042#:HTB - Broker

We are back at it and moving right into the next room. This time Broker on Hack the Box. I am continuing my journey through TJ Null’s OSCP prep list and trying to iron out my methodology along the way.

Nmap

That’s a lot of output, but I am going to start simple with checking out what’s running on port 80 first. This is a login page though, so there isn’t much to do there yet.

Hitting cancel at the login prompt drops us to an error page that tells us this is running Jetty and even the version. Working down the nmap results, we see it there too. I finished doing an initial exploration of the nmap results and made notes about their software stack.

I checked for Jetty exploits but I didn’t get many hits for the version being used. Moving on, I started looking into OpenWire 5.15. With this we have some potential RCEs, though.

CVE 1

Given that the name of the room is Broker and the exploit mentions brokers, I feel like we are on the right track. Looking around, I found this poc by evl1kd.

Reading over this exploit, we need to host the poc.xml somewhere before we run the exploit. I cloned the repository to my exploits directory, and then spun up a python web server there.

I opened another terminal window and modified the poc.xml file to point to my IP. We need to start a netcat listener too. Finally, we can run our exploit, which results in a shell and gets us the first flag!

Flag 1

That’s great, but before we continue we should stabilize our shell. I poked around a little then got linpeas running from the tmp folder.

Linpeas 1

I slowly worked through the results while taking notes on the various accounts and software seen, noting the OS version, that the exploit suggester flagged CVE-2022-32250, sudo rights to run nginx without a password, etc.

That sudo one is pretty significant though, so I took a detour to inspect that further.

Sudo 1

I pulled up GTFOBins and began searching for sudo rights to nginx. We have a few options here, like abusing this to write data to the server as root, or pulling data from it as root.

Since we are targeting root.txt specifically, I focused on the “upload” option which will allow us to pull data from the server.
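As an added, defender-side example (not part of the original writeup), here is a small Python check that parses `sudo -l`-style output and flags passwordless rules for binaries such as nginx that can be turned into a root-level file read or write. The sample output, the hostname, the username and the list of risky binaries are all constructed for the example.

```python
import re

# Sample `sudo -l` output, constructed for this example (not captured from the box).
SAMPLE_SUDO_L = """\
Matching Defaults entries for svcuser on broker:
    env_reset, mail_badpass, secure_path=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin

User svcuser may run the following commands on broker:
    (ALL : ALL) NOPASSWD: /usr/sbin/nginx
    (root) /usr/bin/systemctl restart myservice
"""

# Binaries that, when run as root, give a file read/write primitive
# (constructed short list; extend it from GTFOBins for real audits).
RISKY_BINS = {"nginx", "vim", "less", "tar", "python3", "find"}

# One sudoers command spec line: "(runas) [TAG: ...] /path/to/bin [args]"
RULE_RE = re.compile(r"^\s*\((?P<runas>[^)]*)\)\s*(?P<tags>(?:\w+:\s*)*)(?P<cmd>\S+)(?P<args>.*)$")


def parse_sudo_l(output: str) -> list[dict]:
    """Return one dict per command rule found in `sudo -l` output."""
    rules = []
    for line in output.splitlines():
        m = RULE_RE.match(line)
        if not m:
            continue  # Defaults, headers and blank lines are not rules
        tags = {t.strip(":").upper() for t in m.group("tags").split()}
        rules.append({
            "runas": m.group("runas").strip(),
            "nopasswd": "NOPASSWD" in tags,
            "cmd": m.group("cmd"),
            "args": m.group("args").strip(),
        })
    return rules


def find_risky_nopasswd(output: str, risky_bins=RISKY_BINS) -> list[str]:
    """Flag NOPASSWD rules whose target is 'ALL' or a binary on the risky list."""
    findings = []
    for r in parse_sudo_l(output):
        name = r["cmd"].rsplit("/", 1)[-1]
        if r["nopasswd"] and (r["cmd"] == "ALL" or name in risky_bins):
            findings.append(f"{r['cmd']} runnable as ({r['runas']}) without a password")
    return findings


if __name__ == "__main__":
    for finding in find_risky_nopasswd(SAMPLE_SUDO_L):
        print("RISK:", finding)
```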

GTFOBins

I started by making the file on the server as shown. We do have to tweak this some for it to work for us, and I had to play around with it a little before I got it right.

Exploit 3

The first notable change is that I chose a higher port number. When using port 80 I couldn’t get it to work, and it’s more likely to run without needing higher permissions if we use an uncommon port.

The next change is that we have to run this as sudo with the explicit path of nginx. This looks like it did nothing, but we will have to run curl to see if it worked.

Exploit 4
Exploit 5
Exploit 6

Here, we can see me tinkering from this end too. We don’t really need an outfile to save to, so I dropped that after the first try. I also realized I hadn’t specified the port we set in the payload, so for the second image I added that.

The error I got this time was that the file wasn’t found, so I removed the file from the target URL. This is where it gets interesting though, because the results look like it is reading the root directory of the server. Knowing this, I again targeted root.txt, but this time specifying its absolute path.

That’s it! We have root and another room completed. This room was a lot of fun and a good one to help me warm back up after a four month study binge.

[CATZ....HACKS]
