MovableType is a CMS that allows companies and individuals to host their own blogs.
We audited the open source version of this project, and ended up identifying an unauthenticated RCE vulnerability in the XMLRPC Implementation of MT.
This post explains a bit of how we found the vulnerability.
Writeup HTB Cereal
Cereal is a hard box from HTB.
It begins with a lot of enumeration that leads to source code disclosure for the running application.
Once we have that code, we analyze it to find out that there is a json deserialization vulnerability in it.
It also lets us know that in order to use the vulnerable service, we have to be coming from the server itself.
We then dig deeper and find an XSS vulnerability in the marked library used in the application.
By testing whether a user clicks on it, we find out that the administrator does, and that he's on the server, which is convenient.
Finally we deserialize an object that lets us upload a reverse shell.
System is obtained by using an SSRF in a GraphQL mutation coupled with GenericPotato.
Writeup HTB Laboratory
Laboratory is an easy box from HTB.
It begins with a webserver talking about how secure their services are.
Digging a bit further into that webserver, we find a VHOST that contains a Gitlab instance.
We register into this instance, and notice that the running version of Gitlab is vulnerable to a known exploit that leads to RCE.
We leverage this vulnerability with metasploit to gain a shell on the remote system as the “git” user.
We then use our privileges as the “git” user to gain access to the user dexter’s account in the Gitlab instance.
Once in, we find an SSH key that we can use to connect as dexter to laboratory.htb. For root, we find a fishy binary with suid/sgid bits that calls chmod through a system call using an unsanitized path.
We change our own user's PATH to control what is being executed and gain root.
Writeup HTB Time
Time is a medium box that involves Java deserialization. By scanning the box we notice an Apache server on port 80; while enumerating we notice that the backend of the validate feature uses a library vulnerable to deserialization. We exploit that vulnerability and gain user. Then for root we exploit a crontab/permission misconfiguration that causes a script to be run by root while being writable by the compromised user, essentially letting us execute commands directly as root. It is a fun box but can be complicated for those who do not come from a programming background.
Writeup HTB Luanne
Luanne is categorized as an easy box.
It begins with a lot of enumeration: two webservers and a fishy hidden service.
We leverage the hidden service into RCE in order to get a shell on the system.
We then enumerate and notice another version of the previously exploited service running.
That version of the service is launched with unusual options that grant us access to a conveniently placed SSH key; using this key gets us user.
Afterwards, we decrypt an old backup version of the service and find credentials in a config file; these work for the root user.
Writeup HTB Passage
Writeup for the medium difficulty HTB machine Passage.
This machine begins with an RCE using a public exploit against an old blogging software.
From this point on we escalate to user by cracking the users' password hashes found in the blog software's configuration.
Afterwards, we move laterally to a different user by using a forgotten pair of SSH keys in the first user's home.
Finally we exploit a known vulnerability in the USBCreator service to escalate to root by overwriting passwd and creating a user.
Writeup HTB Academy
Academy is a box that was quite a lot of fun.
It was made to promote the new learning platform from HTB: http://academy.hackthebox.eu.
This box is fun and definitely a must for newfound offensive security enthusiasts.