ForwardSlash was a hard-rated Linux box where an LFI vulnerability in a file upload function on a vhost was exploited with PHP wrappers to find creds that worked for SSH. A backup utility was found that required a bash one-liner to read a backup file containing creds for another user. Finally, an encrypted disk partition was decrypted with a script to gain root's private SSH key for a root shell. I added forwardslash.htb to my /etc/hosts and got started.
Enumeration
nmap scan:
![](/content/images/2020/07/image.png)
Let's check out http:
![](/content/images/2020/07/image-1.png)
Uh oh, someone got hacked. Let's see what gobuster turns up:
![](/content/images/2020/07/image-2.png)
Note.txt:
![](/content/images/2020/07/image-3.png)
I took the hint and added backup.forwardslash.htb to my host file:
![](/content/images/2020/07/image-4.png)
Initial Foothold
I didn't have an account but the sign up form worked:
![](/content/images/2020/07/image-5.png)
I got in and checked out the dashboard:
![](/content/images/2020/07/image-6.png)
A quick message about our environment:
![](/content/images/2020/07/image-7.png)
The message continues in the source code:
![](/content/images/2020/07/image-8.png)
The 'Change your profile picture' button looked ripe for abuse:
![](/content/images/2020/07/image-9.png)
It was disabled via HTML as the source shows:
![](/content/images/2020/07/image-17.png)
This is circumvented by interrupting it with Burp and deleting those pesky 'disabled' tags:
![](/content/images/2020/07/image-11.png)
I sent a test URL with a Python http server running just to confirm it would work:
![](/content/images/2020/07/image-12.png)
Yup, it works:
![](/content/images/2020/07/image-13.png)
I played around with it and sent the site's login.php to see what would happen:
![](/content/images/2020/07/image-14.png)
![](/content/images/2020/07/image-15.png)
Looking at the POST request in Burp showed that the url parameter was in the body, so in a Repeater tab I tried /etc/passwd as the url:
![](/content/images/2020/07/image-16.png)
Now that LFI is confirmed, it's time to figure out which files to look at, so gobuster once again comes out to play:
![](/content/images/2020/07/image-18.png)
Config.php sounded promising but contained creds I couldn't do anything with:
![](/content/images/2020/07/image-19.png)
'Dev' directories are often good targets but I had no access:
![](/content/images/2020/07/image-20.png)
I was unable to view some of the PHP files with LFI, and it took a while before I thought to look at PayloadsAllTheThings for ideas. There I learned about using PHP wrappers:
![](/content/images/2020/07/image-21.png)
I tried it on index.php:
![](/content/images/2020/07/image-22.png)
Got a base64 encoded block back:
![](/content/images/2020/07/image-23.png)
Cool, it worked perfectly even though this particular file was of no help:
![](/content/images/2020/07/image-24.png)
I checked out the other PHP files and turned up nothing. I scratched my head over this until I reviewed my notes and realized that the /dev directory might have an index.php file in it. I repeated the process above and found creds inside:
![](/content/images/2020/07/image-25.png)
Those creds worked for SSH and we now have a stable shell on the box:
![](/content/images/2020/07/image-27.png)
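The fetch-by-URL profile picture feature above accepted anything as a "url", which is what let a php://filter base64 wrapper and /etc/passwd come back as file contents. As an added defender-side example (not code from the box or the original post), here is how such a handler should validate the url parameter, plus a detector run over a few constructed application log lines; the endpoint name and log format in the sample are made up.

```python
import re
from urllib.parse import urlparse, unquote

# Only remote http(s) fetches make sense for a profile picture; every
# other scheme (php://, file://, data://, ...) and every bare path is rejected.
ALLOWED_SCHEMES = {"http", "https"}

# Markers a defender would flag for a fetch-by-URL feature: PHP stream
# wrappers and local-file access attempts. Logs are URL-decoded first so
# percent-encoded variants (php%3A%2F%2F) are caught too.
SUSPICIOUS = re.compile(
    r"(php://|file://|data://|expect://|phar://|zip://|glob://|"
    r"\.\./|/etc/passwd|/etc/shadow)",
    re.IGNORECASE,
)

# Constructed sample log lines (not from the box): one benign fetch,
# one wrapper read, one /etc/passwd read, one percent-encoded wrapper read.
SAMPLE_LOG = [
    'POST /profilepicture.php user=alice url=http://10.10.14.5:8000/test.png',
    'POST /profilepicture.php user=alice url=php://filter/convert.base64-encode/resource=index.php',
    'POST /profilepicture.php user=alice url=/etc/passwd',
    'POST /profilepicture.php user=alice url=php%3A%2F%2Ffilter%2Fconvert.base64-encode%2Fresource%3Dindex.php',
]


def is_safe_picture_url(url: str) -> bool:
    """Accept only absolute http(s) URLs with a host.

    php://filter/..., /etc/passwd, relative names such as login.php and
    percent-encoded wrappers all fail here before any fetch is attempted.
    Note this does not by itself prevent SSRF to internal hosts; that needs
    a separate destination check.
    """
    parsed = urlparse(unquote(url.strip()))
    return parsed.scheme.lower() in ALLOWED_SCHEMES and bool(parsed.netloc)


def flag_log_lines(lines):
    """Return (line, matched_marker) for every log line carrying an LFI/wrapper marker."""
    hits = []
    for line in lines:
        m = SUSPICIOUS.search(unquote(line))
        if m:
            hits.append((line, m.group(1)))
    return hits


if __name__ == "__main__":
    for line, marker in flag_log_lines(SAMPLE_LOG):
        print(f"[{marker}] {line}")
```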
User Pivot
Chiv had access to Pain's home directory, and in it there was a note:
![](/content/images/2020/07/image-28.png)
Inside Pain's home directory was an 'encryptorinator' folder:
![](/content/images/2020/07/image-29.png)
Let's check out this encrypter.py file:
![](/content/images/2020/07/image-30.png)
I didn't know what to do with this yet so I continued to enumerate the system. I found another note in /var/backups:
![](/content/images/2020/07/image-31.png)
The files in there:
![](/content/images/2020/07/image-32.png)
That config.php.bak file looked tempting but I could not view it. Back to enumerating! I eventually found a SUID file, /usr/bin/backup:
![](/content/images/2020/07/image-33.png)
Let's run it to see what happens:
![](/content/images/2020/07/image-34.png)
I flailed here for a good while trying to be fancy (figuring out the time, hashing it, etc.) before I got a nudge that I had everything I needed already. That set off a lightbulb/facepalm combo, and I shortly had a bash one-liner that would read the value from the error message, create a symlink to the config.php.bak file and re-run the /usr/bin/backup file:
![](/content/images/2020/07/image-35.png)
These creds allowed me to su to Pain:
![](/content/images/2020/07/image-36.png)
User flag:
![](/content/images/2020/07/image-37.png)
Privilege Escalation
Let's see what Pain has sudo access to:
![](/content/images/2020/07/image-38.png)
Further enumeration revealed an encrypted file:
![](/content/images/2020/07/image-39.png)
Let's try decrypting just to see what it looks like:
![](/content/images/2020/07/image-40.png)
The intended route appears to be decrypting the backup and mounting it. I believe some people took an unintended route of uploading their own image, mounting it and getting root that way, but I didn't think of that :/.
Remember that 'encryptorinator' folder in Pain's home directory? It's what was used to encrypt the disk image, and from what I gathered on the HTB Discord, the encryption is weak and easily defeated. I tried to figure out the flaw, but the math gave me a headache, so I went brute force with rockyou.txt. I was able to bumble/copy-paste my way into throwing rockyou.txt at the problem, but had major issues trying to figure out how to parse the results, which were screenfuls of junk. I finally teamed up with someone, and here's the final script we came up with:
![](/content/images/2020/07/image-41.png)
It was basically a lot of guesswork and experimentation; we settled on showing only results that contained more than 145 ASCII characters. Running the script wasn't pretty, but it worked:
![](/content/images/2020/07/image-42.png)
The password let me decrypt the file:
![](/content/images/2020/07/image-43.png)
Mount it:
![](/content/images/2020/07/image-44.png)
Inside we find an id_rsa file:
![](/content/images/2020/07/image-45.png)
![](/content/images/2020/07/image-46.png)
This private key lets us SSH in as root:
![](/content/images/2020/07/image-47.png)
Root flag:
![](/content/images/2020/07/image-49.png)