Carrotbane of My Existence
Hopper’s uprising is just getting started. - by ar33zy & Maxablancas
The following post by 0xb0b is licensed under CC BY 4.0
Recon
We use rustscan -b 500 -a 10.80.146.187 -- -sC -sV -Pn to enumerate all TCP ports on the target machine, piping the discovered results into Nmap which runs default NSE scripts -sC, service and version detection -sV, and treats the host as online without ICMP echo -Pn.
A batch size of 500 trades speed for stability, the default 1500 balances both, while much larger sizes increase throughput but risk missed responses and instability.
In addition to SSH port 22 and the activation page on port 21337, we have the following ports open: an SMTP service on port 25, DNS on port 53, and a web server on port 80.
DNS
Since DNS (port 53) is running on the target machine we try to perform performed a DNS zone transfer. A DNS zone transfer is a mechanism used by DNS servers to replicate all DNS records for a domain between authoritative servers. If misconfigured, it allows anyone to retrieve the full list of subdomains and records, leaking internal infrastructure details. The DNS service leaks the entire hopaitech.thm zone. This reveals internal subdomains (like admin, ticketing-system, dns-manager).
We put the result of our DNS zone transfer to our /etc/hosts in order to enumerate these subdomains in the next step.
Furthermore, we may discover additional internal addresses that resemble Docker addresses.
WEB
http://hopaitech.thm/ is a static page.
Nevertheless, we already find some useful loot. At http://hopaitech.thm/employees, we find a list of the team and their corresponding email addresses. We make a note of these for possible later use.
At http://dns-manager.hoptech.thm, we find a possible manager for the DNS. This is still protected with a login. We already have the email addresses, but unfortunately we still need the passwords.
The same applies to http://ticketing-system.hopaitech.thm/login, where we have a ticketing system. However, this is also protected by a login.
The last interesting subdomain is http://url-analyzer.hopaitech.thm/. Here we are dealing with a URL analyzer, which appears to call up URLs and summarize the results using AI. This immediately raises the possibility of Server-Side Request Forgery (SSRF). We could use this to enumerate internal services, read files on the system, or even indirectly prompt the AI.
Flag 1
We will initially focus on the subdomain http://url-analyzer.hopaitech.thm/, as it offers the most interaction and allows us to test the SSRF.
From the DNS zone transfer, we learned about the internal addresses 172.18.0.2 and 172.18.0.3. As mentioned, these appear to be Docker addresses. We will attempt to probe the host with the URL Analyzer and assume that this is 172.18.0.1.
We can tell that an address is accessible when there is a long delay before we receive a response. This is because the AI is processing the result. It summarizes the content of the page. 172.18.0.1 is reachable.
With the following script, we implement our findings and attempt to enumerate internal services. We evaluate every request that requires a longer delay as an internal service that is accessible.
We test 172.18.0.1, .0.2, and .0.3 and get different ports, but they refer to the already known services.
So SSRF won't get us anywhere here. However, we know that we are dealing with an AI. If we host our own web server and have the content processed via the AI will open us an indirect prompt injection. But first, let's take a look at main.js. This processes the result of the AI on the client side.
We see that the result will differ depending on FILE_READ, SUMMARY, and CAPABILITY. This is a powerful piece of information; we could possibly read internal files via the AI and have them output to us.
We make it completely blunt and try FILE_READ <path/to/file>. We host the fil with our web server and issue the URL analyzer. We are successful; we can, for example, display the contents of /etc/passwd. The /proc/self/environ is interesting.
The /proc/self/environ contains the admin credentials of the DNS manager and the first flag!
We can also see which model is being used, OLLAMA. On the standard port 11434.
Flag 2
Now that we have the admin credentials for the DNS manager, we can continue here. We enter the credentials...
... and successfully log in. We see several entries. There is also the following entry that concludes to docker.internal (used for OLLMAA), which resolves to 172.17.0.1. We note that down for later.
But what can we do with it now? We remember from our initial recon that the entire team was available on the static page with their email addresses. We also know about the SMTP service on port 25. We can now try to send emails to these addresses, but we would not receive a reply because our email address cannot be resolved. Now, with the DNS portal, we can create an MX record to resolve our email and thus receive possible replies. An MX record Mail Exchange record is a DNS record that tells email servers which mail server is responsible for receiving email for a domain. So we create one for the domain 0xb0b.thm that resolves to our attacker machine IP.
We end up with the following entry:
Next, we host a simple SMTP server. With the following command we start a simple SMTP server using aiosmtpd that listens on all network interfaces at port 25 without storing received emails.
We define a variable emails, containing all mails we gathered so far...
... and iterate over that list to send a mail to each recipient using swaks. We ask for a simple password reset, maybe we receive an answer.
Almost all response with an out-of-office message or an excuse immediately. But Violet Thumper takes some time. Looks like an AI is processing the answer in this case. The user answers that they are happy to help and we need to specify which email subject we are looking for.
The following solution feels like an unintended one, because the user offers to forward the request to the AI in other requests, even though the user is also an AI. For this solution, we ask for the subjects that are available.
We receive a reply with all subjects available for the email account, including a password reset for Violet.
We ask Violet to resend the mail with the subject Your new ticketing system password...
... and receive an anweser. We have the Credentials of violet.thumper and the second flag.
Flag 3
With the credentials we received, we will now try to log in to the ticketing system.
We are successful and find two tickets. One with ID #9 and one with ID #5.
The tickets are processed with AI. The requests take a certain amount of time. When we try to request other tickets directly with a minimal prompt like shown below (to bypass guardrails), we receive an immediate response. This suggests that we did not inject the AI directly, but rather that the system pre-processes the requests. It was not possible to make a distinction. At least we can use the technology to check the other tickets.
We look through the tickets and find what we are looking for on the sixth ticket. A user needs access to a development instance via a tunnel.
The ticket contains an ed2551 private key and the third flag.
Flag 4
We try to get a session with the key and the user midnight.hop from the ticket, but without success. The session closes immediately.
The request in the ticket was about a tunnel to the development instance. What we haven't tested yet is the internal service of OLLAMA at 172.17.0.1:11434. We remember the entry in the DNS Management portal:
We test for the service in the URL Analyzer and get a response, its actually running on 172.17.0.1:11434.
So we open an SSH connection using the ed25519 key to forward local port 11434 to 172.17.0.1:11434 through midnight.hop@hopaitech.thm without starting a remote shell.
We can reach the service now from our attacker machine.
Let's research the documentation and look up what we could do now.
First of all we could list the models used.
With the model we could show its details, its system prompt.
So, we query for the models and find the sir-carrotbane model.
We query for the details of the sir-carrotbane model and have the system prompt infront of us and the final flag.
Last updated
Was this helpful?