
Curling is a retired vulnerable Linux machine from HackTheBox, created by L4mpje (thank you). It is rated Easy, with a rating of 4.4 out of 10.
Kali Linux is used to carry out the enumeration, exploitation and privilege escalation. The goal is to obtain a root shell together with both the user and root flags.
Exploitation Summary
Initial Exploitation
- Vulnerability: Remote code execution through Joomla admin account access
- Explanation: A password exposed through a hidden file, paired with an easily guessed username, gives administrative access to the Joomla admin console, which leads to remote code execution
Privilege Escalation
- Vulnerability: Curl command execution hijacking
- Explanation: A cron job runs curl with a config file that is writable by the low-privilege user, so that user controls what curl reads and writes as root
Enumeration
nmap -p- -A -T4 10.10.10.150

TCP 22: OpenSSH 7.6p1
TCP 80: Apache httpd 2.4.29
Initial Shell Exploitation
Only ports 22 and 80 are open, so let's check out the website:

This is a website with a few blog posts. Looking at the HTML source reveals that it is running Joomla.

Also, scrolling down to the bottom of the source shows a file called secret.txt mentioned in an HTML comment.

A directory scan using gobuster finds this secret file plus some useful information such as the /administrator folder:
gobuster dir -u http://10.10.10.150/ -w /usr/share/seclists/Discovery/Web-Content/common.txt -e -k -l -s "200,204,301,302,307" -x "txt,html,php"

Navigating to secret.txt shows a string of text, which we can base64-decode:


Awesome, we find a password: Curling2018!. Joomla's default username is admin. Let's try to log in at /administrator:

Unfortunately, that doesn't work, and SSH login doesn't work either, so we need to find the right username. Looking more carefully at the blog posts, we can see that one of them was written by the user Floris. Let's try logging in as floris:

All right! We get in as floris, and it looks like floris is a Super User with administrative privileges. It's my first time working on Joomla, so I would like to run searchsploit to see if there's any remote code execution exploit for Joomla. Before doing that, I would like to know the version of Joomla, which I find under the Help > Joomla! Help menu:

The version of Joomla is 3.9.18! Now let's run searchsploit:

There are tons of results if I just search for Joomla. Searching for Joomla 3.9 narrows them down, but neither search finds a remote code execution exploit I can use. There is an exploit that does directory traversal and authenticated arbitrary file deletion. I tried it; it works and lets me list the directory structure of Joomla, which gives a little more information but is otherwise not much use for my purpose.
I then googled to see if there are any Joomla exploits that can lead to shell access, but unfortunately couldn't find one.
While running searchsploit and googling, I also browse around Joomla. As with WordPress theme files, the template PHP files can be edited from the admin console, and I finally locate error.php under the menu Extensions > Templates > Templates. There are two templates, Beez3 and Protostar. Either one should work, and I selected the Protostar template. There are a few PHP files you can modify. I like to use error.php because it won't affect the pages the website already has, yet I can test the script easily by requesting an invalid URL.

In this case, I am able to access error.php at http://10.10.10.150/templates/protostar/error.php. So I prepare a PHP reverse shell with the correct IP address (10.10.14.20, my Kali box) and port 4000. A PHP reverse shell is available at /usr/share/webshells/php/php-reverse-shell.php. I then copy the PHP reverse shell script into error.php and save the file.
Time to start netcat listening on port 4000 and then navigate to
http://10.10.10.150/templates/protostar/error.php

Awesome, initial shell obtained!
Exploitation – Part 2
A quick look at the /home folder shows that there is only one user, floris, and under floris's home directory there is a file called password_backup that looks promising.

It's a hex dump of some data. Let's copy it locally and convert it back to binary with the xxd command to see what it is:
xxd -r password_backup password
file password

It’s a bzip2 compressed file. Let’s keep going:

It turns out to be a password.txt file that has been compressed several times using various compression methods, and we finally obtain a password: 5d<wdCbdZu)|hChXll. Let's try it out over SSH.
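As an added example (not part of the original walkthrough), the following Python helper does what the xxd and decompression steps above do by hand: it reverses an xxd-style hex dump and peels nested bzip2, gzip and zip layers by their magic bytes. The dump it works on is a constructed sample built inline, not the box's password_backup file.

```python
import bz2, gzip, io, re, zipfile


def _first_member(data: bytes) -> bytes:
    # zip is a container: return the first member rather than "decompressing" the archive
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return zf.read(zf.namelist()[0])

# Magic bytes of the layers a nested "password backup" may be wrapped in
MAGIC = [(b"BZh", "bzip2", bz2.decompress),
         (b"\x1f\x8b", "gzip", gzip.decompress),
         (b"PK\x03\x04", "zip", _first_member)]

def hexdump_to_bytes(dump: str) -> bytes:
    """Reverse an xxd-style dump (offset, hex groups, ASCII gutter), as xxd -r does."""
    out = bytearray()
    for line in dump.splitlines():
        m = re.match(r"^[0-9a-fA-F]+:\s+((?:[0-9a-fA-F]{2}\s?)+)", line)
        if m:
            out += bytes.fromhex(m.group(1).replace(" ", ""))
    return bytes(out)

def unwrap(data: bytes):
    """Peel compression layers by magic bytes until none match; returns (layers, payload)."""
    layers = []
    while True:
        for magic, name, fn in MAGIC:
            if data.startswith(magic):
                layers.append(name)
                data = fn(data)
                break
        else:
            return layers, data

def bytes_to_hexdump(data: bytes) -> str:
    """Produce an xxd-style dump; used only to build the constructed sample below."""
    lines = []
    for off in range(0, len(data), 16):
        chunk = data[off:off + 16]
        hexpart = " ".join(chunk[i:i + 2].hex() for i in range(0, len(chunk), 2))
        text = "".join(chr(b) if 32 <= b < 127 else "." for b in chunk)
        lines.append(f"{off:08x}: {hexpart:<39}  {text}")
    return "\n".join(lines)

def sample_dump() -> str:
    """Constructed sample: password.txt inside a zip, wrapped in gzip, then bzip2."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("password.txt", "not-the-real-password\n")
    return bytes_to_hexdump(bz2.compress(gzip.compress(buf.getvalue())))
```

Calling unwrap(hexdump_to_bytes(sample_dump())) returns the list of layers found, ["bzip2", "gzip", "zip"], together with the inner password.txt contents.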

Yes! We get in as floris, and a quick check of user.txt gets us the user flag.

Privilege Escalation – Part 2
There is a folder admin-area in floris's home directory, which looks interesting. Inside the folder are two recently created files, input and report. Apparently the input file carries a URL, http://127.0.0.1, while the report file holds the content fetched from that URL.
On further investigation, these two files are updated every minute. What's more important is that the owner of both files is root, that is, they were created with root privileges. Moreover, both files are writable by floris.

Checking crontabs and running the usual enumeration (LinEnum.sh) does not yield any information about these two files or anything else interesting.
Now, let's use pspy to monitor the processes.
https://github.com/DominicBreuker/pspy/releases/download/v1.2.0/pspy64s
Download pspy64s to the Kali box and then upload it to the target box (using Python's SimpleHTTPServer and wget).

Secrets revealed: a curl command is executed using the input file as its config, and one second later /root/default.txt is copied over the input file.
Awesome, since the curl command uses the input file as its config file, we can hijack the execution by modifying the input file. We can craft a custom sudoers file and modify the input file so that curl reads it and writes it to /etc/sudoers. If all goes well, floris will then be able to run any command with sudo.
The custom sudoers file will contain the following:
floris ALL=(ALL) NOPASSWD:ALL
And we will modify the input file as follows (each curl option on its own line):
url = "file:///home/floris/.exploit/sudoers"
output = "/etc/sudoers"
I create the folder .exploit and place the new sudoers and input files in it.

Time to perform the exploit. Overwrite the input file with the modified version and wait for the next execution:

Bingo, root shell obtained. Fetching the root flag and we are done.
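From the defender's side, the root cause above is a root cron job feeding curl a config file that a low-privilege user can modify. The following Python audit script is an added example, not part of the original walkthrough: it parses a curl -K style config, flags non-http(s) URLs and output paths outside an expected directory, and checks whether a file's owner and mode would let an unprivileged user change it (ACLs are not covered). The directory /home/floris/admin-area and the sample configs are modelled on the walkthrough.

```python
import os
import re
import stat
from urllib.parse import urlparse

OUTPUT_OPTS = {"o", "output"}      # curl options that write the response to a path
SAFE_SCHEMES = {"http", "https"}   # anything else (file://, ...) reads local data as root

def parse_curl_config(text: str):
    """Parse a curl -K config: one option per line as 'opt = value', 'opt value' or '-o value'."""
    pairs = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"^-{0,2}([A-Za-z][\w-]*)\s*(?:[=:]\s*)?(.*)$", line)
        if not m:
            continue
        opt, val = m.group(1), m.group(2).strip()
        if len(val) > 1 and val[0] == val[-1] == '"':   # curl strips a quoted value's quotes
            val = val[1:-1]
        pairs.append((opt, val))
    return pairs

def audit_config(text: str, allowed_dir: str):
    """Findings for a config that a root cron job feeds to curl, as on this box."""
    allowed = os.path.normpath(allowed_dir)
    findings = []
    for opt, val in parse_curl_config(text):
        if opt == "url" and urlparse(val).scheme not in SAFE_SCHEMES:
            findings.append(f"url scheme {urlparse(val).scheme!r}: curl reads local data as root")
        if opt in OUTPUT_OPTS:
            inside = os.path.isabs(val) and os.path.commonpath([allowed, os.path.normpath(val)]) == allowed
            if not inside:
                findings.append(f"output path {val!r} is outside {allowed}: arbitrary file write as root")
    return findings

def untrusted_can_modify(st_mode: int, st_uid: int, trusted_uid: int = 0) -> bool:
    """True if a config read by root can be changed by someone else: owned by another
    uid, or group/other-writable. Pass os.stat(path).st_mode and .st_uid for a real file."""
    return st_uid != trusted_uid or bool(st_mode & (stat.S_IWGRP | stat.S_IWOTH))

# Constructed samples: the config the cron job expects, and the tampered one from above
BENIGN = 'url = "http://127.0.0.1"\noutput = "/home/floris/admin-area/report"\n'
TAMPERED = 'url = "file:///home/floris/.exploit/sudoers"\noutput = "/etc/sudoers"\n'

if __name__ == "__main__":
    for name, cfg in (("benign", BENIGN), ("tampered", TAMPERED)):
        print(name, audit_config(cfg, "/home/floris/admin-area"))
```

The fix on the box side is the same check in reverse: a config consumed by a privileged job must be root-owned and not group/other-writable, and the job should be restricted to http(s) URLs and a fixed output path.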

Thank you L4mpje for creating the box Curling. I hope you enjoyed the box and the walkthrough!