Machine Synopsis
Seventeen is a hard Linux machine that features an SQL injection vulnerability in an `exam management system` web application, which allows dumping the available databases from the remote machine. From there, a new vhost can be discovered that hosts an old file management system. Enumerating the available files, another vhost that runs a Roundcube instance can be found. Combining some clues, such as the date the files were uploaded to the management system and the contents of the files, it turns out that the installed Roundcube version is vulnerable to a PHP file inclusion vulnerability, enabling an attacker to get a reverse shell. Then, enumerating the remote system as `www-data`, some hard-coded credentials can be found. It turns out that these credentials are valid for the user `mark` over SSH. Afterwards, it is discovered that a local `npm` registry is running on the remote machine. Installing a private npm module reveals another set of hard-coded credentials, this time for the user `kavi`. For the root part, `kavi` is able to run a package dependency resolve script as `root`. The script uses `npm` again to install the packages, so an attacker can create a private registry on their own machine, host a malicious npm package and point the script to that registry. Once the malicious package is executed, a reverse shell as `root` can be obtained.