• author: IppSec

HackTheBox Bagel – Exploiting a Linux Box with .NET

In this article, we will be exploring the HackTheBox (HTB) machine "Bagel". Bagel is a Linux box that features .NET, which is pretty cool now that .NET core runs on Linux. The first step of the box is just a standard python flask web server that features a file disclosure vulnerability. You can leak its source code to reveal it talks to the .NET application over Port 5000, and you can also use that same file disclosure to brute force pids in the /proc directory to see all the running processes of the box, or at least the processes you have access to. One of those CMD lines that you can see leaks where the dll for the .NET web server is. You can use the file disclosure to download the dll, do some light reversing, discover there is a deserialization vulnerability in the .NET web server that leads to you extracting a SSH key, and then the priv esc of the box is sudowic.net.


As always, we start off with nmap. The command we used is:

nmap -sC -sV -oA Bagel

After running the above command, we can see there are just three open ports. The first one is SSH on Port 22, and its banner tells us it's an OpenSSH server. We also have Port 5000 that is open, and based upon these headers, it looks like it is a web server, and we see Microsoft.netcore 2.0, so we may think this is a Windows box, but we can validate it by using the TTL. If we do a ping, we see the TTL is set to 63; the default TTL on Linux is 64, so it decrements by one and you get 63. Therefore, we know this is Linux. If it were Windows, the default TTL there is 128, decrements by 1 to 127, so if we saw 127, that would be Windows, and 63 would be Linux. It is odd that it is running .NET on Linux, but that is possible nowadays. We also have Port 8000 that is open. It's running WorkZog, and that's Python 3.10.

Initial Exploitation

Looking into Port 8000, we can see it is redirecting us to bagel.hdb with page equal to index.html. This looks like a textbook file disclosure vulnerability right off the bat. Therefore, let's add this to a host file by using sudo vi /etc/hosts, then adding the IP address and domain name: bagel.htb

After adding the host entry, we can go to bagel.htb and try Port 5000 first. However, we just get a white page, so let's try port 8000 by going to the URL bagel.htb:8000. We get a "Welcome to the bagel shop" message, but scrolling down, we can see that it just looks like a shop, and we don't see any way to order anything.

Since we noticed that there is a /orders page, let's check that out, and it looks like it just leaks all their clients. So this would be a vulnerability right off the bat. We can see that P. Morgan bought 20 chocolate bagels, and his address looks like this is just a horrible online shop. But we don't know exactly what to do with orders; however, we could enumerate this directory to find other endpoints. Whenever we see page=, we always test for file disclosure. Therefore, we will start with file disclosure.

File and Directory Disclosure

We start by testing for LFI (Local File Inclusion) by putting a bunch of dot dot slashes and see that we get the /etc/passwd file. The very first thing we generally check is /proc/self/cmdline, which shows us where we're running out of. In this case, it is /home/developer/app/app.py. To include this file, we can do:


We get the application source. We can also test for SSH keys by doing .ssh/id_rsa, which returns "file not found."

We can also test if directories exist by doing /home/developer/nonexistentdir, which returns "file not found," but we cannot validate if directories exist. If we couldn't access this proc directory, we could try including the filename, such as /static/app.py.

WebSocket Server

Going back to the file disclosure, in the code, there is a comment saying "Don't forget to run the order app first with .net." This suggests that Port 5000 is running .NET, and then it's just doing a WebSocket connection, which is not really a web server; it's a WebSocket server. Then it's sending "read order orders.txt," and there's outputting the data. Therefore, we can connect through websockets and use a tool called ws-cat to send text.

We can do:

wscat -c ws://

And then grab "read order" out of app.py and send it this string. We can see that we get unauthorized access, but it outputs a list of all the orders. If we find the DLL file for the .NET web server, we can extract the source code and analyze the application running.

Exploiting Bagel Server: Finding and Analyzing the Running Process

In this section, we will discuss how to find and analyze the running process of Bagel Server in order to exploit its vulnerabilities. We will use a combination of command-line tools and scripting to achieve this.

Finding the Running Process

To find the running process, we need to locate the DLL file that Bagel Server is running. We can do this by using the following steps:

  1. Get our own PID by running echo $$.
  2. Use curl to access Bagel Server's webpage and specify the PID to view the running process.
  3. Brute force all PIDs to locate the DLL file.

We can automate this process by using the script below:

#!/bin/bashforiin{0..1000};doecho-n$icurl-s"http://bagel.htb:8000/?page=/proc/$i/cmdline"\-o/dev/null\&&echo" PID $i found"done

This script will output the PIDs that have successfully run Bagel Server. We can then locate the file's path and extract its source code.

Analyzing the Source Code

Once we have located the DLL file, we can use a tool like DNSpy on our Windows box to decompile and analyze the source code. We can find the message received function, which receives and deserializes a JSON object. It uses the Newton Soft JSON Library, with the type name handling set to 4, which allows us to create an object containing gadgets and call other functions within the application.

We can use this to exploit various vulnerabilities, including reading and writing files to the disk and leaking credentials from the DB class. We can also use an SSH key to access the machine as a different user.

Exploring the Bagel Server

In this article, we will be taking a closer look at the Bagel server and examining its vulnerabilities. Our aim is to demonstrate the importance of secure coding practices and secure configurations. Let's dive into the details of our exploration.

Removing Orders and Creating an Object

We begin by removing orders and creating an object. Here are the steps we followed:

  1. Remove order
  2. Create an object with the type "Bagel server"
  3. For the object, specify "Bagel" as the inner object
  4. Read file with a file name of "orders.txt" in the directory "opt/Bagel/orders"

Reading sh Keys and Logging into Bagel Server

We then move on to reading sh keys and logging into the Bagel server. Here are the steps we followed:

  1. Read sh keys using the command: home/developer/SSH/id_rsa
  2. Use printf to obtain the "fill.id_rsa" file
  3. Change the permission to 600 for "fill.id_rsa"
  4. Log into Bagel server using "[email protected]" with the obtained "fill.id_rsa" file
  5. Check for the existence of the "user.txt" file
  6. Execute the "sudo -l" command to see which users have sudo privileges
  7. Locate the "python web server" in the "developer" user's directory
  8. Check for the .NET application and run it using "sudo userbin.net"
  9. Check for vulnerabilities using the GTFO bins command

Accessing Root and Abusing F-Sharp

Our exploration led us to access root and abuse F-Sharp. Here are the steps we followed:

  1. Check for the existence of the Bagel executable
  2. Access root and obtain "root.txt" file
  3. Create an FSI file and run F-Sharp commands to access system files

InIn conclusion, we were able to exploit a linux box with .net by discovering a file disclosure vulnerability, using websocket connections, and finding a dll file for the .net server. by doing so, we could extract the source code and analyze the application’s code running on the box. it was a fun challenge to break down and exploit this box! Finding and analyzing the running process of bagel server is crucial to exploiting its vulnerabilities. with the right tools and scripts, we can locate the dll file, extract its source code, and use it to exploit various vulnerabilities. this information can be used to secure the application and prevent future attacks. , our exploration of the Bagel server revealed vulnerabilities that could be exploited by malicious actors. This underlines the need for developers to follow secure coding practices and for users to configure their systems securely.

Previous Post

Achieving 1 Million YouTube Views: What I Learned on the Way

Next Post

Leveraging AI to Scale Your Marketing Agency: An Interview with Ryan Stewart

About The auther

New Posts

Popular Post