- author: IppSec
HackTheBox Bagel – Exploiting a Linux Box with .NET
In this article, we will be exploring the HackTheBox (HTB) machine "Bagel". Bagel is a Linux box that features .NET, which is pretty cool now that .NET core runs on Linux. The first step of the box is just a standard python flask web server that features a file disclosure vulnerability. You can leak its source code to reveal it talks to the .NET application over Port 5000, and you can also use that same file disclosure to brute force pids in the /proc directory to see all the running processes of the box, or at least the processes you have access to. One of those CMD lines that you can see leaks where the dll for the .NET web server is. You can use the file disclosure to download the dll, do some light reversing, discover there is a deserialization vulnerability in the .NET web server that leads to you extracting a SSH key, and then the priv esc of the box is sudowic.net.
Enumeration
As always, we start off with nmap. The command we used is:
nmap -sC -sV -oA Bagel 10.10.11.201
After running the above command, we can see there are just three open ports. The first one is SSH on Port 22, and its banner tells us it's an OpenSSH server. We also have Port 5000 that is open, and based upon these headers, it looks like it is a web server, and we see Microsoft.netcore 2.0, so we may think this is a Windows box, but we can validate it by using the TTL. If we do a ping 10.10.11.201, we see the TTL is set to 63; the default TTL on Linux is 64, so it decrements by one and you get 63. Therefore, we know this is Linux. If it were Windows, the default TTL there is 128, decrements by 1 to 127, so if we saw 127, that would be Windows, and 63 would be Linux. It is odd that it is running .NET on Linux, but that is possible nowadays. We also have Port 8000 that is open. It's running WorkZog, and that's Python 3.10.
Initial Exploitation
Looking into Port 8000, we can see it is redirecting us to bagel.hdb with page equal to index.html. This looks like a textbook file disclosure vulnerability right off the bat. Therefore, let's add this to a host file by using sudo vi /etc/hosts, then adding the IP address and domain name:
10.10.11.201 bagel.htb
After adding the host entry, we can go to bagel.htb and try Port 5000 first. However, we just get a white page, so let's try port 8000 by going to the URL bagel.htb:8000. We get a "Welcome to the bagel shop" message, but scrolling down, we can see that it just looks like a shop, and we don't see any way to order anything.
Since we noticed that there is a /orders page, let's check that out, and it looks like it just leaks all their clients. So this would be a vulnerability right off the bat. We can see that P. Morgan bought 20 chocolate bagels, and his address looks like this is just a horrible online shop. But we don't know exactly what to do with orders; however, we could enumerate this directory to find other endpoints. Whenever we see page=, we always test for file disclosure. Therefore, we will start with file disclosure.
File and Directory Disclosure
We start by testing for LFI (Local File Inclusion) by putting a bunch of dot dot slashes and see that we get the /etc/passwd file. The very first thing we generally check is /proc/self/cmdline, which shows us where we're running out of. In this case, it is /home/developer/app/app.py. To include this file, we can do:
http://bagel.htb:8000/static/../../home/developer/app/app.py
We get the application source. We can also test for SSH keys by doing .ssh/id_rsa, which returns "file not found."
We can also test if directories exist by doing /home/developer/nonexistentdir, which returns "file not found," but we cannot validate if directories exist. If we couldn't access this proc directory, we could try including the filename, such as /static/app.py.
WebSocket Server
Going back to the file disclosure, in the code, there is a comment saying "Don't forget to run the order app first with .net." This suggests that Port 5000 is running .NET, and then it's just doing a WebSocket connection, which is not really a web server; it's a WebSocket server. Then it's sending "read order orders.txt," and there's outputting the data. Therefore, we can connect through websockets and use a tool called ws-cat to send text.
We can do:
wscat -c ws://10.10.11.201:5000
And then grab "read order" out of app.py and send it this string. We can see that we get unauthorized access, but it outputs a list of all the orders. If we find the DLL file for the .NET web server, we can extract the source code and analyze the application running.
Exploiting Bagel Server: Finding and Analyzing the Running Process
In this section, we will discuss how to find and analyze the running process of Bagel Server in order to exploit its vulnerabilities. We will use a combination of command-line tools and scripting to achieve this.
Finding the Running Process
To find the running process, we need to locate the DLL file that Bagel Server is running. We can do this by using the following steps:
- Get our own PID by running
echo $$. - Use
curlto access Bagel Server's webpage and specify the PID to view the running process. - Brute force all PIDs to locate the DLL file.
We can automate this process by using the script below:
#!/bin/bashforiin{0..1000};doecho-n$icurl-s"http://bagel.htb:8000/?page=/proc/$i/cmdline"\-o/dev/null\&&echo" PID $i found"doneThis script will output the PIDs that have successfully run Bagel Server. We can then locate the file's path and extract its source code.
Analyzing the Source Code
Once we have located the DLL file, we can use a tool like DNSpy on our Windows box to decompile and analyze the source code. We can find the message received function, which receives and deserializes a JSON object. It uses the Newton Soft JSON Library, with the type name handling set to 4, which allows us to create an object containing gadgets and call other functions within the application.
We can use this to exploit various vulnerabilities, including reading and writing files to the disk and leaking credentials from the DB class. We can also use an SSH key to access the machine as a different user.
Exploring the Bagel Server
In this article, we will be taking a closer look at the Bagel server and examining its vulnerabilities. Our aim is to demonstrate the importance of secure coding practices and secure configurations. Let's dive into the details of our exploration.
Removing Orders and Creating an Object
We begin by removing orders and creating an object. Here are the steps we followed:
- Remove order
- Create an object with the type "Bagel server"
- For the object, specify "Bagel" as the inner object
- Read file with a file name of "orders.txt" in the directory "opt/Bagel/orders"
Reading sh Keys and Logging into Bagel Server
We then move on to reading sh keys and logging into the Bagel server. Here are the steps we followed:
- Read sh keys using the command: home/developer/SSH/id_rsa
- Use printf to obtain the "fill.id_rsa" file
- Change the permission to 600 for "fill.id_rsa"
- Log into Bagel server using "[email protected]" with the obtained "fill.id_rsa" file
- Check for the existence of the "user.txt" file
- Execute the "sudo -l" command to see which users have sudo privileges
- Locate the "python web server" in the "developer" user's directory
- Check for the .NET application and run it using "sudo userbin.net"
- Check for vulnerabilities using the GTFO bins command
Accessing Root and Abusing F-Sharp
Our exploration led us to access root and abuse F-Sharp. Here are the steps we followed:
- Check for the existence of the Bagel executable
- Access root and obtain "root.txt" file
- Create an FSI file and run F-Sharp commands to access system files
InIn conclusion, we were able to exploit a linux box with .net by discovering a file disclosure vulnerability, using websocket connections, and finding a dll file for the .net server. by doing so, we could extract the source code and analyze the application’s code running on the box. it was a fun challenge to break down and exploit this box! Finding and analyzing the running process of bagel server is crucial to exploiting its vulnerabilities. with the right tools and scripts, we can locate the dll file, extract its source code, and use it to exploit various vulnerabilities. this information can be used to secure the application and prevent future attacks. , our exploration of the Bagel server revealed vulnerabilities that could be exploited by malicious actors. This underlines the need for developers to follow secure coding practices and for users to configure their systems securely.
About The auther
New Posts
Popular Post
Precious from Hack The Box: Command Injection and Deserialization Exploits
Exploring Health Hack the Box Box - Initial Reconnaissance
Chachi BT and Notable: A Powerful Combination for Data Retrieval and Analysis
The Student Loan Debt Crisis and its Magnitude
Understanding the Debt Ceiling: What Investors Need to Know
How to Raise Capital: The Number One Skill of an Entrepreneur
The Dangers of Using AI to Create SEO Content
The Best SEO Tools You Should Be Using Right Now
Google Search Office Hour: Latest Updates and Blog Articles
How Real Estate Agents Make Money: Explained by Lorie Balan