Drive Machine Writeup

7 minute read

Drive

Drive is HackTheBox Hard Linux Machine which starts with a website that I can upload, store, edit, and share files. as well as adding groups and showing reports. First I’ll register an account and upload a file. I’ll try to reverse it and find an IDOR vulnerability. Then I’ll brute force the file’s ids using burp intruder and found login credentials to SSH into machine. I’ll forward port 3000 and discover Gitea service. I’ll extract database from backups folder and read db.sqlite3 file. I’ll reverse engineer a binary file and read source code using IDA. Finally I’ll exploit Remote Code Execution using load_extension library in sqlite3.

Recon

As always let’s start with nmap port scanning.

nmap_results

-sC for default scripts scan.

-sV for enumerate version of services.

-oN for output.

We have 2 open ports 22 (SSH), 80 (HTTP) and 1 filtered port that is 3000. The host is running on ubuntu OS and nginx 1.18 web server.

There’s a redirect on port 80 to drive.htb, so let’s add it to /etc/hosts and check it.

We can see we have option to register an account and login, so let’s register an account and access the website.

Doodle_website

After checking the website, we can upload, edit, reserve, and share files. We can also add user groups and show reports. lot of features we need to test.

Doodle_home_page

So First let’s try upload a file.

MIME type (also known as a Multipurpose Internet Mail Extension) is a standard that indicates the format of a file. It is a fundamental characteristic of a digital resource that influences its ability to be accessed and used over time.

For example: text/plain

Doodle_upload

Doodle_show_file

If we try to abuse upload functionality, it isn’t vulnerable.

Let’s show our file and intercept the request in burp. We can see file id looks interesting.

GetFileDetail

So, let’s send the request to intruder and try to fuzz file id.

GetFileDetail_Failed

We can see above there are various file ids with different status code 401 which means it’s unauthorized to access. So let’s continue check other functionalities.

If we click Reverse we can edit that file.

Doodle_edit_file

Let’s intercept the request to burp and analyze it.

Shell as Martin

burp-idor-error

If we try to change the file id to any pervious id which gives us unauthorized, we can access these files which is IDOR vulnerability.

Insecure direct object reference also known as idor occur when an application provides direct access to objects based on user-supplied input. As a result of this vulnerability attackers can bypass authorization and access resources in the system directly, for example database records or files.

ID: 98

Doodle_Hi

ID: 99

Doodle_security_announce

ID: 100

Welcome_to_Doodle_Grive

ID: 101

Doodle_database_backup

ID: 79

Doodle_software_engineer

As we see above 79 ID leaks sensitive information.

If we try to SSH with martin:Xk4@KjyrYv8t194L!, we will login.

martin_shell

Shell as Tom

When we do some manual enumeration on machine, we can find backups directory which looks interesting.

sqlite_7z_backups

Let’s transfer files to our local and try to unzip it.

We can see zipped files are protected and martin password also not working.

faild_unzip

Let’s do more enumeration and we can see the following open ports which port 3000 looks interesting.

netstat

So, let’s forward this port and access it.

ssh-tunnel

We can see it’s Gitea website. If we try to login with with martin credential, we can access it.

gitea_page

Doodle_source

As we see above it’s DoodleGrive repository, let’s check db_backup.sh.

db_backup_password

Now we have zip password, so let’s extract zip files in backups folder one by one it gives us four different hashes for tom user.

tom_hash1

tom_hash2

tom_hash3

tom_hash4

Let’s try to crack these hashes with hashcat.

hashcat_payload

It shows us the following results:

hashcat_results

If we try to SSH with tom user and these passwords, tom:johnmayer7 will work.

Let’s read user.txt.

user_flag

Shell as root

We can see we have an interesting file called doodleGrive-cli which used to monitoring server status.

README

As we see below, we need username and password to run this file.

doodleGrive-cli_faild_login

So let’s transfer it to our local machine and reverse engineering using IDA.

We can see login credentials in the main function of the binary code.

doodleGrive-cli_main

let’s login and explore doodleGrive-cli binary file.

doodleGrive-cli_test

So let’s look around main function in IDA.

We can see it calls different function in each case.

Function #1: main_menu()

doodleGrive-cli_main_menu

Function #2: show_users_list()

This function use select query to display users data.

doodleGrive-cli_show-users-list

Function #3: show_groups_list()

This function use select query to display users group data.

doodleGrive-cli_show-groups-list

Function #4: show_server_status()

This function runs server-health-chech.sh file as www-data user.

doodleGrive-cli_show-server-status

Function #5: show_server_log()

This function displays the last 1000 line of access.log file.

doodleGrive-cli_show-server-logs

As we can see above all functions are normal, but the function below looks interesting.

Function #6: activate_user_account

This function use update query to set is_active column to value 1 where username is specified by user.

doodleGrive-cli_activate_users

We can see above the function runs sqlite3 and accepts user input in username which indicates to sqlite injection.

If we search for sqlite injection, we can find some tricks in PayloadAllTheThings.

According PayloadAllTheThings, we can use load_extension function to call other file from directory and execute a Remote Code Execution.

The load_extension(X,Y) function loads SQLite extensions out of the shared library file named X using the entry point Y. The result of load_extension() is always a NULL. If Y is omitted then the default entry point name is used. The load_extension() function raises an exception if the extension fails to load or initialize correctly.

The load_extension() function will fail if the extension attempts to modify or delete an SQL function or collating sequence. The extension can add new functions or collating sequences, but cannot modify or delete existing functions or collating sequences because those functions and/or collating sequences might be used elsewhere in the currently running SQL statement. To load an extension that changes or deletes functions or collating sequences, use the sqlite3_load_extension() C-language API.

For security reasons, extension loading is disabled by default and must be enabled by a prior call to sqlite3_enable_load_extension().

Remote Code Execution also known as RCE attacks allow an attacker to remotely execute malicious code on a computer. The impact of an RCE vulnerability can range from malware execution to an attacker gaining full control over a compromised machine.

Now we know the first parameter in load_extension() function is a shared library, let’s search for Shared Library Exploit.

The only command we are using is chmod to change the suid of bash file.

First we need to write a malicious script with our payload, then we need to compile it.

root_shell

Now let’s call it using load_extension(), but because the query inside string according with IDA that we’ve analyze before, we must close

the quotes to separate between string and function using "+load_extension()+".

doodleGrive-cli_test_shell

As we see above the binary removes letter ., /.

If we back to IDA, we will notice the sanitize_string() function.

So let’s check what this function does.

santize_code

as we see it filter the following bad characters from string.

bad_chars

We can bypass filtered characters by using char() function.

The char(X1,X2,…,XN) function returns a string composed of characters having the unicode code point values of integers X1 through XN.

But If we call the shell file, it shows us the following error:

limition_bypass

I think there is a limitation on the file name, so we can make the file name one character.

So let’s convert shell.c to a.c and compile it again.

edit_shell

We need to convert the file name to ascii and call it again.

text-to-ascii

final_exploit

Now Let’s run /bin/bash and use the -p option to run it in privileged mode to be able to read root.txt.

root.txt

Categories:

Updated: