HackTheBox Writeup — Craft

Hello Guys , I am Faisal Husaini. My username on HTB is “kngf” .

The IP of this box is 10.10.10.110

Port Scan

Running NMAP on the open ports , we get

We see 2 ssh ports open on Port 22 and Port 6022 and one https service running on Port 443

Port 443

Ignoring the risk and moving , we see

We get to the homepage and see an About Craft and it says about rest API and asks to check their API , also on the top right corner we get two links , clicking on both , we get redirected to

We get api.craft.htb and gogs.craft.htb which I already put on my hosts file like given below

Looking in the API stuff , we see many stuffs like GET requests for Auth Token Validity Check and Auth Login , and many other methods for the brew stuff

Checking the GET /auth/login part

We see that it asks for Try it out option , clicking on that

Its gives us an Execute button and a Cancel button too, clicking on Execute

It prompts us for Login , typing random admin admin creds , we see

It fails , so we now move on to gogs.craft.htb

We see it has one repository , we move on and open it

We get some python scripts , and this is totally similar like what we see on Github Repositories of someone

We move onto the tests folder and see

There is a test.py script , checking the code

This script does the authentication part of the API GET /auth/login and then checks the validity of the token on /auth/check ,checking the commits of this folder

We see that it had some changes in the code and also it contains creds for user dinesh, we try these creds on that login API which we saw before and see what happens

We put our credentials and then click OK , also checking the responses

We see in the responses that we got the token , and we can see this on the web page too

We can verify the validity of the Token using the /auth/check API which we got before

We click on execute and see

We get invalid token message and also we didnt see our token given in the request too , so we dont know the format of providing our token for the request to check the validity , so we move on to the Gogs

We can see that there is an issue in this repo , we move on that tab and see

It has something like Bogus ABV Values , we open it and check

We see that the guy Dinesh provides the token in the header X-CRAFT-API-Token so we will now validate our token using Postman instead of Curl

Here we put our URL to the /auth/check API and put our Token Headers and its Value and click Send

We get the “Token is valid!” message , also remember that the token gets expired in a matter of time , so keep updated from /auth/login , it will give different tokens

Since we had scripts for Authentication API on the Gogs , let’s check the scripts for Brew on it

Here on craft-api/api , we have our scripts related to auth and brew moving onto the brew folder , we see

We get 4 python scripts and one endpoints folder , looking further on that folder

We have 2 python files , the interesting one looks brew.py , checking the code , we see

We see python codes , scrolling futher down below

We see that the Post function on BrewCollection class is running eval function on the json parameter ‘abv’ , and we know that python eval function is vulnerable to code execution , the Post function here is literally the POST method which was in the Brew API

Expanding this , we can see that

We see that it has a paramter ‘abv’, so we can exploit the python eval function using this parameter

So we intercept this request on Burp and modify the params and tokens

We changed the contents of abv parameter and added our token and tried to use the ls command , but we didnt get any input back , lets try pinging our machine back

We click on Go and see the results of tcpdump

We get pinged back to ourselves and came to know that it has blind OS Injection , so we now move onto getting a reverse shell

We are ready to get our reverse shell , so we move to check our netcat

We got our reverse shell , since I used rlwrap I have a proper shell where I can use clear and arrow keys , so now we move futher on

We see that we got spawned to the /opt/app location and it contains the files and folders that we saw on Gogs , so we enter the craft_api folder to see if we get something interesting

We see a python script named settings.py which was not there in the Gogs repo , we see the code present

We see that it contains MYSQL Database creds , and we also remember that we had a dbtest.py script on /opt/app , looking at the contents of the script

We see that it uses the pymysql python module to connect to a mysql database and uses the creds from the settings.py script , also it runs the sql command given in the sql variable and then returns the output as result

Running the script , we see

We see that we got the result of the query “SELECT * from brew;” , so we will remove this script and edit the script and change the query and also the fetching method used , i.e , fetchone() as it just fetches one row and change it to fetchall()

So we modified the code and will use it to list the tables , now we will save this script and send it to the box using python SimpleHTTPServer and get the file through wget

Now we run the script

We see that we get two tables , brew and user , we will use the user tables and list out all the contents

So , we now run the script and see

We see that we got three credentials for user dinesh , ebachman and gilfoyle

Since we already got dinesh’s credentials before from the commits and it didnt worked out with SSH , so we will try out the other ones with SSH

We tried login in through SSH , but it failed eventually for every users , lastly we were left with the Gogs Login Page

We use the creds for gilfoyle and see

We click on Sign In and

We got login as gilfoyle on Gogs , going to his repositories craft-infra

We see that it has .ssh folder , which might contain the public key for the SSH

We get the ssh key , so we just copy it to our box and then save it , also change the permission to 600

We try to connect through SSH using this key

We see that it asks for passphrase , so we put the password of gilfoyle which we got before from the mysql database and check

We got connected successfully as gilfoyle on the box , now we move on to getting the user flag

The user flag was located on the same place where we were spawned after connecting through SSH , now we move on to privelege escalation part

Privelege Escalation

We see that Vault is running by root , also on the home directory of gilfoyle , we find a vault token

We cat that token and see

Also from the repository of Gilfoyle on gogs , we see a folder names vault , so we open in and see

There are three files , interesting one looks the secret.sh file , we look into that file

We see that it has enables secrets on ssh and given default_user as root , so it means that we can get the root otp and use it as ssh login password for root

We authenticated to the vault server using the token we have

Now we get the root otp so that we can use it to connect to root account through SSH

As we got the root otp at the key section , we use it as password for root SSH Login

We got successfully logged in as root and now its time to get the root flag

We got the root flag and here’s the machine solved

Overall this was my favourite box I solved after Olympus as it was totally real life scenario based.

References

Hacker | Bug Hunter | Python Coder | Gamer | Reverse Engineering Lover

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store