HTB – Holiday

nmap -A -p- 10.10.10.25 --open

As port 8000 is running http we open the IP address in the browser, and find a webpage.

We didn’t find anything on the webpage so we use dirb to enumerate the directories.

Dirb scan gives us a link to a directory called /login, we open the link and find a login page.

We capture the login request using burpsuite. We use random credentials as placeholder.

We use sqlmap to check if it is vulnerable to sql injection. After finding that it is vulnerable to sql injection, we use sqlmap to dump the database and find a username “RickA” and password hash.

c:\SQLMAP>sqlmap.py -r sql.txt --level 5 --risk 3 --batch --dbms=SQLite -T users --columns --dump  --threads 10 --batch
___
__H__
___ ___[,]_____ ___ ___ {1.2.11.19#dev}
|_ -| . [.] | .'| . |
|___|_ [.]_|_|_|__,| _|
|_|V |_| http://sqlmap.org

[*] starting @ 12:41:27 /2018-11-29/

[12:41:27] [INFO] parsing HTTP request from 'sql.txt'
[12:41:28] [INFO] testing connection to the target URL
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: username (POST)
Type: boolean-based blind
Title: OR boolean-based blind - WHERE or HAVING clause (NOT)
Payload: username=admin") OR NOT 5230=5230 AND ("qZXC"="qZXC&password=admin
---
[12:41:28] [INFO] testing SQLite
[12:41:28] [INFO] confirming SQLite
[12:41:28] [INFO] actively fingerprinting SQLite
[12:41:28] [INFO] the back-end DBMS is SQLite
back-end DBMS: SQLite
[12:41:28] [INFO] resuming partial value: CREATE TABLE users (id INTEGER PRIMARY KEY AUTOINCREMENT,username TEXT,password TEXT
[12:41:28] [WARNING] running in a single-thread mode. Please consider usage of option '--threads' for faster data retrieval
[12:41:28] [INFO] retrieved: ,active TINYINT(1))
Database: SQLite_masterdb
Table: users
[4 columns]
+----------+---------+
| Column | Type |
+----------+---------+
| active | TINYINT |
| id | INTEGER |
| password | TEXT |
| username | TEXT |
+----------+---------+
-snip-
Database: SQLite_masterdb
Table: users
[1 entry]
+----+--------+----------+----------------------------------+
| id | active | username | password |
+----+--------+----------+----------------------------------+
| 1 | 1 | RickA | fdc8cd4cff2c19e0d1022e78481ddf36 |
+----+--------+----------+----------------------------------+

[12:42:31] [INFO] table 'SQLite_masterdb.users' dumped to CSV file 'C:\Users\jacco\.sqlmap\output\10.10.10.25\dump\SQLite_masterdb\users.csv'

[*] ending @ 12:42:31 /2018-11-29/
c:\SQLMAP>

We use hashkiller.co.uk to decrypt the hash and find the password to the user. : nevergonnagiveyouup

We login using these credentials and we are redirected to a page with that looks like it contains user information.

We click on one of the UUID link and find a page that we can post notes for the users. It also shows that it will take up to 1 minute to post the note.

We try exploit the note function, and find it is vulnerable xss. As the notes are being read by administrator xss can be used to get the admin cookie. To run xss and run our payload we need to bypass the filter using java script function String.fromCharCode to run our payload. I created this script here to convert string to ascii code.

We post the note to bypass the filter we have to use this payload:

We setup our listener using nc on port 80, as we will receive the the response of the page including the administrator cookie on this port.

After waiting for 1 minute we received the admin cookie.

The cookie is url encoded we decode and use it hijack the administrator session.

We capture the webpage’s request using burpsuite. We change our cookie with that of administrator and forward it.

As soon as we forward the request, we are able to successfully hijack the administrator session.

We now go to /admin directory and find a page where there are options to export bookings and notes.

We capture the request using burpsuite, and check if it is vulnerable to any king of injection. After enumerating we find that this page is vulnerable to command injection.

We are unable to get a shell using web_delivery module of metaploit due to there being filters. Now we create a payload using msfvenom to upload into the target machine using command injection and get reverse shell.

After creating a shell, we create a python http server to upload into the target machine.

Now “.” Is not blacklisted so we convert the ipaddress into decimal number so that we can bypass the filter.

We upload the shell using wget command into the target machine and save it in /tmp directory.

As soon as we run the command we get a prompt that shell is uploaded.

We give our payload read, write and execute permission using command injection.

Now we setup our listener using metasploit.

We run the shell using command injection vulnerability on the target machine.

As soon as we run the shell we get a reverse shell.

We spawn a tty shell and take a look at the sudoers list and find that we can run /usr/bin/npm I * as root with no password.

Before trying to get root shell we first enumerate rest of the directories and find a file called “user.txt” in /home/algernon directory. We take a look at the content of the files and find the first flag.

Now we try to take root.txt we go to /app directory. We rename package.json to pack, and symlink /root/root.txt package.json

We run /usr/bin/npm i * as root user and find the final flag.

After searching through google we find a way to get reverse shell using a package called rimrafall.

We setup rimrafall by following the instructions given on the webpage.

We setup the json file and change the preinstalled script to bash one liner.

We run the command as root user to get privileged shell.

We setup the listener as soon as we run the preinstalled shell is getting executed we get a reverse shell.

We go to /root directory and find a file called root.txt. We take a look at the content of the file and find the final flag.

Author: Sayantan Bera