
Hacking the Bagel Shop

Hacking into the Bagel Server

This is my write-up of the Medium-difficulty Hack The Box machine “Bagel”. Hacking into this machine, we assume the role of a bagel-loving hacker who tries to infiltrate an online bagel shop’s server. Topics covered in this article are LFI, fuzzing for process IDs, reverse engineering, JSON deserialization, and, of course, bagels.

As usual, once we’ve booted the machine up we start with an nmap scan.

The results from the scan take a bit of time to interpret, but it’s clear that the bagel shop is running SSH on port 22, something that’s using Microsoft-NetCore/2.0 on port 5000 and what appears to be a Werkzeug Python server on port 8000. Naturally, our first target will be the Werkzeug deployment. Hopefully we’ll be able to gather some information about the system and possibly learn more about the service running on port 5000.

Browsing to port 8000 will redirect us to bagel.htb:8000/?page=index.html

Here we see a delicious selection of bagels that we can order online.

What I immediately notice is the way that the website retrieves files to be displayed. The web application retrieves pages based on a query parameter called “page”. The value of the “page” parameter determines which page to fetch and display. Therefore, when we put “bagel.htb:8000/?page=index.html” in our browser it fetches the index.html page and renders it. However, if there is no filtering in place, we may be able to retrieve any arbitrary file from the backend, which would mean that there is a Local File Inclusion vulnerability (LFI) in the web app.

I know a bit about Werkzeug’s file structure and I know that there should be an app.py file that’s pretty important. The app.py file typically serves as the main entry point for the application and contains the Flask application instance. Basically, it’s a central point for the application and we should try to read it with our LFI.

I start recursively moving back from whatever present working directory I’m in using ../ searching for the app.py file. I get the file after moving back one directory.
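The root cause of this LFI is the server joining the raw `page` value onto its web root and serving whatever that resolves to. As an added Python sketch (not the shop's app.py, which is not reproduced in this write-up), here is that flawed resolver next to a hardened one; the web root and the page names are assumptions.

```python
import posixpath
from pathlib import PurePosixPath

# Constructed layout (assumption; the shop's real directory tree is not on the page).
WEB_ROOT = PurePosixPath("/srv/bagel/static")
ALLOWED_PAGES = {"index.html", "orders.html", "contact.html"}


def resolve_page_vulnerable(page: str) -> PurePosixPath:
    """The pattern behind the LFI: the raw ``page`` value is joined onto the web
    root and normalised, so ``../app.py`` climbs out of it and an absolute value
    such as ``/etc/passwd`` replaces the root entirely (posixpath.join semantics)."""
    return PurePosixPath(posixpath.normpath(posixpath.join(str(WEB_ROOT), page)))


def is_inside_root(candidate: PurePosixPath) -> bool:
    """True only when the normalised path lies strictly below WEB_ROOT."""
    return WEB_ROOT in candidate.parents


def resolve_page_hardened(page: str) -> PurePosixPath:
    """Two independent controls: an allow-list of page names, then a containment
    check on the normalised path, so a gap in one is still caught by the other."""
    if page not in ALLOWED_PAGES:
        raise ValueError(f"unknown page: {page!r}")
    candidate = resolve_page_vulnerable(page)  # same normalisation, now checked
    if not is_inside_root(candidate):
        raise ValueError(f"page escapes the web root: {page!r}")
    return candidate


def page_allowed(page: str) -> bool:
    """Request-filter form of the same check: True if the page would be served."""
    try:
        resolve_page_hardened(page)
    except ValueError:
        return False
    return True
```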

We can write our own Python script that will connect to the web socket:

We can guess that whatever is running on port 5000 is this mysterious .dll executable. We need to download it and reverse engineer its source code! I can read files with my LFI, but how will I be able to find out where the executable is? Well, if it’s currently running as a process, we can search for running processes using the LFI and get its location that way!

The first thing we need to do is make a list of possible process id numbers:

This creates a wordlist of the integers from 1 to 3000.

Now we can use wfuzz to fuzz for running processes on the machine.

This is going to return a list of running processes. We can copy and paste this into a text file and then clean it up a bit with the cut command:

This will give us a nice list of process ID numbers that are running on the machine. Now that I have a list of running processes on the machine, we can write a quick bash script that’s going to send curl requests to each of them and append the output to a file.

This is going to give us a list of running processes, along with the path to the executable that is running. Going through the list we spot this:

Nice! Now we know the location of the bagel.dll executable! We can go and download it with our LFI.
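From the defender's side, the PID fuzzing described above leaves a very recognisable trace: one client reading /proc/<n>/cmdline through the `page` parameter, many times within a few seconds. This added Python example (not part of the write-up) parses constructed Werkzeug-style access log lines, decodes the `page` value and flags traversal, absolute paths and /proc reads per client; the log format, timestamps and addresses are assumptions.

```python
import re
from collections import defaultdict
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed Werkzeug-style access log lines (not taken from the real machine).
SAMPLE_LOG = """\
10.10.14.5 - - [11/Feb/2023 12:00:01] "GET /?page=index.html HTTP/1.1" 200 -
10.10.14.5 - - [11/Feb/2023 12:00:09] "GET /?page=../app.py HTTP/1.1" 200 -
10.10.14.5 - - [11/Feb/2023 12:00:15] "GET /?page=../../../../proc/1/cmdline HTTP/1.1" 200 -
10.10.14.5 - - [11/Feb/2023 12:00:15] "GET /?page=../../../../proc/2/cmdline HTTP/1.1" 404 -
10.10.14.5 - - [11/Feb/2023 12:00:16] "GET /?page=../../../../proc/3/cmdline HTTP/1.1" 404 -
10.10.14.5 - - [11/Feb/2023 12:00:16] "GET /?page=..%2F..%2F..%2F..%2Fproc%2F4%2Fcmdline HTTP/1.1" 404 -
10.10.14.9 - - [11/Feb/2023 12:00:20] "GET /?page=orders.html HTTP/1.1" 200 -
"""

LINE_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')
PROC_RE = re.compile(r"(?:^|/)proc/(\d+)/")


def classify(target: str):
    """Inspect one request target; returns (decoded page value, reasons, pid or None)."""
    query = parse_qs(urlsplit(target).query)
    # parse_qs already decoded once; a second unquote catches double-encoded values.
    page = unquote(query.get("page", [""])[0])
    reasons = []
    if ".." in page.split("/"):
        reasons.append("traversal")
    if page.startswith("/"):
        reasons.append("absolute-path")
    pid = int(m.group(1)) if (m := PROC_RE.search(page)) else None
    if pid is not None:
        reasons.append("proc-read")
    return page, reasons, pid


def analyze(log_text: str, pid_threshold: int = 3) -> dict:
    """Per client: suspicious request count, distinct PIDs read, enumeration verdict."""
    per_ip = defaultdict(lambda: {"flagged": 0, "pids": set()})
    for line in log_text.splitlines():
        match = LINE_RE.match(line)
        if not match:
            continue
        _, reasons, pid = classify(match["target"])
        if reasons:
            per_ip[match["ip"]]["flagged"] += 1
        if pid is not None:
            per_ip[match["ip"]]["pids"].add(pid)
    return {ip: {"flagged": d["flagged"], "pids": sorted(d["pids"]),
                 "pid_enumeration": len(d["pids"]) >= pid_threshold}
            for ip, d in per_ip.items()}
```

A single traversal hit already deserves a look; the PID threshold is only there to separate one-off probing from the wordlist-driven sweep.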

A de-cereal-ization attack…

Here is the code for File:

File provides methods and properties for reading and writing files. It allows setting a file to read or write and handles the read/write operations.

Here is the code for Orders:

Finally, we have Handler:

This file is very interesting and contains a vulnerability that we can exploit to move deeper into the bagel network.

In the above code, the Handler class has two methods related to serialization and deserialization: Serialize and Deserialize. The Deserialize method uses JsonConvert.DeserializeObject to deserialize the JSON string into an object. However, a vulnerability arises because this process allows the deserialization of arbitrary types.

The deserialization process can execute arbitrary code while an object is being reconstructed. The TypeNameHandling setting is set to 4, which means “ALL”. This means that the deserializer will attempt to map the JSON object to a .NET object based on the type information provided in the JSON.

By crafting a malicious payload, an attacker can pass a JSON object with a nested type that triggers the execution of malicious code.
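To make the TypeNameHandling problem concrete without the DLL's code, here is an added Python analogue (not the shop's code and not a .NET payload): a deserializer that lets the sender's `$type` pick any class the process knows, beside one that binds only the type the endpoint expects, which is what a strict SerializationBinder does in Newtonsoft.Json. The class bodies and the type-name strings are assumptions.

```python
import json
from dataclasses import dataclass


# Constructed stand-ins named after the classes in the write-up; the bodies are
# assumptions, not the shop's code.
@dataclass
class Orders:
    ReadOrder: str = ""
    WriteOrder: str = ""


@dataclass
class File:
    ReadFile: str = ""
    WriteFile: str = ""


# Every type the process can name: what an unrestricted binder lets the sender pick.
KNOWN_TYPES = {"bagel_server.Orders": Orders, "bagel_server.File": File}
# What the order endpoint is actually meant to accept.
ORDER_TYPES = {"bagel_server.Orders": Orders}


def deserialize_unrestricted(payload: str):
    """Analogue of TypeNameHandling other than None with no SerializationBinder:
    the sender's $type chooses the class, so a File (which the write-up says
    handles file reads and writes) is built where an Orders object was expected."""
    data = json.loads(payload)
    type_name = data.pop("$type", "bagel_server.Orders")
    return KNOWN_TYPES[type_name](**data)


def deserialize_bound(payload: str):
    """Analogue of a strict SerializationBinder: only the expected type binds;
    anything else is rejected before any object is constructed."""
    data = json.loads(payload)
    type_name = data.pop("$type", "bagel_server.Orders")
    cls = ORDER_TYPES.get(type_name)
    if cls is None:
        raise ValueError(f"type not permitted here: {type_name}")
    return cls(**data)


def bound_accepts(payload: str) -> bool:
    """True if the bound deserializer would build an object from the payload."""
    try:
        deserialize_bound(payload)
    except (ValueError, TypeError, KeyError):
        return False
    return True
```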

Running our exploit will result in output that looks like this:

Once we’ve logged in as Phil, I do some light enumeration, but I already have a plan…

You see, when I disassembled bagel.dll with dnspy, I spotted another interesting file called DB:

As you can see it contains a username and password for a database connection. The username is “dev”. I remembered from the /etc/passwd file that there is a user on the system named “developer”. I had tried to ssh into the machine with these creds, but it didn’t work. But now that I was in the machine as phil perhaps I could switch users and become developer?

Yes! We are able to switch over to developer, the password works!

Running sudo -l as developer we see our path to rooting the bagel shop laid out before us!

By running these commands we can break out of the environment and spawn an interactive shell as root!

We’ve done it! We’ve taken over the Bagel Shop! Now all the sweet bagels are ours!!!!
