PLAYER – (HACK THE BOX)

https://github.com/mazen160/bfac

Things to note:

  1. Secret key used to sign the JWT token → _S0_R@nd0m_P@ss_
  2. The access code, needed to get the new file location.
  3. Masked endpoint → 7F2xxxxxxxxxxxxx/

If we decode the JWT captured in the cookie while requesting /launcher/dee8dc8a47256c64630d803a4c40786e.php, we can see what it carries.

Copy the cookie, open https://jwt.io/ and paste it there:

access=eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJwcm9qZWN0IjoiUGxheUJ1ZmYiLCJhY2Nlc3NfY29kZSI6IkMwQjEzN0ZFMkQ3OTI0NTlGMjZGRjc2M0NDRTQ0NTc0QTVCNUFCMDMifQ

and we get the decoded header and payload.

We just need to change the access_code claim to the value found in the backup file and sign the token using _S0_R@nd0m_P@ss_.

When we upload any file, we see that

it gets uploaded successfully with a message saying compression completed, followed by a link to our upload. Clicking on the Buffed Media link,

we get a download prompt for it. The file extension is .avi, which is a video format, whereas we uploaded a jpg, so even if we upload a video file it gets accepted. Searching Google for video upload exploits, we get

Checking possible exploits for the same, we see that there exists a vulnerability in FFmpeg. Using the script from this repo, we will create custom payloads to read arbitrary files from the server: https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/Upload%20Insecure%20Files/CVE%20Ffmpeg%20HLS

When we run this file

We get forbidden command errors for every command we try. Since we know this port was running OpenSSH 7.2, I went looking for any interesting CVEs for it and got

https://www.exploit-db.com/exploits/39569

Copy the content and save it as exploit.py.

These credentials (peter : CQXpm\z)G5D#%S$y=) worked with dev.player.htb:

And we are in

Now try to create a new project in /var/www/html:

But we get an error when creating a new project there.

I wanted to see if that was related to /var/www/demo/home, so I created a file called new.php that echoed "new" and tried to access it through /home:

Now, on the portal, we will create a PHP backdoor.

When I ran pspy to monitor the processes, I noticed that /var/lib/playbuff/buff.php got executed as root periodically:

2020/01/18 05:25:02 CMD: UID=0    PID=3650   | /usr/bin/php /var/lib/playbuff/buff.php

I couldn't write to it, but it included another PHP file which I could write to (/var/www/html/launcher/dee8dc8a47256c64630d803a4c40786g.php):

Add this line

system("bash -c /tmp/pwned.sh");

to the code to get it executed:

root@kali:~# mv rev.php dee8dc8a47256c64630d803a4c40786g.php

@SAKSHAM DIXIT