looks interesting.
So, let’s forward this port and access it.
We can see it’s Gitea
website. If we try to login with with martin
credential, we can access it.
As we see above it’s DoodleGrive
repository, let’s check db_backup.sh
.
Now we have zip password, so let’s extract zip files in backups
folder one by one it gives us four different hashes for tom
user.
Let’s try to crack these hashes with hashcat
.
It shows us the following results:
If we try to SSH with tom
user and these passwords, tom:johnmayer7
will work.
Let’s read user.txt
.
Shell as root
We can see we have an interesting file called doodleGrive-cli
which used to monitoring server status.
As we see below, we need username and password to run this file.
So let’s transfer it to our local machine and reverse engineering using IDA
.
We can see login credentials in the main function of the binary code.
let’s login and explore doodleGrive-cli
binary file.
So let’s look around main function in IDA
.
We can see it calls different function in each case.
Function #1: main_menu()
Function #2: show_users_list()
This function use select query to display users data.
Function #3: show_groups_list()
This function use select query to display users group data.
Function #4: show_server_status()
This function runs server-health-chech.sh
file as www-data
user.
Function #5: show_server_log()
This function displays the last 1000
line of access.log
file.
As we can see above all functions are normal, but the function below looks interesting.
Function #6: activate_user_account
This function use update query to set is_active
column to value 1
where username
is specified by user.
We can see above the function runs sqlite3
and accepts user input in username
which indicates to sqlite
injection.
If we search for sqlite injection
, we can find some tricks in PayloadAllTheThings.
According PayloadAllTheThings, we can use load_extension function to call other file from directory and execute a Remote Code Execution
.
The load_extension(X,Y) function loads SQLite extensions out of the shared library file named X using the entry point Y. The result of load_extension() is always a NULL. If Y is omitted then the default entry point name is used. The load_extension() function raises an exception if the extension fails to load or initialize correctly.
The load_extension() function will fail if the extension attempts to modify or delete an SQL function or collating sequence. The extension can add new functions or collating sequences, but cannot modify or delete existing functions or collating sequences because those functions and/or collating sequences might be used elsewhere in the currently running SQL statement. To load an extension that changes or deletes functions or collating sequences, use the sqlite3_load_extension() C-language API.
For security reasons, extension loading is disabled by default and must be enabled by a prior call to sqlite3_enable_load_extension().
Remote Code Execution also known as RCE attacks allow an attacker to remotely execute malicious code on a computer. The impact of an RCE vulnerability can range from malware execution to an attacker gaining full control over a compromised machine.
Now we know the first parameter in load_extension() function is a shared library, let’s search for Shared Library Exploit.
The only command we are using is chmod
to change the suid
of bash
file.
First we need to write a malicious script with our payload, then we need to compile it.
Now let’s call it using load_extension()
, but because the query inside string according with IDA
that we’ve analyze before, we must close
the quotes to separate between string and function using "+load_extension()+"
.
As we see above the binary removes letter .
, /
.
If we back to IDA
, we will notice the sanitize_string()
function.
So let’s check what this function does.
as we see it filter the following bad characters from string.
We can bypass filtered characters by using char()
function.
The char(X1,X2,…,XN) function returns a string composed of characters having the unicode code point values of integers X1 through XN.
But If we call the shell
file, it shows us the following error:
I think there is a limitation on the file name, so we can make the file name one character.
So let’s convert shell.c
to a.c
and compile it again.
We need to convert the file name to ascii
and call it again.
Now Let’s run /bin/bash
and use the -p
option to run it in privileged mode to be able to read root.txt
.