CVE-2023-23946 » THOVITI SIDDHARTH

September 25, 2023

Snoopy – HackTheBox Writeup

Thoviti Siddharth HackTheBox, Infosec ClamAV, CVE-2023-20052, CVE-2023-23946, dns zone transfer, Git, git apply, HackTheBox, HTB, LFI, Mail Server, Man in The Middle, nsupdate, Patch File, SMTP, ssh-mitm, symlink, Update DNS Record, XXE 0

Machine Name: Snoopy
IP: 10.10.11.212
Difficulty: Hard

Summary

Snoopy is a hard machine that starts with discovering subdomains through DNS zone transfer, and exploiting an LFI to obtain site configuration files that revealed mailserver secret key. The key was used to update the mail server’s DNS records to receive mails on my local SMTP server. The mattermost subdomain discovered had an “email password reset link” page. The password was received on the SMTP server for user cbrown. Authenticated session of mattermost provided an option to interact with the server through SSH which was intercepted to perform a man-in-the-middle attack to fetch the SSH credentials of cbrown. The user cbrown could run “git apply” command as user sbrown which was exploited by using a known vulnerability that uses symbolic links to access files of the user running Git. This was used to write the SSH public key into sbrown and gain a SSH shell. Privilege escalation involved exploiting ClamAV’s XXE vulnerability to fetch the private key of root.