Saturday, August 8, 2020

HackTheBox - Fatty

 Hello guys. Today we will be doing Fatty from HackTheBox

This box is marked as Insane probably due reversing stuff. If you are into reversing then this box is relatively easy one.  

Port scanning

As we do not have any web server and higher ports are not recognized by nmap so lets download all files from as we have anonymous access.

FTP

Now we have username and password which is great. However we know a purpose of the higher ports from nmap scan.

Reversing client

Before we even connect to the server lets reverse the client in jadx-gui.

As we already know port 8000 is not used so we need to redirect traffic to port 1337 and as they use hostname we have to add it to the /etc/hosts and then run socat

Now it is time to download the newest Java 8 and Eclipse for Java 

Run the client and login with: qtc:clarabibi

From FileBrowser functionality we can read some notes about security issues. It would be good if could read files from others directories. In Eclipse install this plugin Enhanced Class Decompiler. Once we have it installed Create a Java Project -> change JRE to 8 -> Next -> Libraries -> Add External JARs -> choose our client and click Finish. There is one more thing to do it: Window -> Preferences -> General -> Editors -> File Associations -> class without source -> choose Class Decompiler Viewer and click Default.

Now put a breakpoint like this

Now we can debug application by clicking Debug As -> Java Application and then choose Starter class. After logging in head over to FileBrowser choose Configs (but it does not matter what you choose) and switch perspective to Debug.

As we change arg as above and hit Resume button then we get this

The file jar is a binary file so we can't read it by open functionality. In Eclipse we do not have any functionality to dump data in debugger to a file. The only workaround is to put conditional breakpoint which gives you ability to execute any code like in our case saving to a file.

Then right click on breakpoint properties

Now open fatty-server.jar and remember to change path to .. and after a while we should have the server.jar. 

There were some rubbish bytes at the beginning of the file and after removing them. We have server.jar which we can load to jadx-gui.

Reversing server


This is very simple SQL Injection. For this we use simple union select injection like this:

' union select 1337, 'pwned', 'pwned@fatty.htb', 'a2b782c00592afd41d63bde32dc48ab0ddc5dbfe8b99a11a2fb55b6bc0d2111a', 'admin

This will be our login payload. Now put breakpoint in htb.fatty.shared.message.LoginMessage at 32 line and debug client. For login put our payload from above and password leave as empty and click Login. Once we hit a breakpoint change variable this -> user -> password to a2b782c00592afd41d63bde32dc48ab0ddc5dbfe8b99a11a2fb55b6bc0d2111a and click Resume.

Now as we are admin we can change password and above code let us RCE due deserialization.

We use ysoserial to get payload. Remove all breakpoint and put breakpoints in htb.fatty.shared.message.ActionMessage at 19 and 37 lines then list files in FileBrowser and change command from files to changePW and args to our payload

And...

We are in docker... and we can't get a proper shell. After looking around there is one interesting file /opt/fatty/tar/logs.tar so we can make assumption that host downloads this log file.

And we are root! Fun and great box. Hope you guys enjoy it and learnt something new.