# Hack The Box - Fortune

## Quick Summary

Hey guys today Fortune retired and here’s my write-up about it. It was a very cool box and I really liked it, like the last retired box LaCasaDePapel it had RCE and client certificate generation to access a restricted https service, but that’s only for the initial steps as this box had a lot of interesting stuff. It’s an OpenBSD box and its IP is 10.10.10.127, I added it to /etc/hosts as fortune.htb. Let’s jump right in!

## Nmap

As always we will start with nmap to scan for open ports and services :

```bash
nmap -sV -sT -sC fortune.htb
```

We have http on port 80, https on port 443 and ssh on port 22, so we will be focusing on the web services.

## HTTP Initial Enumeration

The index page on http://fortune.htb is pretty simple, we have some options where we can choose a database of fortunes and we will get a random fortune from that database :

On https://fortune.htb we get a handshake error, this probably means that we need a client certificate.

## RCE, Client Certificate Generation

Back to http://fortune.htb I intercepted the request with burp and there was only one parameter in the POST request called `db`, after trying a few different things I got RCE by appending a semicolon (`;`) :
Request :

Response :

I couldn’t get a reverse shell, get ssh or read the user flag so we are going to enumerate the box through this RCE for some time.
I wrote a script to make it easier :

This script takes the command to execute then sends the payload `;echo rce_result;COMMAND;echo rce_result_end`, then it searches through the response and prints the string between `rce_result` and `rce_result_end`, which is the output of our command.
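The bug behind this step is a classic one: the `db` value is pasted into a shell command line, so a semicolon ends the intended command and starts a new one. The following is an added example (not code from the write-up or from the box) showing that vulnerable pattern next to a hardened handler that allow-lists the database name and never hands user input to a shell, plus a small request-log check a defender could run over `db` values. The database names in `FORTUNE_DBS` and all function names are my own assumptions, not the box's real source.

```python
"""
Added example (not from the original write-up): the injection pattern behind
the Fortune box's `db` parameter, shown as a vulnerable handler next to a
hardened one. FORTUNE_DBS and the handler functions are assumptions about how
a fortune web front end might be built; nothing here is the box's real code.
"""
import shlex
import subprocess

# Allow-list of fortune databases the page may offer (constructed names).
FORTUNE_DBS = {"fortunes", "fortunes2", "startrek", "zippy"}


def vulnerable_command(db: str) -> str:
    """Builds the shell string a naive handler would run with shell=True.

    The untrusted `db` value is pasted into the command line verbatim, so a
    value like "fortunes;id" makes the shell run `id` as a second command.
    That is exactly the semicolon injection the write-up describes.
    """
    return "fortune " + db


def hardened_argv(db: str) -> list:
    """Validates `db` against the allow-list and returns an argv list.

    Run it with subprocess.run(argv) (shell=False); the database name is a
    single argument, so shell metacharacters never reach a shell at all.
    """
    if db not in FORTUNE_DBS:
        raise ValueError(f"unknown fortune database: {db!r}")
    return ["fortune", db]


def looks_injected(db: str) -> bool:
    """Request-log heuristic: flag db values that carry shell metacharacters
    or that a shell would split into more than one token."""
    suspicious = set(";&|`$<>\n")
    if any(c in suspicious for c in db):
        return True
    try:
        return len(shlex.split(db)) != 1
    except ValueError:  # unbalanced quotes are suspicious too
        return True


def run_fortune(db: str) -> str:
    """Hardened execution path: allow-listed argv, no shell. Returns stdout."""
    result = subprocess.run(hardened_argv(db), capture_output=True,
                            text=True, check=True)
    return result.stdout


if __name__ == "__main__":
    value = "fortunes;id"  # constructed value using the write-up's technique
    print("vulnerable shell line:", vulnerable_command(value))
    print("flagged by log check :", looks_injected(value))
    try:
        hardened_argv(value)
    except ValueError as err:
        print("hardened handler     :", err)
```

The allow-list is the real fix: once the handler only accepts known database names and passes them as a single argv element, the semicolon trick (and every other metacharacter) stops working, and `looks_injected` is useful only as a detection signal over access logs, not as the defence itself.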

There are 3 users on the box : bob, charlie and nfsuser :

In bob's home directory there was a directory called ca :

I enumerated that directory for some time and there was a directory called intermediate where I found a certificate and a key :

We can use them to generate a PKCS12 certificate to access the https service. With openssl we can do it with a single command :

Now we can import the certificate in Firefox :

After removing the SSL exception it will ask for our certificate and give us access :

## Elevated Network Access, NFS, User Flag

After getting access to https this message is what’s on the index page :

I didn’t know what authpf was so I searched about it.

> authpf is a user shell for authenticating gateways. It is used to change pf rules when a user authenticates and starts a session with sshd and to undo these changes when the user’s session exits. It is designed for changing filter and translation rules for an individual source IP address as long as a user maintains an active ssh session. Typical use would be for a gateway that authenticates users before allowing them Internet use, or a gateway that allows different users into different places. - FreeBSD manual

So basically this can give access to some filtered services we weren’t allowed to access before, to use it we need a key and luckily we can generate one :

We have 3 users on the box, I tried all of them and nfsuser worked :

Now is the time for another nmap scan :
nmap -sV -sT -sC fortune.htb

We have two new ports, 8081 which is running http and 2049 which is running nfs. The http service gives us this message :

So probably we need to focus on nfs.

> Network File System (NFS) is a distributed file system protocol originally developed by Sun Microsystems in 1984, allowing a user on a client computer to access files over a computer network much like local storage is accessed. - Wikipedia

I used the RCE script to check /etc/exports and the only thing there was /home :

By using nfs-ls (which is a part of the package libnfs-utils) we can successfully list the directories :

I created a directory, called it mnt and mounted the nfs share in it :

However I couldn't access charlie's directory :

This is because I’m trying with root whose uid is 0 :

NFS checks permissions by uid, so I need to have the same uid as charlie, which is 1000 :

I already have a user on my box with the uid 1000 called rick :
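Why does simply having a local user with uid 1000 work? With the default AUTH_SYS security flavour the NFS server never verifies identities; it takes the uid number the client sends and applies ordinary Unix permission bits to it, squashing only uid 0 unless the export says otherwise. The following is an added example (not part of the write-up) that models that decision: it maps a client-asserted uid through the BSD exports(5) options `-maproot` and `-mapall` and then applies the owner/others read bits. The uid 65534 used for squashed root, the 0700 mode on charlie's home, and the function names are assumptions for illustration; only charlie's uid of 1000 comes from the write-up.

```python
"""
Added example (not part of the original write-up): a small model of how an
NFS server using AUTH_SYS (sec=sys) decides whether a client may read a file.
The server never verifies the uid; it trusts the number the client sends,
which is why a local user with charlie's uid of 1000 is enough. Export
options follow the BSD exports(5) names -maproot and -mapall; the uid 65534
for unmapped root is an assumption (the usual "nobody") for illustration.
"""
from typing import Dict, Optional

NOBODY_UID = 65534          # assumed uid that unmapped root is squashed to
CHARLIE_UID = 1000          # from the write-up
CHARLIE_HOME_MODE = 0o700   # assumed: home directory readable by owner only


def effective_uid(client_uid: int, maproot: Optional[int] = None,
                  mapall: Optional[int] = None) -> int:
    """Map the client-asserted uid to the uid the server will check against."""
    if mapall is not None:
        return mapall            # -mapall: every request runs as this uid
    if client_uid == 0:
        # Without -maproot, root on the client is squashed to nobody; with
        # -maproot=N it becomes N (so -maproot=0 disables squashing entirely).
        return NOBODY_UID if maproot is None else maproot
    return client_uid            # ordinary uids are taken at face value


def may_read(owner_uid: int, mode: int, client_uid: int, **export_opts) -> bool:
    """Unix read check as the server applies it to the mapped uid.

    Group membership is left out to keep the model short; it would be looked
    up from the client-supplied gid list, which is just as unverified.
    """
    uid = effective_uid(client_uid, **export_opts)
    if uid == 0:
        return True                      # real root on the server side
    if uid == owner_uid:
        return bool(mode & 0o400)        # owner read bit
    return bool(mode & 0o004)            # others read bit


def scenario() -> Dict[str, bool]:
    """The situations from the write-up, plus two export variants."""
    return {
        "root on client (uid 0), default export":
            may_read(CHARLIE_UID, CHARLIE_HOME_MODE, 0),
        "client user with uid 1000 (rick)":
            may_read(CHARLIE_UID, CHARLIE_HOME_MODE, 1000),
        "root on client, export with -maproot=0":
            may_read(CHARLIE_UID, CHARLIE_HOME_MODE, 0, maproot=0),
        "uid 1000 on client, export with -mapall=65534":
            may_read(CHARLIE_UID, CHARLIE_HOME_MODE, 1000, mapall=NOBODY_UID),
    }


if __name__ == "__main__":
    for label, allowed in scenario().items():
        print(f"{label:50s} -> {'read' if allowed else 'denied'}")
```

The model shows the defender's takeaway: root squashing only stops uid 0, and any other uid can be claimed by whoever can reach port 2049. That is why the box's real control was the authpf gate in front of the NFS port rather than the export's permissions, and why an export that must stay reachable should be limited to known client hosts or use a verified flavour such as Kerberos (`sec=krb5`) instead of AUTH_SYS.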

We owned user.

## Privilege Escalation, Root Flag

First thing I wanted to do is to get ssh, luckily I had write access to authorized_keys :

I used ssh-keygen to generate a private and a public key :

Then I wrote my public key to authorized_keys and got ssh as charlie :

In the home directory of charlie there was a file called mbox which had an email from bob to charlie thanking him for setting up pgadmin4 for him and also telling him that he set the dba password to the same as root password :

Note : pgadmin is an administration and development platform for PostgreSQL.
Earlier when we got the elevated network access there was an http port for pgadmin4 so I checked its web directory in /var/appsrv and the database was there :

Then I used strings to see if I can get anything interesting :

I got some salted hashes, and most importantly this :

This is the db administrator's password hash and we know that it's the same as the root password.
pgadmin is open-source software, so I searched on GitHub for anything cryptography-related and found this script called crypto.py.
I took the functions needed to decrypt the hash, then I created a script that takes the hash and the key and decrypts the hash using the functions from crypto.py :

The only thing left is to give the right key, I tried the other hashes I got from the database as a key and bob's hash worked :

And we owned root!
That's it, feedback is appreciated!