Python has a built-in eval() function that evaluates the expression it is given. If the string is a valid Python expression, it will be executed. This can be very dangerous if used incorrectly by a web developer.
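The risk described above, as an added example (not code from the box or from the original post): a constructed range check on a hypothetical "abv" request field, written first with eval() and then parsed as data. The function names, the field name and both sample inputs are assumptions made for the illustration.

```python
# Added example: constructed validation logic, not the code from the Craft box.
from decimal import Decimal, InvalidOperation

SIDE_EFFECTS = []  # lets the demo prove that client text ran as code


def too_strong_unsafe(abv):
    """Vulnerable pattern: the client value is pasted into an expression."""
    # Whatever text the client sent is compiled and run by eval().
    return bool(eval("%s > 1" % abv))


def parse_abv_safe(abv):
    """Hardened form: treat the value as data and reject anything else."""
    if isinstance(abv, bool) or not isinstance(abv, (int, float, str)):
        raise ValueError("abv must be a number")
    try:
        value = Decimal(str(abv))
    except InvalidOperation:
        raise ValueError("abv must be a number") from None
    if not value.is_finite() or not Decimal(0) <= value <= Decimal(1):
        raise ValueError("abv must be between 0 and 1")
    return value


# Constructed request values: one honest, one carrying an expression.
HONEST = "0.15"
INJECTED = "SIDE_EFFECTS.append('client code ran') or 0"


def demo():
    """Run both checks on both inputs and report what happened."""
    SIDE_EFFECTS.clear()
    results = {"unsafe_honest": too_strong_unsafe(HONEST),
               "unsafe_injected": too_strong_unsafe(INJECTED),
               "safe_honest": parse_abv_safe(HONEST)}
    try:
        parse_abv_safe(INJECTED)
        results["safe_injected"] = "accepted"
    except ValueError as exc:
        results["safe_injected"] = "rejected: %s" % exc
    results["side_effects"] = list(SIDE_EFFECTS)
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, "->", value)
```

The eval() version passes the injected value as "not too strong" while still running it; the parsed version never executes the text and rejects it as a non-number.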
In Craft from HTB, initial access is leveraged through the use of this function. Let's take a look:
1) Initial enumeration provides us with a hostname of craft.htb (add to /etc/hosts file) and listening services. We are interested in the web server for initial access.
2) https://craft.htb does not get us anywhere so we continue with enumeration on subdomains and possibly directories. We are able to identify two, gogs and api. Let's see how these two tie together. (spoiler alert: gogs -> creds -> api usage).
3) For real world git, there are many tools you can use to do this. Since this is a CTF, we can leverage something like gitrob for example. Perform some manual enumeration and check out the commits and determine where to manually start looking.
4) Once we take a look at that specific commit, we identify some credentials.
5) With the credentials identified above, we can log in as Dinesh.
6) With further enumeration you should have seen the discussions in the "issue". I'm going to skip some of the details and skip to the good part, abusing their eval() function implementation.
7) Long story short, Dinesh's "fix" was no bueno :). His eval function used in brew.py can be abused using the API (and credentials we already have).
8) Below is the code used to get a reverse shell. It's pretty simple. We import the os module and execute some bash.
9) This shell lands us in a docker container. To get from docker to the gilfoyle user, you perform some enumeration and find dbtest.py and a settings.py. Once you figure out what this can do for you, you dump all the users by modifying the SQL query being used. dbtest.py is the one given to you by the server. Since we can write to this script, I simply changed the query being used. #GiveMeAllTheUsers
sql = "SELECT * from `user`"
10) Once we log into gogs as gilfoyle, we find his private ssh key and can ssh into the machine with the -i flag.
ssh -i private_id_rsa firstname.lastname@example.org
11) Gilfoyle to root was a bit new for me. Awesome experience. Long story short, there is this "vault" application running on the server. Here is a great article for understanding the next steps: https://www.vaultproject.io/docs/secrets/ssh/one-time-ssh-passwords.html.
vault secrets list will give you the list of all running "vaults".
Gilfoyle's "craft-infra" has tons of loot. There is a secret.sh script that gives you the exact command you will need to root the machine.
I hope you enjoyed this post. Until next time!