Craft — HackTheBox
Summary
Craft is a medium-rated box created by rotarydrone. We gain an initial foothold by finding user credentials exposed in a git service. A docker container shell is obtained after discovering a script in the repository into which we can inject our reverse shell along with the credentials we found. With the help of another script found after gaining the initial shell, we are able to send database queries that give us another set of credentials to use for SSH authentication. Finally, root access is gained after creating a one-time SSH password for root.
Reconnaissance
As usual, we run Nmap to scan for open ports and services.
Only ports 22, 443 and 6022 are open. Visiting port 443 brings us to a page about the Craft repository which instructs us to check out the API.
Clicking the API icon in the top right corner goes nowhere, and neither does the icon right beside it, which should go to gogs.craft.htb. I added these two hostnames to my hosts file in order to access the pages.
Now we can take a look at the API and the gogs repository.
The API page is used to retrieve a token for credentials that we don't have yet, so let's enumerate the git repository instead. I tried signing in with default credentials such as 'admin:password' but was unsuccessful. Going to the 'Explore' section shows the repository, and clicking 'Users' reveals some possible usernames.
The user we want initially is Dinesh. He recently made a change to 'test.py', a script in the repository in which his credentials are exposed.
After clicking the commit circled in red, we are able to see what changes he made to the script.
After looking through more of his public activities, I came across a discussion between the users about a bogus ABV value which could be dangerous if exploited. I downloaded the script from the repository and tested it. I managed to craft a payload which gave me a docker container reverse shell.
The reverse shell payload is placed in the ABV value while Dinesh's credentials go in the authentication request. Executing 'test.py' right after gives us a shell inside the docker container.
After going through the directories, I found a script, 'dbtest.py', which sends queries to the SQL database.
None of the dumped credentials worked on SSH. I went and tried authenticating to the git service instead and successfully got in using Gilfoyle's username and password: 'gilfoyle:ZEU3N8WNM2rh4T'
From here, we can browse his profile and his repository. A '.ssh' directory is found inside the repository which contains his private key. We will use this key to log in over SSH, with his password from the dump as the passphrase.
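Both footholds on this box came from secrets committed to the repository: Dinesh's credentials in 'test.py' and gilfoyle's private key under '.ssh'. As an added example (not code from the writeup or the box), here is a small Python secret scanner of the kind a pre-receive hook or CI job would run over each pushed diff; the diff, file names and credential values below are constructed placeholders.

```python
import re
from typing import Dict, List

# Constructed sample diff resembling the kinds of commits found on this box.
# All values are placeholders, not the real credentials.
SAMPLE_DIFF = """\
+++ b/test.py
+response = requests.get(url, auth=('dinesh', 'EXAMPLE_PASSWORD'), verify=False)
+++ b/.ssh/id_rsa
+-----BEGIN OPENSSH PRIVATE KEY-----
+b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAABFwAAAAdzc2gtcn
+++ b/dbtest.py
+cnx = mysql.connector.connect(user='craft', password='EXAMPLE_DB_PASS', host='db')
+++ b/README.md
+Run test.py with your own credentials; never commit them.
"""

# Rules keyed by name; each matches one way secrets tend to land in source.
PATTERNS = {
    "private_key": re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----"),
    "basic_auth_tuple": re.compile(
        r"auth\s*=\s*\(\s*['\"][^'\"]+['\"]\s*,\s*['\"][^'\"]+['\"]\s*\)"),
    "password_assignment": re.compile(r"\bpassword\s*=\s*['\"][^'\"]+['\"]"),
}


def scan_diff(diff_text: str) -> List[Dict[str, str]]:
    """Return one finding per added line that matches a secret rule."""
    findings = []
    current_file = None
    for line in diff_text.splitlines():
        if line.startswith("+++ "):          # file header of a unified diff
            current_file = line[4:]
            if current_file.startswith("b/"):
                current_file = current_file[2:]
            continue
        if not line.startswith("+"):          # only added lines introduce secrets
            continue
        added = line[1:]
        for name, pattern in PATTERNS.items():
            if pattern.search(added):
                findings.append({"file": current_file, "rule": name,
                                 "line": added.strip()})
    return findings


if __name__ == "__main__":
    for f in scan_diff(SAMPLE_DIFF):
        print(f"{f['file']}: {f['rule']}: {f['line']}")
```

A hook that rejects the push when `scan_diff` returns anything would have blocked both the credential commit and the private key commit seen here.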
Privilege Escalation
The privilege escalation part is pretty straightforward. We find a script named 'secret.sh' inside gilfoyle's repository which contains information about OTP (One-Time Password) authentication.
I did some reading on OTP and came across a page that illustrates how to generate one. I proceeded to create a One-Time Password for root and logged in to SSH with it.
After successfully authenticating into SSH, we wrap it up by grabbing the root flag.