# Hack The Box - OneTwoSeven

## Quick Summary

Hey guys, today OneTwoSeven retired and here’s my write-up about it. It was a very special box and I enjoyed every part of it, especially the apt man-in-the-middle attack part. Definitely one of my favorite boxes. It’s a Linux box and its ip is 10.10.10.133; I added it to /etc/hosts as onetwoseven.htb. Let’s jump right in!

## Nmap

As always we will start with nmap to scan for open ports and services:
`nmap -sV -sT -sC onetwoseven.htb`

Only http on port 80 and ssh are open.

## Web Enumeration

By going to http://onetwoseven.htb we see this nice website :

There’s a sign-up button, and some other info :

So now we know that sftp is running, and we also know that if we try to bruteforce anything we’ll get banned.
If we look at the navigation bar we can see 3 pages:

Home is where we are; statistics just shows stuff like up-time, banned ip addresses etc. There’s also a page titled Admin and it’s disabled, so let’s look at the html source:

Admin’s page is on port 60080 and it’s only accessible from localhost, so we can skip that for now.

We have credentials for sftp : ots-5MWI1ZmI : f991b5fb
and we also have a personal home page (http://onetwoseven.htb/~ots-5MWI1ZmI/) which looks like this :

## SFTP, User Flag

With the sftp credentials we have we can access the root directory of our home page :

You may wonder why we didn’t see an open port for sftp; that’s because sftp runs on top of ssh by default, check this.
I created a php test file and uploaded it :

Unfortunately it will respond with 403 to any uploaded php file :

I checked the commands list of sftp and saw that I can create symlinks with symlink :

So I tried to create a symlink to /etc/passwd and it worked :

As you can see there’s a user whose ip is localhost’s (127.0.0.1). That can be helpful, but we need to know his password; we already got the username: ots-yODc2NGQ.
I wanted to know how usernames were generated, so I made some assumptions and tested them.
Usernames follow the same pattern: ots- followed by a base-64 looking string. I tried to decode the string from my username (5MWI1ZmI) but got nothing readable, so I tried encoding my password (f991b5fb) instead:

So the string in usernames is part of the base-64 encoded password. But how are these passwords generated in the first place? My password looked like hex, but after decoding it I got nothing readable, so I guessed it might be part of an md5 hash. But the hash of what? I tried the md5 hash of my ip:

So passwords are just the first 8 chars of the md5 hash of the user’s ip. Now we can generate the password for ots-yODc2NGQ the same way:

ots-yODc2NGQ : f528764d, let’s try it:

We owned user.
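To make the weakness concrete, here is the derivation from the paragraphs above as an added Python example (my code, not from the write-up): the password is the first 8 hex characters of md5(ip), and the username suffix is a slice of the base64 encoding of that password. Two assumptions: the ip behind ots-yODc2NGQ is 127.0.0.1, which is what the /etc/passwd entry means by localhost’s ip, and the suffix being characters 3..10 of the base64 string is inferred from the two pairs on the page rather than confirmed by the site’s code. The point for anyone reviewing a sign-up flow: both credentials are a deterministic function of a public attribute, so anyone who knows a user’s ip can reproduce them.

```python
import base64
import hashlib
from typing import Tuple

# Pairs quoted in the write-up (usernames and passwords exactly as given there).
KNOWN_PAIRS = {
    "ots-yODc2NGQ": "f528764d",   # the /etc/passwd user tied to localhost's ip
    "ots-5MWI1ZmI": "f991b5fb",   # the author's own sftp account
}

def password_for_ip(ip: str) -> str:
    """First 8 hex chars of md5(ip): the scheme the write-up observed."""
    return hashlib.md5(ip.encode("ascii")).hexdigest()[:8]

def username_for_password(password: str) -> str:
    """'ots-' + a slice of base64(password).

    base64 of an 8-byte password is 12 chars (11 plus one '=' pad); both pairs
    on the page use chars 3..10 of that string. The exact offset is an
    inference from those two samples (assumption); the substring relation
    itself is what the write-up states.
    """
    b64 = base64.b64encode(password.encode("ascii")).decode("ascii")
    return "ots-" + b64[3:11]

def derive_credentials(ip: str) -> Tuple[str, str]:
    """Both credentials from nothing but the client ip."""
    password = password_for_ip(ip)
    return username_for_password(password), password

def suffix_is_in_encoded_password(username: str, password: str) -> bool:
    """The weaker relation the write-up states: suffix is a substring of base64(password)."""
    b64 = base64.b64encode(password.encode("ascii")).decode("ascii")
    return username[len("ots-"):] in b64

def scheme_is_predictable(ip: str, username: str, password: str) -> bool:
    """True when an issued credential pair is reproducible from the ip alone."""
    return derive_credentials(ip) == (username, password)
```

The first 8 characters of md5("127.0.0.1") are f528764d, which is the value the write-up obtained, and base64("f528764d") is "ZjUyODc2NGQ=", whose middle slice is the yODc2NGQ suffix of the target username.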

I tried ssh but I got this message :

However we can still use it to forward ports, let’s forward port 60080 :

We need credentials to log in. I used the symlink command and created a symlink to /var/www:

I downloaded login.php.swp :

Because it’s a vim swap file it had a lot of unreadable characters so I used strings :

login.php :

The credentials are hardcoded, however the password is hashed :

Crackstation was able to crack it :

ots-admin : Homesweethome1 :

There’s a plugin upload form with the installed plugins listed above it. Additionally, there’s a small button to download each module’s php source from the directory /addons:

If we can upload plugins then we get RCE. The form’s submit button is disabled, but we can easily change that:

rev.php :

It sent the request to addon-upload.php and the response was 404.

If we check the Addon manager plugin we can see some interesting things :

The first thing is the rewrite rules: any request sent to addon-upload.php or addon-download.php gets routed to addons/ots-man-addon.php. There’s also a small note that says “Disabling a feature through htaccess leads to 404 errors for now.” This explains why we got 404 when attempting to upload a plugin. However, the download feature isn’t disabled, and I was able to download the Addon manager plugin:

Since requests to both addon-upload.php and addon-download.php end up in ots-man-addon.php, we have to find a way to exploit ots-man-addon.php through addon-download.php, because that one isn’t disabled.
ots-man-addon.php :

This part of the code tells us what we need to do :

We need to have /addon-upload.php in the request URI. We can’t request /addon-upload.php directly because it’s disabled, but we can just put a dummy GET parameter with the value /addon-upload.php and it will pass the check.
It takes the addon name from the GET parameter addon, so we have to add that parameter to the request URI as well.
So the request URI looks like this:

Request :

Response :

Now if we check /addons, rev.php is there :
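Here is the flaw described above as an added Python illustration (my code, not the plugin’s PHP, which the write-up shows only as a screenshot): a check that searches for /addon-upload.php anywhere in the request URI, query string included, is satisfied by a dummy parameter, while a check against the path component alone is not. The function names, the `dummy` parameter and the sample URIs are mine.

```python
from typing import Dict, Optional
from urllib.parse import parse_qs, urlsplit

UPLOAD_ROUTE = "/addon-upload.php"

def vulnerable_is_upload(request_uri: str) -> bool:
    """Substring test over the full request URI (path plus query string):
    the pattern the write-up describes in ots-man-addon.php."""
    return UPLOAD_ROUTE in request_uri

def hardened_is_upload(request_uri: str) -> bool:
    """Compare only the path component; nothing after '?' can satisfy it."""
    return urlsplit(request_uri).path == UPLOAD_ROUTE

def addon_name(request_uri: str) -> Optional[str]:
    """The 'addon' GET parameter the upload handler reads."""
    return parse_qs(urlsplit(request_uri).query).get("addon", [None])[0]

# Constructed request URIs: the download route carrying a dummy parameter
# whose value is the upload route (the shape the write-up builds), and a
# straightforward request to the upload route itself.
BYPASS_URI = "/addon-download.php?dummy=/addon-upload.php&addon=rev.php"
LEGIT_URI = "/addon-upload.php?addon=rev.php"

def compare(uri: str) -> Dict[str, object]:
    """Run both checks side by side on one URI."""
    return {
        "vulnerable": vulnerable_is_upload(uri),
        "hardened": hardened_is_upload(uri),
        "addon": addon_name(uri),
    }
```

In PHP the same distinction is `$_SERVER['REQUEST_URI']`, which includes the query string, versus `parse_url($_SERVER['REQUEST_URI'], PHP_URL_PATH)`. Since the htaccess rule already answers the real upload path with 404, a path-only check can never be satisfied through the download route, which is exactly what the “disabled” note intends.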

## APT MITM, Root Flag

As www-admin-data we can run apt-get update and apt-get upgrade as root without a password :

Also, sudo doesn’t reset these environment variables: ftp_proxy, http_proxy, https_proxy.
We can create a fake apt repository and add a malicious package that gives us code execution. Then we run a proxy server (burp or anything else) and set the http_proxy variable to our server. After that we make the proxy server use our fake repository instead of the real one by adding an entry in /etc/hosts. Finally, when we run apt-get update && apt-get upgrade, it will attempt to install our malicious package, which gives us a root shell. This article was very helpful.
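The two sudo facts above are the root cause, so here is an added Python audit (my code, not from the write-up) that flags them in a sudoers file: proxy variables listed in env_keep, and rules that let a non-root user run a proxy-aware fetcher as root. The sudoers fragment is constructed to match what the write-up reports, since the box’s real file is not shown; the set of fetcher programs is my generalisation beyond apt-get.

```python
import os
import re
from typing import Dict, List

# Constructed sudoers fragment (the box's real file is not shown in the
# write-up); it encodes the two facts reported above: www-admin-data may run
# apt-get update/upgrade as root without a password, and the three proxy
# variables survive sudo's env_reset.
SAMPLE_SUDOERS = """\
Defaults        env_reset
Defaults        mail_badpass
Defaults        env_keep += "ftp_proxy http_proxy https_proxy"
root            ALL=(ALL:ALL) ALL
www-admin-data  ALL=(ALL) NOPASSWD: /usr/bin/apt-get update, /usr/bin/apt-get upgrade
"""

# Variables that redirect a program's outbound HTTP(S)/FTP traffic.
PROXY_VARS = {"http_proxy", "https_proxy", "ftp_proxy",
              "HTTP_PROXY", "HTTPS_PROXY", "FTP_PROXY"}
# Programs that honour those variables when they fetch over the network
# (my generalisation beyond apt-get, not something the page lists).
PROXY_AWARE_FETCHERS = {"apt-get", "apt", "aptitude", "wget", "curl", "pip", "pip3"}

ENV_KEEP_RE = re.compile(r'^\s*Defaults\b[^#]*?\benv_keep\s*\+?=\s*"?([^"#]*)')
RULE_RE = re.compile(r'^\s*(?P<who>[^\s#]+)\s+(?P<host>[^\s=]+)\s*=\s*'
                     r'(?:\((?P<runas>[^)]*)\))?\s*(?P<cmds>[^#]+)$')
TAG_RE = re.compile(r'^(?P<tag>[A-Z_]+):\s*')

def kept_proxy_vars(text: str) -> List[str]:
    """Proxy variables that env_keep lets through sudo's environment reset."""
    kept = set()
    for line in text.splitlines():
        m = ENV_KEEP_RE.match(line)
        if m:
            kept.update(m.group(1).split())
    return sorted(kept & PROXY_VARS)

def root_fetchers(text: str) -> List[Dict[str, str]]:
    """Rules letting a non-root user run a proxy-aware fetcher as root."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = RULE_RE.match(line)
        if not m or m.group("who") in ("Defaults", "root"):
            continue
        runas = (m.group("runas") or "root").split(":")[0]
        nopasswd = False          # sudoers tags persist for the rest of the list
        for spec in m.group("cmds").split(","):
            spec = spec.strip()
            tag = TAG_RE.match(spec)
            while tag:
                if tag.group("tag") == "NOPASSWD":
                    nopasswd = True
                elif tag.group("tag") == "PASSWD":
                    nopasswd = False
                spec = spec[tag.end():]
                tag = TAG_RE.match(spec)
            if not spec:
                continue
            prog = os.path.basename(spec.split()[0])
            if prog in PROXY_AWARE_FETCHERS and runas in ("root", "ALL"):
                hits.append({"line": str(lineno), "user": m.group("who"),
                             "command": spec, "nopasswd": str(nopasswd)})
    return hits

def audit_sudoers(text: str) -> Dict[str, object]:
    """Combine both signals: the dangerous case is a fetcher run as root while
    proxy variables are preserved, because the caller then decides where the
    root-level download actually goes."""
    proxies = kept_proxy_vars(text)
    fetchers = root_fetchers(text)
    return {"kept_proxy_vars": proxies, "root_fetchers": fetchers,
            "exploitable": bool(proxies) and bool(fetchers)}
```

On a live host `sudo -l` prints the matching Defaults entries, env_keep included, next to the allowed commands, so the same two signals can be read off without opening /etc/sudoers. Removing the proxy variables from env_keep closes the path even if the apt-get rule stays.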
Let’s check the sources that box is using first :

In /etc/apt/sources.list.d/onetwoseven.list there’s an entry for packages.onetwoseven.htb. Let’s use that.
I started another burp listener on port 8181 :

And I added packages.onetwoseven.htb to my hosts file and made it point to my ip :

Now any request to packages.onetwoseven.htb through the proxy server will be sent to my ip. Next we need to create the fake repository and the malicious package.
I chose telnet :

The version on the box is 0.17-41, I searched for it and downloaded it :

We will unpack it :

And add a reverse shell payload in the post install script :

Then we will pack it again and change the version number :

What’s left is to create the repository, its name will be devuan as we saw in the sources list :

The path for the package will be :

as we saw in the apt-cache result :

Now we need to create a Packages file; we’ll copy the output of apt-cache show telnet and change the version number, size and hashes.

Packages :

Path for the Packages file will be dists/ascii/main/binary-amd64, we know it’s ascii/main from the sources list :

And binary-amd64 because the package’s architecture is amd64.

And that’s it for the repository.
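To show what the index has to contain and which fields must agree, here is an added Python example (my code, not the write-up’s): a parser for the stanza format of a Packages file and the consistency check apt applies between an entry and the .deb it names. The stanza and the stand-in package bytes are constructed; the Filename follows the standard Debian pool layout and is an assumption, since the write-up shows the real path only as a screenshot. The check explains why Size and the hashes have to be recomputed after repacking; by itself it is not a defence, because in the scenario above the index and the package come from the same proxied source.

```python
import hashlib
from typing import Dict, List

def parse_packages(text: str) -> List[Dict[str, str]]:
    """Parse the blank-line separated "Field: value" stanzas of a Packages index."""
    stanzas: List[Dict[str, str]] = []
    current: Dict[str, str] = {}
    last_key = None
    for line in text.splitlines():
        if not line.strip():
            if current:
                stanzas.append(current)
            current, last_key = {}, None
        elif line[0] in " \t" and last_key:      # continuation (multi-line Description)
            current[last_key] += "\n" + line.strip()
        else:
            key, _, value = line.partition(":")
            last_key = key.strip()
            current[last_key] = value.strip()
    if current:
        stanzas.append(current)
    return stanzas

def verify_entry(entry: Dict[str, str], deb_bytes: bytes) -> List[str]:
    """Names of the index fields that disagree with the .deb bytes (empty = consistent)."""
    mismatched = []
    if int(entry.get("Size", "-1")) != len(deb_bytes):
        mismatched.append("Size")
    for field, algo in (("MD5sum", "md5"), ("SHA1", "sha1"), ("SHA256", "sha256")):
        if field in entry and hashlib.new(algo, deb_bytes).hexdigest() != entry[field]:
            mismatched.append(field)
    return mismatched

# Constructed stand-in for the .deb (not a real archive) and a Packages stanza
# whose Size/hash fields were computed from it, so the two agree. The Filename
# is the standard Debian pool layout for this package/version (assumption).
FAKE_DEB = b"!<arch>\nconstructed placeholder, not a real Debian package\n"
SAMPLE_PACKAGES = f"""\
Package: telnet
Version: 0.17-41
Architecture: amd64
Filename: pool/main/t/telnet/telnet_0.17-41_amd64.deb
Size: {len(FAKE_DEB)}
MD5sum: {hashlib.md5(FAKE_DEB).hexdigest()}
SHA256: {hashlib.sha256(FAKE_DEB).hexdigest()}
Description: basic telnet client
 Constructed sample stanza; the real index is longer.
"""

def check_index(text: str, files: Dict[str, bytes]) -> Dict[str, List[str]]:
    """Map each Filename in the index to its mismatched fields ("missing" if absent)."""
    report = {}
    for entry in parse_packages(text):
        name = entry["Filename"]
        report[name] = verify_entry(entry, files[name]) if name in files else ["missing"]
    return report
```

A repacked .deb with the old stanza fails on all three fields at once, which is the failure apt would report before it ever unpacked the package.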

What’s left is to run a python http server in ~/Desktop/HTB/boxes/onetwoseven/apt-mitm/ and everything is done.
I exported the http_proxy variable and ran apt-get update:

Then I ran apt-get upgrade :

And we owned root!
That’s it, feedback is appreciated!